| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright 2011 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2011 The WebRTC Project Authors. All rights reserved. |
| 3 * | 3 * |
| 4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
| 5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
| 6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
| 7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
| 8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
| 9 */ | 9 */ |
| 10 | 10 |
| (...skipping 307 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 318 | 318 |
| 319 if (sig & rtc::SE_READ) { | 319 if (sig & rtc::SE_READ) { |
| 320 ReadData(stream); | 320 ReadData(stream); |
| 321 } | 321 } |
| 322 | 322 |
| 323 if ((stream == client_ssl_.get()) && (sig & rtc::SE_WRITE)) { | 323 if ((stream == client_ssl_.get()) && (sig & rtc::SE_WRITE)) { |
| 324 WriteData(); | 324 WriteData(); |
| 325 } | 325 } |
| 326 } | 326 } |
| 327 | 327 |
| 328 void SetPeerIdentitiesByDigest(bool correct, bool expect_success) { | 328 void SetPeerIdentitiesByDigest(bool correct) { |
| 329 unsigned char server_digest[20]; | 329 unsigned char digest[20]; |
| 330 size_t server_digest_len; | 330 size_t digest_len; |
| 331 unsigned char client_digest[20]; | |
| 332 size_t client_digest_len; | |
| 333 bool rv; | 331 bool rv; |
| 334 rtc::SSLPeerCertificateDigestError err; | |
| 335 rtc::SSLPeerCertificateDigestError expected_err = | |
| 336 expect_success | |
| 337 ? rtc::SSLPeerCertificateDigestError::NONE | |
| 338 : rtc::SSLPeerCertificateDigestError::VERIFICATION_FAILED; | |
| 339 | 332 |
| 340 LOG(LS_INFO) << "Setting peer identities by digest"; | 333 LOG(LS_INFO) << "Setting peer identities by digest"; |
| 341 | 334 |
| 342 rv = server_identity_->certificate().ComputeDigest( | 335 rv = server_identity_->certificate().ComputeDigest(rtc::DIGEST_SHA_1, |
| 343 rtc::DIGEST_SHA_1, server_digest, 20, &server_digest_len); | 336 digest, 20, |
| 337 &digest_len); |
| 344 ASSERT_TRUE(rv); | 338 ASSERT_TRUE(rv); |
| 345 rv = client_identity_->certificate().ComputeDigest( | 339 if (!correct) { |
| 346 rtc::DIGEST_SHA_1, client_digest, 20, &client_digest_len); | 340 LOG(LS_INFO) << "Setting bogus digest for server cert"; |
| 341 digest[0]++; |
| 342 } |
| 343 rv = client_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, digest, |
| 344 digest_len); |
| 347 ASSERT_TRUE(rv); | 345 ASSERT_TRUE(rv); |
| 348 | 346 |
| 349 if (!correct) { | |
| 350 LOG(LS_INFO) << "Setting bogus digest for server cert"; | |
| 351 server_digest[0]++; | |
| 352 } | |
| 353 err = client_ssl_->SetPeerCertificateDigest( | |
| 354 rtc::DIGEST_SHA_1, server_digest, server_digest_len); | |
| 355 EXPECT_EQ(expected_err, err); | |
| 356 | 347 |
| 348 rv = client_identity_->certificate().ComputeDigest(rtc::DIGEST_SHA_1, |
| 349 digest, 20, &digest_len); |
| 350 ASSERT_TRUE(rv); |
| 357 if (!correct) { | 351 if (!correct) { |
| 358 LOG(LS_INFO) << "Setting bogus digest for client cert"; | 352 LOG(LS_INFO) << "Setting bogus digest for client cert"; |
| 359 client_digest[0]++; | 353 digest[0]++; |
| 360 } | 354 } |
| 361 err = server_ssl_->SetPeerCertificateDigest( | 355 rv = server_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, digest, |
| 362 rtc::DIGEST_SHA_1, client_digest, client_digest_len); | 356 digest_len); |
| 363 EXPECT_EQ(expected_err, err); | 357 ASSERT_TRUE(rv); |
| 364 | 358 |
| 365 identities_set_ = true; | 359 identities_set_ = true; |
| 366 } | 360 } |
| 367 | 361 |
| 368 void SetupProtocolVersions(rtc::SSLProtocolVersion server_version, | 362 void SetupProtocolVersions(rtc::SSLProtocolVersion server_version, |
