OLD | NEW |
| (Empty) |
1 /* | |
2 * Copyright 2011 The WebRTC Project Authors. All rights reserved. | |
3 * | |
4 * Use of this source code is governed by a BSD-style license | |
5 * that can be found in the LICENSE file in the root of the source | |
6 * tree. An additional intellectual property rights grant can be found | |
7 * in the file PATENTS. All contributing project authors may | |
8 * be found in the AUTHORS file in the root of the source tree. | |
9 */ | |
10 | |
11 #include <memory> | |
12 #include <set> | |
13 | |
14 #include "webrtc/p2p/base/dtlstransportchannel.h" | |
15 #include "webrtc/p2p/base/fakeicetransport.h" | |
16 #include "webrtc/p2p/base/packettransportinternal.h" | |
17 #include "webrtc/rtc_base/checks.h" | |
18 #include "webrtc/rtc_base/dscp.h" | |
19 #include "webrtc/rtc_base/gunit.h" | |
20 #include "webrtc/rtc_base/helpers.h" | |
21 #include "webrtc/rtc_base/ssladapter.h" | |
22 #include "webrtc/rtc_base/sslidentity.h" | |
23 #include "webrtc/rtc_base/sslstreamadapter.h" | |
24 #include "webrtc/rtc_base/stringutils.h" | |
25 | |
26 #define MAYBE_SKIP_TEST(feature) \ | |
27 if (!(rtc::SSLStreamAdapter::feature())) { \ | |
28 LOG(LS_INFO) << #feature " feature disabled... skipping"; \ | |
29 return; \ | |
30 } | |
31 | |
32 static const char kIceUfrag1[] = "TESTICEUFRAG0001"; | |
33 static const char kIcePwd1[] = "TESTICEPWD00000000000001"; | |
34 static const size_t kPacketNumOffset = 8; | |
35 static const size_t kPacketHeaderLen = 12; | |
36 static const int kFakePacketId = 0x1234; | |
37 static const int kTimeout = 10000; | |
38 | |
39 static bool IsRtpLeadByte(uint8_t b) { | |
40 return ((b & 0xC0) == 0x80); | |
41 } | |
42 | |
43 cricket::TransportDescription MakeTransportDescription( | |
44 const rtc::scoped_refptr<rtc::RTCCertificate>& cert, | |
45 cricket::ConnectionRole role) { | |
46 std::unique_ptr<rtc::SSLFingerprint> fingerprint; | |
47 if (cert) { | |
48 std::string digest_algorithm; | |
49 EXPECT_TRUE( | |
50 cert->ssl_certificate().GetSignatureDigestAlgorithm(&digest_algorithm)); | |
51 EXPECT_FALSE(digest_algorithm.empty()); | |
52 fingerprint.reset( | |
53 rtc::SSLFingerprint::Create(digest_algorithm, cert->identity())); | |
54 EXPECT_TRUE(fingerprint.get() != NULL); | |
55 EXPECT_EQ(rtc::DIGEST_SHA_256, digest_algorithm); | |
56 } | |
57 return cricket::TransportDescription(std::vector<std::string>(), kIceUfrag1, | |
58 kIcePwd1, cricket::ICEMODE_FULL, role, | |
59 fingerprint.get()); | |
60 } | |
61 | |
62 using cricket::ConnectionRole; | |
63 | |
64 enum Flags { NF_REOFFER = 0x1, NF_EXPECT_FAILURE = 0x2 }; | |
65 | |
66 // TODO(deadbeef): Remove the dependency on JsepTransport. This test should be | |
67 // testing DtlsTransportChannel by itself, calling methods to set the | |
68 // configuration directly instead of negotiating TransportDescriptions. | |
69 class DtlsTestClient : public sigslot::has_slots<> { | |
70 public: | |
71 DtlsTestClient(const std::string& name) : name_(name) {} | |
72 void CreateCertificate(rtc::KeyType key_type) { | |
73 certificate_ = | |
74 rtc::RTCCertificate::Create(std::unique_ptr<rtc::SSLIdentity>( | |
75 rtc::SSLIdentity::Generate(name_, key_type))); | |
76 } | |
77 const rtc::scoped_refptr<rtc::RTCCertificate>& certificate() { | |
78 return certificate_; | |
79 } | |
80 void SetupMaxProtocolVersion(rtc::SSLProtocolVersion version) { | |
81 ssl_max_version_ = version; | |
82 } | |
83 void SetupChannels(int count, cricket::IceRole role, int async_delay_ms = 0) { | |
84 transport_.reset( | |
85 new cricket::JsepTransport("dtls content name", certificate_)); | |
86 for (int i = 0; i < count; ++i) { | |
87 cricket::FakeIceTransport* fake_ice_channel = | |
88 new cricket::FakeIceTransport(transport_->mid(), i); | |
89 fake_ice_channel->SetAsync(true); | |
90 fake_ice_channel->SetAsyncDelay(async_delay_ms); | |
91 // Hook the raw packets so that we can verify they are encrypted. | |
92 fake_ice_channel->SignalReadPacket.connect( | |
93 this, &DtlsTestClient::OnFakeTransportChannelReadPacket); | |
94 | |
95 cricket::DtlsTransport* dtls = | |
96 new cricket::DtlsTransport(fake_ice_channel, rtc::CryptoOptions()); | |
97 dtls->SetLocalCertificate(certificate_); | |
98 dtls->ice_transport()->SetIceRole(role); | |
99 dtls->ice_transport()->SetIceTiebreaker( | |
100 (role == cricket::ICEROLE_CONTROLLING) ? 1 : 2); | |
101 dtls->SetSslMaxProtocolVersion(ssl_max_version_); | |
102 dtls->SignalWritableState.connect( | |
103 this, &DtlsTestClient::OnTransportChannelWritableState); | |
104 dtls->SignalReadPacket.connect( | |
105 this, &DtlsTestClient::OnTransportChannelReadPacket); | |
106 dtls->SignalSentPacket.connect( | |
107 this, &DtlsTestClient::OnTransportChannelSentPacket); | |
108 dtls_transports_.push_back(std::unique_ptr<cricket::DtlsTransport>(dtls)); | |
109 fake_ice_transports_.push_back( | |
110 std::unique_ptr<cricket::FakeIceTransport>(fake_ice_channel)); | |
111 transport_->AddChannel(dtls, i); | |
112 } | |
113 } | |
114 | |
115 cricket::JsepTransport* transport() { return transport_.get(); } | |
116 | |
117 cricket::FakeIceTransport* GetFakeIceTransort(int component) { | |
118 for (const auto& ch : fake_ice_transports_) { | |
119 if (ch->component() == component) { | |
120 return ch.get(); | |
121 } | |
122 } | |
123 return nullptr; | |
124 } | |
125 | |
126 cricket::DtlsTransport* GetDtlsTransport(int component) { | |
127 for (const auto& dtls : dtls_transports_) { | |
128 if (dtls->component() == component) { | |
129 return dtls.get(); | |
130 } | |
131 } | |
132 return nullptr; | |
133 } | |
134 | |
135 // Offer DTLS if we have an identity; pass in a remote fingerprint only if | |
136 // both sides support DTLS. | |
137 void Negotiate(DtlsTestClient* peer, cricket::ContentAction action, | |
138 ConnectionRole local_role, ConnectionRole remote_role, | |
139 int flags) { | |
140 Negotiate(certificate_, certificate_ ? peer->certificate_ : nullptr, action, | |
141 local_role, remote_role, flags); | |
142 } | |
143 | |
