admin/webrtc_m130
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add IsAcceptableCipher, use instead of GetDefaultCipher.

Browse Source 
The old code insists on exact cipher suite matches with hardwired expectations. It does this matching parameterized with key type (RSA vs ECDSA) and TLS version (DTLS vs TLS and version 1.0 vs 1.2).

This CL changes things to check against a white-list of cipher suites, with the check parameterized with key type (again RSA vs ECDSA). Then separately checks TLS version since the old implicit check of TLS version by means of resulting cipher suite was too blunt.

Using a white list for cipher suites isn't perfect, but it is safe and requires minimal maintenance. It allows compatibility with not just one exact version of underlying crypto lib, but any version with reasonable defaults.

The CL also re-enables critical tests which had to be disabled recently to allow a boringssl roll.

BUG=webrtc:5634

Review URL: https://codereview.webrtc.org/1774583002

Cr-Commit-Position: refs/heads/master@{#11951}
This commit is contained in:
torbjorng 2016-03-11 00:06:47 -08:00 committed by Commit bot
parent 737f4b8d12
commit 43166b8adf
7 changed files with 159 additions and 175 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
webrtc/api/peerconnection_unittest.cc
View File

@ -1542,8 +1542,7 @@ TEST_F(P2PTestConductor, GetBytesSentStats) {
}
// Test that DTLS 1.0 is used if both sides only support DTLS 1.0.
// Disabled due to new BoringSSLL version, see webrtc:5634
TEST_F(P2PTestConductor, DISABLED_GetDtls12None) {
TEST_F(P2PTestConductor, GetDtls12None) {
PeerConnectionFactory::Options init_options;
init_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_10;
PeerConnectionFactory::Options recv_options;
@ -1555,16 +1554,10 @@ TEST_F(P2PTestConductor, DISABLED_GetDtls12None) {
initializing_client()->pc()->RegisterUMAObserver(init_observer);
LocalP2PTest();
EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName(
rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)),
initializing_client()->GetDtlsCipherStats(),
kMaxWaitForStatsMs);
EXPECT_EQ(1, init_observer->GetEnumCounter(
webrtc::kEnumCounterAudioSslCipher,
rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)));
EXPECT_TRUE_WAIT(
rtc::SSLStreamAdapter::IsAcceptableCipher(
initializing_client()->GetDtlsCipherStats(), rtc::KT_DEFAULT),
kMaxWaitForStatsMs);
EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite),
initializing_client()->GetSrtpCipherStats(),
kMaxWaitForStatsMs);
@ -1586,16 +1579,10 @@ TEST_F(P2PTestConductor, GetDtls12Both) {
initializing_client()->pc()->RegisterUMAObserver(init_observer);
LocalP2PTest();
EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName(
rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
rtc::SSL_PROTOCOL_DTLS_12, rtc::KT_DEFAULT)),
initializing_client()->GetDtlsCipherStats(),
kMaxWaitForStatsMs);
EXPECT_EQ(1, init_observer->GetEnumCounter(
webrtc::kEnumCounterAudioSslCipher,
rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
rtc::SSL_PROTOCOL_DTLS_12, rtc::KT_DEFAULT)));
EXPECT_TRUE_WAIT(
rtc::SSLStreamAdapter::IsAcceptableCipher(
initializing_client()->GetDtlsCipherStats(), rtc::KT_DEFAULT),
kMaxWaitForStatsMs);
EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite),
initializing_client()->GetSrtpCipherStats(),
kMaxWaitForStatsMs);
@ -1606,8 +1593,7 @@ TEST_F(P2PTestConductor, GetDtls12Both) {
// Test that DTLS 1.0 is used if the initator supports DTLS 1.2 and the
// received supports 1.0.
// Disabled due to new BoringSSLL version, see webrtc:5634
TEST_F(P2PTestConductor, DISABLED_GetDtls12Init) {
TEST_F(P2PTestConductor, GetDtls12Init) {
PeerConnectionFactory::Options init_options;
init_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_12;
PeerConnectionFactory::Options recv_options;
@ -1619,16 +1605,10 @@ TEST_F(P2PTestConductor, DISABLED_GetDtls12Init) {
initializing_client()->pc()->RegisterUMAObserver(init_observer);
LocalP2PTest();
EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName(
rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)),
initializing_client()->GetDtlsCipherStats(),
kMaxWaitForStatsMs);
EXPECT_EQ(1, init_observer->GetEnumCounter(
webrtc::kEnumCounterAudioSslCipher,
rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)));
EXPECT_TRUE_WAIT(
rtc::SSLStreamAdapter::IsAcceptableCipher(
initializing_client()->GetDtlsCipherStats(), rtc::KT_DEFAULT),
kMaxWaitForStatsMs);
EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite),
initializing_client()->GetSrtpCipherStats(),
kMaxWaitForStatsMs);
@ -1639,8 +1619,7 @@ TEST_F(P2PTestConductor, DISABLED_GetDtls12Init) {
// Test that DTLS 1.0 is used if the initator supports DTLS 1.0 and the
// received supports 1.2.
// Disabled due to new BoringSSLL version, see webrtc:5634
TEST_F(P2PTestConductor, DISABLED_GetDtls12Recv) {
TEST_F(P2PTestConductor, GetDtls12Recv) {
PeerConnectionFactory::Options init_options;
init_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_10;
PeerConnectionFactory::Options recv_options;
@ -1652,16 +1631,10 @@ TEST_F(P2PTestConductor, DISABLED_GetDtls12Recv) {
initializing_client()->pc()->RegisterUMAObserver(init_observer);
LocalP2PTest();
EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName(
rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)),
initializing_client()->GetDtlsCipherStats(),
kMaxWaitForStatsMs);
EXPECT_EQ(1, init_observer->GetEnumCounter(
webrtc::kEnumCounterAudioSslCipher,
rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)));
EXPECT_TRUE_WAIT(
rtc::SSLStreamAdapter::IsAcceptableCipher(
initializing_client()->GetDtlsCipherStats(), rtc::KT_DEFAULT),
kMaxWaitForStatsMs);
EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite),
initializing_client()->GetSrtpCipherStats(),
kMaxWaitForStatsMs);

