11 commits

Author SHA1 Message Date
Harald Alvestrand
5cb7807a36 Implement crypto stats on DTLS transport
Bug: chromium:1018077
Change-Id: I585d4064f39e5f9d268b408ebf6ae13a056c778a
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/158403
Reviewed-by: Henrik Boström <hbos@webrtc.org>
Reviewed-by: Steve Anton <steveanton@webrtc.org>
Commit-Queue: Harald Alvestrand <hta@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#29628}
2019-10-28 11:30:23 +00:00
Mirko Bonadei
317a1f09ed Use std::make_unique instead of absl::make_unique.
WebRTC is now using C++14 so there is no need to use the Abseil version
of std::make_unique.

This CL has been created with the following steps:

git grep -l absl::make_unique | sort | uniq > /tmp/make_unique.txt
git grep -l absl::WrapUnique | sort | uniq > /tmp/wrap_unique.txt
git grep -l "#include <memory>" | sort | uniq > /tmp/memory.txt

diff --new-line-format="" --unchanged-line-format="" \
  /tmp/make_unique.txt /tmp/wrap_unique.txt | sort | \
  uniq > /tmp/only_make_unique.txt
diff --new-line-format="" --unchanged-line-format="" \
  /tmp/only_make_unique.txt /tmp/memory.txt | \
  xargs grep -l "absl/memory" > /tmp/add-memory.txt

git grep -l "\babsl::make_unique\b" | \
  xargs sed -i "s/\babsl::make_unique\b/std::make_unique/g"

git checkout PRESUBMIT.py abseil-in-webrtc.md

cat /tmp/add-memory.txt | \
  xargs sed -i \
  's/#include "absl\/memory\/memory.h"/#include <memory>/g'
git cl format
# Manual fix order of the new inserted #include <memory>

cat /tmp/only_make_unique.txt | xargs grep -l "#include <memory>" | \
  xargs sed -i '/#include "absl\/memory\/memory.h"/d'

git ls-files | grep BUILD.gn | \
  xargs sed -i '/\/\/third_party\/abseil-cpp\/absl\/memory/d'

python tools_webrtc/gn_check_autofix.py \
  -m tryserver.webrtc -b linux_rel

# Repeat the gn_check_autofix step for other platforms

git ls-files | grep BUILD.gn | \
  xargs sed -i 's/absl\/memory:memory/absl\/memory/g'
git cl format

Bug: webrtc:10945
Change-Id: I3fe28ea80f4dd3ba3cf28effd151d5e1f19aff89
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/153221
Commit-Queue: Mirko Bonadei <mbonadei@webrtc.org>
Reviewed-by: Alessio Bazzica <alessiob@webrtc.org>
Reviewed-by: Karl Wiberg <kwiberg@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#29209}
2019-09-17 15:47:29 +00:00
Joachim Reiersen
637bed5f8d Add missing BoringSSL ifdef to OpenSSLStreamAdapter
Compiling without BoringSSL fails since g_use_time_callback_for_testing
is defined inside an OPENSSL_IS_BORINGSSL block.

Bug: webrtc:10160
Change-Id: I25c27fa8ed128a50aa855db2012026c97954b91b
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/134226
Reviewed-by: Benjamin Wright <benwright@webrtc.org>
Reviewed-by: Qingsi Wang <qingsi@webrtc.org>
Commit-Queue: Benjamin Wright <benwright@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#27779}
2019-04-25 21:12:57 +00:00
Benjamin Wright
af1f8655b2 Revert "Disable DTLS 1.0, TLS 1.0 and TLS 1.1 downgrade in WebRTC."
This reverts commit 7276b974b7.

Reason for revert: Changing to a later Chrome release.

Original change's description:
> Disable DTLS 1.0, TLS 1.0 and TLS 1.1 downgrade in WebRTC.
>
> This change disables DTLS 1.0, TLS 1.0 and TLS 1.1 in WebRTC by default. This
> is part of a larger effort at Google to remove old TLS protocols:
> https://security.googleblog.com/2018/10/modernizing-transport-security.html
>
> For the M74 timeline I have added a disabled by default field trial
> WebRTC-LegacyTlsProtocols which can be enabled to support these cipher suites
> as consumers move away from these legacy cipher protocols but it will be off
> in Chrome.
>
> This is compliant with the webrtc-security-arch specification which states:
>
>    All Implementations MUST implement DTLS 1.2 with the
>    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite and the P-256
>    curve [FIPS186].  Earlier drafts of this specification required DTLS
>    1.0 with the cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, and
>    at the time of this writing some implementations do not support DTLS
>    1.2; endpoints which support only DTLS 1.2 might encounter
>    interoperability issues.  The DTLS-SRTP protection profile
>    SRTP_AES128_CM_HMAC_SHA1_80 MUST be supported for SRTP.
>    Implementations MUST favor cipher suites which support (Perfect
>    Forward Secrecy) PFS over non-PFS cipher suites and SHOULD favor AEAD
>    over non-AEAD cipher suites.
>
> Bug: webrtc:10261
> Change-Id: I847c567592911cc437f095376ad67585b4355fc0
> Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/125141
> Commit-Queue: Benjamin Wright <benwright@webrtc.org>
> Reviewed-by: David Benjamin <davidben@webrtc.org>
> Reviewed-by: Qingsi Wang <qingsi@webrtc.org>
> Cr-Commit-Position: refs/heads/master@{#27006}

TBR=steveanton@webrtc.org,davidben@webrtc.org,qingsi@webrtc.org,benwright@webrtc.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: webrtc:10261
Change-Id: I34727e65c069e1fb2ad71838828ad0a22b5fe811
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/130367
Commit-Queue: Benjamin Wright <benwright@webrtc.org>
Reviewed-by: Benjamin Wright <benwright@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#27403}
2019-04-01 19:11:07 +00:00
Benjamin Wright
7276b974b7 Disable DTLS 1.0, TLS 1.0 and TLS 1.1 downgrade in WebRTC.
This change disables DTLS 1.0, TLS 1.0 and TLS 1.1 in WebRTC by default. This
is part of a larger effort at Google to remove old TLS protocols:
https://security.googleblog.com/2018/10/modernizing-transport-security.html

For the M74 timeline I have added a disabled by default field trial
WebRTC-LegacyTlsProtocols which can be enabled to support these cipher suites
as consumers move away from these legacy cipher protocols but it will be off
in Chrome.

