
Side by Side Diff: webrtc/base/nssstreamadapter.cc

Issue 1189583002: Support generation of EC keys using P256 curve and support ECDSA certs. (Closed) Base URL: https://chromium.googlesource.com/external/webrtc.git@master
Patch Set: explicitly enable ECDSA for NSS; tolerate ECDSA and RSA certs in unittest Created 5 years, 5 months ago
1 /* 1 /*
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
3 * 3 *
4 * Use of this source code is governed by a BSD-style license 4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source 5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found 6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may 7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree. 8 * be found in the AUTHORS file in the root of the source tree.
9 */ 9 */
10 10
(...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after
63 {"AES_CM_128_HMAC_SHA1_80", SRTP_AES128_CM_HMAC_SHA1_80 }, 63 {"AES_CM_128_HMAC_SHA1_80", SRTP_AES128_CM_HMAC_SHA1_80 },
64 {"AES_CM_128_HMAC_SHA1_32", SRTP_AES128_CM_HMAC_SHA1_32 }, 64 {"AES_CM_128_HMAC_SHA1_32", SRTP_AES128_CM_HMAC_SHA1_32 },
65 {NULL, 0} 65 {NULL, 0}
66 }; 66 };
67 #endif 67 #endif
68 68
69 // Ciphers to enable to get ECDHE encryption with endpoints that support it. 69 // Ciphers to enable to get ECDHE encryption with endpoints that support it.
70 static const uint32_t kEnabledCiphers[] = { 70 static const uint32_t kEnabledCiphers[] = {
71 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 71 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
72 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 72 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
73 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
juberti1 2015/06/26 19:16:01 this should be ECDHE
torbjorng (webrtc) 2015/07/02 12:35:07 Done.
74 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
juberti1 2015/06/26 19:16:01 we don't want the AES-256 variant. this should be
torbjorng (webrtc) 2015/07/02 12:35:07 Done.
73 }; 75 };
74 76
75 // Default cipher used between NSS stream adapters. 77 // Default cipher used between NSS stream adapters.
76 // This needs to be updated when the default of the SSL library changes. 78 // This needs to be updated when the default of the SSL library changes.
77 static const char kDefaultSslCipher10[] = 79 static const char kDefaultSslCipher10[] =
78 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"; 80 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA";
79 static const char kDefaultSslCipher12[] = 81 static const char kDefaultSslCipher12[] =
80 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; 82 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
81 83
82 84
(...skipping 405 matching lines...) Expand 10 before | Expand all | Expand 10 after
488 490
489 if (identity_.get()) { 491 if (identity_.get()) {
490 identity = static_cast<NSSIdentity *>(identity_.get()); 492 identity = static_cast<NSSIdentity *>(identity_.get());
491 } else { 493 } else {
492 LOG(LS_ERROR) << "Can't be an SSL server without an identity"; 494 LOG(LS_ERROR) << "Can't be an SSL server without an identity";
493 Error("BeginSSL", -1, false); 495 Error("BeginSSL", -1, false);
494 return -1; 496 return -1;
495 } 497 }
496 rv = SSL_ConfigSecureServer(ssl_fd_, identity->certificate().certificate(), 498 rv = SSL_ConfigSecureServer(ssl_fd_, identity->certificate().certificate(),
497 identity->keypair()->privkey(), 499 identity->keypair()->privkey(),
498 kt_rsa); 500 identity->keypair()->ssl_kea_type());
499 if (rv != SECSuccess) { 501 if (rv != SECSuccess) {
500 Error("BeginSSL", -1, false); 502 Error("BeginSSL", -1, false);
501 return -1; 503 return -1;
502 } 504 }
503 505
504 // Insist on a certificate from the client 506 // Insist on a certificate from the client
505 rv = SSL_OptionSet(ssl_fd_, SSL_REQUEST_CERTIFICATE, PR_TRUE); 507 rv = SSL_OptionSet(ssl_fd_, SSL_REQUEST_CERTIFICATE, PR_TRUE);
506 if (rv != SECSuccess) { 508 if (rv != SECSuccess) {
507 Error("BeginSSL", -1, false); 509 Error("BeginSSL", -1, false);
508 return -1; 510 return -1;
(...skipping 591 matching lines...) Expand 10 before | Expand all | Expand 10 after
1100 return kDefaultSslCipher10; 1102 return kDefaultSslCipher10;
1101 case SSL_PROTOCOL_TLS_12: 1103 case SSL_PROTOCOL_TLS_12:
1102 default: 1104 default:
1103 return kDefaultSslCipher12; 1105 return kDefaultSslCipher12;
1104 } 1106 }
1105 } 1107 }
1106 1108
1107 } // namespace rtc 1109 } // namespace rtc
1108 1110
1109 #endif // HAVE_NSS_SSL_H 1111 #endif // HAVE_NSS_SSL_H
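Review bot: The default cipher names at new lines 79-82 (`kDefaultSslCipher10` / `kDefaultSslCipher12`) are still the `TLS_ECDHE_RSA_*` suites, yet the `SSL_ConfigSecureServer` call at new line 500 can now configure an ECDSA identity, for which an RSA-authenticated suite cannot be negotiated. The switch at new lines 1102-1105 picks the default by protocol version only, so anything that compares the negotiated suite against it would presumably mismatch for ECDSA certificates; the function's signature is in the skipped lines, so this needs confirming. Either select the default by key type as well, or at least document the limit with a comment such as `// Defaults assume an RSA identity; ECDSA identities negotiate an ECDHE_ECDSA suite instead.` above `kDefaultSslCipher10`.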