166
webrtc/base/opensslstreamadapter.cc
View File

@ -147,51 +147,6 @@ static const SslCipherMapEntry kSslCipherMap[] = {
#pragma warning(disable : 4310)
#endif // defined(_MSC_VER)
// Default cipher used between OpenSSL/BoringSSL stream adapters.
// This needs to be updated when the default of the SSL library changes.
// static_cast<uint16_t> causes build warnings on windows platform.
static int kDefaultSslCipher10 =
static_cast<uint16_t>(TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA);
static int kDefaultSslEcCipher10 =
static_cast<uint16_t>(TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA);
#ifdef OPENSSL_IS_BORINGSSL
static int kDefaultSslCipher12 =
static_cast<uint16_t>(TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
static int kDefaultSslEcCipher12 =
static_cast<uint16_t>(TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
// Fallback cipher for DTLS 1.2 if hardware-accelerated AES-GCM is unavailable.
#ifdef TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
// This ciphersuite was added in boringssl 13414b3a..., changing the fallback
// ciphersuite. For compatibility during a transitional period, support old
// boringssl versions. TODO(torbjorng): Remove this.
static int kDefaultSslCipher12NoAesGcm =
static_cast<uint16_t>(TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
#else
static int kDefaultSslCipher12NoAesGcm =
static_cast<uint16_t>(TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD);
#endif
#ifdef TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
// This ciphersuite was added in boringssl 13414b3a..., changing the fallback
// ciphersuite. For compatibility during a transitional period, support old
// boringssl versions. TODO(torbjorng): Remove this.
static int kDefaultSslEcCipher12NoAesGcm =
static_cast<uint16_t>(TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256);
#else
static int kDefaultSslEcCipher12NoAesGcm =
static_cast<uint16_t>(TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD);
#endif
#else // !OPENSSL_IS_BORINGSSL
// OpenSSL sorts differently than BoringSSL, so the default cipher doesn't
// change between TLS 1.0 and TLS 1.2 with the current setup.
static int kDefaultSslCipher12 =
static_cast<uint16_t>(TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA);
static int kDefaultSslEcCipher12 =
static_cast<uint16_t>(TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA);
#endif // OPENSSL_IS_BORINGSSL
#if defined(_MSC_VER)
#pragma warning(pop)
#endif // defined(_MSC_VER)
@ -404,6 +359,28 @@ bool OpenSSLStreamAdapter::GetSslCipherSuite(int* cipher_suite) {
return true;
}
int OpenSSLStreamAdapter::GetSslVersion() const {
if (state_ != SSL_CONNECTED)
return -1;
int ssl_version = SSL_version(ssl_);
if (ssl_mode_ == SSL_MODE_DTLS) {
if (ssl_version == DTLS1_VERSION)
return SSL_PROTOCOL_DTLS_10;
else if (ssl_version == DTLS1_2_VERSION)
return SSL_PROTOCOL_DTLS_12;
} else {
