| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright 2011 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2011 The WebRTC Project Authors. All rights reserved. |
| 3 * | 3 * |
| 4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
| 5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
| 6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
| 7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
| 8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
| 9 */ | 9 */ |
| 10 | 10 |
| (...skipping 307 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 318 | 318 |
| 319 if (sig & rtc::SE_READ) { | 319 if (sig & rtc::SE_READ) { |
| 320 ReadData(stream); | 320 ReadData(stream); |
| 321 } | 321 } |
| 322 | 322 |
| 323 if ((stream == client_ssl_.get()) && (sig & rtc::SE_WRITE)) { | 323 if ((stream == client_ssl_.get()) && (sig & rtc::SE_WRITE)) { |
| 324 WriteData(); | 324 WriteData(); |
| 325 } | 325 } |
| 326 } | 326 } |
| 327 | 327 |
| 328 void SetPeerIdentitiesByDigest(bool correct) { | 328 void SetPeerIdentitiesByDigest(bool correct, bool expect_success) { |
| 329 unsigned char digest[20]; | 329 unsigned char server_digest[20]; |
| 330 size_t digest_len; | 330 size_t server_digest_len; |
| 331 unsigned char client_digest[20]; |
| 332 size_t client_digest_len; |
| 331 bool rv; | 333 bool rv; |
| 334 rtc::SSLPeerCertificateDigestError err; |
| 335 rtc::SSLPeerCertificateDigestError expected_err = |
| 336 expect_success |
| 337 ? rtc::SSLPeerCertificateDigestError::NONE |
| 338 : rtc::SSLPeerCertificateDigestError::VERIFICATION_FAILED; |
| 332 | 339 |
| 333 LOG(LS_INFO) << "Setting peer identities by digest"; | 340 LOG(LS_INFO) << "Setting peer identities by digest"; |
| 334 | 341 |
| 335 rv = server_identity_->certificate().ComputeDigest(rtc::DIGEST_SHA_1, | 342 rv = server_identity_->certificate().ComputeDigest( |
| 336 digest, 20, | 343 rtc::DIGEST_SHA_1, server_digest, 20, &server_digest_len); |
| 337 &digest_len); | |
| 338 ASSERT_TRUE(rv); | 344 ASSERT_TRUE(rv); |
| 345 rv = client_identity_->certificate().ComputeDigest( |
| 346 rtc::DIGEST_SHA_1, client_digest, 20, &client_digest_len); |
| 347 ASSERT_TRUE(rv); |
| 348 |
| 339 if (!correct) { | 349 if (!correct) { |
| 340 LOG(LS_INFO) << "Setting bogus digest for server cert"; | 350 LOG(LS_INFO) << "Setting bogus digest for server cert"; |
| 341 digest[0]++; | 351 server_digest[0]++; |
| 342 } | 352 } |
| 343 rv = client_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, digest, | 353 rv = client_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, server_digest, |
| 344 digest_len); | 354 server_digest_len, &err); |
| 345 ASSERT_TRUE(rv); | 355 EXPECT_EQ(expected_err, err); |
| 356 EXPECT_EQ(expect_success, rv); |
| 346 | 357 |
| 347 | |
| 348 rv = client_identity_->certificate().ComputeDigest(rtc::DIGEST_SHA_1, | |
| 349 digest, 20, &digest_len); | |
| 350 ASSERT_TRUE(rv); | |
| 351 if (!correct) { | 358 if (!correct) { |
| 352 LOG(LS_INFO) << "Setting bogus digest for client cert"; | 359 LOG(LS_INFO) << "Setting bogus digest for client cert"; |
| 353 digest[0]++; | 360 client_digest[0]++; |
| 354 } | 361 } |
