ben.carrasco/freeswitch
1
0
Fork 0
mirror of https://github.com/signalwire/freeswitch.git synced 2026-05-06 08:47:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

[Core] Fix DTLS Peer Certificate verification

Browse Source
This commit is contained in:
praveen-kd-23
2026-04-02 20:33:28 +05:30
committed by GitHub
parent 14b8295dbc
commit 8babcee3ea
2 changed files with 13 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/include/switch_core.h
+1 -1
View File
@@ -147,7 +147,7 @@ typedef void(*switch_device_state_function_t)(switch_core_session_t *session, sw
#define DTLS_SRTP_FNAME "dtls-srtp" #define DTLS_SRTP_FNAME "dtls-srtp"
#define MAX_FPLEN 64 #define MAX_FPLEN 64
#define MAX_FPSTRLEN 192 #define MAX_FPSTRLEN 193
typedef struct dtls_fp_s { typedef struct dtls_fp_s {
uint32_t len; uint32_t len;
src/switch_rtp.c
+12 -6
View File
@@ -3233,8 +3233,13 @@ static int dtls_state_setup(switch_rtp_t *rtp_session, switch_dtls_t *dtls)
if ((dtls->type & DTLS_TYPE_SERVER)) { if ((dtls->type & DTLS_TYPE_SERVER)) {
r = 1; r = 1;
} else if ((cert = SSL_get_peer_certificate(dtls->ssl))) { } else if ((cert = SSL_get_peer_certificate(dtls->ssl))) {
switch_core_cert_extract_fingerprint(cert, dtls->remote_fp); dtls_fingerprint_t fp = {0};
r = switch_core_cert_verify(dtls->remote_fp);
fp.type = dtls->remote_fp->type;
switch_core_cert_extract_fingerprint(cert, &fp);
r = (!zstr(fp.str) && !strncasecmp(fp.str, dtls->remote_fp->str, MAX_FPSTRLEN));
X509_free(cert); X509_free(cert);
} }
@@ -3446,9 +3451,12 @@ static int cb_verify_peer(int preverify_ok, X509_STORE_CTX *ctx)
} }
if ((cert = SSL_get_peer_certificate(dtls->ssl))) { if ((cert = SSL_get_peer_certificate(dtls->ssl))) {
switch_core_cert_extract_fingerprint(cert, dtls->remote_fp); dtls_fingerprint_t fp = {0};
r = switch_core_cert_verify(dtls->remote_fp); fp.type = dtls->remote_fp->type;
switch_core_cert_extract_fingerprint(cert, &fp);
r = (!zstr(fp.str) && !strncasecmp(fp.str, dtls->remote_fp->str, MAX_FPSTRLEN));
X509_free(cert); X509_free(cert);
} else { } else {
@@ -4019,8 +4027,6 @@ SWITCH_DECLARE(switch_status_t) switch_rtp_add_dtls(switch_rtp_t *rtp_session, d
} }
BIO_ctrl(dtls->filter_bio, BIO_CTRL_DGRAM_SET_MTU, dtls->mtu, NULL); BIO_ctrl(dtls->filter_bio, BIO_CTRL_DGRAM_SET_MTU, dtls->mtu, NULL);
switch_core_cert_expand_fingerprint(remote_fp, remote_fp->str);
if ((type & DTLS_TYPE_RTP)) { if ((type & DTLS_TYPE_RTP)) {
rtp_session->dtls = dtls; rtp_session->dtls = dtls;