From b5146839e61832bb50a57d075e66baba83761738 Mon Sep 17 00:00:00 2001
From: Ben Ford <bford@sangoma.com>
Date: Mon, 4 Aug 2025 12:22:12 -0500
Subject: [PATCH] res_rtp_asterisk: Don't send RTP before DTLS has negotiated.

There was no check in __rtp_sendto that prevented Asterisk from sending
RTP before DTLS had finished negotiating. This patch adds logic to do
so.

Fixes: #1260
---
 res/res_rtp_asterisk.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c
index b94a0fb40e..40f20f1509 100644
--- a/res/res_rtp_asterisk.c
+++ b/res/res_rtp_asterisk.c
@@ -3451,6 +3451,16 @@ static int __rtp_sendto(struct ast_rtp_instance *instance, void *buf, size_t siz
 	struct ast_rtp *transport_rtp = ast_rtp_instance_get_data(transport);
 	struct ast_srtp *srtp = ast_rtp_instance_get_srtp(transport, rtcp);
 	int res;
+#if defined(HAVE_OPENSSL) && (OPENSSL_VERSION_NUMBER >= 0x10001000L) && !defined(OPENSSL_NO_SRTP)
+	char *out = buf;
+	struct dtls_details *dtls = !rtcp ? &rtp->dtls : &rtp->rtcp->dtls;
+
+	/* Don't send RTP if DTLS hasn't finished yet */
+	if (dtls->ssl && ((*out < 20) || (*out > 63)) && dtls->connection == AST_RTP_DTLS_CONNECTION_NEW) {
+		*via_ice = 0;
+		return 0;
+	}
+#endif
 
 	*via_ice = 0;
 
-- 
2.47.2