Backed out changeset ab292958d0e7 (bug 996237) for build failures on Android

media/mtransport/transportlayer.h

@@ -29,7 +29,7 @@ enum {
 };
 
 #define TRANSPORT_LAYER_ID(name) \
-  virtual const std::string id() const { return name; } \
+  virtual const std::string id() { return name; } \
   static std::string ID() { return name; }
 
 // Abstract base class for network transport layers.
@@ -81,10 +81,10 @@ class TransportLayer : public sigslot::has_slots<> {
                          SignalPacketReceived;
 
   // Return the layer id for this layer
-  virtual const std::string id() const = 0;
+  virtual const std::string id() = 0;
 
   // The id of the flow
-  const std::string& flow_id() const {
+  const std::string& flow_id() {
     return flow_id_;
   }
 

media/mtransport/transportlayerdtls.cpp

@@ -500,11 +500,11 @@ bool TransportLayerDtls::Setup() {
     }
   }
 
-  // Require TLS 1.1 or 1.2. Perhaps some day in the future we will allow TLS
-  // 1.0 for stream modes.
+  // Require TLS 1.1. Perhaps some day in the future we will allow
+  // TLS 1.0 for stream modes.
   SSLVersionRange version_range = {
     SSL_LIBRARY_VERSION_TLS_1_1,
-    SSL_LIBRARY_VERSION_TLS_1_2
+    SSL_LIBRARY_VERSION_TLS_1_1
   };
 
   rv = SSL_VersionRangeSet(ssl_fd, &version_range);
@@ -549,9 +549,17 @@ bool TransportLayerDtls::Setup() {
     return false;
   }
 
-  if (!SetupCipherSuites(ssl_fd)) {
+  // Set the SRTP ciphers
+  if (srtp_ciphers_.size()) {
+    // Note: std::vector is guaranteed to contiguous
+    rv = SSL_SetSRTPCiphers(ssl_fd, &srtp_ciphers_[0],
+                            srtp_ciphers_.size());
+
+    if (rv != SECSuccess) {
+      MOZ_MTLOG(ML_ERROR, "Couldn't set SRTP cipher suite");
       return false;
     }
+  }
 
   // Certificate validation
   rv = SSL_AuthCertificateHook(ssl_fd, AuthCertificateHook,
@@ -580,116 +588,6 @@ bool TransportLayerDtls::Setup() {
   return true;
 }
 
-// Ciphers we need to enable.  These are on by default in standard firefox
-// builds, but can be disabled with prefs and they aren't on in our unit tests
-// since that uses NSS default configuration.
-// Only override prefs to comply with MUST statements in the security-arch.
-static const uint32_t EnabledCiphers[] = {
-  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
-};
-
-// Disalbe all NSS suites modes without PFS or with old and rusty ciphersuites.
-// Anything outside this list is governed by the usual combination of policy
-// and user preferences.
-static const uint32_t DisabledCiphers[] = {
-  TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
-  TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-  TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
-  TLS_ECDHE_RSA_WITH_RC4_128_SHA,
-
-  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
-  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
-  TLS_DHE_DSS_WITH_RC4_128_SHA,
-
-  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
-  TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
-  TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
-  TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
-  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
-  TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
-  TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
-  TLS_ECDH_RSA_WITH_RC4_128_SHA,
-
-  TLS_RSA_WITH_AES_128_GCM_SHA256,
-  TLS_RSA_WITH_AES_128_CBC_SHA,
-  TLS_RSA_WITH_AES_128_CBC_SHA256,
-  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
-  TLS_RSA_WITH_AES_256_CBC_SHA,
-  TLS_RSA_WITH_AES_256_CBC_SHA256,
-  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
-  TLS_RSA_WITH_SEED_CBC_SHA,
-  SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
-  TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-  TLS_RSA_WITH_RC4_128_SHA,
-  TLS_RSA_WITH_RC4_128_MD5,
-
-  TLS_DHE_RSA_WITH_DES_CBC_SHA,
-  TLS_DHE_DSS_WITH_DES_CBC_SHA,
-  SSL_RSA_FIPS_WITH_DES_CBC_SHA,
-  TLS_RSA_WITH_DES_CBC_SHA,
-
-  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
-  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-
-  TLS_RSA_EXPORT_WITH_RC4_40_MD5,
-  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
-
-  TLS_ECDHE_ECDSA_WITH_NULL_SHA,
-  TLS_ECDHE_RSA_WITH_NULL_SHA,
-  TLS_ECDH_ECDSA_WITH_NULL_SHA,
-  TLS_ECDH_RSA_WITH_NULL_SHA,
-
-  TLS_RSA_WITH_NULL_SHA,
-  TLS_RSA_WITH_NULL_SHA256,
-  TLS_RSA_WITH_NULL_MD5,
-};
-
-bool TransportLayerDtls::SetupCipherSuites(PRFileDesc* ssl_fd) const {
-  SECStatus rv;
-
-  // Set the SRTP ciphers
-  if (!srtp_ciphers_.empty()) {
-    // Note: std::vector is guaranteed to contiguous
-    rv = SSL_SetSRTPCiphers(ssl_fd, &srtp_ciphers_[0], srtp_ciphers_.size());
-
-    if (rv != SECSuccess) {
-      MOZ_MTLOG(ML_ERROR, "Couldn't set SRTP cipher suite");
-      return false;
-    }
-  }
-
-  for (size_t i = 0; i < PR_ARRAY_SIZE(EnabledCiphers); ++i) {
-    MOZ_MTLOG(ML_INFO, LAYER_INFO << "Enabling: " << EnabledCiphers[i]);
-    rv = SSL_CipherPrefSet(ssl_fd, EnabledCiphers[i], PR_TRUE);
-    if (rv != SECSuccess) {
-      MOZ_MTLOG(ML_ERROR, LAYER_INFO <<
-                "Unable to enable suite: " << EnabledCiphers[i]);
-      return false;
-    }
-  }
-
-  for (size_t i = 0; i < PR_ARRAY_SIZE(DisabledCiphers); ++i) {
-    MOZ_MTLOG(ML_INFO, LAYER_INFO << "Disabling: " << DisabledCiphers[i]);
-
-    PRBool enabled = false;
-    rv = SSL_CipherPrefGet(ssl_fd, DisabledCiphers[i], &enabled);
-    if (rv != SECSuccess) {
-      MOZ_MTLOG(ML_NOTICE, LAYER_INFO <<
-                "Unable to check if suite is enabled: " << DisabledCiphers[i]);
-      return false;
-    }
-    if (enabled) {
-      rv = SSL_CipherPrefSet(ssl_fd, DisabledCiphers[i], PR_FALSE);
-      if (rv != SECSuccess) {
-        MOZ_MTLOG(ML_NOTICE, LAYER_INFO <<
-                  "Unable to disable suite: " << DisabledCiphers[i]);
-        return false;
-      }
-    }
-  }
-  return true;
-}
 
 void TransportLayerDtls::StateChange(TransportLayer *layer, State state) {
   if (state <= state_) {

media/mtransport/transportlayerdtls.h

@@ -126,7 +126,6 @@ class TransportLayerDtls : public TransportLayer {
 
 
   bool Setup();
-  bool SetupCipherSuites(PRFileDesc* ssl_fd) const;
   void Handshake();
 
   static SECStatus GetClientAuthDataHook(void *arg, PRFileDesc *fd,