Bug 996237 - Limit WebRTC cipher profiles. r=ekr
parent
1dec47d185
commit
25a9f7a101
@ -29,7 +29,7 @@ enum {
|
||||
};
|
||||
|
||||
#define TRANSPORT_LAYER_ID(name) \
|
||||
virtual const std::string id() { return name; } \
|
||||
virtual const std::string id() const { return name; } \
|
||||
static std::string ID() { return name; }
|
||||
|
||||
// Abstract base class for network transport layers.
|
||||
@ -81,10 +81,10 @@ class TransportLayer : public sigslot::has_slots<> {
|
||||
SignalPacketReceived;
|
||||
|
||||
// Return the layer id for this layer
|
||||
virtual const std::string id() = 0;
|
||||
virtual const std::string id() const = 0;
|
||||
|
||||
// The id of the flow
|
||||
const std::string& flow_id() {
|
||||
const std::string& flow_id() const {
|
||||
return flow_id_;
|
||||
}
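Review bot: The macro line `virtual const std::string id() const { return name; }` and the pure virtual `virtual const std::string id() const = 0;` both still return `const std::string` by value. The top-level `const` on a by-value return gives callers nothing and prevents moving from the result, so `virtual std::string id() const` would be the cleaner signature while these declarations are being touched. The `TransportLayer` class body starts and ends outside both hunks, so other declarations of `id()` cannot be checked from here.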
|
||||
|
||||
|
@ -500,11 +500,11 @@ bool TransportLayerDtls::Setup() {
|
||||
}
|
||||
}
|
||||
|
||||
// Require TLS 1.1. Perhaps some day in the future we will allow
|
||||
// TLS 1.0 for stream modes.
|
||||
// Require TLS 1.1 or 1.2. Perhaps some day in the future we will allow TLS
|
||||
// 1.0 for stream modes.
|
||||
SSLVersionRange version_range = {
|
||||
SSL_LIBRARY_VERSION_TLS_1_1,
|
||||
SSL_LIBRARY_VERSION_TLS_1_1
|
||||
SSL_LIBRARY_VERSION_TLS_1_2
|
||||
};
|
||||
|
||||
rv = SSL_VersionRangeSet(ssl_fd, &version_range);
|
||||
@ -549,16 +549,8 @@ bool TransportLayerDtls::Setup() {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Set the SRTP ciphers
|
||||
if (srtp_ciphers_.size()) {
|
||||
// Note: std::vector is guaranteed to contiguous
|
||||
rv = SSL_SetSRTPCiphers(ssl_fd, &srtp_ciphers_[0],
|
||||
srtp_ciphers_.size());
|
||||
|
||||
if (rv != SECSuccess) {
|
||||
MOZ_MTLOG(ML_ERROR, "Couldn't set SRTP cipher suite");
|
||||
return false;
|
||||
}
|
||||
if (!SetupCipherSuites(ssl_fd)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Certificate validation
|
||||
@ -588,6 +580,116 @@ bool TransportLayerDtls::Setup() {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Ciphers we need to enable. These are on by default in standard firefox
|
||||
// builds, but can be disabled with prefs and they aren't on in our unit tests
|
||||
// since that uses NSS default configuration.
|
||||
// Only override prefs to comply with MUST statements in the security-arch.
|
||||
static const uint32_t EnabledCiphers[] = {
|
||||
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||||
};
|
||||
|
||||
// Disalbe all NSS suites modes without PFS or with old and rusty ciphersuites.
|
||||
// Anything outside this list is governed by the usual combination of policy
|
||||
// and user preferences.
|
||||
static const uint32_t DisabledCiphers[] = {
|
||||
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
||||
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
|
||||
TLS_ECDHE_RSA_WITH_RC4_128_SHA,
|
||||
|
||||
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
|
||||
TLS_DHE_DSS_WITH_RC4_128_SHA,
|
||||
|
||||
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
|
||||
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
|
||||
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
|
||||
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
|
||||
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
||||
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
|
||||
TLS_ECDH_RSA_WITH_RC4_128_SHA,
|
||||
|
||||
TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||
TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||
TLS_RSA_WITH_AES_128_CBC_SHA256,
|
||||
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
|
||||
TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||
TLS_RSA_WITH_AES_256_CBC_SHA256,
|
||||
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
|
||||
TLS_RSA_WITH_SEED_CBC_SHA,
|
||||
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
|
||||
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
TLS_RSA_WITH_RC4_128_SHA,
|
||||
TLS_RSA_WITH_RC4_128_MD5,
|
||||
|
||||
TLS_DHE_RSA_WITH_DES_CBC_SHA,
|
||||
TLS_DHE_DSS_WITH_DES_CBC_SHA,
|
||||
SSL_RSA_FIPS_WITH_DES_CBC_SHA,
|
||||
TLS_RSA_WITH_DES_CBC_SHA,
|
||||
|
||||
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
|
||||
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
|
||||
|
||||
TLS_RSA_EXPORT_WITH_RC4_40_MD5,
|
||||
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
|
||||
|
||||
TLS_ECDHE_ECDSA_WITH_NULL_SHA,
|
||||
TLS_ECDHE_RSA_WITH_NULL_SHA,
|
||||
TLS_ECDH_ECDSA_WITH_NULL_SHA,
|
||||
TLS_ECDH_RSA_WITH_NULL_SHA,
|
||||
|
||||
TLS_RSA_WITH_NULL_SHA,
|
||||
TLS_RSA_WITH_NULL_SHA256,
|
||||
TLS_RSA_WITH_NULL_MD5,
|
||||
};
|
||||
|
||||
bool TransportLayerDtls::SetupCipherSuites(PRFileDesc* ssl_fd) const {
|
||||
SECStatus rv;
|
||||
|
||||
// Set the SRTP ciphers
|
||||
if (!srtp_ciphers_.empty()) {
|
||||
// Note: std::vector is guaranteed to contiguous
|
||||
rv = SSL_SetSRTPCiphers(ssl_fd, &srtp_ciphers_[0], srtp_ciphers_.size());
|
||||
|
||||
if (rv != SECSuccess) {
|
||||
MOZ_MTLOG(ML_ERROR, "Couldn't set SRTP cipher suite");
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
for (size_t i = 0; i < PR_ARRAY_SIZE(EnabledCiphers); ++i) {
|
||||
MOZ_MTLOG(ML_INFO, LAYER_INFO << "Enabling: " << EnabledCiphers[i]);
|
||||
rv = SSL_CipherPrefSet(ssl_fd, EnabledCiphers[i], PR_TRUE);
|
||||
if (rv != SECSuccess) {
|
||||
MOZ_MTLOG(ML_ERROR, LAYER_INFO <<
|
||||
"Unable to enable suite: " << EnabledCiphers[i]);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
for (size_t i = 0; i < PR_ARRAY_SIZE(DisabledCiphers); ++i) {
|
||||
MOZ_MTLOG(ML_INFO, LAYER_INFO << "Disabling: " << DisabledCiphers[i]);
|
||||
|
||||
PRBool enabled = false;
|
||||
rv = SSL_CipherPrefGet(ssl_fd, DisabledCiphers[i], &enabled);
|
||||
if (rv != SECSuccess) {
|
||||
MOZ_MTLOG(ML_NOTICE, LAYER_INFO <<
|
||||
"Unable to check if suite is enabled: " << DisabledCiphers[i]);
|
||||
return false;
|
||||
}
|
||||
if (enabled) {
|
||||
rv = SSL_CipherPrefSet(ssl_fd, DisabledCiphers[i], PR_FALSE);
|
||||
if (rv != SECSuccess) {
|
||||
MOZ_MTLOG(ML_NOTICE, LAYER_INFO <<
|
||||
"Unable to disable suite: " << DisabledCiphers[i]);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
void TransportLayerDtls::StateChange(TransportLayer *layer, State state) {
|
||||
if (state <= state_) {
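Review bot: `DisabledCiphers` in the last hunk is a deny-list, so a weak or non-forward-secret suite that is missing from it, or that NSS adds later, stays under policy and prefs and can still be offered on the DTLS connection. The array comment says this is intended, but it should also tell maintainers to revisit the list when the NSS suite table changes, e.g. `// Suites not listed here are NOT disabled; re-check this list on NSS updates.` A failing `SSL_CipherPrefGet` is treated as fatal, so if an NSS build no longer knows one of the listed legacy suites, `SetupCipherSuites` presumably returns false and DTLS setup fails; confirm whether an unknown suite should be skipped instead. Both failure branches of the disable loop log at `ML_NOTICE` although they abort setup just like the `ML_ERROR` branch of the enable loop, so `ML_ERROR` would make a failed hardening step visible. The comment typos `Disalbe` and `guaranteed to contiguous` are worth fixing in the same change.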
|
||||
|
@ -126,6 +126,7 @@ class TransportLayerDtls : public TransportLayer {
|
||||
|
||||
|
||||
bool Setup();
|
||||
bool SetupCipherSuites(PRFileDesc* ssl_fd) const;
|
||||
void Handshake();
|
||||
|
||||
static SECStatus GetClientAuthDataHook(void *arg, PRFileDesc *fd,
|
||||
|