| 369 rtc::SSLProtocolVersion client_version) { | 363 rtc::SSLProtocolVersion client_version) { |
| 370 server_ssl_->SetMaxProtocolVersion(server_version); | 364 server_ssl_->SetMaxProtocolVersion(server_version); |
| 371 client_ssl_->SetMaxProtocolVersion(client_version); | 365 client_ssl_->SetMaxProtocolVersion(client_version); |
| 372 } | 366 } |
| 373 | 367 |
| 374 void TestHandshake(bool expect_success = true) { | 368 void TestHandshake(bool expect_success = true) { |
| 375 server_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : | 369 server_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : |
| 376 rtc::SSL_MODE_TLS); | 370 rtc::SSL_MODE_TLS); |
| 377 client_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : | 371 client_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : |
| 378 rtc::SSL_MODE_TLS); | 372 rtc::SSL_MODE_TLS); |
| 379 | 373 |
| 380 if (!dtls_) { | 374 if (!dtls_) { |
| 381 // Make sure we simulate a reliable network for TLS. | 375 // Make sure we simulate a reliable network for TLS. |
| 382 // This is just a check to make sure that people don't write wrong | 376 // This is just a check to make sure that people don't write wrong |
| 383 // tests. | 377 // tests. |
| 384 ASSERT((mtu_ == 1460) && (loss_ == 0) && (lose_first_packet_ == 0)); | 378 ASSERT((mtu_ == 1460) && (loss_ == 0) && (lose_first_packet_ == 0)); |
| 385 } | 379 } |
| 386 | 380 |
| 387 if (!identities_set_) | 381 if (!identities_set_) |
| 388 SetPeerIdentitiesByDigest(true, true); | 382 SetPeerIdentitiesByDigest(true); |
| 389 | 383 |
| 390 // Start the handshake | 384 // Start the handshake |
| 391 int rv; | 385 int rv; |
| 392 | 386 |
| 393 server_ssl_->SetServerRole(); | 387 server_ssl_->SetServerRole(); |
| 394 rv = server_ssl_->StartSSL(); | 388 rv = server_ssl_->StartSSL(); |
| 395 ASSERT_EQ(0, rv); | 389 ASSERT_EQ(0, rv); |
| 396 | 390 |
| 397 rv = client_ssl_->StartSSL(); | 391 rv = client_ssl_->StartSSL(); |
| 398 ASSERT_EQ(0, rv); | 392 ASSERT_EQ(0, rv); |
| 399 | 393 |
| 400 // Now run the handshake | 394 // Now run the handshake |
| 401 if (expect_success) { | 395 if (expect_success) { |
| 402 EXPECT_TRUE_WAIT((client_ssl_->GetState() == rtc::SS_OPEN) | 396 EXPECT_TRUE_WAIT((client_ssl_->GetState() == rtc::SS_OPEN) |
| 403 && (server_ssl_->GetState() == rtc::SS_OPEN), | 397 && (server_ssl_->GetState() == rtc::SS_OPEN), |
| 404 handshake_wait_); | 398 handshake_wait_); |
| 405 } else { | 399 } else { |
| 406 EXPECT_TRUE_WAIT(client_ssl_->GetState() == rtc::SS_CLOSED, | 400 EXPECT_TRUE_WAIT(client_ssl_->GetState() == rtc::SS_CLOSED, |
| 407 handshake_wait_); | 401 handshake_wait_); |
| 408 } | 402 } |
| 409 } | 403 } |
| 410 | 404 |
| 411 // This tests that the handshake can complete before the identity is | |
| 412 // verified, and the identity will be verified after the fact. | |
| 413 void TestHandshakeWithDelayedIdentity(bool valid_identity) { | |
| 414 server_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : rtc::SSL_MODE_TLS); | |
| 415 client_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS : rtc::SSL_MODE_TLS); | |
| 416 | |
| 417 if (!dtls_) { | |
| 418 // Make sure we simulate a reliable network for TLS. | |
| 419 // This is just a check to make sure that people don't write wrong | |
| 420 // tests. | |
| 421 ASSERT((mtu_ == 1460) && (loss_ == 0) && (lose_first_packet_ == 0)); | |
| 422 } | |
| 423 | |
| 424 // Start the handshake | |
| 425 int rv; | |
| 426 | |
| 427 server_ssl_->SetServerRole(); | |
| 428 rv = server_ssl_->StartSSL(); | |
| 429 ASSERT_EQ(0, rv); | |
| 430 | |
| 431 rv = client_ssl_->StartSSL(); | |
