| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright 2011 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2011 The WebRTC Project Authors. All rights reserved. |
| 3 * | 3 * |
| 4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
| 5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
| 6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
| 7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
| 8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
| 9 */ | 9 */ |
| 10 | 10 |
| (...skipping 307 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 318 | 318 |
| 319 if (sig & rtc::SE_READ) { | 319 if (sig & rtc::SE_READ) { |
| 320 ReadData(stream); | 320 ReadData(stream); |
| 321 } | 321 } |
| 322 | 322 |
| 323 if ((stream == client_ssl_.get()) && (sig & rtc::SE_WRITE)) { | 323 if ((stream == client_ssl_.get()) && (sig & rtc::SE_WRITE)) { |
| 324 WriteData(); | 324 WriteData(); |
| 325 } | 325 } |
| 326 } | 326 } |
| 327 | 327 |
| 328 void SetPeerIdentitiesByDigest(bool correct) { | 328 void SetPeerIdentitiesByDigest(bool correct, bool expect_success) { |
| 329 unsigned char digest[20]; | 329 unsigned char server_digest[20]; |
| 330 size_t digest_len; | 330 size_t server_digest_len; |
| 331 unsigned char client_digest[20]; |
| 332 size_t client_digest_len; |
| 331 bool rv; | 333 bool rv; |
| 332 | 334 |
| 333 LOG(LS_INFO) << "Setting peer identities by digest"; | 335 LOG(LS_INFO) << "Setting peer identities by digest"; |
| 334 | 336 |
| 335 rv = server_identity_->certificate().ComputeDigest(rtc::DIGEST_SHA_1, | 337 rv = server_identity_->certificate().ComputeDigest( |
| 336 digest, 20, | 338 rtc::DIGEST_SHA_1, server_digest, 20, &server_digest_len); |
| 337 &digest_len); | |
| 338 ASSERT_TRUE(rv); | 339 ASSERT_TRUE(rv); |
| 340 rv = client_identity_->certificate().ComputeDigest( |
| 341 rtc::DIGEST_SHA_1, client_digest, 20, &client_digest_len); |
| 342 ASSERT_TRUE(rv); |
| 343 |
| 339 if (!correct) { | 344 if (!correct) { |
| 340 LOG(LS_INFO) << "Setting bogus digest for server cert"; | 345 LOG(LS_INFO) << "Setting bogus digest for server cert"; |
| 341 digest[0]++; | 346 server_digest[0]++; |
| 342 } | 347 } |
| 343 rv = client_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, digest, | 348 rv = client_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, server_digest, |
| 344 digest_len); | 349 server_digest_len); |
| 345 ASSERT_TRUE(rv); | 350 EXPECT_EQ(expect_success, rv); |
| 346 | 351 |
| 347 | |
| 348 rv = client_identity_->certificate().ComputeDigest(rtc::DIGEST_SHA_1, | |
| 349 digest, 20, &digest_len); | |
| 350 ASSERT_TRUE(rv); | |
| 351 if (!correct) { | 352 if (!correct) { |
| 352 LOG(LS_INFO) << "Setting bogus digest for client cert"; | 353 LOG(LS_INFO) << "Setting bogus digest for client cert"; |
| 353 digest[0]++; | 354 client_digest[0]++; |
| 354 } | 355 } |
| 355 rv = server_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, digest, | 356 rv = server_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, client_digest, |
| 356 digest_len); | 357 client_digest_len); |
| 357 ASSERT_TRUE(rv); | 358 EXPECT_EQ(expect_success, rv); |
| 358 | 359 |
| 359 identities_set_ = true; | 360 identities_set_ = true; |
| 360 } | 361 } |
| 361 | 362 |
| 362 void SetupProtocolVersions(rtc::SSLProtocolVersion server_version, | 363 void SetupProtocolVersions(rtc::SSLProtocolVersion server_version, |
| 363 rtc::SSLProtocolVersion client_version) { | 364 rtc::SSLProtocolVersion client_version) { |
| 364 server_ssl_->SetMaxProtocolVersion(server_version); | 365 server_ssl_->SetMaxProtocolVersion(server_version); |
