OLD | NEW |
1 /* | 1 /* |
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
3 * | 3 * |
4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
9 */ | 9 */ |
10 | 10 |
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
61 // This isn't elegant, but it's better than an external reference | 61 // This isn't elegant, but it's better than an external reference |
62 static const SrtpCipherMapEntry kSrtpCipherMap[] = { | 62 static const SrtpCipherMapEntry kSrtpCipherMap[] = { |
63 {"AES_CM_128_HMAC_SHA1_80", SRTP_AES128_CM_HMAC_SHA1_80 }, | 63 {"AES_CM_128_HMAC_SHA1_80", SRTP_AES128_CM_HMAC_SHA1_80 }, |
64 {"AES_CM_128_HMAC_SHA1_32", SRTP_AES128_CM_HMAC_SHA1_32 }, | 64 {"AES_CM_128_HMAC_SHA1_32", SRTP_AES128_CM_HMAC_SHA1_32 }, |
65 {NULL, 0} | 65 {NULL, 0} |
66 }; | 66 }; |
67 #endif | 67 #endif |
68 | 68 |
69 // Ciphers to enable to get ECDHE encryption with endpoints that support it. | 69 // Ciphers to enable to get ECDHE encryption with endpoints that support it. |
70 static const uint32_t kEnabledCiphers[] = { | 70 static const uint32_t kEnabledCiphers[] = { |
71 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, | 71 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, |
72 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | 72 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, |
73 }; | 73 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, |
| 74 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}; |
74 | 75 |
75 // Default cipher used between NSS stream adapters. | 76 // Default cipher used between NSS stream adapters. |
76 // This needs to be updated when the default of the SSL library changes. | 77 // This needs to be updated when the default of the SSL library changes. |
77 static const char kDefaultSslCipher10[] = | 78 static const char kDefaultSslCipher10[] = |
78 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"; | 79 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"; |
79 static const char kDefaultSslCipher12[] = | 80 static const char kDefaultSslCipher12[] = |
80 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; | 81 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; |
81 | 82 static const char kDefaultSslEcCipher10[] = |
| 83 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"; |
| 84 static const char kDefaultSslEcCipher12[] = |
| 85 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"; |
82 | 86 |
83 // Implementation of NSPR methods | 87 // Implementation of NSPR methods |
84 static PRStatus StreamClose(PRFileDesc *socket) { | 88 static PRStatus StreamClose(PRFileDesc *socket) { |
85 ASSERT(!socket->lower); | 89 ASSERT(!socket->lower); |
86 socket->dtor(socket); | 90 socket->dtor(socket); |
87 return PR_SUCCESS; | 91 return PR_SUCCESS; |
88 } | 92 } |
89 | 93 |
90 static PRInt32 StreamRead(PRFileDesc *socket, void *buf, PRInt32 length) { | 94 static PRInt32 StreamRead(PRFileDesc *socket, void *buf, PRInt32 length) { |
91 StreamInterface *stream = reinterpret_cast<StreamInterface *>(socket->secret); | 95 StreamInterface *stream = reinterpret_cast<StreamInterface *>(socket->secret); |
(...skipping 396 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
488 | 492 |
489 if (identity_.get()) { | 493 if (identity_.get()) { |
490 identity = static_cast<NSSIdentity *>(identity_.get()); | 494 identity = static_cast<NSSIdentity *>(identity_.get()); |
491 } else { | 495 } else { |
492 LOG(LS_ERROR) << "Can't be an SSL server without an identity"; | 496 LOG(LS_ERROR) << "Can't be an SSL server without an identity"; |
493 Error("BeginSSL", -1, false); | 497 Error("BeginSSL", -1, false); |
494 return -1; | 498 return -1; |
495 } | 499 } |
496 rv = SSL_ConfigSecureServer(ssl_fd_, identity->certificate().certificate(), | 500 rv = SSL_ConfigSecureServer(ssl_fd_, identity->certificate().certificate(), |
497 identity->keypair()->privkey(), | 501 identity->keypair()->privkey(), |
498 kt_rsa); | 502 identity->keypair()->ssl_kea_type()); |
499 if (rv != SECSuccess) { | 503 if (rv != SECSuccess) { |
500 Error("BeginSSL", -1, false); | 504 Error("BeginSSL", -1, false); |
501 return -1; | 505 return -1; |
502 } | 506 } |
503 | 507 |
504 // Insist on a certificate from the client | 508 // Insist on a certificate from the client |
505 rv = SSL_OptionSet(ssl_fd_, SSL_REQUEST_CERTIFICATE, PR_TRUE); | 509 rv = SSL_OptionSet(ssl_fd_, SSL_REQUEST_CERTIFICATE, PR_TRUE); |
506 if (rv != SECSuccess) { | 510 if (rv != SECSuccess) { |
507 Error("BeginSSL", -1, false); | 511 Error("BeginSSL", -1, false); |
508 return -1; | 512 return -1; |
(...skipping 577 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1086 return true; | 1090 return true; |
1087 #else | 1091 #else |
1088 return false; | 1092 return false; |
1089 #endif | 1093 #endif |
1090 } | 1094 } |
1091 | 1095 |
1092 bool NSSStreamAdapter::HaveExporter() { | 1096 bool NSSStreamAdapter::HaveExporter() { |
1093 return true; | 1097 return true; |
1094 } | 1098 } |
1095 | 1099 |
1096 std::string NSSStreamAdapter::GetDefaultSslCipher(SSLProtocolVersion version) { | 1100 std::string NSSStreamAdapter::GetDefaultSslCipher(SSLProtocolVersion version, |
1097 switch (version) { | 1101 KeyType key_type) { |
1098 case SSL_PROTOCOL_TLS_10: | 1102 if (key_type == KT_RSA) { |
1099 case SSL_PROTOCOL_TLS_11: | 1103 switch (version) { |
1100 return kDefaultSslCipher10; | 1104 case SSL_PROTOCOL_TLS_10: |
1101 case SSL_PROTOCOL_TLS_12: | 1105 case SSL_PROTOCOL_TLS_11: |
1102 default: | 1106 return kDefaultSslCipher10; |
1103 return kDefaultSslCipher12; | 1107 case SSL_PROTOCOL_TLS_12: |
| 1108 default: |
| 1109 return kDefaultSslCipher12; |
| 1110 } |
| 1111 } else if (key_type == KT_ECDSA) { |
| 1112 switch (version) { |
| 1113 case SSL_PROTOCOL_TLS_10: |
| 1114 case SSL_PROTOCOL_TLS_11: |
| 1115 return kDefaultSslEcCipher10; |
| 1116 case SSL_PROTOCOL_TLS_12: |
| 1117 default: |
| 1118 return kDefaultSslEcCipher12; |
| 1119 } |
| 1120 } else { |
| 1121 return std::string(); |
1104 } | 1122 } |
1105 } | 1123 } |
1106 | 1124 |
1107 } // namespace rtc | 1125 } // namespace rtc |
1108 | 1126 |
1109 #endif // HAVE_NSS_SSL_H | 1127 #endif // HAVE_NSS_SSL_H |
OLD | NEW |