From ae662fa0836290b534d6fa29ce5202f8f95feb22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=A4=8F=E6=A5=9A?= <771730766@qq.com>
Date: Wed, 25 Oct 2023 17:50:29 +0800
Subject: [PATCH] =?UTF-8?q?=20webrtc=20dtls=E9=BB=98=E8=AE=A4=E9=87=87?=
 =?UTF-8?q?=E7=94=A8https=E8=AF=81=E4=B9=A6=EF=BC=8C=E5=A6=82=E6=9E=9Chttp?=
 =?UTF-8?q?s=E8=AF=81=E4=B9=A6=E4=B8=8D=E5=AD=98=E5=9C=A8=E5=88=99?=
 =?UTF-8?q?=E9=9A=8F=E6=9C=BA=E7=94=9F=E6=88=90=20=20(#2928)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

之前默认随机创建dtls证书，导致每次启动证书都不一致，而Firefox要求同主机的dtls证书必须一致，所以导致每次服务重启，Firefox可能拒绝dtls握手。
并且在集群模式下，如果Firefox接入多个不同集群实例的webrtc服务，也可能导致webrtc dtls握手失败。
---
 3rdpart/ZLToolKit          |  2 +-
 webrtc/DtlsTransport.cpp   | 71 ++++++++------------------------------
 webrtc/DtlsTransport.hpp   |  2 +-
 webrtc/WebRtcTransport.cpp |  2 +-
 4 files changed, 18 insertions(+), 59 deletions(-)

diff --git a/3rdpart/ZLToolKit b/3rdpart/ZLToolKit
index 273592b6..3fd2b856 160000
--- a/3rdpart/ZLToolKit
+++ b/3rdpart/ZLToolKit
@@ -1 +1 @@
-Subproject commit 273592b6ba39babe6407021ffc089bfe7328e447
+Subproject commit 3fd2b856b6856dd679a32c673431561c0affdd0c
diff --git a/webrtc/DtlsTransport.cpp b/webrtc/DtlsTransport.cpp
index 66183f8e..5ae4f4b0 100644
--- a/webrtc/DtlsTransport.cpp
+++ b/webrtc/DtlsTransport.cpp
@@ -29,6 +29,8 @@ OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include <cstdio>  // std::sprintf(), std::fopen()
 #include <cstring> // std::memcpy(), std::strcmp()
 #include "Util/util.h"
+#include "Util/SSLBox.h"
+#include "Util/SSLUtil.h"
 
 using namespace std;
 
@@ -129,16 +131,10 @@ namespace RTC
         MS_TRACE();
 
         // Generate a X509 certificate and private key (unless PEM files are provided).
-        if (true /*
-          Settings::configuration.dtlsCertificateFile.empty() ||
-          Settings::configuration.dtlsPrivateKeyFile.empty()*/)
-        {
+        auto ssl = toolkit::SSL_Initor::Instance().getSSLCtx("", true);
+        if (!ssl || !ReadCertificateAndPrivateKeyFromContext(ssl.get())) {
             GenerateCertificateAndPrivateKey();
         }
-        else
-        {
-            ReadCertificateAndPrivateKeyFromFiles();
-        }
 
         // Create a global SSL_CTX.
         CreateSslCtx();
@@ -297,59 +293,22 @@ namespace RTC
         MS_THROW_ERROR("DTLS certificate and private key generation failed");
     }
 
-    void DtlsTransport::DtlsEnvironment::ReadCertificateAndPrivateKeyFromFiles()
+    bool DtlsTransport::DtlsEnvironment::ReadCertificateAndPrivateKeyFromContext(SSL_CTX *ctx)
     {
-#if 0
         MS_TRACE();
-
-        FILE* file{ nullptr };
-
-        file = fopen(Settings::configuration.dtlsCertificateFile.c_str(), "r");
-
-        if (!file)
-        {
-            MS_ERROR("error reading DTLS certificate file: %s", std::strerror(errno));
-
-            goto error;
+        certificate = SSL_CTX_get0_certificate(ctx);
+        if (!certificate) {
+            return false;
         }
+        X509_up_ref(certificate);
 
-        certificate = PEM_read_X509(file, nullptr, nullptr, nullptr);
-
-        if (!certificate)
-        {
-            LOG_OPENSSL_ERROR("PEM_read_X509() failed");
-
-            goto error;
+        privateKey = SSL_CTX_get0_privatekey(ctx);
+        if (!privateKey) {
+            return false;
         }
-
-        fclose(file);
-
-        file = fopen(Settings::configuration.dtlsPrivateKeyFile.c_str(), "r");
-
-        if (!file)
-        {
-            MS_ERROR("error reading DTLS private key file: %s", std::strerror(errno));
-
-            goto error;
-        }
-
-        privateKey = PEM_read_PrivateKey(file, nullptr, nullptr, nullptr);
-
-        if (!privateKey)
-        {
-            LOG_OPENSSL_ERROR("PEM_read_PrivateKey() failed");
-
-            goto error;
-        }
-
-        fclose(file);
-
-        return;
-
-    error:
-
-        MS_THROW_ERROR("error reading DTLS certificate and private key PEM files");
-#endif
+        EVP_PKEY_up_ref(privateKey);
+        InfoL << "Load webrtc dtls certificate: " << toolkit::SSLUtil::getServerName(certificate);
+        return true;
     }
 
     void DtlsTransport::DtlsEnvironment::CreateSslCtx()
diff --git a/webrtc/DtlsTransport.hpp b/webrtc/DtlsTransport.hpp
index bf57d01d..53a1981d 100644
--- a/webrtc/DtlsTransport.hpp
+++ b/webrtc/DtlsTransport.hpp
@@ -88,7 +88,7 @@ namespace RTC
         private:
             DtlsEnvironment();
             void GenerateCertificateAndPrivateKey();
-            void ReadCertificateAndPrivateKeyFromFiles();
+            bool ReadCertificateAndPrivateKeyFromContext(SSL_CTX *ctx);
             void CreateSslCtx();
             void GenerateFingerprints();
 
diff --git a/webrtc/WebRtcTransport.cpp b/webrtc/WebRtcTransport.cpp
index 4ec13e6f..9ac6251f 100644
--- a/webrtc/WebRtcTransport.cpp
+++ b/webrtc/WebRtcTransport.cpp
@@ -251,7 +251,7 @@ void WebRtcTransport::sendSockData(const char *buf, size_t len, RTC::TransportTu
 }
 
 Session::Ptr WebRtcTransport::getSession() const {
-    auto tuple = _ice_server->GetSelectedTuple(true);
+    auto tuple = _ice_server ? _ice_server->GetSelectedTuple(true) : nullptr;
     return tuple ? static_pointer_cast<Session>(tuple->shared_from_this()) : nullptr;
 }