144 void SetLocalTransportDescription( | |
145 const rtc::scoped_refptr<rtc::RTCCertificate>& cert, | |
146 cricket::ContentAction action, | |
147 ConnectionRole role, | |
148 int flags) { | |
149 // If |NF_EXPECT_FAILURE| is set, expect SRTD or SLTD to fail when | |
150 // content action is CA_ANSWER. | |
151 bool expect_success = | |
152 !((action == cricket::CA_ANSWER) && (flags & NF_EXPECT_FAILURE)); | |
153 EXPECT_EQ(expect_success, | |
154 transport_->SetLocalTransportDescription( | |
155 MakeTransportDescription(cert, role), action, nullptr)); | |
156 } | |
157 | |
158 void SetRemoteTransportDescription( | |
159 const rtc::scoped_refptr<rtc::RTCCertificate>& cert, | |
160 cricket::ContentAction action, | |
161 ConnectionRole role, | |
162 int flags) { | |
163 // If |NF_EXPECT_FAILURE| is set, expect SRTD or SLTD to fail when | |
164 // content action is CA_ANSWER. | |
165 bool expect_success = | |
166 !((action == cricket::CA_ANSWER) && (flags & NF_EXPECT_FAILURE)); | |
167 EXPECT_EQ(expect_success, | |
168 transport_->SetRemoteTransportDescription( | |
169 MakeTransportDescription(cert, role), action, nullptr)); | |
170 } | |
171 | |
172 // Allow any DTLS configuration to be specified (including invalid ones). | |
173 void Negotiate(const rtc::scoped_refptr<rtc::RTCCertificate>& local_cert, | |
174 const rtc::scoped_refptr<rtc::RTCCertificate>& remote_cert, | |
175 cricket::ContentAction action, | |
176 ConnectionRole local_role, | |
177 ConnectionRole remote_role, | |
178 int flags) { | |
179 if (action == cricket::CA_OFFER) { | |
180 SetLocalTransportDescription(local_cert, cricket::CA_OFFER, local_role, | |
181 flags); | |
182 SetRemoteTransportDescription(remote_cert, cricket::CA_ANSWER, | |
183 remote_role, flags); | |
184 } else { | |
185 SetRemoteTransportDescription(remote_cert, cricket::CA_OFFER, remote_role, | |
186 flags); | |
187 // If remote if the offerer and has no DTLS support, answer will be | |
188 // without any fingerprint. | |
189 SetLocalTransportDescription(remote_cert ? local_cert : nullptr, | |
190 cricket::CA_ANSWER, local_role, flags); | |
191 } | |
192 } | |
193 | |
194 bool Connect(DtlsTestClient* peer, bool asymmetric) { | |
195 for (auto& ice : fake_ice_transports_) { | |
196 ice->SetDestination(peer->GetFakeIceTransort(ice->component()), | |
197 asymmetric); | |
198 } | |
199 return true; | |
200 } | |
201 | |
202 bool all_dtls_transports_writable() const { | |
203 if (dtls_transports_.empty()) { | |
204 return false; | |
205 } | |
206 for (const auto& dtls : dtls_transports_) { | |
207 if (!dtls->writable()) { | |
208 return false; | |
209 } | |
210 } | |
211 return true; | |
212 } | |
213 | |
214 bool all_ice_transports_writable() const { | |
215 if (dtls_transports_.empty()) { | |
216 return false; | |
217 } | |
218 for (const auto& dtls : dtls_transports_) { | |
219 if (!dtls->ice_transport()->writable()) { | |
220 return false; | |
221 } | |
222 } | |
223 return true; | |
224 } | |
225 | |
226 int received_dtls_client_hellos() const { | |
227 return received_dtls_client_hellos_; | |
228 } | |
229 | |
230 int received_dtls_server_hellos() const { | |
231 return received_dtls_server_hellos_; | |
232 } | |
233 | |
234 bool negotiated_dtls() const { | |
235 return transport_->local_description() && | |
236 transport_->local_description()->identity_fingerprint && | |
237 transport_->remote_description() && | |
238 transport_->remote_description()->identity_fingerprint; | |
239 } | |
240 | |
241 void CheckRole(rtc::SSLRole role) { | |
242 if (role == rtc::SSL_CLIENT) { | |
243 ASSERT_EQ(0, received_dtls_client_hellos_); | |
244 ASSERT_GT(received_dtls_server_hellos_, 0); | |
245 } else { | |
246 ASSERT_GT(received_dtls_client_hellos_, 0); | |
247 ASSERT_EQ(0, received_dtls_server_hellos_); | |
248 } | |
249 } | |
250 | |
251 void CheckSrtp(int expected_crypto_suite) { | |
252 for (const auto& dtls : dtls_transports_) { | |
253 int crypto_suite; | |
254 | |
255 bool rv = dtls->GetSrtpCryptoSuite(&crypto_suite); | |
256 if (negotiated_dtls() && expected_crypto_suite) { | |
257 ASSERT_TRUE(rv); | |
258 | |
259 ASSERT_EQ(crypto_suite, expected_crypto_suite); | |
260 } else { | |
261 ASSERT_FALSE(rv); | |
262 } | |
263 } | |
264 } | |
265 | |
266 void CheckSsl() { | |
267 for (const auto& dtls : dtls_transports_) { | |
268 int cipher; | |
269 | |
270 bool rv = dtls->GetSslCipherSuite(&cipher); | |
271 if (negotiated_dtls()) { | |
272 ASSERT_TRUE(rv); | |
273 | |
274 EXPECT_TRUE( | |
275 rtc::SSLStreamAdapter::IsAcceptableCipher(cipher, rtc::KT_DEFAULT)); | |
276 } else { | |
277 ASSERT_FALSE(rv); | |
278 } | |
279 } | |
280 } | |
281 | |
282 void SendPackets(size_t transport, size_t size, size_t count, bool srtp) { | |
283 RTC_CHECK(transport < dtls_transports_.size()); | |
284 std::unique_ptr<char[]> packet(new char[size]); | |
285 size_t sent = 0; | |
286 do { | |
287 // Fill the packet with a known value and a sequence number to check | |
288 // against, and make sure that it doesn't look like DTLS. | |
289 memset(packet.get(), sent & 0xff, size); | |
290 packet[0] = (srtp) ? 0x80 : 0x00; | |
291 rtc::SetBE32(packet.get() + kPacketNumOffset, | |
292 static_cast<uint32_t>(sent)); | |
293 | |
294 // Only set the bypass flag if we've activated DTLS. | |
295 int flags = (certificate_ && srtp) ? cricket::PF_SRTP_BYPASS : 0; | |
296 rtc::PacketOptions packet_options; | |
297 packet_options.packet_id = kFakePacketId; | |
298 int rv = dtls_transports_[transport]->SendPacket(packet.get(), size, | |
299 packet_options, flags); | |
300 ASSERT_GT(rv, 0); | |
301 ASSERT_EQ(size, static_cast<size_t>(rv)); | |
302 ++sent; | |
303 } while (sent < count); | |
304 } | |
305 | |
306 int SendInvalidSrtpPacket(size_t transport, size_t size) { | |
307 RTC_CHECK(transport < dtls_transports_.size()); | |
308 std::unique_ptr<char[]> packet(new char[size]); | |
309 // Fill the packet with 0 to form an invalid SRTP packet. | |
310 memset(packet.get(), 0, size); | |
311 | |
312 rtc::PacketOptions packet_options; | |