| 432 ASSERT_EQ(0, rv); | |
| 433 | |
| 434 // Now run the handshake. | |
| 435 EXPECT_TRUE_WAIT( | |
| 436 client_ssl_->IsTlsConnected() && server_ssl_->IsTlsConnected(), | |
| 437 handshake_wait_); | |
| 438 | |
| 439 // Until the identity has been verified, the state should still be | |
| 440 // SS_OPENING and writes should return SR_BLOCK. | |
| 441 EXPECT_EQ(rtc::SS_OPENING, client_ssl_->GetState()); | |
| 442 EXPECT_EQ(rtc::SS_OPENING, server_ssl_->GetState()); | |
| 443 unsigned char packet[1]; | |
| 444 size_t sent; | |
| 445 EXPECT_EQ(rtc::SR_BLOCK, client_ssl_->Write(&packet, 1, &sent, 0)); | |
| 446 EXPECT_EQ(rtc::SR_BLOCK, server_ssl_->Write(&packet, 1, &sent, 0)); | |
| 447 | |
| 448 // If we set an invalid identity at this point, SetPeerCertificateDigest | |
| 449 // should return false. | |
| 450 SetPeerIdentitiesByDigest(valid_identity, valid_identity); | |
| 451 // State should then transition to SS_OPEN or SS_CLOSED based on validation | |
| 452 // of the identity. | |
| 453 if (valid_identity) { | |
| 454 EXPECT_EQ(rtc::SS_OPEN, client_ssl_->GetState()); | |
| 455 EXPECT_EQ(rtc::SS_OPEN, server_ssl_->GetState()); | |
| 456 } else { | |
| 457 EXPECT_EQ(rtc::SS_CLOSED, client_ssl_->GetState()); | |
| 458 EXPECT_EQ(rtc::SS_CLOSED, server_ssl_->GetState()); | |
| 459 } | |
| 460 } | |
| 461 | |
| 462 rtc::StreamResult DataWritten(SSLDummyStreamBase *from, const void *data, | 405 rtc::StreamResult DataWritten(SSLDummyStreamBase *from, const void *data, |
| 463 size_t data_len, size_t *written, | 406 size_t data_len, size_t *written, |
| 464 int *error) { | 407 int *error) { |
| 465 // Randomly drop loss_ percent of packets | 408 // Randomly drop loss_ percent of packets |
| 466 if (rtc::CreateRandomId() % 100 < static_cast<uint32_t>(loss_)) { | 409 if (rtc::CreateRandomId() % 100 < static_cast<uint32_t>(loss_)) { |
| 467 LOG(LS_INFO) << "Randomly dropping packet, size=" << data_len; | 410 LOG(LS_INFO) << "Randomly dropping packet, size=" << data_len; |
| 468 *written = data_len; | 411 *written = data_len; |
| 469 return rtc::SR_SUCCESS; | 412 return rtc::SR_SUCCESS; |
| 470 } | 413 } |
| 471 if (dtls_ && (data_len > mtu_)) { | 414 if (dtls_ && (data_len > mtu_)) { |
| (...skipping 427 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 899 rv = client_ssl_->Write(block, sizeof(block), &dummy, NULL); | 842 rv = client_ssl_->Write(block, sizeof(block), &dummy, NULL); |
| 900 ASSERT_EQ(rtc::SR_ERROR, rv); | 843 ASSERT_EQ(rtc::SR_ERROR, rv); |
| 901 | 844 |
| 902 // But after closed read gives you EOS. | 845 // But after closed read gives you EOS. |
| 903 rv = client_ssl_->Read(block, sizeof(block), &dummy, NULL); | 846 rv = client_ssl_->Read(block, sizeof(block), &dummy, NULL); |
| 904 ASSERT_EQ(rtc::SR_EOS, rv); | 847 ASSERT_EQ(rtc::SR_EOS, rv); |
| 905 }; | 848 }; |
| 906 | 849 |
| 907 // Test a handshake with a bogus peer digest | 850 // Test a handshake with a bogus peer digest |
| 908 TEST_P(SSLStreamAdapterTestTLS, TestTLSBogusDigest) { | 851 TEST_P(SSLStreamAdapterTestTLS, TestTLSBogusDigest) { |
| 909 SetPeerIdentitiesByDigest(false, true); | 852 SetPeerIdentitiesByDigest(false); |
| 910 TestHandshake(false); | 853 TestHandshake(false); |
| 911 }; | 854 }; |
| 912 | 855 |
| 913 TEST_P(SSLStreamAdapterTestTLS, TestTLSDelayedIdentity) { | |
| 914 TestHandshakeWithDelayedIdentity(true); | |
| 915 }; | |
| 916 | |
| 917 TEST_P(SSLStreamAdapterTestTLS, TestTLSDelayedIdentityWithBogusDigest) { | |
| 918 TestHandshakeWithDelayedIdentity(false); | |
| 919 }; | |
| 920 | |
| 921 // Test moving a bunch of data | 856 // Test moving a bunch of data |
