admin/webrtc_m130
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TLS: update SSLStreamAdapter and SSLIdentity tests to various hashes for certificates

Browse Source 
since OpenSSL 3.x deprecated SHA1 there and SHA256 has been the default
in Chrome for a decade. Test all variants with a reduced test suite.

BUG=webrtc:42225468

Change-Id: I728bfd953c3248d6a7804c55ab71009fcc701a45
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/358820
Commit-Queue: Philipp Hancke <phancke@meta.com>
Reviewed-by: Harald Alvestrand <hta@webrtc.org>
Reviewed-by: Florent Castelli <orphis@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#42765}
This commit is contained in:
Philipp Hancke 2024-08-08 15:38:39 -07:00 committed by WebRTC LUCI CQ
parent c2a82417e9
commit b16d828895
2 changed files with 152 additions and 106 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
rtc_base/ssl_identity_unittest.cc
View File

@ -10,6 +10,8 @@
#include "rtc_base/ssl_identity.h"
#include <openssl/evp.h>
#include <openssl/sha.h>
#include <string.h>
#include <memory>
@ -340,41 +342,45 @@ class SSLIdentityTest : public ::testing::Test {
};
TEST_F(SSLIdentityTest, FixedDigestSHA1) {
TestDigestForFixedCert(rtc::DIGEST_SHA_1, 20, kTestCertSha1);
TestDigestForFixedCert(rtc::DIGEST_SHA_1, SHA_DIGEST_LENGTH, kTestCertSha1);
}
// HASH_AlgSHA224 is not supported in the chromium linux build.
TEST_F(SSLIdentityTest, FixedDigestSHA224) {
TestDigestForFixedCert(rtc::DIGEST_SHA_224, 28, kTestCertSha224);
TestDigestForFixedCert(rtc::DIGEST_SHA_224, SHA224_DIGEST_LENGTH,
kTestCertSha224);
}
TEST_F(SSLIdentityTest, FixedDigestSHA256) {
TestDigestForFixedCert(rtc::DIGEST_SHA_256, 32, kTestCertSha256);
TestDigestForFixedCert(rtc::DIGEST_SHA_256, SHA256_DIGEST_LENGTH,
kTestCertSha256);
}
TEST_F(SSLIdentityTest, FixedDigestSHA384) {
TestDigestForFixedCert(rtc::DIGEST_SHA_384, 48, kTestCertSha384);
TestDigestForFixedCert(rtc::DIGEST_SHA_384, SHA384_DIGEST_LENGTH,
kTestCertSha384);
}
TEST_F(SSLIdentityTest, FixedDigestSHA512) {
TestDigestForFixedCert(rtc::DIGEST_SHA_512, 64, kTestCertSha512);
TestDigestForFixedCert(rtc::DIGEST_SHA_512, SHA512_DIGEST_LENGTH,
kTestCertSha512);
}
// HASH_AlgSHA224 is not supported in the chromium linux build.
TEST_F(SSLIdentityTest, DigestSHA224) {
TestDigestForGeneratedCert(rtc::DIGEST_SHA_224, 28);
TestDigestForGeneratedCert(rtc::DIGEST_SHA_224, SHA224_DIGEST_LENGTH);
}
TEST_F(SSLIdentityTest, DigestSHA256) {
TestDigestForGeneratedCert(rtc::DIGEST_SHA_256, 32);
TestDigestForGeneratedCert(rtc::DIGEST_SHA_256, SHA256_DIGEST_LENGTH);
}
TEST_F(SSLIdentityTest, DigestSHA384) {
TestDigestForGeneratedCert(rtc::DIGEST_SHA_384, 48);
TestDigestForGeneratedCert(rtc::DIGEST_SHA_384, SHA384_DIGEST_LENGTH);
}
TEST_F(SSLIdentityTest, DigestSHA512) {
TestDigestForGeneratedCert(rtc::DIGEST_SHA_512, 64);
TestDigestForGeneratedCert(rtc::DIGEST_SHA_512, SHA512_DIGEST_LENGTH);
}
TEST_F(SSLIdentityTest, IdentityComparison) {
@ -566,7 +572,7 @@ class SSLIdentityExpirationTest : public ::testing::Test {
// clang-format off
};
unsigned char buf[20];
unsigned char buf[EVP_MAX_MD_SIZE];
// Run all examples and check for the expected result.
