dtlstransportchannel_unittest.cc revision a81a42f584baa0d93a4b93da9632415e8922450c
1/* 2 * Copyright 2011 The WebRTC Project Authors. All rights reserved. 3 * 4 * Use of this source code is governed by a BSD-style license 5 * that can be found in the LICENSE file in the root of the source 6 * tree. An additional intellectual property rights grant can be found 7 * in the file PATENTS. All contributing project authors may 8 * be found in the AUTHORS file in the root of the source tree. 9 */ 10 11#include <set> 12 13#include "webrtc/p2p/base/dtlstransport.h" 14#include "webrtc/p2p/base/fakesession.h" 15#include "webrtc/base/common.h" 16#include "webrtc/base/dscp.h" 17#include "webrtc/base/gunit.h" 18#include "webrtc/base/helpers.h" 19#include "webrtc/base/scoped_ptr.h" 20#include "webrtc/base/ssladapter.h" 21#include "webrtc/base/sslidentity.h" 22#include "webrtc/base/sslstreamadapter.h" 23#include "webrtc/base/stringutils.h" 24#include "webrtc/base/thread.h" 25 26#define MAYBE_SKIP_TEST(feature) \ 27 if (!(rtc::SSLStreamAdapter::feature())) { \ 28 LOG(LS_INFO) << "Feature disabled... skipping"; \ 29 return; \ 30 } 31 32static const char AES_CM_128_HMAC_SHA1_80[] = "AES_CM_128_HMAC_SHA1_80"; 33static const char kIceUfrag1[] = "TESTICEUFRAG0001"; 34static const char kIcePwd1[] = "TESTICEPWD00000000000001"; 35static const size_t kPacketNumOffset = 8; 36static const size_t kPacketHeaderLen = 12; 37 38static bool IsRtpLeadByte(uint8 b) { 39 return ((b & 0xC0) == 0x80); 40} 41 42using cricket::ConnectionRole; 43 44enum Flags { NF_REOFFER = 0x1, NF_EXPECT_FAILURE = 0x2 }; 45 46class DtlsTestClient : public sigslot::has_slots<> { 47 public: 48 DtlsTestClient(const std::string& name, 49 rtc::Thread* signaling_thread, 50 rtc::Thread* worker_thread) : 51 name_(name), 52 signaling_thread_(signaling_thread), 53 worker_thread_(worker_thread), 54 packet_size_(0), 55 use_dtls_srtp_(false), 56 ssl_max_version_(rtc::SSL_PROTOCOL_DTLS_10), 57 negotiated_dtls_(false), 58 received_dtls_client_hello_(false), 59 received_dtls_server_hello_(false) { 60 } 61 void CreateCertificate(rtc::KeyType key_type) { 62 certificate_ = rtc::RTCCertificate::Create( 63 rtc::scoped_ptr<rtc::SSLIdentity>( 64 rtc::SSLIdentity::Generate(name_, key_type)).Pass()); 65 } 66 const rtc::scoped_refptr<rtc::RTCCertificate>& certificate() { 67 return certificate_; 68 } 69 void SetupSrtp() { 70 ASSERT(certificate_); 71 use_dtls_srtp_ = true; 72 } 73 void SetupMaxProtocolVersion(rtc::SSLProtocolVersion version) { 74 ASSERT(transport_.get() == NULL); 75 ssl_max_version_ = version; 76 } 77 void SetupChannels(int count, cricket::IceRole role) { 78 transport_.reset(new cricket::DtlsTransport<cricket::FakeTransport>( 79 signaling_thread_, worker_thread_, "dtls content name", nullptr, 80 certificate_)); 81 transport_->SetAsync(true); 82 transport_->SetIceRole(role); 83 transport_->SetIceTiebreaker( 84 (role == cricket::ICEROLE_CONTROLLING) ? 1 : 2); 85 transport_->SignalWritableState.connect(this, 86 &DtlsTestClient::OnTransportWritableState); 87 88 for (int i = 0; i < count; ++i) { 89 cricket::DtlsTransportChannelWrapper* channel = 90 static_cast<cricket::DtlsTransportChannelWrapper*>( 91 transport_->CreateChannel(i)); 92 ASSERT_TRUE(channel != NULL); 93 channel->SetSslMaxProtocolVersion(ssl_max_version_); 94 channel->SignalWritableState.connect(this, 95 &DtlsTestClient::OnTransportChannelWritableState); 96 channel->SignalReadPacket.connect(this, 97 &DtlsTestClient::OnTransportChannelReadPacket); 98 channels_.push_back(channel); 99 100 // Hook the raw packets so that we can verify they are encrypted. 101 channel->channel()->SignalReadPacket.connect( 102 this, &DtlsTestClient::OnFakeTransportChannelReadPacket); 103 } 104 } 105 106 cricket::Transport* transport() { return transport_.get(); } 107 108 cricket::FakeTransportChannel* GetFakeChannel(int component) { 109 cricket::TransportChannelImpl* ch = transport_->GetChannel(component); 110 cricket::DtlsTransportChannelWrapper* wrapper = 111 static_cast<cricket::DtlsTransportChannelWrapper*>(ch); 112 return (wrapper) ? 