Bug 1583317: added prefs to set DTLS min/max versions in PeerConnections. r=mt

Differential Revision: https://phabricator.services.mozilla.com/D46835

--HG--
extra : moz-landing-system : lando

media/mtransport/transportlayerdtls.cpp

@@ -438,6 +438,17 @@ nsresult TransportLayerDtls::SetVerificationDigest(const DtlsDigest& digest) {
   return NS_OK;
 }
 
+void TransportLayerDtls::SetMinMaxVersion(Version min_version,
+                                          Version max_version) {
+  if (min_version < Version::DTLS_1_0 || min_version > Version::DTLS_1_3 ||
+      max_version < Version::DTLS_1_0 || max_version > Version::DTLS_1_3 ||
+      min_version > max_version || max_version < min_version) {
+    return;
+  }
+  minVersion_ = min_version;
+  maxVersion_ = max_version;
+}
+
 // These are the named groups that we will allow.
 static const SSLNamedGroup NamedGroupPreferences[] = {
     ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1,
@@ -523,10 +534,8 @@ bool TransportLayerDtls::Setup() {
     }
   }
 
-  // Require TLS 1.1 or 1.2. Perhaps some day in the future we will allow TLS
-  // 1.0 for stream modes.
-  SSLVersionRange version_range = {SSL_LIBRARY_VERSION_TLS_1_1,
-                                   SSL_LIBRARY_VERSION_TLS_1_2};
+  SSLVersionRange version_range = {static_cast<PRUint16>(minVersion_),
+                                   static_cast<PRUint16>(maxVersion_)};
 
   rv = SSL_VersionRangeSet(ssl_fd.get(), &version_range);
   if (rv != SECSuccess) {

media/mtransport/transportlayerdtls.h

@@ -25,6 +25,7 @@
 #include "dtlsidentity.h"
 #include "transportlayer.h"
 #include "ssl.h"
+#include "sslproto.h"
 
 namespace mozilla {
 
@@ -68,6 +69,13 @@ class TransportLayerDtls final : public TransportLayer {
   void SetRole(Role role) { role_ = role; }
   Role role() { return role_; }
 
+  enum class Version : uint16_t {
+    DTLS_1_0 = SSL_LIBRARY_VERSION_DTLS_1_0,
+    DTLS_1_2 = SSL_LIBRARY_VERSION_DTLS_1_2,
+    DTLS_1_3 = SSL_LIBRARY_VERSION_DTLS_1_3
+  };
+  void SetMinMaxVersion(Version min_version, Version max_version);
+
   void SetIdentity(const RefPtr<DtlsIdentity>& identity) {
     identity_ = identity;
   }
@@ -160,6 +168,9 @@ class TransportLayerDtls final : public TransportLayer {
   Verification verification_mode_ = VERIFY_UNSET;
   std::vector<DtlsDigest> digests_;
 
+  Version minVersion_ = Version::DTLS_1_0;
+  Version maxVersion_ = Version::DTLS_1_2;
+
   // Must delete nspr_io_adapter after ssl_fd_ b/c ssl_fd_ causes an alert
   // (ssl_fd_ contains an un-owning pointer to nspr_io_adapter_)
   UniquePtr<TransportLayerNSPRAdapter> nspr_io_adapter_ = nullptr;

media/webrtc/signaling/src/peerconnection/MediaTransportHandler.cpp

@@ -160,6 +160,8 @@ class MediaTransportHandlerSTS : public MediaTransportHandler,
   RefPtr<NrIceResolver> mDNSResolver;
   std::map<std::string, Transport> mTransports;
   bool mObfuscateHostAddresses = false;
+  uint32_t minDtlsVersion = 0;
+  uint32_t maxDtlsVersion = 0;
 
   std::set<std::string> mSignaledAddresses;
 
@@ -427,6 +429,13 @@ nsresult MediaTransportHandlerSTS::CreateIceCtx(
                                               __func__);
         }
 
+        // We are reading these here, because when we setup the DTLS transport
+        // we are on the wrong thread to read prefs
+        minDtlsVersion =
+            Preferences::GetUint("media.peerconnection.dtls.version.min");
+        maxDtlsVersion =
+            Preferences::GetUint("media.peerconnection.dtls.version.max");
+
         CSFLogDebug(LOGTAG, "%s done", __func__);
         return InitPromise::CreateAndResolve(true, __func__);
       });
@@ -1150,6 +1159,10 @@ RefPtr<TransportFlow> MediaTransportHandlerSTS::CreateTransportFlow(
 
   dtls->SetIdentity(aDtlsIdentity);
 
+  dtls->SetMinMaxVersion(
+      static_cast<TransportLayerDtls::Version>(minDtlsVersion),
+      static_cast<TransportLayerDtls::Version>(maxDtlsVersion));
+
   for (const auto& digest : aDigests) {
     rv = dtls->SetVerificationDigest(digest);
     if (NS_FAILED(rv)) {

modules/libpref/init/all.js

@@ -493,6 +493,10 @@ pref("media.videocontrols.picture-in-picture.video-toggle.always-show", false);
   pref("media.peerconnection.ice.proxy_only", false);
   pref("media.peerconnection.turn.disable", false);
 
+  // 770 = DTLS 1.0, 771 = DTLS 1.2
+  pref("media.peerconnection.dtls.version.min", 770);
+  pref("media.peerconnection.dtls.version.max", 771);
+
   // These values (aec, agc, and noise) are from:
   // media/webrtc/trunk/webrtc/modules/audio_processing/include/audio_processing.h
   #if defined(MOZ_WEBRTC_HARDWARE_AEC_NS)