dtlstransportchannel_unittest.cc revision 2f042f26a3d0c062c43dc553058a286bd4dd8f19
1/* 2 * Copyright 2011 The WebRTC Project Authors. All rights reserved. 3 * 4 * Use of this source code is governed by a BSD-style license 5 * that can be found in the LICENSE file in the root of the source 6 * tree. An additional intellectual property rights grant can be found 7 * in the file PATENTS. All contributing project authors may 8 * be found in the AUTHORS file in the root of the source tree. 9 */ 10 11#include <set> 12 13#include "webrtc/p2p/base/dtlstransport.h" 14#include "webrtc/p2p/base/faketransportcontroller.h" 15#include "webrtc/base/common.h" 16#include "webrtc/base/dscp.h" 17#include "webrtc/base/gunit.h" 18#include "webrtc/base/helpers.h" 19#include "webrtc/base/scoped_ptr.h" 20#include "webrtc/base/ssladapter.h" 21#include "webrtc/base/sslidentity.h" 22#include "webrtc/base/sslstreamadapter.h" 23#include "webrtc/base/stringutils.h" 24 25#define MAYBE_SKIP_TEST(feature) \ 26 if (!(rtc::SSLStreamAdapter::feature())) { \ 27 LOG(LS_INFO) << "Feature disabled... skipping"; \ 28 return; \ 29 } 30 31static const char kIceUfrag1[] = "TESTICEUFRAG0001"; 32static const char kIcePwd1[] = "TESTICEPWD00000000000001"; 33static const size_t kPacketNumOffset = 8; 34static const size_t kPacketHeaderLen = 12; 35static const int kFakePacketId = 0x1234; 36 37static bool IsRtpLeadByte(uint8_t b) { 38 return ((b & 0xC0) == 0x80); 39} 40 41using cricket::ConnectionRole; 42 43enum Flags { NF_REOFFER = 0x1, NF_EXPECT_FAILURE = 0x2 }; 44 45class DtlsTestClient : public sigslot::has_slots<> { 46 public: 47 DtlsTestClient(const std::string& name) 48 : name_(name), 49 packet_size_(0), 50 use_dtls_srtp_(false), 51 ssl_max_version_(rtc::SSL_PROTOCOL_DTLS_10), 52 negotiated_dtls_(false), 53 received_dtls_client_hello_(false), 54 received_dtls_server_hello_(false) {} 55 void CreateCertificate(rtc::KeyType key_type) { 56 certificate_ = 57 rtc::RTCCertificate::Create(rtc::scoped_ptr<rtc::SSLIdentity>( 58 rtc::SSLIdentity::Generate(name_, key_type))); 59 } 60 const rtc::scoped_refptr<rtc::RTCCertificate>& certificate() { 61 return certificate_; 62 } 63 void SetupSrtp() { 64 ASSERT(certificate_); 65 use_dtls_srtp_ = true; 66 } 67 void SetupMaxProtocolVersion(rtc::SSLProtocolVersion version) { 68 ASSERT(!transport_); 69 ssl_max_version_ = version; 70 } 71 void SetupChannels(int count, cricket::IceRole role) { 72 transport_.reset(new cricket::DtlsTransport<cricket::FakeTransport>( 73 "dtls content name", nullptr, certificate_)); 74 transport_->SetAsync(true); 75 transport_->SetIceRole(role); 76 transport_->SetIceTiebreaker( 77 (role == cricket::ICEROLE_CONTROLLING) ? 1 : 2); 78 79 for (int i = 0; i < count; ++i) { 80 cricket::DtlsTransportChannelWrapper* channel = 81 static_cast<cricket::DtlsTransportChannelWrapper*>( 82 transport_->CreateChannel(i)); 83 ASSERT_TRUE(channel != NULL); 84 channel->SetSslMaxProtocolVersion(ssl_max_version_); 85 channel->SignalWritableState.connect(this, 86 &DtlsTestClient::OnTransportChannelWritableState); 87 channel->SignalReadPacket.connect(this, 88 &DtlsTestClient::OnTransportChannelReadPacket); 89 channel->SignalSentPacket.connect( 90 this, &DtlsTestClient::OnTransportChannelSentPacket); 91 channels_.push_back(channel); 92 93 // Hook the raw packets so that we can verify they are encrypted. 94 channel->channel()->SignalReadPacket.connect( 95 this, &DtlsTestClient::OnFakeTransportChannelReadPacket); 96 } 97 } 98 99 cricket::Transport* transport() { return transport_.get(); } 100 101 cricket::FakeTransportChannel* GetFakeChannel(int component) { 102 cricket::TransportChannelImpl* ch = transport_->GetChannel(component); 103 cricket::DtlsTransportChannelWrapper* wrapper = 104 static_cast<cricket::DtlsTransportChannelWrapper*>(ch); 105 return (wrapper) ? 