113 static_cast<cricket::FakeTransportChannel*>(wrapper->channel()) : NULL; 114 } 115 116 // Offer DTLS if we have an identity; pass in a remote fingerprint only if 117 // both sides support DTLS. 118 void Negotiate(DtlsTestClient* peer, cricket::ContentAction action, 119 ConnectionRole local_role, ConnectionRole remote_role, 120 int flags) { 121 Negotiate(certificate_, certificate_ ? peer->certificate_ : nullptr, 122 action, local_role, remote_role, flags); 123 } 124 125 // Allow any DTLS configuration to be specified (including invalid ones). 126 void Negotiate(const rtc::scoped_refptr<rtc::RTCCertificate>& local_cert, 127 const rtc::scoped_refptr<rtc::RTCCertificate>& remote_cert, 128 cricket::ContentAction action, 129 ConnectionRole local_role, 130 ConnectionRole remote_role, 131 int flags) { 132 rtc::scoped_ptr<rtc::SSLFingerprint> local_fingerprint; 133 rtc::scoped_ptr<rtc::SSLFingerprint> remote_fingerprint; 134 if (local_cert) { 135 std::string digest_algorithm; 136 ASSERT_TRUE(local_cert->ssl_certificate().GetSignatureDigestAlgorithm( 137 &digest_algorithm)); 138 ASSERT_FALSE(digest_algorithm.empty()); 139 local_fingerprint.reset(rtc::SSLFingerprint::Create( 140 digest_algorithm, local_cert->identity())); 141 ASSERT_TRUE(local_fingerprint.get() != NULL); 142 EXPECT_EQ(rtc::DIGEST_SHA_256, digest_algorithm); 143 } 144 if (remote_cert) { 145 std::string digest_algorithm; 146 ASSERT_TRUE(remote_cert->ssl_certificate().GetSignatureDigestAlgorithm( 147 &digest_algorithm)); 148 ASSERT_FALSE(digest_algorithm.empty()); 149 remote_fingerprint.reset(rtc::SSLFingerprint::Create( 150 digest_algorithm, remote_cert->identity())); 151 ASSERT_TRUE(remote_fingerprint.get() != NULL); 152 EXPECT_EQ(rtc::DIGEST_SHA_256, digest_algorithm); 153 } 154 155 if (use_dtls_srtp_ && !(flags & NF_REOFFER)) { 156 // SRTP ciphers will be set only in the beginning. 157 for (std::vector<cricket::DtlsTransportChannelWrapper*>::iterator it = 158 channels_.begin(); it != channels_.end(); ++it) { 159 std::vector<std::string> ciphers; 160 ciphers.push_back(AES_CM_128_HMAC_SHA1_80); 161 ASSERT_TRUE((*it)->SetSrtpCiphers(ciphers)); 162 } 163 } 164 165 cricket::TransportDescription local_desc( 166 std::vector<std::string>(), kIceUfrag1, kIcePwd1, 167 cricket::ICEMODE_FULL, local_role, 168 // If remote if the offerer and has no DTLS support, answer will be 169 // without any fingerprint. 170 (action == cricket::CA_ANSWER && !remote_cert) ? 171 NULL : local_fingerprint.get(), 172 cricket::Candidates()); 173 174 cricket::TransportDescription remote_desc( 175 std::vector<std::string>(), kIceUfrag1, kIcePwd1, 176 cricket::ICEMODE_FULL, remote_role, remote_fingerprint.get(), 177 cricket::Candidates()); 178 179 bool expect_success = (flags & NF_EXPECT_FAILURE) ? false : true; 180 // If |expect_success| is false, expect SRTD or SLTD to fail when 181 // content action is CA_ANSWER. 182 if (action == cricket::CA_OFFER) { 183 ASSERT_TRUE(transport_->SetLocalTransportDescription( 184 local_desc, cricket::CA_OFFER, NULL)); 185 ASSERT_EQ(expect_success, transport_->SetRemoteTransportDescription( 186 remote_desc, cricket::CA_ANSWER, NULL)); 187 } else { 188 ASSERT_TRUE(transport_->SetRemoteTransportDescription( 189 remote_desc, cricket::CA_OFFER, NULL)); 190 ASSERT_EQ(expect_success, transport_->SetLocalTransportDescription( 191 local_desc, cricket::CA_ANSWER, NULL)); 192 } 193 negotiated_dtls_ = (local_cert && remote_cert); 194 } 195 196 bool Connect(DtlsTestClient* peer) { 197 transport_->ConnectChannels(); 198 transport_->SetDestination(peer->transport_.get()); 199 return true; 200 } 201 202 bool writable() const { return transport_->writable(); } 203 204 void CheckRole(rtc::SSLRole role) { 205 if (role == rtc::SSL_CLIENT) { 206 ASSERT_FALSE(received_dtls_client_hello_); 207 ASSERT_TRUE(received_dtls_server_hello_); 208 } else { 209 ASSERT_TRUE(received_dtls_client_hello_); 