diff --git a/rtc_base/ssl_identity_unittest.cc b/rtc_base/ssl_identity_unittest.cc index 11fff7f31e..9c3c8cc3be 100644 --- a/rtc_base/ssl_identity_unittest.cc +++ b/rtc_base/ssl_identity_unittest.cc @@ -10,6 +10,8 @@ #include "rtc_base/ssl_identity.h" +#include +#include #include #include @@ -340,41 +342,45 @@ class SSLIdentityTest : public ::testing::Test { }; TEST_F(SSLIdentityTest, FixedDigestSHA1) { - TestDigestForFixedCert(rtc::DIGEST_SHA_1, 20, kTestCertSha1); + TestDigestForFixedCert(rtc::DIGEST_SHA_1, SHA_DIGEST_LENGTH, kTestCertSha1); } // HASH_AlgSHA224 is not supported in the chromium linux build. TEST_F(SSLIdentityTest, FixedDigestSHA224) { - TestDigestForFixedCert(rtc::DIGEST_SHA_224, 28, kTestCertSha224); + TestDigestForFixedCert(rtc::DIGEST_SHA_224, SHA224_DIGEST_LENGTH, + kTestCertSha224); } TEST_F(SSLIdentityTest, FixedDigestSHA256) { - TestDigestForFixedCert(rtc::DIGEST_SHA_256, 32, kTestCertSha256); + TestDigestForFixedCert(rtc::DIGEST_SHA_256, SHA256_DIGEST_LENGTH, + kTestCertSha256); } TEST_F(SSLIdentityTest, FixedDigestSHA384) { - TestDigestForFixedCert(rtc::DIGEST_SHA_384, 48, kTestCertSha384); + TestDigestForFixedCert(rtc::DIGEST_SHA_384, SHA384_DIGEST_LENGTH, + kTestCertSha384); } TEST_F(SSLIdentityTest, FixedDigestSHA512) { - TestDigestForFixedCert(rtc::DIGEST_SHA_512, 64, kTestCertSha512); + TestDigestForFixedCert(rtc::DIGEST_SHA_512, SHA512_DIGEST_LENGTH, + kTestCertSha512); } // HASH_AlgSHA224 is not supported in the chromium linux build. TEST_F(SSLIdentityTest, DigestSHA224) { - TestDigestForGeneratedCert(rtc::DIGEST_SHA_224, 28); + TestDigestForGeneratedCert(rtc::DIGEST_SHA_224, SHA224_DIGEST_LENGTH); } TEST_F(SSLIdentityTest, DigestSHA256) { - TestDigestForGeneratedCert(rtc::DIGEST_SHA_256, 32); + TestDigestForGeneratedCert(rtc::DIGEST_SHA_256, SHA256_DIGEST_LENGTH); } TEST_F(SSLIdentityTest, DigestSHA384) { - TestDigestForGeneratedCert(rtc::DIGEST_SHA_384, 48); + TestDigestForGeneratedCert(rtc::DIGEST_SHA_384, SHA384_DIGEST_LENGTH); } TEST_F(SSLIdentityTest, DigestSHA512) { - TestDigestForGeneratedCert(rtc::DIGEST_SHA_512, 64); + TestDigestForGeneratedCert(rtc::DIGEST_SHA_512, SHA512_DIGEST_LENGTH); } TEST_F(SSLIdentityTest, IdentityComparison) { @@ -566,7 +572,7 @@ class SSLIdentityExpirationTest : public ::testing::Test { // clang-format off }; - unsigned char buf[20]; + unsigned char buf[EVP_MAX_MD_SIZE]; // Run all examples and check for the expected result. for (const auto& entry : data) { diff --git a/rtc_base/ssl_stream_adapter_unittest.cc b/rtc_base/ssl_stream_adapter_unittest.cc index 588b8b153a..1e45a57b4d 100644 --- a/rtc_base/ssl_stream_adapter_unittest.cc +++ b/rtc_base/ssl_stream_adapter_unittest.cc @@ -10,6 +10,9 @@ #include "rtc_base/ssl_stream_adapter.h" +#include +#include + #include #include #include @@ -375,11 +378,15 @@ class SSLStreamAdapterTestBase : public ::testing::Test, absl::string_view client_private_key_pem, bool dtls, rtc::KeyParams client_key_type = rtc::KeyParams(rtc::KT_DEFAULT), - rtc::KeyParams server_key_type = rtc::KeyParams(rtc::KT_DEFAULT)) + rtc::KeyParams server_key_type = rtc::KeyParams(rtc::KT_DEFAULT), + std::pair digest = + std::make_pair(rtc::DIGEST_SHA_256, SHA256_DIGEST_LENGTH)) : client_cert_pem_(client_cert_pem), client_private_key_pem_(client_private_key_pem), client_key_type_(client_key_type), server_key_type_(server_key_type), + digest_algorithm_(digest.first), + digest_length_(digest.second), delay_(0), mtu_(1460), loss_(0), @@ -474,9 +481,9 @@ class SSLStreamAdapterTestBase : public ::testing::Test, } void SetPeerIdentitiesByDigest(bool correct, bool expect_success) { - unsigned char server_digest[20]; + unsigned char server_digest[EVP_MAX_MD_SIZE]; size_t server_digest_len; - unsigned char client_digest[20]; + unsigned