Gitiles
Code Review Sign In
gerrit.openfyde.cn / webrtc.googlesource.com / src / 831c5585c7d2b4c4442e3c1255332f1c23b6a983 / . / webrtc / base / sslstreamadapter_unittest.cc
blob: 6abaaa3bb9e678a0d14a796a72e313b0a60b5845 [file] [log] [blame]
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]1/*
2 * Copyright 2011 The WebRTC Project Authors. All rights reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
11
12#include <algorithm>
13#include <set>
14#include <string>
15
16#include "webrtc/base/gunit.h"
17#include "webrtc/base/helpers.h"
18#include "webrtc/base/scoped_ptr.h"
19#include "webrtc/base/ssladapter.h"
20#include "webrtc/base/sslconfig.h"
21#include "webrtc/base/sslidentity.h"
22#include "webrtc/base/sslstreamadapter.h"
23#include "webrtc/base/stream.h"
henrike@webrtc.orgfded02c2014-09-19 13:10:10 +0000[diff] [blame]24#include "webrtc/test/testsupport/gtest_disable.h"
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]25
26static const int kBlockSize = 4096;
27static const char kAES_CM_HMAC_SHA1_80[] = "AES_CM_128_HMAC_SHA1_80";
28static const char kAES_CM_HMAC_SHA1_32[] = "AES_CM_128_HMAC_SHA1_32";
29static const char kExporterLabel[] = "label";
30static const unsigned char kExporterContext[] = "context";
31static int kExporterContextLen = sizeof(kExporterContext);
32
33static const char kRSA_PRIVATE_KEY_PEM[] =
34 "-----BEGIN RSA PRIVATE KEY-----\n"
35 "MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMYRkbhmI7kVA/rM\n"
36 "czsZ+6JDhDvnkF+vn6yCAGuRPV03zuRqZtDy4N4to7PZu9PjqrRl7nDMXrG3YG9y\n"
37 "rlIAZ72KjcKKFAJxQyAKLCIdawKRyp8RdK3LEySWEZb0AV58IadqPZDTNHHRX8dz\n"
38 "5aTSMsbbkZ+C/OzTnbiMqLL/vg6jAgMBAAECgYAvgOs4FJcgvp+TuREx7YtiYVsH\n"
39 "mwQPTum2z/8VzWGwR8BBHBvIpVe1MbD/Y4seyI2aco/7UaisatSgJhsU46/9Y4fq\n"
40 "2TwXH9QANf4at4d9n/R6rzwpAJOpgwZgKvdQjkfrKTtgLV+/dawvpxUYkRH4JZM1\n"
41 "CVGukMfKNrSVH4Ap4QJBAOJmGV1ASPnB4r4nc99at7JuIJmd7fmuVUwUgYi4XgaR\n"
42 "WhScBsgYwZ/JoywdyZJgnbcrTDuVcWG56B3vXbhdpMsCQQDf9zeJrjnPZ3Cqm79y\n"
43 "kdqANep0uwZciiNiWxsQrCHztywOvbFhdp8iYVFG9EK8DMY41Y5TxUwsHD+67zao\n"
44 "ZNqJAkEA1suLUP/GvL8IwuRneQd2tWDqqRQ/Td3qq03hP7e77XtF/buya3Ghclo5\n"
45 "54czUR89QyVfJEC6278nzA7n2h1uVQJAcG6mztNL6ja/dKZjYZye2CY44QjSlLo0\n"
46 "MTgTSjdfg/28fFn2Jjtqf9Pi/X+50LWI/RcYMC2no606wRk9kyOuIQJBAK6VSAim\n"
47 "1pOEjsYQn0X5KEIrz1G3bfCbB848Ime3U2/FWlCHMr6ch8kCZ5d1WUeJD3LbwMNG\n"
48 "UCXiYxSsu20QNVw=\n"
49 "-----END RSA PRIVATE KEY-----\n";
50
51static const char kCERT_PEM[] =
52 "-----BEGIN CERTIFICATE-----\n"
53 "MIIBmTCCAQKgAwIBAgIEbzBSAjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZX\n"
54 "ZWJSVEMwHhcNMTQwMTAyMTgyNDQ3WhcNMTQwMjAxMTgyNDQ3WjARMQ8wDQYDVQQD\n"
55 "EwZXZWJSVEMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMYRkbhmI7kVA/rM\n"
56 "czsZ+6JDhDvnkF+vn6yCAGuRPV03zuRqZtDy4N4to7PZu9PjqrRl7nDMXrG3YG9y\n"
57 "rlIAZ72KjcKKFAJxQyAKLCIdawKRyp8RdK3LEySWEZb0AV58IadqPZDTNHHRX8dz\n"
58 "5aTSMsbbkZ+C/OzTnbiMqLL/vg6jAgMBAAEwDQYJKoZIhvcNAQELBQADgYEAUflI\n"
59 "VUe5Krqf5RVa5C3u/UTAOAUJBiDS3VANTCLBxjuMsvqOG0WvaYWP3HYPgrz0jXK2\n"
60 "LJE/mGw3MyFHEqi81jh95J+ypl6xKW6Rm8jKLR87gUvCaVYn/Z4/P3AqcQTB7wOv\n"
61 "UD0A8qfhfDM+LK6rPAnCsVN0NRDY3jvd6rzix9M=\n"
62 "-----END CERTIFICATE-----\n";
63
64#define MAYBE_SKIP_TEST(feature) \
65 if (!(rtc::SSLStreamAdapter::feature())) { \
66 LOG(LS_INFO) << "Feature disabled... skipping"; \
67 return; \
68 }
69
70class SSLStreamAdapterTestBase;
71
72class SSLDummyStream : public rtc::StreamInterface,
73 public sigslot::has_slots<> {
74 public:
75 explicit SSLDummyStream(SSLStreamAdapterTestBase *test,
76 const std::string &side,
77 rtc::FifoBuffer *in,
78 rtc::FifoBuffer *out) :
79 test_(test),
80 side_(side),
81 in_(in),
82 out_(out),
83 first_packet_(true) {
84 in_->SignalEvent.connect(this, &SSLDummyStream::OnEventIn);
85 out_->SignalEvent.connect(this, &SSLDummyStream::OnEventOut);
86 }
87
88 virtual rtc::StreamState GetState() const { return rtc::SS_OPEN; }
89
90 virtual rtc::StreamResult Read(void* buffer, size_t buffer_len,
91 size_t* read, int* error) {
92 rtc::StreamResult r;
93
94 r = in_->Read(buffer, buffer_len, read, error);
95 if (r == rtc::SR_BLOCK)
96 return rtc::SR_BLOCK;
97 if (r == rtc::SR_EOS)
98 return rtc::SR_EOS;
99
100 if (r != rtc::SR_SUCCESS) {
101 ADD_FAILURE();
102 return rtc::SR_ERROR;
103 }
104
105 return rtc::SR_SUCCESS;
106 }
107
108 // Catch readability events on in and pass them up.
