diff --git a/webrtc/api/peerconnection_unittest.cc b/webrtc/api/peerconnection_unittest.cc index 39bf608105..533b9dbc42 100644 --- a/webrtc/api/peerconnection_unittest.cc +++ b/webrtc/api/peerconnection_unittest.cc @@ -1542,8 +1542,7 @@ TEST_F(P2PTestConductor, GetBytesSentStats) { } // Test that DTLS 1.0 is used if both sides only support DTLS 1.0. -// Disabled due to new BoringSSLL version, see webrtc:5634 -TEST_F(P2PTestConductor, DISABLED_GetDtls12None) { +TEST_F(P2PTestConductor, GetDtls12None) { PeerConnectionFactory::Options init_options; init_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_10; PeerConnectionFactory::Options recv_options; @@ -1555,16 +1554,10 @@ TEST_F(P2PTestConductor, DISABLED_GetDtls12None) { initializing_client()->pc()->RegisterUMAObserver(init_observer); LocalP2PTest(); - EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName( - rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( - rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)), - initializing_client()->GetDtlsCipherStats(), - kMaxWaitForStatsMs); - EXPECT_EQ(1, init_observer->GetEnumCounter( - webrtc::kEnumCounterAudioSslCipher, - rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( - rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT))); - + EXPECT_TRUE_WAIT( + rtc::SSLStreamAdapter::IsAcceptableCipher( + initializing_client()->GetDtlsCipherStats(), rtc::KT_DEFAULT), + kMaxWaitForStatsMs); EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite), initializing_client()->GetSrtpCipherStats(), kMaxWaitForStatsMs); @@ -1586,16 +1579,10 @@ TEST_F(P2PTestConductor, GetDtls12Both) { initializing_client()->pc()->RegisterUMAObserver(init_observer); LocalP2PTest(); - EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName( - rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( - rtc::SSL_PROTOCOL_DTLS_12, rtc::KT_DEFAULT)), - initializing_client()->GetDtlsCipherStats(), - kMaxWaitForStatsMs); - EXPECT_EQ(1, init_observer->GetEnumCounter( - webrtc::kEnumCounterAudioSslCipher, - rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( - rtc::SSL_PROTOCOL_DTLS_12, rtc::KT_DEFAULT))); - + EXPECT_TRUE_WAIT( + rtc::SSLStreamAdapter::IsAcceptableCipher( + initializing_client()->GetDtlsCipherStats(), rtc::KT_DEFAULT), + kMaxWaitForStatsMs); EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite), initializing_client()->GetSrtpCipherStats(), kMaxWaitForStatsMs); @@ -1606,8 +1593,7 @@ TEST_F(P2PTestConductor, GetDtls12Both) { // Test that DTLS 1.0 is used if the initator supports DTLS 1.2 and the // received supports 1.0. -// Disabled due to new BoringSSLL version, see webrtc:5634 -TEST_F(P2PTestConductor, DISABLED_GetDtls12Init) { +TEST_F(P2PTestConductor, GetDtls12Init) { PeerConnectionFactory::Options init_options; init_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_12; PeerConnectionFactory::Options recv_options; @@ -1619,16 +1605,10 @@ TEST_F(P2PTestConductor, DISABLED_GetDtls12Init) { initializing_client()->pc()->RegisterUMAObserver(init_observer); LocalP2PTest(); - EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName( - rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( - rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)), - initializing_client()->GetDtlsCipherStats(), - kMaxWaitForStatsMs); - EXPECT_EQ(1, init_observer->GetEnumCounter( - webrtc::kEnumCounterAudioSslCipher, - rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( - rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT))); - + EXPECT_TRUE_WAIT( + rtc::SSLStreamAdapter::IsAcceptableCipher( + initializing_client()->GetDtlsCipherStats(), rtc::KT_DEFAULT), + kMaxWaitForStatsMs); EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite), initializing_client()->GetSrtpCipherStats(), kMaxWaitForStatsMs); @@ -1639,8 +1619,7 @@ TEST_F(P2PTestConductor, DISABLED_GetDtls12Init) { // Test that DTLS 1.0 is used if the initator supports DTLS 1.0 and the // received supports 1.2. -// Disabled due to new BoringSSLL version, see webrtc:5634 -TEST_F(P2PTestConductor, DISABLED_GetDtls12Recv) { +TEST_F(P2PTestConductor, GetDtls12Recv) { PeerConnectionFactory::Options init_options; init_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_10; PeerConnectionFactory::Options recv_options; @@ -1652,16 +1631,10 @@ TEST_F(P2PTestConductor, DISABLED_GetDtls12Recv) { initializing_client()->pc()->RegisterUMAObserver(init_observer); LocalP2PTest(); - EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName( - rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( - rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)), - initializing_client()->GetDtlsCipherStats(), - kMaxWaitForStatsMs); - EXPECT_EQ(1, init_observer->GetEnumCounter( - webrtc::kEnumCounterAudioSslCipher, - rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( - rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT))); - + EXPECT_TRUE_WAIT( + rtc::SSLStreamAdapter::IsAcceptableCipher( + initializing_client()->GetDtlsCipherStats(), rtc::KT_DEFAULT), + kMaxWaitForStatsMs); EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite), initializing_client()->GetSrtpCipherStats(), kMaxWaitForStatsMs); diff --git a/webrtc/base/opensslstreamadapter.cc b/webrtc/base/opensslstreamadapter.cc index b2afebb75b..3e911987e5 100644 --- a/webrtc/base/opensslstreamadapter.cc +++ b/webrtc/base/opensslstreamadapter.cc @@ -147,51 +147,6 @@ static const SslCipherMapEntry kSslCipherMap[] = { #pragma warning(disable : 4310) #endif // defined(_MSC_VER) -// Default cipher used between OpenSSL/BoringSSL stream adapters. -// This needs to be updated when the default of the SSL library changes. -// static_cast causes build warnings on windows platform. -static int kDefaultSslCipher10 = - static_cast(TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA); -static int kDefaultSslEcCipher10 = - static_cast(TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA); -#ifdef OPENSSL_IS_BORINGSSL -static int kDefaultSslCipher12 = - static_cast(TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256); -static int kDefaultSslEcCipher12 = - static_cast(TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256); -// Fallback cipher for DTLS 1.2 if hardware-accelerated AES-GCM is unavailable. - -#ifdef TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 -// This ciphersuite was added in boringssl 13414b3a..., changing the fallback -// ciphersuite. For compatibility during a transitional period, support old -// boringssl versions. TODO(torbjorng): Remove this. -static int kDefaultSslCipher12NoAesGcm = - static_cast(TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256); -#else -static int kDefaultSslCipher12NoAesGcm = - static_cast(TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD); -#endif - -#ifdef TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 -// This ciphersuite was added in boringssl 13414b3a..., changing the fallback -// ciphersuite. For compatibility during a transitional period, support old -// boringssl versions. TODO(torbjorng): Remove this. -static int kDefaultSslEcCipher12NoAesGcm = - static_cast(TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256); -#else -static int kDefaultSslEcCipher12NoAesGcm = - static_cast(TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD); -#endif - -#else // !OPENSSL_IS_BORINGSSL -// OpenSSL sorts differently than BoringSSL, so the default cipher doesn't -// change between TLS 1.0 and TLS 1.2 with the current setup. -static int kDefaultSslCipher12 = - static_cast(TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA); -static int kDefaultSslEcCipher12 = - static_cast(TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA); -#endif // OPENSSL_IS_BORINGSSL - #if defined(_MSC_VER) #pragma warning(pop) #endif // defined(_MSC_VER) @@ -404,6 +359,28 @@ bool OpenSSLStreamAdapter::GetSslCipherSuite(int* cipher_suite) { return true; } +int OpenSSLStreamAdapter::GetSslVersion() const { + if (state_ != SSL_CONNECTED) + return -1; + + int ssl_version = SSL_version(ssl_); + if (ssl_mode_ == SSL_MODE_DTLS) { + if (ssl_version == DTLS1_VERSION) + return SSL_PROTOCOL_DTLS_10; + else if (ssl_version == DTLS1_2_VERSION) + return SSL_PROTOCOL_DTLS_12; + } else { + if (ssl_version == TLS1_VERSION) + return SSL_PROTOCOL_TLS_10; + else if (ssl_version == TLS1_1_VERSION) + return SSL_PROTOCOL_TLS_11; + else if (ssl_version == TLS1_2_VERSION) + return SSL_PROTOCOL_TLS_12; + } + + return -1; +} + // Key Extractor interface bool OpenSSLStreamAdapter::ExportKeyingMaterial(const std::string& label, const uint8_t* context, @@ -1147,46 +1124,71 @@ bool OpenSSLStreamAdapter::HaveExporter() { #endif } -int OpenSSLStreamAdapter::GetDefaultSslCipherForTest(SSLProtocolVersion version, - KeyType key_type) { +#define CDEF(X) \ + { static_cast(TLS1_CK_##X & 0xffff), "TLS_" #X } + +struct cipher_list { + uint16_t cipher; + const char* cipher_str; +}; + +// TODO(torbjorng): Perhaps add more cipher suites to these lists. +static const cipher_list OK_RSA_ciphers[] = { + CDEF(ECDHE_RSA_WITH_AES_128_CBC_SHA), + CDEF(ECDHE_RSA_WITH_AES_256_CBC_SHA), + CDEF(ECDHE_RSA_WITH_AES_128_GCM_SHA256), +#ifdef TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA256 + CDEF(ECDHE_RSA_WITH_AES_256_GCM_SHA256), +#endif + CDEF(ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256), +}; + +static const cipher_list OK_ECDSA_ciphers[] = { + CDEF(ECDHE_ECDSA_WITH_AES_128_CBC_SHA), + CDEF(ECDHE_ECDSA_WITH_AES_256_CBC_SHA), + CDEF(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), +#ifdef TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256 + CDEF(ECDHE_ECDSA_WITH_AES_256_GCM_SHA256), +#endif + CDEF(ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256), +}; +#undef CDEF + +bool OpenSSLStreamAdapter::IsAcceptableCipher(int cipher, KeyType key_type) { if (key_type == KT_RSA) { - switch (version) { - case SSL_PROTOCOL_TLS_10: - case SSL_PROTOCOL_TLS_11: - return kDefaultSslCipher10; - case SSL_PROTOCOL_TLS_12: - default: -#ifdef OPENSSL_IS_BORINGSSL - if (EVP_has_aes_hardware()) { - return kDefaultSslCipher12; - } else { - return kDefaultSslCipher12NoAesGcm; - } -#else // !OPENSSL_IS_BORINGSSL - return kDefaultSslCipher12; -#endif + for (const cipher_list& c : OK_RSA_ciphers) { + if (cipher == c.cipher) + return true; } - } else if (key_type == KT_ECDSA) { - switch (version) { - case SSL_PROTOCOL_TLS_10: - case SSL_PROTOCOL_TLS_11: - return kDefaultSslEcCipher10; - case SSL_PROTOCOL_TLS_12: - default: -#ifdef OPENSSL_IS_BORINGSSL - if (EVP_has_aes_hardware()) { - return kDefaultSslEcCipher12; - } else { - return kDefaultSslEcCipher12NoAesGcm; - } -#else // !OPENSSL_IS_BORINGSSL - return kDefaultSslEcCipher12; -#endif - } - } else { - RTC_NOTREACHED(); - return kDefaultSslEcCipher12; } + + if (key_type == KT_ECDSA) { + for (const cipher_list& c : OK_ECDSA_ciphers) { + if (cipher == c.cipher) + return true; + } + } + + return false; +} + +bool OpenSSLStreamAdapter::IsAcceptableCipher(const std::string& cipher, + KeyType key_type) { + if (key_type == KT_RSA) { + for (const cipher_list& c : OK_RSA_ciphers) { + if (cipher == c.cipher_str) + return true; + } + } + + if (key_type == KT_ECDSA) { + for (const cipher_list& c : OK_ECDSA_ciphers) { + if (cipher == c.cipher_str) + return true; + } + } + + return false; } } // namespace rtc diff --git a/webrtc/base/opensslstreamadapter.h b/webrtc/base/opensslstreamadapter.h index e57b2a3293..231d059ca8 100644 --- a/webrtc/base/opensslstreamadapter.h +++ b/webrtc/base/opensslstreamadapter.h @@ -92,6 +92,8 @@ class OpenSSLStreamAdapter : public SSLStreamAdapter { bool GetSslCipherSuite(int* cipher) override; + int GetSslVersion() const override; + // Key Extractor interface bool ExportKeyingMaterial(const std::string& label, const uint8_t* context, @@ -109,9 +111,8 @@ class OpenSSLStreamAdapter : public SSLStreamAdapter { static bool HaveDtlsSrtp(); static bool HaveExporter(); - // TODO(guoweis): Move this away from a static class method. - static int GetDefaultSslCipherForTest(SSLProtocolVersion version, - KeyType key_type); + static bool IsAcceptableCipher(int cipher, KeyType key_type); + static bool IsAcceptableCipher(const std::string& cipher, KeyType key_type); protected: void OnEvent(StreamInterface* stream, int events, int err) override; diff --git a/webrtc/base/sslstreamadapter.cc b/webrtc/base/sslstreamadapter.cc index a2cff3e448..bcecc037ae 100644 --- a/webrtc/base/sslstreamadapter.cc +++ b/webrtc/base/sslstreamadapter.cc @@ -86,11 +86,13 @@ bool SSLStreamAdapter::HaveDtlsSrtp() { bool SSLStreamAdapter::HaveExporter() { return OpenSSLStreamAdapter::HaveExporter(); } -int SSLStreamAdapter::GetDefaultSslCipherForTest(SSLProtocolVersion version, - KeyType key_type) { - return OpenSSLStreamAdapter::GetDefaultSslCipherForTest(version, key_type); +bool SSLStreamAdapter::IsAcceptableCipher(int cipher, KeyType key_type) { + return OpenSSLStreamAdapter::IsAcceptableCipher(cipher, key_type); +} +bool SSLStreamAdapter::IsAcceptableCipher(const std::string& cipher, + KeyType key_type) { + return OpenSSLStreamAdapter::IsAcceptableCipher(cipher, key_type); } - std::string SSLStreamAdapter::SslCipherSuiteToName(int cipher_suite) { return OpenSSLStreamAdapter::SslCipherSuiteToName(cipher_suite); } diff --git a/webrtc/base/sslstreamadapter.h b/webrtc/base/sslstreamadapter.h index c57056b14a..a50f674e32 100644 --- a/webrtc/base/sslstreamadapter.h +++ b/webrtc/base/sslstreamadapter.h @@ -161,6 +161,8 @@ class SSLStreamAdapter : public StreamAdapterInterface { // connection (e.g. 0x2F for "TLS_RSA_WITH_AES_128_CBC_SHA"). virtual bool GetSslCipherSuite(int* cipher_suite); + virtual int GetSslVersion() const = 0; + // Key Exporter interface from RFC 5705 // Arguments are: // label -- the exporter label. @@ -189,11 +191,10 @@ class SSLStreamAdapter : public StreamAdapterInterface { static bool HaveDtlsSrtp(); static bool HaveExporter(); - // Returns the default Ssl cipher used between streams of this class - // for the given protocol version. This is used by the unit tests. - // TODO(guoweis): Move this away from a static class method. - static int GetDefaultSslCipherForTest(SSLProtocolVersion version, - KeyType key_type); + // Returns true iff the supplied cipher is deemed to be strong. + // TODO(torbjorng): Consider removing the KeyType argument. + static bool IsAcceptableCipher(int cipher, KeyType key_type); + static