[Core] Fix DTLS Peer Certificate verification master
authorpraveen-kd-23 <114381678+praveen-kd-23@users.noreply.github.com>
Thu, 2 Apr 2026 15:03:28 +0000 (20:33 +0530)
committerGitHub <noreply@github.com>
Thu, 2 Apr 2026 15:03:28 +0000 (18:03 +0300)
src/include/switch_core.h
src/switch_rtp.c

index ff04fa0954c03814b7470f93cbc4d300d4642e32..f72cbc7880c0e4d956f0cd33e38b36a643226854 100644 (file)
@@ -147,7 +147,7 @@ typedef void(*switch_device_state_function_t)(switch_core_session_t *session, sw
 
 #define DTLS_SRTP_FNAME "dtls-srtp"
 #define MAX_FPLEN 64
-#define MAX_FPSTRLEN 192
+#define MAX_FPSTRLEN 193
 
 typedef struct dtls_fp_s {
        uint32_t len;
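Review bot: The bump of MAX_FPSTRLEN from 192 to 193 has no comment saying where the value comes from, and this header is public, so the define deserves one: it is now the strncasecmp bound used in src/switch_rtp.c and presumably the size of a member of dtls_fp_s (the struct body is cut off at the hunk edge). If a member is sized by it, sizeof(dtls_fingerprint_t) changes and modules built against the old header see a different layout, which the commit message should call out. If 193 was arrived at as one "XX:" triple per digest byte plus the terminator, expressing it that way documents itself: `#define MAX_FPSTRLEN (MAX_FPLEN * 3 + 1) /* "XX:" per digest byte, NUL-terminated; also the strncasecmp bound in switch_rtp.c */`.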
index 20fba2720a88e55b744494122666c6a6bc95d41c..d038566d90b4861809875d1a273fb096e96779e9 100644 (file)
@@ -3233,8 +3233,13 @@ static int dtls_state_setup(switch_rtp_t *rtp_session, switch_dtls_t *dtls)
        if ((dtls->type & DTLS_TYPE_SERVER)) {
                r = 1;
        } else if ((cert = SSL_get_peer_certificate(dtls->ssl))) {
-               switch_core_cert_extract_fingerprint(cert, dtls->remote_fp);
-               r = switch_core_cert_verify(dtls->remote_fp);
+               dtls_fingerprint_t fp = {0};
+
+               fp.type = dtls->remote_fp->type;
+
+               switch_core_cert_extract_fingerprint(cert, &fp);
+               r = (!zstr(fp.str) && !strncasecmp(fp.str, dtls->remote_fp->str, MAX_FPSTRLEN));
+
                X509_free(cert);
        }
 
@@ -3446,9 +3451,12 @@ static int cb_verify_peer(int preverify_ok, X509_STORE_CTX *ctx)
        }
 
        if ((cert = SSL_get_peer_certificate(dtls->ssl))) {
-               switch_core_cert_extract_fingerprint(cert, dtls->remote_fp);
+               dtls_fingerprint_t fp = {0};
 
-               r = switch_core_cert_verify(dtls->remote_fp);
+               fp.type = dtls->remote_fp->type;
+
+               switch_core_cert_extract_fingerprint(cert, &fp);
+               r = (!zstr(fp.str) && !strncasecmp(fp.str, dtls->remote_fp->str, MAX_FPSTRLEN));
 
                X509_free(cert);
        } else {
@@ -4019,8 +4027,6 @@ SWITCH_DECLARE(switch_status_t) switch_rtp_add_dtls(switch_rtp_t *rtp_session, d
        }
        
        BIO_ctrl(dtls->filter_bio, BIO_CTRL_DGRAM_SET_MTU, dtls->mtu, NULL);
-       
-       switch_core_cert_expand_fingerprint(remote_fp, remote_fp->str);
 
        if ((type & DTLS_TYPE_RTP)) {
                rtp_session->dtls = dtls;