313 return dtls_transports_[transport]->SendPacket( | |
314 packet.get(), size, packet_options, cricket::PF_SRTP_BYPASS); | |
315 } | |
316 | |
317 void ExpectPackets(size_t transport, size_t size) { | |
318 packet_size_ = size; | |
319 received_.clear(); | |
320 } | |
321 | |
322 size_t NumPacketsReceived() { | |
323 return received_.size(); | |
324 } | |
325 | |
326 bool VerifyPacket(const char* data, size_t size, uint32_t* out_num) { | |
327 if (size != packet_size_ || | |
328 (data[0] != 0 && static_cast<uint8_t>(data[0]) != 0x80)) { | |
329 return false; | |
330 } | |
331 uint32_t packet_num = rtc::GetBE32(data + kPacketNumOffset); | |
332 for (size_t i = kPacketHeaderLen; i < size; ++i) { | |
333 if (static_cast<uint8_t>(data[i]) != (packet_num & 0xff)) { | |
334 return false; | |
335 } | |
336 } | |
337 if (out_num) { | |
338 *out_num = packet_num; | |
339 } | |
340 return true; | |
341 } | |
342 bool VerifyEncryptedPacket(const char* data, size_t size) { | |
343 // This is an encrypted data packet; let's make sure it's mostly random; | |
344 // less than 10% of the bytes should be equal to the cleartext packet. | |
345 if (size <= packet_size_) { | |
346 return false; | |
347 } | |
348 uint32_t packet_num = rtc::GetBE32(data + kPacketNumOffset); | |
349 int num_matches = 0; | |
350 for (size_t i = kPacketNumOffset; i < size; ++i) { | |
351 if (static_cast<uint8_t>(data[i]) == (packet_num & 0xff)) { | |
352 ++num_matches; | |
353 } | |
354 } | |
355 return (num_matches < ((static_cast<int>(size) - 5) / 10)); | |
356 } | |
357 | |
358 // Transport channel callbacks | |
359 void OnTransportChannelWritableState( | |
360 rtc::PacketTransportInternal* transport) { | |
361 LOG(LS_INFO) << name_ << ": Channel '" << transport->debug_name() | |
362 << "' is writable"; | |
363 } | |
364 | |
365 void OnTransportChannelReadPacket(rtc::PacketTransportInternal* transport, | |
366 const char* data, | |
367 size_t size, | |
368 const rtc::PacketTime& packet_time, | |
369 int flags) { | |
370 uint32_t packet_num = 0; | |
371 ASSERT_TRUE(VerifyPacket(data, size, &packet_num)); | |
372 received_.insert(packet_num); | |
373 // Only DTLS-SRTP packets should have the bypass flag set. | |
374 int expected_flags = | |
375 (certificate_ && IsRtpLeadByte(data[0])) ? cricket::PF_SRTP_BYPASS : 0; | |
376 ASSERT_EQ(expected_flags, flags); | |
377 } | |
378 | |
379 void OnTransportChannelSentPacket(rtc::PacketTransportInternal* transport, | |
380 const rtc::SentPacket& sent_packet) { | |
381 sent_packet_ = sent_packet; | |
382 } | |
383 | |
384 rtc::SentPacket sent_packet() const { return sent_packet_; } | |
385 | |
386 // Hook into the raw packet stream to make sure DTLS packets are encrypted. | |
387 void OnFakeTransportChannelReadPacket(rtc::PacketTransportInternal* transport, | |
388 const char* data, | |
389 size_t size, | |
390 const rtc::PacketTime& time, | |
391 int flags) { | |
392 // Flags shouldn't be set on the underlying TransportChannel packets. | |
393 ASSERT_EQ(0, flags); | |
394 | |
395 // Look at the handshake packets to see what role we played. | |
396 // Check that non-handshake packets are DTLS data or SRTP bypass. | |
397 if (data[0] == 22 && size > 17) { | |
398 if (data[13] == 1) { | |
399 ++received_dtls_client_hellos_; | |
400 } else if (data[13] == 2) { | |
401 ++received_dtls_server_hellos_; | |
402 } | |
403 } else if (negotiated_dtls() && !(data[0] >= 20 && data[0] <= 22)) { | |
404 ASSERT_TRUE(data[0] == 23 || IsRtpLeadByte(data[0])); | |
405 if (data[0] == 23) { | |
406 ASSERT_TRUE(VerifyEncryptedPacket(data, size)); | |
407 } else if (IsRtpLeadByte(data[0])) { | |
408 ASSERT_TRUE(VerifyPacket(data, size, NULL)); | |
409 } | |
410 } | |
411 } | |
412 | |
413 private: | |
414 std::string name_; | |
415 rtc::scoped_refptr<rtc::RTCCertificate> certificate_; | |
416 std::vector<std::unique_ptr<cricket::FakeIceTransport>> fake_ice_transports_; | |
417 std::vector<std::unique_ptr<cricket::DtlsTransport>> dtls_transports_; | |
418 std::unique_ptr<cricket::JsepTransport> transport_; | |
419 size_t packet_size_ = 0u; | |
420 std::set<int> received_; | |
421 rtc::SSLProtocolVersion ssl_max_version_ = rtc::SSL_PROTOCOL_DTLS_12; | |
422 int received_dtls_client_hellos_ = 0; | |
423 int received_dtls_server_hellos_ = 0; | |
424 rtc::SentPacket sent_packet_; | |
425 }; | |
426 | |
427 // Base class for DtlsTransportChannelTest and DtlsEventOrderingTest, which | |
428 // inherit from different variants of testing::Test. | |
429 // | |
430 // Note that this test always uses a FakeClock, due to the |fake_clock_| member | |
431 // variable. | |
432 class DtlsTransportChannelTestBase { | |
433 public: | |
434 DtlsTransportChannelTestBase() | |
435 : client1_("P1"), | |
436 client2_("P2"), | |
437 channel_ct_(1), | |
438 use_dtls_(false), | |
439 ssl_expected_version_(rtc::SSL_PROTOCOL_DTLS_12) {} | |
440 | |
441 void SetChannelCount(size_t channel_ct) { | |
442 channel_ct_ = static_cast<int>(channel_ct); | |
443 } | |
444 void SetMaxProtocolVersions(rtc::SSLProtocolVersion c1, | |
445 rtc::SSLProtocolVersion c2) { | |
446 client1_.SetupMaxProtocolVersion(c1); | |
447 client2_.SetupMaxProtocolVersion(c2); | |
448 ssl_expected_version_ = std::min(c1, c2); | |
449 } | |
450 void PrepareDtls(bool c1, bool c2, rtc::KeyType key_type) { | |
451 if (c1) { | |
452 client1_.CreateCertificate(key_type); | |
453 } | |
454 if (c2) { | |
455 client2_.CreateCertificate(key_type); | |
456 } | |
457 if (c1 && c2) | |
458 use_dtls_ = true; | |
459 } | |
460 | |
461 // Negotiate local/remote fingerprint before or after the underlying | |
462 // tranpsort is connected? | |
463 enum NegotiateOrdering { NEGOTIATE_BEFORE_CONNECT, CONNECT_BEFORE_NEGOTIATE }; | |
464 bool Connect(ConnectionRole client1_role, | |
465 ConnectionRole client2_role, | |
466 NegotiateOrdering ordering = NEGOTIATE_BEFORE_CONNECT) { | |
467 bool rv; | |
468 if (ordering == NEGOTIATE_BEFORE_CONNECT) { | |
469 Negotiate(client1_role, client2_role); | |
470 rv = client1_.Connect(&client2_, false); | |
