Bug 1304919 - Update WebRTC to latest NSS, r=ekr
authorMartin Thomson <martin.thomson@gmail.com>
Fri, 23 Sep 2016 13:47:00 +1000
changeset 315320 494e0af296f6916a371f4cfb154e26e91ae8366d
parent 315319 a32d729a8c6b82bf35b370fc573f210bda60aa04
child 315321 27e8b32dea3e6ca0500494ceba82dbb3420d1376
push id30747
push usercbook@mozilla.com
push dateTue, 27 Sep 2016 09:22:00 +0000
treeherdermozilla-central@66a77b9bfe5d [default view] [failures only]
reviewersekr
bugs1304919
milestone52.0a1
Bug 1304919 - Update WebRTC to latest NSS, r=ekr MozReview-Commit-ID: Jz9lraGZIyx
config/external/nss/nss.symbols
media/mtransport/transportlayerdtls.cpp
--- a/config/external/nss/nss.symbols
+++ b/config/external/nss/nss.symbols
@@ -668,16 +668,17 @@ SSL_GetClientAuthDataHook
 SSL_GetImplementedCiphers
 SSL_GetNextProto
 SSL_GetNumImplementedCiphers
 SSL_GetSRTPCipher
 SSL_HandshakeCallback
 SSL_HandshakeNegotiatedExtension
 SSL_ImplementedCiphers @DATA@
 SSL_ImportFD
+SSL_NamedGroupConfig
 SSL_NumImplementedCiphers @DATA@
 SSL_OptionSet
 SSL_OptionSetDefault
 SSL_PeerCertificate
 SSL_PeerCertificateChain
 SSL_PeerStapledOCSPResponses
 SSL_ResetHandshake
 SSL_SetCanFalseStartCallback
--- a/media/mtransport/transportlayerdtls.cpp
+++ b/media/mtransport/transportlayerdtls.cpp
@@ -448,16 +448,25 @@ TransportLayerDtls::SetVerificationDiges
   digests_.push_back(new VerificationDigest(
       digest_algorithm, digest_value, digest_len));
 
   verification_mode_ = VERIFY_DIGEST;
 
   return NS_OK;
 }
 
+// These are the named groups that we will allow.
+static const SSLNamedGroup NamedGroupPreferences[] = {
+  ssl_grp_ec_curve25519,
+  ssl_grp_ec_secp256r1,
+  ssl_grp_ec_secp384r1,
+  ssl_grp_ffdhe_2048,
+  ssl_grp_ffdhe_3072
+};
+
 // TODO: make sure this is called from STS. Otherwise
 // we have thread safety issues
 bool TransportLayerDtls::Setup() {
   CheckThread();
   SECStatus rv;
 
   if (!downward_) {
     MOZ_MTLOG(ML_ERROR, "DTLS layer with nothing below. This is useless");
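Review bot: The comment on `NamedGroupPreferences` says these are the groups "we will allow", while the array name says "preferences", so a reader cannot tell whether the order matters or whether unlisted groups are actually turned off. If NSS treats the array as a preference order and disables everything not listed (worth confirming against the SSL_NamedGroupConfig documentation), the comment should say so, e.g. `// Named groups offered for DTLS key exchange, most preferred first; groups not listed here are disabled on this socket.` It would also help to record why `ssl_grp_ffdhe_2048` and `ssl_grp_ffdhe_3072` are kept, since whether any DHE suite stays enabled is decided in SetupCipherSuites, outside this hunk.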
@@ -582,16 +591,23 @@ bool TransportLayerDtls::Setup() {
     MOZ_MTLOG(ML_ERROR, "Couldn't disable ECDHE key reuse");
     return false;
   }
 
   if (!SetupCipherSuites(ssl_fd)) {
     return false;
   }
 
+  rv = SSL_NamedGroupConfig(ssl_fd, NamedGroupPreferences,
+                            mozilla::ArrayLength(NamedGroupPreferences));
+  if (rv != SECSuccess) {
+    MOZ_MTLOG(ML_ERROR, "Couldn't set named groups");
+    return false;
+  }
+
   // Certificate validation
   rv = SSL_AuthCertificateHook(ssl_fd, AuthCertificateHook,
                                reinterpret_cast<void *>(this));
   if (rv != SECSuccess) {
     MOZ_MTLOG(ML_ERROR, "Couldn't set certificate validation hook");
     return false;
   }
 
@@ -686,44 +702,36 @@ static const uint32_t DisabledCiphers[] 
   TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
   TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
   TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
   TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
   TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
   TLS_ECDH_RSA_WITH_RC4_128_SHA,
 
   TLS_RSA_WITH_AES_128_GCM_SHA256,
+  TLS_RSA_WITH_AES_256_GCM_SHA384,
   TLS_RSA_WITH_AES_128_CBC_SHA,
   TLS_RSA_WITH_AES_128_CBC_SHA256,
   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
   TLS_RSA_WITH_AES_256_CBC_SHA,
   TLS_RSA_WITH_AES_256_CBC_SHA256,
   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
   TLS_RSA_WITH_SEED_CBC_SHA,
-  SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
   TLS_RSA_WITH_3DES_EDE_CBC_SHA,
   TLS_RSA_WITH_RC4_128_SHA,
   TLS_RSA_WITH_RC4_128_MD5,
 
   TLS_DHE_RSA_WITH_DES_CBC_SHA,
   TLS_DHE_DSS_WITH_DES_CBC_SHA,
-  SSL_RSA_FIPS_WITH_DES_CBC_SHA,
   TLS_RSA_WITH_DES_CBC_SHA,
 
-  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
-  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-
-  TLS_RSA_EXPORT_WITH_RC4_40_MD5,
-  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
-
   TLS_ECDHE_ECDSA_WITH_NULL_SHA,
   TLS_ECDHE_RSA_WITH_NULL_SHA,
   TLS_ECDH_ECDSA_WITH_NULL_SHA,
   TLS_ECDH_RSA_WITH_NULL_SHA,
-
   TLS_RSA_WITH_NULL_SHA,
   TLS_RSA_WITH_NULL_SHA256,
   TLS_RSA_WITH_NULL_MD5,
 };
 
 bool TransportLayerDtls::SetupCipherSuites(PRFileDesc* ssl_fd) const {
   SECStatus rv;