From 28248607f03bfd3e5fc6b29e0528edfd4f04a601 Mon Sep 17 00:00:00 2001
From: Marvin W
Date: Wed, 9 Feb 2022 23:52:47 +0100
Subject: DTLS: Handle DTLS fingerprint in transport-info before session-accept
---
 plugins/ice/src/transport_parameters.vala | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)
(limited to 'plugins/ice/src')
diff --git a/plugins/ice/src/transport_parameters.vala b/plugins/ice/src/transport_parameters.vala
index fdeebb82..66dde8b1 100644
--- a/plugins/ice/src/transport_parameters.vala
+++ b/plugins/ice/src/transport_parameters.vala
@@ -160,13 +160,25 @@ public class Dino.Plugins.Ice.TransportParameters : JingleIceUdp.IceUdpTransport
 }
 }
+ private bool bytes_equal(uint8[] a1, uint8[] a2) {
+ return a1.length == a2.length && Memory.cmp(a1, a2, a1.length) == 0;
+ }
+
 public override void handle_transport_accept(StanzaNode transport) throws Jingle.IqError {
 debug("on_transport_accept from %s", peer_full_jid.to_string());
 base.handle_transport_accept(transport);
 if (dtls_srtp_handler != null && peer_fingerprint != null) {
- dtls_srtp_handler.peer_fingerprint = peer_fingerprint;
- dtls_srtp_handler.peer_fp_algo = peer_fp_algo;
+ if (dtls_srtp_handler.peer_fingerprint != null) {
+ if (!bytes_equal(dtls_srtp_handler.peer_fingerprint, peer_fingerprint)) {
+ warning("Tried to replace certificate fingerprint mid use. We don't allow that.");
+ peer_fingerprint = dtls_srtp_handler.peer_fingerprint;
+ peer_fp_algo = dtls_srtp_handler.peer_fp_algo;
+ }
+ } else {
+ dtls_srtp_handler.peer_fingerprint = peer_fingerprint;
+ dtls_srtp_handler.peer_fp_algo = peer_fp_algo;
+ }
 if (peer_setup == "passive") {
 dtls_srtp_handler.mode = DtlsSrtp.Mode.CLIENT;
 dtls_srtp_handler.stop_dtls_connection();
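Review bot: The mismatch branch in handle_transport_accept restores `peer_fingerprint` and `peer_fp_algo`, but the `peer_setup` check directly below still runs and can switch the DTLS mode and call `stop_dtls_connection()` on the strength of a stanza whose fingerprint was just rejected. Whether `base.handle_transport_accept(transport)` also overwrites `peer_setup` is not visible here, so that needs confirming; if it does, the rejected update should stop at that point, for example by throwing the `Jingle.IqError` the method already declares rather than only logging. The warning also does not say which session was affected; `warning("Peer %s tried to replace the DTLS fingerprint mid use, keeping the pinned one.", peer_full_jid.to_string());` would make the log line usable for triage. The function body continues past the end of the hunk.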
@@ -186,6 +198,19 @@ public class Dino.Plugins.Ice.TransportParameters : JingleIceUdp.IceUdpTransport
 debug("on_transport_info from %s", peer_full_jid.to_string());
 base.handle_transport_info(transport);
+ if (dtls_srtp_handler != null && peer_fingerprint != null) {
+ if (dtls_srtp_handler.peer_fingerprint != null) {
+ if (!bytes_equal(dtls_srtp_handler.peer_fingerprint, peer_fingerprint)) {
+ warning("Tried to replace certificate fingerprint mid use. We don't allow that.");
+ peer_fingerprint = dtls_srtp_handler.peer_fingerprint;
+ peer_fp_algo = dtls_srtp_handler.peer_fp_algo;
+ }
+ } else {
+ dtls_srtp_handler.peer_fingerprint = peer_fingerprint;
+ dtls_srtp_handler.peer_fp_algo = peer_fp_algo;
+ }
+ }
+
 if (!we_want_connection) return;
 if (remote_ufrag != null && remote_pwd != null && !remote_credentials_set) {
--
cgit v1.2.3-70-g09d2
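Review bot: The pinning block added to handle_transport_info is a line-for-line copy of the one in handle_transport_accept, so the two copies of this security check can drift apart; a private helper called from both handlers would keep a single definition. The comparison also covers only the fingerprint bytes: a stanza carrying the same bytes with a different `peer_fp_algo` passes without a warning and leaves this object's `peer_fp_algo` out of step with the handler's. The sketch below folds the algorithm into the check, assuming `peer_fp_algo` is a string (its declaration is not in the diff). handle_transport_info continues outside the hunk.

```vala
// Pins the first fingerprint/algorithm pair seen for this session; later differing values are ignored.
private void pin_peer_fingerprint() {
    if (dtls_srtp_handler == null || peer_fingerprint == null) return;
    if (dtls_srtp_handler.peer_fingerprint == null) {
        dtls_srtp_handler.peer_fingerprint = peer_fingerprint;
        dtls_srtp_handler.peer_fp_algo = peer_fp_algo;
        return;
    }
    if (!bytes_equal(dtls_srtp_handler.peer_fingerprint, peer_fingerprint)
            || dtls_srtp_handler.peer_fp_algo != peer_fp_algo) {
        warning("Tried to replace certificate fingerprint mid use. We don't allow that.");
        peer_fingerprint = dtls_srtp_handler.peer_fingerprint;
        peer_fp_algo = dtls_srtp_handler.peer_fp_algo;
    }
}

// in handle_transport_info, after base.handle_transport_info(transport):
pin_peer_fingerprint();
// … unchanged: we_want_connection check and remote credential handling …
```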