471 } else { | |
472 client1_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLING); | |
473 client2_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLED); | |
474 // This is equivalent to an offer being processed on both sides, but an | |
475 // answer not yet being received on the initiating side. So the | |
476 // connection will be made before negotiation has finished on both sides. | |
477 client1_.SetLocalTransportDescription(client1_.certificate(), | |
478 cricket::CA_OFFER, client1_role, 0); | |
479 client2_.SetRemoteTransportDescription( | |
480 client1_.certificate(), cricket::CA_OFFER, client1_role, 0); | |
481 client2_.SetLocalTransportDescription( | |
482 client2_.certificate(), cricket::CA_ANSWER, client2_role, 0); | |
483 rv = client1_.Connect(&client2_, false); | |
484 client1_.SetRemoteTransportDescription( | |
485 client2_.certificate(), cricket::CA_ANSWER, client2_role, 0); | |
486 } | |
487 | |
488 EXPECT_TRUE(rv); | |
489 if (!rv) | |
490 return false; | |
491 | |
492 EXPECT_TRUE_SIMULATED_WAIT(client1_.all_dtls_transports_writable() && | |
493 client2_.all_dtls_transports_writable(), | |
494 kTimeout, fake_clock_); | |
495 if (!client1_.all_dtls_transports_writable() || | |
496 !client2_.all_dtls_transports_writable()) | |
497 return false; | |
498 | |
499 // Check that we used the right roles. | |
500 if (use_dtls_) { | |
501 rtc::SSLRole client1_ssl_role = | |
502 (client1_role == cricket::CONNECTIONROLE_ACTIVE || | |
503 (client2_role == cricket::CONNECTIONROLE_PASSIVE && | |
504 client1_role == cricket::CONNECTIONROLE_ACTPASS)) ? | |
505 rtc::SSL_CLIENT : rtc::SSL_SERVER; | |
506 | |
507 rtc::SSLRole client2_ssl_role = | |
508 (client2_role == cricket::CONNECTIONROLE_ACTIVE || | |
509 (client1_role == cricket::CONNECTIONROLE_PASSIVE && | |
510 client2_role == cricket::CONNECTIONROLE_ACTPASS)) ? | |
511 rtc::SSL_CLIENT : rtc::SSL_SERVER; | |
512 | |
513 client1_.CheckRole(client1_ssl_role); | |
514 client2_.CheckRole(client2_ssl_role); | |
515 } | |
516 | |
517 if (use_dtls_) { | |
518 // Check that we negotiated the right ciphers. Since GCM ciphers are not | |
519 // negotiated by default, we should end up with SRTP_AES128_CM_SHA1_32. | |
520 client1_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_32); | |
521 client2_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_32); | |
522 } else { | |
523 // If DTLS isn't actually being used, GetSrtpCryptoSuite should return | |
524 // false. | |
525 client1_.CheckSrtp(rtc::SRTP_INVALID_CRYPTO_SUITE); | |
526 client2_.CheckSrtp(rtc::SRTP_INVALID_CRYPTO_SUITE); | |
527 } | |
528 | |
529 client1_.CheckSsl(); | |
530 client2_.CheckSsl(); | |
531 | |
532 return true; | |
533 } | |
534 | |
535 bool Connect() { | |
536 // By default, Client1 will be Server and Client2 will be Client. | |
537 return Connect(cricket::CONNECTIONROLE_ACTPASS, | |
538 cricket::CONNECTIONROLE_ACTIVE); | |
539 } | |
540 | |
541 void Negotiate() { | |
542 Negotiate(cricket::CONNECTIONROLE_ACTPASS, cricket::CONNECTIONROLE_ACTIVE); | |
543 } | |
544 | |
545 void Negotiate(ConnectionRole client1_role, ConnectionRole client2_role) { | |
546 client1_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLING); | |
547 client2_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLED); | |
548 // Expect success from SLTD and SRTD. | |
549 client1_.Negotiate(&client2_, cricket::CA_OFFER, | |
550 client1_role, client2_role, 0); | |
551 client2_.Negotiate(&client1_, cricket::CA_ANSWER, | |
552 client2_role, client1_role, 0); | |
553 } | |
554 | |
555 // Negotiate with legacy client |client2|. Legacy client doesn't use setup | |
556 // attributes, except NONE. | |
557 void NegotiateWithLegacy() { | |
558 client1_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLING); | |
559 client2_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLED); | |
560 // Expect success from SLTD and SRTD. | |
561 client1_.Negotiate(&client2_, cricket::CA_OFFER, | |
562 cricket::CONNECTIONROLE_ACTPASS, | |
563 cricket::CONNECTIONROLE_NONE, 0); | |
564 client2_.Negotiate(&client1_, cricket::CA_ANSWER, | |
565 cricket::CONNECTIONROLE_ACTIVE, | |
566 cricket::CONNECTIONROLE_NONE, 0); | |
567 } | |
568 | |
569 void Renegotiate(DtlsTestClient* reoffer_initiator, | |
570 ConnectionRole client1_role, ConnectionRole client2_role, | |
571 int flags) { | |
572 if (reoffer_initiator == &client1_) { | |
573 client1_.Negotiate(&client2_, cricket::CA_OFFER, | |
574 client1_role, client2_role, flags); | |
575 client2_.Negotiate(&client1_, cricket::CA_ANSWER, | |
576 client2_role, client1_role, flags); | |
577 } else { | |
578 client2_.Negotiate(&client1_, cricket::CA_OFFER, | |
579 client2_role, client1_role, flags); | |
580 client1_.Negotiate(&client2_, cricket::CA_ANSWER, | |
581 client1_role, client2_role, flags); | |
582 } | |
583 } | |
584 | |
585 void TestTransfer(size_t transport, size_t size, size_t count, bool srtp) { | |
586 LOG(LS_INFO) << "Expect packets, size=" << size; | |
587 client2_.ExpectPackets(transport, size); | |
588 client1_.SendPackets(transport, size, count, srtp); | |
589 EXPECT_EQ_SIMULATED_WAIT(count, client2_.NumPacketsReceived(), kTimeout, | |
590 fake_clock_); | |
591 } | |
592 | |
593 protected: | |
594 rtc::ScopedFakeClock fake_clock_; | |
595 DtlsTestClient client1_; | |
596 DtlsTestClient client2_; | |
597 int channel_ct_; | |
598 bool use_dtls_; | |
599 rtc::SSLProtocolVersion ssl_expected_version_; | |
600 }; | |
601 | |
602 class DtlsTransportChannelTest : public DtlsTransportChannelTestBase, | |
603 public ::testing::Test {}; | |
604 | |
605 // Test that transport negotiation of ICE, no DTLS works properly. | |
606 TEST_F(DtlsTransportChannelTest, TestChannelSetupIce) { | |
607 Negotiate(); | |
608 cricket::FakeIceTransport* channel1 = client1_.GetFakeIceTransort(0); | |
609 cricket::FakeIceTransport* channel2 = client2_.GetFakeIceTransort(0); | |
610 ASSERT_TRUE(channel1 != NULL); | |
611 ASSERT_TRUE(channel2 != NULL); | |
612 EXPECT_EQ(cricket::ICEROLE_CONTROLLING, channel1->GetIceRole()); | |