bool IsAcceptableCipher(const std::string& cipher, KeyType key_type); // TODO(guoweis): Move this away from a static class method. Currently this is // introduced such that any caller could depend on sslstreamadapter.h without diff --git a/webrtc/base/sslstreamadapter_unittest.cc b/webrtc/base/sslstreamadapter_unittest.cc index afb1337124..2eaa475391 100644 --- a/webrtc/base/sslstreamadapter_unittest.cc +++ b/webrtc/base/sslstreamadapter_unittest.cc @@ -488,6 +488,13 @@ class SSLStreamAdapterTestBase : public testing::Test, return server_ssl_->GetSslCipherSuite(retval); } + int GetSslVersion(bool client) { + if (client) + return client_ssl_->GetSslVersion(); + else + return server_ssl_->GetSslVersion(); + } + bool ExportKeyingMaterial(const char *label, const unsigned char *context, size_t context_len, @@ -1066,8 +1073,7 @@ TEST_F(SSLStreamAdapterTestDTLSFromPEMStrings, TestDTLSGetPeerCertificate) { // Test getting the used DTLS ciphers. // DTLS 1.2 enabled for neither client nor server -> DTLS 1.0 will be used. -// Disabled due to new BoringSSLL version, see webrtc:5634 -TEST_P(SSLStreamAdapterTestDTLS, DISABLED_TestGetSslCipherSuite) { +TEST_P(SSLStreamAdapterTestDTLS, TestGetSslCipherSuite) { MAYBE_SKIP_TEST(HaveDtls); SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10); TestHandshake(); @@ -1077,11 +1083,12 @@ TEST_P(SSLStreamAdapterTestDTLS, DISABLED_TestGetSslCipherSuite) { int server_cipher; ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher)); + ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true)); + ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false)); + ASSERT_EQ(client_cipher, server_cipher); - ASSERT_EQ( - rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( - rtc::SSL_PROTOCOL_DTLS_10, ::testing::get<1>(GetParam()).type()), - server_cipher); + ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher( + server_cipher, ::testing::get<1>(GetParam()).type())); } // Test getting the used DTLS 1.2 ciphers. @@ -1096,16 +1103,16 @@ TEST_P(SSLStreamAdapterTestDTLS, TestGetSslCipherSuiteDtls12Both) { int server_cipher; ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher)); + ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(true)); + ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(false)); + ASSERT_EQ(client_cipher, server_cipher); - ASSERT_EQ( - rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( - rtc::SSL_PROTOCOL_DTLS_12, ::testing::get<1>(GetParam()).type()), - server_cipher); + ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher( + server_cipher, ::testing::get<1>(GetParam()).type())); } // DTLS 1.2 enabled for client only -> DTLS 1.0 will be used. -// Disabled due to new BoringSSLL version, see webrtc:5634 -TEST_P(SSLStreamAdapterTestDTLS, DISABLED_TestGetSslCipherSuiteDtls12Client) { +TEST_P(SSLStreamAdapterTestDTLS, TestGetSslCipherSuiteDtls12Client) { MAYBE_SKIP_TEST(HaveDtls); SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_12); TestHandshake(); @@ -1115,16 +1122,16 @@ TEST_P(SSLStreamAdapterTestDTLS, DISABLED_TestGetSslCipherSuiteDtls12Client) { int server_cipher; ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher)); + ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true)); + ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false)); + ASSERT_EQ(client_cipher, server_cipher); - ASSERT_EQ( - rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( - rtc::SSL_PROTOCOL_DTLS_10, ::testing::get<1>(GetParam()).type()), - server_cipher); + ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher( + server_cipher, ::testing::get<1>(GetParam()).type())); } // DTLS 