106 static_cast<cricket::FakeTransportChannel*>(wrapper->channel()) : NULL; 107 } 108 109 // Offer DTLS if we have an identity; pass in a remote fingerprint only if 110 // both sides support DTLS. 111 void Negotiate(DtlsTestClient* peer, cricket::ContentAction action, 112 ConnectionRole local_role, ConnectionRole remote_role, 113 int flags) { 114 Negotiate(certificate_, certificate_ ? peer->certificate_ : nullptr, action, 115 local_role, remote_role, flags); 116 } 117 118 // Allow any DTLS configuration to be specified (including invalid ones). 119 void Negotiate(const rtc::scoped_refptr<rtc::RTCCertificate>& local_cert, 120 const rtc::scoped_refptr<rtc::RTCCertificate>& remote_cert, 121 cricket::ContentAction action, 122 ConnectionRole local_role, 123 ConnectionRole remote_role, 124 int flags) { 125 rtc::scoped_ptr<rtc::SSLFingerprint> local_fingerprint; 126 rtc::scoped_ptr<rtc::SSLFingerprint> remote_fingerprint; 127 if (local_cert) { 128 std::string digest_algorithm; 129 ASSERT_TRUE(local_cert->ssl_certificate().GetSignatureDigestAlgorithm( 130 &digest_algorithm)); 131 ASSERT_FALSE(digest_algorithm.empty()); 132 local_fingerprint.reset(rtc::SSLFingerprint::Create( 133 digest_algorithm, local_cert->identity())); 134 ASSERT_TRUE(local_fingerprint.get() != NULL); 135 EXPECT_EQ(rtc::DIGEST_SHA_256, digest_algorithm); 136 } 137 if (remote_cert) { 138 std::string digest_algorithm; 139 ASSERT_TRUE(remote_cert->ssl_certificate().GetSignatureDigestAlgorithm( 140 &digest_algorithm)); 141 ASSERT_FALSE(digest_algorithm.empty()); 142 remote_fingerprint.reset(rtc::SSLFingerprint::Create( 143 digest_algorithm, remote_cert->identity())); 144 ASSERT_TRUE(remote_fingerprint.get() != NULL); 145 EXPECT_EQ(rtc::DIGEST_SHA_256, digest_algorithm); 146 } 147 148 if (use_dtls_srtp_ && !(flags & NF_REOFFER)) { 149 // SRTP ciphers will be set only in the beginning. 150 for (std::vector<cricket::DtlsTransportChannelWrapper*>::iterator it = 151 channels_.begin(); it != channels_.end(); ++it) { 152 std::vector<int> ciphers; 153 ciphers.push_back(rtc::SRTP_AES128_CM_SHA1_80); 154 ASSERT_TRUE((*it)->SetSrtpCryptoSuites(ciphers)); 155 } 156 } 157 158 cricket::TransportDescription local_desc( 159 std::vector<std::string>(), kIceUfrag1, kIcePwd1, cricket::ICEMODE_FULL, 160 local_role, 161 // If remote if the offerer and has no DTLS support, answer will be 162 // without any fingerprint. 163 (action == cricket::CA_ANSWER && !remote_cert) 164 ? nullptr 165 : local_fingerprint.get(), 166 cricket::Candidates()); 167 168 cricket::TransportDescription remote_desc( 169 std::vector<std::string>(), kIceUfrag1, kIcePwd1, cricket::ICEMODE_FULL, 170 remote_role, remote_fingerprint.get(), cricket::Candidates()); 171 172 bool expect_success = (flags & NF_EXPECT_FAILURE) ? false : true; 173 // If |expect_success| is false, expect SRTD or SLTD to fail when 174 // content action is CA_ANSWER. 175 if (action == cricket::CA_OFFER) { 176 ASSERT_TRUE(transport_->SetLocalTransportDescription( 177 local_desc, cricket::CA_OFFER, NULL)); 178 ASSERT_EQ(expect_success, transport_->SetRemoteTransportDescription( 179 remote_desc, cricket::CA_ANSWER, NULL)); 180 } else { 181 ASSERT_TRUE(transport_->SetRemoteTransportDescription( 182 remote_desc, cricket::CA_OFFER, NULL)); 183 ASSERT_EQ(expect_success, transport_->SetLocalTransportDescription( 184 local_desc, cricket::CA_ANSWER, NULL)); 185 } 186 negotiated_dtls_ = (local_cert && remote_cert); 187 } 188 189 bool Connect(DtlsTestClient* peer) { 190 transport_->ConnectChannels(); 191 transport_->SetDestination(peer->transport_.get()); 192 return true; 193 } 194 195 bool all_channels_writable() const { 196 if (channels_.empty()) { 197 return false; 198 } 199 for (cricket::DtlsTransportChannelWrapper* channel : channels_) { 200 if (!channel->writable()) { 201 return false; 202 } 203 } 204 return true; 205 } 206 207 void CheckRole(rtc::SSLRole role) { 208 if (role == rtc::SSL_CLIENT) { 209 ASSERT_FALSE(received_dtls_client_hello_); 210 ASSERT_TRUE(received_dtls_server_hello_); 211 } else { 212 ASSERT_TRUE(received_dtls_client_hello_); 213 ASSERT_FALSE(received_dtls_server_hello_); 214 } 215 } 216 217 void CheckSrtp(int expected_crypto_suite) { 218 for (std::vector<cricket::DtlsTransportChannelWrapper*>::iterator it = 219 channels_.begin(); it != channels_.end(); ++it) { 220 int crypto_suite; 