613 EXPECT_EQ(1U, channel1->IceTiebreaker()); | |
614 EXPECT_EQ(kIceUfrag1, channel1->ice_ufrag()); | |
615 EXPECT_EQ(kIcePwd1, channel1->ice_pwd()); | |
616 EXPECT_EQ(cricket::ICEROLE_CONTROLLED, channel2->GetIceRole()); | |
617 EXPECT_EQ(2U, channel2->IceTiebreaker()); | |
618 } | |
619 | |
620 // Connect without DTLS, and transfer some data. | |
621 TEST_F(DtlsTransportChannelTest, TestTransfer) { | |
622 ASSERT_TRUE(Connect()); | |
623 TestTransfer(0, 1000, 100, false); | |
624 } | |
625 | |
626 // Connect without DTLS, and transfer some data. | |
627 TEST_F(DtlsTransportChannelTest, TestOnSentPacket) { | |
628 ASSERT_TRUE(Connect()); | |
629 EXPECT_EQ(client1_.sent_packet().send_time_ms, -1); | |
630 TestTransfer(0, 1000, 100, false); | |
631 EXPECT_EQ(kFakePacketId, client1_.sent_packet().packet_id); | |
632 EXPECT_GE(client1_.sent_packet().send_time_ms, 0); | |
633 } | |
634 | |
635 // Create two channels without DTLS, and transfer some data. | |
636 TEST_F(DtlsTransportChannelTest, TestTransferTwoChannels) { | |
637 SetChannelCount(2); | |
638 ASSERT_TRUE(Connect()); | |
639 TestTransfer(0, 1000, 100, false); | |
640 TestTransfer(1, 1000, 100, false); | |
641 } | |
642 | |
643 // Connect without DTLS, and transfer SRTP data. | |
644 TEST_F(DtlsTransportChannelTest, TestTransferSrtp) { | |
645 ASSERT_TRUE(Connect()); | |
646 TestTransfer(0, 1000, 100, true); | |
647 } | |
648 | |
649 // Create two channels without DTLS, and transfer SRTP data. | |
650 TEST_F(DtlsTransportChannelTest, TestTransferSrtpTwoChannels) { | |
651 SetChannelCount(2); | |
652 ASSERT_TRUE(Connect()); | |
653 TestTransfer(0, 1000, 100, true); | |
654 TestTransfer(1, 1000, 100, true); | |
655 } | |
656 | |
657 // Connect with DTLS, and transfer some data. | |
658 TEST_F(DtlsTransportChannelTest, TestTransferDtls) { | |
659 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
660 ASSERT_TRUE(Connect()); | |
661 TestTransfer(0, 1000, 100, false); | |
662 } | |
663 | |
664 // Create two channels with DTLS, and transfer some data. | |
665 TEST_F(DtlsTransportChannelTest, TestTransferDtlsTwoChannels) { | |
666 SetChannelCount(2); | |
667 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
668 ASSERT_TRUE(Connect()); | |
669 TestTransfer(0, 1000, 100, false); | |
670 TestTransfer(1, 1000, 100, false); | |
671 } | |
672 | |
673 // Connect with DTLS, combine multiple DTLS records into one packet. | |
674 // Our DTLS implementation doesn't do this, but other implementations may; | |
675 // see https://tools.ietf.org/html/rfc6347#section-4.1.1. | |
676 // This has caused interoperability problems with ORTCLib in the past. | |
677 TEST_F(DtlsTransportChannelTest, TestTransferDtlsCombineRecords) { | |
678 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
679 ASSERT_TRUE(Connect()); | |
680 // Our DTLS implementation always sends one record per packet, so to simulate | |
681 // an endpoint that sends multiple records per packet, we configure the fake | |
682 // ICE transport to combine every two consecutive packets into a single | |
683 // packet. | |
684 cricket::FakeIceTransport* transport = client1_.GetFakeIceTransort(0); | |
685 transport->combine_outgoing_packets(true); | |
686 TestTransfer(0, 500, 100, false); | |
687 } | |
688 | |
689 // Connect with A doing DTLS and B not, and transfer some data. | |
690 TEST_F(DtlsTransportChannelTest, TestTransferDtlsRejected) { | |
691 PrepareDtls(true, false, rtc::KT_DEFAULT); | |
692 ASSERT_TRUE(Connect()); | |
693 TestTransfer(0, 1000, 100, false); | |
694 } | |
695 | |
696 // Connect with B doing DTLS and A not, and transfer some data. | |
697 TEST_F(DtlsTransportChannelTest, TestTransferDtlsNotOffered) { | |
698 PrepareDtls(false, true, rtc::KT_DEFAULT); | |
699 ASSERT_TRUE(Connect()); | |
700 TestTransfer(0, 1000, 100, false); | |
701 } | |
702 | |
703 // Create two channels with DTLS 1.0 and check ciphers. | |
704 TEST_F(DtlsTransportChannelTest, TestDtls12None) { | |
705 SetChannelCount(2); | |
706 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
707 SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10); | |
708 ASSERT_TRUE(Connect()); | |
709 } | |
710 | |
711 // Create two channels with DTLS 1.2 and check ciphers. | |
712 TEST_F(DtlsTransportChannelTest, TestDtls12Both) { | |
713 SetChannelCount(2); | |
714 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
715 SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12); | |
716 ASSERT_TRUE(Connect()); | |
717 } | |
718 | |
719 // Create two channels with DTLS 1.0 / DTLS 1.2 and check ciphers. | |
720 TEST_F(DtlsTransportChannelTest, TestDtls12Client1) { | |
721 SetChannelCount(2); | |
722 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
723 SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_10); | |
724 ASSERT_TRUE(Connect()); | |
725 } | |
726 | |
727 // Create two channels with DTLS 1.2 / DTLS 1.0 and check ciphers. | |
728 TEST_F(DtlsTransportChannelTest, TestDtls12Client2) { | |
729 SetChannelCount(2); | |
730 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
731 SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_12); | |
732 ASSERT_TRUE(Connect()); | |
733 } | |
734 | |
735 // Connect with DTLS, negotiating DTLS-SRTP, and transfer SRTP using bypass. | |
736 TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtp) { | |
737 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
738 ASSERT_TRUE(Connect()); | |
739 TestTransfer(0, 1000, 100, true); | |
740 } | |
741 | |
742 // Connect with DTLS-SRTP, transfer an invalid SRTP packet, and expects -1 | |
743 // returned. | |
744 TEST_F(DtlsTransportChannelTest, TestTransferDtlsInvalidSrtpPacket) { | |
745 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
746 ASSERT_TRUE(Connect()); | |
747 int result = client1_.SendInvalidSrtpPacket(0, 100); | |
748 ASSERT_EQ(-1, result); | |
749 } | |
750 | |
751 // Connect with DTLS. A does DTLS-SRTP but B does not. | |
752 TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpRejected) { | |