210 ASSERT_FALSE(received_dtls_server_hello_); 211 } 212 } 213 214 void CheckSrtp(const std::string& expected_cipher) { 215 for (std::vector<cricket::DtlsTransportChannelWrapper*>::iterator it = 216 channels_.begin(); it != channels_.end(); ++it) { 217 std::string cipher; 218 219 bool rv = (*it)->GetSrtpCipher(&cipher); 220 if (negotiated_dtls_ && !expected_cipher.empty()) { 221 ASSERT_TRUE(rv); 222 223 ASSERT_EQ(cipher, expected_cipher); 224 } else { 225 ASSERT_FALSE(rv); 226 } 227 } 228 } 229 230 void CheckSsl(const std::string& expected_cipher) { 231 for (std::vector<cricket::DtlsTransportChannelWrapper*>::iterator it = 232 channels_.begin(); it != channels_.end(); ++it) { 233 std::string cipher; 234 235 bool rv = (*it)->GetSslCipher(&cipher); 236 if (negotiated_dtls_ && !expected_cipher.empty()) { 237 ASSERT_TRUE(rv); 238 239 ASSERT_EQ(cipher, expected_cipher); 240 } else { 241 ASSERT_FALSE(rv); 242 } 243 } 244 } 245 246 void SendPackets(size_t channel, size_t size, size_t count, bool srtp) { 247 ASSERT(channel < channels_.size()); 248 rtc::scoped_ptr<char[]> packet(new char[size]); 249 size_t sent = 0; 250 do { 251 // Fill the packet with a known value and a sequence number to check 252 // against, and make sure that it doesn't look like DTLS. 253 memset(packet.get(), sent & 0xff, size); 254 packet[0] = (srtp) ? 0x80 : 0x00; 255 rtc::SetBE32(packet.get() + kPacketNumOffset, 256 static_cast<uint32>(sent)); 257 258 // Only set the bypass flag if we've activated DTLS. 259 int flags = (certificate_ && srtp) ? cricket::PF_SRTP_BYPASS : 0; 260 rtc::PacketOptions packet_options; 261 int rv = channels_[channel]->SendPacket( 262 packet.get(), size, packet_options, flags); 263 ASSERT_GT(rv, 0); 264 ASSERT_EQ(size, static_cast<size_t>(rv)); 265 ++sent; 266 } while (sent < count); 267 } 268 269 int SendInvalidSrtpPacket(size_t channel, size_t size) { 270 ASSERT(channel < channels_.size()); 271 rtc::scoped_ptr<char[]> packet(new char[size]); 272 // Fill the packet with 0 to form an invalid SRTP packet. 273 memset(packet.get(), 0, size); 274 275 rtc::PacketOptions packet_options; 276 return channels_[channel]->SendPacket( 277 packet.get(), size, packet_options, cricket::PF_SRTP_BYPASS); 278 } 279 280 void ExpectPackets(size_t channel, size_t size) { 281 packet_size_ = size; 282 received_.clear(); 283 } 284 285 size_t NumPacketsReceived() { 286 return received_.size(); 287 } 288 289 bool VerifyPacket(const char* data, size_t size, uint32* out_num) { 290 if (size != packet_size_ || 291 (data[0] != 0 && static_cast<uint8>(data[0]) != 0x80)) { 292 return false; 293 } 294 uint32 packet_num = rtc::GetBE32(data + kPacketNumOffset); 295 for (size_t i = kPacketHeaderLen; i < size; ++i) { 296 if (static_cast<uint8>(data[i]) != (packet_num & 0xff)) { 297 return false; 298 } 299 } 300 if (out_num) { 301 *out_num = packet_num; 302 } 303 return true; 304 } 305 bool VerifyEncryptedPacket(const char* data, size_t size) { 306 // This is an encrypted data packet; let's make sure it's mostly random; 307 // less than 10% of the bytes should be equal to the cleartext packet. 308 if (size <= packet_size_) { 309 return false; 310 } 311 uint32 packet_num = rtc::GetBE32(data + kPacketNumOffset); 312 int num_matches = 0; 313 for (size_t i = kPacketNumOffset; i < size; ++i) { 314 if (static_cast<uint8>(data[i]) == (packet_num & 0xff)) { 315 ++num_matches; 316 } 317 } 318 return (num_matches < ((static_cast<int>(size) - 5) / 10)); 319 } 320 321 // Transport callbacks 322 void OnTransportWritableState(cricket::Transport* transport) { 323 LOG(LS_INFO) << name_ << ": is writable"; 324 } 325 326 // Transport channel callbacks 327 void OnTransportChannelWritableState(cricket::TransportChannel* channel) { 328 LOG(LS_INFO) << name_ << ": Channel '" << channel->component() 329 << "' is writable"; 330 } 331 332 void OnTransportChannelReadPacket(cricket::TransportChannel* channel, 333 const char* data, size_t size, 334 const rtc::PacketTime& packet_time, 335 int flags) { 336 uint32 packet_num = 0; 337 ASSERT_TRUE(VerifyPacket(data, size, &packet_num)); 338 received_.insert(packet_num); 339 // Only DTLS-SRTP packets should have the bypass flag set. 340 int expected_flags = (certificate_ && IsRtpLeadByte(data[0])) ? 