This is compliant with the webrtc-security-arch specification which states:

   All Implementations MUST implement DTLS 1.2 with the
   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite and the P-256
   curve [FIPS186].  Earlier drafts of this specification required DTLS
   1.0 with the cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, and
   at the time of this writing some implementations do not support DTLS
   1.2; endpoints which support only DTLS 1.2 might encounter
   interoperability issues.  The DTLS-SRTP protection profile
   SRTP_AES128_CM_HMAC_SHA1_80 MUST be supported for SRTP.
   Implementations MUST favor cipher suites which support (Perfect
   Forward Secrecy) PFS over non-PFS cipher suites and SHOULD favor AEAD
   over non-AEAD cipher suites.

Bug: webrtc:10261
Change-Id: I847c567592911cc437f095376ad67585b4355fc0
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/125141
Commit-Queue: Benjamin Wright <benwright@webrtc.org>
Reviewed-by: David Benjamin <davidben@webrtc.org>
Reviewed-by: Qingsi Wang <qingsi@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#27006}
2019-03-06 20:44:41 +00:00
Benjamin Wright
8e98c60f84 Cleanup for openssl_stream_adapter.cc.
This is a partial cleanup; there is more work to do here. Essentially I am just
moving things from static to anonymous namespaces and reordering things to
make more sense. I have removed some old Microsoft compiler warning
suppressions which I believe are not required anymore.

After this BIO should be refactored to use proper style.

Bug: webrtc:9860
Change-Id: I8419be002d8f412dd89f37f3b865794792ccf559
Reviewed-on: https://webrtc-review.googlesource.com/c/120863
Commit-Queue: Benjamin Wright <benwright@webrtc.org>
Reviewed-by: Karl Wiberg <kwiberg@webrtc.org>
Reviewed-by: Steve Anton <steveanton@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#26912}
2019-03-01 02:25:13 +00:00
Benjamin Wright
f54e30b596 Add const to variables in openssl_stream_adapter.cc that can use it.
This change simply adds const to all the variables that can use it. It seemed
like a good idea to enforce const correctness where possible in the TLS stack.

Bug: webrtc:9860
Change-Id: Iabfe1e26647b0c21e2f209e0e0f96d0ec7465e7a
Reviewed-on: https://webrtc-review.googlesource.com/c/124623
Commit-Queue: Karl Wiberg <kwiberg@webrtc.org>
Reviewed-by: Karl Wiberg <kwiberg@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#26865}
2019-02-27 02:44:09 +00:00
Sergey Sablin
3c119fb793 Handle HKDF key derivation when building with OpenSSL.
Change-Id: I3fd503109190d6a94e15576312c9cb79906a7f61
Bug: webrtc:10160
Reviewed-on: https://webrtc-review.googlesource.com/c/122622
Commit-Queue: Benjamin Wright <benwright@webrtc.org>
Reviewed-by: Qingsi Wang <qingsi@webrtc.org>
Reviewed-by: Benjamin Wright <benwright@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#26669}
2019-02-13 17:44:02 +00:00
David Benjamin
170a4b383f Trim unnecessary OpenSSL/BoringSSL ifdefs.
Now that WebRTC requires OpenSSL 1.1.0 as minimum, some bits can be
removed. The simpler versioning API is shared between BoringSSL and
OpenSSL 1.1.0, and there are some remnants of the threading callbacks
that can be removed.

Bug: none
Change-Id: I2078ca9c444b1f1efa9e4b235eb4e6037865d8fb
Reviewed-on: https://webrtc-review.googlesource.com/c/120261
Commit-Queue: David Benjamin <davidben@webrtc.org>
Reviewed-by: Karl Wiberg <kwiberg@webrtc.org>
Reviewed-by: Benjamin Wright <benwright@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#26475}
2019-01-30 17:09:49 +00:00
Steve Anton
10542f21c8 (4) Rename files to snake_case: update BUILD.gn, include paths, header guards, and DEPS entries
Mechanically generated by running this command:

tools_webrtc/do-renames.sh update all-renames.txt && git cl format

Then manually updating:

tools_webrtc/sanitizers/tsan_suppressions_webrtc.cc

Bug: webrtc:10159
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Change-Id: I54824cd91dada8fc3ee3d098f971bc319d477833
Reviewed-on: https://webrtc-review.googlesource.com/c/115653
Reviewed-by: Karl Wiberg <kwiberg@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#26226}
2019-01-11 17:11:39 +00:00
Steve Anton
1c05765831 (3) Rename files to snake_case: move the files
Mechanically generated with this command:

tools_webrtc/do-rename.sh move all-renames.txt

Bug: webrtc:10159
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Change-Id: I8b05b6eab9b9d18b29c2199bbea239e9add1e690
Reviewed-on: https://webrtc-review.googlesource.com/c/115481
Reviewed-by: Karl Wiberg <kwiberg@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#26225}
2019-01-11 17:05:20 +00:00
Renamed from rtc_base/opensslstreamadapter.cc