753 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
754 ASSERT_TRUE(Connect()); | |
755 } | |
756 | |
757 // Connect with DTLS. B does DTLS-SRTP but A does not. | |
758 TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpNotOffered) { | |
759 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
760 ASSERT_TRUE(Connect()); | |
761 } | |
762 | |
763 // Create two channels with DTLS, negotiate DTLS-SRTP, and transfer bypass SRTP. | |
764 TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpTwoChannels) { | |
765 SetChannelCount(2); | |
766 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
767 ASSERT_TRUE(Connect()); | |
768 TestTransfer(0, 1000, 100, true); | |
769 TestTransfer(1, 1000, 100, true); | |
770 } | |
771 | |
772 // Create a single channel with DTLS, and send normal data and SRTP data on it. | |
773 TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpDemux) { | |
774 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
775 ASSERT_TRUE(Connect()); | |
776 TestTransfer(0, 1000, 100, false); | |
777 TestTransfer(0, 1000, 100, true); | |
778 } | |
779 | |
780 // Testing when the remote is passive. | |
781 TEST_F(DtlsTransportChannelTest, TestTransferDtlsAnswererIsPassive) { | |
782 SetChannelCount(2); | |
783 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
784 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS, | |
785 cricket::CONNECTIONROLE_PASSIVE)); | |
786 TestTransfer(0, 1000, 100, true); | |
787 TestTransfer(1, 1000, 100, true); | |
788 } | |
789 | |
790 // Testing with the legacy DTLS client which doesn't use setup attribute. | |
791 // In this case legacy is the answerer. | |
792 TEST_F(DtlsTransportChannelTest, TestDtlsSetupWithLegacyAsAnswerer) { | |
793 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
794 NegotiateWithLegacy(); | |
795 EXPECT_EQ(rtc::SSL_SERVER, *client1_.transport()->GetSslRole()); | |
796 EXPECT_EQ(rtc::SSL_CLIENT, *client2_.transport()->GetSslRole()); | |
797 } | |
798 | |
799 // Testing re offer/answer after the session is estbalished. Roles will be | |
800 // kept same as of the previous negotiation. | |
801 TEST_F(DtlsTransportChannelTest, TestDtlsReOfferFromOfferer) { | |
802 SetChannelCount(2); | |
803 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
804 // Initial role for client1 is ACTPASS and client2 is ACTIVE. | |
805 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS, | |
806 cricket::CONNECTIONROLE_ACTIVE)); | |
807 TestTransfer(0, 1000, 100, true); | |
808 TestTransfer(1, 1000, 100, true); | |
809 // Using input roles for the re-offer. | |
810 Renegotiate(&client1_, cricket::CONNECTIONROLE_ACTPASS, | |
811 cricket::CONNECTIONROLE_ACTIVE, NF_REOFFER); | |
812 TestTransfer(0, 1000, 100, true); | |
813 TestTransfer(1, 1000, 100, true); | |
814 } | |
815 | |
816 TEST_F(DtlsTransportChannelTest, TestDtlsReOfferFromAnswerer) { | |
817 SetChannelCount(2); | |
818 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
819 // Initial role for client1 is ACTPASS and client2 is ACTIVE. | |
820 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS, | |
821 cricket::CONNECTIONROLE_ACTIVE)); | |
822 TestTransfer(0, 1000, 100, true); | |
823 TestTransfer(1, 1000, 100, true); | |
824 // Using input roles for the re-offer. | |
825 Renegotiate(&client2_, cricket::CONNECTIONROLE_PASSIVE, | |
826 cricket::CONNECTIONROLE_ACTPASS, NF_REOFFER); | |
827 TestTransfer(0, 1000, 100, true); | |
828 TestTransfer(1, 1000, 100, true); | |
829 } | |
830 | |
831 // Test that any change in role after the intial setup will result in failure. | |
832 TEST_F(DtlsTransportChannelTest, TestDtlsRoleReversal) { | |
833 SetChannelCount(2); | |
834 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
835 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS, | |
836 cricket::CONNECTIONROLE_PASSIVE)); | |
837 | |
838 // Renegotiate from client2 with actpass and client1 as active. | |
839 Renegotiate(&client2_, cricket::CONNECTIONROLE_ACTPASS, | |
840 cricket::CONNECTIONROLE_ACTIVE, | |
841 NF_REOFFER | NF_EXPECT_FAILURE); | |
842 } | |
843 | |
844 // Test that using different setup attributes which results in similar ssl | |
845 // role as the initial negotiation will result in success. | |
846 TEST_F(DtlsTransportChannelTest, TestDtlsReOfferWithDifferentSetupAttr) { | |
847 SetChannelCount(2); | |
848 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
849 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS, | |
850 cricket::CONNECTIONROLE_PASSIVE)); | |
851 // Renegotiate from client2 with actpass and client1 as active. | |
852 Renegotiate(&client2_, cricket::CONNECTIONROLE_ACTIVE, | |
853 cricket::CONNECTIONROLE_ACTPASS, NF_REOFFER); | |
854 TestTransfer(0, 1000, 100, true); | |
855 TestTransfer(1, 1000, 100, true); | |
856 } | |
857 | |
858 // Test that re-negotiation can be started before the clients become connected | |
859 // in the first negotiation. | |
860 TEST_F(DtlsTransportChannelTest, TestRenegotiateBeforeConnect) { | |
861 SetChannelCount(2); | |
862 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
863 Negotiate(); | |
864 | |
865 Renegotiate(&client1_, cricket::CONNECTIONROLE_ACTPASS, | |
866 cricket::CONNECTIONROLE_ACTIVE, NF_REOFFER); | |
867 bool rv = client1_.Connect(&client2_, false); | |
868 EXPECT_TRUE(rv); | |
869 EXPECT_TRUE_SIMULATED_WAIT(client1_.all_dtls_transports_writable() && | |
870 client2_.all_dtls_transports_writable(), | |
871 kTimeout, fake_clock_); | |
872 | |
873 TestTransfer(0, 1000, 100, true); | |
874 TestTransfer(1, 1000, 100, true); | |
875 } | |
876 | |
877 // Test Certificates state after negotiation but before connection. | |
878 TEST_F(DtlsTransportChannelTest, TestCertificatesBeforeConnect) { | |
879 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
880 Negotiate(); | |
881 | |
882 rtc::scoped_refptr<rtc::RTCCertificate> certificate1; | |
883 rtc::scoped_refptr<rtc::RTCCertificate> certificate2; | |
884 std::unique_ptr<rtc::SSLCertificate> remote_cert1; | |
885 std::unique_ptr<rtc::SSLCertificate> remote_cert2; | |
