summaryrefslogtreecommitdiffstats
path: root/third_party/libwebrtc/rtc_base/ssl_stream_adapter_unittest.cc
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/libwebrtc/rtc_base/ssl_stream_adapter_unittest.cc')
-rw-r--r--third_party/libwebrtc/rtc_base/ssl_stream_adapter_unittest.cc1853
1 files changed, 1853 insertions, 0 deletions
diff --git a/third_party/libwebrtc/rtc_base/ssl_stream_adapter_unittest.cc b/third_party/libwebrtc/rtc_base/ssl_stream_adapter_unittest.cc
new file mode 100644
index 0000000000..0a99d9b1f0
--- /dev/null
+++ b/third_party/libwebrtc/rtc_base/ssl_stream_adapter_unittest.cc
@@ -0,0 +1,1853 @@
+/*
+ * Copyright 2011 The WebRTC Project Authors. All rights reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include "rtc_base/ssl_stream_adapter.h"
+
+#include <algorithm>
+#include <memory>
+#include <set>
+#include <string>
+
+#include "absl/memory/memory.h"
+#include "absl/strings/string_view.h"
+#include "api/array_view.h"
+#include "api/task_queue/pending_task_safety_flag.h"
+#include "rtc_base/buffer_queue.h"
+#include "rtc_base/checks.h"
+#include "rtc_base/gunit.h"
+#include "rtc_base/helpers.h"
+#include "rtc_base/memory/fifo_buffer.h"
+#include "rtc_base/memory_stream.h"
+#include "rtc_base/message_digest.h"
+#include "rtc_base/openssl_stream_adapter.h"
+#include "rtc_base/ssl_adapter.h"
+#include "rtc_base/ssl_identity.h"
+#include "rtc_base/stream.h"
+#include "test/field_trial.h"
+
+using ::testing::Combine;
+using ::testing::tuple;
+using ::testing::Values;
+using ::testing::WithParamInterface;
+using ::webrtc::SafeTask;
+
+static const int kBlockSize = 4096;
+static const char kExporterLabel[] = "label";
+static const unsigned char kExporterContext[] = "context";
+static int kExporterContextLen = sizeof(kExporterContext);
+
+// A private key used for testing, broken into pieces in order to avoid
+// issues with Git's checks for private keys in repos.
+#define RSA_PRIVATE_KEY_HEADER "-----BEGIN RSA PRIVATE KEY-----\n"
+
+static const char kRSA_PRIVATE_KEY_PEM[] = RSA_PRIVATE_KEY_HEADER
+ "MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMYRkbhmI7kVA/rM\n"
+ "czsZ+6JDhDvnkF+vn6yCAGuRPV03zuRqZtDy4N4to7PZu9PjqrRl7nDMXrG3YG9y\n"
+ "rlIAZ72KjcKKFAJxQyAKLCIdawKRyp8RdK3LEySWEZb0AV58IadqPZDTNHHRX8dz\n"
+ "5aTSMsbbkZ+C/OzTnbiMqLL/vg6jAgMBAAECgYAvgOs4FJcgvp+TuREx7YtiYVsH\n"
+ "mwQPTum2z/8VzWGwR8BBHBvIpVe1MbD/Y4seyI2aco/7UaisatSgJhsU46/9Y4fq\n"
+ "2TwXH9QANf4at4d9n/R6rzwpAJOpgwZgKvdQjkfrKTtgLV+/dawvpxUYkRH4JZM1\n"
+ "CVGukMfKNrSVH4Ap4QJBAOJmGV1ASPnB4r4nc99at7JuIJmd7fmuVUwUgYi4XgaR\n"
+ "WhScBsgYwZ/JoywdyZJgnbcrTDuVcWG56B3vXbhdpMsCQQDf9zeJrjnPZ3Cqm79y\n"
+ "kdqANep0uwZciiNiWxsQrCHztywOvbFhdp8iYVFG9EK8DMY41Y5TxUwsHD+67zao\n"
+ "ZNqJAkEA1suLUP/GvL8IwuRneQd2tWDqqRQ/Td3qq03hP7e77XtF/buya3Ghclo5\n"
+ "54czUR89QyVfJEC6278nzA7n2h1uVQJAcG6mztNL6ja/dKZjYZye2CY44QjSlLo0\n"
+ "MTgTSjdfg/28fFn2Jjtqf9Pi/X+50LWI/RcYMC2no606wRk9kyOuIQJBAK6VSAim\n"
+ "1pOEjsYQn0X5KEIrz1G3bfCbB848Ime3U2/FWlCHMr6ch8kCZ5d1WUeJD3LbwMNG\n"
+ "UCXiYxSsu20QNVw=\n"
+ "-----END RSA PRIVATE KEY-----\n";
+
+#undef RSA_PRIVATE_KEY_HEADER
+
+static const char kCERT_PEM[] =
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIBmTCCAQKgAwIBAgIEbzBSAjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZX\n"
+ "ZWJSVEMwHhcNMTQwMTAyMTgyNDQ3WhcNMTQwMjAxMTgyNDQ3WjARMQ8wDQYDVQQD\n"
+ "EwZXZWJSVEMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMYRkbhmI7kVA/rM\n"
+ "czsZ+6JDhDvnkF+vn6yCAGuRPV03zuRqZtDy4N4to7PZu9PjqrRl7nDMXrG3YG9y\n"
+ "rlIAZ72KjcKKFAJxQyAKLCIdawKRyp8RdK3LEySWEZb0AV58IadqPZDTNHHRX8dz\n"
+ "5aTSMsbbkZ+C/OzTnbiMqLL/vg6jAgMBAAEwDQYJKoZIhvcNAQELBQADgYEAUflI\n"
+ "VUe5Krqf5RVa5C3u/UTAOAUJBiDS3VANTCLBxjuMsvqOG0WvaYWP3HYPgrz0jXK2\n"
+ "LJE/mGw3MyFHEqi81jh95J+ypl6xKW6Rm8jKLR87gUvCaVYn/Z4/P3AqcQTB7wOv\n"
+ "UD0A8qfhfDM+LK6rPAnCsVN0NRDY3jvd6rzix9M=\n"
+ "-----END CERTIFICATE-----\n";
+
+static const char kIntCert1[] =
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIEUjCCAjqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBljELMAkGA1UEBhMCVVMx\n"
+ "EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFDAS\n"
+ "BgNVBAoMC0dvb2dsZSwgSW5jMQwwCgYDVQQLDANHVFAxFzAVBgNVBAMMDnRlbGVw\n"
+ "aG9ueS5nb29nMR0wGwYJKoZIhvcNAQkBFg5ndHBAZ29vZ2xlLmNvbTAeFw0xNzA5\n"
+ "MjYwNDA5MDNaFw0yMDA2MjIwNDA5MDNaMGQxCzAJBgNVBAYTAlVTMQswCQYDVQQI\n"
+ "DAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEXMBUGA1UECgwOdGVsZXBob255\n"
+ "Lmdvb2cxFzAVBgNVBAMMDnRlbGVwaG9ueS5nb29nMIGfMA0GCSqGSIb3DQEBAQUA\n"
+ "A4GNADCBiQKBgQDJXWeeU1v1+wlqkVobzI3aN7Uh2iVQA9YCdq5suuabtiD/qoOD\n"
+ "NKpmQqsx7WZGGWSZTDFEBaUpvIK7Hb+nzRqk6iioPCFOFuarm6GxO1xVneImMuE6\n"
+ "tuWb3YZPr+ikChJbl11y5UcSbg0QsbeUc+jHl5umNvrL85Y+z8SP0rxbBwIDAQAB\n"
+ "o2AwXjAdBgNVHQ4EFgQU7tdZobqlN8R8V72FQnRxmqq8tKswHwYDVR0jBBgwFoAU\n"
+ "5GgKMUtcxkQ2dJrtNR5YOlIAPDswDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMC\n"
+ "AQYwDQYJKoZIhvcNAQELBQADggIBADObh9Z+z14FmP9zSenhFtq7hFnmNrSkklk8\n"
+ "eyYWXKfOuIriEQQBZsz76ZcnzStih8Rj+yQ0AXydk4fJ5LOwC2cUqQBar17g6Pd2\n"
+ "8g4SIL4azR9WvtiSvpuGlwp25b+yunaacDne6ebnf/MUiiKT5w61Xo3cEPVfl38e\n"
+ "/Up2l0bioid5enUTmg6LY6RxDO6tnZQkz3XD+nNSwT4ehtkqFpHYWjErj0BbkDM2\n"
+ "hiVc/JsYOZn3DmuOlHVHU6sKwqh3JEyvHO/d7DGzMGWHpHwv2mCTJq6l/sR95Tc2\n"
+ "GaQZgGDVNs9pdEouJCDm9e/PbQWRYhnat82PTkXx/6mDAAwdZlIi/pACzq8K4p7e\n"
+ "6hF0t8uKGnXJubHPXxlnJU6yxZ0yWmivAGjwWK4ur832gKlho4jeMDhiI/T3QPpl\n"
+ "iMNsIvxRhdD+GxJkQP1ezayw8s+Uc9KwKglrkBSRRDLCJUfPOvMmXLUDSTMX7kp4\n"
+ "/Ak1CA8dVLJIlfEjLBUuvAttlP7+7lsKNgxAjCxZkWLXIyGULzNPQwVWkGfCbrQs\n"
+ "XyMvSbFsSIb7blV7eLlmf9a+2RprUUkc2ALXLLCI9YQXmxm2beBfMyNmmebwBJzT\n"
+ "B0OR+5pFFNTJPoNlqpdrDsGrDu7JlUtk0ZLZzYyKXbgy2qXxfd4OWzXXjxpLMszZ\n"
+ "LDIpOAkj\n"
+ "-----END CERTIFICATE-----\n";
+
+static const char kCACert[] =
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIGETCCA/mgAwIBAgIJAKN9r/BdbGUJMA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD\n"
+ "VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4g\n"
+ "VmlldzEUMBIGA1UECgwLR29vZ2xlLCBJbmMxDDAKBgNVBAsMA0dUUDEXMBUGA1UE\n"