char client_digest[EVP_MAX_MD_SIZE]; size_t client_digest_len; bool rv; rtc::SSLPeerCertificateDigestError err; @@ -488,17 +495,17 @@ class SSLStreamAdapterTestBase : public ::testing::Test, RTC_LOG(LS_INFO) << "Setting peer identities by digest"; rv = server_identity()->certificate().ComputeDigest( - rtc::DIGEST_SHA_1, server_digest, 20, &server_digest_len); + digest_algorithm_, server_digest, digest_length_, &server_digest_len); ASSERT_TRUE(rv); rv = client_identity()->certificate().ComputeDigest( - rtc::DIGEST_SHA_1, client_digest, 20, &client_digest_len); + digest_algorithm_, client_digest, digest_length_, &client_digest_len); ASSERT_TRUE(rv); if (!correct) { RTC_LOG(LS_INFO) << "Setting bogus digest for server cert"; server_digest[0]++; } - rv = client_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, server_digest, + rv = client_ssl_->SetPeerCertificateDigest(digest_algorithm_, server_digest, server_digest_len, &err); EXPECT_EQ(expected_err, err); EXPECT_EQ(expect_success, rv); @@ -507,7 +514,7 @@ class SSLStreamAdapterTestBase : public ::testing::Test, RTC_LOG(LS_INFO) << "Setting bogus digest for client cert"; client_digest[0]++; } - rv = server_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, client_digest, + rv = server_ssl_->SetPeerCertificateDigest(digest_algorithm_, client_digest, client_digest_len, &err); EXPECT_EQ(expected_err, err); EXPECT_EQ(expect_success, rv); @@ -632,20 +639,20 @@ class SSLStreamAdapterTestBase : public ::testing::Test, // Collect both of the certificate digests; needs to be done before calling // SetPeerCertificateDigest as that may reset the identity. - unsigned char server_digest[20]; + unsigned char server_digest[EVP_MAX_MD_SIZE]; size_t server_digest_len; - unsigned char client_digest[20]; + unsigned char client_digest[EVP_MAX_MD_SIZE]; size_t client_digest_len; bool rv; ASSERT_THAT(server_identity(), NotNull()); rv = server_identity()->certificate().ComputeDigest( - rtc::DIGEST_SHA_1, server_digest, 20, &server_digest_len); + digest_algorithm_, server_digest, digest_length_, &server_digest_len); ASSERT_TRUE(rv); ASSERT_THAT(client_identity(), NotNull()); rv = client_identity()->certificate().ComputeDigest( - rtc::DIGEST_SHA_1, client_digest, 20, &client_digest_len); + digest_algorithm_, client_digest, digest_length_, &client_digest_len); ASSERT_TRUE(rv); if (!valid_identity) { @@ -660,7 +667,7 @@ class SSLStreamAdapterTestBase : public ::testing::Test, valid_identity ? rtc::SSLPeerCertificateDigestError::NONE : rtc::SSLPeerCertificateDigestError::VERIFICATION_FAILED; - rv = client_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, server_digest, + rv = client_ssl_->SetPeerCertificateDigest(digest_algorithm_, server_digest, server_digest_len, &err); EXPECT_EQ(expected_err, err); EXPECT_EQ(valid_identity, rv); @@ -679,7 +686,7 @@ class SSLStreamAdapterTestBase : public ::testing::Test, } // Set the peer certificate digest for the server. - rv = server_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, client_digest, + rv = server_ssl_->SetPeerCertificateDigest(digest_algorithm_, client_digest, client_digest_len, &err); EXPECT_EQ(expected_err, err); EXPECT_EQ(valid_identity, rv); @@ -838,6 +845,8 @@ class SSLStreamAdapterTestBase : public ::testing::Test, std::string client_private_key_pem_; rtc::KeyParams client_key_type_; rtc::KeyParams server_key_type_; + std::string digest_algorithm_; + size_t digest_length_; std::unique_ptr client_ssl_; std::unique_ptr server_ssl_; int delay_; @@ -852,8 +861,10 @@ class SSLStreamAdapterTestBase : public ::testing::Test, class SSLStreamAdapterTestDTLSBase : public SSLStreamAdapterTestBase { public: - SSLStreamAdapterTestDTLSBase(rtc::KeyParams param1, rtc::KeyParams