DTLS: Handle DTLS fingerprint in transport-info before session-accept

plugins/ice/src/transport_parameters.vala

@@ -160,13 +160,25 @@ public class Dino.Plugins.Ice.TransportParameters : JingleIceUdp.IceUdpTransport
         }
     }
 
+    private bool bytes_equal(uint8[] a1, uint8[] a2) {
+        return a1.length == a2.length && Memory.cmp(a1, a2, a1.length) == 0;
+    }
+
     public override void handle_transport_accept(StanzaNode transport) throws Jingle.IqError {
         debug("on_transport_accept from %s", peer_full_jid.to_string());
         base.handle_transport_accept(transport);
 
         if (dtls_srtp_handler != null && peer_fingerprint != null) {
-            dtls_srtp_handler.peer_fingerprint = peer_fingerprint;
-            dtls_srtp_handler.peer_fp_algo = peer_fp_algo;
+            if (dtls_srtp_handler.peer_fingerprint != null) {
+                if (!bytes_equal(dtls_srtp_handler.peer_fingerprint, peer_fingerprint)) {
+                    warning("Tried to replace certificate fingerprint mid use. We don't allow that.");
+                    peer_fingerprint = dtls_srtp_handler.peer_fingerprint;
+                    peer_fp_algo = dtls_srtp_handler.peer_fp_algo;
+                }
+            } else {
+                dtls_srtp_handler.peer_fingerprint = peer_fingerprint;
+                dtls_srtp_handler.peer_fp_algo = peer_fp_algo;
+            }
             if (peer_setup == "passive") {
                 dtls_srtp_handler.mode = DtlsSrtp.Mode.CLIENT;
                 dtls_srtp_handler.stop_dtls_connection();
@@ -186,6 +198,19 @@ public class Dino.Plugins.Ice.TransportParameters : JingleIceUdp.IceUdpTransport
         debug("on_transport_info from %s", peer_full_jid.to_string());
         base.handle_transport_info(transport);
 
+        if (dtls_srtp_handler != null && peer_fingerprint != null) {
+            if (dtls_srtp_handler.peer_fingerprint != null) {
+                if (!bytes_equal(dtls_srtp_handler.peer_fingerprint, peer_fingerprint)) {
+                    warning("Tried to replace certificate fingerprint mid use. We don't allow that.");
+                    peer_fingerprint = dtls_srtp_handler.peer_fingerprint;
+                    peer_fp_algo = dtls_srtp_handler.peer_fp_algo;
+                }
+            } else {
+                dtls_srtp_handler.peer_fingerprint = peer_fingerprint;
+                dtls_srtp_handler.peer_fp_algo = peer_fp_algo;
+            }
+        }
+
         if (!we_want_connection) return;
 
         if (remote_ufrag != null && remote_pwd != null && !remote_credentials_set) {

plugins/rtp/src/stream.vala

@@ -317,7 +317,7 @@ public class Dino.Plugins.Rtp.Stream : Xmpp.Xep.JingleRtp.Stream {
                 rtp_buffer.unmap();
             }
             if (our_ssrc != buffer_ssrc) {
-                warning("Sending RTP %s buffer seq %u with SSRC %u when our ssrc is %u", media, buffer_seq, buffer_ssrc, our_ssrc);
+                warning_once("Sending RTP %s buffer seq %u with SSRC %u when our ssrc is %u", media, buffer_seq, buffer_ssrc, our_ssrc);
             }
         }
 

xmpp-vala/src/module/xep/0176_jingle_ice_udp/transport_parameters.vala

@@ -119,6 +119,13 @@ public abstract class Xmpp.Xep.JingleIceUdp.IceUdpTransportParameters : Jingle.T
         foreach (StanzaNode candidateNode in node.get_subnodes("candidate")) {
             remote_candidates.add(Candidate.parse(candidateNode));
         }
+
+        StanzaNode? fingerprint_node = node.get_subnode("fingerprint", DTLS_NS_URI);
+        if (fingerprint_node != null) {
+            peer_fingerprint = fingerprint_to_bytes(fingerprint_node.get_string_content());
+            peer_fp_algo = fingerprint_node.get_attribute("hash");
+            peer_setup = fingerprint_node.get_attribute("setup");
+        }
     }
 
     public virtual void create_transport_connection(XmppStream stream, Jingle.Content content) {