+ "AwwOdGVsZXBob255Lmdvb2cxHTAbBgkqhkiG9w0BCQEWDmd0cEBnb29nbGUuY29t\n"
+ "MB4XDTE3MDcyNzIzMDE0NVoXDTE3MDgyNjIzMDE0NVowgZYxCzAJBgNVBAYTAlVT\n"
+ "MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRQw\n"
+ "EgYDVQQKDAtHb29nbGUsIEluYzEMMAoGA1UECwwDR1RQMRcwFQYDVQQDDA50ZWxl\n"
+ "cGhvbnkuZ29vZzEdMBsGCSqGSIb3DQEJARYOZ3RwQGdvb2dsZS5jb20wggIiMA0G\n"
+ "CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCfvpF7aBV5Hp1EHsWoIlL3GeHwh8dS\n"
+ "lv9VQCegN9rD06Ny7MgcED5AiK2vqXmUmOVS+7NbATkdVYN/eozDhKtN3Q3n87kJ\n"
+ "Nt/TD/TcZZHOZIGsRPbrf2URK26E/5KzTzbzXVBOA1e+gSj+EBbltGqb01ZO5ErF\n"
+ "iPGViPM/HpYKdq6mfz2bS5PhU67XZMM2zvToyReQ/Fjm/6PJhwKSRXSgZF5djPhk\n"
+ "2LfOKMLS0AeZtd2C4DFsCU41lfLUkybioDgFuzTQ3TFi1K8A07KYTMmLY/yQppnf\n"
+ "SpNX58shlVhM+Ed37K1Z0rU0OfVCZ5P+KKaSSfMranjlU7zeUIhZYjqq/EYrEhbS\n"
+ "dLnNHwgJrqxzId3kq8uuLM6+VB7JZKnZLfT90GdAbX4+tutNe21smmogF9f80vEy\n"
+ "gM4tOp9rXrvz9vCwWHXVY9kdKemdLAsREoO6MS9k2ctK4jj80o2dROuFC6Q3e7mz\n"
+ "RjvZr5Tvi464c2o9o/jNlJ0O6q7V2eQzohD+7VnV5QPpRGXxlIeqpR2zoAg+WtRS\n"
+ "4OgHOVYiD3M6uAlggJA5pcDjMfkEZ+pkhtVcT4qMCEoruk6GbyPxS565oSHu16bH\n"
+ "EjeCqbZOVND5T3oA7nz6aQSs8sJabt0jmxUkGVnE+4ZDIuuRtkRma+0P/96Mtqor\n"
+ "OlpNWY1OBDY64QIDAQABo2AwXjAdBgNVHQ4EFgQU5GgKMUtcxkQ2dJrtNR5YOlIA\n"
+ "PDswHwYDVR0jBBgwFoAU5GgKMUtcxkQ2dJrtNR5YOlIAPDswDwYDVR0TAQH/BAUw\n"
+ "AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAARQly5/bB6VUL2C\n"
+ "ykDYgWt48go407pAra6tL2kjpdfxV5PdL7iMZRkeht00vj+BVahIqZKrNOa/f5Fx\n"
+ "vlpahZFu0PDN436aQwRZ9qWut2qDOK0/z9Hhj6NWybquRFwMwqkPG/ivLMDU8Dmj\n"
+ "CIplpngPYNwXCs0KzdjSXYxqxJbwMjQXELD+/RcurY0oTtJMM1/2vKQMzw24UJqe\n"
+ "XLJAlsnd2AnWzWNUEviDZY89j9NdkHerBmV2gGzcU+X5lgOO5M8odBv0ZC9D+a6Z\n"
+ "QPZAOfdGVw60hhGvTW5s/s0dHwCpegRidhs0MD0fTmwwjYFBSmUx3Gztr4JTzOOr\n"
+ "7e5daJuak2ujQ5DqcGBvt1gePjSudb5brS7JQtN8tI/FyrnR4q/OuOwv1EvlC5RG\n"
+ "hLX+TXaWqFxB1Hd8ebKRR40mboFG6KcUI3lLBthDvQE7jnq48QfZMjlMQK0ZF1l7\n"
+ "SrlwRXWA74bU8CLJvnZKKo9p4TsTiDYGSYC6tNHKj5s3TGWL46oqGyZ0KdGNhrtC\n"
+ "rIGenMhth1vPYjyy0XuGBndXT85yi+IM2l8g8oU845+plxIhgpSI8bbC0oLwnhQ5\n"
+ "ARfsiYLkXDE7imSS0CSUmye76372mlzAIB1is4bBB/SzpPQtBuB9LDKtONgpSGHn\n"
+ "dGaXBy+qbVXVyGXaeEbIRjtJ6m92\n"
+ "-----END CERTIFICATE-----\n";
+
+class SSLStreamAdapterTestBase;
+
+class SSLDummyStreamBase : public rtc::StreamInterface,
+ public sigslot::has_slots<> {
+ public:
+ SSLDummyStreamBase(SSLStreamAdapterTestBase* test,
+ absl::string_view side,
+ rtc::StreamInterface* in,
+ rtc::StreamInterface* out)
+ : test_base_(test), side_(side), in_(in), out_(out), first_packet_(true) {
+ in_->SignalEvent.connect(this, &SSLDummyStreamBase::OnEventIn);
+ out_->SignalEvent.connect(this, &SSLDummyStreamBase::OnEventOut);
+ }
+
+ rtc::StreamState GetState() const override { return rtc::SS_OPEN; }
+
+ rtc::StreamResult Read(rtc::ArrayView<uint8_t> buffer,
+ size_t& read,
+ int& error) override {
+ rtc::StreamResult r;
+
+ r = in_->Read(buffer, read, error);
+ if (r == rtc::SR_BLOCK)
+ return rtc::SR_BLOCK;
+ if (r == rtc::SR_EOS)
+ return rtc::SR_EOS;
+
+ if (r != rtc::SR_SUCCESS) {
+ ADD_FAILURE();
+ return rtc::SR_ERROR;
+ }
+
+ return rtc::SR_SUCCESS;
+ }
+
+ // Catch readability events on in and pass them up.
+ void OnEventIn(rtc::StreamInterface* stream, int sig, int err) {
+ int mask = (rtc::SE_READ | rtc::SE_CLOSE);
+
+ if (sig & mask) {
+ RTC_LOG(LS_VERBOSE) << "SSLDummyStreamBase::OnEvent side=" << side_
+ << " sig=" << sig << " forwarding upward";
+ PostEvent(sig & mask, 0);
+ }
+ }
+
+ // Catch writeability events on out and pass them up.
+ void OnEventOut(rtc::StreamInterface* stream, int sig, int err) {
+ if (sig & rtc::SE_WRITE) {
+ RTC_LOG(LS_VERBOSE) << "SSLDummyStreamBase::OnEvent side=" << side_
+ << " sig=" << sig << " forwarding upward";
+
+ PostEvent(sig & rtc::SE_WRITE, 0);
+ }
+ }
+
+ // Write to the outgoing FifoBuffer
+ rtc::StreamResult WriteData(rtc::ArrayView<const uint8_t> data,
+ size_t& written,
+ int& error) {
+ return out_->Write(data, written, error);
+ }
+
+ rtc::StreamResult Write(rtc::ArrayView<const uint8_t> data,
+ size_t& written,
+ int& error) override;
+
+ void Close() override {
+ RTC_LOG(LS_INFO) << "Closing outbound stream";
+ out_->Close();
+ }
+
+ private:
+ void PostEvent(int events, int err) {
+ thread_->PostTask(SafeTask(task_safety_.flag(), [this, events, err]() {
+ SignalEvent(this, events, err);
+ }));
+ }
+
+ webrtc::ScopedTaskSafety task_safety_;
+ rtc::Thread* const thread_ = rtc::Thread::Current();
+ SSLStreamAdapterTestBase* test_base_;
+ const std::string side_;
+ rtc::StreamInterface* in_;
+ rtc::StreamInterface* out_;
+ bool first_packet_;
+};
+
+class SSLDummyStreamTLS : public SSLDummyStreamBase {
+ public:
+ SSLDummyStreamTLS(SSLStreamAdapterTestBase* test,
+ absl::string_view side,
+ rtc::FifoBuffer* in,
+ rtc::FifoBuffer* out)
+ : SSLDummyStreamBase(test, side, in, out) {}
+};
+
+class BufferQueueStream : public rtc::StreamInterface {
+ public:
+ BufferQueueStream(size_t capacity, size_t default_size)
+ : buffer_(capacity, default_size) {}
+
+ // Implementation of abstract StreamInterface methods.
+
+ // A buffer queue stream is always "open".
+ rtc::StreamState GetState() const override { return rtc::SS_OPEN; }
+
+ // Reading a buffer queue stream will either succeed or block.
+ rtc::StreamResult Read(rtc::ArrayView<uint8_t> buffer,
+ size_t& read,
+ int& error) override {
+ const bool was_writable = buffer_.is_writable();
+ if (!buffer_.ReadFront(buffer.data(), buffer.size(), &read))
+ return rtc::SR_BLOCK;
+
+ if (!was_writable)
+ NotifyWritableForTest();
+
+ return rtc::SR_SUCCESS;
+ }
+
+ // Writing to a buffer queue stream will either succeed or block.
+ rtc::StreamResult Write(rtc::ArrayView<const uint8_t> data,
+ size_t& written,
+ int& error) override {
+ const bool was_readable = buffer_.is_readable();
+ if (!buffer_.WriteBack(data.data(), data.size(), &written))
+ return rtc::SR_BLOCK;
+
+ if (!was_readable)
+ NotifyReadableForTest();
+
+ return rtc::SR_SUCCESS;
+ }
+
+ // A buffer queue stream can not be closed.