| 355 rv = server_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, digest, | 362 rv = server_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, client_digest, |
| 356 digest_len); | 363 client_digest_len, &err); |
| 357 ASSERT_TRUE(rv); | 364 EXPECT_EQ(expected_err, err); |
| 365 EXPECT_EQ(expect_success, rv); |
| 358 | 366 |
| 359 identities_set_ = true; | 367 identities_set_ = true; |
| 360 } | 368 } |
| 361 | 369 |
| 362 void SetupProtocolVersions(rtc::SSLProtocolVersion server_version, | 370 void SetupProtocolVersions(rtc::SSLProtocolVersion server_version, |
| 363 rtc::SSLProtocolVersion client_version) { | 371 rtc::SSLProtocolVersion client_version) { |
| 364 server_ssl_->SetMaxProtocolVersion(server_version); | 372 server_ssl_->SetMaxProtocolVersion(server_version); |
| 365 client_ssl_->SetMaxProtocolVersion(client_version); | 373 client_ssl_->SetMaxProtocolVersion(client_version); |
| 366 } | 374 } |
| 367 | 375 |
| 368 void TestHandshake(bool expect_success = true) { | 376 void TestHandshake(bool expect_success = true) { |
| 369 server_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : | 377 server_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : |
| 370 rtc::SSL_MODE_TLS); | 378 rtc::SSL_MODE_TLS); |
| 371 client_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : | 379 client_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : |
| 372 rtc::SSL_MODE_TLS); | 380 rtc::SSL_MODE_TLS); |
| 373 | 381 |
| 374 if (!dtls_) { | 382 if (!dtls_) { |
| 375 // Make sure we simulate a reliable network for TLS. | 383 // Make sure we simulate a reliable network for TLS. |
| 376 // This is just a check to make sure that people don't write wrong | 384 // This is just a check to make sure that people don't write wrong |
| 377 // tests. | 385 // tests. |
| 378 ASSERT((mtu_ == 1460) && (loss_ == 0) && (lose_first_packet_ == 0)); | 386 ASSERT((mtu_ == 1460) && (loss_ == 0) && (lose_first_packet_ == 0)); |
| 379 } | 387 } |
| 380 | 388 |
| 381 if (!identities_set_) | 389 if (!identities_set_) |
| 382 SetPeerIdentitiesByDigest(true); | 390 SetPeerIdentitiesByDigest(true, true); |
| 383 | 391 |
| 384 // Start the handshake | 392 // Start the handshake |
| 385 int rv; | 393 int rv; |
| 386 | 394 |
| 387 server_ssl_->SetServerRole(); | 395 server_ssl_->SetServerRole(); |
| 388 rv = server_ssl_->StartSSL(); | 396 rv = server_ssl_->StartSSL(); |
| 389 ASSERT_EQ(0, rv); | 397 ASSERT_EQ(0, rv); |
| 390 | 398 |
| 391 rv = client_ssl_->StartSSL(); | 399 rv = client_ssl_->StartSSL(); |
| 392 ASSERT_EQ(0, rv); | 400 ASSERT_EQ(0, rv); |
| 393 | 401 |
| 394 // Now run the handshake | 402 // Now run the handshake |
| 395 if (expect_success) { | 403 if (expect_success) { |
| 396 EXPECT_TRUE_WAIT((client_ssl_->GetState() == rtc::SS_OPEN) | 404 EXPECT_TRUE_WAIT((client_ssl_->GetState() == rtc::SS_OPEN) |
| 397 && (server_ssl_->GetState() == rtc::SS_OPEN), | 405 && (server_ssl_->GetState() == rtc::SS_OPEN), |
| 398 handshake_wait_); | 406 handshake_wait_); |
| 399 } else { | 407 } else { |
| 400 EXPECT_TRUE_WAIT(client_ssl_->GetState() == rtc::SS_CLOSED, | 408 EXPECT_TRUE_WAIT(client_ssl_->GetState() == rtc::SS_CLOSED, |
| 401 handshake_wait_); | 409 handshake_wait_); |
| 402 } | 410 } |
| 403 } | 411 } |
| 404 | 412 |