109 virtual void OnEventIn(rtc::StreamInterface *stream, int sig,
110 int err) {
111 int mask = (rtc::SE_READ | rtc::SE_CLOSE);
112
113 if (sig & mask) {
114 LOG(LS_INFO) << "SSLDummyStream::OnEvent side=" << side_ << " sig="
115 << sig << " forwarding upward";
116 PostEvent(sig & mask, 0);
117 }
118 }
119
120 // Catch writeability events on out and pass them up.
121 virtual void OnEventOut(rtc::StreamInterface *stream, int sig,
122 int err) {
123 if (sig & rtc::SE_WRITE) {
124 LOG(LS_INFO) << "SSLDummyStream::OnEvent side=" << side_ << " sig="
125 << sig << " forwarding upward";
126
127 PostEvent(sig & rtc::SE_WRITE, 0);
128 }
129 }
130
131 // Write to the outgoing FifoBuffer
132 rtc::StreamResult WriteData(const void* data, size_t data_len,
133 size_t* written, int* error) {
134 return out_->Write(data, data_len, written, error);
135 }
136
137 // Defined later
138 virtual rtc::StreamResult Write(const void* data, size_t data_len,
139 size_t* written, int* error);
140
141 virtual void Close() {
142 LOG(LS_INFO) << "Closing outbound stream";
143 out_->Close();
144 }
145
146 private:
147 SSLStreamAdapterTestBase *test_;
148 const std::string side_;
149 rtc::FifoBuffer *in_;
150 rtc::FifoBuffer *out_;
151 bool first_packet_;
152};
153
154static const int kFifoBufferSize = 4096;
155
156class SSLStreamAdapterTestBase : public testing::Test,
157 public sigslot::has_slots<> {
158 public:
159 SSLStreamAdapterTestBase(const std::string& client_cert_pem,
160 const std::string& client_private_key_pem,
161 bool dtls) :
162 client_buffer_(kFifoBufferSize), server_buffer_(kFifoBufferSize),
163 client_stream_(
164 new SSLDummyStream(this, "c2s", &client_buffer_, &server_buffer_)),
165 server_stream_(
166 new SSLDummyStream(this, "s2c", &server_buffer_, &client_buffer_)),
167 client_ssl_(rtc::SSLStreamAdapter::Create(client_stream_)),
168 server_ssl_(rtc::SSLStreamAdapter::Create(server_stream_)),
169 client_identity_(NULL), server_identity_(NULL),
170 delay_(0), mtu_(1460), loss_(0), lose_first_packet_(false),
171 damage_(false), dtls_(dtls),
172 handshake_wait_(5000), identities_set_(false) {
173 // Set use of the test RNG to get predictable loss patterns.
174 rtc::SetRandomTestMode(true);
175
176 // Set up the slots
177 client_ssl_->SignalEvent.connect(this, &SSLStreamAdapterTestBase::OnEvent);
178 server_ssl_->SignalEvent.connect(this, &SSLStreamAdapterTestBase::OnEvent);
179
180 if (!client_cert_pem.empty() && !client_private_key_pem.empty()) {
181 client_identity_ = rtc::SSLIdentity::FromPEMStrings(
182 client_private_key_pem, client_cert_pem);
183 } else {
184 client_identity_ = rtc::SSLIdentity::Generate("client");
185 }
186 server_identity_ = rtc::SSLIdentity::Generate("server");
187
188 client_ssl_->SetIdentity(client_identity_);
189 server_ssl_->SetIdentity(server_identity_);
190 }
191
192 ~SSLStreamAdapterTestBase() {
193 // Put it back for the next test.
194 rtc::SetRandomTestMode(false);
195 }
196
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]197 // Recreate the client/server identities with the specified validity period.
198 // |not_before| and |not_after| are offsets from the current time in number
199 // of seconds.