221 222 bool rv = (*it)->GetSrtpCryptoSuite(&crypto_suite); 223 if (negotiated_dtls_ && expected_crypto_suite) { 224 ASSERT_TRUE(rv); 225 226 ASSERT_EQ(crypto_suite, expected_crypto_suite); 227 } else { 228 ASSERT_FALSE(rv); 229 } 230 } 231 } 232 233 void CheckSsl(int expected_cipher) { 234 for (std::vector<cricket::DtlsTransportChannelWrapper*>::iterator it = 235 channels_.begin(); it != channels_.end(); ++it) { 236 int cipher; 237 238 bool rv = (*it)->GetSslCipherSuite(&cipher); 239 if (negotiated_dtls_ && expected_cipher) { 240 ASSERT_TRUE(rv); 241 242 ASSERT_EQ(cipher, expected_cipher); 243 } else { 244 ASSERT_FALSE(rv); 245 } 246 } 247 } 248 249 void SendPackets(size_t channel, size_t size, size_t count, bool srtp) { 250 ASSERT(channel < channels_.size()); 251 rtc::scoped_ptr<char[]> packet(new char[size]); 252 size_t sent = 0; 253 do { 254 // Fill the packet with a known value and a sequence number to check 255 // against, and make sure that it doesn't look like DTLS. 256 memset(packet.get(), sent & 0xff, size); 257 packet[0] = (srtp) ? 0x80 : 0x00; 258 rtc::SetBE32(packet.get() + kPacketNumOffset, 259 static_cast<uint32_t>(sent)); 260 261 // Only set the bypass flag if we've activated DTLS. 262 int flags = (certificate_ && srtp) ? cricket::PF_SRTP_BYPASS : 0; 263 rtc::PacketOptions packet_options; 264 packet_options.packet_id = kFakePacketId; 265 int rv = channels_[channel]->SendPacket( 266 packet.get(), size, packet_options, flags); 267 ASSERT_GT(rv, 0); 268 ASSERT_EQ(size, static_cast<size_t>(rv)); 269 ++sent; 270 } while (sent < count); 271 } 272 273 int SendInvalidSrtpPacket(size_t channel, size_t size) { 274 ASSERT(channel < channels_.size()); 275 rtc::scoped_ptr<char[]> packet(new char[size]); 276 // Fill the packet with 0 to form an invalid SRTP packet. 277 memset(packet.get(), 0, size); 278 279 rtc::PacketOptions packet_options; 280 return channels_[channel]->SendPacket( 281 packet.get(), size, packet_options, cricket::PF_SRTP_BYPASS); 282 } 283 284 void ExpectPackets(size_t channel, size_t size) { 285 packet_size_ = size; 286 received_.clear(); 287 } 288 289 size_t NumPacketsReceived() { 290 return received_.size(); 291 } 292 293 bool VerifyPacket(const char* data, size_t size, uint32_t* out_num) { 294 if (size != packet_size_ || 295 (data[0] != 0 && static_cast<uint8_t>(data[0]) != 0x80)) { 296 return false; 297 } 298 uint32_t packet_num = rtc::GetBE32(data + kPacketNumOffset); 299 for (size_t i = kPacketHeaderLen; i < size; ++i) { 300 if (static_cast<uint8_t>(data[i]) != (packet_num & 0xff)) { 301 return false; 302 } 303 } 304 if (out_num) { 305 *out_num = packet_num; 306 } 307 return true; 308 } 309 bool VerifyEncryptedPacket(const char* data, size_t size) { 310 // This is an encrypted data packet; let's make sure it's mostly random; 311 // less than 10% of the bytes should be equal to the cleartext packet. 312 if (size <= packet_size_) { 313 return false; 314 } 315 uint32_t packet_num = rtc::GetBE32(data + kPacketNumOffset); 316 int num_matches = 0; 317 for (size_t i = kPacketNumOffset; i < size; ++i) { 318 if (static_cast<uint8_t>(data[i]) == (packet_num & 0xff)) { 319 ++num_matches; 320 } 321 } 322 return (num_matches < ((static_cast<int>(size) - 5) / 10)); 323 } 324 325 // Transport channel callbacks 326 void OnTransportChannelWritableState(cricket::TransportChannel* channel) { 327 LOG(LS_INFO) << name_ << ": Channel '" << channel->component() 328 << "' is writable"; 329 } 330 331 void OnTransportChannelReadPacket(cricket::TransportChannel* channel, 332 const char* data, size_t size, 333 const rtc::PacketTime& packet_time, 334 int flags) { 335 uint32_t packet_num = 0; 336 ASSERT_TRUE(VerifyPacket(data, size, &packet_num)); 337 received_.insert(packet_num); 338 // Only DTLS-SRTP packets should have the bypass flag set. 339 int expected_flags = 340 (certificate_ && IsRtpLeadByte(data[0])) ? cricket::PF_SRTP_BYPASS : 0; 341 ASSERT_EQ(expected_flags, flags); 342 } 343 344 void OnTransportChannelSentPacket(cricket::TransportChannel* channel, 345 const rtc::SentPacket& sent_packet) { 346 sent_packet_ = sent_packet; 347 } 348 349 rtc::SentPacket sent_packet() const { return sent_packet_; } 350 351 // Hook into the raw packet stream to make sure DTLS packets are encrypted. 