+ void Close() override {}
+
+ protected:
+ void NotifyReadableForTest() { PostEvent(rtc::SE_READ, 0); }
+ void NotifyWritableForTest() { PostEvent(rtc::SE_WRITE, 0); }
+
+ private:
+ void PostEvent(int events, int err) {
+ thread_->PostTask(SafeTask(task_safety_.flag(), [this, events, err]() {
+ SignalEvent(this, events, err);
+ }));
+ }
+
+ rtc::Thread* const thread_ = rtc::Thread::Current();
+ webrtc::ScopedTaskSafety task_safety_;
+ rtc::BufferQueue buffer_;
+};
+
+class SSLDummyStreamDTLS : public SSLDummyStreamBase {
+ public:
+ SSLDummyStreamDTLS(SSLStreamAdapterTestBase* test,
+ absl::string_view side,
+ BufferQueueStream* in,
+ BufferQueueStream* out)
+ : SSLDummyStreamBase(test, side, in, out) {}
+};
+
+static const int kFifoBufferSize = 4096;
+static const int kBufferCapacity = 1;
+static const size_t kDefaultBufferSize = 2048;
+
+class SSLStreamAdapterTestBase : public ::testing::Test,
+ public sigslot::has_slots<> {
+ public:
+ SSLStreamAdapterTestBase(
+ absl::string_view client_cert_pem,
+ absl::string_view client_private_key_pem,
+ bool dtls,
+ rtc::KeyParams client_key_type = rtc::KeyParams(rtc::KT_DEFAULT),
+ rtc::KeyParams server_key_type = rtc::KeyParams(rtc::KT_DEFAULT))
+ : client_cert_pem_(client_cert_pem),
+ client_private_key_pem_(client_private_key_pem),
+ client_key_type_(client_key_type),
+ server_key_type_(server_key_type),
+ client_stream_(nullptr),
+ server_stream_(nullptr),
+ delay_(0),
+ mtu_(1460),
+ loss_(0),
+ lose_first_packet_(false),
+ damage_(false),
+ dtls_(dtls),
+ handshake_wait_(5000),
+ identities_set_(false) {
+ // Set use of the test RNG to get predictable loss patterns.
+ rtc::SetRandomTestMode(true);
+ }
+
+ ~SSLStreamAdapterTestBase() override {
+ // Put it back for the next test.
+ rtc::SetRandomTestMode(false);
+ }
+
+ void SetUp() override {
+ CreateStreams();
+
+ client_ssl_ =
+ rtc::SSLStreamAdapter::Create(absl::WrapUnique(client_stream_));
+ server_ssl_ =
+ rtc::SSLStreamAdapter::Create(absl::WrapUnique(server_stream_));
+
+ // Set up the slots
+ client_ssl_->SignalEvent.connect(this, &SSLStreamAdapterTestBase::OnEvent);
+ server_ssl_->SignalEvent.connect(this, &SSLStreamAdapterTestBase::OnEvent);
+
+ std::unique_ptr<rtc::SSLIdentity> client_identity;
+ if (!client_cert_pem_.empty() && !client_private_key_pem_.empty()) {
+ client_identity = rtc::SSLIdentity::CreateFromPEMStrings(
+ client_private_key_pem_, client_cert_pem_);
+ } else {
+ client_identity = rtc::SSLIdentity::Create("client", client_key_type_);
+ }
+ auto server_identity = rtc::SSLIdentity::Create("server", server_key_type_);
+
+ client_ssl_->SetIdentity(std::move(client_identity));
+ server_ssl_->SetIdentity(std::move(server_identity));
+ }
+
+ void TearDown() override {
+ client_ssl_.reset(nullptr);
+ server_ssl_.reset(nullptr);
+ }
+
+ virtual void CreateStreams() = 0;
+
+ // Recreate the client/server identities with the specified validity period.
+ // `not_before` and `not_after` are offsets from the current time in number
+ // of seconds.
+ void ResetIdentitiesWithValidity(int not_before, int not_after) {
+ CreateStreams();
+
+ client_ssl_ =
+ rtc::SSLStreamAdapter::Create(absl::WrapUnique(client_stream_));
+ server_ssl_ =
+ rtc::SSLStreamAdapter::Create(absl::WrapUnique(server_stream_));
+
+ client_ssl_->SignalEvent.connect(this, &SSLStreamAdapterTestBase::OnEvent);
+ server_ssl_->SignalEvent.connect(this, &SSLStreamAdapterTestBase::OnEvent);
+
+ time_t now = time(nullptr);
+
+ rtc::SSLIdentityParams client_params;
+ client_params.key_params = rtc::KeyParams(rtc::KT_DEFAULT);
+ client_params.common_name = "client";
+ client_params.not_before = now + not_before;
+ client_params.not_after = now + not_after;
+ auto client_identity = rtc::SSLIdentity::CreateForTest(client_params);
+
+ rtc::SSLIdentityParams server_params;
+ server_params.key_params = rtc::KeyParams(rtc::KT_DEFAULT);
+ server_params.common_name = "server";
+ server_params.not_before = now + not_before;
+ server_params.not_after = now + not_after;
+ auto server_identity = rtc::SSLIdentity::CreateForTest(server_params);
+
+ client_ssl_->SetIdentity(std::move(client_identity));
+ server_ssl_->SetIdentity(std::move(server_identity));
+ }
+
+ virtual void OnEvent(rtc::StreamInterface* stream, int sig, int err) {
+ RTC_LOG(LS_VERBOSE) << "SSLStreamAdapterTestBase::OnEvent sig=" << sig;
+
+ if (sig & rtc::SE_READ) {
+ ReadData(stream);
+ }
+
+ if ((stream == client_ssl_.get()) && (sig & rtc::SE_WRITE)) {
+ WriteData();
+ }
+ }
+
+ void SetPeerIdentitiesByDigest(bool correct, bool expect_success) {
+ unsigned char server_digest[20];
+ size_t server_digest_len;
+ unsigned char client_digest[20];
+ size_t client_digest_len;
+ bool rv;
+ rtc::SSLPeerCertificateDigestError err;
+ rtc::SSLPeerCertificateDigestError expected_err =
+ expect_success
+ ? rtc::SSLPeerCertificateDigestError::NONE
+ : rtc::SSLPeerCertificateDigestError::VERIFICATION_FAILED;
+
+ RTC_LOG(LS_INFO) << "Setting peer identities by digest";
+
+ rv = server_identity()->certificate().ComputeDigest(
+ rtc::DIGEST_SHA_1, server_digest, 20, &server_digest_len);
+ ASSERT_TRUE(rv);
+ rv = client_identity()->certificate().ComputeDigest(
+ rtc::DIGEST_SHA_1, client_digest, 20, &client_digest_len);
+ ASSERT_TRUE(rv);
+
+ if (!correct) {
+ RTC_LOG(LS_INFO) << "Setting bogus digest for server cert";
+ server_digest[0]++;
+ }
+ rv = client_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, server_digest,
+ server_digest_len, &err);
+ EXPECT_EQ(expected_err, err);
+ EXPECT_EQ(expect_success, rv);
+
+ if (!correct) {
+ RTC_LOG(LS_INFO) << "Setting bogus digest for client cert";
+ client_digest[0]++;
+ }
+ rv = server_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, client_digest,
+ client_digest_len, &err);
+ EXPECT_EQ(expected_err, err);
+ EXPECT_EQ(expect_success, rv);
+
+ identities_set_ = true;
+ }
+
+ void SetupProtocolVersions(rtc::SSLProtocolVersion server_version,
+ rtc::SSLProtocolVersion client_version) {
+ server_ssl_->SetMaxProtocolVersion(server_version);
+ client_ssl_->SetMaxProtocolVersion(client_version);
+ }
+
+ void TestHandshake(bool expect_success = true) {
+ server_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : rtc::SSL_MODE_TLS);
+ client_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : rtc::SSL_MODE_TLS);
+
+ if (!dtls_) {
+ // Make sure we simulate a reliable network for TLS.
+ // This is just a check to make sure that people don't write wrong
+ // tests.
+ RTC_CHECK_EQ(1460, mtu_);
+ RTC_CHECK(!loss_);
+ RTC_CHECK(!lose_first_packet_);
+ }
+
+ if (!identities_set_)
+ SetPeerIdentitiesByDigest(true, true);
+
+ // Start the handshake
+ int rv;
+
+ server_ssl_->SetServerRole();
+ rv = server_ssl_->StartSSL();
+ ASSERT_EQ(0, rv);
+
+ rv = client_ssl_->StartSSL();
+ ASSERT_EQ(0, rv);
+
+ // Now run the handshake
+ if (expect_success) {
+ EXPECT_TRUE_WAIT((client_ssl_->GetState() == rtc::SS_OPEN) &&
+ (server_ssl_->GetState() == rtc::SS_OPEN),
+ handshake_wait_);
+ } else {
+ EXPECT_TRUE_WAIT(client_ssl_->GetState() == rtc::SS_CLOSED,
+ handshake_wait_);
+ }
+ }
+
+ // This tests that we give up after 12 DTLS resends.
+ void TestHandshakeTimeout() {
+ rtc::ScopedFakeClock clock;
+ int64_t time_start = clock.TimeNanos();
+ webrtc::TimeDelta time_increment = webrtc::TimeDelta::Millis(1000);
+ server_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : rtc::SSL_MODE_TLS);
+ client_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : rtc::SSL_MODE_TLS);
+
+ if (!dtls_) {
+ // Make sure we simulate a reliable network for TLS.
+ // This is just a check to make sure that people don't write wrong
+ // tests.
+ RTC_CHECK_EQ(1460, mtu_);
+ RTC_CHECK(!loss_);
+ RTC_CHECK(!lose_first_packet_);
+ }
+
+ if (!identities_set_)
+ SetPeerIdentitiesByDigest(true, true);
+
+ // Start the handshake
+ int rv;
+
+ server_ssl_->SetServerRole();
+ rv = server_ssl_->StartSSL();
+ ASSERT_EQ(0, rv);
+
+ rv = client_ssl_->StartSSL();
+ ASSERT_EQ(0, rv);
+
+ // Now wait for the handshake to timeout (or fail after an hour of simulated
+ // time).
+ while (client_ssl_->GetState() == rtc::SS_OPENING &&
+ (rtc::TimeDiff(clock.TimeNanos(), time_start) <
+ 3600 * rtc::kNumNanosecsPerSec)) {
+ EXPECT_TRUE_WAIT(!((client_ssl_->GetState() == rtc::SS_OPEN) &&
+ (server_ssl_->GetState() == rtc::SS_OPEN)),
+ 1000);
+ clock.AdvanceTime(time_increment);
+ }
+ RTC_CHECK_EQ(client_ssl_->GetState(), rtc::SS_CLOSED);
+ }
+
+ // This tests that the handshake can complete before the identity is verified,
+ // and the identity will be verified after the fact. It also verifies that
+ // packets can't be read or written before the identity has been verified.
+ void TestHandshakeWithDelayedIdentity(bool valid_identity) {
+ server_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : rtc::SSL_MODE_TLS);
+ client_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : rtc::SSL_MODE_TLS);
+
+ if (!dtls_) {
+ // Make sure we simulate a reliable network for TLS.
+ // This is just a check to make sure that people don't write wrong
+ // tests.