886 | |
887 // After negotiation, each side has a distinct local certificate, but still no | |
888 // remote certificate, because connection has not yet occurred. | |
889 ASSERT_TRUE(client1_.transport()->GetLocalCertificate(&certificate1)); | |
890 ASSERT_TRUE(client2_.transport()->GetLocalCertificate(&certificate2)); | |
891 ASSERT_NE(certificate1->ssl_certificate().ToPEMString(), | |
892 certificate2->ssl_certificate().ToPEMString()); | |
893 ASSERT_FALSE(client1_.GetDtlsTransport(0)->GetRemoteSSLCertificate()); | |
894 ASSERT_FALSE(client2_.GetDtlsTransport(0)->GetRemoteSSLCertificate()); | |
895 } | |
896 | |
897 // Test Certificates state after connection. | |
898 TEST_F(DtlsTransportChannelTest, TestCertificatesAfterConnect) { | |
899 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
900 ASSERT_TRUE(Connect()); | |
901 | |
902 rtc::scoped_refptr<rtc::RTCCertificate> certificate1; | |
903 rtc::scoped_refptr<rtc::RTCCertificate> certificate2; | |
904 | |
905 // After connection, each side has a distinct local certificate. | |
906 ASSERT_TRUE(client1_.transport()->GetLocalCertificate(&certificate1)); | |
907 ASSERT_TRUE(client2_.transport()->GetLocalCertificate(&certificate2)); | |
908 ASSERT_NE(certificate1->ssl_certificate().ToPEMString(), | |
909 certificate2->ssl_certificate().ToPEMString()); | |
910 | |
911 // Each side's remote certificate is the other side's local certificate. | |
912 std::unique_ptr<rtc::SSLCertificate> remote_cert1 = | |
913 client1_.GetDtlsTransport(0)->GetRemoteSSLCertificate(); | |
914 ASSERT_TRUE(remote_cert1); | |
915 ASSERT_EQ(remote_cert1->ToPEMString(), | |
916 certificate2->ssl_certificate().ToPEMString()); | |
917 std::unique_ptr<rtc::SSLCertificate> remote_cert2 = | |
918 client2_.GetDtlsTransport(0)->GetRemoteSSLCertificate(); | |
919 ASSERT_TRUE(remote_cert2); | |
920 ASSERT_EQ(remote_cert2->ToPEMString(), | |
921 certificate1->ssl_certificate().ToPEMString()); | |
922 } | |
923 | |
924 // Test that packets are retransmitted according to the expected schedule. | |
925 // Each time a timeout occurs, the retransmission timer should be doubled up to | |
926 // 60 seconds. The timer defaults to 1 second, but for WebRTC we should be | |
927 // initializing it to 50ms. | |
928 TEST_F(DtlsTransportChannelTest, TestRetransmissionSchedule) { | |
929 // We can only change the retransmission schedule with a recently-added | |
930 // BoringSSL API. Skip the test if not built with BoringSSL. | |
931 MAYBE_SKIP_TEST(IsBoringSsl); | |
932 | |
933 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
934 // Exchange transport descriptions. | |
935 Negotiate(cricket::CONNECTIONROLE_ACTPASS, cricket::CONNECTIONROLE_ACTIVE); | |
936 | |
937 // Make client2_ writable, but not client1_. | |
938 // This means client1_ will send DTLS client hellos but get no response. | |
939 EXPECT_TRUE(client2_.Connect(&client1_, true)); | |
940 EXPECT_TRUE_SIMULATED_WAIT(client2_.all_ice_transports_writable(), kTimeout, | |
941 fake_clock_); | |
942 | |
943 // Wait for the first client hello to be sent. | |
944 EXPECT_EQ_WAIT(1, client1_.received_dtls_client_hellos(), kTimeout); | |
945 EXPECT_FALSE(client1_.all_ice_transports_writable()); | |
946 | |
947 static int timeout_schedule_ms[] = {50, 100, 200, 400, 800, 1600, | |
948 3200, 6400, 12800, 25600, 51200, 60000}; | |
949 | |
950 int expected_hellos = 1; | |
951 for (size_t i = 0; | |
952 i < (sizeof(timeout_schedule_ms) / sizeof(timeout_schedule_ms[0])); | |
953 ++i) { | |
954 // For each expected retransmission time, advance the fake clock a | |
955 // millisecond before the expected time and verify that no unexpected | |
956 // retransmissions were sent. Then advance it the final millisecond and | |
957 // verify that the expected retransmission was sent. | |
958 fake_clock_.AdvanceTime( | |
959 rtc::TimeDelta::FromMilliseconds(timeout_schedule_ms[i] - 1)); | |
960 EXPECT_EQ(expected_hellos, client1_.received_dtls_client_hellos()); | |
961 fake_clock_.AdvanceTime(rtc::TimeDelta::FromMilliseconds(1)); | |
962 EXPECT_EQ(++expected_hellos, client1_.received_dtls_client_hellos()); | |
963 } | |
964 } | |
965 | |
966 // Test that a DTLS connection can be made even if the underlying transport | |
967 // is connected before DTLS fingerprints/roles have been negotiated. | |
968 TEST_F(DtlsTransportChannelTest, TestConnectBeforeNegotiate) { | |
969 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
970 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS, | |
971 cricket::CONNECTIONROLE_ACTIVE, | |
972 CONNECT_BEFORE_NEGOTIATE)); | |
973 TestTransfer(0, 1000, 100, false); | |
974 } | |
975 | |
976 // The following events can occur in many different orders: | |
977 // 1. Caller receives remote fingerprint. | |
978 // 2. Caller is writable. | |
979 // 3. Caller receives ClientHello. | |
980 // 4. DTLS handshake finishes. | |
981 // | |
982 // The tests below cover all causally consistent permutations of these events; | |
983 // the caller must be writable and receive a ClientHello before the handshake | |
984 // finishes, but otherwise any ordering is possible. | |
985 // | |
986 // For each permutation, the test verifies that a connection is established and | |
987 // fingerprint verified without any DTLS packet needing to be retransmitted. | |
988 // | |
989 // Each permutation is also tested with valid and invalid fingerprints, | |
990 // ensuring that the handshake fails with an invalid fingerprint. | |
991 enum DtlsTransportEvent { | |
992 CALLER_RECEIVES_FINGERPRINT, | |
993 CALLER_WRITABLE, | |
994 CALLER_RECEIVES_CLIENTHELLO, | |
995 HANDSHAKE_FINISHES | |
996 }; | |
997 | |
998 class DtlsEventOrderingTest | |
999 : public DtlsTransportChannelTestBase, | |
1000 public ::testing::TestWithParam< | |
1001 ::testing::tuple<std::vector<DtlsTransportEvent>, bool>> { | |
1002 protected: | |
1003 // If |valid_fingerprint| is false, the caller will receive a fingerprint | |
1004 // that doesn't match the callee's certificate, so the handshake should fail. | |