200 void ResetIdentitiesWithValidity(int not_before, int not_after) {
201 client_stream_ =
202 new SSLDummyStream(this, "c2s", &client_buffer_, &server_buffer_);
203 server_stream_ =
204 new SSLDummyStream(this, "s2c", &server_buffer_, &client_buffer_);
205
206 client_ssl_.reset(rtc::SSLStreamAdapter::Create(client_stream_));
207 server_ssl_.reset(rtc::SSLStreamAdapter::Create(server_stream_));
208
209 client_ssl_->SignalEvent.connect(this, &SSLStreamAdapterTestBase::OnEvent);
210 server_ssl_->SignalEvent.connect(this, &SSLStreamAdapterTestBase::OnEvent);
211
212 rtc::SSLIdentityParams client_params;
213 client_params.common_name = "client";
214 client_params.not_before = not_before;
215 client_params.not_after = not_after;
216 client_identity_ = rtc::SSLIdentity::GenerateForTest(client_params);
217
218 rtc::SSLIdentityParams server_params;
219 server_params.common_name = "server";
220 server_params.not_before = not_before;
221 server_params.not_after = not_after;
222 server_identity_ = rtc::SSLIdentity::GenerateForTest(server_params);
223
224 client_ssl_->SetIdentity(client_identity_);
225 server_ssl_->SetIdentity(server_identity_);
226 }
227
228 virtual void OnEvent(rtc::StreamInterface *stream, int sig, int err) {
229 LOG(LS_INFO) << "SSLStreamAdapterTestBase::OnEvent sig=" << sig;
230
231 if (sig & rtc::SE_READ) {
232 ReadData(stream);
233 }
234
235 if ((stream == client_ssl_.get()) && (sig & rtc::SE_WRITE)) {
236 WriteData();
237 }
238 }
239
240 void SetPeerIdentitiesByDigest(bool correct) {
241 unsigned char digest[20];
242 size_t digest_len;
243 bool rv;
244
245 LOG(LS_INFO) << "Setting peer identities by digest";
246
247 rv = server_identity_->certificate().ComputeDigest(rtc::DIGEST_SHA_1,
248 digest, 20,
249 &digest_len);
250 ASSERT_TRUE(rv);
251 if (!correct) {
252 LOG(LS_INFO) << "Setting bogus digest for server cert";
253 digest[0]++;
254 }
255 rv = client_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, digest,
256 digest_len);
257 ASSERT_TRUE(rv);
258
259
260 rv = client_identity_->certificate().ComputeDigest(rtc::DIGEST_SHA_1,
261 digest, 20, &digest_len);
262 ASSERT_TRUE(rv);
263 if (!correct) {
264 LOG(LS_INFO) << "Setting bogus digest for client cert";
265 digest[0]++;
266 }
267 rv = server_ssl_->SetPeerCertificateDigest(rtc::DIGEST_SHA_1, digest,
268 digest_len);
269 ASSERT_TRUE(rv);
270
271 identities_set_ = true;
272 }
273
Joachim Bauch831c5582015-05-20 12:48:41 +0200[diff] [blame^]274 void SetupProtocolVersions(rtc::SSLProtocolVersion server_version,
275 rtc::SSLProtocolVersion client_version) {
276 server_ssl_->SetMaxProtocolVersion(server_version);
277 client_ssl_->SetMaxProtocolVersion(client_version);
278 }
279
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]280 void TestHandshake(bool expect_success = true) {
281 server_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS :
282 rtc::SSL_MODE_TLS);
283 client_ssl_->SetMode(dtls_ ? rtc::SSL_MODE_DTLS :
284 rtc::SSL_MODE_TLS);
285
286 if (!dtls_) {
287 // Make sure we simulate a reliable network for TLS.
288 // This is just a check to make sure that people don't write wrong
289 // tests.
290 ASSERT((mtu_ == 1460) && (loss_ == 0) && (lose_first_packet_ == 0));
291 }
292
293 if (!identities_set_)
294 SetPeerIdentitiesByDigest(true);
295
296 // Start the handshake
297 int rv;
298
299 server_ssl_->SetServerRole();
300 rv = server_ssl_->StartSSLWithPeer();
301 ASSERT_EQ(0, rv);
302
303 rv = client_ssl_->StartSSLWithPeer();
304 ASSERT_EQ(0, rv);
305
306 // Now run the handshake
307 if (expect_success) {
308 EXPECT_TRUE_WAIT((client_ssl_->GetState() == rtc::SS_OPEN)
309 && (server_ssl_->GetState() == rtc::SS_OPEN),
310 handshake_wait_);
311 } else {
312 EXPECT_TRUE_WAIT(client_ssl_->GetState() == rtc::SS_CLOSED,
313 handshake_wait_);
314 }
315 }
316
317 rtc::StreamResult DataWritten(SSLDummyStream *from, const void *data,
318 size_t data_len, size_t *written,
319 int *error) {
320 // Randomly drop loss_ percent of packets
321 if (rtc::CreateRandomId() % 100 < static_cast<uint32>(loss_)) {
322 LOG(LS_INFO) << "Randomly dropping packet, size=" << data_len;
323 *written = data_len;
324 return rtc::SR_SUCCESS;
325 }
326 if (dtls_ && (data_len > mtu_)) {
327 LOG(LS_INFO) << "Dropping packet > mtu, size=" << data_len;
328 *written = data_len;
329 return rtc::SR_SUCCESS;
330 }
331
332 // Optionally damage application data (type 23). Note that we don't damage
333 // handshake packets and we damage the last byte to keep the header
334 // intact but break the MAC.
