Config to use RSA or ECDSA

5 years ago · c70a0eb07c
parent 5e06a2568b
commit c70a0eb07c
7 changed files with 48 additions and 10 deletions
--- a/trunk/conf/full.conf
+++ b/trunk/conf/full.conf
@ -399,6 +399,10 @@ rtc_server {
    #       $CANDIDATE $EIP # TODO: Implements it.
    # default: *
    candidate       *;
+    # Whether use ECDSA certificate.
+    # If not, use RSA certificate.
+    # default: on
+    ecdsa           on;
 }

 vhost rtc.vhost.srs.com {
--- a/trunk/src/app/srs_app_config.cpp
+++ b/trunk/src/app/srs_app_config.cpp
@ -4639,6 +4639,23 @@ std::string SrsConfig::get_rtc_server_candidates()
    return (conf->arg0().c_str());
 }

+bool SrsConfig::get_rtc_server_ecdsa()
+{
+    static bool DEFAULT = true;
+
+    SrsConfDirective* conf = root->get("rtc_server");
+    if (!conf) {
+        return DEFAULT;
+    }
+
+    conf = conf->get("ecdsa");
+    if (!conf || conf->arg0().empty()) {
+        return DEFAULT;
+    }
+
+    return SRS_CONF_PERFER_TRUE(conf->arg0());
+}
+
 SrsConfDirective* SrsConfig::get_rtc(string vhost)
 {
    SrsConfDirective* conf = get_vhost(vhost);
--- a/trunk/src/app/srs_app_config.hpp
+++ b/trunk/src/app/srs_app_config.hpp
@ -520,6 +520,7 @@ public:
    virtual bool get_rtc_server_enabled(SrsConfDirective* conf);
    virtual int get_rtc_server_listen();
    virtual std::string get_rtc_server_candidates();
+    virtual bool get_rtc_server_ecdsa();

    SrsConfDirective* get_rtc(std::string vhost);
    bool get_rtc_enabled(std::string vhost);
--- a/trunk/src/app/srs_app_dtls.cpp
+++ b/trunk/src/app/srs_app_dtls.cpp
@ -28,6 +28,8 @@ using namespace std;
 #include <string.h>

 #include <srs_kernel_log.hpp>
+#include <srs_kernel_error.hpp>
+#include <srs_app_config.hpp>

 #include <srtp2/srtp.h>
 #include <openssl/ssl.h>
@ -36,17 +38,18 @@ SrsDtls* SrsDtls::_instance = NULL;

 SrsDtls::SrsDtls()
 {
+    dtls_ctx = NULL;
 }

 SrsDtls::~SrsDtls()
 {
+    SSL_CTX_free(dtls_ctx);
 }

 SrsDtls* SrsDtls::instance()
 {
    if (!_instance) {
        _instance = new SrsDtls();
-        _instance->init();
    }   
    return _instance;
 }
@ -66,8 +69,10 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
    return 1;
 }

-void SrsDtls::init()
+srs_error_t SrsDtls::init(const SrsRequest& req)
 {
+    srs_error_t err = srs_success;
+
    // Initialize SRTP first.
    srs_assert(srtp_init() == 0);

@ -87,10 +92,13 @@ void SrsDtls::init()
    //dtls_ctx = SSL_CTX_new(DTLSv1_2_method());
 #endif

+    // Whether use ECDSA certificate.
+    bool is_ecdsa = _srs_config->get_rtc_server_ecdsa();
+
    // Create keys by RSA or ECDSA.
    EVP_PKEY* dtls_pkey = EVP_PKEY_new();
    srs_assert(dtls_pkey);
-    if (false) { // By RSA
+    if (!is_ecdsa) { // By RSA
        RSA* rsa = RSA_new();
        srs_assert(rsa);

@ -110,7 +118,7 @@ void SrsDtls::init()
        RSA_free(rsa);
        BN_free(exponent);
    }
-    if (true) { // By ECDSA, https://stackoverflow.com/a/6006898
+    if (is_ecdsa) { // By ECDSA, https://stackoverflow.com/a/6006898
        EC_KEY* eckey = EC_KEY_new();
        srs_assert(eckey);

@ -240,4 +248,6 @@ void SrsDtls::init()
        fingerprint.assign(fp, strlen(fp));
        srs_trace("fingerprint=%s", fingerprint.c_str());
    }
+
+    return err;
 }
--- a/trunk/src/app/srs_app_dtls.hpp
+++ b/trunk/src/app/srs_app_dtls.hpp
@ -28,6 +28,8 @@

 #include <string>

+class SrsRequest;
+
 #include <openssl/ssl.h>

 class SrsDtls
@ -36,12 +38,12 @@ private:
    static SrsDtls* _instance;
 private:
    std::string fingerprint;
-    SSL_CTX*    dtls_ctx;
+    SSL_CTX* dtls_ctx;
 private:
    SrsDtls();
    virtual ~SrsDtls();
-
-    void init();
+public:
+    srs_error_t init(const SrsRequest& req);
 public:
    static SrsDtls* instance();
    SSL_CTX* get_dtls_ctx() { return dtls_ctx; }
--- a/trunk/src/app/srs_app_rtc_conn.cpp
+++ b/trunk/src/app/srs_app_rtc_conn.cpp
@ -142,10 +142,14 @@ SrsDtlsSession::~SrsDtlsSession()
    }
 }

-srs_error_t SrsDtlsSession::initialize()
+srs_error_t SrsDtlsSession::initialize(const SrsRequest& req)
 {    
    srs_error_t err = srs_success;

+    if ((err = SrsDtls::instance()->init(req)) != srs_success) {
+        return srs_error_wrap(err, "DTLS init");
+    }
+
    if ((dtls = SSL_new(SrsDtls::instance()->get_dtls_ctx())) == NULL) {
        return srs_error_new(ERROR_OpenSslCreateSSL, "SSL_new dtls");
    }
@ -593,7 +597,7 @@ SrsRtcSession::SrsRtcSession(SrsRtcServer* rtc_svr, const SrsRequest& req, const
    rtc_server = rtc_svr;
    session_state = INIT;
    dtls_session = new SrsDtlsSession(this);
-    dtls_session->initialize();
+    dtls_session->initialize(req);
    strd = NULL;

    username = un;
--- a/trunk/src/app/srs_app_rtc_conn.hpp
+++ b/trunk/src/app/srs_app_rtc_conn.hpp
@ -97,7 +97,7 @@ public:
    SrsDtlsSession(SrsRtcSession* s);
    virtual ~SrsDtlsSession();

-    srs_error_t initialize();
+    srs_error_t initialize(const SrsRequest& req);

    srs_error_t on_dtls(SrsUdpMuxSocket* udp_mux_skt);
    srs_error_t on_dtls_handshake_done(SrsUdpMuxSocket* udp_mux_skt);