Added permanent fix =]
Index: .version
===================================================================
--- .version (revision 414969)
+++ .version (working copy)
@@ -1 +1 @@
-11.10.0
+11.10.0-x2
Index: include/asterisk/rtp_engine.h
===================================================================
--- include/asterisk/rtp_engine.h (revision 414969)
+++ include/asterisk/rtp_engine.h (working copy)
@@ -375,7 +375,7 @@
/*! \brief DTLS fingerprint hashes */
enum ast_rtp_dtls_hash {
- AST_RTP_DTLS_HASH_SHA1, /*!< SHA-1 fingerprint hash */
+ AST_RTP_DTLS_HASH_SHA256, /*!< SHA-256 fingerprint hash */
};
/*! \brief DTLS configuration structure */
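Review bot: Replacing the AST_RTP_DTLS_HASH_SHA1 enumerator with AST_RTP_DTLS_HASH_SHA256 removes SHA-1 fingerprint support from a public header rather than adding SHA-256 beside it, so every engine and channel call site that dispatches on this enum (the res_rtp_asterisk.c hunks at 1046 and 1059 and the chan_sip.c hunks at 11037 and 12730) now handles exactly one hash and rejects a peer that still signals sha-1, and any out-of-tree module naming the old value stops compiling. Keeping the existing value and appending the new one, `AST_RTP_DTLS_HASH_SHA1, /*!< SHA-1 fingerprint hash */` then `AST_RTP_DTLS_HASH_SHA256, /*!< SHA-256 fingerprint hash */`, would let the SDP parser choose the digest from the received hash name instead of hard-coding one. The enum is the only change in this hunk; the hard-coding happens at the call sites.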
Index: res/res_rtp_asterisk.c
===================================================================
--- res/res_rtp_asterisk.c (revision 414969)
+++ res/res_rtp_asterisk.c (working copy)
@@ -787,12 +787,42 @@
{
struct ast_rtp *rtp = SSL_get_ex_data(ssl, 0);
+ const char *str;
+ int w;
+ w=where& ~SSL_ST_MASK;
+ if (w & SSL_ST_CONNECT) str="SSL_connect";
+ else if (w & SSL_ST_ACCEPT) str="SSL_accept";
+ else str="undefined";
+ if (where & SSL_CB_LOOP)
+ {
+ ast_log(LOG_ERROR,"%s:%s\n",str,SSL_state_string_long(ssl));
+ }
+ else if (where & SSL_CB_ALERT)
+ {
+ str=(where & SSL_CB_READ)?"read":"write";
+ ast_log(LOG_ERROR,"SSL3 alert %s:%s:%s\n",
+ str,
+ SSL_alert_type_string_long(ret),
+ SSL_alert_desc_string_long(ret));
+ }
+ else if (where & SSL_CB_EXIT)
+ {
+ if (ret == 0)
+ ast_log(LOG_ERROR,"%s:failed in %s\n",
+ str,SSL_state_string_long(ssl));
+ else if (ret < 0)
+ {
+ ast_log(LOG_ERROR,"%s:error in %s\n",
+ str,SSL_state_string_long(ssl));
+ }
+ }
+
/* We only care about alerts */
if (!(where & SSL_CB_ALERT)) {
return;
}
- rtp->dtls_failure = 1;
+ //rtp->dtls_failure = 1;
}
static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, const struct ast_rtp_dtls_cfg *dtls_cfg)
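Review bot: Commenting out `rtp->dtls_failure = 1;` at the end of the callback leaves an SSL alert with no effect on the instance: the retained guard `if (!(where & SSL_CB_ALERT))` still returns early for every other event, so the alert path now only logs and the session is never marked failed, which presumably is the flag the rest of the engine uses to abandon a broken handshake (its readers are outside this hunk). If a benign close-notify was tripping the flag, the fix is to keep `rtp->dtls_failure = 1;` and apply it only to fatal alerts, using the alert level in the high byte of `ret` that SSL_alert_type_string_long already decodes, rather than to delete the assignment. The added tracing logs every SSL_CB_LOOP state transition at LOG_ERROR, which will flood the log on a busy system; per-handshake tracing belongs at LOG_DEBUG. The new lines also use `w=where& ~SSL_ST_MASK`, Allman braces, an unbraced two-line `if (ret == 0)` body and a `//` comment, none of which match the K&R style of the retained lines. The enclosing function's signature is outside the hunk.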
@@ -851,7 +881,7 @@
if (!BIO_read_filename(certbio, dtls_cfg->certfile) ||
!(cert = PEM_read_bio_X509(certbio, NULL, 0, NULL)) ||
- !X509_digest(cert, EVP_sha1(), fingerprint, &size) ||
+ !X509_digest(cert, EVP_sha256(), fingerprint, &size) ||
!size) {
ast_log(LOG_ERROR, "Could not produce fingerprint from certificate '%s' for RTP instance '%p'\n",
dtls_cfg->certfile, instance);
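Review bot: Switching X509_digest to EVP_sha256() makes `size` 32 bytes instead of 20, and the local fingerprint string this digest is then hex-formatted into is declared and filled outside the hunk; it needs room for 95 characters plus NUL (two hex digits per byte and a ':' between bytes) or the formatting will truncate or overrun depending on how that loop is bounded. Worth confirming that declaration and the loop bound together with this change, and recording the assumption next to the digest call, e.g. `/* SHA-256: 32-byte digest, 95 chars plus NUL once hex-encoded with ':' separators */`.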
@@ -1046,7 +1076,7 @@
int pos = 0;
struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);
- if (hash != AST_RTP_DTLS_HASH_SHA1) {
+ if (hash != AST_RTP_DTLS_HASH_SHA256) {
return;
}
@@ -1059,7 +1089,7 @@
{
struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);
- if (hash != AST_RTP_DTLS_HASH_SHA1) {
+ if (hash != AST_RTP_DTLS_HASH_SHA256) {
return NULL;
}
@@ -1432,7 +1462,7 @@
unsigned char fingerprint[EVP_MAX_MD_SIZE];
unsigned int size;
- if (!X509_digest(certificate, EVP_sha1(), fingerprint, &size) ||
+ if (!X509_digest(certificate, EVP_sha256(), fingerprint, &size) ||
!size ||
memcmp(fingerprint, rtp->remote_fingerprint, size)) {
X509_free(certificate);
@@ -1446,7 +1476,7 @@
}
/* Ensure that certificate verification was successful */
- if (SSL_get_verify_result(rtp->ssl) != X509_V_OK) {
+ if (SSL_get_verify_result(rtp->ssl) != X509_V_OK && SSL_get_verify_result(rtp->ssl) != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) {
ast_log(LOG_WARNING, "Peer certificate on RTP instance '%p' failed verification test\n",
instance);
return -1;
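Review bot: Tolerating X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT here is only sound because the hunk at 1432 directly above has already bound the peer certificate to the fingerprint signaled in SDP, which makes that fingerprint the sole trust anchor for the session; that reasoning is not written down, and the condition calls SSL_get_verify_result twice. I would capture the result once and say why self-signed is acceptable: `long verify_result = SSL_get_verify_result(rtp->ssl);` then `/* Self-signed certificates are expected for DTLS-SRTP; trust comes from the a=fingerprint match above, not from a CA chain */` before `if (verify_result != X509_V_OK && verify_result != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) {`. Since that fingerprint match now compares `size` (32) bytes against rtp->remote_fingerprint, it is worth confirming that the parser in set_fingerprint always fills 32 bytes, otherwise the memcmp covers stale bytes past what was parsed. The enclosing function starts outside both hunks.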
Index: channels/chan_sip.c
===================================================================
--- channels/chan_sip.c (revision 414969)
+++ channels/chan_sip.c (working copy)
@@ -10494,13 +10494,24 @@
(processed == TRUE)? "OK." : "UNSUPPORTED OR FAILED.");
}
- /* Ensure crypto lines are provided where necessary */
- if (audio && secure_audio && !processed_crypto) {
- ast_log(LOG_WARNING, "Rejecting secure audio stream without encryption details: %s\n", m);
- return -1;
- } else if (video && secure_video && !processed_crypto) {
- ast_log(LOG_WARNING, "Rejecting secure video stream without encryption details: %s\n", m);
- return -1;
+ {
+ /* Ensure crypto lines are provided where necessary */
+ struct ast_rtp_engine_dtls *dtls;
+ if (audio &&
+ secure_audio && !(
+ processed_crypto || (
+ (dtls = ast_rtp_instance_get_dtls(p->rtp)) &&
+ dtls->active(p->rtp)))) {
+ ast_log(LOG_WARNING, "Rejecting secure audio stream without encryption details: %s\n", m);
+ return -1;
+ } else if (video &&
+ secure_video && !(
+ processed_crypto || (
+ (dtls = ast_rtp_instance_get_dtls(p->vrtp)) &&
+ dtls->active(p->vrtp)))) {
+ ast_log(LOG_WARNING, "Rejecting secure video stream without encryption details: %s\n", m);
+ return -1;
+ }
}
}
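Review bot: The new condition accepts a secure audio or video stream with no crypto attribute whenever `dtls->active(p->rtp)` is true, and active() appears to report the local instance's DTLS configuration rather than anything in the offer being parsed (the engine's implementation is outside this file), so an SDP that declares a secure profile but carries neither a=crypto nor a=fingerprint is no longer rejected at this point and the failure is deferred to the handshake. If that is intended, say so where the check is relaxed, e.g. `/* DTLS-SRTP offers carry no a=crypto line; the peer is authenticated later by its a=fingerprint during the handshake */`. Stylistically, the bare `{ ... }` block opened only to declare `dtls` mid-function, and the condition broken across five lines with `!(` at a line end, read poorly next to the retained K&R code; declaring `dtls` with the function's other locals and evaluating it once per stream before each `if` would keep the original layout.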
@@ -11037,11 +11048,11 @@
ast_log(LOG_WARNING, "Unsupported connection attribute value '%s' received on dialog '%s'\n",
value, p->callid);
}
- } else if (sscanf(a, "fingerprint: %5s %255s", hash, value) == 2) {
+ } else if (sscanf(a, "fingerprint:%s %255s", hash, value) == 2) {
found = TRUE;
- if (!strcasecmp(hash, "sha-1")) {
- dtls->set_fingerprint(instance, AST_RTP_DTLS_HASH_SHA1, value);
+ if (!strcasecmp(hash, "sha-256")) {
+ dtls->set_fingerprint(instance, AST_RTP_DTLS_HASH_SHA256, value);
} else {
ast_log(LOG_WARNING, "Unsupported fingerprint hash type '%s' received on dialog '%s'\n",
hash, p->callid);
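Review bot: Dropping the width from `%5s` to a bare `%s` turns the hash conversion into an unbounded write into `hash`, a fixed-size stack buffer declared outside the hunk, from an SDP attribute the remote party controls, so an over-long token on an a=fingerprint line overflows it. The width was evidently removed because `%5s` truncates "sha-256"; the fix is a width that fits the longer name but still bounds the write, `} else if (sscanf(a, "fingerprint:%7s %255s", hash, value) == 2) {`, with 7 adjusted to the declared size of `hash` minus one if that is smaller. The removed space after the colon changes nothing, since `%s` skips leading whitespace anyway. With the enum now holding only SHA-256, a peer offering sha-1 falls into the "Unsupported fingerprint hash type" branch; if both are meant to be supported, this comparison is where to dispatch on the name.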
@@ -12730,8 +12741,8 @@
break;
}
- if ((fingerprint = dtls->get_fingerprint(instance, AST_RTP_DTLS_HASH_SHA1))) {
- ast_str_append(a_buf, 0, "a=fingerprint:SHA-1 %s\r\n", fingerprint);
+ if ((fingerprint = dtls->get_fingerprint(instance, AST_RTP_DTLS_HASH_SHA256))) {
+ ast_str_append(a_buf, 0, "a=fingerprint:SHA-256 %s\r\n", fingerprint);
}
}