From aac19d31369cbeffc8d952be40a538ba08eca36d Mon Sep 17 00:00:00 2001 From: Joachim Reiersen Date: Tue, 9 May 2023 13:05:54 +0300 Subject: [PATCH] Fix SSLStreamAdapterTestDTLSCertChain when building with OpenSSL These tests were failing when building WebRTC against OpenSSL instead of BoringSSL. The reason is that OpenSSLStreamAdapter::SSLVerifyCallback in the BoringSSL mode returns the full cert_chain by calling SSL_get0_peer_certificates. This API does not exist in OpenSSL, instead only a single certificate is fetched via X509_STORE_CTX_get0_cert. ifdef out the parts of the test that assert on cert[1] and cert[2]. An alternative but more involved way to fix these tests could be to use X509_STORE_CTX_get1_chain to fetch the full chain on the OpenSSL path. Bug: webrtc:15153 Change-Id: I1ede6a3c5a63d4afd2de849f5e44fcd67592aa3c Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/304400 Reviewed-by: Harald Alvestrand Reviewed-by: Mirko Bonadei Commit-Queue: Mirko Bonadei Cr-Commit-Position: refs/heads/main@{#40022} --- rtc_base/ssl_stream_adapter_unittest.cc | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/rtc_base/ssl_stream_adapter_unittest.cc b/rtc_base/ssl_stream_adapter_unittest.cc index fb909e7ea1..8417314a3a 100644 --- a/rtc_base/ssl_stream_adapter_unittest.cc +++ b/rtc_base/ssl_stream_adapter_unittest.cc @@ -1123,9 +1123,13 @@ TEST_F(SSLStreamAdapterTestDTLSCertChain, TwoCertHandshake) { std::unique_ptr peer_cert_chain = client_ssl_->GetPeerSSLCertChain(); ASSERT_NE(nullptr, peer_cert_chain); - ASSERT_EQ(2u, peer_cert_chain->GetSize()); EXPECT_EQ(kCERT_PEM, peer_cert_chain->Get(0).ToPEMString()); + // TODO(bugs.webrtc.org/15153): Fix peer_cert_chain to return multiple + // certificates under OpenSSL. Today it only works with BoringSSL. +#ifdef OPENSSL_IS_BORINGSSL + ASSERT_EQ(2u, peer_cert_chain->GetSize()); EXPECT_EQ(kCACert, peer_cert_chain->Get(1).ToPEMString()); +#endif } TEST_F(SSLStreamAdapterTestDTLSCertChain, TwoCertHandshakeWithCopy) { @@ -1135,9 +1139,13 @@ TEST_F(SSLStreamAdapterTestDTLSCertChain, TwoCertHandshakeWithCopy) { std::unique_ptr peer_cert_chain = client_ssl_->GetPeerSSLCertChain(); ASSERT_NE(nullptr, peer_cert_chain); - ASSERT_EQ(2u, peer_cert_chain->GetSize()); EXPECT_EQ(kCERT_PEM, peer_cert_chain->Get(0).ToPEMString()); + // TODO(bugs.webrtc.org/15153): Fix peer_cert_chain to return multiple + // certificates under OpenSSL. Today it only works with BoringSSL. +#ifdef OPENSSL_IS_BORINGSSL + ASSERT_EQ(2u, peer_cert_chain->GetSize()); EXPECT_EQ(kCACert, peer_cert_chain->Get(1).ToPEMString()); +#endif } TEST_F(SSLStreamAdapterTestDTLSCertChain, ThreeCertHandshake) { @@ -1147,10 +1155,14 @@ TEST_F(SSLStreamAdapterTestDTLSCertChain, ThreeCertHandshake) { std::unique_ptr peer_cert_chain = client_ssl_->GetPeerSSLCertChain(); ASSERT_NE(nullptr, peer_cert_chain); - ASSERT_EQ(3u, peer_cert_chain->GetSize()); EXPECT_EQ(kCERT_PEM, peer_cert_chain->Get(0).ToPEMString()); + // TODO(bugs.webrtc.org/15153): Fix peer_cert_chain to return multiple + // certificates under OpenSSL. Today it only works with BoringSSL. +#ifdef OPENSSL_IS_BORINGSSL + ASSERT_EQ(3u, peer_cert_chain->GetSize()); EXPECT_EQ(kIntCert1, peer_cert_chain->Get(1).ToPEMString()); EXPECT_EQ(kCACert, peer_cert_chain->Get(2).ToPEMString()); +#endif } // Test that closing the connection on one side updates the other side.