| 413 // This tests that the handshake can complete before the identity is |
| 414 // verified, and the identity will be verified after the fact. |
| 415 void TestHandshakeWithDelayedIdentity(bool valid_identity) { |
| 416 server_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : rtc::SSL_MODE_TLS); |
| 417 client_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : rtc::SSL_MODE_TLS); |
| 418 |
| 419 if (!dtls_) { |
| 420 // Make sure we simulate a reliable network for TLS. |
| 421 // This is just a check to make sure that people don't write wrong |
| 422 // tests. |
| 423 ASSERT((mtu_ == 1460) && (loss_ == 0) && (lose_first_packet_ == 0)); |
| 424 } |
| 425 |
| 426 // Start the handshake |
| 427 int rv; |
| 428 |
| 429 server_ssl_->SetServerRole(); |
| 430 rv = server_ssl_->StartSSL(); |
| 431 ASSERT_EQ(0, rv); |
| 432 |
| 433 rv = client_ssl_->StartSSL(); |
| 434 ASSERT_EQ(0, rv); |
| 435 |
| 436 // Now run the handshake. |
| 437 EXPECT_TRUE_WAIT( |
| 438 client_ssl_->IsTlsConnected() && server_ssl_->IsTlsConnected(), |
| 439 handshake_wait_); |
| 440 |
| 441 // Until the identity has been verified, the state should still be |
| 442 // SS_OPENING and writes should return SR_BLOCK. |
| 443 EXPECT_EQ(rtc::SS_OPENING, client_ssl_->GetState()); |
| 444 EXPECT_EQ(rtc::SS_OPENING, server_ssl_->GetState()); |
| 445 unsigned char packet[1]; |
| 446 size_t sent; |
| 447 EXPECT_EQ(rtc::SR_BLOCK, client_ssl_->Write(&packet, 1, &sent, 0)); |
| 448 EXPECT_EQ(rtc::SR_BLOCK, server_ssl_->Write(&packet, 1, &sent, 0)); |
| 449 |
| 450 // If we set an invalid identity at this point, SetPeerCertificateDigest |
| 451 // should return false. |
| 452 SetPeerIdentitiesByDigest(valid_identity, valid_identity); |
| 453 // State should then transition to SS_OPEN or SS_CLOSED based on validation |
| 454 // of the identity. |
| 455 if (valid_identity) { |
| 456 EXPECT_EQ(rtc::SS_OPEN, client_ssl_->GetState()); |
| 457 EXPECT_EQ(rtc::SS_OPEN, server_ssl_->GetState()); |
| 458 } else { |
| 459 EXPECT_EQ(rtc::SS_CLOSED, client_ssl_->GetState()); |
| 460 EXPECT_EQ(rtc::SS_CLOSED, server_ssl_->GetState()); |
| 461 } |
| 462 } |
| 463 |
| 405 rtc::StreamResult DataWritten(SSLDummyStreamBase *from, const void *data, | 464 rtc::StreamResult DataWritten(SSLDummyStreamBase *from, const void *data, |
| 406 size_t data_len, size_t *written, | 465 size_t data_len, size_t *written, |
| 407 int *error) { | 466 int *error) { |
| 408 // Randomly drop loss_ percent of packets | 467 // Randomly drop loss_ percent of packets |
| 409 if (rtc::CreateRandomId() % 100 < static_cast<uint32_t>(loss_)) { | 468 if (rtc::CreateRandomId() % 100 < static_cast<uint32_t>(loss_)) { |
| 410 LOG(LS_INFO) << "Randomly dropping packet, size=" << data_len; | 469 LOG(LS_INFO) << "Randomly dropping packet, size=" << data_len; |
| 411 *written = data_len; | 470 *written = data_len; |
| 412 return rtc::SR_SUCCESS; | 471 return rtc::SR_SUCCESS; |
| 413 } | 472 } |
| 414 if (dtls_ && (data_len > mtu_)) { | 473 if (dtls_ && (data_len > mtu_)) { |
| (...skipping 427 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 842 rv = client_ssl_->Write(block, sizeof(block), &dummy, NULL); | 901 rv = client_ssl_->Write(block, sizeof(block), &dummy, NULL); |