335 if (damage_ && (*static_cast<const unsigned char *>(data) == 23)) {
336 std::vector<char> buf(data_len);
337
338 LOG(LS_INFO) << "Damaging packet";
339
340 memcpy(&buf[0], data, data_len);
341 buf[data_len - 1]++;
342
343 return from->WriteData(&buf[0], data_len, written, error);
344 }
345
346 return from->WriteData(data, data_len, written, error);
347 }
348
349 void SetDelay(int delay) {
350 delay_ = delay;
351 }
352 int GetDelay() { return delay_; }
353
354 void SetLoseFirstPacket(bool lose) {
355 lose_first_packet_ = lose;
356 }
357 bool GetLoseFirstPacket() { return lose_first_packet_; }
358
359 void SetLoss(int percent) {
360 loss_ = percent;
361 }
362
363 void SetDamage() {
364 damage_ = true;
365 }
366
367 void SetMtu(size_t mtu) {
368 mtu_ = mtu;
369 }
370
371 void SetHandshakeWait(int wait) {
372 handshake_wait_ = wait;
373 }
374
375 void SetDtlsSrtpCiphers(const std::vector<std::string> &ciphers,
376 bool client) {
377 if (client)
378 client_ssl_->SetDtlsSrtpCiphers(ciphers);
379 else
380 server_ssl_->SetDtlsSrtpCiphers(ciphers);
381 }
382
383 bool GetDtlsSrtpCipher(bool client, std::string *retval) {
384 if (client)
385 return client_ssl_->GetDtlsSrtpCipher(retval);
386 else
387 return server_ssl_->GetDtlsSrtpCipher(retval);
388 }
389
390 bool GetPeerCertificate(bool client, rtc::SSLCertificate** cert) {
391 if (client)
392 return client_ssl_->GetPeerCertificate(cert);
393 else
394 return server_ssl_->GetPeerCertificate(cert);
395 }
396
pthatcher@webrtc.org3ee4fe52015-02-11 22:34:36 +0000[diff] [blame]397 bool GetSslCipher(bool client, std::string *retval) {
398 if (client)
399 return client_ssl_->GetSslCipher(retval);
400 else
401 return server_ssl_->GetSslCipher(retval);
402 }
403
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]404 bool ExportKeyingMaterial(const char *label,
405 const unsigned char *context,
406 size_t context_len,
407 bool use_context,
408 bool client,
409 unsigned char *result,
410 size_t result_len) {
411 if (client)
412 return client_ssl_->ExportKeyingMaterial(label,
413 context, context_len,
414 use_context,
415 result, result_len);
416 else
417 return server_ssl_->ExportKeyingMaterial(label,
418 context, context_len,
419 use_context,
420 result, result_len);
421 }
422
423 // To be implemented by subclasses.
424 virtual void WriteData() = 0;
425 virtual void ReadData(rtc::StreamInterface *stream) = 0;
426 virtual void TestTransfer(int size) = 0;
427
428 protected:
429 rtc::FifoBuffer client_buffer_;
430 rtc::FifoBuffer server_buffer_;
431 SSLDummyStream *client_stream_; // freed by client_ssl_ destructor
432 SSLDummyStream *server_stream_; // freed by server_ssl_ destructor
433 rtc::scoped_ptr<rtc::SSLStreamAdapter> client_ssl_;
434 rtc::scoped_ptr<rtc::SSLStreamAdapter> server_ssl_;
435 rtc::SSLIdentity *client_identity_; // freed by client_ssl_ destructor
436 rtc::SSLIdentity *server_identity_; // freed by server_ssl_ destructor
437 int delay_;
438 size_t mtu_;
439 int loss_;
440 bool lose_first_packet_;
441 bool damage_;
442 bool dtls_;
443 int handshake_wait_;
444 bool identities_set_;
445};
446
447class SSLStreamAdapterTestTLS : public SSLStreamAdapterTestBase {
448 public:
449 SSLStreamAdapterTestTLS() :
450 SSLStreamAdapterTestBase("", "", false) {
451 };
452
453 // Test data transfer for TLS
454 virtual void TestTransfer(int size) {
455 LOG(LS_INFO) << "Starting transfer test with " << size << " bytes";
456 // Create some dummy data to send.
457 size_t received;
458
459 send_stream_.ReserveSize(size);
460 for (int i = 0; i < size; ++i) {
461 char ch = static_cast<char>(i);
462 send_stream_.Write(&ch, 1, NULL, NULL);
463 }
464 send_stream_.Rewind();
465
466 // Prepare the receive stream.
