From eea7830c1d78b1855399ea07c17584cea67faf3d Mon Sep 17 00:00:00 2001 From: Robert Wilson Date: Tue, 3 Mar 2026 13:30:15 +0000 Subject: [PATCH] res_rtp_asterisk.c: Fix DTLS packet drop when TURN loopback re-injection occurs before ICE candidate check When TURN is configured in rtp.conf, pjproject re-injects TURN packets via 127.0.0.1 (the loopback address). The DTLS packet handler checks the source address against the ICE active candidate list before the loopback address substitution runs, causing the packet to be silently dropped as the source 127.0.0.1 is not in the candidate list. Fix by performing the loopback address substitution before the ICE candidate source check in the DTLS path, mirroring the logic already present in the non-DTLS RTP path. Fixes: #1795 UserNote: WebRTC calls using TURN configured in rtp.conf (turnaddr, turnusername, turnpassword) will now correctly complete DTLS/SRTP negotiation. Previously all DTLS packets were silently dropped due to the loopback re-injection address not being in the ICE active candidate list. --- res/res_rtp_asterisk.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c index 5f63eb0737..c99bab405b 100644 --- a/res/res_rtp_asterisk.c +++ b/res/res_rtp_asterisk.c @@ -3267,6 +3267,18 @@ static int __rtp_recvfrom(struct ast_rtp_instance *instance, void *buf, size_t s ast_debug_dtls(3, "(%p) DTLS - __rtp_recvfrom rtp=%p - Got SSL packet '%d'\n", instance, rtp, *in); +#ifdef HAVE_PJPROJECT + /* If this packet arrived via TURN/ICE loopback re-injection, + * substitute the real remote address before the candidate check + * otherwise the DTLS check will see 127.0.0.1 and drop the packet. + */ + if (!ast_sockaddr_isnull(&rtp->rtp_loop) && !ast_sockaddr_cmp(&rtp->rtp_loop, sa)) { + ast_rtp_instance_get_remote_address(instance, sa); + } else if (rtcp && !ast_sockaddr_isnull(&rtp->rtcp_loop) && !ast_sockaddr_cmp(&rtp->rtcp_loop, sa)) { + ast_sockaddr_copy(sa, &rtp->rtcp->them); + } +#endif + /* * If ICE is in use, we can prevent a possible DOS attack * by allowing DTLS protocol messages (client hello, etc)