param2) - : SSLStreamAdapterTestBase("", "", true, param1, param2), + SSLStreamAdapterTestDTLSBase(rtc::KeyParams param1, + rtc::KeyParams param2, + std::pair digest) + : SSLStreamAdapterTestBase("", "", true, param1, param2, digest), packet_size_(1000), count_(0), sent_(0) {} @@ -974,19 +985,6 @@ class SSLStreamAdapterTestDTLSBase : public SSLStreamAdapterTestBase { std::set received_; }; -class SSLStreamAdapterTestDTLS - : public SSLStreamAdapterTestDTLSBase, - public WithParamInterface> { - public: - SSLStreamAdapterTestDTLS() - : SSLStreamAdapterTestDTLSBase(::testing::get<0>(GetParam()), - ::testing::get<1>(GetParam())) {} - - SSLStreamAdapterTestDTLS(absl::string_view cert_pem, - absl::string_view private_key_pem) - : SSLStreamAdapterTestDTLSBase(cert_pem, private_key_pem) {} -}; - rtc::StreamResult SSLDummyStream::Write(rtc::ArrayView data, size_t& written, int& error) { @@ -1005,19 +1003,18 @@ rtc::StreamResult SSLDummyStream::Write(rtc::ArrayView data, error); } -class SSLStreamAdapterTestDTLSFromPEMStrings : public SSLStreamAdapterTestDTLS { - public: - SSLStreamAdapterTestDTLSFromPEMStrings() - : SSLStreamAdapterTestDTLS(kCERT_PEM, kRSA_PRIVATE_KEY_PEM) {} -}; - // Test fixture for certificate chaining. Server will push more than one -// certificate. -class SSLStreamAdapterTestDTLSCertChain : public SSLStreamAdapterTestDTLS { +// certificate. Note: these tests use RSA keys and SHA1 digests. +class SSLStreamAdapterTestDTLSCertChain : public SSLStreamAdapterTestDTLSBase { public: - SSLStreamAdapterTestDTLSCertChain() : SSLStreamAdapterTestDTLS("", "") {} + SSLStreamAdapterTestDTLSCertChain() : SSLStreamAdapterTestDTLSBase("", "") {} void SetUp() override { InitializeClientAndServerStreams(); + // These tests apparently need a longer DTLS timeout due to the larger + // handshake. If the client triggers a resend before the handshake is + // complete, the handshake fails. + client_ssl_->SetInitialRetransmissionTimeout(/*timeout_ms=*/1000); + server_ssl_->SetInitialRetransmissionTimeout(/*timeout_ms=*/1000); std::unique_ptr client_identity; if (!client_cert_pem_.empty() && !client_private_key_pem_.empty()) { @@ -1081,22 +1078,86 @@ TEST_F(SSLStreamAdapterTestDTLSCertChain, ThreeCertHandshake) { #endif } -// Basic tests: DTLS -// Test that we can make a handshake work -TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnect) { +class SSLStreamAdapterTestDTLSHandshake + : public SSLStreamAdapterTestDTLSBase, + public WithParamInterface>> { + public: + SSLStreamAdapterTestDTLSHandshake() + : SSLStreamAdapterTestDTLSBase(::testing::get<0>(GetParam()), + ::testing::get<1>(GetParam()), + ::testing::get<2>(GetParam())) {} +}; + +// Test that we can make a handshake work with different parameters. +TEST_P(SSLStreamAdapterTestDTLSHandshake, TestDTLSConnect) { TestHandshake(); } +// Test getting the used DTLS ciphers. +// DTLS 1.2 is max version for client and server. +TEST_P(SSLStreamAdapterTestDTLSHandshake, TestGetSslCipherSuite) { + SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12); + TestHandshake(); + + int client_cipher; + ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher)); + int server_cipher; + ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher)); + + ASSERT_EQ(client_cipher, server_cipher); + ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher( + server_cipher, ::testing::get<1>(GetParam()).type())); +} + +// The RSA keysizes here might look strange, why not include the RFC's size +// 2048?. The reason is test case slowness; testing two sizes to exercise +// parametrization is sufficient. +// Test different key sizes with SHA-256, then different signature algorithms +// with ECDSA. +INSTANTIATE_TEST_SUITE_P( + SSLStreamAdapterTestDTLSHandshakeKeyParameters, + SSLStreamAdapterTestDTLSHandshake, + Combine(Values(rtc::KeyParams::RSA(1024, 