dtls-in-stun: remove restriction on not having certificates
Previously, dtls-in-stun was not supported when a certificate was
configured explicitly via generateCertificate. This was done to avoid the
edge case of large RSA certificates (4096/8192 bytes) which caused the
DTLS packet size during the handshake to exceed the available MTU and
led to fragmentation of the certificate flights
This fragmentation is now supported in the code for DTLS-PQC so the
restriction can be removed.
Manually tested with
https://jsfiddle.net/fippo/19vwyatu/3/
since generating the large RSA certificates in a unit test takes several
seconds (and is generally untested).
Bug: webrtc:367395350
Change-Id: I75a3764c5c1bc7202ad450bda655251803f9344c
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/398044
Reviewed-by: Harald Alvestrand <hta@webrtc.org>
Commit-Queue: Philipp Hancke <phancke@meta.com>
Reviewed-by: Jonas Oreland <jonaso@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#45067}
diff --git a/pc/peer_connection.cc b/pc/peer_connection.cc
index efc37f4..0acd59b 100644
--- a/pc/peer_connection.cc
+++ b/pc/peer_connection.cc
@@ -798,8 +798,7 @@
});
IceConfig ice_config(configuration);
- ice_config.dtls_handshake_in_stun =
- CanAttemptDtlsStunPiggybacking(configuration);
+ ice_config.dtls_handshake_in_stun = CanAttemptDtlsStunPiggybacking();
transport_controller_->SetIceConfig(ice_config);
return transport_controller_.get();
@@ -1528,8 +1527,7 @@
modified_config.GetTurnPortPrunePolicy() !=
configuration_.GetTurnPortPrunePolicy();
IceConfig ice_config(modified_config);
- ice_config.dtls_handshake_in_stun =
- CanAttemptDtlsStunPiggybacking(modified_config);
+ ice_config.dtls_handshake_in_stun = CanAttemptDtlsStunPiggybacking();
// Apply part of the configuration on the network thread. In theory this
// shouldn't fail.
@@ -3006,13 +3004,8 @@
};
}
-bool PeerConnection::CanAttemptDtlsStunPiggybacking(
- const RTCConfiguration& configuration) {
- // Enable DTLS-in-STUN only if no certificates were passed those
- // may be RSA certificates and this feature only works with small
- // ECDSA certificates. Determining the type of the key is
- // not trivially possible at this point.
- return dtls_enabled_ && configuration.certificates.empty() &&
+bool PeerConnection::CanAttemptDtlsStunPiggybacking() {
+ return dtls_enabled_ &&
env_.field_trials().IsEnabled("WebRTC-IceHandshakeDtls");
}
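Review bot: The parameterless `CanAttemptDtlsStunPiggybacking` now reads only `dtls_enabled_` and `env_.field_trials()`, so it can be declared `const` — `bool CanAttemptDtlsStunPiggybacking() const;` in peer_connection.h and `bool PeerConnection::CanAttemptDtlsStunPiggybacking() const {` here; `env_` is itself a `const Environment` member, so `field_trials()` is presumably const-callable, but confirm against Environment. The removed comment was the only place recording why explicitly configured certificates used to disable the feature, and the new body carries no explanation of the relaxed precondition. A one-line comment above the return would keep that reasoning discoverable, e.g. `// Explicitly configured (possibly large RSA) certificates no longer disable this: the DTLS handshake fragments certificate flights that exceed the MTU.` The same `const` applies to the declaration in the peer_connection.h hunk.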
diff --git a/pc/peer_connection.h b/pc/peer_connection.h
index 1a4cc90..e16cd6c 100644
--- a/pc/peer_connection.h
+++ b/pc/peer_connection.h
@@ -618,7 +618,7 @@
std::function<void(const RtpPacketReceived& parsed_packet)>
InitializeUnDemuxablePacketHandler();
- bool CanAttemptDtlsStunPiggybacking(const RTCConfiguration& configuration);
+ bool CanAttemptDtlsStunPiggybacking();
const Environment env_;
const scoped_refptr<ConnectionContext> context_;