Bug 1172785 - Switch to ECDSA for MTI suites, r=ekr

--HG--
extra : commitid : BV7RgOzWYvf
extra : rebase_source : 8f74bf40b69029b1aeee1dbc708872a8d0488656
Martin Thomson 2015-07-06 10:40:04 -07:00
parent 8fd488c3ef
commit 0401014a7f
2 changed files with 15 additions and 15 deletions


@ -958,8 +958,7 @@ TEST_F(TransportTest, TestConnect) {
ConnectSocket();
// check that we got the right suite
// bug 1052610
//ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
ASSERT_EQ(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
// no SRTP on this one
ASSERT_EQ(0, p1_->srtpCipher());
@ -970,8 +969,7 @@ TEST_F(TransportTest, TestConnectSrtp) {
SetDtlsPeer();
ConnectSocket();
// bug 1052610
//ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
ASSERT_EQ(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
// SRTP is on
ASSERT_EQ(SRTP_AES128_CM_HMAC_SHA1_80, p1_->srtpCipher());
@ -1177,24 +1175,23 @@ static void ConfigureOneCipher(TransportTestPeer* peer, uint16_t suite) {
TEST_F(TransportTest, TestCipherMismatch) {
SetDtlsPeer();
ConfigureOneCipher(p1_, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
ConfigureOneCipher(p2_, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
ConfigureOneCipher(p1_, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
ConfigureOneCipher(p2_, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
ConnectSocketExpectFail();
}
// TODO(mt@mozilla.com) restore; bug 1052610
TEST_F(TransportTest, DISABLED_TestCipherMandatoryOnlyGcm) {
TEST_F(TransportTest, TestCipherMandatoryOnlyGcm) {
SetDtlsPeer();
ConfigureOneCipher(p1_, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
ConfigureOneCipher(p1_, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
ConnectSocket();
ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
ASSERT_EQ(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
}
TEST_F(TransportTest, TestCipherMandatoryOnlyCbc) {
SetDtlsPeer();
ConfigureOneCipher(p1_, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
ConfigureOneCipher(p1_, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
ConnectSocket();
ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, p1_->cipherSuite());
ASSERT_EQ(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, p1_->cipherSuite());
}
TEST_F(TransportTest, TestSrtpMismatch) {
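Review bot: No test in this section pins the behaviour of the RSA suites that the commit stops treating as mandatory; every TLS_ECDHE_RSA_* reference in TestCipherMismatch, TestCipherMandatoryOnlyGcm and TestCipherMandatoryOnlyCbc is replaced rather than kept as a negative case. A short test next to TestCipherMandatoryOnlyCbc, starting with `ConfigureOneCipher(p1_, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);` and asserting the expected outcome, would catch an accidental re-enable. Which outcome is right (presumably `ConnectSocketExpectFail();`) depends on the key type of the test peers' identities and on ConfigureOneCipher's body, neither of which is visible here. The restored assertions in TestConnect and TestConnectSrtp would also read better with a one-line comment such as `// ECDSA GCM is the mandatory-to-implement suite, so both peers must negotiate it`.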


@ -648,10 +648,13 @@ bool TransportLayerDtls::SetupAlpn(PRFileDesc* ssl_fd) const {
// Ciphers we need to enable. These are on by default in standard firefox
// builds, but can be disabled with prefs and they aren't on in our unit tests
// since that uses NSS default configuration.
// Only override prefs to comply with MUST statements in the security-arch.
//
// Only override prefs to comply with MUST statements in the security-arch doc.
// Anything outside this list is governed by the usual combination of policy
// and user preferences.
static const uint32_t EnabledCiphers[] = {
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
};
// Disable all NSS suites modes without PFS or with old and rusty ciphersuites.
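Review bot: The forced list in EnabledCiphers still carries `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, a CBC-mode suite with an HMAC-SHA1 MAC, and according to the comment above the array every entry overrides a pref that turned the suite off. The new comment cites the MUST statements in the security-arch doc without saying which entry each MUST covers, so a later reader cannot tell whether the CBC entry is required or kept only for interop. I would annotate each entry, e.g. `// MUST per security-arch <section placeholder>` on the GCM line and either the same or `// interop fallback, remove once peers support GCM` on the CBC line, and drop the CBC entry if the doc does not require it. The code that applies this array is outside the hunk, so how the override interacts with the disable list that follows is not checked here.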