352 void OnFakeTransportChannelReadPacket(cricket::TransportChannel* channel, 353 const char* data, size_t size, 354 const rtc::PacketTime& time, 355 int flags) { 356 // Flags shouldn't be set on the underlying TransportChannel packets. 357 ASSERT_EQ(0, flags); 358 359 // Look at the handshake packets to see what role we played. 360 // Check that non-handshake packets are DTLS data or SRTP bypass. 361 if (negotiated_dtls_) { 362 if (data[0] == 22 && size > 17) { 363 if (data[13] == 1) { 364 received_dtls_client_hello_ = true; 365 } else if (data[13] == 2) { 366 received_dtls_server_hello_ = true; 367 } 368 } else if (!(data[0] >= 20 && data[0] <= 22)) { 369 ASSERT_TRUE(data[0] == 23 || IsRtpLeadByte(data[0])); 370 if (data[0] == 23) { 371 ASSERT_TRUE(VerifyEncryptedPacket(data, size)); 372 } else if (IsRtpLeadByte(data[0])) { 373 ASSERT_TRUE(VerifyPacket(data, size, NULL)); 374 } 375 } 376 } 377 } 378 379 private: 380 std::string name_; 381 rtc::scoped_refptr<rtc::RTCCertificate> certificate_; 382 rtc::scoped_ptr<cricket::FakeTransport> transport_; 383 std::vector<cricket::DtlsTransportChannelWrapper*> channels_; 384 size_t packet_size_; 385 std::set<int> received_; 386 bool use_dtls_srtp_; 387 rtc::SSLProtocolVersion ssl_max_version_; 388 bool negotiated_dtls_; 389 bool received_dtls_client_hello_; 390 bool received_dtls_server_hello_; 391 rtc::SentPacket sent_packet_; 392}; 393 394 395class DtlsTransportChannelTest : public testing::Test { 396 public: 397 DtlsTransportChannelTest() 398 : client1_("P1"), 399 client2_("P2"), 400 channel_ct_(1), 401 use_dtls_(false), 402 use_dtls_srtp_(false), 403 ssl_expected_version_(rtc::SSL_PROTOCOL_DTLS_10) {} 404 405 void SetChannelCount(size_t channel_ct) { 406 channel_ct_ = static_cast<int>(channel_ct); 407 } 408 void SetMaxProtocolVersions(rtc::SSLProtocolVersion c1, 409 rtc::SSLProtocolVersion c2) { 410 client1_.SetupMaxProtocolVersion(c1); 411 client2_.SetupMaxProtocolVersion(c2); 412 ssl_expected_version_ = std::min(c1, c2); 413 } 414 void PrepareDtls(bool c1, bool c2, rtc::KeyType key_type) { 415 if (c1) { 416 client1_.CreateCertificate(key_type); 417 } 418 if (c2) { 419 client2_.CreateCertificate(key_type); 420 } 421 if (c1 && c2) 422 use_dtls_ = true; 423 } 424 void PrepareDtlsSrtp(bool c1, bool c2) { 425 if (!use_dtls_) 426 return; 427 428 if (c1) 429 client1_.SetupSrtp(); 430 if (c2) 431 client2_.SetupSrtp(); 432 433 if (c1 && c2) 434 use_dtls_srtp_ = true; 435 } 436 437 bool Connect(ConnectionRole client1_role, ConnectionRole client2_role) { 438 Negotiate(client1_role, client2_role); 439 440 bool rv = client1_.Connect(&client2_); 441 EXPECT_TRUE(rv); 442 if (!rv) 443 return false; 444 445 EXPECT_TRUE_WAIT( 446 client1_.all_channels_writable() && client2_.all_channels_writable(), 447 10000); 448 if (!client1_.all_channels_writable() || !client2_.all_channels_writable()) 449 return false; 450 451 // Check that we used the right roles. 452 if (use_dtls_) { 453 rtc::SSLRole client1_ssl_role = 454 (client1_role == cricket::CONNECTIONROLE_ACTIVE || 455 (client2_role == cricket::CONNECTIONROLE_PASSIVE && 456 client1_role == cricket::CONNECTIONROLE_ACTPASS)) ? 457 rtc::SSL_CLIENT : rtc::SSL_SERVER; 458 459 rtc::SSLRole client2_ssl_role = 460 (client2_role == cricket::CONNECTIONROLE_ACTIVE || 461 (client1_role == cricket::CONNECTIONROLE_PASSIVE && 462 client2_role == cricket::CONNECTIONROLE_ACTPASS)) ? 463 rtc::SSL_CLIENT : rtc::SSL_SERVER; 464 465 client1_.CheckRole(client1_ssl_role); 466 client2_.CheckRole(client2_ssl_role); 467 } 468 469 // Check that we negotiated the right ciphers. 