if (ssl_version == TLS1_VERSION)
return SSL_PROTOCOL_TLS_10;
else if (ssl_version == TLS1_1_VERSION)
return SSL_PROTOCOL_TLS_11;
else if (ssl_version == TLS1_2_VERSION)
return SSL_PROTOCOL_TLS_12;
}
return -1;
}
// Key Extractor interface
bool OpenSSLStreamAdapter::ExportKeyingMaterial(const std::string& label,
const uint8_t* context,
@ -1147,46 +1124,71 @@ bool OpenSSLStreamAdapter::HaveExporter() {
#endif
}
int OpenSSLStreamAdapter::GetDefaultSslCipherForTest(SSLProtocolVersion version,
KeyType key_type) {
#define CDEF(X) \
{ static_cast<uint16_t>(TLS1_CK_##X & 0xffff), "TLS_" #X }
struct cipher_list {
uint16_t cipher;
const char* cipher_str;
};
// TODO(torbjorng): Perhaps add more cipher suites to these lists.
static const cipher_list OK_RSA_ciphers[] = {
CDEF(ECDHE_RSA_WITH_AES_128_CBC_SHA),
CDEF(ECDHE_RSA_WITH_AES_256_CBC_SHA),
CDEF(ECDHE_RSA_WITH_AES_128_GCM_SHA256),
#ifdef TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA256
CDEF(ECDHE_RSA_WITH_AES_256_GCM_SHA256),
#endif
CDEF(ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256),
};
static const cipher_list OK_ECDSA_ciphers[] = {
CDEF(ECDHE_ECDSA_WITH_AES_128_CBC_SHA),
CDEF(ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
CDEF(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
#ifdef TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256
CDEF(ECDHE_ECDSA_WITH_AES_256_GCM_SHA256),
#endif
CDEF(ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256),
};
#undef CDEF
bool OpenSSLStreamAdapter::IsAcceptableCipher(int cipher, KeyType key_type) {
if (key_type == KT_RSA) {
switch (version) {
case SSL_PROTOCOL_TLS_10:
case SSL_PROTOCOL_TLS_11:
return kDefaultSslCipher10;
case SSL_PROTOCOL_TLS_12:
default:
#ifdef OPENSSL_IS_BORINGSSL
if (EVP_has_aes_hardware()) {
return kDefaultSslCipher12;
} else {
return kDefaultSslCipher12NoAesGcm;
}
#else // !OPENSSL_IS_BORINGSSL
return kDefaultSslCipher12;
#endif
for (const cipher_list& c : OK_RSA_ciphers) {
if (cipher == c.cipher)
return true;
}
} else if (key_type == KT_ECDSA) {
switch (version) {
case SSL_PROTOCOL_TLS_10:
case SSL_PROTOCOL_TLS_11:
return kDefaultSslEcCipher10;
case SSL_PROTOCOL_TLS_12:
default:
#ifdef OPENSSL_IS_BORINGSSL
if (EVP_has_aes_hardware()) {
return kDefaultSslEcCipher12;
} else {
return kDefaultSslEcCipher12NoAesGcm;
}
#else // !OPENSSL_IS_BORINGSSL
return kDefaultSslEcCipher12;
#endif
}
} else {
RTC_NOTREACHED();
return kDefaultSslEcCipher12;
}
if (key_type == KT_ECDSA) {
for (const cipher_list& c : OK_ECDSA_ciphers) {
if (cipher == c.cipher)
return true;
}
}
return false;
}
bool OpenSSLStreamAdapter::IsAcceptableCipher(const std::string& cipher,
KeyType key_type) {
if (key_type == KT_RSA) {
for (const cipher_list& c : OK_RSA_ciphers) {
if (cipher == c.cipher_str)
return true;
}
}
if (key_type == KT_ECDSA) {
for (const cipher_list& c : OK_ECDSA_ciphers) {
if (cipher == c.cipher_str)
return true;
}
}
return false;
}
} // namespace rtc