467 recv_stream_.ReserveSize(size);
468
469 // Start sending
470 WriteData();
471
472 // Wait for the client to close
473 EXPECT_TRUE_WAIT(server_ssl_->GetState() == rtc::SS_CLOSED, 10000);
474
475 // Now check the data
476 recv_stream_.GetSize(&received);
477
478 EXPECT_EQ(static_cast<size_t>(size), received);
479 EXPECT_EQ(0, memcmp(send_stream_.GetBuffer(),
480 recv_stream_.GetBuffer(), size));
481 }
482
483 void WriteData() {
484 size_t position, tosend, size;
485 rtc::StreamResult rv;
486 size_t sent;
487 char block[kBlockSize];
488
489 send_stream_.GetSize(&size);
490 if (!size)
491 return;
492
493 for (;;) {
494 send_stream_.GetPosition(&position);
495 if (send_stream_.Read(block, sizeof(block), &tosend, NULL) !=
496 rtc::SR_EOS) {
497 rv = client_ssl_->Write(block, tosend, &sent, 0);
498
499 if (rv == rtc::SR_SUCCESS) {
500 send_stream_.SetPosition(position + sent);
501 LOG(LS_VERBOSE) << "Sent: " << position + sent;
502 } else if (rv == rtc::SR_BLOCK) {
503 LOG(LS_VERBOSE) << "Blocked...";
504 send_stream_.SetPosition(position);
505 break;
506 } else {
507 ADD_FAILURE();
508 break;
509 }
510 } else {
511 // Now close
512 LOG(LS_INFO) << "Wrote " << position << " bytes. Closing";
513 client_ssl_->Close();
514 break;
515 }
516 }
517 };
518
519 virtual void ReadData(rtc::StreamInterface *stream) {
520 char buffer[1600];
521 size_t bread;
522 int err2;
523 rtc::StreamResult r;
524
525 for (;;) {
526 r = stream->Read(buffer, sizeof(buffer), &bread, &err2);
527
528 if (r == rtc::SR_ERROR || r == rtc::SR_EOS) {
529 // Unfortunately, errors are the way that the stream adapter
530 // signals close in OpenSSL
531 stream->Close();
532 return;
533 }
534
535 if (r == rtc::SR_BLOCK)
536 break;
537
538 ASSERT_EQ(rtc::SR_SUCCESS, r);
539 LOG(LS_INFO) << "Read " << bread;
540
541 recv_stream_.Write(buffer, bread, NULL, NULL);
542 }
543 }
544
545 private:
546 rtc::MemoryStream send_stream_;
547 rtc::MemoryStream recv_stream_;
548};
549
550class SSLStreamAdapterTestDTLS : public SSLStreamAdapterTestBase {
551 public:
552 SSLStreamAdapterTestDTLS() :
553 SSLStreamAdapterTestBase("", "", true),
554 packet_size_(1000), count_(0), sent_(0) {
555 }
556
557 SSLStreamAdapterTestDTLS(const std::string& cert_pem,
558 const std::string& private_key_pem) :
559 SSLStreamAdapterTestBase(cert_pem, private_key_pem, true),
560 packet_size_(1000), count_(0), sent_(0) {
561 }
562
563 virtual void WriteData() {
564 unsigned char *packet = new unsigned char[1600];
565
566 do {
567 memset(packet, sent_ & 0xff, packet_size_);
568 *(reinterpret_cast<uint32_t *>(packet)) = sent_;
569
570 size_t sent;
571 int rv = client_ssl_->Write(packet, packet_size_, &sent, 0);
572 if (rv == rtc::SR_SUCCESS) {
573 LOG(LS_VERBOSE) << "Sent: " << sent_;
574 sent_++;
575 } else if (rv == rtc::SR_BLOCK) {
576 LOG(LS_VERBOSE) << "Blocked...";
577 break;
578 } else {
579 ADD_FAILURE();
580 break;
581 }
582 } while (sent_ < count_);
583
584 delete [] packet;
585 }
586
587 virtual void ReadData(rtc::StreamInterface *stream) {
588 unsigned char buffer[2000];
589 size_t bread;
590 int err2;
591 rtc::StreamResult r;
592
593 for (;;) {
594 r = stream->Read(buffer, 2000, &bread, &err2);
595
596 if (r == rtc::SR_ERROR) {
597 // Unfortunately, errors are the way that the stream adapter
598 // signals close right now
599 stream->Close();
600 return;
601 }
602
603 if (r == rtc::SR_BLOCK)
604 break;
605
606 ASSERT_EQ(rtc::SR_SUCCESS, r);
607 LOG(LS_INFO) << "Read " << bread;
608
609 // Now parse the datagram
610 ASSERT_EQ(packet_size_, bread);
611 unsigned char* ptr_to_buffer = buffer;
612 uint32_t packet_num = *(reinterpret_cast<uint32_t *>(ptr_to_buffer));
613
614 for (size_t i = 4; i < packet_size_; i++) {
615 ASSERT_EQ((packet_num & 0xff), buffer[i]);
616 }
617 received_.insert(packet_num);
618 }
619 }
620
621 virtual void TestTransfer(int count) {
622 count_ = count;
623
624 WriteData();
625
626 EXPECT_TRUE_WAIT(sent_ == count_, 10000);
627 LOG(LS_INFO) << "sent_ == " << sent_;
628
629 if (damage_) {
630 WAIT(false, 2000);
631 EXPECT_EQ(0U, received_.size());
632 } else if (loss_ == 0) {
633 EXPECT_EQ_WAIT(static_cast<size_t>(sent_), received_.size(), 1000);
634 } else {
635 LOG(LS_INFO) << "Sent " << sent_ << " packets; received " <<
636 received_.size();
637 }
638 };
639
640 private:
641 size_t packet_size_;
642 int count_;
643 int sent_;
644 std::set<int> received_;
645};
646
647
648rtc::StreamResult SSLDummyStream::Write(const void* data, size_t data_len,
649 size_t* written, int* error) {
650 *written = data_len;
651
652 LOG(LS_INFO) << "Writing to loopback " << data_len;
653
654 if (first_packet_) {
655 first_packet_ = false;
656 if (test_->GetLoseFirstPacket()) {
657 LOG(LS_INFO) << "Losing initial packet of length " << data_len;
658 return rtc::SR_SUCCESS;
659 }
660 }
661
662 return test_->DataWritten(this, data, data_len, written, error);
663
664 return rtc::SR_SUCCESS;
665};
666
667class SSLStreamAdapterTestDTLSFromPEMStrings : public SSLStreamAdapterTestDTLS {
668 public:
669 SSLStreamAdapterTestDTLSFromPEMStrings() :
670 SSLStreamAdapterTestDTLS(kCERT_PEM, kRSA_PRIVATE_KEY_PEM) {
671 }
672};
673
674// Basic tests: TLS
675
676// Test that we cannot read/write if we have not yet handshaked.
