commit 8f38601583ae4113aac09d664d90f6d5f06da5b1
parent 1092a6e9f0d63b427114a606f81e05d3e8099ca5
Author: Michael Froman <mfroman@mozilla.com>
Date: Wed, 8 Oct 2025 18:33:49 -0500
Bug 1993083 - Vendor libwebrtc from 1b4878a3a4
Upstream commit: https://webrtc.googlesource.com/src/+/1b4878a3a45ce227c24c15cc26ac87d43cf5dc64
dtls-in-stun: remove restriction on not having certificates
Previously, dtls-in-stun was not supported when a certificate was
configured explicitly via generateCertificate. This was done to avoid the
edge case of large RSA certificates (4096/8192 bytes) which caused the
DTLS packet size during the handshake to exceed the available MTU and
led to fragmentation of the certificate flights.
This fragmentation is now supported in the code for DTLS-PQC so the
restriction can be removed.
Manually tested with
https://jsfiddle.net/fippo/19vwyatu/3/
since generating the large RSA certificates in a unit test takes several
seconds (and is generally untested).
Bug: webrtc:367395350
Change-Id: I75a3764c5c1bc7202ad450bda655251803f9344c
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/398044
Reviewed-by: Harald Alvestrand <hta@webrtc.org>
Commit-Queue: Philipp Hancke <phancke@meta.com>
Reviewed-by: Jonas Oreland <jonaso@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#45067}
Diffstat:
3 files changed, 7 insertions(+), 14 deletions(-)
diff --git a/third_party/libwebrtc/README.mozilla.last-vendor b/third_party/libwebrtc/README.mozilla.last-vendor
@@ -1,4 +1,4 @@
# ./mach python dom/media/webrtc/third_party_build/vendor-libwebrtc.py --from-local /home/mfroman/mozilla/elm/.moz-fast-forward/moz-libwebrtc --commit mozpatches libwebrtc
-libwebrtc updated from /home/mfroman/mozilla/elm/.moz-fast-forward/moz-libwebrtc commit mozpatches on 2025-10-08T23:32:19.144272+00:00.
+libwebrtc updated from /home/mfroman/mozilla/elm/.moz-fast-forward/moz-libwebrtc commit mozpatches on 2025-10-08T23:33:39.397760+00:00.
# base of lastest vendoring
-c575d44615
+1b4878a3a4
diff --git a/third_party/libwebrtc/pc/peer_connection.cc b/third_party/libwebrtc/pc/peer_connection.cc
@@ -798,8 +798,7 @@ JsepTransportController* PeerConnection::InitializeTransportController_n(
});
IceConfig ice_config(configuration);
- ice_config.dtls_handshake_in_stun =
- CanAttemptDtlsStunPiggybacking(configuration);
+ ice_config.dtls_handshake_in_stun = CanAttemptDtlsStunPiggybacking();
transport_controller_->SetIceConfig(ice_config);
return transport_controller_.get();
@@ -1528,8 +1527,7 @@ RTCError PeerConnection::SetConfiguration(
modified_config.GetTurnPortPrunePolicy() !=
configuration_.GetTurnPortPrunePolicy();
IceConfig ice_config(modified_config);
- ice_config.dtls_handshake_in_stun =
- CanAttemptDtlsStunPiggybacking(modified_config);
+ ice_config.dtls_handshake_in_stun = CanAttemptDtlsStunPiggybacking();
// Apply part of the configuration on the network thread. In theory this
// shouldn't fail.
@@ -3006,13 +3004,8 @@ PeerConnection::InitializeUnDemuxablePacketHandler() {
};
}
-bool PeerConnection::CanAttemptDtlsStunPiggybacking(
- const RTCConfiguration& configuration) {
- // Enable DTLS-in-STUN only if no certificates were passed those
- // may be RSA certificates and this feature only works with small
- // ECDSA certificates. Determining the type of the key is
- // not trivially possible at this point.
- return dtls_enabled_ && configuration.certificates.empty() &&
+bool PeerConnection::CanAttemptDtlsStunPiggybacking() {
+ return dtls_enabled_ &&
env_.field_trials().IsEnabled("WebRTC-IceHandshakeDtls");
}
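Review bot: The rewritten body of CanAttemptDtlsStunPiggybacking deletes the only explanation of why the feature used to be gated on the certificate list, without recording the new assumption it relies on — that the DTLS handshake itself now fragments certificate flights larger than the MTU — so a maintainer re-reading the dtls_enabled_ and field-trial check later has no hint that large RSA certificates are expected to be handled downstream rather than excluded here. That fragmentation support is asserted only in the commit message, not visible in this diff, and the message also says it is covered by manual testing rather than a unit test, which is worth stating next to the code. Suggest a comment above the return, e.g. `// No certificate-type check here: large (RSA) certificate flights that exceed the MTU are fragmented by the DTLS handshake (webrtc:367395350); exercised manually, not by unit tests.` Since the method now reads only dtls_enabled_ and env_, it could also be declared `bool CanAttemptDtlsStunPiggybacking() const;` in the peer_connection.h hunk and defined `const` here.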
diff --git a/third_party/libwebrtc/pc/peer_connection.h b/third_party/libwebrtc/pc/peer_connection.h
@@ -618,7 +618,7 @@ class PeerConnection : public PeerConnectionInternal,
std::function<void(const RtpPacketReceived& parsed_packet)>
InitializeUnDemuxablePacketHandler();
- bool CanAttemptDtlsStunPiggybacking(const RTCConfiguration& configuration);
+ bool CanAttemptDtlsStunPiggybacking();
const Environment env_;
const scoped_refptr<ConnectionContext> context_;