TT#113750 don't auto switch from an already selected fingerprint

If we receive an SDP with a DTLS fingerprint, by default we adopt the hash function used for that fingerprint in subsequent communication with that peer. However, if the SDP is an answer, and we previously used a different hash function in the offer towards that peer, then a later re-invite offer would be sent with a different fingerprint, causing an unexpected DTLS restart. Instead, make sure we don't change fingerprints if one was already sent. Change-Id: I603bb86ce2d7121556c161749ed08128dd0b63b2
5 years ago · 8029a4d1cd
parent 3791b8f595
commit 8029a4d1cd
3 changed files with 10 additions and 4 deletions
--- a/daemon/call.c
+++ b/daemon/call.c
@ -1595,8 +1595,8 @@ static void __generate_crypto(const struct sdp_ng_flags *flags, struct call_medi

 skip_sdes:
 	if (flags->opmode == OP_OFFER) {
-		if (MEDIA_ISSET(this, DTLS) && !this->fingerprint.hash_func && flags->dtls_fingerprint.len)
-			this->fingerprint.hash_func = dtls_find_hash_func(&flags->dtls_fingerprint);
+		if (MEDIA_ISSET(this, DTLS) && !this->fp_hash_func && flags->dtls_fingerprint.len)
+			this->fp_hash_func = dtls_find_hash_func(&flags->dtls_fingerprint);
 	}
 }
 // for an answer, uses the incoming received list of SDES crypto suites to prune
--- a/daemon/sdp.c
+++ b/daemon/sdp.c
@ -2288,12 +2288,16 @@ static void insert_dtls(struct call_media *media, struct sdp_chopper *chop) {
 	if (!call->dtls_cert || !MEDIA_ISSET(media, DTLS) || MEDIA_ISSET(media, PASSTHRU))
 		return;

+	hf = media->fp_hash_func;
+	if (!hf)
+		hf = media->fingerprint.hash_func;
+
 	struct dtls_fingerprint *fp = NULL;
 	for (GList *l = call->dtls_cert->fingerprints.head; l; l = l->next) {
 		fp = l->data;
-		if (!media->fingerprint.hash_func)
+		if (!hf)
 			break;
-		if (!strcasecmp(media->fingerprint.hash_func->name, fp->hash_func->name))
+		if (!strcasecmp(hf->name, fp->hash_func->name))
 			break;
 		fp = NULL;
 	}
@ -2301,6 +2305,7 @@ static void insert_dtls(struct call_media *media, struct sdp_chopper *chop) {
 		fp = call->dtls_cert->fingerprints.head->data;

 	hf = fp->hash_func;
+	media->fp_hash_func = hf;

 	assert(hf->num_bytes > 0);

--- a/include/call.h
+++ b/include/call.h
@ -312,6 +312,7 @@ struct call_media {
 	str			media_id;
 	GQueue			sdes_in, sdes_out;
 	struct dtls_fingerprint fingerprint; /* as received */
+	const struct dtls_hash_func *fp_hash_func; // outgoing

 	GQueue			streams; /* normally RTP + RTCP */
 	GQueue			endpoint_maps;