677// This test only applies to NSS because OpenSSL has passthrough
678// semantics for I/O before the handshake is started.
679#if SSL_USE_NSS
680TEST_F(SSLStreamAdapterTestTLS, TestNoReadWriteBeforeConnect) {
681 rtc::StreamResult rv;
682 char block[kBlockSize];
683 size_t dummy;
684
685 rv = client_ssl_->Write(block, sizeof(block), &dummy, NULL);
686 ASSERT_EQ(rtc::SR_BLOCK, rv);
687
688 rv = client_ssl_->Read(block, sizeof(block), &dummy, NULL);
689 ASSERT_EQ(rtc::SR_BLOCK, rv);
690}
691#endif
692
693
694// Test that we can make a handshake work
695TEST_F(SSLStreamAdapterTestTLS, TestTLSConnect) {
696 TestHandshake();
697};
698
jiayl@webrtc.orgf1d751c2014-09-25 16:38:46 +0000[diff] [blame]699// Test that closing the connection on one side updates the other side.
700TEST_F(SSLStreamAdapterTestTLS, TestTLSClose) {
701 TestHandshake();
702 client_ssl_->Close();
703 EXPECT_EQ_WAIT(rtc::SS_CLOSED, server_ssl_->GetState(), handshake_wait_);
704};
705
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]706// Test transfer -- trivial
707TEST_F(SSLStreamAdapterTestTLS, TestTLSTransfer) {
708 TestHandshake();
709 TestTransfer(100000);
710};
711
712// Test read-write after close.
713TEST_F(SSLStreamAdapterTestTLS, ReadWriteAfterClose) {
714 TestHandshake();
715 TestTransfer(100000);
716 client_ssl_->Close();
717
718 rtc::StreamResult rv;
719 char block[kBlockSize];
720 size_t dummy;
721
722 // It's an error to write after closed.
723 rv = client_ssl_->Write(block, sizeof(block), &dummy, NULL);
724 ASSERT_EQ(rtc::SR_ERROR, rv);
725
726 // But after closed read gives you EOS.
727 rv = client_ssl_->Read(block, sizeof(block), &dummy, NULL);
728 ASSERT_EQ(rtc::SR_EOS, rv);
729};
730
731// Test a handshake with a bogus peer digest
732TEST_F(SSLStreamAdapterTestTLS, TestTLSBogusDigest) {
733 SetPeerIdentitiesByDigest(false);
734 TestHandshake(false);
735};
736
737// Test moving a bunch of data
738
739// Basic tests: DTLS
740// Test that we can make a handshake work
741TEST_F(SSLStreamAdapterTestDTLS, TestDTLSConnect) {
742 MAYBE_SKIP_TEST(HaveDtls);
743 TestHandshake();
744};
745
746// Test that we can make a handshake work if the first packet in
747// each direction is lost. This gives us predictable loss
748// rather than having to tune random
749TEST_F(SSLStreamAdapterTestDTLS, TestDTLSConnectWithLostFirstPacket) {
750 MAYBE_SKIP_TEST(HaveDtls);
751 SetLoseFirstPacket(true);
752 TestHandshake();
753};
754
755// Test a handshake with loss and delay
756TEST_F(SSLStreamAdapterTestDTLS,
757 TestDTLSConnectWithLostFirstPacketDelay2s) {
758 MAYBE_SKIP_TEST(HaveDtls);
759 SetLoseFirstPacket(true);
760 SetDelay(2000);
761 SetHandshakeWait(20000);
762 TestHandshake();
763};
764
765// Test a handshake with small MTU
pbos@webrtc.org127ca3f2014-10-09 07:52:03 +0000[diff] [blame]766// Disabled due to https://code.google.com/p/webrtc/issues/detail?id=3910
767TEST_F(SSLStreamAdapterTestDTLS, DISABLED_TestDTLSConnectWithSmallMtu) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]768 MAYBE_SKIP_TEST(HaveDtls);
769 SetMtu(700);
770 SetHandshakeWait(20000);
771 TestHandshake();
772};
773
774// Test transfer -- trivial
775TEST_F(SSLStreamAdapterTestDTLS, TestDTLSTransfer) {
776 MAYBE_SKIP_TEST(HaveDtls);
777 TestHandshake();
778 TestTransfer(100);
779};
780
781TEST_F(SSLStreamAdapterTestDTLS, TestDTLSTransferWithLoss) {
782 MAYBE_SKIP_TEST(HaveDtls);
783 TestHandshake();
784 SetLoss(10);
785 TestTransfer(100);
786};
787
788TEST_F(SSLStreamAdapterTestDTLS, TestDTLSTransferWithDamage) {
789 MAYBE_SKIP_TEST(HaveDtls);
790 SetDamage(); // Must be called first because first packet
791 // write happens at end of handshake.
