Bug 1304919 - Update WebRTC to latest NSS, r=ekr

MozReview-Commit-ID: Jz9lraGZIyx

--HG--
extra : rebase_source : 9b80b600f46ecc04ea9f282342d3a98ef0e915b8
extra : source : f1aace586e14a276cc43dd00111d5c9d04580ea0
Martin Thomson 2016-09-23 13:47:00 +10:00
parent b4a425d1e8
commit 54eb5cb215
2 changed files with 18 additions and 9 deletions


@ -673,6 +673,7 @@ SSL_HandshakeCallback
SSL_HandshakeNegotiatedExtension
SSL_ImplementedCiphers @DATA@
SSL_ImportFD
SSL_NamedGroupConfig
SSL_NumImplementedCiphers @DATA@
SSL_OptionSet
SSL_OptionSetDefault


@ -453,6 +453,15 @@ TransportLayerDtls::SetVerificationDigest(const std::string digest_algorithm,
return NS_OK;
}
// These are the named groups that we will allow.
static const SSLNamedGroup NamedGroupPreferences[] = {
ssl_grp_ec_curve25519,
ssl_grp_ec_secp256r1,
ssl_grp_ec_secp384r1,
ssl_grp_ffdhe_2048,
ssl_grp_ffdhe_3072
};
// TODO: make sure this is called from STS. Otherwise
// we have thread safety issues
bool TransportLayerDtls::Setup() {
@ -587,6 +596,13 @@ bool TransportLayerDtls::Setup() {
return false;
}
rv = SSL_NamedGroupConfig(ssl_fd, NamedGroupPreferences,
mozilla::ArrayLength(NamedGroupPreferences));
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Couldn't set named groups");
return false;
}
// Certificate validation
rv = SSL_AuthCertificateHook(ssl_fd, AuthCertificateHook,
reinterpret_cast<void *>(this));
@ -691,6 +707,7 @@ static const uint32_t DisabledCiphers[] = {
TLS_ECDH_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
@ -698,27 +715,18 @@ static const uint32_t DisabledCiphers[] = {
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
TLS_RSA_WITH_SEED_CBC_SHA,
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_RC4_128_MD5,
TLS_DHE_RSA_WITH_DES_CBC_SHA,
TLS_DHE_DSS_WITH_DES_CBC_SHA,
SSL_RSA_FIPS_WITH_DES_CBC_SHA,
TLS_RSA_WITH_DES_CBC_SHA,
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
TLS_RSA_EXPORT_WITH_RC4_40_MD5,
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
TLS_ECDHE_ECDSA_WITH_NULL_SHA,
TLS_ECDHE_RSA_WITH_NULL_SHA,
TLS_ECDH_ECDSA_WITH_NULL_SHA,
TLS_ECDH_RSA_WITH_NULL_SHA,
TLS_RSA_WITH_NULL_SHA,
TLS_RSA_WITH_NULL_SHA256,
TLS_RSA_WITH_NULL_MD5,
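Review bot: The comment above `NamedGroupPreferences` only says these groups are "allowed", which understates what the array does once `Setup()` passes it whole to `SSL_NamedGroupConfig`. As far as I can tell from the NSS API, that call makes the array the complete key-exchange group policy for this DTLS socket, with array order as preference order. I would state that on the array so a later edit does not reorder or extend it casually: `// Named groups enabled for DTLS key exchange, most preferred first; groups not listed here are disabled on this socket.` A short note on why `ssl_grp_ffdhe_2048` is the floor for finite-field DH, and why larger groups are left out, would also help, since that choice is not evident from the code. `Setup()` starts in one hunk and continues past the end of the next, so the rest of its configuration is not visible here.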