+ RTC_CHECK_EQ(1460, mtu_);
+ RTC_CHECK(!loss_);
+ RTC_CHECK(!lose_first_packet_);
+ }
+
+ // Start the handshake
+ server_ssl_->SetServerRole();
+ ASSERT_EQ(0, server_ssl_->StartSSL());
+ ASSERT_EQ(0, client_ssl_->StartSSL());
+
+ // Now run the handshake.
+ EXPECT_TRUE_WAIT(
+ client_ssl_->IsTlsConnected() && server_ssl_->IsTlsConnected(),
+ handshake_wait_);
+
+ // Until the identity has been verified, the state should still be
+ // SS_OPENING and writes should return SR_BLOCK.
+ EXPECT_EQ(rtc::SS_OPENING, client_ssl_->GetState());
+ EXPECT_EQ(rtc::SS_OPENING, server_ssl_->GetState());
+ uint8_t packet[1];
+ size_t sent;
+ int error;
+ EXPECT_EQ(rtc::SR_BLOCK, client_ssl_->Write(packet, sent, error));
+ EXPECT_EQ(rtc::SR_BLOCK, server_ssl_->Write(packet, sent, error));
+
+ // Collect both of the certificate digests; needs to be done before calling
+ // SetPeerCertificateDigest as that may reset the identity.
+ unsigned char server_digest[20];
+ size_t server_digest_len;
+ unsigned char client_digest[20];
+ size_t client_digest_len;
+ bool rv;
+
+ rv = server_identity()->certificate().ComputeDigest(
+ rtc::DIGEST_SHA_1, server_digest, 20, &server_digest_len);
+ ASSERT_TRUE(rv);
+ rv = client_identity()->certificate().ComputeDigest(
+ rtc::DIGEST_SHA_1, client_digest, 20, &client_digest_len);
+ ASSERT_TRUE(rv);
+
+ if (!valid_identity) {
+ RTC_LOG(LS_INFO) << "Setting bogus digest for client/server certs";
+ client_digest[0]++;
+ server_digest[0]++;
+ }
+
+ // Set the peer certificate digest for the client.
+ rtc::SSLPeerCertificateDigestError err;
+ rtc::SSLPeerCertificateDigestError expected_err =
+ valid_identity
+ ? rtc::SSLPeerCertificateDigestError::NONE
+ : rtc::SSLPeerCertificateDigestError::VERIFICATION_FAILED;
+ rv = client_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, server_digest,
+ server_digest_len, &err);
+ EXPECT_EQ(expected_err, err);
+ EXPECT_EQ(valid_identity, rv);
+ // State should then transition to SS_OPEN or SS_CLOSED based on validation
+ // of the identity.
+ if (valid_identity) {
+ EXPECT_EQ(rtc::SS_OPEN, client_ssl_->GetState());
+ // If the client sends a packet while the server still hasn't verified the
+ // client identity, the server should continue to return SR_BLOCK.
+ int error;
+ EXPECT_EQ(rtc::SR_SUCCESS, client_ssl_->Write(packet, sent, error));
+ size_t read;
+ EXPECT_EQ(rtc::SR_BLOCK, server_ssl_->Read(packet, read, error));
+ } else {
+ EXPECT_EQ(rtc::SS_CLOSED, client_ssl_->GetState());
+ }
+
+ // Set the peer certificate digest for the server.
+ rv = server_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, client_digest,
+ client_digest_len, &err);
+ EXPECT_EQ(expected_err, err);
+ EXPECT_EQ(valid_identity, rv);
+ if (valid_identity) {
+ EXPECT_EQ(rtc::SS_OPEN, server_ssl_->GetState());
+ } else {
+ EXPECT_EQ(rtc::SS_CLOSED, server_ssl_->GetState());
+ }
+ }
+
+ rtc::StreamResult DataWritten(SSLDummyStreamBase* from,
+ const void* data,
+ size_t data_len,
+ size_t& written,
+ int& error) {
+ // Randomly drop loss_ percent of packets
+ if (rtc::CreateRandomId() % 100 < static_cast<uint32_t>(loss_)) {
+ RTC_LOG(LS_VERBOSE) << "Randomly dropping packet, size=" << data_len;
+ written = data_len;
+ return rtc::SR_SUCCESS;
+ }
+ if (dtls_ && (data_len > mtu_)) {
+ RTC_LOG(LS_VERBOSE) << "Dropping packet > mtu, size=" << data_len;
+ written = data_len;
+ return rtc::SR_SUCCESS;
+ }
+
+ // Optionally damage application data (type 23). Note that we don't damage
+ // handshake packets and we damage the last byte to keep the header
+ // intact but break the MAC.
+ if (damage_ && (*static_cast<const unsigned char*>(data) == 23)) {
+ std::vector<uint8_t> buf(data_len);
+
+ RTC_LOG(LS_VERBOSE) << "Damaging packet";
+
+ memcpy(&buf[0], data, data_len);
+ buf[data_len - 1]++;
+ return from->WriteData(rtc::MakeArrayView(&buf[0], data_len), written,
+ error);
+ }
+
+ return from->WriteData(
+ rtc::MakeArrayView(reinterpret_cast<const uint8_t*>(data), data_len),
+ written, error);
+ }
+
+ void SetDelay(int delay) { delay_ = delay; }
+ int GetDelay() { return delay_; }
+
+ void SetLoseFirstPacket(bool lose) { lose_first_packet_ = lose; }
+ bool GetLoseFirstPacket() { return lose_first_packet_; }
+
+ void SetLoss(int percent) { loss_ = percent; }
+
+ void SetDamage() { damage_ = true; }
+
+ void SetMtu(size_t mtu) { mtu_ = mtu; }
+
+ void SetHandshakeWait(int wait) { handshake_wait_ = wait; }
+
+ void SetDtlsSrtpCryptoSuites(const std::vector<int>& ciphers, bool client) {
+ if (client)
+ client_ssl_->SetDtlsSrtpCryptoSuites(ciphers);
+ else
+ server_ssl_->SetDtlsSrtpCryptoSuites(ciphers);
+ }
+
+ bool GetDtlsSrtpCryptoSuite(bool client, int* retval) {
+ if (client)
+ return client_ssl_->GetDtlsSrtpCryptoSuite(retval);
+ else
+ return server_ssl_->GetDtlsSrtpCryptoSuite(retval);
+ }
+
+ std::unique_ptr<rtc::SSLCertificate> GetPeerCertificate(bool client) {
+ std::unique_ptr<rtc::SSLCertChain> chain;
+ if (client)
+ chain = client_ssl_->GetPeerSSLCertChain();
+ else
+ chain = server_ssl_->GetPeerSSLCertChain();
+ return (chain && chain->GetSize()) ? chain->Get(0).Clone() : nullptr;
+ }
+
+ bool GetSslCipherSuite(bool client, int* retval) {
+ if (client)
+ return client_ssl_->GetSslCipherSuite(retval);
+ else
+ return server_ssl_->GetSslCipherSuite(retval);
+ }
+
+ int GetSslVersion(bool client) {
+ if (client)
+ return client_ssl_->GetSslVersion();
+ else
+ return server_ssl_->GetSslVersion();
+ }
+
+ bool ExportKeyingMaterial(absl::string_view label,
+ const unsigned char* context,
+ size_t context_len,
+ bool use_context,
+ bool client,
+ unsigned char* result,
+ size_t result_len) {
+ if (client)
+ return client_ssl_->ExportKeyingMaterial(label, context, context_len,
+ use_context, result, result_len);
+ else
+ return server_ssl_->ExportKeyingMaterial(label, context, context_len,
+ use_context, result, result_len);
+ }
+
+ // To be implemented by subclasses.
+ virtual void WriteData() = 0;
+ virtual void ReadData(rtc::StreamInterface* stream) = 0;
+ virtual void TestTransfer(int size) = 0;
+
+ protected:
+ rtc::SSLIdentity* client_identity() const {
+ if (!client_ssl_) {
+ return nullptr;
+ }
+ return client_ssl_->GetIdentityForTesting();
+ }
+ rtc::SSLIdentity* server_identity() const {
+ if (!server_ssl_) {
+ return nullptr;
+ }
+ return server_ssl_->GetIdentityForTesting();
+ }
+
+ rtc::AutoThread main_thread_;
+ std::string client_cert_pem_;
+ std::string client_private_key_pem_;
+ rtc::KeyParams client_key_type_;
+ rtc::KeyParams server_key_type_;
+ SSLDummyStreamBase* client_stream_; // freed by client_ssl_ destructor
+ SSLDummyStreamBase* server_stream_; // freed by server_ssl_ destructor
+ std::unique_ptr<rtc::SSLStreamAdapter> client_ssl_;
+ std::unique_ptr<rtc::SSLStreamAdapter> server_ssl_;
+ int delay_;
+ size_t mtu_;
+ int loss_;
+ bool lose_first_packet_;
+ bool damage_;
+ bool dtls_;
+ int handshake_wait_;
+ bool identities_set_;
+};
+
+class SSLStreamAdapterTestTLS
+ : public SSLStreamAdapterTestBase,
+ public WithParamInterface<tuple<rtc::KeyParams, rtc::KeyParams>> {
+ public:
+ SSLStreamAdapterTestTLS()
+ : SSLStreamAdapterTestBase("",
+ "",
+ false,
+ ::testing::get<0>(GetParam()),
+ ::testing::get<1>(GetParam())),
+ client_buffer_(kFifoBufferSize),
+ server_buffer_(kFifoBufferSize) {}
+
+ void CreateStreams() override {
+ client_stream_ =
+ new SSLDummyStreamTLS(this, "c2s", &client_buffer_, &server_buffer_);
+ server_stream_ =
+ new SSLDummyStreamTLS(this, "s2c", &server_buffer_, &client_buffer_);
+ }
+
+ // Test data transfer for TLS
+ void TestTransfer(int size) override {
+ RTC_LOG(LS_INFO) << "Starting transfer test with " << size << " bytes";
+ // Create some dummy data to send.
+ size_t received;
+
+ send_stream_.ReserveSize(size);
+ for (int i = 0; i < size; ++i) {
+ uint8_t ch = static_cast<uint8_t>(i);
+ size_t written;
+ int error;
+ send_stream_.Write(rtc::MakeArrayView(&ch, 1), written, error);
+ }
+ send_stream_.Rewind();
+
+ // Prepare the receive stream.