for (const auto& entry : data) {

232
rtc_base/ssl_stream_adapter_unittest.cc
View File

@ -10,6 +10,9 @@
#include "rtc_base/ssl_stream_adapter.h"
#include <openssl/evp.h>
#include <openssl/sha.h>
#include <cstddef>
#include <cstdint>
#include <cstring>
@ -375,11 +378,15 @@ class SSLStreamAdapterTestBase : public ::testing::Test,
absl::string_view client_private_key_pem,
bool dtls,
rtc::KeyParams client_key_type = rtc::KeyParams(rtc::KT_DEFAULT),
rtc::KeyParams server_key_type = rtc::KeyParams(rtc::KT_DEFAULT))
rtc::KeyParams server_key_type = rtc::KeyParams(rtc::KT_DEFAULT),
std::pair<std::string, size_t> digest =
std::make_pair(rtc::DIGEST_SHA_256, SHA256_DIGEST_LENGTH))
: client_cert_pem_(client_cert_pem),
client_private_key_pem_(client_private_key_pem),
client_key_type_(client_key_type),
server_key_type_(server_key_type),
digest_algorithm_(digest.first),
digest_length_(digest.second),
delay_(0),
mtu_(1460),
loss_(0),
@ -474,9 +481,9 @@ class SSLStreamAdapterTestBase : public ::testing::Test,
}
void SetPeerIdentitiesByDigest(bool correct, bool expect_success) {
unsigned char server_digest[20];
unsigned char server_digest[EVP_MAX_MD_SIZE];
size_t server_digest_len;
unsigned char client_digest[20];
unsigned char client_digest[EVP_MAX_MD_SIZE];
size_t client_digest_len;
bool rv;
rtc::SSLPeerCertificateDigestError err;
@ -488,17 +495,17 @@ class SSLStreamAdapterTestBase : public ::testing::Test,
RTC_LOG(LS_INFO) << "Setting peer identities by digest";
rv = server_identity()->certificate().ComputeDigest(
rtc::DIGEST_SHA_1, server_digest, 20, &server_digest_len);
digest_algorithm_, server_digest, digest_length_, &server_digest_len);
ASSERT_TRUE(rv);
rv = client_identity()->certificate().ComputeDigest(
rtc::DIGEST_SHA_1, client_digest, 20, &client_digest_len);
digest_algorithm_, client_digest, digest_length_, &client_digest_len);
ASSERT_TRUE(rv);
if (!correct) {
RTC_LOG(LS_INFO) << "Setting bogus digest for server cert";
server_digest[0]++;
}
rv = client_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, server_digest,
rv = client_ssl_->SetPeerCertificateDigest(digest_algorithm_, server_digest,
server_digest_len, &err);
EXPECT_EQ(expected_err, err);
EXPECT_EQ(expect_success, rv);
@ -507,7 +514,7 @@ class SSLStreamAdapterTestBase : public ::testing::Test,
RTC_LOG(LS_INFO) << "Setting bogus digest for client cert";
client_digest[0]++;
}
rv = server_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, client_digest,
rv = server_ssl_->SetPeerCertificateDigest(digest_algorithm_, client_digest,
client_digest_len, &err);
EXPECT_EQ(expected_err, err);
EXPECT_EQ(expect_success, rv);
@ -632,20 +639,20 @@ class SSLStreamAdapterTestBase : public ::testing::Test,
// Collect both of the certificate digests; needs to be done before calling
// SetPeerCertificateDigest as that may reset the identity.