470 if (use_dtls_srtp_) { 471 client1_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_80); 472 client2_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_80); 473 } else { 474 client1_.CheckSrtp(rtc::SRTP_INVALID_CRYPTO_SUITE); 475 client2_.CheckSrtp(rtc::SRTP_INVALID_CRYPTO_SUITE); 476 } 477 client1_.CheckSsl(rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( 478 ssl_expected_version_, rtc::KT_DEFAULT)); 479 client2_.CheckSsl(rtc::SSLStreamAdapter::GetDefaultSslCipherForTest( 480 ssl_expected_version_, rtc::KT_DEFAULT)); 481 482 return true; 483 } 484 485 bool Connect() { 486 // By default, Client1 will be Server and Client2 will be Client. 487 return Connect(cricket::CONNECTIONROLE_ACTPASS, 488 cricket::CONNECTIONROLE_ACTIVE); 489 } 490 491 void Negotiate() { 492 Negotiate(cricket::CONNECTIONROLE_ACTPASS, cricket::CONNECTIONROLE_ACTIVE); 493 } 494 495 void Negotiate(ConnectionRole client1_role, ConnectionRole client2_role) { 496 client1_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLING); 497 client2_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLED); 498 // Expect success from SLTD and SRTD. 499 client1_.Negotiate(&client2_, cricket::CA_OFFER, 500 client1_role, client2_role, 0); 501 client2_.Negotiate(&client1_, cricket::CA_ANSWER, 502 client2_role, client1_role, 0); 503 } 504 505 // Negotiate with legacy client |client2|. Legacy client doesn't use setup 506 // attributes, except NONE. 507 void NegotiateWithLegacy() { 508 client1_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLING); 509 client2_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLED); 510 // Expect success from SLTD and SRTD. 511 client1_.Negotiate(&client2_, cricket::CA_OFFER, 512 cricket::CONNECTIONROLE_ACTPASS, 513 cricket::CONNECTIONROLE_NONE, 0); 514 client2_.Negotiate(&client1_, cricket::CA_ANSWER, 515 cricket::CONNECTIONROLE_ACTIVE, 516 cricket::CONNECTIONROLE_NONE, 0); 517 } 518 519 void Renegotiate(DtlsTestClient* reoffer_initiator, 520 ConnectionRole client1_role, ConnectionRole client2_role, 521 int flags) { 522 if (reoffer_initiator == &client1_) { 523 client1_.Negotiate(&client2_, cricket::CA_OFFER, 524 client1_role, client2_role, flags); 525 client2_.Negotiate(&client1_, cricket::CA_ANSWER, 526 client2_role, client1_role, flags); 527 } else { 528 client2_.Negotiate(&client1_, cricket::CA_OFFER, 529 client2_role, client1_role, flags); 530 client1_.Negotiate(&client2_, cricket::CA_ANSWER, 531 client1_role, client2_role, flags); 532 } 533 } 534 535 void TestTransfer(size_t channel, size_t size, size_t count, bool srtp) { 536 LOG(LS_INFO) << "Expect packets, size=" << size; 537 client2_.ExpectPackets(channel, size); 538 client1_.SendPackets(channel, size, count, srtp); 539 EXPECT_EQ_WAIT(count, client2_.NumPacketsReceived(), 10000); 540 } 541 542 protected: 543 DtlsTestClient client1_; 544 DtlsTestClient client2_; 545 int channel_ct_; 546 bool use_dtls_; 547 bool use_dtls_srtp_; 548 rtc::SSLProtocolVersion ssl_expected_version_; 549}; 550 551// Test that transport negotiation of ICE, no DTLS works properly. 552TEST_F(DtlsTransportChannelTest, TestChannelSetupIce) { 553 Negotiate(); 554 cricket::FakeTransportChannel* channel1 = client1_.GetFakeChannel(0); 555 cricket::FakeTransportChannel* channel2 = client2_.GetFakeChannel(0); 556 ASSERT_TRUE(channel1 != NULL); 557 ASSERT_TRUE(channel2 != NULL); 558 EXPECT_EQ(cricket::ICEROLE_CONTROLLING, channel1->GetIceRole()); 559 EXPECT_EQ(1U, channel1->IceTiebreaker()); 560 EXPECT_EQ(kIceUfrag1, channel1->ice_ufrag()); 561 EXPECT_EQ(kIcePwd1, channel1->ice_pwd()); 562 EXPECT_EQ(cricket::ICEROLE_CONTROLLED, channel2->GetIceRole()); 563 EXPECT_EQ(2U, channel2->IceTiebreaker()); 564} 565 566// Connect without DTLS, and transfer some data. 567TEST_F(DtlsTransportChannelTest, TestTransfer) { 568 ASSERT_TRUE(Connect()); 569 TestTransfer(0, 1000, 100, false); 570} 571 572// Connect without DTLS, and transfer some data. 573TEST_F(DtlsTransportChannelTest, TestOnSentPacket) { 574 ASSERT_TRUE(Connect()); 575 EXPECT_EQ(client1_.sent_packet().send_time_ms, -1); 576 TestTransfer(0, 1000, 100, false); 577 EXPECT_EQ(kFakePacketId, client1_.sent_packet().packet_id); 578 EXPECT_GE(client1_.sent_packet().send_time_ms, 0); 579} 580 581// Create two channels without DTLS, and transfer some data. 582TEST_F(DtlsTransportChannelTest, TestTransferTwoChannels) { 583 SetChannelCount(2); 