| 365 client_ssl_->SetMaxProtocolVersion(client_version); | 366 client_ssl_->SetMaxProtocolVersion(client_version); |
| 366 } | 367 } |
| 367 | 368 |
| 368 void TestHandshake(bool expect_success = true) { | 369 void TestHandshake(bool expect_success = true) { |
| 369 server_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : | 370 server_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : |
| 370 rtc::SSL_MODE_TLS); | 371 rtc::SSL_MODE_TLS); |
| 371 client_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : | 372 client_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : |
| 372 rtc::SSL_MODE_TLS); | 373 rtc::SSL_MODE_TLS); |
| 373 | 374 |
| 374 if (!dtls_) { | 375 if (!dtls_) { |
| 375 // Make sure we simulate a reliable network for TLS. | 376 // Make sure we simulate a reliable network for TLS. |
| 376 // This is just a check to make sure that people don't write wrong | 377 // This is just a check to make sure that people don't write wrong |
| 377 // tests. | 378 // tests. |
| 378 ASSERT((mtu_ == 1460) && (loss_ == 0) && (lose_first_packet_ == 0)); | 379 ASSERT((mtu_ == 1460) && (loss_ == 0) && (lose_first_packet_ == 0)); |
| 379 } | 380 } |
| 380 | 381 |
| 381 if (!identities_set_) | 382 if (!identities_set_) |
| 382 SetPeerIdentitiesByDigest(true); | 383 SetPeerIdentitiesByDigest(true, true); |
| 383 | 384 |
| 384 // Start the handshake | 385 // Start the handshake |
| 385 int rv; | 386 int rv; |
| 386 | 387 |
| 387 server_ssl_->SetServerRole(); | 388 server_ssl_->SetServerRole(); |
| 388 rv = server_ssl_->StartSSLWithPeer(); | 389 rv = server_ssl_->StartSSLWithPeer(); |
| 389 ASSERT_EQ(0, rv); | 390 ASSERT_EQ(0, rv); |
| 390 | 391 |
| 391 rv = client_ssl_->StartSSLWithPeer(); | 392 rv = client_ssl_->StartSSLWithPeer(); |
| 392 ASSERT_EQ(0, rv); | 393 ASSERT_EQ(0, rv); |
| 393 | 394 |
| 394 // Now run the handshake | 395 // Now run the handshake |
| 395 if (expect_success) { | 396 if (expect_success) { |
| 396 EXPECT_TRUE_WAIT((client_ssl_->GetState() == rtc::SS_OPEN) | 397 EXPECT_TRUE_WAIT((client_ssl_->GetState() == rtc::SS_OPEN) |
| 397 && (server_ssl_->GetState() == rtc::SS_OPEN), | 398 && (server_ssl_->GetState() == rtc::SS_OPEN), |
| 398 handshake_wait_); | 399 handshake_wait_); |
| 399 } else { | 400 } else { |
| 400 EXPECT_TRUE_WAIT(client_ssl_->GetState() == rtc::SS_CLOSED, | 401 EXPECT_TRUE_WAIT(client_ssl_->GetState() == rtc::SS_CLOSED, |
| 401 handshake_wait_); | 402 handshake_wait_); |
| 402 } | 403 } |
| 403 } | 404 } |
| 404 | 405 |
| 406 // This tests that the handshake can complete before the identity is |
| 407 // verified, and the identity will be verified after the fact. |
| 408 void TestHandshakeWithDelayedIdentity(bool valid_identity) { |
| 409 server_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : rtc::SSL_MODE_TLS); |
| 410 client_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : rtc::SSL_MODE_TLS); |
| 411 |
| 412 if (!dtls_) { |
| 413 // Make sure we simulate a reliable network for TLS. |
| 414 // This is just a check to make sure that people don't write wrong |
| 415 // tests. |
| 416 ASSERT((mtu_ == 1460) && (loss_ == 0) && (lose_first_packet_ == 0)); |
| 417 } |
| 418 |
| 419 // Start the handshake |
| 420 int rv; |
| 421 |
| 422 server_ssl_->SetServerRole(); |
| 423 rv = server_ssl_->StartSSLWithPeer(); |
| 424 ASSERT_EQ(0, rv); |
| 425 |
| 426 rv = client_ssl_->StartSSLWithPeer(); |
| 427 ASSERT_EQ(0, rv); |
| 428 |
| 429 // Now run the handshake. |
| 430 EXPECT_TRUE_WAIT( |