1.2 enabled for server only -> DTLS 1.0 will be used. -// Disabled due to new BoringSSLL version, see webrtc:5634 -TEST_P(SSLStreamAdapterTestDTLS, DISABLED_TestGetSslCipherSuiteDtls12Server) { +TEST_P(SSLStreamAdapterTestDTLS, TestGetSslCipherSuiteDtls12Server) { MAYBE_SKIP_TEST(HaveDtls); SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_10); TestHandshake(); @@ -1134,11 +1141,12 @@ TEST_P(SSLStreamAdapterTestDTLS, DISABLED_TestGetSslCipherSuiteDtls12Server) { int server_cipher; ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher)); + ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true)); + ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false)); + ASSERT_EQ(client_cipher, server_cipher); - ASSERT_EQ( - rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( - rtc::SSL_PROTOCOL_DTLS_10, ::testing::get<1>(GetParam()).type()), - server_cipher); + ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher( + server_cipher, ::testing::get<1>(GetParam()).type())); } // The RSA keysizes here might look strange, why not include the RFC's size diff --git a/webrtc/p2p/base/dtlstransportchannel_unittest.cc b/webrtc/p2p/base/dtlstransportchannel_unittest.cc index 2abcf8ad5e..18b355ffd4 100644 --- a/webrtc/p2p/base/dtlstransportchannel_unittest.cc +++ b/webrtc/p2p/base/dtlstransportchannel_unittest.cc @@ -229,16 +229,17 @@ class DtlsTestClient : public sigslot::has_slots<> { } } - void CheckSsl(int expected_cipher) { + void CheckSsl() { for (std::vector::iterator it = channels_.begin(); it != channels_.end(); ++it) { int cipher; bool rv = (*it)->GetSslCipherSuite(&cipher); - if (negotiated_dtls_ && expected_cipher) { + if (negotiated_dtls_) { ASSERT_TRUE(rv); - ASSERT_EQ(cipher, expected_cipher); + EXPECT_TRUE( + rtc::SSLStreamAdapter::IsAcceptableCipher(cipher, rtc::KT_DEFAULT)); } else { ASSERT_FALSE(rv); } @@ -473,10 +474,9 @@ class DtlsTransportChannelTest : public testing::Test { client1_.CheckSrtp(rtc::SRTP_INVALID_CRYPTO_SUITE); client2_.CheckSrtp(rtc::SRTP_INVALID_CRYPTO_SUITE); } - client1_.CheckSsl(rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( - ssl_expected_version_, rtc::KT_DEFAULT)); - client2_.CheckSsl(rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( - ssl_expected_version_, rtc::KT_DEFAULT)); + + client1_.CheckSsl(); + client2_.CheckSsl(); return true; } @@ -632,8 +632,7 @@ TEST_F(DtlsTransportChannelTest, TestTransferDtlsNotOffered) { } // Create two channels with DTLS 1.0 and check ciphers. -// Disabled due to new BoringSSLL version, see webrtc:5634 -TEST_F(DtlsTransportChannelTest, DISABLED_TestDtls12None) { +TEST_F(DtlsTransportChannelTest, TestDtls12None) { MAYBE_SKIP_TEST(HaveDtls); SetChannelCount(2); PrepareDtls(true, true, rtc::KT_DEFAULT); @@ -651,8 +650,7 @@ TEST_F(DtlsTransportChannelTest, TestDtls12Both) { } // Create two channels with DTLS 1.0 / DTLS 1.2 and check ciphers. -// Disabled due to new BoringSSLL version, see webrtc:5634 -TEST_F(DtlsTransportChannelTest, DISABLED_TestDtls12Client1) { +TEST_F(DtlsTransportChannelTest, TestDtls12Client1) { MAYBE_SKIP_TEST(HaveDtls); SetChannelCount(2); PrepareDtls(true, true, rtc::KT_DEFAULT); @@ -661,8 +659,7 @@ TEST_F(DtlsTransportChannelTest, DISABLED_TestDtls12Client1) { } // Create two channels with DTLS 1.2 / DTLS 1.0 and check ciphers. -// Disabled due to new BoringSSLL version, see webrtc:5634 -TEST_F(DtlsTransportChannelTest, DISABLED_TestDtls12Client2) { +TEST_F(DtlsTransportChannelTest, TestDtls12Client2) { MAYBE_SKIP_TEST(HaveDtls); SetChannelCount(2); PrepareDtls(true, true, rtc::KT_DEFAULT);