unsigned char server_digest[20];
unsigned char server_digest[EVP_MAX_MD_SIZE];
size_t server_digest_len;
unsigned char client_digest[20];
unsigned char client_digest[EVP_MAX_MD_SIZE];
size_t client_digest_len;
bool rv;
ASSERT_THAT(server_identity(), NotNull());
rv = server_identity()->certificate().ComputeDigest(
rtc::DIGEST_SHA_1, server_digest, 20, &server_digest_len);
digest_algorithm_, server_digest, digest_length_, &server_digest_len);
ASSERT_TRUE(rv);
ASSERT_THAT(client_identity(), NotNull());
rv = client_identity()->certificate().ComputeDigest(
rtc::DIGEST_SHA_1, client_digest, 20, &client_digest_len);
digest_algorithm_, client_digest, digest_length_, &client_digest_len);
ASSERT_TRUE(rv);
if (!valid_identity) {
@ -660,7 +667,7 @@ class SSLStreamAdapterTestBase : public ::testing::Test,
valid_identity
? rtc::SSLPeerCertificateDigestError::NONE
: rtc::SSLPeerCertificateDigestError::VERIFICATION_FAILED;
rv = client_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, server_digest,
rv = client_ssl_->SetPeerCertificateDigest(digest_algorithm_, server_digest,
server_digest_len, &err);
EXPECT_EQ(expected_err, err);
EXPECT_EQ(valid_identity, rv);
@ -679,7 +686,7 @@ class SSLStreamAdapterTestBase : public ::testing::Test,
}
// Set the peer certificate digest for the server.
rv = server_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, client_digest,
rv = server_ssl_->SetPeerCertificateDigest(digest_algorithm_, client_digest,
client_digest_len, &err);
EXPECT_EQ(expected_err, err);
EXPECT_EQ(valid_identity, rv);
@ -838,6 +845,8 @@ class SSLStreamAdapterTestBase : public ::testing::Test,
std::string client_private_key_pem_;
rtc::KeyParams client_key_type_;
rtc::KeyParams server_key_type_;
std::string digest_algorithm_;
size_t digest_length_;
std::unique_ptr<rtc::SSLStreamAdapter> client_ssl_;
std::unique_ptr<rtc::SSLStreamAdapter> server_ssl_;
int delay_;
@ -852,8 +861,10 @@ class SSLStreamAdapterTestBase : public ::testing::Test,
class SSLStreamAdapterTestDTLSBase : public SSLStreamAdapterTestBase {
public:
SSLStreamAdapterTestDTLSBase(rtc::KeyParams param1, rtc::KeyParams param2)
: SSLStreamAdapterTestBase("", "", true, param1, param2),
SSLStreamAdapterTestDTLSBase(rtc::KeyParams param1,
rtc::KeyParams param2,
std::pair<std::string, size_t> digest)
: SSLStreamAdapterTestBase("", "", true, param1, param2, digest),
packet_size_(1000),
count_(0),
sent_(0) {}
@ -974,19 +985,6 @@ class SSLStreamAdapterTestDTLSBase : public SSLStreamAdapterTestBase {
std::set<int> received_;
};
class SSLStreamAdapterTestDTLS
: public SSLStreamAdapterTestDTLSBase,
public WithParamInterface<tuple<rtc::KeyParams, rtc::KeyParams>> {
public:
SSLStreamAdapterTestDTLS()
: SSLStreamAdapterTestDTLSBase(::testing::get<0>(GetParam()),
::testing::get<1>(GetParam())) {}
SSLStreamAdapterTestDTLS(absl::string_view cert_pem,
absl::string_view private_key_pem)
: SSLStreamAdapterTestDTLSBase(cert_pem, private_key_pem) {}
};
rtc::StreamResult SSLDummyStream::Write(rtc::ArrayView<const uint8_t> data,
size_t& written,
int& error) {
@ -1005,19 +1003,18 @@ rtc::StreamResult SSLDummyStream::Write(rtc::ArrayView<const uint8_t> data,
error);
}
class SSLStreamAdapterTestDTLSFromPEMStrings : public SSLStreamAdapterTestDTLS {
public:
SSLStreamAdapterTestDTLSFromPEMStrings()
: SSLStreamAdapterTestDTLS(kCERT_PEM, kRSA_PRIVATE_KEY_PEM) {}
};
// Test fixture for certificate chaining. Server will push more than one
// certificate.
