From c70a0eb07cf45cd55904a9e47dec1420ae808a0b Mon Sep 17 00:00:00 2001
From: winlin
Date: Fri, 3 Apr 2020 15:03:09 +0800
Subject: [PATCH] Config to use RSA or ECDSA
---
 trunk/conf/full.conf | 4 ++++
 trunk/src/app/srs_app_config.cpp | 17 +++++++++++++++++
 trunk/src/app/srs_app_config.hpp | 1 +
 trunk/src/app/srs_app_dtls.cpp | 18 ++++++++++++++----
 trunk/src/app/srs_app_dtls.hpp | 8 +++++---
 trunk/src/app/srs_app_rtc_conn.cpp | 8 ++++++--
 trunk/src/app/srs_app_rtc_conn.hpp | 2 +-
 7 files changed, 48 insertions(+), 10 deletions(-)
diff --git a/trunk/conf/full.conf b/trunk/conf/full.conf
index c7467666d..f8dc90c96 100644
--- a/trunk/conf/full.conf
+++ b/trunk/conf/full.conf
@@ -399,6 +399,10 @@ rtc_server {
 # $CANDIDATE $EIP # TODO: Implements it. # default: *
 candidate *;
+ # Whether use ECDSA certificate.
+ # If not, use RSA certificate.
+ # default: on
+ ecdsa on;
 }
 vhost rtc.vhost.srs.com {
diff --git a/trunk/src/app/srs_app_config.cpp b/trunk/src/app/srs_app_config.cpp
index 32467ab06..5a579c83b 100644
--- a/trunk/src/app/srs_app_config.cpp
+++ b/trunk/src/app/srs_app_config.cpp
@@ -4639,6 +4639,23 @@ std::string SrsConfig::get_rtc_server_candidates()
 return (conf->arg0().c_str());
 }
+bool SrsConfig::get_rtc_server_ecdsa()
+{
+ static bool DEFAULT = true;
+
+ SrsConfDirective* conf = root->get("rtc_server");
+ if (!conf) {
+ return DEFAULT;
+ }
+
+ conf = conf->get("ecdsa");
+ if (!conf || conf->arg0().empty()) {
+ return DEFAULT;
+ }
+
+ return SRS_CONF_PERFER_TRUE(conf->arg0());
+}
+
 SrsConfDirective* SrsConfig::get_rtc(string vhost)
 {
 SrsConfDirective* conf = get_vhost(vhost);
diff --git a/trunk/src/app/srs_app_config.hpp b/trunk/src/app/srs_app_config.hpp
index 35637a2ff..f130b9a3b 100644
--- a/trunk/src/app/srs_app_config.hpp
+++ b/trunk/src/app/srs_app_config.hpp
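Review bot: `static bool DEFAULT = true;` in `get_rtc_server_ecdsa` is a mutable function-local static that is only ever read; `static const bool DEFAULT = true;` states that and costs nothing, unless the neighbouring getters deliberately share the mutable form, in which case consistency wins. The getter also deserves a one-line header comment tying it to the directive it reads and to its effect, e.g. `// Whether rtc_server.ecdsa is on: the DTLS certificate uses an ECDSA key when true, RSA otherwise (default on).`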
@@ -520,6 +520,7 @@ public:
 virtual bool get_rtc_server_enabled(SrsConfDirective* conf);
 virtual int get_rtc_server_listen();
 virtual std::string get_rtc_server_candidates();
+ virtual bool get_rtc_server_ecdsa();
 SrsConfDirective* get_rtc(std::string vhost);
 bool get_rtc_enabled(std::string vhost);
diff --git a/trunk/src/app/srs_app_dtls.cpp b/trunk/src/app/srs_app_dtls.cpp
index 7de9d3adf..c923a544a 100644
--- a/trunk/src/app/srs_app_dtls.cpp
+++ b/trunk/src/app/srs_app_dtls.cpp
@@ -28,6 +28,8 @@ using namespace std;
 #include
 #include
+#include
+#include
 #include
 #include
@@ -36,17 +38,18 @@ SrsDtls* SrsDtls::_instance = NULL;
 SrsDtls::SrsDtls()
 {
+ dtls_ctx = NULL;
 }
 SrsDtls::~SrsDtls()
 {
+ SSL_CTX_free(dtls_ctx);
 }
 SrsDtls* SrsDtls::instance()
 {
 if (!_instance) {
 _instance = new SrsDtls();
- _instance->init();
 }
 return _instance;
 }
@@ -66,8 +69,10 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 return 1;
 }
-void SrsDtls::init()
+srs_error_t SrsDtls::init(const SrsRequest& req)
 {
+ srs_error_t err = srs_success;
+
 // Initialize SRTP first.
 srs_assert(srtp_init() == 0);
@@ -87,10 +92,13 @@ void SrsDtls::init()
 //dtls_ctx = SSL_CTX_new(DTLSv1_2_method());
 #endif
+ // Whether use ECDSA certificate.
+ bool is_ecdsa = _srs_config->get_rtc_server_ecdsa();
+
 // Create keys by RSA or ECDSA.
 EVP_PKEY* dtls_pkey = EVP_PKEY_new();
 srs_assert(dtls_pkey);
- if (false) { // By RSA
+ if (!is_ecdsa) { // By RSA
 RSA* rsa = RSA_new();
 srs_assert(rsa);
@@ -110,7 +118,7 @@ void SrsDtls::init()
 RSA_free(rsa);
 BN_free(exponent);
 }
- if (true) { // By ECDSA, https://stackoverflow.com/a/6006898
+ if (is_ecdsa) { // By ECDSA, https://stackoverflow.com/a/6006898
 EC_KEY* eckey = EC_KEY_new();
 srs_assert(eckey);
@@ -240,4 +248,6 @@ void SrsDtls::init()
 fingerprint.assign(fp, strlen(fp));
 srs_trace("fingerprint=%s", fingerprint.c_str());
 }
+
+ return err;
 }
diff --git a/trunk/src/app/srs_app_dtls.hpp b/trunk/src/app/srs_app_dtls.hpp
index 5853f91b3..65d38c167 100644
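Review bot: With `_instance->init()` dropped from `instance()`, the singleton now hands out a NULL `dtls_ctx` (set in the constructor) and an empty `fingerprint` until some caller runs `init()`, so any use of `get_dtls_ctx()` or the fingerprint that precedes the first `SrsDtlsSession::initialize` silently sees an uninitialized context; whether such a caller exists is not visible here. Either keep a lazy guard in `instance()` or document the ordering requirement on it, e.g. `// Returns the shared DTLS state; dtls_ctx is NULL and fingerprint empty until init() has run.` The `SSL_CTX_free(dtls_ctx)` in the destructor is NULL-safe, so the uninitialized case is at least safe to tear down.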
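Review bot: `SrsDtls::init` is now invoked from every `SrsDtlsSession::initialize` (the `@@ -142` hunk of srs_app_rtc_conn.cpp) but nothing in it guards against running twice: the visible body re-runs `srs_assert(srtp_init() == 0)`, allocates a fresh `EVP_PKEY` (apparently generating a new RSA or EC key each time) and reassigns `fingerprint`, so every new session changes the fingerprint that earlier sessions may already have advertised, and the `dtls_ctx` created further down (outside this hunk) is presumably overwritten without a matching `SSL_CTX_free`, leaking the previous one. Make the call idempotent right after the new `err` declaration, `if (dtls_ctx) { return err; }`, or move the single initialization to server start-up and leave `initialize` to only fetch the context. The new `req` parameter is not read anywhere in the visible lines — the key type comes from the global `_srs_config->get_rtc_server_ecdsa()` — so either use it or drop it. The body of `init` continues past this hunk.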
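Review bot: `if (!is_ecdsa) { // By RSA` and the matching `if (is_ecdsa) { // By ECDSA` in the `@@ -110` hunk are two independent tests of the same boolean, which reads as though both branches could run; writing the second as `} else { // By ECDSA, https://stackoverflow.com/a/6006898` makes the either/or explicit and removes one evaluation. The comment `// Whether use ECDSA certificate.` could name the source of the decision, e.g. `// Key type for the DTLS certificate, from rtc_server.ecdsa (default on); RSA otherwise.`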
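Review bot: `return err;` can only ever return `srs_success` here, because every failure in the visible parts of `init` is an `srs_assert` (`srs_assert(dtls_pkey)`, `srs_assert(rsa)`, `srs_assert(eckey)`) that aborts the whole process, so the new `srs_error_t` signature and the caller's `srs_error_wrap(err, "DTLS init")` never carry anything. Since the return path now exists, the OpenSSL allocation and key-generation failures are the natural candidates to become `srs_error_new` returns with an OpenSSL error code from the project's table (the `SSL_new` failure in srs_app_rtc_conn.cpp already uses `ERROR_OpenSslCreateSSL`), freeing what was allocated before returning. A DTLS setup failure would then drop one session instead of taking down the server. The rest of `init` lies outside this hunk.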
--- a/trunk/src/app/srs_app_dtls.hpp
+++ b/trunk/src/app/srs_app_dtls.hpp
@@ -28,6 +28,8 @@
 #include
+class SrsRequest;
+
 #include
 class SrsDtls
@@ -36,12 +38,12 @@ private:
 static SrsDtls* _instance;
 private:
 std::string fingerprint;
- SSL_CTX* dtls_ctx;
+ SSL_CTX* dtls_ctx;
 private:
 SrsDtls();
 virtual ~SrsDtls();
-
- void init();
+public:
+ srs_error_t init(const SrsRequest& req);
 public:
 static SrsDtls* instance();
 SSL_CTX* get_dtls_ctx() { return dtls_ctx; }
diff --git a/trunk/src/app/srs_app_rtc_conn.cpp b/trunk/src/app/srs_app_rtc_conn.cpp
index a85046a7d..9c209c494 100644
--- a/trunk/src/app/srs_app_rtc_conn.cpp
+++ b/trunk/src/app/srs_app_rtc_conn.cpp
@@ -142,10 +142,14 @@ SrsDtlsSession::~SrsDtlsSession()
 }
 }
-srs_error_t SrsDtlsSession::initialize()
+srs_error_t SrsDtlsSession::initialize(const SrsRequest& req)
 {
 srs_error_t err = srs_success;
+ if ((err = SrsDtls::instance()->init(req)) != srs_success) {
+ return srs_error_wrap(err, "DTLS init");
+ }
+
 if ((dtls = SSL_new(SrsDtls::instance()->get_dtls_ctx())) == NULL) {
 return srs_error_new(ERROR_OpenSslCreateSSL, "SSL_new dtls");
 }
@@ -593,7 +597,7 @@ SrsRtcSession::SrsRtcSession(SrsRtcServer* rtc_svr, const SrsRequest& req, const
 rtc_server = rtc_svr;
 session_state = INIT;
 dtls_session = new SrsDtlsSession(this);
- dtls_session->initialize();
+ dtls_session->initialize(req);
 strd = NULL;
 username = un;
diff --git a/trunk/src/app/srs_app_rtc_conn.hpp b/trunk/src/app/srs_app_rtc_conn.hpp
index f9ebb931c..49c054174 100644
--- a/trunk/src/app/srs_app_rtc_conn.hpp
+++ b/trunk/src/app/srs_app_rtc_conn.hpp
@@ -97,7 +97,7 @@ public:
 SrsDtlsSession(SrsRtcSession* s);
 virtual ~SrsDtlsSession();
- srs_error_t initialize();
+ srs_error_t initialize(const SrsRequest& req);
 srs_error_t on_dtls(SrsUdpMuxSocket* udp_mux_skt);
 srs_error_t on_dtls_handshake_done(SrsUdpMuxSocket* udp_mux_skt);
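Review bot: `class SrsRequest;` is inserted between two `#include` lines, splitting the include block; forward declarations conventionally follow the last include, so moving it (with its blank line) below the second `#include` keeps the header's include block contiguous. The forward declaration itself is the right choice here, since `init` only takes `const SrsRequest&`.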
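Review bot: `init` becomes public with no comment on what callers must do, and its contract is now non-trivial: it must run before `get_dtls_ctx()` is meaningful, it returns an `srs_error_t` the caller has to check, and it is currently called once per `SrsDtlsSession`. Add a header comment such as `// Build the shared DTLS context, key pair and fingerprint from rtc_server config. Must succeed before get_dtls_ctx() is used; see the call in SrsDtlsSession::initialize.` The `- SSL_CTX* dtls_ctx;` / `+ SSL_CTX* dtls_ctx;` pair appears to be a whitespace-only change and could be dropped to keep the diff to its subject.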
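Review bot: `dtls_session->initialize(req);` discards its `srs_error_t`, and that return is no longer nominal — `initialize` now propagates `SrsDtls::init` failures via `srs_error_wrap(err, "DTLS init")` and already fails with `ERROR_OpenSslCreateSSL` when `SSL_new` returns NULL — so a failed DTLS setup leaves the session constructed with `dtls` never assigned and the error object leaked. A constructor cannot report failure, so the robust fix is to hoist the call into a separate initialization step on `SrsRtcSession` that the creating server checks; failing that, capture the error here and log and free it rather than drop it. The constructor body continues outside this hunk.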
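Review bot: `srs_error_t initialize(const SrsRequest& req);` gains a parameter and a real failure path without a comment saying so; a one-liner on the declaration helps callers who see only the header, e.g. `// Set up DTLS for this session: runs SrsDtls::init(req) and creates the SSL object; fails if either step fails.` It is also worth recording that `req` is currently only passed through to `SrsDtls::init`, if that is meant to stay.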