| 431 client_ssl_->IsTlsConnected() && server_ssl_->IsTlsConnected(), |
| 432 handshake_wait_); |
| 433 |
| 434 // Until the identity has been verified, the state should still be |
| 435 // SS_OPENING and writes should return SR_BLOCK. |
| 436 EXPECT_EQ(rtc::SS_OPENING, client_ssl_->GetState()); |
| 437 EXPECT_EQ(rtc::SS_OPENING, server_ssl_->GetState()); |
| 438 unsigned char packet[1]; |
| 439 size_t sent; |
| 440 EXPECT_EQ(rtc::SR_BLOCK, client_ssl_->Write(&packet, 1, &sent, 0)); |
| 441 EXPECT_EQ(rtc::SR_BLOCK, server_ssl_->Write(&packet, 1, &sent, 0)); |
| 442 |
| 443 // If we set an invalid identity at this point, SetPeerCertificateDigest |
| 444 // should return false. |
| 445 SetPeerIdentitiesByDigest(valid_identity, valid_identity); |
| 446 // State should then transition to SS_OPEN or SS_CLOSED based on validation |
| 447 // of the identity. |
| 448 if (valid_identity) { |
| 449 EXPECT_EQ(rtc::SS_OPEN, client_ssl_->GetState()); |
| 450 EXPECT_EQ(rtc::SS_OPEN, server_ssl_->GetState()); |
| 451 } else { |
| 452 EXPECT_EQ(rtc::SS_CLOSED, client_ssl_->GetState()); |
| 453 EXPECT_EQ(rtc::SS_CLOSED, server_ssl_->GetState()); |
| 454 } |
| 455 } |
| 456 |
| 405 rtc::StreamResult DataWritten(SSLDummyStreamBase *from, const void *data, | 457 rtc::StreamResult DataWritten(SSLDummyStreamBase *from, const void *data, |
| 406 size_t data_len, size_t *written, | 458 size_t data_len, size_t *written, |
| 407 int *error) { | 459 int *error) { |
| 408 // Randomly drop loss_ percent of packets | 460 // Randomly drop loss_ percent of packets |
| 409 if (rtc::CreateRandomId() % 100 < static_cast<uint32_t>(loss_)) { | 461 if (rtc::CreateRandomId() % 100 < static_cast<uint32_t>(loss_)) { |
| 410 LOG(LS_INFO) << "Randomly dropping packet, size=" << data_len; | 462 LOG(LS_INFO) << "Randomly dropping packet, size=" << data_len; |
| 411 *written = data_len; | 463 *written = data_len; |
| 412 return rtc::SR_SUCCESS; | 464 return rtc::SR_SUCCESS; |
| 413 } | 465 } |
| 414 if (dtls_ && (data_len > mtu_)) { | 466 if (dtls_ && (data_len > mtu_)) { |
| (...skipping 427 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 842 rv = client_ssl_->Write(block, sizeof(block), &dummy, NULL); | 894 rv = client_ssl_->Write(block, sizeof(block), &dummy, NULL); |
| 843 ASSERT_EQ(rtc::SR_ERROR, rv); | 895 ASSERT_EQ(rtc::SR_ERROR, rv); |
| 844 | 896 |
| 845 // But after closed read gives you EOS. | 897 // But after closed read gives you EOS. |
| 846 rv = client_ssl_->Read(block, sizeof(block), &dummy, NULL); | 898 rv = client_ssl_->Read(block, sizeof(block), &dummy, NULL); |
| 847 ASSERT_EQ(rtc::SR_EOS, rv); | 899 ASSERT_EQ(rtc::SR_EOS, rv); |
| 848 }; | 900 }; |
| 849 | 901 |
| 850 // Test a handshake with a bogus peer digest | 902 // Test a handshake with a bogus peer digest |
| 851 TEST_P(SSLStreamAdapterTestTLS, TestTLSBogusDigest) { | 903 TEST_P(SSLStreamAdapterTestTLS, TestTLSBogusDigest) { |
| 852 SetPeerIdentitiesByDigest(false); | 904 SetPeerIdentitiesByDigest(false, true); |
| 853 TestHandshake(false); | 905 TestHandshake(false); |
| 854 }; | 906 }; |
| 855 | 907 |
| 908 TEST_P(SSLStreamAdapterTestTLS, TestTLSDelayedIdentity) { |
| 909 TestHandshakeWithDelayedIdentity(true); |
| 910 }; |
| 911 |
| 912 TEST_P(SSLStreamAdapterTestTLS, TestTLSDelayedIdentityWithBogusDigest) { |
| 913 TestHandshakeWithDelayedIdentity(false); |
| 914 }; |
| 915 |
| 856 // Test moving a bunch of data | 916 // Test moving a bunch of data |
| 857 | 917 |
| 858 // Basic tests: DTLS | 918 // Basic tests: DTLS |