class SSLStreamAdapterTestDTLSCertChain : public SSLStreamAdapterTestDTLS {
// certificate. Note: these tests use RSA keys and SHA1 digests.
class SSLStreamAdapterTestDTLSCertChain : public SSLStreamAdapterTestDTLSBase {
public:
SSLStreamAdapterTestDTLSCertChain() : SSLStreamAdapterTestDTLS("", "") {}
SSLStreamAdapterTestDTLSCertChain() : SSLStreamAdapterTestDTLSBase("", "") {}
void SetUp() override {
InitializeClientAndServerStreams();
// These tests apparently need a longer DTLS timeout due to the larger
// handshake. If the client triggers a resend before the handshake is
// complete, the handshake fails.
client_ssl_->SetInitialRetransmissionTimeout(/*timeout_ms=*/1000);
server_ssl_->SetInitialRetransmissionTimeout(/*timeout_ms=*/1000);
std::unique_ptr<rtc::SSLIdentity> client_identity;
if (!client_cert_pem_.empty() && !client_private_key_pem_.empty()) {
@ -1081,22 +1078,86 @@ TEST_F(SSLStreamAdapterTestDTLSCertChain, ThreeCertHandshake) {
#endif
}
// Basic tests: DTLS
// Test that we can make a handshake work
TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnect) {
class SSLStreamAdapterTestDTLSHandshake
: public SSLStreamAdapterTestDTLSBase,
public WithParamInterface<tuple<rtc::KeyParams,
rtc::KeyParams,
std::pair<std::string, size_t>>> {
public:
SSLStreamAdapterTestDTLSHandshake()
: SSLStreamAdapterTestDTLSBase(::testing::get<0>(GetParam()),
::testing::get<1>(GetParam()),
::testing::get<2>(GetParam())) {}
};
// Test that we can make a handshake work with different parameters.
TEST_P(SSLStreamAdapterTestDTLSHandshake, TestDTLSConnect) {
TestHandshake();
}
// Test getting the used DTLS ciphers.
// DTLS 1.2 is max version for client and server.
TEST_P(SSLStreamAdapterTestDTLSHandshake, TestGetSslCipherSuite) {
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12);
TestHandshake();
int client_cipher;
ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
int server_cipher;
ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
ASSERT_EQ(client_cipher, server_cipher);
ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher(
server_cipher, ::testing::get<1>(GetParam()).type()));
}
// The RSA keysizes here might look strange, why not include the RFC's size
// 2048?. The reason is test case slowness; testing two sizes to exercise
// parametrization is sufficient.
// Test different key sizes with SHA-256, then different signature algorithms
// with ECDSA.
INSTANTIATE_TEST_SUITE_P(
SSLStreamAdapterTestDTLSHandshakeKeyParameters,
SSLStreamAdapterTestDTLSHandshake,
Combine(Values(rtc::KeyParams::RSA(1024, 65537),
rtc::KeyParams::RSA(1152, 65537),
rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)),
Values(rtc::KeyParams::RSA(1024, 65537),
rtc::KeyParams::RSA(1152, 65537),
rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)),
Values(std::make_pair(rtc::DIGEST_SHA_256, SHA256_DIGEST_LENGTH))));
INSTANTIATE_TEST_SUITE_P(
SSLStreamAdapterTestDTLSHandshakeSignatureAlgorithms,
SSLStreamAdapterTestDTLSHandshake,
Combine(Values(rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)),
Values(rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)),
Values(std::make_pair(rtc::DIGEST_SHA_1, SHA_DIGEST_LENGTH),
std::make_pair(rtc::DIGEST_SHA_224, SHA224_DIGEST_LENGTH),
std::make_pair(rtc::DIGEST_SHA_256, SHA256_DIGEST_LENGTH),
std::make_pair(rtc::DIGEST_SHA_384, SHA384_DIGEST_LENGTH),
std::make_pair(rtc::DIGEST_SHA_512, SHA512_DIGEST_LENGTH))));
// Basic tests done with ECDSA certificates and SHA-256.