65537), + rtc::KeyParams::RSA(1152, 65537), + rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)), + Values(rtc::KeyParams::RSA(1024, 65537), + rtc::KeyParams::RSA(1152, 65537), + rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)), + Values(std::make_pair(rtc::DIGEST_SHA_256, SHA256_DIGEST_LENGTH)))); + +INSTANTIATE_TEST_SUITE_P( + SSLStreamAdapterTestDTLSHandshakeSignatureAlgorithms, + SSLStreamAdapterTestDTLSHandshake, + Combine(Values(rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)), + Values(rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)), + Values(std::make_pair(rtc::DIGEST_SHA_1, SHA_DIGEST_LENGTH), + std::make_pair(rtc::DIGEST_SHA_224, SHA224_DIGEST_LENGTH), + std::make_pair(rtc::DIGEST_SHA_256, SHA256_DIGEST_LENGTH), + std::make_pair(rtc::DIGEST_SHA_384, SHA384_DIGEST_LENGTH), + std::make_pair(rtc::DIGEST_SHA_512, SHA512_DIGEST_LENGTH)))); + +// Basic tests done with ECDSA certificates and SHA-256. +class SSLStreamAdapterTestDTLS : public SSLStreamAdapterTestDTLSBase { + public: + SSLStreamAdapterTestDTLS() + : SSLStreamAdapterTestDTLSBase( + rtc::KeyParams::ECDSA(rtc::EC_NIST_P256), + rtc::KeyParams::ECDSA(rtc::EC_NIST_P256), + std::make_pair(rtc::DIGEST_SHA_256, SHA256_DIGEST_LENGTH)) {} +}; + // Test that we can make a handshake work if the first packet in // each direction is lost. This gives us predictable loss // rather than having to tune random -TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnectWithLostFirstPacket) { +TEST_F(SSLStreamAdapterTestDTLS, TestDTLSConnectWithLostFirstPacket) { SetLoseFirstPacket(true); TestHandshake(); } // Test a handshake with loss and delay -TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnectWithLostFirstPacketDelay2s) { +TEST_F(SSLStreamAdapterTestDTLS, TestDTLSConnectWithLostFirstPacketDelay2s) { SetLoseFirstPacket(true); SetDelay(2000); SetHandshakeWait(20000); @@ -1105,47 +1166,47 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnectWithLostFirstPacketDelay2s) { // Test a handshake with small MTU // Disabled due to https://code.google.com/p/webrtc/issues/detail?id=3910 -TEST_P(SSLStreamAdapterTestDTLS, DISABLED_TestDTLSConnectWithSmallMtu) { +TEST_F(SSLStreamAdapterTestDTLS, DISABLED_TestDTLSConnectWithSmallMtu) { SetMtu(700); SetHandshakeWait(20000); TestHandshake(); } // Test a handshake with total loss and timing out. -TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnectTimeout) { +TEST_F(SSLStreamAdapterTestDTLS, TestDTLSConnectTimeout) { SetLoss(100); TestHandshakeTimeout(); } // Test transfer -- trivial -TEST_P(SSLStreamAdapterTestDTLS, TestDTLSTransfer) { +TEST_F(SSLStreamAdapterTestDTLS, TestDTLSTransfer) { TestHandshake(); TestTransfer(100); } -TEST_P(SSLStreamAdapterTestDTLS, TestDTLSTransferWithLoss) { +TEST_F(SSLStreamAdapterTestDTLS, TestDTLSTransferWithLoss) { TestHandshake(); SetLoss(10); TestTransfer(100); } -TEST_P(SSLStreamAdapterTestDTLS, TestDTLSTransferWithDamage) { +TEST_F(SSLStreamAdapterTestDTLS, TestDTLSTransferWithDamage) { SetDamage(); // Must be called first because first packet // write happens at end of handshake. TestHandshake(); TestTransfer(100); } -TEST_P(SSLStreamAdapterTestDTLS, TestDTLSDelayedIdentity) { +TEST_F(SSLStreamAdapterTestDTLS, TestDTLSDelayedIdentity) { TestHandshakeWithDelayedIdentity(true); } -TEST_P(SSLStreamAdapterTestDTLS, TestDTLSDelayedIdentityWithBogusDigest) { +TEST_F(SSLStreamAdapterTestDTLS, TestDTLSDelayedIdentityWithBogusDigest) { TestHandshakeWithDelayedIdentity(false); } // Test DTLS-SRTP with SrtpAes128CmSha1_80 -TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpAes128CmSha1_80) { +TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpAes128CmSha1_80) { const std::vector crypto_suites = {rtc::kSrtpAes128CmSha1_80}; SetDtlsSrtpCryptoSuites(crypto_suites, true); SetDtlsSrtpCryptoSuites(crypto_suites, false); @@ -1161,7 +1222,7 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpAes128CmSha1_80) { } // Test DTLS-SRTP with SrtpAes128CmSha1_32 -TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpAes128CmSha1_32) { +TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpAes128CmSha1_32) { const std::vector crypto_suites = {rtc::kSrtpAes128CmSha1_32}; SetDtlsSrtpCryptoSuites(crypto_suites, true); SetDtlsSrtpCryptoSuites(crypto_suites, false); @@ -1177,7 +1238,7 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpAes128CmSha1_32) { } // Test DTLS-SRTP with incompatible cipher suites -- should not converge. -TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpIncompatibleCipherSuites) { +TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpIncompatibleCipherSuites) { SetDtlsSrtpCryptoSuites({rtc::kSrtpAes128CmSha1_80}, true); SetDtlsSrtpCryptoSuites({rtc::kSrtpAes128CmSha1_32}, false); TestHandshake(); @@ -1190,7 +1251,7 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpIncompatibleCipherSuites) { // Test DTLS-SRTP with each side being mixed -- should select the stronger // cipher. -TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpMixed) { +TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpMixed) { const std::vector crypto_suites = {rtc::kSrtpAes128CmSha1_80, rtc::kSrtpAes128CmSha1_32}; SetDtlsSrtpCryptoSuites(crypto_suites, true); @@ -1207,7 +1268,7 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpMixed) { } // Test DTLS-SRTP with SrtpAeadAes128Gcm. -TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpAeadAes128Gcm) { +TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpAeadAes128Gcm) { std::vector crypto_suites = {rtc::kSrtpAeadAes128Gcm}; SetDtlsSrtpCryptoSuites(crypto_suites, true); SetDtlsSrtpCryptoSuites(crypto_suites, false); @@ -1223,7 +1284,7 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpAeadAes128Gcm) { } // Test DTLS-SRTP with all GCM-256 ciphers. -TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpGCM256) { +TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpGCM256) { std::vector crypto_suites = {rtc::kSrtpAeadAes256Gcm}; SetDtlsSrtpCryptoSuites(crypto_suites, true); SetDtlsSrtpCryptoSuites(crypto_suites, false); @@ -1239,7 +1300,7 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpGCM256) { } // Test DTLS-SRTP with incompatbile GCM-128/-256 ciphers -- should not converge. -TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpIncompatibleGcmCipherSuites) { +TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpIncompatibleGcmCipherSuites) { SetDtlsSrtpCryptoSuites({rtc::kSrtpAeadAes128Gcm}, true); SetDtlsSrtpCryptoSuites({rtc::kSrtpAeadAes256Gcm}, false); TestHandshake(); @@ -1251,7 +1312,7 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpIncompatibleGcmCipherSuites) { } // Test DTLS-SRTP with both GCM-128/-256 ciphers -- should select GCM-256. -TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpGCMMixed) { +TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpGCMMixed) { std::vector crypto_suites = {rtc::kSrtpAeadAes256Gcm, rtc::kSrtpAeadAes128Gcm}; SetDtlsSrtpCryptoSuites(crypto_suites, true); @@ -1268,7 +1329,7 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpGCMMixed) { } // Test SRTP cipher suite lengths. -TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpKeyAndSaltLengths) { +TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpKeyAndSaltLengths) { int key_len; int salt_len; @@ -1297,10 +1358,10 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpKeyAndSaltLengths) { } // Test an exporter -TEST_P(SSLStreamAdapterTestDTLS, TestDTLSExporter) { +TEST_F(SSLStreamAdapterTestDTLS, TestDTLSExporter) { TestHandshake(); - unsigned