[asterisk-commits] file: branch file/sha256-a-harsh-reality r417140 - /team/file/sha256-a-harsh-...
Mon Jun 23 13:19:31 CDT 2014
Author: file
Date: Mon Jun 23 13:19:25 2014
New Revision: 417140
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=417140
Log:
Get hold/unhold working.
This change does two things:
1. The return value of SSL_read is used to determine when errors occur versus info callback
2. The SSL structures are cleared and set up on negotiation AND renegotiation
Modified:
team/file/sha256-a-harsh-reality/res/res_rtp_asterisk.c
Modified: team/file/sha256-a-harsh-reality/res/res_rtp_asterisk.c
URL: http://svnview.digium.com/svn/asterisk/team/file/sha256-a-harsh-reality/res/res_rtp_asterisk.c?view=diff&rev=417140&r1=417139&r2=417140
==============================================================================
--- team/file/sha256-a-harsh-reality/res/res_rtp_asterisk.c (original)
+++ team/file/sha256-a-harsh-reality/res/res_rtp_asterisk.c Mon Jun 23 13:19:25 2014
@@ -295,7 +295,6 @@
enum ast_rtp_dtls_hash remote_hash; /*!< Remote hash used for the fingerprint */
unsigned char remote_fingerprint[EVP_MAX_MD_SIZE]; /*!< Fingerprint of the peer certificate */
enum ast_rtp_dtls_connection connection; /*!< Whether this is a new or existing connection */
- unsigned int dtls_failure:1; /*!< Failure occurred during DTLS negotiation */
unsigned int rekey; /*!< Interval at which to renegotiate and rekey */
int rekeyid; /*!< Scheduled item id for rekeying */
int dtlstimerid; /*!< Scheduled item id for DTLS retransmission for RTP */
@@ -794,18 +793,6 @@
#endif
#ifdef HAVE_OPENSSL_SRTP
-static void dtls_info_callback(const SSL *ssl, int where, int ret)
-{
- struct ast_rtp *rtp = SSL_get_ex_data(ssl, 0);
-
- /* We only care about alerts */
- if (!(where & SSL_CB_ALERT)) {
- return;
- }
-
- rtp->dtls_failure = 1;
-}
-
static int dtls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
/* We don't want to actually verify the certificate so just accept what they have provided */
@@ -828,9 +815,6 @@
goto error;
}
- SSL_set_ex_data(rtp->rtcp->ssl, 0, rtp);
- SSL_set_info_callback(rtp->rtcp->ssl, dtls_info_callback);
-
if (!(rtp->rtcp->read_bio = BIO_new(BIO_s_mem()))) {
ast_log(LOG_ERROR, "Failed to allocate memory for inbound SSL traffic on RTCP of RTP instance '%p'\n",
instance);
@@ -846,14 +830,6 @@
BIO_set_mem_eof_return(rtp->rtcp->write_bio, -1);
SSL_set_bio(rtp->rtcp->ssl, rtp->rtcp->read_bio, rtp->rtcp->write_bio);
-
- if (rtp->rtcp->dtls_setup == AST_RTP_DTLS_SETUP_PASSIVE) {
- SSL_set_accept_state(rtp->rtcp->ssl);
- } else {
- SSL_set_connect_state(rtp->rtcp->ssl);
- }
-
- rtp->rtcp->connection = AST_RTP_DTLS_CONNECTION_NEW;
return 0;
@@ -992,9 +968,6 @@
goto error;
}
- SSL_set_ex_data(rtp->ssl, 0, rtp);
- SSL_set_info_callback(rtp->ssl, dtls_info_callback);
-
if (!(rtp->read_bio = BIO_new(BIO_s_mem()))) {
ast_log(LOG_ERROR, "Failed to allocate memory for inbound SSL traffic on RTP instance '%p'\n",
instance);
@@ -1010,14 +983,6 @@
BIO_set_mem_eof_return(rtp->write_bio, -1);
SSL_set_bio(rtp->ssl, rtp->read_bio, rtp->write_bio);
-
- if (rtp->dtls_setup == AST_RTP_DTLS_SETUP_PASSIVE) {
- SSL_set_accept_state(rtp->ssl);
- } else {
- SSL_set_connect_state(rtp->ssl);
- }
-
- rtp->connection = AST_RTP_DTLS_CONNECTION_NEW;
return 0;
@@ -1249,11 +1214,25 @@
#ifdef HAVE_OPENSSL_SRTP
if (rtp->ssl) {
+ SSL_clear(rtp->ssl);
+ if (rtp->dtls_setup == AST_RTP_DTLS_SETUP_PASSIVE) {
+ SSL_set_accept_state(rtp->ssl);
+ } else {
+ SSL_set_connect_state(rtp->ssl);
+ }
+ rtp->connection = AST_RTP_DTLS_CONNECTION_NEW;
SSL_do_handshake(rtp->ssl);
dtls_srtp_check_pending(instance, rtp, 0);
}
if (rtp->rtcp && rtp->rtcp->ssl) {
+ SSL_clear(rtp->rtcp->ssl);
+ if (rtp->rtcp->dtls_setup == AST_RTP_DTLS_SETUP_PASSIVE) {
+ SSL_set_accept_state(rtp->rtcp->ssl);
+ } else {
+ SSL_set_connect_state(rtp->rtcp->ssl);
+ }
+ rtp->rtcp->connection = AST_RTP_DTLS_CONNECTION_NEW;
SSL_do_handshake(rtp->rtcp->ssl);
dtls_srtp_check_pending(instance, rtp, 1);
}
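Review bot: The return value of the added `SSL_clear(rtp->ssl)` (and of the `SSL_clear(rtp->rtcp->ssl)` below it) is not checked; SSL_clear returns 0 when the object cannot be reset, and the code then proceeds straight into SSL_do_handshake on an object whose state is unknown. The same eight-line reset sequence now appears four times, twice here and twice in the hunk at `@@ -4636`, which invites the copies drifting apart the next time one of them is touched. A small static helper that clears the object, picks accept/connect state from dtls_setup and marks the connection new would let each call site check a single result. The fence sketches that helper and one call site; how a failed reset should be reported depends on the enclosing function's return convention, which lies outside this hunk.
```c
/* Reset an SSL object for a fresh (re)negotiation and mark the connection as new.
 * Returns 0 on success, -1 if SSL_clear() reports failure. */
static int dtls_srtp_reset(SSL *ssl, enum ast_rtp_dtls_setup setup, enum ast_rtp_dtls_connection *connection)
{
	if (!SSL_clear(ssl)) {
		return -1;
	}
	if (setup == AST_RTP_DTLS_SETUP_PASSIVE) {
		SSL_set_accept_state(ssl);
	} else {
		SSL_set_connect_state(ssl);
	}
	*connection = AST_RTP_DTLS_CONNECTION_NEW;
	return 0;
}

	if (rtp->ssl) {
		if (dtls_srtp_reset(rtp->ssl, rtp->dtls_setup, &rtp->connection) < 0) {
			ast_log(LOG_ERROR, "Failed to reset DTLS state on RTP instance '%p'\n", instance);
		} else {
			SSL_do_handshake(rtp->ssl);
			dtls_srtp_check_pending(instance, rtp, 0);
		}
	}
	/* … unchanged: same pattern for rtp->rtcp->ssl with rtcp flag 1 … */
```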
@@ -1742,13 +1721,13 @@
len = SSL_read(ssl, buf, len);
- dtls_srtp_check_pending(instance, rtp, rtcp);
-
- if (rtp->dtls_failure) {
+ if ((len < 0) && (SSL_get_error(ssl, len) == SSL_ERROR_SSL)) {
ast_log(LOG_ERROR, "DTLS failure occurred on RTP instance '%p', terminating\n",
instance);
return -1;
}
+
+ dtls_srtp_check_pending(instance, rtp, rtcp);
if (SSL_is_init_finished(ssl)) {
/* Any further connections will be existing since this is now established */
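Review bot: The new guard `if ((len < 0) && (SSL_get_error(ssl, len) == SSL_ERROR_SSL))` does not cover a 0 return from SSL_read, for which SSL_get_error can still report SSL_ERROR_SSL or SSL_ERROR_SYSCALL (for instance an unexpected end of the underlying BIO), so those failures fall through to dtls_srtp_check_pending and SSL_is_init_finished with len == 0 instead of terminating. Widening it to `int err = SSL_get_error(ssl, len);` followed by `if ((len <= 0) && (err == SSL_ERROR_SSL || err == SSL_ERROR_SYSCALL))` keeps SSL_ERROR_WANT_READ/WANT_WRITE (the normal state mid-handshake) non-fatal while catching both shapes of failure; whether SSL_ERROR_ZERO_RETURN (peer close_notify) should also terminate depends on what the caller does with len afterwards, which is outside the hunk. SSL_get_error classifies using the thread's error queue, so a stale entry left by an earlier OpenSSL call can misreport the result; calling `ERR_clear_error()` just before the `SSL_read` on the first line of the hunk keeps the classification reliable. The enclosing function starts and ends outside this hunk.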
@@ -4636,10 +4615,24 @@
#endif
if (rtp->ssl) {
+ SSL_clear(rtp->ssl);
+ if (rtp->dtls_setup == AST_RTP_DTLS_SETUP_PASSIVE) {
+ SSL_set_accept_state(rtp->ssl);
+ } else {
+ SSL_set_connect_state(rtp->ssl);
+ }
+ rtp->connection = AST_RTP_DTLS_CONNECTION_NEW;
SSL_do_handshake(rtp->ssl);
dtls_srtp_check_pending(instance, rtp, 0);
}
if (rtp->rtcp && rtp->rtcp->ssl) {
+ SSL_clear(rtp->rtcp->ssl);
+ if (rtp->rtcp->dtls_setup == AST_RTP_DTLS_SETUP_PASSIVE) {
+ SSL_set_accept_state(rtp->rtcp->ssl);
+ } else {
+ SSL_set_connect_state(rtp->rtcp->ssl);
+ }
+ rtp->rtcp->connection = AST_RTP_DTLS_CONNECTION_NEW;
SSL_do_handshake(rtp->rtcp->ssl);
dtls_srtp_check_pending(instance, rtp, 1);
}