| 859 // Test that we can make a handshake work | 919 // Test that we can make a handshake work |
| 860 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnect) { | 920 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnect) { |
| 861 MAYBE_SKIP_TEST(HaveDtls); | 921 MAYBE_SKIP_TEST(HaveDtls); |
| 862 TestHandshake(); | 922 TestHandshake(); |
| 863 }; | 923 }; |
| 864 | 924 |
| 865 // Test that we can make a handshake work if the first packet in | 925 // Test that we can make a handshake work if the first packet in |
| (...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 904 }; | 964 }; |
| 905 | 965 |
| 906 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSTransferWithDamage) { | 966 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSTransferWithDamage) { |
| 907 MAYBE_SKIP_TEST(HaveDtls); | 967 MAYBE_SKIP_TEST(HaveDtls); |
| 908 SetDamage(); // Must be called first because first packet | 968 SetDamage(); // Must be called first because first packet |
| 909 // write happens at end of handshake. | 969 // write happens at end of handshake. |
| 910 TestHandshake(); | 970 TestHandshake(); |
| 911 TestTransfer(100); | 971 TestTransfer(100); |
| 912 }; | 972 }; |
| 913 | 973 |
| 974 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSDelayedIdentity) { |
| 975 TestHandshakeWithDelayedIdentity(true); |
| 976 }; |
| 977 |
| 978 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSDelayedIdentityWithBogusDigest) { |
| 979 TestHandshakeWithDelayedIdentity(false); |
| 980 }; |
| 981 |
| 914 // Test DTLS-SRTP with all high ciphers | 982 // Test DTLS-SRTP with all high ciphers |
| 915 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpHigh) { | 983 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpHigh) { |
| 916 MAYBE_SKIP_TEST(HaveDtlsSrtp); | 984 MAYBE_SKIP_TEST(HaveDtlsSrtp); |
| 917 std::vector<int> high; | 985 std::vector<int> high; |
| 918 high.push_back(rtc::SRTP_AES128_CM_SHA1_80); | 986 high.push_back(rtc::SRTP_AES128_CM_SHA1_80); |
| 919 SetDtlsSrtpCryptoSuites(high, true); | 987 SetDtlsSrtpCryptoSuites(high, true); |
| 920 SetDtlsSrtpCryptoSuites(high, false); | 988 SetDtlsSrtpCryptoSuites(high, false); |
| 921 TestHandshake(); | 989 TestHandshake(); |
| 922 | 990 |
| 923 int client_cipher; | 991 int client_cipher; |
| (...skipping 234 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1158 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)))); | 1226 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)))); |
| 1159 INSTANTIATE_TEST_CASE_P( | 1227 INSTANTIATE_TEST_CASE_P( |
| 1160 SSLStreamAdapterTestsDTLS, | 1228 SSLStreamAdapterTestsDTLS, |
| 1161 SSLStreamAdapterTestDTLS, | 1229 SSLStreamAdapterTestDTLS, |
| 1162 Combine(Values(rtc::KeyParams::RSA(1024, 65537), | 1230 Combine(Values(rtc::KeyParams::RSA(1024, 65537), |
| 1163 rtc::KeyParams::RSA(1152, 65537), | 1231 rtc::KeyParams::RSA(1152, 65537), |
| 1164 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)), | 1232 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)), |
| 1165 Values(rtc::KeyParams::RSA(1024, 65537), | 1233 Values(rtc::KeyParams::RSA(1024, 65537), |
| 1166 rtc::KeyParams::RSA(1152, 65537), | 1234 rtc::KeyParams::RSA(1152, 65537), |
| 1167 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)))); | 1235 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)))); |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2163683003:
Relanding: Allow the DTLS fingerprint verification to occur after the handshake. (Closed)
Base URL: https://chromium.googlesource.com/external/webrtc.git@master