341 cricket::PF_SRTP_BYPASS : 0; 342 ASSERT_EQ(expected_flags, flags); 343 } 344 345 // Hook into the raw packet stream to make sure DTLS packets are encrypted. 346 void OnFakeTransportChannelReadPacket(cricket::TransportChannel* channel, 347 const char* data, size_t size, 348 const rtc::PacketTime& time, 349 int flags) { 350 // Flags shouldn't be set on the underlying TransportChannel packets. 351 ASSERT_EQ(0, flags); 352 353 // Look at the handshake packets to see what role we played. 354 // Check that non-handshake packets are DTLS data or SRTP bypass. 355 if (negotiated_dtls_) { 356 if (data[0] == 22 && size > 17) { 357 if (data[13] == 1) { 358 received_dtls_client_hello_ = true; 359 } else if (data[13] == 2) { 360 received_dtls_server_hello_ = true; 361 } 362 } else if (!(data[0] >= 20 && data[0] <= 22)) { 363 ASSERT_TRUE(data[0] == 23 || IsRtpLeadByte(data[0])); 364 if (data[0] == 23) { 365 ASSERT_TRUE(VerifyEncryptedPacket(data, size)); 366 } else if (IsRtpLeadByte(data[0])) { 367 ASSERT_TRUE(VerifyPacket(data, size, NULL)); 368 } 369 } 370 } 371 } 372 373 private: 374 std::string name_; 375 rtc::Thread* signaling_thread_; 376 rtc::Thread* worker_thread_; 377 rtc::scoped_refptr<rtc::RTCCertificate> certificate_; 378 rtc::scoped_ptr<cricket::FakeTransport> transport_; 379 std::vector<cricket::DtlsTransportChannelWrapper*> channels_; 380 size_t packet_size_; 381 std::set<int> received_; 382 bool use_dtls_srtp_; 383 rtc::SSLProtocolVersion ssl_max_version_; 384 bool negotiated_dtls_; 385 bool received_dtls_client_hello_; 386 bool received_dtls_server_hello_; 387}; 388 389 390class DtlsTransportChannelTest : public testing::Test { 391 public: 392 DtlsTransportChannelTest() : 393 client1_("P1", rtc::Thread::Current(), 394 rtc::Thread::Current()), 395 client2_("P2", rtc::Thread::Current(), 396 rtc::Thread::Current()), 397 channel_ct_(1), 398 use_dtls_(false), 399 use_dtls_srtp_(false), 400 ssl_expected_version_(rtc::SSL_PROTOCOL_DTLS_10) { 401 } 402 403 void SetChannelCount(size_t channel_ct) { 404 channel_ct_ = static_cast<int>(channel_ct); 405 } 406 void SetMaxProtocolVersions(rtc::SSLProtocolVersion c1, 407 rtc::SSLProtocolVersion c2) { 408 client1_.SetupMaxProtocolVersion(c1); 409 client2_.SetupMaxProtocolVersion(c2); 410 ssl_expected_version_ = std::min(c1, c2); 411 } 412 void PrepareDtls(bool c1, bool c2, rtc::KeyType key_type) { 413 if (c1) { 414 client1_.CreateCertificate(key_type); 415 } 416 if (c2) { 417 client2_.CreateCertificate(key_type); 418 } 419 if (c1 && c2) 420 use_dtls_ = true; 421 } 422 void PrepareDtlsSrtp(bool c1, bool c2) { 423 if (!use_dtls_) 424 return; 425 426 if (c1) 427 client1_.SetupSrtp(); 428 if (c2) 429 client2_.SetupSrtp(); 430 431 if (c1 && c2) 432 use_dtls_srtp_ = true; 433 } 434 435 bool Connect(ConnectionRole client1_role, ConnectionRole client2_role) { 436 Negotiate(client1_role, client2_role); 437 438 bool rv = client1_.Connect(&client2_); 439 EXPECT_TRUE(rv); 440 if (!rv) 441 return false; 442 443 EXPECT_TRUE_WAIT(client1_.writable() && client2_.writable(), 10000); 444 if (!client1_.writable() || !client2_.writable()) 445 return false; 446 447 // Check that we used the right roles. 448 if (use_dtls_) { 449 rtc::SSLRole client1_ssl_role = 450 (client1_role == cricket::CONNECTIONROLE_ACTIVE || 451 (client2_role == cricket::CONNECTIONROLE_PASSIVE && 452 client1_role == cricket::CONNECTIONROLE_ACTPASS)) ? 453 rtc::SSL_CLIENT : rtc::SSL_SERVER; 454 455 rtc::SSLRole client2_ssl_role = 456 (client2_role == cricket::CONNECTIONROLE_ACTIVE || 457 (client1_role == cricket::CONNECTIONROLE_PASSIVE && 458 client2_role == cricket::CONNECTIONROLE_ACTPASS)) ? 