Bug 1172785 - Switch to ECDSA for MTI suites, r=ekr

2024-09-13 09:24:08 -07:00 · 2015-07-06 10:40:04 -07:00 · 2015-07-06 10:40:04 -07:00 · fd71e66b19
commit fd71e66b19
parent 8bdc9eeda2
2 changed files with 15 additions and 15 deletions
--- a/media/mtransport/test/transport_unittests.cpp
+++ b/media/mtransport/test/transport_unittests.cpp
@ -958,8 +958,7 @@ TEST_F(TransportTest, TestConnect) {
  ConnectSocket();

  // check that we got the right suite
-  // bug 1052610
-  //ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
+  ASSERT_EQ(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());

  // no SRTP on this one
  ASSERT_EQ(0, p1_->srtpCipher());
@ -970,8 +969,7 @@ TEST_F(TransportTest, TestConnectSrtp) {
  SetDtlsPeer();
  ConnectSocket();

-  // bug 1052610
-  //ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
+  ASSERT_EQ(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());

  // SRTP is on
  ASSERT_EQ(SRTP_AES128_CM_HMAC_SHA1_80, p1_->srtpCipher());
@ -1177,24 +1175,23 @@ static void ConfigureOneCipher(TransportTestPeer* peer, uint16_t suite) {

 TEST_F(TransportTest, TestCipherMismatch) {
  SetDtlsPeer();
-  ConfigureOneCipher(p1_, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
-  ConfigureOneCipher(p2_, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
+  ConfigureOneCipher(p1_, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
+  ConfigureOneCipher(p2_, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
  ConnectSocketExpectFail();
 }

-// TODO(mt@mozilla.com) restore; bug 1052610
-TEST_F(TransportTest, DISABLED_TestCipherMandatoryOnlyGcm) {
+TEST_F(TransportTest, TestCipherMandatoryOnlyGcm) {
  SetDtlsPeer();
-  ConfigureOneCipher(p1_, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
+  ConfigureOneCipher(p1_, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
  ConnectSocket();
-  ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
+  ASSERT_EQ(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
 }

 TEST_F(TransportTest, TestCipherMandatoryOnlyCbc) {
  SetDtlsPeer();
-  ConfigureOneCipher(p1_, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
+  ConfigureOneCipher(p1_, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
  ConnectSocket();
-  ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, p1_->cipherSuite());
+  ASSERT_EQ(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, p1_->cipherSuite());
 }

 TEST_F(TransportTest, TestSrtpMismatch) {
--- a/media/mtransport/transportlayerdtls.cpp
+++ b/media/mtransport/transportlayerdtls.cpp
@ -648,10 +648,13 @@ bool TransportLayerDtls::SetupAlpn(PRFileDesc* ssl_fd) const {
 // Ciphers we need to enable.  These are on by default in standard firefox
 // builds, but can be disabled with prefs and they aren't on in our unit tests
 // since that uses NSS default configuration.
-// Only override prefs to comply with MUST statements in the security-arch.
+//
+// Only override prefs to comply with MUST statements in the security-arch doc.
+// Anything outside this list is governed by the usual combination of policy
+// and user preferences.
 static const uint32_t EnabledCiphers[] = {
-  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 };

 // Disable all NSS suites modes without PFS or with old and rusty ciphersuites.