584 ASSERT_TRUE(Connect()); 585 TestTransfer(0, 1000, 100, false); 586 TestTransfer(1, 1000, 100, false); 587} 588 589// Connect without DTLS, and transfer SRTP data. 590TEST_F(DtlsTransportChannelTest, TestTransferSrtp) { 591 ASSERT_TRUE(Connect()); 592 TestTransfer(0, 1000, 100, true); 593} 594 595// Create two channels without DTLS, and transfer SRTP data. 596TEST_F(DtlsTransportChannelTest, TestTransferSrtpTwoChannels) { 597 SetChannelCount(2); 598 ASSERT_TRUE(Connect()); 599 TestTransfer(0, 1000, 100, true); 600 TestTransfer(1, 1000, 100, true); 601} 602 603// Connect with DTLS, and transfer some data. 604TEST_F(DtlsTransportChannelTest, TestTransferDtls) { 605 MAYBE_SKIP_TEST(HaveDtls); 606 PrepareDtls(true, true, rtc::KT_DEFAULT); 607 ASSERT_TRUE(Connect()); 608 TestTransfer(0, 1000, 100, false); 609} 610 611// Create two channels with DTLS, and transfer some data. 612TEST_F(DtlsTransportChannelTest, TestTransferDtlsTwoChannels) { 613 MAYBE_SKIP_TEST(HaveDtls); 614 SetChannelCount(2); 615 PrepareDtls(true, true, rtc::KT_DEFAULT); 616 ASSERT_TRUE(Connect()); 617 TestTransfer(0, 1000, 100, false); 618 TestTransfer(1, 1000, 100, false); 619} 620 621// Connect with A doing DTLS and B not, and transfer some data. 622TEST_F(DtlsTransportChannelTest, TestTransferDtlsRejected) { 623 PrepareDtls(true, false, rtc::KT_DEFAULT); 624 ASSERT_TRUE(Connect()); 625 TestTransfer(0, 1000, 100, false); 626} 627 628// Connect with B doing DTLS and A not, and transfer some data. 629TEST_F(DtlsTransportChannelTest, TestTransferDtlsNotOffered) { 630 PrepareDtls(false, true, rtc::KT_DEFAULT); 631 ASSERT_TRUE(Connect()); 632 TestTransfer(0, 1000, 100, false); 633} 634 635// Create two channels with DTLS 1.0 and check ciphers. 636TEST_F(DtlsTransportChannelTest, TestDtls12None) { 637 MAYBE_SKIP_TEST(HaveDtls); 638 SetChannelCount(2); 639 PrepareDtls(true, true, rtc::KT_DEFAULT); 640 SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10); 641 ASSERT_TRUE(Connect()); 642} 643 644#if defined(MEMORY_SANITIZER) 645// Fails under MemorySanitizer: 646// See https://code.google.com/p/webrtc/issues/detail?id=5381. 647#define MAYBE_TestDtls12Both DISABLED_TestDtls12Both 648#else 649#define MAYBE_TestDtls12Both TestDtls12Both 650#endif 651// Create two channels with DTLS 1.2 and check ciphers. 652TEST_F(DtlsTransportChannelTest, MAYBE_TestDtls12Both) { 653 MAYBE_SKIP_TEST(HaveDtls); 654 SetChannelCount(2); 655 PrepareDtls(true, true, rtc::KT_DEFAULT); 656 SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12); 657 ASSERT_TRUE(Connect()); 658} 659 660// Create two channels with DTLS 1.0 / DTLS 1.2 and check ciphers. 661TEST_F(DtlsTransportChannelTest, TestDtls12Client1) { 662 MAYBE_SKIP_TEST(HaveDtls); 663 SetChannelCount(2); 664 PrepareDtls(true, true, rtc::KT_DEFAULT); 665 SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_10); 666 ASSERT_TRUE(Connect()); 667} 668 669// Create two channels with DTLS 1.2 / DTLS 1.0 and check ciphers. 670TEST_F(DtlsTransportChannelTest, TestDtls12Client2) { 671 MAYBE_SKIP_TEST(HaveDtls); 672 SetChannelCount(2); 673 PrepareDtls(true, true, rtc::KT_DEFAULT); 674 SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_12); 675 ASSERT_TRUE(Connect()); 676} 677 678// Connect with DTLS, negotiate DTLS-SRTP, and transfer SRTP using bypass. 679TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtp) { 680 MAYBE_SKIP_TEST(HaveDtlsSrtp); 681 PrepareDtls(true, true, rtc::KT_DEFAULT); 682 PrepareDtlsSrtp(true, true); 683 ASSERT_TRUE(Connect()); 684 TestTransfer(0, 1000, 100, true); 685} 686 687// Connect with DTLS-SRTP, transfer an invalid SRTP packet, and expects -1 688// returned. 