459 rtc::SSL_CLIENT : rtc::SSL_SERVER; 460 461 client1_.CheckRole(client1_ssl_role); 462 client2_.CheckRole(client2_ssl_role); 463 } 464 465 // Check that we negotiated the right ciphers. 466 if (use_dtls_srtp_) { 467 client1_.CheckSrtp(AES_CM_128_HMAC_SHA1_80); 468 client2_.CheckSrtp(AES_CM_128_HMAC_SHA1_80); 469 } else { 470 client1_.CheckSrtp(""); 471 client2_.CheckSrtp(""); 472 } 473 client1_.CheckSsl( 474 rtc::SSLStreamAdapter::GetDefaultSslCipher(ssl_expected_version_)); 475 client2_.CheckSsl( 476 rtc::SSLStreamAdapter::GetDefaultSslCipher(ssl_expected_version_)); 477 478 return true; 479 } 480 481 bool Connect() { 482 // By default, Client1 will be Server and Client2 will be Client. 483 return Connect(cricket::CONNECTIONROLE_ACTPASS, 484 cricket::CONNECTIONROLE_ACTIVE); 485 } 486 487 void Negotiate() { 488 Negotiate(cricket::CONNECTIONROLE_ACTPASS, cricket::CONNECTIONROLE_ACTIVE); 489 } 490 491 void Negotiate(ConnectionRole client1_role, ConnectionRole client2_role) { 492 client1_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLING); 493 client2_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLED); 494 // Expect success from SLTD and SRTD. 495 client1_.Negotiate(&client2_, cricket::CA_OFFER, 496 client1_role, client2_role, 0); 497 client2_.Negotiate(&client1_, cricket::CA_ANSWER, 498 client2_role, client1_role, 0); 499 } 500 501 // Negotiate with legacy client |client2|. Legacy client doesn't use setup 502 // attributes, except NONE. 503 void NegotiateWithLegacy() { 504 client1_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLING); 505 client2_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLED); 506 // Expect success from SLTD and SRTD. 507 client1_.Negotiate(&client2_, cricket::CA_OFFER, 508 cricket::CONNECTIONROLE_ACTPASS, 509 cricket::CONNECTIONROLE_NONE, 0); 510 client2_.Negotiate(&client1_, cricket::CA_ANSWER, 511 cricket::CONNECTIONROLE_ACTIVE, 512 cricket::CONNECTIONROLE_NONE, 0); 513 } 514 515 void Renegotiate(DtlsTestClient* reoffer_initiator, 516 ConnectionRole client1_role, ConnectionRole client2_role, 517 int flags) { 518 if (reoffer_initiator == &client1_) { 519 client1_.Negotiate(&client2_, cricket::CA_OFFER, 520 client1_role, client2_role, flags); 521 client2_.Negotiate(&client1_, cricket::CA_ANSWER, 522 client2_role, client1_role, flags); 523 } else { 524 client2_.Negotiate(&client1_, cricket::CA_OFFER, 525 client2_role, client1_role, flags); 526 client1_.Negotiate(&client2_, cricket::CA_ANSWER, 527 client1_role, client2_role, flags); 528 } 529 } 530 531 void TestTransfer(size_t channel, size_t size, size_t count, bool srtp) { 532 LOG(LS_INFO) << "Expect packets, size=" << size; 533 client2_.ExpectPackets(channel, size); 534 client1_.SendPackets(channel, size, count, srtp); 535 EXPECT_EQ_WAIT(count, client2_.NumPacketsReceived(), 10000); 536 } 537 538 protected: 539 DtlsTestClient client1_; 540 DtlsTestClient client2_; 541 int channel_ct_; 542 bool use_dtls_; 543 bool use_dtls_srtp_; 544 rtc::SSLProtocolVersion ssl_expected_version_; 545}; 546 547// Test that transport negotiation of ICE, no DTLS works properly. 548TEST_F(DtlsTransportChannelTest, TestChannelSetupIce) { 549 Negotiate(); 550 cricket::FakeTransportChannel* channel1 = client1_.GetFakeChannel(0); 551 cricket::FakeTransportChannel* channel2 = client2_.GetFakeChannel(0); 552 ASSERT_TRUE(channel1 != NULL); 553 ASSERT_TRUE(channel2 != NULL); 554 EXPECT_EQ(cricket::ICEROLE_CONTROLLING, channel1->GetIceRole()); 555 EXPECT_EQ(1U, channel1->IceTiebreaker()); 556 EXPECT_EQ(kIceUfrag1, channel1->ice_ufrag()); 557 EXPECT_EQ(kIcePwd1, channel1->ice_pwd()); 558 EXPECT_EQ(cricket::ICEROLE_CONTROLLED, channel2->GetIceRole()); 559 EXPECT_EQ(2U, channel2->IceTiebreaker()); 560} 561 562// Connect without DTLS, and transfer some data. 563TEST_F(DtlsTransportChannelTest, TestTransfer) { 564 ASSERT_TRUE(Connect()); 565 TestTransfer(0, 1000, 100, false); 566} 567 568// Create two channels without DTLS, and transfer some data. 569TEST_F(DtlsTransportChannelTest, TestTransferTwoChannels) { 570 