| 843 ASSERT_EQ(rtc::SR_ERROR, rv); | 902 ASSERT_EQ(rtc::SR_ERROR, rv); |
| 844 | 903 |
| 845 // But after closed read gives you EOS. | 904 // But after closed read gives you EOS. |
| 846 rv = client_ssl_->Read(block, sizeof(block), &dummy, NULL); | 905 rv = client_ssl_->Read(block, sizeof(block), &dummy, NULL); |
| 847 ASSERT_EQ(rtc::SR_EOS, rv); | 906 ASSERT_EQ(rtc::SR_EOS, rv); |
| 848 }; | 907 }; |
| 849 | 908 |
| 850 // Test a handshake with a bogus peer digest | 909 // Test a handshake with a bogus peer digest |
| 851 TEST_P(SSLStreamAdapterTestTLS, TestTLSBogusDigest) { | 910 TEST_P(SSLStreamAdapterTestTLS, TestTLSBogusDigest) { |
| 852 SetPeerIdentitiesByDigest(false); | 911 SetPeerIdentitiesByDigest(false, true); |
| 853 TestHandshake(false); | 912 TestHandshake(false); |
| 854 }; | 913 }; |
| 855 | 914 |
| 915 TEST_P(SSLStreamAdapterTestTLS, TestTLSDelayedIdentity) { |
| 916 TestHandshakeWithDelayedIdentity(true); |
| 917 }; |
| 918 |
| 919 TEST_P(SSLStreamAdapterTestTLS, TestTLSDelayedIdentityWithBogusDigest) { |
| 920 TestHandshakeWithDelayedIdentity(false); |
| 921 }; |
| 922 |
| 923 // Test that the correct error is returned when SetPeerCertificateDigest is |
| 924 // called with an unknown algorithm. |
| 925 TEST_P(SSLStreamAdapterTestTLS, |
| 926 TestSetPeerCertificateDigestWithUnknownAlgorithm) { |
| 927 unsigned char server_digest[20]; |
| 928 size_t server_digest_len; |
| 929 bool rv; |
| 930 rtc::SSLPeerCertificateDigestError err; |
| 931 |
| 932 rv = server_identity_->certificate().ComputeDigest( |
| 933 rtc::DIGEST_SHA_1, server_digest, 20, &server_digest_len); |
| 934 ASSERT_TRUE(rv); |
| 935 |
| 936 rv = client_ssl_->SetPeerCertificateDigest("unknown algorithm", server_digest, |
| 937 server_digest_len, &err); |
| 938 EXPECT_EQ(rtc::SSLPeerCertificateDigestError::UNKNOWN_ALGORITHM, err); |
| 939 EXPECT_FALSE(rv); |
| 940 } |
| 941 |
| 942 // Test that the correct error is returned when SetPeerCertificateDigest is |
| 943 // called with an invalid digest length. |
| 944 TEST_P(SSLStreamAdapterTestTLS, TestSetPeerCertificateDigestWithInvalidLength) { |
| 945 unsigned char server_digest[20]; |
| 946 size_t server_digest_len; |
| 947 bool rv; |
| 948 rtc::SSLPeerCertificateDigestError err; |
| 949 |
| 950 rv = server_identity_->certificate().ComputeDigest( |
| 951 rtc::DIGEST_SHA_1, server_digest, 20, &server_digest_len); |
| 952 ASSERT_TRUE(rv); |
| 953 |
| 954 rv = client_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, server_digest, |
| 955 server_digest_len - 1, &err); |
| 956 EXPECT_EQ(rtc::SSLPeerCertificateDigestError::INVALID_LENGTH, err); |
| 957 EXPECT_FALSE(rv); |
| 958 } |
| 959 |
| 856 // Test moving a bunch of data | 960 // Test moving a bunch of data |
| 857 | 961 |
| 858 // Basic tests: DTLS | 962 // Basic tests: DTLS |
| 859 // Test that we can make a handshake work | 963 // Test that we can make a handshake work |
| 860 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnect) { | 964 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnect) { |
| 861 MAYBE_SKIP_TEST(HaveDtls); | 965 MAYBE_SKIP_TEST(HaveDtls); |
| 862 TestHandshake(); | 966 TestHandshake(); |
| 863 }; | 967 }; |
