authorSean Bright <sean.bright@gmail.com>2017-09-29 14:50:17 +0000
committerJoshua Colp <jcolp@digium.com>2017-11-06 08:11:20 -0500
commitddb8fd612472ff210412e69ceaed51821fc24975 (patch)
treeb2ee471a9e46646c27f924724ff9dc3d9f8932fa /channels
parent92b61748beb9a23cdd6d0ec650cbc6a7bf077ec9 (diff)
dtls: Add support for ephemeral DTLS certificates.
This mimics the behavior of Chrome and Firefox and creates an ephemeral X.509 certificate for each DTLS session. Currently, the only supported key type is ECDSA because of its faster generation time, but other key types can be added in the future as necessary. ASTERISK-27395 Change-Id: I5122e5f4b83c6320cc17407a187fcf491daf30b4
Diffstat (limited to 'channels')
-rw-r--r--channels/chan_sip.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index cdd78fd7e..fa228ceb1 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -31785,6 +31785,14 @@ static struct sip_peer *build_peer(const char *name, struct ast_variable *v_head
}
}
+ /* Validate DTLS configuration */
+ if (ast_rtp_dtls_cfg_validate(&peer->dtls_cfg)) {
+ sip_unref_peer(peer, "Removing peer due to bad DTLS configuration");
+ return NULL;
+ }
+
+ /* SRB */
+
/* Apply the encryption tag length to the DTLS configuration, in case DTLS is in use */
peer->dtls_cfg.suite = (ast_test_flag(&peer->flags[2], SIP_PAGE3_SRTP_TAG_32) ? AST_AES_CM_128_HMAC_SHA1_32 : AST_AES_CM_128_HMAC_SHA1_80);
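Review bot: When validation fails in build_peer, the peer is unreferenced and NULL is returned without any message naming the peer. Unless ast_rtp_dtls_cfg_validate() logs enough context itself (not visible here), an operator cannot tell which peer was rejected; consider adding `ast_log(LOG_ERROR, "Peer '%s' has an invalid DTLS configuration\n", name);` before the unref. The added `/* SRB */` comment looks like leftover author initials and should be dropped or replaced with a real explanation. build_peer starts and ends outside this hunk, so whether anything acquired earlier needs releasing on this return cannot be checked from here.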
@@ -32984,6 +32992,11 @@ static int reload_config(enum channelreloadreason reason)
}
}
+ /* Validate DTLS configuration */
+ if (ast_rtp_dtls_cfg_validate(&default_dtls_cfg)) {
+ return -1;
+ }
+
/* Override global defaults if setting found in general section */
ast_copy_flags(&global_flags[0], &setflags[0], mask[0].flags);
ast_copy_flags(&global_flags[1], &setflags[1], mask[1].flags);
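Review bot: The new `return -1;` in reload_config exits partway through the reload, after the general section has been parsed into default_dtls_cfg and before the global flags are applied. The function starts and ends outside this hunk, so please confirm that nothing acquired earlier (the loaded config object, any lock) is left unreleased on this path and that the driver is not left with half-applied settings. If the function has a common cleanup path, jumping to it would be safer than a bare return. A comment such as `/* Abort the reload: the general-section DTLS defaults are unusable */` would also document that failing closed here is deliberate.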