1005 void TestEventOrdering(const std::vector<DtlsTransportEvent>& events, | |
1006 bool valid_fingerprint) { | |
1007 // Pre-setup: Set local certificate on both caller and callee, and | |
1008 // remote fingerprint on callee, but neither is writable and the caller | |
1009 // doesn't have the callee's fingerprint. | |
1010 PrepareDtls(true, true, rtc::KT_DEFAULT); | |
1011 // Simulate packets being sent and arriving asynchronously. | |
1012 // Otherwise the entire DTLS handshake would occur in one clock tick, and | |
1013 // we couldn't inject method calls in the middle of it. | |
1014 int simulated_delay_ms = 10; | |
1015 client1_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLING, | |
1016 simulated_delay_ms); | |
1017 client2_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLED, | |
1018 simulated_delay_ms); | |
1019 client1_.SetLocalTransportDescription(client1_.certificate(), | |
1020 cricket::CA_OFFER, | |
1021 cricket::CONNECTIONROLE_ACTPASS, 0); | |
1022 client2_.Negotiate(&client1_, cricket::CA_ANSWER, | |
1023 cricket::CONNECTIONROLE_ACTIVE, | |
1024 cricket::CONNECTIONROLE_ACTPASS, 0); | |
1025 | |
1026 for (DtlsTransportEvent e : events) { | |
1027 switch (e) { | |
1028 case CALLER_RECEIVES_FINGERPRINT: | |
1029 if (valid_fingerprint) { | |
1030 client1_.SetRemoteTransportDescription( | |
1031 client2_.certificate(), cricket::CA_ANSWER, | |
1032 cricket::CONNECTIONROLE_ACTIVE, 0); | |
1033 } else { | |
1034 // Create a fingerprint with a correct algorithm but an invalid | |
1035 // digest. | |
1036 cricket::TransportDescription remote_desc = | |
1037 MakeTransportDescription(client2_.certificate(), | |
1038 cricket::CONNECTIONROLE_ACTIVE); | |
1039 ++(remote_desc.identity_fingerprint->digest[0]); | |
1040 // Even if certificate verification fails inside this method, | |
1041 // it should return true as long as the fingerprint was formatted | |
1042 // correctly. | |
1043 EXPECT_TRUE(client1_.transport()->SetRemoteTransportDescription( | |
1044 remote_desc, cricket::CA_ANSWER, nullptr)); | |
1045 } | |
1046 break; | |
1047 case CALLER_WRITABLE: | |
1048 EXPECT_TRUE(client1_.Connect(&client2_, true)); | |
1049 EXPECT_TRUE_SIMULATED_WAIT(client1_.all_ice_transports_writable(), | |
1050 kTimeout, fake_clock_); | |
1051 break; | |
1052 case CALLER_RECEIVES_CLIENTHELLO: | |
1053 // Sanity check that a ClientHello hasn't already been received. | |
1054 EXPECT_EQ(0, client1_.received_dtls_client_hellos()); | |
1055 // Making client2_ writable will cause it to send the ClientHello. | |
1056 EXPECT_TRUE(client2_.Connect(&client1_, true)); | |
1057 EXPECT_TRUE_SIMULATED_WAIT(client2_.all_ice_transports_writable(), | |
1058 kTimeout, fake_clock_); | |
1059 EXPECT_EQ_SIMULATED_WAIT(1, client1_.received_dtls_client_hellos(), | |
1060 kTimeout, fake_clock_); | |
1061 break; | |
1062 case HANDSHAKE_FINISHES: | |
1063 // Sanity check that the handshake hasn't already finished. | |
1064 EXPECT_FALSE(client1_.GetDtlsTransport(0)->IsDtlsConnected() || | |
1065 client1_.GetDtlsTransport(0)->dtls_state() == | |
1066 cricket::DTLS_TRANSPORT_FAILED); | |
1067 EXPECT_TRUE_SIMULATED_WAIT( | |
1068 client1_.GetDtlsTransport(0)->IsDtlsConnected() || | |
1069 client1_.GetDtlsTransport(0)->dtls_state() == | |
1070 cricket::DTLS_TRANSPORT_FAILED, | |
1071 kTimeout, fake_clock_); | |
1072 break; | |
1073 } | |
1074 } | |
1075 | |
1076 cricket::DtlsTransportState expected_final_state = | |
1077 valid_fingerprint ? cricket::DTLS_TRANSPORT_CONNECTED | |
1078 : cricket::DTLS_TRANSPORT_FAILED; | |
1079 EXPECT_EQ_SIMULATED_WAIT(expected_final_state, | |
1080 client1_.GetDtlsTransport(0)->dtls_state(), | |
1081 kTimeout, fake_clock_); | |
1082 EXPECT_EQ_SIMULATED_WAIT(expected_final_state, | |
1083 client2_.GetDtlsTransport(0)->dtls_state(), | |
1084 kTimeout, fake_clock_); | |
1085 | |
1086 // Channel should be writable iff there was a valid fingerprint. | |
1087 EXPECT_EQ(valid_fingerprint, client1_.GetDtlsTransport(0)->writable()); | |
1088 EXPECT_EQ(valid_fingerprint, client2_.GetDtlsTransport(0)->writable()); | |
1089 | |
1090 // Check that no hello needed to be retransmitted. | |
1091 EXPECT_EQ(1, client1_.received_dtls_client_hellos()); | |
1092 EXPECT_EQ(1, client2_.received_dtls_server_hellos()); | |
1093 | |
1094 if (valid_fingerprint) { | |
1095 TestTransfer(0, 1000, 100, false); | |
1096 } | |
1097 } | |
1098 }; | |
1099 | |
1100 TEST_P(DtlsEventOrderingTest, TestEventOrdering) { | |
1101 TestEventOrdering(::testing::get<0>(GetParam()), | |
1102 ::testing::get<1>(GetParam())); | |
1103 } | |
1104 | |
1105 INSTANTIATE_TEST_CASE_P( | |
1106 TestEventOrdering, | |
1107 DtlsEventOrderingTest, | |
1108 ::testing::Combine( | |
1109 ::testing::Values( | |
1110 std::vector<DtlsTransportEvent>{ | |
1111 CALLER_RECEIVES_FINGERPRINT, CALLER_WRITABLE, | |
1112 CALLER_RECEIVES_CLIENTHELLO, HANDSHAKE_FINISHES}, | |
1113 std::vector<DtlsTransportEvent>{ | |
1114 CALLER_WRITABLE, CALLER_RECEIVES_FINGERPRINT, | |
1115 CALLER_RECEIVES_CLIENTHELLO, HANDSHAKE_FINISHES}, | |
1116 std::vector<DtlsTransportEvent>{ | |
1117 CALLER_WRITABLE, CALLER_RECEIVES_CLIENTHELLO, | |
1118 CALLER_RECEIVES_FINGERPRINT, HANDSHAKE_FINISHES}, | |
1119 std::vector<DtlsTransportEvent>{ | |
1120 CALLER_WRITABLE, CALLER_RECEIVES_CLIENTHELLO, | |
1121 HANDSHAKE_FINISHES, CALLER_RECEIVES_FINGERPRINT}, | |
1122 std::vector<DtlsTransportEvent>{ | |
1123 CALLER_RECEIVES_FINGERPRINT, CALLER_RECEIVES_CLIENTHELLO, | |
1124 CALLER_WRITABLE, HANDSHAKE_FINISHES}, | |
1125 std::vector<DtlsTransportEvent>{ | |
1126 CALLER_RECEIVES_CLIENTHELLO, CALLER_RECEIVES_FINGERPRINT, | |
1127 CALLER_WRITABLE, HANDSHAKE_FINISHES}, | |
1128 std::vector<DtlsTransportEvent>{ | |
1129 CALLER_RECEIVES_CLIENTHELLO, CALLER_WRITABLE, | |
1130 CALLER_RECEIVES_FINGERPRINT, HANDSHAKE_FINISHES}, | |
1131 std::vector<DtlsTransportEvent>{CALLER_RECEIVES_CLIENTHELLO, | |
1132 CALLER_WRITABLE, HANDSHAKE_FINISHES, | |
1133 CALLER_RECEIVES_FINGERPRINT}), | |
1134 ::testing::Bool())); | |
OLD | NEW |