Bug 1304919 - Update WebRTC to latest NSS, r=ekr

MozReview-Commit-ID: Jz9lraGZIyx --HG-- extra : rebase_source : 9b80b600f46ecc04ea9f282342d3a98ef0e915b8 extra : source : f1aace586e14a276cc43dd00111d5c9d04580ea0
2016-09-23 13:47:00 +10:00 · 2016-09-23 13:47:00 +10:00 · 54eb5cb215
--- a/config/external/nss/nss.symbols
+++ b/config/external/nss/nss.symbols
@ -673,6 +673,7 @@ SSL_HandshakeCallback
 SSL_HandshakeNegotiatedExtension
 SSL_ImplementedCiphers @DATA@
 SSL_ImportFD
+SSL_NamedGroupConfig
 SSL_NumImplementedCiphers @DATA@
 SSL_OptionSet
 SSL_OptionSetDefault
--- a/media/mtransport/transportlayerdtls.cpp
+++ b/media/mtransport/transportlayerdtls.cpp
@ -453,6 +453,15 @@ TransportLayerDtls::SetVerificationDigest(const std::string digest_algorithm,
  return NS_OK;
 }

+// These are the named groups that we will allow.
+static const SSLNamedGroup NamedGroupPreferences[] = {
+  ssl_grp_ec_curve25519,
+  ssl_grp_ec_secp256r1,
+  ssl_grp_ec_secp384r1,
+  ssl_grp_ffdhe_2048,
+  ssl_grp_ffdhe_3072
+};
+
 // TODO: make sure this is called from STS. Otherwise
 // we have thread safety issues
 bool TransportLayerDtls::Setup() {
@ -587,6 +596,13 @@ bool TransportLayerDtls::Setup() {
    return false;
  }

+  rv = SSL_NamedGroupConfig(ssl_fd, NamedGroupPreferences,
+                            mozilla::ArrayLength(NamedGroupPreferences));
+  if (rv != SECSuccess) {
+    MOZ_MTLOG(ML_ERROR, "Couldn't set named groups");
+    return false;
+  }
+
  // Certificate validation
  rv = SSL_AuthCertificateHook(ssl_fd, AuthCertificateHook,
                               reinterpret_cast<void *>(this));
@ -691,6 +707,7 @@ static const uint32_t DisabledCiphers[] = {
  TLS_ECDH_RSA_WITH_RC4_128_SHA,

  TLS_RSA_WITH_AES_128_GCM_SHA256,
+  TLS_RSA_WITH_AES_256_GCM_SHA384,
  TLS_RSA_WITH_AES_128_CBC_SHA,
  TLS_RSA_WITH_AES_128_CBC_SHA256,
  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
@ -698,27 +715,18 @@ static const uint32_t DisabledCiphers[] = {
  TLS_RSA_WITH_AES_256_CBC_SHA256,
  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
  TLS_RSA_WITH_SEED_CBC_SHA,
-  SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
  TLS_RSA_WITH_3DES_EDE_CBC_SHA,
  TLS_RSA_WITH_RC4_128_SHA,
  TLS_RSA_WITH_RC4_128_MD5,

  TLS_DHE_RSA_WITH_DES_CBC_SHA,
  TLS_DHE_DSS_WITH_DES_CBC_SHA,
-  SSL_RSA_FIPS_WITH_DES_CBC_SHA,
  TLS_RSA_WITH_DES_CBC_SHA,

-  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
-  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-
-  TLS_RSA_EXPORT_WITH_RC4_40_MD5,
-  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
-
  TLS_ECDHE_ECDSA_WITH_NULL_SHA,
  TLS_ECDHE_RSA_WITH_NULL_SHA,
  TLS_ECDH_ECDSA_WITH_NULL_SHA,
  TLS_ECDH_RSA_WITH_NULL_SHA,
-
  TLS_RSA_WITH_NULL_SHA,
  TLS_RSA_WITH_NULL_SHA256,
  TLS_RSA_WITH_NULL_MD5,