689TEST_F(DtlsTransportChannelTest, TestTransferDtlsInvalidSrtpPacket) { 690 MAYBE_SKIP_TEST(HaveDtls); 691 PrepareDtls(true, true, rtc::KT_DEFAULT); 692 PrepareDtlsSrtp(true, true); 693 ASSERT_TRUE(Connect()); 694 int result = client1_.SendInvalidSrtpPacket(0, 100); 695 ASSERT_EQ(-1, result); 696} 697 698// Connect with DTLS. A does DTLS-SRTP but B does not. 699TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpRejected) { 700 MAYBE_SKIP_TEST(HaveDtlsSrtp); 701 PrepareDtls(true, true, rtc::KT_DEFAULT); 702 PrepareDtlsSrtp(true, false); 703 ASSERT_TRUE(Connect()); 704} 705 706// Connect with DTLS. B does DTLS-SRTP but A does not. 707TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpNotOffered) { 708 MAYBE_SKIP_TEST(HaveDtlsSrtp); 709 PrepareDtls(true, true, rtc::KT_DEFAULT); 710 PrepareDtlsSrtp(false, true); 711 ASSERT_TRUE(Connect()); 712} 713 714// Create two channels with DTLS, negotiate DTLS-SRTP, and transfer bypass SRTP. 715TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpTwoChannels) { 716 MAYBE_SKIP_TEST(HaveDtlsSrtp); 717 SetChannelCount(2); 718 PrepareDtls(true, true, rtc::KT_DEFAULT); 719 PrepareDtlsSrtp(true, true); 720 ASSERT_TRUE(Connect()); 721 TestTransfer(0, 1000, 100, true); 722 TestTransfer(1, 1000, 100, true); 723} 724 725// Create a single channel with DTLS, and send normal data and SRTP data on it. 726TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpDemux) { 727 MAYBE_SKIP_TEST(HaveDtlsSrtp); 728 PrepareDtls(true, true, rtc::KT_DEFAULT); 729 PrepareDtlsSrtp(true, true); 730 ASSERT_TRUE(Connect()); 731 TestTransfer(0, 1000, 100, false); 732 TestTransfer(0, 1000, 100, true); 733} 734 735// Testing when the remote is passive. 736TEST_F(DtlsTransportChannelTest, TestTransferDtlsAnswererIsPassive) { 737 MAYBE_SKIP_TEST(HaveDtlsSrtp); 738 SetChannelCount(2); 739 PrepareDtls(true, true, rtc::KT_DEFAULT); 740 PrepareDtlsSrtp(true, true); 741 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS, 742 cricket::CONNECTIONROLE_PASSIVE)); 743 TestTransfer(0, 1000, 100, true); 744 TestTransfer(1, 1000, 100, true); 745} 746 747// Testing with the legacy DTLS client which doesn't use setup attribute. 748// In this case legacy is the answerer. 749TEST_F(DtlsTransportChannelTest, TestDtlsSetupWithLegacyAsAnswerer) { 750 MAYBE_SKIP_TEST(HaveDtlsSrtp); 751 PrepareDtls(true, true, rtc::KT_DEFAULT); 752 NegotiateWithLegacy(); 753 rtc::SSLRole channel1_role; 754 rtc::SSLRole channel2_role; 755 EXPECT_TRUE(client1_.transport()->GetSslRole(&channel1_role)); 756 EXPECT_TRUE(client2_.transport()->GetSslRole(&channel2_role)); 757 EXPECT_EQ(rtc::SSL_SERVER, channel1_role); 758 EXPECT_EQ(rtc::SSL_CLIENT, channel2_role); 759} 760 761// Testing re offer/answer after the session is estbalished. Roles will be 762// kept same as of the previous negotiation. 763TEST_F(DtlsTransportChannelTest, TestDtlsReOfferFromOfferer) { 764 MAYBE_SKIP_TEST(HaveDtlsSrtp); 765 SetChannelCount(2); 766 PrepareDtls(true, true, rtc::KT_DEFAULT); 767 PrepareDtlsSrtp(true, true); 768 // Initial role for client1 is ACTPASS and client2 is ACTIVE. 769 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS, 770 cricket::CONNECTIONROLE_ACTIVE)); 771 TestTransfer(0, 1000, 100, true); 772 TestTransfer(1, 1000, 100, true); 773 // Using input roles for the re-offer. 774 Renegotiate(&client1_, cricket::CONNECTIONROLE_ACTPASS, 775 cricket::CONNECTIONROLE_ACTIVE, NF_REOFFER); 776 TestTransfer(0, 1000, 100, true); 777 TestTransfer(1, 1000, 100, true); 778} 779 780TEST_F(DtlsTransportChannelTest, TestDtlsReOfferFromAnswerer) { 781 MAYBE_SKIP_TEST(HaveDtlsSrtp); 782 SetChannelCount(2); 783 PrepareDtls(true, true, rtc::KT_DEFAULT); 784 PrepareDtlsSrtp(true, true); 785 // Initial role for client1 is ACTPASS and client2 is ACTIVE. 786 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS, 787 cricket::CONNECTIONROLE_ACTIVE)); 788 TestTransfer(0, 1000, 100, true); 789 TestTransfer(1, 1000, 100, true); 790 // Using input roles for the re-offer. 791 Renegotiate(&client2_, cricket::CONNECTIONROLE_PASSIVE, 792 cricket::CONNECTIONROLE_ACTPASS, NF_REOFFER); 793 TestTransfer(0, 1000, 100, true); 794 TestTransfer(1, 1000, 100, true); 795} 796 797// Test that any change in role after the intial setup will result in failure. 798TEST_F(DtlsTransportChannelTest, TestDtlsRoleReversal) { 799 MAYBE_SKIP_TEST(HaveDtlsSrtp); 800 SetChannelCount(2); 801 PrepareDtls(true, true, rtc::KT_DEFAULT); 802 PrepareDtlsSrtp(true, true); 803 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS, 804 cricket::CONNECTIONROLE_PASSIVE)); 805 806 // Renegotiate from client2 with actpass and client1 as active. 