| 864 | 968 |
| 865 // Test that we can make a handshake work if the first packet in | 969 // Test that we can make a handshake work if the first packet in |
| (...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 904 }; | 1008 }; |
| 905 | 1009 |
| 906 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSTransferWithDamage) { | 1010 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSTransferWithDamage) { |
| 907 MAYBE_SKIP_TEST(HaveDtls); | 1011 MAYBE_SKIP_TEST(HaveDtls); |
| 908 SetDamage(); // Must be called first because first packet | 1012 SetDamage(); // Must be called first because first packet |
| 909 // write happens at end of handshake. | 1013 // write happens at end of handshake. |
| 910 TestHandshake(); | 1014 TestHandshake(); |
| 911 TestTransfer(100); | 1015 TestTransfer(100); |
| 912 }; | 1016 }; |
| 913 | 1017 |
| 1018 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSDelayedIdentity) { |
| 1019 TestHandshakeWithDelayedIdentity(true); |
| 1020 }; |
| 1021 |
| 1022 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSDelayedIdentityWithBogusDigest) { |
| 1023 TestHandshakeWithDelayedIdentity(false); |
| 1024 }; |
| 1025 |
| 914 // Test DTLS-SRTP with all high ciphers | 1026 // Test DTLS-SRTP with all high ciphers |
| 915 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpHigh) { | 1027 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpHigh) { |
| 916 MAYBE_SKIP_TEST(HaveDtlsSrtp); | 1028 MAYBE_SKIP_TEST(HaveDtlsSrtp); |
| 917 std::vector<int> high; | 1029 std::vector<int> high; |
| 918 high.push_back(rtc::SRTP_AES128_CM_SHA1_80); | 1030 high.push_back(rtc::SRTP_AES128_CM_SHA1_80); |
| 919 SetDtlsSrtpCryptoSuites(high, true); | 1031 SetDtlsSrtpCryptoSuites(high, true); |
| 920 SetDtlsSrtpCryptoSuites(high, false); | 1032 SetDtlsSrtpCryptoSuites(high, false); |
| 921 TestHandshake(); | 1033 TestHandshake(); |
| 922 | 1034 |
| 923 int client_cipher; | 1035 int client_cipher; |
| (...skipping 334 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1258 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)))); | 1370 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)))); |
| 1259 INSTANTIATE_TEST_CASE_P( | 1371 INSTANTIATE_TEST_CASE_P( |
| 1260 SSLStreamAdapterTestsDTLS, | 1372 SSLStreamAdapterTestsDTLS, |
| 1261 SSLStreamAdapterTestDTLS, | 1373 SSLStreamAdapterTestDTLS, |
| 1262 Combine(Values(rtc::KeyParams::RSA(1024, 65537), | 1374 Combine(Values(rtc::KeyParams::RSA(1024, 65537), |
| 1263 rtc::KeyParams::RSA(1152, 65537), | 1375 rtc::KeyParams::RSA(1152, 65537), |
| 1264 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)), | 1376 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)), |
| 1265 Values(rtc::KeyParams::RSA(1024, 65537), | 1377 Values(rtc::KeyParams::RSA(1024, 65537), |
| 1266 rtc::KeyParams::RSA(1152, 65537), | 1378 rtc::KeyParams::RSA(1152, 65537), |
| 1267 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)))); | 1379 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)))); |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2163683003:
Relanding: Allow the DTLS fingerprint verification to occur after the handshake. (Closed)
Base URL: https://chromium.googlesource.com/external/webrtc.git@master