char client_out[20]; - unsigned char server_out[20]; + unsigned char client_out[EVP_MAX_MD_SIZE]; + unsigned char server_out[EVP_MAX_MD_SIZE]; bool result; result = ExportKeyingMaterial(kExporterLabel, kExporterContext, @@ -1317,7 +1378,7 @@ TEST_P(SSLStreamAdapterTestDTLS, TestDTLSExporter) { } // Test not yet valid certificates are not rejected. -TEST_P(SSLStreamAdapterTestDTLS, TestCertNotYetValid) { +TEST_F(SSLStreamAdapterTestDTLS, TestCertNotYetValid) { long one_day = 60 * 60 * 24; // Make the certificates not valid until one day later. ResetIdentitiesWithValidity(one_day, one_day); @@ -1325,13 +1386,20 @@ TEST_P(SSLStreamAdapterTestDTLS, TestCertNotYetValid) { } // Test expired certificates are not rejected. -TEST_P(SSLStreamAdapterTestDTLS, TestCertExpired) { +TEST_F(SSLStreamAdapterTestDTLS, TestCertExpired) { long one_day = 60 * 60 * 24; // Make the certificates already expired. ResetIdentitiesWithValidity(-one_day, -one_day); TestHandshake(); } +class SSLStreamAdapterTestDTLSFromPEMStrings + : public SSLStreamAdapterTestDTLSBase { + public: + SSLStreamAdapterTestDTLSFromPEMStrings() + : SSLStreamAdapterTestDTLSBase(kCERT_PEM, kRSA_PRIVATE_KEY_PEM) {} +}; + // Test data transfer using certs created from strings. TEST_F(SSLStreamAdapterTestDTLSFromPEMStrings, TestTransfer) { TestHandshake(); @@ -1365,7 +1433,7 @@ TEST_F(SSLStreamAdapterTestDTLSFromPEMStrings, TestDTLSGetPeerCertificate) { } // Test getting the DTLS 1.2 version. -TEST_P(SSLStreamAdapterTestDTLS, TestGetSslVersionBytes) { +TEST_F(SSLStreamAdapterTestDTLS, TestGetSslVersionBytes) { // https://datatracker.ietf.org/doc/html/rfc9147#section-5.3 const int kDtls1_2 = 0xFEFD; SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12); @@ -1380,35 +1448,6 @@ TEST_P(SSLStreamAdapterTestDTLS, TestGetSslVersionBytes) { EXPECT_EQ(server_version, kDtls1_2); } -// Test getting the used DTLS ciphers. -// DTLS 1.2 is max version for client and server. -TEST_P(SSLStreamAdapterTestDTLS, TestGetSslCipherSuite) { - SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12); - TestHandshake(); - - int client_cipher; - ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher)); - int server_cipher; - ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher)); - - ASSERT_EQ(client_cipher, server_cipher); - ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher( - server_cipher, ::testing::get<1>(GetParam()).type())); -} - -// The RSA keysizes here might look strange, why not include the RFC's size -// 2048?. The reason is test case slowness; testing two sizes to exercise -// parametrization is sufficient. -INSTANTIATE_TEST_SUITE_P( - SSLStreamAdapterTestsDTLS, - SSLStreamAdapterTestDTLS, - Combine(Values(rtc::KeyParams::RSA(1024, 65537), - rtc::KeyParams::RSA(1152, 65537), - rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)), - Values(rtc::KeyParams::RSA(1024, 65537), - rtc::KeyParams::RSA(1152, 65537), - rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)))); - // Tests for enabling the (D)TLS extension permutation which randomizes the // order of extensions in the client hello. // These tests are a no-op under OpenSSL. @@ -1417,9 +1456,10 @@ class SSLStreamAdapterTestDTLSExtensionPermutation : public SSLStreamAdapterTestDTLSBase { public: SSLStreamAdapterTestDTLSExtensionPermutation() - : SSLStreamAdapterTestDTLSBase(rtc::KeyParams::ECDSA(rtc::EC_NIST_P256), - rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)) { - } + : SSLStreamAdapterTestDTLSBase( + rtc::KeyParams::ECDSA(rtc::EC_NIST_P256), + rtc::KeyParams::ECDSA(rtc::EC_NIST_P256), + std::make_pair(rtc::DIGEST_SHA_256, SHA256_DIGEST_LENGTH)) {} void Initialize(absl::string_view client_experiment, absl::string_view server_experiment) {