+ recv_stream_.ReserveSize(size);
+
+ // Start sending
+ WriteData();
+
+ // Wait for the client to close
+ EXPECT_TRUE_WAIT(server_ssl_->GetState() == rtc::SS_CLOSED, 10000);
+
+ // Now check the data
+ recv_stream_.GetSize(&received);
+
+ EXPECT_EQ(static_cast<size_t>(size), received);
+ EXPECT_EQ(0,
+ memcmp(send_stream_.GetBuffer(), recv_stream_.GetBuffer(), size));
+ }
+
+ void WriteData() override {
+ size_t position, tosend, size;
+ rtc::StreamResult rv;
+ size_t sent;
+ uint8_t block[kBlockSize];
+
+ send_stream_.GetSize(&size);
+ if (!size)
+ return;
+
+ for (;;) {
+ send_stream_.GetPosition(&position);
+ int dummy_error;
+ if (send_stream_.Read(block, tosend, dummy_error) != rtc::SR_EOS) {
+ int error;
+ rv = client_ssl_->Write(rtc::MakeArrayView(block, tosend), sent, error);
+
+ if (rv == rtc::SR_SUCCESS) {
+ send_stream_.SetPosition(position + sent);
+ RTC_LOG(LS_VERBOSE) << "Sent: " << position + sent;
+ } else if (rv == rtc::SR_BLOCK) {
+ RTC_LOG(LS_VERBOSE) << "Blocked...";
+ send_stream_.SetPosition(position);
+ break;
+ } else {
+ ADD_FAILURE();
+ break;
+ }
+ } else {
+ // Now close
+ RTC_LOG(LS_INFO) << "Wrote " << position << " bytes. Closing";
+ client_ssl_->Close();
+ break;
+ }
+ }
+ }
+
+ void ReadData(rtc::StreamInterface* stream) override {
+ uint8_t buffer[1600];
+ size_t bread;
+ int err2;
+ rtc::StreamResult r;
+
+ for (;;) {
+ r = stream->Read(buffer, bread, err2);
+
+ if (r == rtc::SR_ERROR || r == rtc::SR_EOS) {
+ // Unfortunately, errors are the way that the stream adapter
+ // signals close in OpenSSL.
+ stream->Close();
+ return;
+ }
+
+ if (r == rtc::SR_BLOCK)
+ break;
+
+ ASSERT_EQ(rtc::SR_SUCCESS, r);
+ RTC_LOG(LS_VERBOSE) << "Read " << bread;
+ size_t written;
+ int error;
+ recv_stream_.Write(rtc::MakeArrayView(buffer, bread), written, error);
+ }
+ }
+
+ private:
+ rtc::FifoBuffer client_buffer_;
+ rtc::FifoBuffer server_buffer_;
+ rtc::MemoryStream send_stream_;
+ rtc::MemoryStream recv_stream_;
+};
+
+class SSLStreamAdapterTestDTLSBase : public SSLStreamAdapterTestBase {
+ public:
+ SSLStreamAdapterTestDTLSBase(rtc::KeyParams param1, rtc::KeyParams param2)
+ : SSLStreamAdapterTestBase("", "", true, param1, param2),
+ client_buffer_(kBufferCapacity, kDefaultBufferSize),
+ server_buffer_(kBufferCapacity, kDefaultBufferSize),
+ packet_size_(1000),
+ count_(0),
+ sent_(0) {}
+
+ SSLStreamAdapterTestDTLSBase(absl::string_view cert_pem,
+ absl::string_view private_key_pem)
+ : SSLStreamAdapterTestBase(cert_pem, private_key_pem, true),
+ client_buffer_(kBufferCapacity, kDefaultBufferSize),
+ server_buffer_(kBufferCapacity, kDefaultBufferSize),
+ packet_size_(1000),
+ count_(0),
+ sent_(0) {}
+
+ void CreateStreams() override {
+ client_stream_ =
+ new SSLDummyStreamDTLS(this, "c2s", &client_buffer_, &server_buffer_);
+ server_stream_ =
+ new SSLDummyStreamDTLS(this, "s2c", &server_buffer_, &client_buffer_);
+ }
+
+ void WriteData() override {
+ uint8_t* packet = new uint8_t[1600];
+
+ while (sent_ < count_) {
+ unsigned int rand_state = sent_;
+ packet[0] = sent_;
+ for (size_t i = 1; i < packet_size_; i++) {
+ // This is a simple LC PRNG. Keep in synch with identical code below.
+ rand_state = (rand_state * 251 + 19937) >> 7;
+ packet[i] = rand_state & 0xff;
+ }
+
+ size_t sent;
+ int error;
+ rtc::StreamResult rv = client_ssl_->Write(
+ rtc::MakeArrayView(packet, packet_size_), sent, error);
+ if (rv == rtc::SR_SUCCESS) {
+ RTC_LOG(LS_VERBOSE) << "Sent: " << sent_;
+ sent_++;
+ } else if (rv == rtc::SR_BLOCK) {
+ RTC_LOG(LS_VERBOSE) << "Blocked...";
+ break;
+ } else {
+ ADD_FAILURE();
+ break;
+ }
+ }
+
+ delete[] packet;
+ }
+
+ void ReadData(rtc::StreamInterface* stream) override {
+ uint8_t buffer[2000];
+ size_t bread;
+ int err2;
+ rtc::StreamResult r;
+
+ for (;;) {
+ r = stream->Read(buffer, bread, err2);
+
+ if (r == rtc::SR_ERROR) {
+ // Unfortunately, errors are the way that the stream adapter
+ // signals close right now
+ stream->Close();
+ return;
+ }
+
+ if (r == rtc::SR_BLOCK)
+ break;
+
+ ASSERT_EQ(rtc::SR_SUCCESS, r);
+ RTC_LOG(LS_VERBOSE) << "Read " << bread;
+
+ // Now parse the datagram
+ ASSERT_EQ(packet_size_, bread);
+ unsigned char packet_num = buffer[0];
+
+ unsigned int rand_state = packet_num;
+ for (size_t i = 1; i < packet_size_; i++) {
+ // This is a simple LC PRNG. Keep in synch with identical code above.
+ rand_state = (rand_state * 251 + 19937) >> 7;
+ ASSERT_EQ(rand_state & 0xff, buffer[i]);
+ }
+ received_.insert(packet_num);
+ }
+ }
+
+ void TestTransfer(int count) override {
+ count_ = count;
+
+ WriteData();
+
+ EXPECT_TRUE_WAIT(sent_ == count_, 10000);
+ RTC_LOG(LS_INFO) << "sent_ == " << sent_;
+
+ if (damage_) {
+ WAIT(false, 2000);
+ EXPECT_EQ(0U, received_.size());
+ } else if (loss_ == 0) {
+ EXPECT_EQ_WAIT(static_cast<size_t>(sent_), received_.size(), 1000);
+ } else {
+ RTC_LOG(LS_INFO) << "Sent " << sent_ << " packets; received "
+ << received_.size();
+ }
+ }
+
+ protected:
+ BufferQueueStream client_buffer_;
+ BufferQueueStream server_buffer_;
+
+ private:
+ size_t packet_size_;
+ int count_;
+ int sent_;
+ std::set<int> received_;
+};
+
+class SSLStreamAdapterTestDTLS
+ : public SSLStreamAdapterTestDTLSBase,
+ public WithParamInterface<tuple<rtc::KeyParams, rtc::KeyParams>> {
+ public:
+ SSLStreamAdapterTestDTLS()
+ : SSLStreamAdapterTestDTLSBase(::testing::get<0>(GetParam()),
+ ::testing::get<1>(GetParam())) {}
+
+ SSLStreamAdapterTestDTLS(absl::string_view cert_pem,
+ absl::string_view private_key_pem)
+ : SSLStreamAdapterTestDTLSBase(cert_pem, private_key_pem) {}
+};
+
+rtc::StreamResult SSLDummyStreamBase::Write(rtc::ArrayView<const uint8_t> data,
+ size_t& written,
+ int& error) {
+ RTC_LOG(LS_VERBOSE) << "Writing to loopback " << data.size();
+
+ if (first_packet_) {
+ first_packet_ = false;
+ if (test_base_->GetLoseFirstPacket()) {
+ RTC_LOG(LS_INFO) << "Losing initial packet of length " << data.size();
+ written = data.size(); // Fake successful writing also to writer.
+ return rtc::SR_SUCCESS;
+ }
+ }
+
+ return test_base_->DataWritten(this, data.data(), data.size(), written,
+ error);
+}
+
+class SSLStreamAdapterTestDTLSFromPEMStrings : public SSLStreamAdapterTestDTLS {
+ public:
+ SSLStreamAdapterTestDTLSFromPEMStrings()
+ : SSLStreamAdapterTestDTLS(kCERT_PEM, kRSA_PRIVATE_KEY_PEM) {}
+};
+
+// Test fixture for certificate chaining. Server will push more than one
+// certificate.
+class SSLStreamAdapterTestDTLSCertChain : public SSLStreamAdapterTestDTLS {
+ public:
+ SSLStreamAdapterTestDTLSCertChain() : SSLStreamAdapterTestDTLS("", "") {}
+ void SetUp() override {
+ CreateStreams();
+
+ client_ssl_ =
+ rtc::SSLStreamAdapter::Create(absl::WrapUnique(client_stream_));
+ server_ssl_ =
+ rtc::SSLStreamAdapter::Create(absl::WrapUnique(server_stream_));
+
+ // Set up the slots
+ client_ssl_->SignalEvent.connect(
+ reinterpret_cast<SSLStreamAdapterTestBase*>(this),
+ &SSLStreamAdapterTestBase::OnEvent);
+ server_ssl_->SignalEvent.connect(
+ reinterpret_cast<SSLStreamAdapterTestBase*>(this),
+ &SSLStreamAdapterTestBase::OnEvent);
+
+ std::unique_ptr<rtc::SSLIdentity> client_identity;
+ if (!client_cert_pem_.empty() && !client_private_key_pem_.empty()) {
+ client_identity = rtc::SSLIdentity::CreateFromPEMStrings(
+ client_private_key_pem_, client_cert_pem_);
+ } else {
+ client_identity = rtc::SSLIdentity::Create("client", client_key_type_);
+ }
+
+ client_ssl_->SetIdentity(std::move(client_identity));
+ }
+};
+
+// Basic tests: TLS
+
+// Test that we can make a handshake work
+TEST_P(SSLStreamAdapterTestTLS, TestTLSConnect) {
+ TestHandshake();
+}
+
+TEST_P(SSLStreamAdapterTestTLS, GetPeerCertChainWithOneCertificate) {
+ TestHandshake();
+ std::unique_ptr<rtc::SSLCertChain> cert_chain =
+ client_ssl_->GetPeerSSLCertChain();
+ ASSERT_NE(nullptr, cert_chain);
+ EXPECT_EQ(1u, cert_chain->GetSize());
+ EXPECT_EQ(cert_chain->Get(0).ToPEMString(),
+ server_identity()->certificate().ToPEMString());
+}
+
+TEST_F(SSLStreamAdapterTestDTLSCertChain, TwoCertHandshake) {
+ auto server_identity = rtc::SSLIdentity::CreateFromPEMChainStrings(
+ kRSA_PRIVATE_KEY_PEM, std::string(kCERT_PEM) + kCACert);
+ server_ssl_->SetIdentity(std::move(server_identity));
+ TestHandshake();
+ std::unique_ptr<rtc::SSLCertChain> peer_cert_chain =
+ client_ssl_->GetPeerSSLCertChain();
+ ASSERT_NE(nullptr, peer_cert_chain);
+ EXPECT_EQ(kCERT_PEM, peer_cert_chain->Get(0).ToPEMString());
+ // TODO(bugs.webrtc.org/15153): Fix peer_cert_chain to return multiple
+ // certificates under OpenSSL. Today it only works with BoringSSL.