class SSLStreamAdapterTestDTLS : public SSLStreamAdapterTestDTLSBase {
public:
SSLStreamAdapterTestDTLS()
: SSLStreamAdapterTestDTLSBase(
rtc::KeyParams::ECDSA(rtc::EC_NIST_P256),
rtc::KeyParams::ECDSA(rtc::EC_NIST_P256),
std::make_pair(rtc::DIGEST_SHA_256, SHA256_DIGEST_LENGTH)) {}
};
// Test that we can make a handshake work if the first packet in
// each direction is lost. This gives us predictable loss
// rather than having to tune random
TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnectWithLostFirstPacket) {
TEST_F(SSLStreamAdapterTestDTLS, TestDTLSConnectWithLostFirstPacket) {
SetLoseFirstPacket(true);
TestHandshake();
}
// Test a handshake with loss and delay
TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnectWithLostFirstPacketDelay2s) {
TEST_F(SSLStreamAdapterTestDTLS, TestDTLSConnectWithLostFirstPacketDelay2s) {
SetLoseFirstPacket(true);
SetDelay(2000);
SetHandshakeWait(20000);
@ -1105,47 +1166,47 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnectWithLostFirstPacketDelay2s) {
// Test a handshake with small MTU
// Disabled due to https://code.google.com/p/webrtc/issues/detail?id=3910
TEST_P(SSLStreamAdapterTestDTLS, DISABLED_TestDTLSConnectWithSmallMtu) {
TEST_F(SSLStreamAdapterTestDTLS, DISABLED_TestDTLSConnectWithSmallMtu) {
SetMtu(700);
SetHandshakeWait(20000);
TestHandshake();
}
// Test a handshake with total loss and timing out.
TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnectTimeout) {
TEST_F(SSLStreamAdapterTestDTLS, TestDTLSConnectTimeout) {
SetLoss(100);
TestHandshakeTimeout();
}
// Test transfer -- trivial
TEST_P(SSLStreamAdapterTestDTLS, TestDTLSTransfer) {
TEST_F(SSLStreamAdapterTestDTLS, TestDTLSTransfer) {
TestHandshake();
TestTransfer(100);
}
TEST_P(SSLStreamAdapterTestDTLS, TestDTLSTransferWithLoss) {
TEST_F(SSLStreamAdapterTestDTLS, TestDTLSTransferWithLoss) {
TestHandshake();
SetLoss(10);
TestTransfer(100);
}
TEST_P(SSLStreamAdapterTestDTLS, TestDTLSTransferWithDamage) {
TEST_F(SSLStreamAdapterTestDTLS, TestDTLSTransferWithDamage) {
SetDamage(); // Must be called first because first packet
// write happens at end of handshake.
TestHandshake();
TestTransfer(100);
}
TEST_P(SSLStreamAdapterTestDTLS, TestDTLSDelayedIdentity) {
TEST_F(SSLStreamAdapterTestDTLS, TestDTLSDelayedIdentity) {
TestHandshakeWithDelayedIdentity(true);
}
TEST_P(SSLStreamAdapterTestDTLS, TestDTLSDelayedIdentityWithBogusDigest) {
TEST_F(SSLStreamAdapterTestDTLS, TestDTLSDelayedIdentityWithBogusDigest) {
TestHandshakeWithDelayedIdentity(false);
}
// Test DTLS-SRTP with SrtpAes128CmSha1_80
TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpAes128CmSha1_80) {
TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpAes128CmSha1_80) {
const std::vector<int> crypto_suites = {rtc::kSrtpAes128CmSha1_80};
SetDtlsSrtpCryptoSuites(crypto_suites, true);
SetDtlsSrtpCryptoSuites(crypto_suites, false);
@ -1161,7 +1222,7 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpAes128CmSha1_80) {
}
// Test DTLS-SRTP with SrtpAes128CmSha1_32
TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpAes128CmSha1_32) {
TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpAes128CmSha1_32) {
const std::vector<int> crypto_suites = {rtc::kSrtpAes128CmSha1_32};
SetDtlsSrtpCryptoSuites(crypto_suites, true);
SetDtlsSrtpCryptoSuites(crypto_suites, false);
@ -1177,7 +1238,7 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpAes128CmSha1_32) {
}
// Test DTLS-SRTP with incompatible cipher suites -- should not converge.
TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpIncompatibleCipherSuites) {
TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpIncompatibleCipherSuites) {
SetDtlsSrtpCryptoSuites({rtc::kSrtpAes128CmSha1_80}, true);
SetDtlsSrtpCryptoSuites({rtc::kSrtpAes128CmSha1_32}, false);
TestHandshake();
@ -1190,7 +1251,7 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpIncompatibleCipherSuites) {
// Test DTLS-SRTP with each side being mixed -- should select the stronger
// cipher.
TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpMixed) {
TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpMixed) {
const std::vector<int> crypto_suites = {rtc::kSrtpAes128CmSha1_80,
rtc::kSrtpAes128CmSha1_32};
SetDtlsSrtpCryptoSuites(crypto_suites, true);
@ -1207,7 +1268,7 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpMixed) {
}
// Test DTLS-SRTP with SrtpAeadAes128Gcm.
TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpAeadAes128Gcm) {
TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpAeadAes128Gcm) {
std::vector<int> crypto_suites = {rtc::kSrtpAeadAes128Gcm};
SetDtlsSrtpCryptoSuites(crypto_suites, true);
SetDtlsSrtpCryptoSuites(crypto_suites, false);
@ -1223,7 +1284,7 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpAeadAes128Gcm) {
}
// Test DTLS-SRTP with all GCM-256 ciphers.
TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpGCM256) {
TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpGCM256) {
std::vector<int> crypto_suites = {rtc::kSrtpAeadAes256Gcm};
SetDtlsSrtpCryptoSuites(crypto_suites, true);
SetDtlsSrtpCryptoSuites(crypto_suites, false);
@ -1239,7 +1300,7 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpGCM256) {
}
// Test DTLS-SRTP with incompatbile GCM-128/-256 ciphers -- should not converge.
TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpIncompatibleGcmCipherSuites) {
TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpIncompatibleGcmCipherSuites) {
SetDtlsSrtpCryptoSuites({rtc::kSrtpAeadAes128Gcm}, true);
SetDtlsSrtpCryptoSuites({rtc::kSrtpAeadAes256Gcm}, false);
TestHandshake();
@ -1251,7 +1312,7 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpIncompatibleGcmCipherSuites) {
}
// Test DTLS-SRTP with both GCM-128/-256 ciphers -- should select GCM-256.
TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpGCMMixed) {
TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpGCMMixed) {
std::vector<int> crypto_suites = {rtc::kSrtpAeadAes256Gcm,
rtc::kSrtpAeadAes128Gcm};
SetDtlsSrtpCryptoSuites(crypto_suites, true);
@ -1268,7 +1329,7 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpGCMMixed) {
}
// Test SRTP cipher suite lengths.
TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpKeyAndSaltLengths) {
TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpKeyAndSaltLengths) {
int key_len;
int salt_len;
@ -1297,10 +1358,10 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpKeyAndSaltLengths) {
}
// Test an exporter
TEST_P(SSLStreamAdapterTestDTLS, TestDTLSExporter) {
TEST_F(SSLStreamAdapterTestDTLS, TestDTLSExporter) {
TestHandshake();
unsigned char client_out[20];
unsigned char server_out[20];
unsigned char client_out[EVP_MAX_MD_SIZE];
unsigned char server_out[EVP_MAX_MD_SIZE];
bool result;
result = ExportKeyingMaterial(kExporterLabel, kExporterContext,
@ -1317,7 +1378,7 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSExporter) {
}
// Test not yet valid certificates are not rejected.