7
webrtc/base/opensslstreamadapter.h
View File

@ -92,6 +92,8 @@ class OpenSSLStreamAdapter : public SSLStreamAdapter {
bool GetSslCipherSuite(int* cipher) override;
int GetSslVersion() const override;
// Key Extractor interface
bool ExportKeyingMaterial(const std::string& label,
const uint8_t* context,
@ -109,9 +111,8 @@ class OpenSSLStreamAdapter : public SSLStreamAdapter {
static bool HaveDtlsSrtp();
static bool HaveExporter();
// TODO(guoweis): Move this away from a static class method.
static int GetDefaultSslCipherForTest(SSLProtocolVersion version,
KeyType key_type);
static bool IsAcceptableCipher(int cipher, KeyType key_type);
static bool IsAcceptableCipher(const std::string& cipher, KeyType key_type);
protected:
void OnEvent(StreamInterface* stream, int events, int err) override;

10
webrtc/base/sslstreamadapter.cc
View File

@ -86,11 +86,13 @@ bool SSLStreamAdapter::HaveDtlsSrtp() {
bool SSLStreamAdapter::HaveExporter() {
return OpenSSLStreamAdapter::HaveExporter();
}
int SSLStreamAdapter::GetDefaultSslCipherForTest(SSLProtocolVersion version,
KeyType key_type) {
return OpenSSLStreamAdapter::GetDefaultSslCipherForTest(version, key_type);
bool SSLStreamAdapter::IsAcceptableCipher(int cipher, KeyType key_type) {
return OpenSSLStreamAdapter::IsAcceptableCipher(cipher, key_type);
}
bool SSLStreamAdapter::IsAcceptableCipher(const std::string& cipher,
KeyType key_type) {
return OpenSSLStreamAdapter::IsAcceptableCipher(cipher, key_type);
}
std::string SSLStreamAdapter::SslCipherSuiteToName(int cipher_suite) {
return OpenSSLStreamAdapter::SslCipherSuiteToName(cipher_suite);
}

11
webrtc/base/sslstreamadapter.h
View File

@ -161,6 +161,8 @@ class SSLStreamAdapter : public StreamAdapterInterface {
// connection (e.g. 0x2F for "TLS_RSA_WITH_AES_128_CBC_SHA").
virtual bool GetSslCipherSuite(int* cipher_suite);
virtual int GetSslVersion() const = 0;
// Key Exporter interface from RFC 5705
// Arguments are:
// label -- the exporter label.
@ -189,11 +191,10 @@ class SSLStreamAdapter : public StreamAdapterInterface {
static bool HaveDtlsSrtp();
static bool HaveExporter();
// Returns the default Ssl cipher used between streams of this class
// for the given protocol version. This is used by the unit tests.
// TODO(guoweis): Move this away from a static class method.
static int GetDefaultSslCipherForTest(SSLProtocolVersion version,
KeyType key_type);
// Returns true iff the supplied cipher is deemed to be strong.
// TODO(torbjorng): Consider removing the KeyType argument.
static bool IsAcceptableCipher(int cipher, KeyType key_type);
static bool IsAcceptableCipher(const std::string& cipher, KeyType key_type);
// TODO(guoweis): Move this away from a static class method. Currently this is
// introduced such that any caller could depend on sslstreamadapter.h without

