Add IsAcceptableCipher, use instead of GetDefaultCipher.
The old code insists on exact cipher suite matches with hardwired expectations. It does this matching parameterized with key type (RSA vs ECDSA) and TLS version (DTLS vs TLS and version 1.0 vs 1.2).
This CL changes things to check against a white-list of cipher suites, with the check parameterized with key type (again RSA vs ECDSA). Then separately checks TLS version since the old implicit check of TLS version by means of resulting cipher suite was too blunt.
Using a white list for cipher suites isn't perfect, but it is safe and requires minimal maintenance. It allows compatibility with not just one exact version of underlying crypto lib, but any version with reasonable defaults.
The CL also re-enables critical tests which had to be disabled recently to allow a boringssl roll.
BUG=webrtc:5634
Review URL: https://codereview.webrtc.org/1774583002
Cr-Commit-Position: refs/heads/master@{#11951}
diff --git a/webrtc/base/sslstreamadapter.cc b/webrtc/base/sslstreamadapter.cc
index a2cff3e..bcecc03 100644
--- a/webrtc/base/sslstreamadapter.cc
+++ b/webrtc/base/sslstreamadapter.cc
@@ -86,11 +86,13 @@
bool SSLStreamAdapter::HaveExporter() {
return OpenSSLStreamAdapter::HaveExporter();
}
-int SSLStreamAdapter::GetDefaultSslCipherForTest(SSLProtocolVersion version,
- KeyType key_type) {
- return OpenSSLStreamAdapter::GetDefaultSslCipherForTest(version, key_type);
+bool SSLStreamAdapter::IsAcceptableCipher(int cipher, KeyType key_type) {
+ return OpenSSLStreamAdapter::IsAcceptableCipher(cipher, key_type);
}
-
+bool SSLStreamAdapter::IsAcceptableCipher(const std::string& cipher,
+ KeyType key_type) {
+ return OpenSSLStreamAdapter::IsAcceptableCipher(cipher, key_type);
+}
std::string SSLStreamAdapter::SslCipherSuiteToName(int cipher_suite) {
return OpenSSLStreamAdapter::SslCipherSuiteToName(cipher_suite);
}