| 922 | 857 |
| 923 // Basic tests: DTLS | 858 // Basic tests: DTLS |
| 924 // Test that we can make a handshake work | 859 // Test that we can make a handshake work |
| 925 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnect) { | 860 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSConnect) { |
| 926 MAYBE_SKIP_TEST(HaveDtls); | 861 MAYBE_SKIP_TEST(HaveDtls); |
| 927 TestHandshake(); | 862 TestHandshake(); |
| 928 }; | 863 }; |
| 929 | 864 |
| 930 // Test that we can make a handshake work if the first packet in | 865 // Test that we can make a handshake work if the first packet in |
| (...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 969 }; | 904 }; |
| 970 | 905 |
| 971 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSTransferWithDamage) { | 906 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSTransferWithDamage) { |
| 972 MAYBE_SKIP_TEST(HaveDtls); | 907 MAYBE_SKIP_TEST(HaveDtls); |
| 973 SetDamage(); // Must be called first because first packet | 908 SetDamage(); // Must be called first because first packet |
| 974 // write happens at end of handshake. | 909 // write happens at end of handshake. |
| 975 TestHandshake(); | 910 TestHandshake(); |
| 976 TestTransfer(100); | 911 TestTransfer(100); |
| 977 }; | 912 }; |
| 978 | 913 |
| 979 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSDelayedIdentity) { | |
| 980 TestHandshakeWithDelayedIdentity(true); | |
| 981 }; | |
| 982 | |
| 983 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSDelayedIdentityWithBogusDigest) { | |
| 984 TestHandshakeWithDelayedIdentity(false); | |
| 985 }; | |
| 986 | |
| 987 // Test DTLS-SRTP with all high ciphers | 914 // Test DTLS-SRTP with all high ciphers |
| 988 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpHigh) { | 915 TEST_P(SSLStreamAdapterTestDTLS, TestDTLSSrtpHigh) { |
| 989 MAYBE_SKIP_TEST(HaveDtlsSrtp); | 916 MAYBE_SKIP_TEST(HaveDtlsSrtp); |
| 990 std::vector<int> high; | 917 std::vector<int> high; |
| 991 high.push_back(rtc::SRTP_AES128_CM_SHA1_80); | 918 high.push_back(rtc::SRTP_AES128_CM_SHA1_80); |
| 992 SetDtlsSrtpCryptoSuites(high, true); | 919 SetDtlsSrtpCryptoSuites(high, true); |
| 993 SetDtlsSrtpCryptoSuites(high, false); | 920 SetDtlsSrtpCryptoSuites(high, false); |
| 994 TestHandshake(); | 921 TestHandshake(); |
| 995 | 922 |
| 996 int client_cipher; | 923 int client_cipher; |
| (...skipping 334 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1331 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)))); | 1258 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)))); |
| 1332 INSTANTIATE_TEST_CASE_P( | 1259 INSTANTIATE_TEST_CASE_P( |
| 1333 SSLStreamAdapterTestsDTLS, | 1260 SSLStreamAdapterTestsDTLS, |
| 1334 SSLStreamAdapterTestDTLS, | 1261 SSLStreamAdapterTestDTLS, |
| 1335 Combine(Values(rtc::KeyParams::RSA(1024, 65537), | 1262 Combine(Values(rtc::KeyParams::RSA(1024, 65537), |
| 1336 rtc::KeyParams::RSA(1152, 65537), | 1263 rtc::KeyParams::RSA(1152, 65537), |
| 1337 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)), | 1264 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)), |
| 1338 Values(rtc::KeyParams::RSA(1024, 65537), | 1265 Values(rtc::KeyParams::RSA(1024, 65537), |
| 1339 rtc::KeyParams::RSA(1152, 65537), | 1266 rtc::KeyParams::RSA(1152, 65537), |
| 1340 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)))); | 1267 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)))); |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2352863003:
Revert of Allow the DTLS fingerprint verification to occur after the handshake. (Closed)
Base URL: https://chromium.googlesource.com/external/webrtc.git@master