From bdf27616ba0ef19a5896f2dd9f7727799930225c Mon Sep 17 00:00:00 2001
From: Mark Hills
Date: Wed, 3 Feb 2021 15:37:43 +0000
Subject: [PATCH] Do not mutate something which the DTLS listener server does not own

Multiple DTLS listener servers are created, and server->dtls_ctx is the same object shared between them. Set these callbacks once, and logically this is at the point where the SSL context is created.
---
 src/apps/relay/dtls_listener.c | 47 ++++++++++++----------------------
 src/apps/relay/dtls_listener.h | 4 +++
 src/apps/relay/mainrelay.c | 2 ++
 3 files changed, 23 insertions(+), 30 deletions(-)

diff --git a/src/apps/relay/dtls_listener.c b/src/apps/relay/dtls_listener.c
index 7689a134..31056386 100644
--- a/src/apps/relay/dtls_listener.c
+++ b/src/apps/relay/dtls_listener.c
@@ -935,36 +935,6 @@ static int init_server(dtls_listener_relay_server_type* server,
 server->verbose=verbose;
 server->e = e;
-
-#if DTLS_SUPPORTED
- if(server->dtls_ctx) {
-
-#if defined(REQUEST_CLIENT_CERT)
- /* If client has to authenticate, then */
- SSL_CTX_set_verify(server->dtls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, dtls_verify_callback);
-#endif
-
- SSL_CTX_set_read_ahead(server->dtls_ctx, 1);
-
- SSL_CTX_set_cookie_generate_cb(server->dtls_ctx, generate_cookie);
- SSL_CTX_set_cookie_verify_cb(server->dtls_ctx, verify_cookie);
- }
-
-#if DTLSv1_2_SUPPORTED
- if(server->dtls_ctx_v1_2) {
-
- #if defined(REQUEST_CLIENT_CERT)
- /* If client has to authenticate, then */
- SSL_CTX_set_verify(server->dtls_ctx_v1_2, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, dtls_verify_callback);
- #endif
-
- SSL_CTX_set_read_ahead(server->dtls_ctx_v1_2, 1);
-
- SSL_CTX_set_cookie_generate_cb(server->dtls_ctx_v1_2, generate_cookie);
- SSL_CTX_set_cookie_verify_cb(server->dtls_ctx_v1_2, verify_cookie);
- }
-#endif
-#endif
 return create_server_socket(server, report_creation);
 }
@@ -980,6 +950,23 @@ static int clean_server(dtls_listener_relay_server_type* server) {
 ///////////////////////////////////////////////////////////
+#if DTLS_SUPPORTED
+void setup_dtls_callbacks(SSL_CTX *ctx) {
+ if (!ctx)
+ return;
+
+#if defined(REQUEST_CLIENT_CERT)
+ /* If client has to authenticate, then */
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, dtls_verify_callback);
+#endif
+
+ SSL_CTX_set_read_ahead(ctx, 1);
+
+ SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie);
+ SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie);
+}
+#endif
+
 dtls_listener_relay_server_type* create_dtls_listener_server(const char* ifname,
 const char *local_address,
 int port,
diff --git a/src/apps/relay/dtls_listener.h b/src/apps/relay/dtls_listener.h
index 9d7cab68..5ca4ec99 100644
--- a/src/apps/relay/dtls_listener.h
+++ b/src/apps/relay/dtls_listener.h
@@ -50,6 +50,10 @@ typedef struct dtls_listener_relay_server_info dtls_listener_relay_server_type;
 ///////////////////////////////////////////
+#if DTLS_SUPPORTED
+void setup_dtls_callbacks(SSL_CTX *ctx);
+#endif
+
 dtls_listener_relay_server_type* create_dtls_listener_server(const char* ifname,
 const char *local_address,
 int port,
diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
index d11a2cd8..9d951868 100644
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@@ -3198,10 +3198,12 @@ static void openssl_load_certificates(void)
 set_ctx(&turn_params.dtls_ctx,"DTLS",DTLS_server_method());
 set_ctx(&turn_params.dtls_ctx_v1_2,"DTLS1.2",DTLSv1_2_server_method());
 SSL_CTX_set_read_ahead(turn_params.dtls_ctx_v1_2, 1);
+ setup_dtls_callbacks(turn_params.dtls_ctx_v1_2);
 #else
 set_ctx(&turn_params.dtls_ctx,"DTLS",DTLSv1_server_method());
 #endif
 SSL_CTX_set_read_ahead(turn_params.dtls_ctx, 1);
+ setup_dtls_callbacks(turn_params.dtls_ctx);
 TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "DTLS cipher suite: %s\n",turn_params.cipher_list);
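Review bot: In the dtls_listener.c hunk that adds `setup_dtls_callbacks`, the `SSL_CTX_set_read_ahead(ctx, 1);` call repeats what the mainrelay.c hunk already does on the line immediately before each new call, so read-ahead is now applied twice per context; keep it in one place, preferably the helper, and drop the two `SSL_CTX_set_read_ahead(turn_params.dtls_ctx…, 1);` lines from the caller. The helper also carries no comment recording why it exists, so the commit message's reasoning would be lost to the next reader; a header comment such as `/* Configure a DTLS SSL_CTX once, when it is created: the same context is shared by every DTLS listener server, so this must not run per listener. The cookie callbacks drive the DTLS cookie exchange. */` captures it. The dtls_listener.h hunk now names `SSL_CTX` in the public header, and whether the OpenSSL header is already included there is not visible in this diff, so that is worth confirming. The two new calls in mainrelay.c appear inside a `#if DTLSv1_2_SUPPORTED` / `#else` but no enclosing `#if DTLS_SUPPORTED` is visible in the hunk, while the declaration is only made under that guard; if `openssl_load_certificates` can be compiled without DTLS support, the calls would reference an undeclared function, though the enclosing function extends beyond what the hunk shows.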