SetChannelCount(2); 571 ASSERT_TRUE(Connect()); 572 TestTransfer(0, 1000, 100, false); 573 TestTransfer(1, 1000, 100, false); 574} 575 576// Connect without DTLS, and transfer SRTP data. 577TEST_F(DtlsTransportChannelTest, TestTransferSrtp) { 578 ASSERT_TRUE(Connect()); 579 TestTransfer(0, 1000, 100, true); 580} 581 582// Create two channels without DTLS, and transfer SRTP data. 583TEST_F(DtlsTransportChannelTest, TestTransferSrtpTwoChannels) { 584 SetChannelCount(2); 585 ASSERT_TRUE(Connect()); 586 TestTransfer(0, 1000, 100, true); 587 TestTransfer(1, 1000, 100, true); 588} 589 590// Connect with DTLS, and transfer some data. 591TEST_F(DtlsTransportChannelTest, TestTransferDtls) { 592 MAYBE_SKIP_TEST(HaveDtls); 593 PrepareDtls(true, true, rtc::KT_DEFAULT); 594 ASSERT_TRUE(Connect()); 595 TestTransfer(0, 1000, 100, false); 596} 597 598// Create two channels with DTLS, and transfer some data. 599TEST_F(DtlsTransportChannelTest, TestTransferDtlsTwoChannels) { 600 MAYBE_SKIP_TEST(HaveDtls); 601 SetChannelCount(2); 602 PrepareDtls(true, true, rtc::KT_DEFAULT); 603 ASSERT_TRUE(Connect()); 604 TestTransfer(0, 1000, 100, false); 605 TestTransfer(1, 1000, 100, false); 606} 607 608// Connect with A doing DTLS and B not, and transfer some data. 609TEST_F(DtlsTransportChannelTest, TestTransferDtlsRejected) { 610 PrepareDtls(true, false, rtc::KT_DEFAULT); 611 ASSERT_TRUE(Connect()); 612 TestTransfer(0, 1000, 100, false); 613} 614 615// Connect with B doing DTLS and A not, and transfer some data. 616TEST_F(DtlsTransportChannelTest, TestTransferDtlsNotOffered) { 617 PrepareDtls(false, true, rtc::KT_DEFAULT); 618 ASSERT_TRUE(Connect()); 619 TestTransfer(0, 1000, 100, false); 620} 621 622// Create two channels with DTLS 1.0 and check ciphers. 623TEST_F(DtlsTransportChannelTest, TestDtls12None) { 624 MAYBE_SKIP_TEST(HaveDtls); 625 SetChannelCount(2); 626 PrepareDtls(true, true, rtc::KT_DEFAULT); 627 SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10); 628 ASSERT_TRUE(Connect()); 629} 630 631// Create two channels with DTLS 1.2 and check ciphers. 632TEST_F(DtlsTransportChannelTest, TestDtls12Both) { 633 MAYBE_SKIP_TEST(HaveDtls); 634 SetChannelCount(2); 635 PrepareDtls(true, true, rtc::KT_DEFAULT); 636 SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12); 637 ASSERT_TRUE(Connect()); 638} 639 640// Create two channels with DTLS 1.0 / DTLS 1.2 and check ciphers. 641TEST_F(DtlsTransportChannelTest, TestDtls12Client1) { 642 MAYBE_SKIP_TEST(HaveDtls); 643 SetChannelCount(2); 644 PrepareDtls(true, true, rtc::KT_DEFAULT); 645 SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_10); 646 ASSERT_TRUE(Connect()); 647} 648 649// Create two channels with DTLS 1.2 / DTLS 1.0 and check ciphers. 650TEST_F(DtlsTransportChannelTest, TestDtls12Client2) { 651 MAYBE_SKIP_TEST(HaveDtls); 652 SetChannelCount(2); 653 PrepareDtls(true, true, rtc::KT_DEFAULT); 654 SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_12); 655 ASSERT_TRUE(Connect()); 656} 657 658// Connect with DTLS, negotiate DTLS-SRTP, and transfer SRTP using bypass. 659TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtp) { 660 MAYBE_SKIP_TEST(HaveDtlsSrtp); 661 PrepareDtls(true, true, rtc::KT_DEFAULT); 662 PrepareDtlsSrtp(true, true); 663 ASSERT_TRUE(Connect()); 664 TestTransfer(0, 1000, 100, true); 665} 666 667// Connect with DTLS-SRTP, transfer an invalid SRTP packet, and expects -1 668// returned. 