52
webrtc/base/sslstreamadapter_unittest.cc
View File

@ -488,6 +488,13 @@ class SSLStreamAdapterTestBase : public testing::Test,
return server_ssl_->GetSslCipherSuite(retval);
}
int GetSslVersion(bool client) {
if (client)
return client_ssl_->GetSslVersion();
else
return server_ssl_->GetSslVersion();
}
bool ExportKeyingMaterial(const char *label,
const unsigned char *context,
size_t context_len,
@ -1066,8 +1073,7 @@ TEST_F(SSLStreamAdapterTestDTLSFromPEMStrings, TestDTLSGetPeerCertificate) {
// Test getting the used DTLS ciphers.
// DTLS 1.2 enabled for neither client nor server -> DTLS 1.0 will be used.
// Disabled due to new BoringSSLL version, see webrtc:5634
TEST_P(SSLStreamAdapterTestDTLS, DISABLED_TestGetSslCipherSuite) {
TEST_P(SSLStreamAdapterTestDTLS, TestGetSslCipherSuite) {
MAYBE_SKIP_TEST(HaveDtls);
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
TestHandshake();
@ -1077,11 +1083,12 @@ TEST_P(SSLStreamAdapterTestDTLS, DISABLED_TestGetSslCipherSuite) {
int server_cipher;
ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true));
ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false));
ASSERT_EQ(client_cipher, server_cipher);
ASSERT_EQ(
rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
rtc::SSL_PROTOCOL_DTLS_10, ::testing::get<1>(GetParam()).type()),
server_cipher);
ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher(
server_cipher, ::testing::get<1>(GetParam()).type()));
}
// Test getting the used DTLS 1.2 ciphers.
@ -1096,16 +1103,16 @@ TEST_P(SSLStreamAdapterTestDTLS, TestGetSslCipherSuiteDtls12Both) {
int server_cipher;
ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(true));
ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(false));
ASSERT_EQ(client_cipher, server_cipher);
ASSERT_EQ(
rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
rtc::SSL_PROTOCOL_DTLS_12, ::testing::get<1>(GetParam()).type()),
server_cipher);
ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher(
server_cipher, ::testing::get<1>(GetParam()).type()));
}
// DTLS 1.2 enabled for client only -> DTLS 1.0 will be used.
// Disabled due to new BoringSSLL version, see webrtc:5634
TEST_P(SSLStreamAdapterTestDTLS, DISABLED_TestGetSslCipherSuiteDtls12Client) {
TEST_P(SSLStreamAdapterTestDTLS, TestGetSslCipherSuiteDtls12Client) {
MAYBE_SKIP_TEST(HaveDtls);
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_12);
TestHandshake();
@ -1115,16 +1122,16 @@ TEST_P(SSLStreamAdapterTestDTLS, DISABLED_TestGetSslCipherSuiteDtls12Client) {
int server_cipher;
ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true));
ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false));
ASSERT_EQ(client_cipher, server_cipher);
ASSERT_EQ(
rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
rtc::SSL_PROTOCOL_DTLS_10, ::testing::get<1>(GetParam()).type()),
server_cipher);
ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher(
server_cipher, ::testing::get<1>(GetParam()).type()));
}
// DTLS 1.2 enabled for server only -> DTLS 1.0 will be used.
// Disabled due to new BoringSSLL version, see webrtc:5634
TEST_P(SSLStreamAdapterTestDTLS, DISABLED_TestGetSslCipherSuiteDtls12Server) {
TEST_P(SSLStreamAdapterTestDTLS, TestGetSslCipherSuiteDtls12Server) {
MAYBE_SKIP_TEST(HaveDtls);
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_10);
TestHandshake();
@ -1134,11 +1141,12 @@ TEST_P(SSLStreamAdapterTestDTLS, DISABLED_TestGetSslCipherSuiteDtls12Server) {
int server_cipher;
ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true));
ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false));
ASSERT_EQ(client_cipher, server_cipher);
ASSERT_EQ(
rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
rtc::SSL_PROTOCOL_DTLS_10, ::testing::get<1>(GetParam()).type()),
server_cipher);
ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher(
server_cipher, ::testing::get<1>(GetParam()).type()));
}
// The RSA keysizes here might look strange, why not include the RFC's size

