From 0401014a7f457ab6c8abbcd809e7ad88b2627995 Mon Sep 17 00:00:00 2001
From: Martin Thomson
Date: Mon, 6 Jul 2015 10:40:04 -0700
Subject: [PATCH] Bug 1172785 - Switch to ECDSA for MTI suites, r=ekr
--HG--
extra : commitid : BV7RgOzWYvf
extra : rebase_source : 8f74bf40b69029b1aeee1dbc708872a8d0488656
---
 media/mtransport/test/transport_unittests.cpp | 21 ++++++++-----------
 media/mtransport/transportlayerdtls.cpp | 9 +++++---
 2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/media/mtransport/test/transport_unittests.cpp b/media/mtransport/test/transport_unittests.cpp
index fd3f25f5bf2b..8f76ad9fb99b 100644
--- a/media/mtransport/test/transport_unittests.cpp
+++ b/media/mtransport/test/transport_unittests.cpp
@@ -958,8 +958,7 @@ TEST_F(TransportTest, TestConnect) {
   ConnectSocket();
   // check that we got the right suite
-  // bug 1052610
-  //ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
+  ASSERT_EQ(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
   // no SRTP on this one
   ASSERT_EQ(0, p1_->srtpCipher());
@@ -970,8 +969,7 @@ TEST_F(TransportTest, TestConnectSrtp) {
   SetDtlsPeer();
   ConnectSocket();
-  // bug 1052610
-  //ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
+  ASSERT_EQ(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
   // SRTP is on
   ASSERT_EQ(SRTP_AES128_CM_HMAC_SHA1_80, p1_->srtpCipher());
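Review bot: Both re-enabled asserts check the negotiated suite on p1_ only; p2_ is the same TransportTestPeer type (see ConfigureOneCipher's signature), so adding `ASSERT_EQ(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, p2_->cipherSuite());` would also catch a peer that reports a suite other than the one actually negotiated. The assertion presumably also pins that the AEAD GCM suite wins over the CBC-SHA1 suite when both MTI suites are enabled, which is the security-relevant property here; a one-line comment such as `// the AEAD suite must be preferred when both MTI suites are available` would make that intent explicit. The same applies to the hunk at @@ -970 (TestConnectSrtp). Both TEST_F bodies start outside their hunks.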
@@ -1177,24 +1175,23 @@ static void ConfigureOneCipher(TransportTestPeer* peer, uint16_t suite) {
 TEST_F(TransportTest, TestCipherMismatch) {
   SetDtlsPeer();
-  ConfigureOneCipher(p1_, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
-  ConfigureOneCipher(p2_, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
+  ConfigureOneCipher(p1_, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
+  ConfigureOneCipher(p2_, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
   ConnectSocketExpectFail();
 }
-// TODO(mt@mozilla.com) restore; bug 1052610
-TEST_F(TransportTest, DISABLED_TestCipherMandatoryOnlyGcm) {
+TEST_F(TransportTest, TestCipherMandatoryOnlyGcm) {
   SetDtlsPeer();
-  ConfigureOneCipher(p1_, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
+  ConfigureOneCipher(p1_, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
   ConnectSocket();
-  ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
+  ASSERT_EQ(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
 }
 TEST_F(TransportTest, TestCipherMandatoryOnlyCbc) {
   SetDtlsPeer();
-  ConfigureOneCipher(p1_, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
+  ConfigureOneCipher(p1_, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
   ConnectSocket();
-  ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, p1_->cipherSuite());
+  ASSERT_EQ(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, p1_->cipherSuite());
 }
 TEST_F(TransportTest, TestSrtpMismatch) {
diff --git a/media/mtransport/transportlayerdtls.cpp b/media/mtransport/transportlayerdtls.cpp
index d6baed54c905..cca6441993f5 100644
--- a/media/mtransport/transportlayerdtls.cpp
+++ b/media/mtransport/transportlayerdtls.cpp
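Review bot: The two MTI suite identifiers are spelled out literally in every test in this hunk (and again in the asserts at @@ -958 and @@ -970), so the next MTI change is another multi-line edit that can silently miss one occurrence. Two file-local constants next to ConfigureOneCipher, matching its `uint16_t suite` parameter, `static const uint16_t kMtiGcmSuite = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;` and `static const uint16_t kMtiCbcSuite = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA;`, would let the tests read as "the MTI suites" and keep them aligned with EnabledCiphers in transportlayerdtls.cpp. TestCipherMismatch only checks that the handshake fails, not why; if ConnectSocketExpectFail exposes an alert or error code, asserting it would distinguish a genuine suite mismatch from an unrelated handshake failure, but I cannot confirm that from the hunk. The body of TEST_F(TransportTest, TestSrtpMismatch) begins outside the hunk.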
@@ -648,10 +648,13 @@ bool TransportLayerDtls::SetupAlpn(PRFileDesc* ssl_fd) const {
 // Ciphers we need to enable. These are on by default in standard firefox
 // builds, but can be disabled with prefs and they aren't on in our unit tests
 // since that uses NSS default configuration.
-// Only override prefs to comply with MUST statements in the security-arch.
+//
+// Only override prefs to comply with MUST statements in the security-arch doc.
+// Anything outside this list is governed by the usual combination of policy
+// and user preferences.
 static const uint32_t EnabledCiphers[] = {
-  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 };
 // Disable all NSS suites modes without PFS or with old and rusty ciphersuites.
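Review bot: The new comment explains why EnabledCiphers overrides prefs, but not why the non-AEAD CBC-SHA1 suite is force-enabled alongside the GCM suite even where policy or a user pref has turned it off; a reader may take it as a preferred option rather than a compatibility floor. I would extend the comment with `// Both suites are listed only because the security-arch doc makes them MTI; revisit this list (in particular the non-AEAD CBC suite) when that requirement changes.` It is also worth recording that TestCipherMandatoryOnlyGcm and TestCipherMandatoryOnlyCbc in test/transport_unittests.cpp pin exactly these two suites, e.g. `// Keep in sync with the TestCipherMandatoryOnly* unit tests.` With RSA suites gone from this list, the code that enables these entries presumably relies on the local DTLS identity being an ECDSA certificate, since ECDHE_ECDSA suites cannot be negotiated otherwise; that code lies outside the hunk, so I cannot confirm it here.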