+#ifdef OPENSSL_IS_BORINGSSL
+ ASSERT_EQ(2u, peer_cert_chain->GetSize());
+ EXPECT_EQ(kCACert, peer_cert_chain->Get(1).ToPEMString());
+#endif
+}
+
+TEST_F(SSLStreamAdapterTestDTLSCertChain, TwoCertHandshakeWithCopy) {
+ server_ssl_->SetIdentity(rtc::SSLIdentity::CreateFromPEMChainStrings(
+ kRSA_PRIVATE_KEY_PEM, std::string(kCERT_PEM) + kCACert));
+ TestHandshake();
+ std::unique_ptr<rtc::SSLCertChain> peer_cert_chain =
+ client_ssl_->GetPeerSSLCertChain();
+ ASSERT_NE(nullptr, peer_cert_chain);
+ EXPECT_EQ(kCERT_PEM, peer_cert_chain->Get(0).ToPEMString());
+ // TODO(bugs.webrtc.org/15153): Fix peer_cert_chain to return multiple
+ // certificates under OpenSSL. Today it only works with BoringSSL.
+#ifdef OPENSSL_IS_BORINGSSL
+ ASSERT_EQ(2u, peer_cert_chain->GetSize());
+ EXPECT_EQ(kCACert, peer_cert_chain->Get(1).ToPEMString());
+#endif
+}
+
+TEST_F(SSLStreamAdapterTestDTLSCertChain, ThreeCertHandshake) {
+ server_ssl_->SetIdentity(rtc::SSLIdentity::CreateFromPEMChainStrings(
+ kRSA_PRIVATE_KEY_PEM, std::string(kCERT_PEM) + kIntCert1 + kCACert));
+ TestHandshake();
+ std::unique_ptr<rtc::SSLCertChain> peer_cert_chain =
+ client_ssl_->GetPeerSSLCertChain();
+ ASSERT_NE(nullptr, peer_cert_chain);
+ EXPECT_EQ(kCERT_PEM, peer_cert_chain->Get(0).ToPEMString());
+ // TODO(bugs.webrtc.org/15153): Fix peer_cert_chain to return multiple
+ // certificates under OpenSSL. Today it only works with BoringSSL.
+#ifdef OPENSSL_IS_BORINGSSL
+ ASSERT_EQ(3u, peer_cert_chain->GetSize());
+ EXPECT_EQ(kIntCert1, peer_cert_chain->Get(1).ToPEMString());
+ EXPECT_EQ(kCACert, peer_cert_chain->Get(2).ToPEMString());
+#endif
+}
+
+// Test that closing the connection on one side updates the other side.
+TEST_P(SSLStreamAdapterTestTLS, TestTLSClose) {
+ TestHandshake();
+ client_ssl_->Close();
+ EXPECT_EQ_WAIT(rtc::SS_CLOSED, server_ssl_->GetState(), handshake_wait_);
+}
+
+// Test transfer -- trivial
+TEST_P(SSLStreamAdapterTestTLS, TestTLSTransfer) {
+ TestHandshake();
+ TestTransfer(100000);
+}
+
+// Test read-write after close.
+TEST_P(SSLStreamAdapterTestTLS, ReadWriteAfterClose) {
+ TestHandshake();
+ TestTransfer(100000);
+ client_ssl_->Close();
+
+ rtc::StreamResult rv;
+ uint8_t block[kBlockSize];
+ size_t dummy;
+ int error;
+
+ // It's an error to write after closed.
+ rv = client_ssl_->Write(block, dummy, error);
+ ASSERT_EQ(rtc::SR_ERROR, rv);
+
+ // But after closed read gives you EOS.
+ rv = client_ssl_->Read(block, dummy, error);
+ ASSERT_EQ(rtc::SR_EOS, rv);
+}
+
+// Test a handshake with a bogus peer digest
+TEST_P(SSLStreamAdapterTestTLS, TestTLSBogusDigest) {
+ SetPeerIdentitiesByDigest(false, true);
+ TestHandshake(false);
+}
+
+TEST_P(SSLStreamAdapterTestTLS, TestTLSDelayedIdentity) {
+ TestHandshakeWithDelayedIdentity(true);
+}
+
+TEST_P(SSLStreamAdapterTestTLS, TestTLSDelayedIdentityWithBogusDigest) {
+ TestHandshakeWithDelayedIdentity(false);
+}
+
+// Test that the correct error is returned when SetPeerCertificateDigest is
+// called with an unknown algorithm.
+TEST_P(SSLStreamAdapterTestTLS,
+ TestSetPeerCertificateDigestWithUnknownAlgorithm) {
+ unsigned char server_digest[20];
+ size_t server_digest_len;
+ bool rv;
+ rtc::SSLPeerCertificateDigestError err;
+
+ rv = server_identity()->certificate().ComputeDigest(
+ rtc::DIGEST_SHA_1, server_digest, 20, &server_digest_len);
+ ASSERT_TRUE(rv);
+
+ rv = client_ssl_->SetPeerCertificateDigest("unknown algorithm", server_digest,
+ server_digest_len, &err);
+ EXPECT_EQ(rtc::SSLPeerCertificateDigestError::UNKNOWN_ALGORITHM, err);
+ EXPECT_FALSE(rv);
+}
+
+// Test that the correct error is returned when SetPeerCertificateDigest is
+// called with an invalid digest length.
+TEST_P(SSLStreamAdapterTestTLS, TestSetPeerCertificateDigestWithInvalidLength) {
+ unsigned char server_digest[20];
+ size_t server_digest_len;
+ bool rv;
+ rtc::SSLPeerCertificateDigestError err;
+
+ rv = server_identity()->certificate().ComputeDigest(
+ rtc::DIGEST_SHA_1, server_digest, 20, &server_digest_len);
+ ASSERT_TRUE(rv);
+
+ rv = client_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, server_digest,
+ server_digest_len - 1, &err);
+ EXPECT_EQ(rtc::SSLPeerCertificateDigestError::INVALID_LENGTH, err);
+ EXPECT_FALSE(rv);
+}
+
+// Test moving a bunch of data
+
+// Basic tests: DTLS
+// Test that we can make a handshake work
+TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnect) {
+ TestHandshake();
+}
+
+// Test that we can make a handshake work if the first packet in
+// each direction is lost. This gives us predictable loss
+// rather than having to tune random
+TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnectWithLostFirstPacket) {
+ SetLoseFirstPacket(true);
+ TestHandshake();
+}
+
+// Test a handshake with loss and delay
+TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnectWithLostFirstPacketDelay2s) {
+ SetLoseFirstPacket(true);
+ SetDelay(2000);
+ SetHandshakeWait(20000);
+ TestHandshake();
+}
+
+// Test a handshake with small MTU
+// Disabled due to https://code.google.com/p/webrtc/issues/detail?id=3910
+TEST_P(SSLStreamAdapterTestDTLS, DISABLED_TestDTLSConnectWithSmallMtu) {
+ SetMtu(700);
+ SetHandshakeWait(20000);
+ TestHandshake();
+}
+
+// Test a handshake with total loss and timing out.
+TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnectTimeout) {
+ SetLoss(100);
+ TestHandshakeTimeout();
+}
+
+// Test transfer -- trivial
+TEST_P(SSLStreamAdapterTestDTLS, TestDTLSTransfer) {
+ TestHandshake();
+ TestTransfer(100);
+}
+
+TEST_P(SSLStreamAdapterTestDTLS, TestDTLSTransferWithLoss) {
+ TestHandshake();
+ SetLoss(10);
+ TestTransfer(100);
+}
+
+TEST_P(SSLStreamAdapterTestDTLS, TestDTLSTransferWithDamage) {
+ SetDamage(); // Must be called first because first packet
+ // write happens at end of handshake.
