From dc4775d5ce655097e888e9de913ca009bd1f95c4 Mon Sep 17 00:00:00 2001
From: Richard Fuchs
Date: Wed, 14 Oct 2020 16:03:19 -0400
Subject: [PATCH] TT#97302 respond with the same DTLS hash func as was offered
Change-Id: Id72df1083b5d329fa33875853981ec471440a6c1
---
 daemon/dtls.c | 10 ++++++++--
 daemon/sdp.c | 16 ++++++++++++++--
 include/dtls.h | 2 +-
 perl/NGCP/Rtpengine/AutoTest.pm | 1 +
 t/auto-daemon-tests.pl | 4 ++--
 5 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/daemon/dtls.c b/daemon/dtls.c
index 9ddabfe97..3dbe1dea4 100644
--- a/daemon/dtls.c
+++ b/daemon/dtls.c
@@ -125,6 +125,7 @@ static void cert_free(void *p) {
 EVP_PKEY_free(cert->pkey);
 if (cert->x509) X509_free(cert->x509);
+ g_queue_clear_full(&cert->fingerprints, free);
 }
 static void buf_dump_free(char *buf, size_t len) {
@@ -258,8 +259,13 @@ static int cert_init(void) {
 /* digest */
 new_cert = obj_alloc0("dtls_cert", sizeof(*new_cert), cert_free);
- new_cert->fingerprint.hash_func = &hash_funcs[0];
- dtls_fingerprint_hash(&new_cert->fingerprint, x509);
+
+ for (int i = 0; i < num_hash_funcs; i++) {
+ struct dtls_fingerprint *fp = malloc(sizeof(*fp));
+ fp->hash_func = &hash_funcs[i];
+ dtls_fingerprint_hash(fp, x509);
+ g_queue_push_tail(&new_cert->fingerprints, fp);
+ }
 new_cert->x509 = x509;
 new_cert->pkey = pkey;
diff --git a/daemon/sdp.c b/daemon/sdp.c
index 712c66d98..b969adbea 100644
--- a/daemon/sdp.c
+++ b/daemon/sdp.c
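Review bot: The `malloc(sizeof(*fp))` inside the new loop in cert_init is not checked, so an allocation failure turns `fp->hash_func = &hash_funcs[i];` on the next line into a write through a null pointer. This runs once at certificate setup, so either abort explicitly with `if (!fp) abort();` or take cert_init's error path, which lies outside the hunk, after releasing x509 and pkey. The malloc/free pairing does line up with the `g_queue_clear_full(&cert->fingerprints, free)` added to cert_free in the first hunk of this file; if the allocation is ever moved to g_malloc, both sites must change together. Pushing onto `new_cert->fingerprints` without a g_queue_init call relies on obj_alloc0 zero-filling the object, as its name suggests (a zeroed GQueue is a valid empty queue); a one-line comment such as `/* fingerprints is a valid empty GQueue: obj_alloc0 zero-fills */` would spare the next reader the search for an init call.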
@@ -2193,11 +2193,23 @@ static void insert_dtls(struct call_media *media, struct sdp_chopper *chop) {
 if (!call->dtls_cert || !MEDIA_ISSET(media, DTLS) || MEDIA_ISSET(media, PASSTHRU)) return;
- hf = call->dtls_cert->fingerprint.hash_func;
+ struct dtls_fingerprint *fp = NULL;
+ for (GList *l = call->dtls_cert->fingerprints.head; l; l = l->next) {
+ fp = l->data;
+ if (!media->fingerprint.hash_func)
+ break;
+ if (!strcasecmp(media->fingerprint.hash_func->name, fp->hash_func->name))
+ break;
+ fp = NULL;
+ }
+ if (!fp) // use first if no match
+ fp = call->dtls_cert->fingerprints.head->data;
+
+ hf = fp->hash_func;
 assert(hf->num_bytes > 0);
- p = call->dtls_cert->fingerprint.digest;
+ p = fp->digest;
 o = hexbuf;
 for (i = 0; i < hf->num_bytes; i++) o += sprintf(o, "%02X:", *p++);
diff --git a/include/dtls.h b/include/dtls.h
index e67a0e430..2690f13ca 100644
--- a/include/dtls.h
+++ b/include/dtls.h
@@ -41,7 +41,7 @@ struct dtls_fingerprint {
 struct dtls_cert {
 struct obj obj;
- struct dtls_fingerprint fingerprint;
+ GQueue fingerprints;
 EVP_PKEY *pkey;
 X509 *x509;
 time_t expires;
diff --git a/perl/NGCP/Rtpengine/AutoTest.pm b/perl/NGCP/Rtpengine/AutoTest.pm
index b00258e0a..3976da36c 100644
--- a/perl/NGCP/Rtpengine/AutoTest.pm
+++ b/perl/NGCP/Rtpengine/AutoTest.pm
@@ -125,6 +125,7 @@ sub offer_answer {
 $regexp =~ s/CRYPTO192/([0-9a-zA-Z\/+]{51})/gs;
 $regexp =~ s/CRYPTO256/([0-9a-zA-Z\/+]{62})/gs;
 $regexp =~ s/LOOPER/([0-9a-f]{12})/gs;
+ $regexp =~ s/FINGERPRINT256/([0-9a-fA-F:]{95})/gs;
 $regexp =~ s/FINGERPRINT/([0-9a-fA-F:]{59})/gs;
 my $crlf = crlf($resp->{sdp});
 like $crlf, qr/$regexp/s, "$name - output '$cmd' SDP";
diff --git a/t/auto-daemon-tests.pl b/t/auto-daemon-tests.pl
index 0680aaa6e..253988cdf 100755
--- a/t/auto-daemon-tests.pl
+++ b/t/auto-daemon-tests.pl
@@ -1872,7 +1872,7 @@ a=rtpmap:0 PCMU/8000
 a=sendrecv
 a=rtcp:PORT
 a=setup:active
-a=fingerprint:sha-1 FINGERPRINT
+a=fingerprint:sha-256 FINGERPRINT256
 SDP
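Review bot: `fp = call->dtls_cert->fingerprints.head->data;` in the no-match fallback dereferences `head` without checking it, so a cert whose fingerprint list is empty (num_hash_funcs of 0, or a cert built by an older cert_init) is a null dereference instead of the early return the function takes a few lines above for a missing cert; `if (!call->dtls_cert->fingerprints.head) return;` before the loop would keep that shape. The bound on `hexbuf` also deserves a look: its declaration is outside the hunk, the old code always wrote the hash_funcs[0] digest, and the new code writes whichever list entry matches the hash function the peer named in its offer (`media->fingerprint.hash_func`), so the `sprintf(o, "%02X:", *p++)` loop now needs hexbuf sized for the largest `num_bytes` in hash_funcs, three characters per byte plus the terminator. The existing `assert(hf->num_bytes > 0)` does not cover that; if hexbuf is a local array, `assert(hf->num_bytes * 3 < sizeof(hexbuf));` next to it pins the bound. insert_dtls continues past the end of the hunk.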
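Review bot: The new `GQueue fingerprints;` member says nothing about its element type, ownership or ordering, all of which daemon/dtls.c and daemon/sdp.c now depend on: the elements are malloc'd `struct dtls_fingerprint`, pushed in hash_funcs order by cert_init and freed by cert_free, and sdp.c treats the head entry as the default when the offer names no matching hash function. A trailing comment such as `GQueue fingerprints; /* struct dtls_fingerprint *, malloc'd, in hash_funcs order; owned and freed by cert_free */` would record that contract where the field is declared.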
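Review bot: The new `FINGERPRINT256` substitution only works because it is placed before the `FINGERPRINT` one: the second pattern is a prefix of the first, so in the reverse order the `s/FINGERPRINT/` line would consume the placeholder and leave a stray `256` in the regexp. That ordering constraint is invisible to a reader adding the next placeholder; a comment on the new line, `# must precede FINGERPRINT, which matches its prefix`, would protect it.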
@@ -1925,7 +1925,7 @@ a=rtpmap:0 PCMU/8000
 a=sendrecv
 a=rtcp:PORT
 a=setup:passive
-a=fingerprint:sha-1 FINGERPRINT
+a=fingerprint:sha-256 FINGERPRINT256
 SDP