mirror of
https://github.com/mozilla/gecko-dev.git
synced 2025-01-19 09:30:44 +00:00
Bug 1172785 - Switch to ECDSA for MTI suites, r=ekr
--HG-- extra : commitid : BV7RgOzWYvf extra : rebase_source : 8f74bf40b69029b1aeee1dbc708872a8d0488656
This commit is contained in:
parent
8fd488c3ef
commit
0401014a7f
@ -958,8 +958,7 @@ TEST_F(TransportTest, TestConnect) {
|
||||
ConnectSocket();
|
||||
|
||||
// check that we got the right suite
|
||||
// bug 1052610
|
||||
//ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
|
||||
ASSERT_EQ(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
|
||||
|
||||
// no SRTP on this one
|
||||
ASSERT_EQ(0, p1_->srtpCipher());
|
||||
@ -970,8 +969,7 @@ TEST_F(TransportTest, TestConnectSrtp) {
|
||||
SetDtlsPeer();
|
||||
ConnectSocket();
|
||||
|
||||
// bug 1052610
|
||||
//ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
|
||||
ASSERT_EQ(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
|
||||
|
||||
// SRTP is on
|
||||
ASSERT_EQ(SRTP_AES128_CM_HMAC_SHA1_80, p1_->srtpCipher());
|
||||
@ -1177,24 +1175,23 @@ static void ConfigureOneCipher(TransportTestPeer* peer, uint16_t suite) {
|
||||
|
||||
TEST_F(TransportTest, TestCipherMismatch) {
|
||||
SetDtlsPeer();
|
||||
ConfigureOneCipher(p1_, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
|
||||
ConfigureOneCipher(p2_, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
|
||||
ConfigureOneCipher(p1_, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
|
||||
ConfigureOneCipher(p2_, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
|
||||
ConnectSocketExpectFail();
|
||||
}
|
||||
|
||||
// TODO(mt@mozilla.com) restore; bug 1052610
|
||||
TEST_F(TransportTest, DISABLED_TestCipherMandatoryOnlyGcm) {
|
||||
TEST_F(TransportTest, TestCipherMandatoryOnlyGcm) {
|
||||
SetDtlsPeer();
|
||||
ConfigureOneCipher(p1_, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
|
||||
ConfigureOneCipher(p1_, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
|
||||
ConnectSocket();
|
||||
ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
|
||||
ASSERT_EQ(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
|
||||
}
|
||||
|
||||
TEST_F(TransportTest, TestCipherMandatoryOnlyCbc) {
|
||||
SetDtlsPeer();
|
||||
ConfigureOneCipher(p1_, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
|
||||
ConfigureOneCipher(p1_, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
|
||||
ConnectSocket();
|
||||
ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, p1_->cipherSuite());
|
||||
ASSERT_EQ(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, p1_->cipherSuite());
|
||||
}
|
||||
|
||||
TEST_F(TransportTest, TestSrtpMismatch) {
|
||||
|
@ -648,10 +648,13 @@ bool TransportLayerDtls::SetupAlpn(PRFileDesc* ssl_fd) const {
|
||||
// Ciphers we need to enable. These are on by default in standard firefox
|
||||
// builds, but can be disabled with prefs and they aren't on in our unit tests
|
||||
// since that uses NSS default configuration.
|
||||
// Only override prefs to comply with MUST statements in the security-arch.
|
||||
//
|
||||
// Only override prefs to comply with MUST statements in the security-arch doc.
|
||||
// Anything outside this list is governed by the usual combination of policy
|
||||
// and user preferences.
|
||||
static const uint32_t EnabledCiphers[] = {
|
||||
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||||
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
||||
};
|
||||
|
||||
// Disable all NSS suites modes without PFS or with old and rusty ciphersuites.
|
||||
|
Loading…
x
Reference in New Issue
Block a user