TEST_P(SSLStreamAdapterTestDTLS, TestCertNotYetValid) {
TEST_F(SSLStreamAdapterTestDTLS, TestCertNotYetValid) {
long one_day = 60 * 60 * 24;
// Make the certificates not valid until one day later.
ResetIdentitiesWithValidity(one_day, one_day);
@ -1325,13 +1386,20 @@ TEST_P(SSLStreamAdapterTestDTLS, TestCertNotYetValid) {
}
// Test expired certificates are not rejected.
TEST_P(SSLStreamAdapterTestDTLS, TestCertExpired) {
TEST_F(SSLStreamAdapterTestDTLS, TestCertExpired) {
long one_day = 60 * 60 * 24;
// Make the certificates already expired.
ResetIdentitiesWithValidity(-one_day, -one_day);
TestHandshake();
}
class SSLStreamAdapterTestDTLSFromPEMStrings
: public SSLStreamAdapterTestDTLSBase {
public:
SSLStreamAdapterTestDTLSFromPEMStrings()
: SSLStreamAdapterTestDTLSBase(kCERT_PEM, kRSA_PRIVATE_KEY_PEM) {}
};
// Test data transfer using certs created from strings.
TEST_F(SSLStreamAdapterTestDTLSFromPEMStrings, TestTransfer) {
TestHandshake();
@ -1365,7 +1433,7 @@ TEST_F(SSLStreamAdapterTestDTLSFromPEMStrings, TestDTLSGetPeerCertificate) {
}
// Test getting the DTLS 1.2 version.
TEST_P(SSLStreamAdapterTestDTLS, TestGetSslVersionBytes) {
TEST_F(SSLStreamAdapterTestDTLS, TestGetSslVersionBytes) {
// https://datatracker.ietf.org/doc/html/rfc9147#section-5.3
const int kDtls1_2 = 0xFEFD;
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12);
@ -1380,35 +1448,6 @@ TEST_P(SSLStreamAdapterTestDTLS, TestGetSslVersionBytes) {
EXPECT_EQ(server_version, kDtls1_2);
}
// Test getting the used DTLS ciphers.
// DTLS 1.2 is max version for client and server.
TEST_P(SSLStreamAdapterTestDTLS, TestGetSslCipherSuite) {
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12);
TestHandshake();
int client_cipher;
ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
int server_cipher;
ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
ASSERT_EQ(client_cipher, server_cipher);
ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher(
server_cipher, ::testing::get<1>(GetParam()).type()));
}
// The RSA keysizes here might look strange, why not include the RFC's size
// 2048?. The reason is test case slowness; testing two sizes to exercise
// parametrization is sufficient.
INSTANTIATE_TEST_SUITE_P(
SSLStreamAdapterTestsDTLS,
SSLStreamAdapterTestDTLS,
Combine(Values(rtc::KeyParams::RSA(1024, 65537),
rtc::KeyParams::RSA(1152, 65537),
rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)),
Values(rtc::KeyParams::RSA(1024, 65537),
rtc::KeyParams::RSA(1152, 65537),
rtc::KeyParams::ECDSA(rtc::EC_NIST_P256))));
// Tests for enabling the (D)TLS extension permutation which randomizes the
// order of extensions in the client hello.
// These tests are a no-op under OpenSSL.
@ -1417,9 +1456,10 @@ class SSLStreamAdapterTestDTLSExtensionPermutation
: public SSLStreamAdapterTestDTLSBase {
public:
SSLStreamAdapterTestDTLSExtensionPermutation()
: SSLStreamAdapterTestDTLSBase(rtc::KeyParams::ECDSA(rtc::EC_NIST_P256),
rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)) {
}
: SSLStreamAdapterTestDTLSBase(
rtc::KeyParams::ECDSA(rtc::EC_NIST_P256),
rtc::KeyParams::ECDSA(rtc::EC_NIST_P256),
std::make_pair(rtc::DIGEST_SHA_256, SHA256_DIGEST_LENGTH)) {}
void Initialize(absl::string_view client_experiment,
absl::string_view server_experiment) {