23
webrtc/p2p/base/dtlstransportchannel_unittest.cc
View File

@ -229,16 +229,17 @@ class DtlsTestClient : public sigslot::has_slots<> {
}
}
void CheckSsl(int expected_cipher) {
void CheckSsl() {
for (std::vector<cricket::DtlsTransportChannelWrapper*>::iterator it =
channels_.begin(); it != channels_.end(); ++it) {
int cipher;
bool rv = (*it)->GetSslCipherSuite(&cipher);
if (negotiated_dtls_ && expected_cipher) {
if (negotiated_dtls_) {
ASSERT_TRUE(rv);
ASSERT_EQ(cipher, expected_cipher);
EXPECT_TRUE(
rtc::SSLStreamAdapter::IsAcceptableCipher(cipher, rtc::KT_DEFAULT));
} else {
ASSERT_FALSE(rv);
}
@ -473,10 +474,9 @@ class DtlsTransportChannelTest : public testing::Test {
client1_.CheckSrtp(rtc::SRTP_INVALID_CRYPTO_SUITE);
client2_.CheckSrtp(rtc::SRTP_INVALID_CRYPTO_SUITE);
}
client1_.CheckSsl(rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
ssl_expected_version_, rtc::KT_DEFAULT));
client2_.CheckSsl(rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
ssl_expected_version_, rtc::KT_DEFAULT));
client1_.CheckSsl();
client2_.CheckSsl();
return true;
}
@ -632,8 +632,7 @@ TEST_F(DtlsTransportChannelTest, TestTransferDtlsNotOffered) {
}
// Create two channels with DTLS 1.0 and check ciphers.
// Disabled due to new BoringSSLL version, see webrtc:5634
TEST_F(DtlsTransportChannelTest, DISABLED_TestDtls12None) {
TEST_F(DtlsTransportChannelTest, TestDtls12None) {
MAYBE_SKIP_TEST(HaveDtls);
SetChannelCount(2);
PrepareDtls(true, true, rtc::KT_DEFAULT);
@ -651,8 +650,7 @@ TEST_F(DtlsTransportChannelTest, TestDtls12Both) {
}
// Create two channels with DTLS 1.0 / DTLS 1.2 and check ciphers.
// Disabled due to new BoringSSLL version, see webrtc:5634
TEST_F(DtlsTransportChannelTest, DISABLED_TestDtls12Client1) {
TEST_F(DtlsTransportChannelTest, TestDtls12Client1) {
MAYBE_SKIP_TEST(HaveDtls);
SetChannelCount(2);
PrepareDtls(true, true, rtc::KT_DEFAULT);
@ -661,8 +659,7 @@ TEST_F(DtlsTransportChannelTest, DISABLED_TestDtls12Client1) {
}
// Create two channels with DTLS 1.2 / DTLS 1.0 and check ciphers.
// Disabled due to new BoringSSLL version, see webrtc:5634
TEST_F(DtlsTransportChannelTest, DISABLED_TestDtls12Client2) {
TEST_F(DtlsTransportChannelTest, TestDtls12Client2) {
MAYBE_SKIP_TEST(HaveDtls);
SetChannelCount(2);
PrepareDtls(true, true, rtc::KT_DEFAULT);