669TEST_F(DtlsTransportChannelTest, TestTransferDtlsInvalidSrtpPacket) { 670 MAYBE_SKIP_TEST(HaveDtls); 671 PrepareDtls(true, true, rtc::KT_DEFAULT); 672 PrepareDtlsSrtp(true, true); 673 ASSERT_TRUE(Connect()); 674 int result = client1_.SendInvalidSrtpPacket(0, 100); 675 ASSERT_EQ(-1, result); 676} 677 678// Connect with DTLS. A does DTLS-SRTP but B does not. 679TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpRejected) { 680 MAYBE_SKIP_TEST(HaveDtlsSrtp); 681 PrepareDtls(true, true, rtc::KT_DEFAULT); 682 PrepareDtlsSrtp(true, false); 683 ASSERT_TRUE(Connect()); 684} 685 686// Connect with DTLS. B does DTLS-SRTP but A does not. 687TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpNotOffered) { 688 MAYBE_SKIP_TEST(HaveDtlsSrtp); 689 PrepareDtls(true, true, rtc::KT_DEFAULT); 690 PrepareDtlsSrtp(false, true); 691 ASSERT_TRUE(Connect()); 692} 693 694// Create two channels with DTLS, negotiate DTLS-SRTP, and transfer bypass SRTP. 695TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpTwoChannels) { 696 MAYBE_SKIP_TEST(HaveDtlsSrtp); 697 SetChannelCount(2); 698 PrepareDtls(true, true, rtc::KT_DEFAULT); 699 PrepareDtlsSrtp(true, true); 700 ASSERT_TRUE(Connect()); 701 TestTransfer(0, 1000, 100, true); 702 TestTransfer(1, 1000, 100, true); 703} 704 705// Create a single channel with DTLS, and send normal data and SRTP data on it. 706TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpDemux) { 707 MAYBE_SKIP_TEST(HaveDtlsSrtp); 708 PrepareDtls(true, true, rtc::KT_DEFAULT); 709 PrepareDtlsSrtp(true, true); 710 ASSERT_TRUE(Connect()); 711 TestTransfer(0, 1000, 100, false); 712 TestTransfer(0, 1000, 100, true); 713} 714 715// Testing when the remote is passive. 716TEST_F(DtlsTransportChannelTest, TestTransferDtlsAnswererIsPassive) { 717 MAYBE_SKIP_TEST(HaveDtlsSrtp); 718 SetChannelCount(2); 719 PrepareDtls(true, true, rtc::KT_DEFAULT); 720 PrepareDtlsSrtp(true, true); 721 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS, 722 cricket::CONNECTIONROLE_PASSIVE)); 723 TestTransfer(0, 1000, 100, true); 724 TestTransfer(1, 1000, 100, true); 725} 726 727// Testing with the legacy DTLS client which doesn't use setup attribute. 728// In this case legacy is the answerer. 729TEST_F(DtlsTransportChannelTest, TestDtlsSetupWithLegacyAsAnswerer) { 730 MAYBE_SKIP_TEST(HaveDtlsSrtp); 731 PrepareDtls(true, true, rtc::KT_DEFAULT); 732 NegotiateWithLegacy(); 733 rtc::SSLRole channel1_role; 734 rtc::SSLRole channel2_role; 735 EXPECT_TRUE(client1_.transport()->GetSslRole(&channel1_role)); 736 EXPECT_TRUE(client2_.transport()->GetSslRole(&channel2_role)); 737 EXPECT_EQ(rtc::SSL_SERVER, channel1_role); 738 EXPECT_EQ(rtc::SSL_CLIENT, channel2_role); 739} 740 741// Testing re offer/answer after the session is estbalished. Roles will be 742// kept same as of the previous negotiation. 743TEST_F(DtlsTransportChannelTest, TestDtlsReOfferFromOfferer) { 744 MAYBE_SKIP_TEST(HaveDtlsSrtp); 745 SetChannelCount(2); 746 PrepareDtls(true, true, rtc::KT_DEFAULT); 747 PrepareDtlsSrtp(true, true); 748 // Initial role for client1 is ACTPASS and client2 is ACTIVE. 749 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS, 750 cricket::CONNECTIONROLE_ACTIVE)); 751 TestTransfer(0, 1000, 100, true); 752 TestTransfer(1, 1000, 100, true); 753 // Using input roles for the re-offer. 754 Renegotiate(&client1_, cricket::CONNECTIONROLE_ACTPASS, 755 cricket::CONNECTIONROLE_ACTIVE, NF_REOFFER); 756 TestTransfer(0, 1000, 100, true); 757 TestTransfer(1, 1000, 100, true); 758} 759 760TEST_F(DtlsTransportChannelTest, TestDtlsReOfferFromAnswerer) { 761 MAYBE_SKIP_TEST(HaveDtlsSrtp); 762 SetChannelCount(2); 763 PrepareDtls(true, true, rtc::KT_DEFAULT); 764 PrepareDtlsSrtp(true, true); 765 // Initial role for client1 is ACTPASS and client2 is ACTIVE. 766 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS, 767 cricket::CONNECTIONROLE_ACTIVE)); 768 TestTransfer(0, 1000, 100, true); 769 TestTransfer(1, 1000, 100, true); 770 // Using input roles for the re-offer. 771 Renegotiate(&client2_, cricket::CONNECTIONROLE_PASSIVE, 772 cricket::CONNECTIONROLE_ACTPASS, NF_REOFFER); 773 TestTransfer(0, 1000, 100, true); 774 TestTransfer(1, 1000, 100, true); 775} 776 777// Test that any change in role after the intial setup will result in failure. 778TEST_F(DtlsTransportChannelTest, TestDtlsRoleReversal) { 779 MAYBE_SKIP_TEST(HaveDtlsSrtp); 780 SetChannelCount(2); 781 PrepareDtls(true, true, rtc::KT_DEFAULT); 782 PrepareDtlsSrtp(true, true); 783 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS, 784 cricket::CONNECTIONROLE_PASSIVE)); 785 786 // Renegotiate from client2 with actpass and client1 as active. 