792 TestHandshake();
793 TestTransfer(100);
794};
795
796// Test DTLS-SRTP with all high ciphers
797TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpHigh) {
798 MAYBE_SKIP_TEST(HaveDtlsSrtp);
799 std::vector<std::string> high;
800 high.push_back(kAES_CM_HMAC_SHA1_80);
801 SetDtlsSrtpCiphers(high, true);
802 SetDtlsSrtpCiphers(high, false);
803 TestHandshake();
804
805 std::string client_cipher;
806 ASSERT_TRUE(GetDtlsSrtpCipher(true, &client_cipher));
807 std::string server_cipher;
808 ASSERT_TRUE(GetDtlsSrtpCipher(false, &server_cipher));
809
810 ASSERT_EQ(client_cipher, server_cipher);
811 ASSERT_EQ(client_cipher, kAES_CM_HMAC_SHA1_80);
812};
813
814// Test DTLS-SRTP with all low ciphers
815TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpLow) {
816 MAYBE_SKIP_TEST(HaveDtlsSrtp);
817 std::vector<std::string> low;
818 low.push_back(kAES_CM_HMAC_SHA1_32);
819 SetDtlsSrtpCiphers(low, true);
820 SetDtlsSrtpCiphers(low, false);
821 TestHandshake();
822
823 std::string client_cipher;
824 ASSERT_TRUE(GetDtlsSrtpCipher(true, &client_cipher));
825 std::string server_cipher;
826 ASSERT_TRUE(GetDtlsSrtpCipher(false, &server_cipher));
827
828 ASSERT_EQ(client_cipher, server_cipher);
829 ASSERT_EQ(client_cipher, kAES_CM_HMAC_SHA1_32);
830};
831
832
833// Test DTLS-SRTP with a mismatch -- should not converge
834TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpHighLow) {
835 MAYBE_SKIP_TEST(HaveDtlsSrtp);
836 std::vector<std::string> high;
837 high.push_back(kAES_CM_HMAC_SHA1_80);
838 std::vector<std::string> low;
839 low.push_back(kAES_CM_HMAC_SHA1_32);
840 SetDtlsSrtpCiphers(high, true);
841 SetDtlsSrtpCiphers(low, false);
842 TestHandshake();
843
844 std::string client_cipher;
845 ASSERT_FALSE(GetDtlsSrtpCipher(true, &client_cipher));
846 std::string server_cipher;
847 ASSERT_FALSE(GetDtlsSrtpCipher(false, &server_cipher));
848};
849
850// Test DTLS-SRTP with each side being mixed -- should select high
851TEST_F(SSLStreamAdapterTestDTLS, TestDTLSSrtpMixed) {
852 MAYBE_SKIP_TEST(HaveDtlsSrtp);
853 std::vector<std::string> mixed;
854 mixed.push_back(kAES_CM_HMAC_SHA1_80);
855 mixed.push_back(kAES_CM_HMAC_SHA1_32);
856 SetDtlsSrtpCiphers(mixed, true);
857 SetDtlsSrtpCiphers(mixed, false);
858 TestHandshake();
859
860 std::string client_cipher;
861 ASSERT_TRUE(GetDtlsSrtpCipher(true, &client_cipher));
862 std::string server_cipher;
863 ASSERT_TRUE(GetDtlsSrtpCipher(false, &server_cipher));
864
865 ASSERT_EQ(client_cipher, server_cipher);
866 ASSERT_EQ(client_cipher, kAES_CM_HMAC_SHA1_80);
867};
868
869// Test an exporter
870TEST_F(SSLStreamAdapterTestDTLS, TestDTLSExporter) {
871 MAYBE_SKIP_TEST(HaveExporter);
872 TestHandshake();
873 unsigned char client_out[20];
874 unsigned char server_out[20];
875
876 bool result;
877 result = ExportKeyingMaterial(kExporterLabel,
878 kExporterContext, kExporterContextLen,
879 true, true,
880 client_out, sizeof(client_out));
881 ASSERT_TRUE(result);
882
883 result = ExportKeyingMaterial(kExporterLabel,
884 kExporterContext, kExporterContextLen,
885 true, false,
886 server_out, sizeof(server_out));
887 ASSERT_TRUE(result);
888
889 ASSERT_TRUE(!memcmp(client_out, server_out, sizeof(client_out)));
890}
891
892// Test not yet valid certificates are not rejected.
893TEST_F(SSLStreamAdapterTestDTLS, TestCertNotYetValid) {
894 MAYBE_SKIP_TEST(HaveDtls);
895 long one_day = 60 * 60 * 24;
896 // Make the certificates not valid until one day later.
897 ResetIdentitiesWithValidity(one_day, one_day);
898 TestHandshake();
899}
900
901// Test expired certificates are not rejected.
902TEST_F(SSLStreamAdapterTestDTLS, TestCertExpired) {
903 MAYBE_SKIP_TEST(HaveDtls);
904 long one_day = 60 * 60 * 24;
905 // Make the certificates already expired.
906 ResetIdentitiesWithValidity(-one_day, -one_day);
907 TestHandshake();
908}
909
910// Test data transfer using certs created from strings.
911TEST_F(SSLStreamAdapterTestDTLSFromPEMStrings, TestTransfer) {
912 MAYBE_SKIP_TEST(HaveDtls);
913 TestHandshake();
914 TestTransfer(100);
915}
916
917// Test getting the remote certificate.
918TEST_F(SSLStreamAdapterTestDTLSFromPEMStrings, TestDTLSGetPeerCertificate) {
919 MAYBE_SKIP_TEST(HaveDtls);
920
921 // Peer certificates haven't been received yet.
