From 52ec809b03b699915feed6ac6690eb42802f184a Mon Sep 17 00:00:00 2001 From: Sam Peters Date: Fri, 27 Mar 2026 09:02:58 -0500 Subject: [PATCH] Added WithDTLSEllipticCurves ConnectOption for FIPS --- engine.go | 2 ++ room.go | 11 +++++++++++ signalling/interfaces.go | 3 +++ transport.go | 5 +++++ 4 files changed, 21 insertions(+) diff --git a/engine.go b/engine.go index b603ef37..8bad49f3 100644 --- a/engine.go +++ b/engine.go @@ -350,6 +350,7 @@ func (e *RTCEngine) createPublisherPCLocked(configuration webrtc.Configuration) IncludeDefaultInterceptors: e.connParams.IncludeDefaultInterceptors, OnRTTUpdate: e.setRTT, IsSender: true, + DTLSEllipticCurves: e.connParams.DTLSEllipticCurves, }); err != nil { return err } @@ -435,6 +436,7 @@ func (e *RTCEngine) createSubscriberPCLocked(configuration webrtc.Configuration) RetransmitBufferSize: e.connParams.RetransmitBufferSize, Interceptors: e.connParams.Interceptors, IncludeDefaultInterceptors: e.connParams.IncludeDefaultInterceptors, + DTLSEllipticCurves: e.connParams.DTLSEllipticCurves, }); err != nil { return err } diff --git a/room.go b/room.go index ece9bf73..3546a5b1 100644 --- a/room.go +++ b/room.go @@ -40,6 +40,8 @@ import ( "github.com/livekit/protocol/auth" protoCodecs "github.com/livekit/protocol/codecs" "github.com/livekit/protocol/livekit" + + dtlsElliptic "github.com/pion/dtls/v3/pkg/crypto/elliptic" ) var ( @@ -195,6 +197,15 @@ func WithCodecs(codecs []livekit.Codec) ConnectOption { } } +// WithDTLSEllipticCurves configures the DTLS elliptic curves used for key exchange. +// Use this on FIPS 140-enabled systems to specify NIST-approved curves (e.g. P-256, P-384) +// instead of the default X25519. +func WithDTLSEllipticCurves(curves ...dtlsElliptic.Curve) ConnectOption { + return func(p *signalling.ConnectParams) { + p.DTLSEllipticCurves = curves + } +} + type PLIWriter func(webrtc.SSRC) type Room struct { diff --git a/signalling/interfaces.go b/signalling/interfaces.go index 90617a2b..1033cf09 100644 --- a/signalling/interfaces.go +++ b/signalling/interfaces.go @@ -22,6 +22,7 @@ import ( "github.com/livekit/mediatransportutil/pkg/pacer" "github.com/livekit/protocol/livekit" protoLogger "github.com/livekit/protocol/logger" + dtlsElliptic "github.com/pion/dtls/v3/pkg/crypto/elliptic" "github.com/pion/interceptor" "github.com/pion/webrtc/v4" "google.golang.org/protobuf/proto" @@ -89,6 +90,8 @@ type ConnectParams struct { ICETransportPolicy webrtc.ICETransportPolicy + DTLSEllipticCurves []dtlsElliptic.Curve // FIPS 140: override default DTLS curves + // internal use Codecs []webrtc.RTPCodecParameters } diff --git a/transport.go b/transport.go index 67c4dcf0..95fd9a72 100644 --- a/transport.go +++ b/transport.go @@ -24,6 +24,7 @@ import ( "github.com/bep/debounce" "github.com/pion/dtls/v3" + dtlsElliptic "github.com/pion/dtls/v3/pkg/crypto/elliptic" "github.com/pion/interceptor" "github.com/pion/interceptor/pkg/nack" "github.com/pion/interceptor/pkg/twcc" @@ -79,6 +80,7 @@ type PCTransportParams struct { IncludeDefaultInterceptors bool OnRTTUpdate func(rtt uint32) IsSender bool + DTLSEllipticCurves []dtlsElliptic.Curve } func (t *PCTransport) registerDefaultInterceptors(params PCTransportParams, i *interceptor.Registry) error { @@ -208,6 +210,9 @@ func NewPCTransport(params PCTransportParams) (*PCTransport, error) { se := webrtc.SettingEngine{} se.SetSRTPProtectionProfiles(dtls.SRTP_AEAD_AES_128_GCM, dtls.SRTP_AES128_CM_HMAC_SHA1_80) + if len(params.DTLSEllipticCurves) > 0 { + se.SetDTLSEllipticCurves(params.DTLSEllipticCurves...) + } se.SetDTLSRetransmissionInterval(dtlsRetransmissionInterval) se.SetICETimeouts(iceDisconnectedTimeout, iceFailedTimeout, iceKeepaliveInterval) lf := pionlogger.NewLoggerFactory(logger)