+ TestHandshake();
+ TestTransfer(100);
+}
+
+TEST_P(SSLStreamAdapterTestDTLS, TestDTLSDelayedIdentity) {
+ TestHandshakeWithDelayedIdentity(true);
+}
+
+TEST_P(SSLStreamAdapterTestDTLS, TestDTLSDelayedIdentityWithBogusDigest) {
+ TestHandshakeWithDelayedIdentity(false);
+}
+
+// Test DTLS-SRTP with all high ciphers
+TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpHigh) {
+ std::vector<int> high;
+ high.push_back(rtc::kSrtpAes128CmSha1_80);
+ SetDtlsSrtpCryptoSuites(high, true);
+ SetDtlsSrtpCryptoSuites(high, false);
+ TestHandshake();
+
+ int client_cipher;
+ ASSERT_TRUE(GetDtlsSrtpCryptoSuite(true, &client_cipher));
+ int server_cipher;
+ ASSERT_TRUE(GetDtlsSrtpCryptoSuite(false, &server_cipher));
+
+ ASSERT_EQ(client_cipher, server_cipher);
+ ASSERT_EQ(client_cipher, rtc::kSrtpAes128CmSha1_80);
+}
+
+// Test DTLS-SRTP with all low ciphers
+TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpLow) {
+ std::vector<int> low;
+ low.push_back(rtc::kSrtpAes128CmSha1_32);
+ SetDtlsSrtpCryptoSuites(low, true);
+ SetDtlsSrtpCryptoSuites(low, false);
+ TestHandshake();
+
+ int client_cipher;
+ ASSERT_TRUE(GetDtlsSrtpCryptoSuite(true, &client_cipher));
+ int server_cipher;
+ ASSERT_TRUE(GetDtlsSrtpCryptoSuite(false, &server_cipher));
+
+ ASSERT_EQ(client_cipher, server_cipher);
+ ASSERT_EQ(client_cipher, rtc::kSrtpAes128CmSha1_32);
+}
+
+// Test DTLS-SRTP with a mismatch -- should not converge
+TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpHighLow) {
+ std::vector<int> high;
+ high.push_back(rtc::kSrtpAes128CmSha1_80);
+ std::vector<int> low;
+ low.push_back(rtc::kSrtpAes128CmSha1_32);
+ SetDtlsSrtpCryptoSuites(high, true);
+ SetDtlsSrtpCryptoSuites(low, false);
+ TestHandshake();
+
+ int client_cipher;
+ ASSERT_FALSE(GetDtlsSrtpCryptoSuite(true, &client_cipher));
+ int server_cipher;
+ ASSERT_FALSE(GetDtlsSrtpCryptoSuite(false, &server_cipher));
+}
+
+// Test DTLS-SRTP with each side being mixed -- should select high
+TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpMixed) {
+ std::vector<int> mixed;
+ mixed.push_back(rtc::kSrtpAes128CmSha1_80);
+ mixed.push_back(rtc::kSrtpAes128CmSha1_32);
+ SetDtlsSrtpCryptoSuites(mixed, true);
+ SetDtlsSrtpCryptoSuites(mixed, false);
+ TestHandshake();
+
+ int client_cipher;
+ ASSERT_TRUE(GetDtlsSrtpCryptoSuite(true, &client_cipher));
+ int server_cipher;
+ ASSERT_TRUE(GetDtlsSrtpCryptoSuite(false, &server_cipher));
+
+ ASSERT_EQ(client_cipher, server_cipher);
+ ASSERT_EQ(client_cipher, rtc::kSrtpAes128CmSha1_80);
+}
+
+// Test DTLS-SRTP with all GCM-128 ciphers.
+TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpGCM128) {
+ std::vector<int> gcm128;
+ gcm128.push_back(rtc::kSrtpAeadAes128Gcm);
+ SetDtlsSrtpCryptoSuites(gcm128, true);
+ SetDtlsSrtpCryptoSuites(gcm128, false);
+ TestHandshake();
+
+ int client_cipher;
+ ASSERT_TRUE(GetDtlsSrtpCryptoSuite(true, &client_cipher));
+ int server_cipher;
+ ASSERT_TRUE(GetDtlsSrtpCryptoSuite(false, &server_cipher));
+
+ ASSERT_EQ(client_cipher, server_cipher);
+ ASSERT_EQ(client_cipher, rtc::kSrtpAeadAes128Gcm);
+}
+
+// Test DTLS-SRTP with all GCM-256 ciphers.
+TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpGCM256) {
+ std::vector<int> gcm256;
+ gcm256.push_back(rtc::kSrtpAeadAes256Gcm);
+ SetDtlsSrtpCryptoSuites(gcm256, true);
+ SetDtlsSrtpCryptoSuites(gcm256, false);
+ TestHandshake();
+
+ int client_cipher;
+ ASSERT_TRUE(GetDtlsSrtpCryptoSuite(true, &client_cipher));
+ int server_cipher;
+ ASSERT_TRUE(GetDtlsSrtpCryptoSuite(false, &server_cipher));
+
+ ASSERT_EQ(client_cipher, server_cipher);
+ ASSERT_EQ(client_cipher, rtc::kSrtpAeadAes256Gcm);
+}
+
+// Test DTLS-SRTP with mixed GCM-128/-256 ciphers -- should not converge.
+TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpGCMMismatch) {
+ std::vector<int> gcm128;
+ gcm128.push_back(rtc::kSrtpAeadAes128Gcm);
+ std::vector<int> gcm256;
+ gcm256.push_back(rtc::kSrtpAeadAes256Gcm);
+ SetDtlsSrtpCryptoSuites(gcm128, true);
+ SetDtlsSrtpCryptoSuites(gcm256, false);
+ TestHandshake();
+
+ int client_cipher;
+ ASSERT_FALSE(GetDtlsSrtpCryptoSuite(true, &client_cipher));
+ int server_cipher;
+ ASSERT_FALSE(GetDtlsSrtpCryptoSuite(false, &server_cipher));
+}
+
+// Test DTLS-SRTP with both GCM-128/-256 ciphers -- should select GCM-256.
+TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpGCMMixed) {
+ std::vector<int> gcmBoth;
+ gcmBoth.push_back(rtc::kSrtpAeadAes256Gcm);
+ gcmBoth.push_back(rtc::kSrtpAeadAes128Gcm);
+ SetDtlsSrtpCryptoSuites(gcmBoth, true);
+ SetDtlsSrtpCryptoSuites(gcmBoth, false);
+ TestHandshake();
+
+ int client_cipher;
+ ASSERT_TRUE(GetDtlsSrtpCryptoSuite(true, &client_cipher));
+ int server_cipher;
+ ASSERT_TRUE(GetDtlsSrtpCryptoSuite(false, &server_cipher));
+
+ ASSERT_EQ(client_cipher, server_cipher);
+ ASSERT_EQ(client_cipher, rtc::kSrtpAeadAes256Gcm);
+}
+
+// Test SRTP cipher suite lengths.
+TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpKeyAndSaltLengths) {
+ int key_len;
+ int salt_len;
+
+ ASSERT_FALSE(rtc::GetSrtpKeyAndSaltLengths(rtc::kSrtpInvalidCryptoSuite,
+ &key_len, &salt_len));
+
+ ASSERT_TRUE(rtc::GetSrtpKeyAndSaltLengths(rtc::kSrtpAes128CmSha1_32, &key_len,
+ &salt_len));
+ ASSERT_EQ(128 / 8, key_len);
+ ASSERT_EQ(112 / 8, salt_len);
+
+ ASSERT_TRUE(rtc::GetSrtpKeyAndSaltLengths(rtc::kSrtpAes128CmSha1_80, &key_len,
+ &salt_len));
+ ASSERT_EQ(128 / 8, key_len);
+ ASSERT_EQ(112 / 8, salt_len);
+
+ ASSERT_TRUE(rtc::GetSrtpKeyAndSaltLengths(rtc::kSrtpAeadAes128Gcm, &key_len,
+ &salt_len));
+ ASSERT_EQ(128 / 8, key_len);
+ ASSERT_EQ(96 / 8, salt_len);
+
+ ASSERT_TRUE(rtc::GetSrtpKeyAndSaltLengths(rtc::kSrtpAeadAes256Gcm, &key_len,
+ &salt_len));
+ ASSERT_EQ(256 / 8, key_len);
+ ASSERT_EQ(96 / 8, salt_len);
+}
+
+// Test an exporter
+TEST_P(SSLStreamAdapterTestDTLS, TestDTLSExporter) {
+ TestHandshake();
+ unsigned char client_out[20];
+ unsigned char server_out[20];
+
+ bool result;
+ result = ExportKeyingMaterial(kExporterLabel, kExporterContext,
+ kExporterContextLen, true, true, client_out,
+ sizeof(client_out));
+ ASSERT_TRUE(result);
+
+ result = ExportKeyingMaterial(kExporterLabel, kExporterContext,
+ kExporterContextLen, true, false, server_out,
+ sizeof(server_out));
+ ASSERT_TRUE(result);
+
+ ASSERT_TRUE(!memcmp(client_out, server_out, sizeof(client_out)));
+}
+
+// Test not yet valid certificates are not rejected.
+TEST_P(SSLStreamAdapterTestDTLS, TestCertNotYetValid) {
+ long one_day = 60 * 60 * 24;
+ // Make the certificates not valid until one day later.
+ ResetIdentitiesWithValidity(one_day, one_day);
+ TestHandshake();
+}
+
+// Test expired certificates are not rejected.
+TEST_P(SSLStreamAdapterTestDTLS, TestCertExpired) {
+ long one_day = 60 * 60 * 24;
+ // Make the certificates already expired.
+ ResetIdentitiesWithValidity(-one_day, -one_day);
+ TestHandshake();
+}
+
+// Test data transfer using certs created from strings.
+TEST_F(SSLStreamAdapterTestDTLSFromPEMStrings, TestTransfer) {
+ TestHandshake();
+ TestTransfer(100);
+}
+
+// Test getting the remote certificate.
+TEST_F(SSLStreamAdapterTestDTLSFromPEMStrings, TestDTLSGetPeerCertificate) {
+ // Peer certificates haven't been received yet.
+ ASSERT_FALSE(GetPeerCertificate(true));
+ ASSERT_FALSE(GetPeerCertificate(false));
+
+ TestHandshake();
+
+ // The client should have a peer certificate after the handshake.
+ std::unique_ptr<rtc::SSLCertificate> client_peer_cert =
+ GetPeerCertificate(true);
+ ASSERT_TRUE(client_peer_cert);
+
+ // It's not kCERT_PEM.
+ std::string client_peer_string = client_peer_cert->ToPEMString();
+ ASSERT_NE(kCERT_PEM, client_peer_string);
+
+ // The server should have a peer certificate after the handshake.
+ std::unique_ptr<rtc::SSLCertificate> server_peer_cert =
+ GetPeerCertificate(false);
+ ASSERT_TRUE(server_peer_cert);
+
+ // It's kCERT_PEM
+ ASSERT_EQ(kCERT_PEM, server_peer_cert->ToPEMString());
+}
+
+// Test getting the used DTLS 1.2 ciphers.
+// DTLS 1.2 enabled for client and server -> DTLS 1.2 will be used.
+TEST_P(SSLStreamAdapterTestDTLS, TestGetSslCipherSuiteDtls12Both) {
+ SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12);
+ TestHandshake();
+
+ int client_cipher;
+ ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
+ int server_cipher;
+ ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
+
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(true));
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(false));
+
+ ASSERT_EQ(client_cipher, server_cipher);
+ ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher(
+ server_cipher, ::testing::get<1>(GetParam()).type()));
+}
+
+// Test getting the used DTLS ciphers.
+// DTLS 1.2 is max version for client and server.
