From 4a173c2ebcc26766c8bdf6bee0860357a50a1454 Mon Sep 17 00:00:00 2001
From: Richard Fuchs
Date: Fri, 4 Feb 2022 12:25:21 -0500
Subject: [PATCH] TT#14008 fix erroneous crypto reset after rejecting DTLS

If DTLS is rejected in an answer via `DTLS=off` we must forget that DTLS was previously offered, as otherwise a re-invite would detect the fingerprint as changed if the re-invite doesn't offer DTLS again.

We also make sure DTLS is shut down if during stream init DTLS is not given, when it was present before.

Change-Id: I48ee6f0ec5ec02f558a6799951552ea2272d0e96
---
 daemon/call.c | 8 +++++++-
 daemon/dtls.c | 6 +++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/daemon/call.c b/daemon/call.c
index 133635ff5..11e0925ce 100644
--- a/daemon/call.c
+++ b/daemon/call.c
@@ -1142,6 +1142,8 @@ static void __fill_stream(struct packet_stream *ps, const struct endpoint *epp,
 }
 
 void call_stream_crypto_reset(struct packet_stream *ps) {
+ ilog(LOG_DEBUG, "Resetting crypto context");
+
 crypto_reset(&ps->crypto);
 
 mutex_lock(&ps->in_lock);
@@ -1226,6 +1228,8 @@ int __init_stream(struct packet_stream *ps) {
 if (dtls_conn)
 dtls_active = dtls_is_active(dtls_conn);
 }
+ else
+ dtls_shutdown(ps);
 
 if (MEDIA_ISSET(media, SDES) && dtls_active == -1) {
 for (GList *l = ps->sfds.head; l; l = l->next) {
@@ -1646,8 +1650,10 @@ static void __generate_crypto(const struct sdp_ng_flags *flags, struct call_medi
 else {
 /* if both SDES and DTLS are supported, we may use the flags to select one
 * over the other */
- if (MEDIA_ARESET2(this, DTLS, SDES) && flags->dtls_off)
+ if (MEDIA_ARESET2(this, DTLS, SDES) && flags->dtls_off) {
 MEDIA_CLEAR(this, DTLS);
+ this->fingerprint.hash_func = NULL;
+ }
 
 /* flags->sdes_off is ignored as we prefer DTLS by default */
 /* if we're talking to someone understanding DTLS, then skip the SDES stuff */
diff --git a/daemon/dtls.c b/daemon/dtls.c
index 12a3c6f9a..df3399480 100644
--- a/daemon/dtls.c
+++ b/daemon/dtls.c
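Review bot: The new `else` branch in __init_stream (@@ -1226) calls dtls_shutdown() on every pass through the function that has no DTLS connection, not only when DTLS was present before, so its correctness rests on dtls_shutdown() being harmless for a stream that never had DTLS. The companion change in daemon/dtls.c guards only the crypto reset with `had_dtls`; the certificate release and connection cleanup visible there still run unconditionally, which is presumably a no-op on an untouched stream but is not stated anywhere. A comment on the new branch would make the dependency explicit: `/* no DTLS on this stream (any more): tear down leftover DTLS state; must stay a no-op when there never was any */`. The `if` this `else` belongs to, and the rest of __init_stream, lie outside the hunk.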
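Review bot: In __generate_crypto (@@ -1646) only `hash_func` is cleared when DTLS is rejected; if `this->fingerprint` also carries the digest bytes and their length, as the name suggests, those survive and any later comparison that looks at more than `hash_func` still sees the stale offer. Resetting the whole struct is the safer forget, e.g. `memset(&this->fingerprint, 0, sizeof(this->fingerprint));` in place of the `hash_func = NULL` line, provided the struct holds no separately owned pointers. The reset also happens only on the `MEDIA_ARESET2(this, DTLS, SDES) && flags->dtls_off` path; if `DTLS=off` can reject DTLS on another path (a DTLS-only offer, say), that path presumably needs the same reset or the original re-invite problem persists there. The function continues outside the hunk.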
@@ -791,9 +791,11 @@ void dtls_shutdown(struct packet_stream *ps) {
 __DBG("dtls_shutdown");
 
+ bool had_dtls = false;
 if (ps->ice_dtls.init) {
 if (ps->ice_dtls.connected && ps->ice_dtls.ssl) {
+ had_dtls = true;
 SSL_shutdown(ps->ice_dtls.ssl);
 }
 dtls_connection_cleanup(&ps->ice_dtls);
@@ -806,6 +808,7 @@ void dtls_shutdown(struct packet_stream *ps) {
 continue;
 if (d->connected && d->ssl) {
+ had_dtls = true;
 SSL_shutdown(d->ssl);
 dtls(sfd, NULL, &ps->endpoint);
 }
@@ -821,7 +824,8 @@ void dtls_shutdown(struct packet_stream *ps) {
 ps->dtls_cert = NULL;
 }
 
- call_stream_crypto_reset(ps);
+ if (had_dtls)
+ call_stream_crypto_reset(ps);
 }
 
 void dtls_connection_cleanup(struct dtls_connection *c) {
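Review bot: `had_dtls` becomes true only inside the `connected && ssl` branches (here and in the sfd loop at @@ -806), so a stream whose DTLS was initialised but never reached the connected state keeps its crypto context when dtls_shutdown() runs; that is correct only if the context is derived exclusively after the handshake completes, which these hunks cannot show. The reason for the guard at @@ -821 is also not recorded, and it matters now that __init_stream calls dtls_shutdown() for every non-DTLS stream: without it an SDES-negotiated context would be wiped. A comment at the declaration would pin the contract: `/* only reset the crypto context if it came from a DTLS session; an SDES context on a stream that never had DTLS must survive this call */`. The start of dtls_shutdown() precedes the first hunk.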