807 Renegotiate(&client2_, cricket::CONNECTIONROLE_ACTPASS, 808 cricket::CONNECTIONROLE_ACTIVE, 809 NF_REOFFER | NF_EXPECT_FAILURE); 810} 811 812// Test that using different setup attributes which results in similar ssl 813// role as the initial negotiation will result in success. 814TEST_F(DtlsTransportChannelTest, TestDtlsReOfferWithDifferentSetupAttr) { 815 MAYBE_SKIP_TEST(HaveDtlsSrtp); 816 SetChannelCount(2); 817 PrepareDtls(true, true, rtc::KT_DEFAULT); 818 PrepareDtlsSrtp(true, true); 819 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS, 820 cricket::CONNECTIONROLE_PASSIVE)); 821 // Renegotiate from client2 with actpass and client1 as active. 822 Renegotiate(&client2_, cricket::CONNECTIONROLE_ACTIVE, 823 cricket::CONNECTIONROLE_ACTPASS, NF_REOFFER); 824 TestTransfer(0, 1000, 100, true); 825 TestTransfer(1, 1000, 100, true); 826} 827 828// Test that re-negotiation can be started before the clients become connected 829// in the first negotiation. 830TEST_F(DtlsTransportChannelTest, TestRenegotiateBeforeConnect) { 831 MAYBE_SKIP_TEST(HaveDtlsSrtp); 832 SetChannelCount(2); 833 PrepareDtls(true, true, rtc::KT_DEFAULT); 834 PrepareDtlsSrtp(true, true); 835 Negotiate(); 836 837 Renegotiate(&client1_, cricket::CONNECTIONROLE_ACTPASS, 838 cricket::CONNECTIONROLE_ACTIVE, NF_REOFFER); 839 bool rv = client1_.Connect(&client2_); 840 EXPECT_TRUE(rv); 841 EXPECT_TRUE_WAIT( 842 client1_.all_channels_writable() && client2_.all_channels_writable(), 843 10000); 844 845 TestTransfer(0, 1000, 100, true); 846 TestTransfer(1, 1000, 100, true); 847} 848 849// Test Certificates state after negotiation but before connection. 850TEST_F(DtlsTransportChannelTest, TestCertificatesBeforeConnect) { 851 MAYBE_SKIP_TEST(HaveDtls); 852 PrepareDtls(true, true, rtc::KT_DEFAULT); 853 Negotiate(); 854 855 rtc::scoped_refptr<rtc::RTCCertificate> certificate1; 856 rtc::scoped_refptr<rtc::RTCCertificate> certificate2; 857 rtc::scoped_ptr<rtc::SSLCertificate> remote_cert1; 858 rtc::scoped_ptr<rtc::SSLCertificate> remote_cert2; 859 860 // After negotiation, each side has a distinct local certificate, but still no 861 // remote certificate, because connection has not yet occurred. 862 ASSERT_TRUE(client1_.transport()->GetLocalCertificate(&certificate1)); 863 ASSERT_TRUE(client2_.transport()->GetLocalCertificate(&certificate2)); 864 ASSERT_NE(certificate1->ssl_certificate().ToPEMString(), 865 certificate2->ssl_certificate().ToPEMString()); 866 ASSERT_FALSE( 867 client1_.transport()->GetRemoteSSLCertificate(remote_cert1.accept())); 868 ASSERT_FALSE(remote_cert1 != NULL); 869 ASSERT_FALSE( 870 client2_.transport()->GetRemoteSSLCertificate(remote_cert2.accept())); 871 ASSERT_FALSE(remote_cert2 != NULL); 872} 873 874// Test Certificates state after connection. 875TEST_F(DtlsTransportChannelTest, TestCertificatesAfterConnect) { 876 MAYBE_SKIP_TEST(HaveDtls); 877 PrepareDtls(true, true, rtc::KT_DEFAULT); 878 ASSERT_TRUE(Connect()); 879 880 rtc::scoped_refptr<rtc::RTCCertificate> certificate1; 881 rtc::scoped_refptr<rtc::RTCCertificate> certificate2; 882 rtc::scoped_ptr<rtc::SSLCertificate> remote_cert1; 883 rtc::scoped_ptr<rtc::SSLCertificate> remote_cert2; 884 885 // After connection, each side has a distinct local certificate. 886 ASSERT_TRUE(client1_.transport()->GetLocalCertificate(&certificate1)); 887 ASSERT_TRUE(client2_.transport()->GetLocalCertificate(&certificate2)); 888 ASSERT_NE(certificate1->ssl_certificate().ToPEMString(), 889 certificate2->ssl_certificate().ToPEMString()); 890 891 // Each side's remote certificate is the other side's local certificate. 892 ASSERT_TRUE( 893 client1_.transport()->GetRemoteSSLCertificate(remote_cert1.accept())); 894 ASSERT_EQ(remote_cert1->ToPEMString(), 895 certificate2->ssl_certificate().ToPEMString()); 896 ASSERT_TRUE( 897 client2_.transport()->GetRemoteSSLCertificate(remote_cert2.accept())); 898 ASSERT_EQ(remote_cert2->ToPEMString(), 899 certificate1->ssl_certificate().ToPEMString()); 900} 901