+TEST_P(SSLStreamAdapterTestDTLS, TestGetSslCipherSuite) {
+ SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12);
+ TestHandshake();
+
+ int client_cipher;
+ ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
+ int server_cipher;
+ ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
+
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(true));
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(false));
+
+ ASSERT_EQ(client_cipher, server_cipher);
+ ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher(
+ server_cipher, ::testing::get<1>(GetParam()).type()));
+}
+
+// The RSA keysizes here might look strange, why not include the RFC's size
+// 2048?. The reason is test case slowness; testing two sizes to exercise
+// parametrization is sufficient.
+INSTANTIATE_TEST_SUITE_P(
+ SSLStreamAdapterTestsTLS,
+ SSLStreamAdapterTestTLS,
+ Combine(Values(rtc::KeyParams::RSA(1024, 65537),
+ rtc::KeyParams::RSA(1152, 65537),
+ rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)),
+ Values(rtc::KeyParams::RSA(1024, 65537),
+ rtc::KeyParams::RSA(1152, 65537),
+ rtc::KeyParams::ECDSA(rtc::EC_NIST_P256))));
+INSTANTIATE_TEST_SUITE_P(
+ SSLStreamAdapterTestsDTLS,
+ SSLStreamAdapterTestDTLS,
+ Combine(Values(rtc::KeyParams::RSA(1024, 65537),
+ rtc::KeyParams::RSA(1152, 65537),
+ rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)),
+ Values(rtc::KeyParams::RSA(1024, 65537),
+ rtc::KeyParams::RSA(1152, 65537),
+ rtc::KeyParams::ECDSA(rtc::EC_NIST_P256))));
+
+// Tests for enabling / disabling legacy TLS protocols in DTLS.
+class SSLStreamAdapterTestDTLSLegacyProtocols
+ : public SSLStreamAdapterTestDTLSBase {
+ public:
+ SSLStreamAdapterTestDTLSLegacyProtocols()
+ : SSLStreamAdapterTestDTLSBase(rtc::KeyParams::ECDSA(rtc::EC_NIST_P256),
+ rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)) {
+ }
+
+ // Do not use the SetUp version from the parent class.
+ void SetUp() override {}
+
+ // The legacy TLS protocols flag is read when the OpenSSLStreamAdapter is
+ // initialized, so we set the experiment while creationg client_ssl_
+ // and server_ssl_.
+
+ void ConfigureClient(absl::string_view experiment) {
+ webrtc::test::ScopedFieldTrials trial{std::string(experiment)};
+ client_stream_ =
+ new SSLDummyStreamDTLS(this, "c2s", &client_buffer_, &server_buffer_);
+ client_ssl_ =
+ rtc::SSLStreamAdapter::Create(absl::WrapUnique(client_stream_));
+ client_ssl_->SignalEvent.connect(
+ static_cast<SSLStreamAdapterTestBase*>(this),
+ &SSLStreamAdapterTestBase::OnEvent);
+ auto client_identity = rtc::SSLIdentity::Create("client", client_key_type_);
+ client_ssl_->SetIdentity(std::move(client_identity));
+ }
+
+ void ConfigureServer(absl::string_view experiment) {
+ webrtc::test::ScopedFieldTrials trial{std::string(experiment)};
+ server_stream_ =
+ new SSLDummyStreamDTLS(this, "s2c", &server_buffer_, &client_buffer_);
+ server_ssl_ =
+ rtc::SSLStreamAdapter::Create(absl::WrapUnique(server_stream_));
+ server_ssl_->SignalEvent.connect(
+ static_cast<SSLStreamAdapterTestBase*>(this),
+ &SSLStreamAdapterTestBase::OnEvent);
+ server_ssl_->SetIdentity(
+ rtc::SSLIdentity::Create("server", server_key_type_));
+ }
+};
+
+// Test getting the used DTLS ciphers.
+// DTLS 1.2 enabled for neither client nor server -> DTLS 1.0 will be used.
+TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols, TestGetSslCipherSuite) {
+ ConfigureClient("WebRTC-LegacyTlsProtocols/Enabled/");
+ ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
+ SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
+ TestHandshake();
+
+ int client_cipher;
+ ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
+ int server_cipher;
+ ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
+
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true));
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false));
+
+ ASSERT_EQ(client_cipher, server_cipher);
+}
+
+// Test getting the used DTLS 1.2 ciphers.
+// DTLS 1.2 enabled for client and server -> DTLS 1.2 will be used.
+TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
+ TestGetSslCipherSuiteDtls12Both) {
+ ConfigureClient("");
+ ConfigureServer("");
+ SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12);
+ TestHandshake();
+
+ int client_cipher;
+ ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
+ int server_cipher;
+ ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
+
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(true));
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(false));
+
+ ASSERT_EQ(client_cipher, server_cipher);
+}
+
+// DTLS 1.2 enabled for client only -> DTLS 1.0 will be used.
+TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
+ TestGetSslCipherSuiteDtls12Client) {
+ ConfigureClient("WebRTC-LegacyTlsProtocols/Enabled/");
+ ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
+ SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_12);
+ TestHandshake();
+
+ int client_cipher;
+ ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
+ int server_cipher;
+ ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
+
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true));
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false));
+
+ ASSERT_EQ(client_cipher, server_cipher);
+}
+
+// DTLS 1.2 enabled for server only -> DTLS 1.0 will be used.
+TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
+ TestGetSslCipherSuiteDtls12Server) {
+ ConfigureClient("WebRTC-LegacyTlsProtocols/Enabled/");
+ ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
+ SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_10);
+ TestHandshake();
+
+ int client_cipher;
+ ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
+ int server_cipher;
+ ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
+
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true));
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false));
+
+ ASSERT_EQ(client_cipher, server_cipher);
+}
+
+// Client has legacy TLS versions disabled, server has DTLS 1.0 only.
+// This is meant to cause a failure.
+TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
+ TestGetSslVersionLegacyDisabledServer10) {
+ ConfigureClient("");
+ ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
+ SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_12);
+ // Handshake should fail.
+ TestHandshake(false);
+}
+
+// Both client and server have legacy TLS versions disabled and support
+// DTLS 1.2. This should work.
+TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
+ TestGetSslVersionLegacyDisabledServer12) {
+ ConfigureClient("");
+ ConfigureServer("");
+ SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12);
+ TestHandshake();
+}
+
+// Both client and server have legacy TLS versions enabled and support DTLS 1.0.
+// This should work.
+TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
+ TestGetSslVersionLegacyEnabledClient10Server10) {
+ ConfigureClient("WebRTC-LegacyTlsProtocols/Enabled/");
+ ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
+ SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
+ TestHandshake();
+}
+
+// Legacy protocols are disabled in the client, max TLS version is 1.0
+// This should be a configuration error, and handshake should fail.
+TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
+ TestGetSslVersionLegacyDisabledClient10Server10) {
+ ConfigureClient("");
+ ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
+ SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
+ TestHandshake(false);
+}
+
+// Both client and server have legacy TLS versions enabled and support DTLS 1.0.
+// This should work.
+TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
+ TestGetSslVersionLegacyOverrideEnabledClient10Server10) {
+ rtc::SetAllowLegacyTLSProtocols(true);
+ ConfigureClient("");
+ ConfigureServer("");
+ // Remove override.
+ rtc::SetAllowLegacyTLSProtocols(absl::nullopt);
+ SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
+ TestHandshake();
+}
+
+// Client has legacy TLS disabled and server has legacy TLS enabled via
+// override. Handshake for DTLS 1.0 should fail.
+TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
+ TestGetSslVersionLegacyOverrideDisabledClient10EnabledServer10) {
+ rtc::SetAllowLegacyTLSProtocols(false);
+ ConfigureClient("");
+ rtc::SetAllowLegacyTLSProtocols(true);
+ ConfigureServer("");
+ // Remove override.
+ rtc::SetAllowLegacyTLSProtocols(absl::nullopt);
+ SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
+ TestHandshake(false);
+}
+
+// Client has legacy TLS enabled and server has legacy TLS disabled via
+// override. Handshake for DTLS 1.0 should fail.
+TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
+ TestGetSslVersionLegacyOverrideEnabledClient10DisabledServer10) {
+ rtc::SetAllowLegacyTLSProtocols(true);
+ ConfigureClient("");
+ rtc::SetAllowLegacyTLSProtocols(false);
+ ConfigureServer("");
+ // Remove override.
+ rtc::SetAllowLegacyTLSProtocols(absl::nullopt);
+ SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
+ TestHandshake(false);
+}
+
+// These tests are a no-op under OpenSSL.
+#ifdef OPENSSL_IS_BORINGSSL
+// TODO(https://bugs.webrtc.org/10261): when removing
+// SSLStreamAdapterTestDTLSLegacyProtocols that this class
+// inherits from move the code to this class.
+class SSLStreamAdapterTestDTLSExtensionPermutation
+ : public SSLStreamAdapterTestDTLSLegacyProtocols {
+ public:
+ SSLStreamAdapterTestDTLSExtensionPermutation()
+ : SSLStreamAdapterTestDTLSLegacyProtocols() {}
+};
+
+// Tests for enabling the (D)TLS extension permutation which randomizes the
+// order of extensions in the client hello.
+TEST_F(SSLStreamAdapterTestDTLSExtensionPermutation,
+ ClientDefaultServerDefault) {
+ ConfigureClient("");
+ ConfigureServer("");
+ TestHandshake();
+}
+
+TEST_F(SSLStreamAdapterTestDTLSExtensionPermutation,
+ ClientDefaultServerPermute) {
+ ConfigureClient("");
+ ConfigureServer("WebRTC-PermuteTlsClientHello/Enabled/");
+ TestHandshake();
+}
+
+TEST_F(SSLStreamAdapterTestDTLSExtensionPermutation,
+ ClientPermuteServerDefault) {
+ ConfigureClient("WebRTC-PermuteTlsClientHello/Enabled/");
+ ConfigureServer("");
+ TestHandshake();
+}
+
+TEST_F(SSLStreamAdapterTestDTLSExtensionPermutation,
+ ClientPermuteServerPermute) {
+ ConfigureClient("WebRTC-PermuteTlsClientHello/Enabled/");
+ ConfigureServer("WebRTC-PermuteTlsClientHello/Enabled/");
+ TestHandshake();
+}
+#endif // OPENSSL_IS_BORINGSSL
generated by cgit v1.2.3 (git 2.39.1) at 2024-08-16 11:03:19 +0000