922 rtc::scoped_ptr<rtc::SSLCertificate> client_peer_cert;
923 ASSERT_FALSE(GetPeerCertificate(true, client_peer_cert.accept()));
924 ASSERT_FALSE(client_peer_cert != NULL);
925
926 rtc::scoped_ptr<rtc::SSLCertificate> server_peer_cert;
927 ASSERT_FALSE(GetPeerCertificate(false, server_peer_cert.accept()));
928 ASSERT_FALSE(server_peer_cert != NULL);
929
930 TestHandshake();
931
932 // The client should have a peer certificate after the handshake.
933 ASSERT_TRUE(GetPeerCertificate(true, client_peer_cert.accept()));
934 ASSERT_TRUE(client_peer_cert != NULL);
935
936 // It's not kCERT_PEM.
937 std::string client_peer_string = client_peer_cert->ToPEMString();
938 ASSERT_NE(kCERT_PEM, client_peer_string);
939
940 // It must not have a chain, because the test certs are self-signed.
941 rtc::SSLCertChain* client_peer_chain;
942 ASSERT_FALSE(client_peer_cert->GetChain(&client_peer_chain));
943
944 // The server should have a peer certificate after the handshake.
945 ASSERT_TRUE(GetPeerCertificate(false, server_peer_cert.accept()));
946 ASSERT_TRUE(server_peer_cert != NULL);
947
948 // It's kCERT_PEM
949 ASSERT_EQ(kCERT_PEM, server_peer_cert->ToPEMString());
950
951 // It must not have a chain, because the test certs are self-signed.
952 rtc::SSLCertChain* server_peer_chain;
953 ASSERT_FALSE(server_peer_cert->GetChain(&server_peer_chain));
954}
pthatcher@webrtc.org3ee4fe52015-02-11 22:34:36 +0000[diff] [blame]955
956// Test getting the used DTLS ciphers.
Joachim Bauch831c5582015-05-20 12:48:41 +0200[diff] [blame^]957// DTLS 1.2 enabled for neither client nor server -> DTLS 1.0 will be used.
pthatcher@webrtc.org3ee4fe52015-02-11 22:34:36 +0000[diff] [blame]958TEST_F(SSLStreamAdapterTestDTLS, TestGetSslCipher) {
959 MAYBE_SKIP_TEST(HaveDtls);
Joachim Bauch831c5582015-05-20 12:48:41 +0200[diff] [blame^]960 SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
pthatcher@webrtc.org3ee4fe52015-02-11 22:34:36 +0000[diff] [blame]961 TestHandshake();
962
963 std::string client_cipher;
964 ASSERT_TRUE(GetSslCipher(true, &client_cipher));
965 std::string server_cipher;
966 ASSERT_TRUE(GetSslCipher(false, &server_cipher));
967
968 ASSERT_EQ(client_cipher, server_cipher);
Joachim Bauch831c5582015-05-20 12:48:41 +0200[diff] [blame^]969 ASSERT_EQ(
970 rtc::SSLStreamAdapter::GetDefaultSslCipher(rtc::SSL_PROTOCOL_DTLS_10),
971 client_cipher);
972}
973
974// Test getting the used DTLS 1.2 ciphers.
975// DTLS 1.2 enabled for client and server -> DTLS 1.2 will be used.
976TEST_F(SSLStreamAdapterTestDTLS, TestGetSslCipherDtls12Both) {
977 MAYBE_SKIP_TEST(HaveDtls);
978 SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12);
979 TestHandshake();
980
981 std::string client_cipher;
982 ASSERT_TRUE(GetSslCipher(true, &client_cipher));
983 std::string server_cipher;
984 ASSERT_TRUE(GetSslCipher(false, &server_cipher));
985
986 ASSERT_EQ(client_cipher, server_cipher);
987 ASSERT_EQ(
988 rtc::SSLStreamAdapter::GetDefaultSslCipher(rtc::SSL_PROTOCOL_DTLS_12),
989 client_cipher);
990}
991
992// DTLS 1.2 enabled for client only -> DTLS 1.0 will be used.
993TEST_F(SSLStreamAdapterTestDTLS, TestGetSslCipherDtls12Client) {
994 MAYBE_SKIP_TEST(HaveDtls);
995 SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_12);
996 TestHandshake();
997
998 std::string client_cipher;
999 ASSERT_TRUE(GetSslCipher(true, &client_cipher));
1000 std::string server_cipher;
1001 ASSERT_TRUE(GetSslCipher(false, &server_cipher));
1002
1003 ASSERT_EQ(client_cipher, server_cipher);
1004 ASSERT_EQ(
1005 rtc::SSLStreamAdapter::GetDefaultSslCipher(rtc::SSL_PROTOCOL_DTLS_10),
1006 client_cipher);
1007}
1008
1009// DTLS 1.2 enabled for server only -> DTLS 1.0 will be used.
1010TEST_F(SSLStreamAdapterTestDTLS, TestGetSslCipherDtls12Server) {
1011 MAYBE_SKIP_TEST(HaveDtls);
1012 SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_10);
1013 TestHandshake();
1014
1015 std::string client_cipher;
1016 ASSERT_TRUE(GetSslCipher(true, &client_cipher));
1017 std::string server_cipher;
1018 ASSERT_TRUE(GetSslCipher(false, &server_cipher));
1019
1020 ASSERT_EQ(client_cipher, server_cipher);
1021 ASSERT_EQ(
1022 rtc::SSLStreamAdapter::GetDefaultSslCipher(rtc::SSL_PROTOCOL_DTLS_10),
1023 client_cipher);
pthatcher@webrtc.org3ee4fe52015-02-11 22:34:36 +0000[diff] [blame]1024}