787 Renegotiate(&client2_, cricket::CONNECTIONROLE_ACTPASS, 788 cricket::CONNECTIONROLE_ACTIVE, 789 NF_REOFFER | NF_EXPECT_FAILURE); 790} 791 792// Test that using different setup attributes which results in similar ssl 793// role as the initial negotiation will result in success. 794TEST_F(DtlsTransportChannelTest, TestDtlsReOfferWithDifferentSetupAttr) { 795 MAYBE_SKIP_TEST(HaveDtlsSrtp); 796 SetChannelCount(2); 797 PrepareDtls(true, true, rtc::KT_DEFAULT); 798 PrepareDtlsSrtp(true, true); 799 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS, 800 cricket::CONNECTIONROLE_PASSIVE)); 801 // Renegotiate from client2 with actpass and client1 as active. 802 Renegotiate(&client2_, cricket::CONNECTIONROLE_ACTIVE, 803 cricket::CONNECTIONROLE_ACTPASS, NF_REOFFER); 804 TestTransfer(0, 1000, 100, true); 805 TestTransfer(1, 1000, 100, true); 806} 807 808// Test that re-negotiation can be started before the clients become connected 809// in the first negotiation. 810TEST_F(DtlsTransportChannelTest, TestRenegotiateBeforeConnect) { 811 MAYBE_SKIP_TEST(HaveDtlsSrtp); 812 SetChannelCount(2); 813 PrepareDtls(true, true, rtc::KT_DEFAULT); 814 PrepareDtlsSrtp(true, true); 815 Negotiate(); 816 817 Renegotiate(&client1_, cricket::CONNECTIONROLE_ACTPASS, 818 cricket::CONNECTIONROLE_ACTIVE, NF_REOFFER); 819 bool rv = client1_.Connect(&client2_); 820 EXPECT_TRUE(rv); 821 EXPECT_TRUE_WAIT(client1_.writable() && client2_.writable(), 10000); 822 823 TestTransfer(0, 1000, 100, true); 824 TestTransfer(1, 1000, 100, true); 825} 826 827// Test Certificates state after negotiation but before connection. 828TEST_F(DtlsTransportChannelTest, TestCertificatesBeforeConnect) { 829 MAYBE_SKIP_TEST(HaveDtls); 830 PrepareDtls(true, true, rtc::KT_DEFAULT); 831 Negotiate(); 832 833 rtc::scoped_refptr<rtc::RTCCertificate> certificate1; 834 rtc::scoped_refptr<rtc::RTCCertificate> certificate2; 835 rtc::scoped_ptr<rtc::SSLCertificate> remote_cert1; 836 rtc::scoped_ptr<rtc::SSLCertificate> remote_cert2; 837 838 // After negotiation, each side has a distinct local certificate, but still no 839 // remote certificate, because connection has not yet occurred. 840 ASSERT_TRUE(client1_.transport()->GetCertificate(&certificate1)); 841 ASSERT_TRUE(client2_.transport()->GetCertificate(&certificate2)); 842 ASSERT_NE(certificate1->ssl_certificate().ToPEMString(), 843 certificate2->ssl_certificate().ToPEMString()); 844 ASSERT_FALSE( 845 client1_.transport()->GetRemoteSSLCertificate(remote_cert1.accept())); 846 ASSERT_FALSE(remote_cert1 != NULL); 847 ASSERT_FALSE( 848 client2_.transport()->GetRemoteSSLCertificate(remote_cert2.accept())); 849 ASSERT_FALSE(remote_cert2 != NULL); 850} 851 852// Test Certificates state after connection. 853TEST_F(DtlsTransportChannelTest, TestCertificatesAfterConnect) { 854 MAYBE_SKIP_TEST(HaveDtls); 855 PrepareDtls(true, true, rtc::KT_DEFAULT); 856 ASSERT_TRUE(Connect()); 857 858 rtc::scoped_refptr<rtc::RTCCertificate> certificate1; 859 rtc::scoped_refptr<rtc::RTCCertificate> certificate2; 860 rtc::scoped_ptr<rtc::SSLCertificate> remote_cert1; 861 rtc::scoped_ptr<rtc::SSLCertificate> remote_cert2; 862 863 // After connection, each side has a distinct local certificate. 864 ASSERT_TRUE(client1_.transport()->GetCertificate(&certificate1)); 865 ASSERT_TRUE(client2_.transport()->GetCertificate(&certificate2)); 866 ASSERT_NE(certificate1->ssl_certificate().ToPEMString(), 867 certificate2->ssl_certificate().ToPEMString()); 868 869 // Each side's remote certificate is the other side's local certificate. 870 ASSERT_TRUE( 871 client1_.transport()->GetRemoteSSLCertificate(remote_cert1.accept())); 872 ASSERT_EQ(remote_cert1->ToPEMString(), 873 certificate2->ssl_certificate().ToPEMString()); 874 ASSERT_TRUE( 875 client2_.transport()->GetRemoteSSLCertificate(remote_cert2.accept())); 876 ASSERT_EQ(remote_cert2->ToPEMString(), 877 certificate1->ssl_certificate().ToPEMString()); 878} 879