3 * Copyright 2011, Google Inc.
4 * Copyright 2011, RTFM, Inc.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
9 * 1. Redistributions of source code must retain the above copyright notice,
10 * this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright notice,
12 * this list of conditions and the following disclaimer in the documentation
13 * and/or other materials provided with the distribution.
14 * 3. The name of the author may not be used to endorse or promote products
15 * derived from this software without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
20 * EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
21 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
22 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
23 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
24 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
26 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 #include "talk/p2p/base/dtlstransport.h"
32 #include "talk/p2p/base/fakesession.h"
33 #include "webrtc/base/common.h"
34 #include "webrtc/base/dscp.h"
35 #include "webrtc/base/gunit.h"
36 #include "webrtc/base/helpers.h"
37 #include "webrtc/base/scoped_ptr.h"
38 #include "webrtc/base/ssladapter.h"
39 #include "webrtc/base/sslidentity.h"
40 #include "webrtc/base/sslstreamadapter.h"
41 #include "webrtc/base/stringutils.h"
42 #include "webrtc/base/thread.h"
44 #define MAYBE_SKIP_TEST(feature) \
45 if (!(rtc::SSLStreamAdapter::feature())) { \
46 LOG(LS_INFO) << "Feature disabled... skipping"; \
50 static const char AES_CM_128_HMAC_SHA1_80[] = "AES_CM_128_HMAC_SHA1_80";
51 static const char kIceUfrag1[] = "TESTICEUFRAG0001";
52 static const char kIcePwd1[] = "TESTICEPWD00000000000001";
53 static const size_t kPacketNumOffset = 8;
54 static const size_t kPacketHeaderLen = 12;
56 static bool IsRtpLeadByte(uint8 b) {
57 return ((b & 0xC0) == 0x80);
60 using cricket::ConnectionRole;
62 enum Flags { NF_REOFFER = 0x1, NF_EXPECT_FAILURE = 0x2 };
64 class DtlsTestClient : public sigslot::has_slots<> {
66 DtlsTestClient(const std::string& name,
67 rtc::Thread* signaling_thread,
68 rtc::Thread* worker_thread) :
70 signaling_thread_(signaling_thread),
71 worker_thread_(worker_thread),
72 protocol_(cricket::ICEPROTO_GOOGLE),
74 use_dtls_srtp_(false),
75 negotiated_dtls_(false),
76 received_dtls_client_hello_(false),
77 received_dtls_server_hello_(false) {
79 void SetIceProtocol(cricket::TransportProtocol proto) {
82 void CreateIdentity() {
83 identity_.reset(rtc::SSLIdentity::Generate(name_));
85 rtc::SSLIdentity* identity() { return identity_.get(); }
87 ASSERT(identity_.get() != NULL);
88 use_dtls_srtp_ = true;
90 void SetupChannels(int count, cricket::IceRole role) {
91 transport_.reset(new cricket::DtlsTransport<cricket::FakeTransport>(
92 signaling_thread_, worker_thread_, "dtls content name", NULL,
94 transport_->SetAsync(true);
95 transport_->SetIceRole(role);
96 transport_->SetIceTiebreaker(
97 (role == cricket::ICEROLE_CONTROLLING) ? 1 : 2);
98 transport_->SignalWritableState.connect(this,
99 &DtlsTestClient::OnTransportWritableState);
101 for (int i = 0; i < count; ++i) {
102 cricket::DtlsTransportChannelWrapper* channel =
103 static_cast<cricket::DtlsTransportChannelWrapper*>(
104 transport_->CreateChannel(i));
105 ASSERT_TRUE(channel != NULL);
106 channel->SignalWritableState.connect(this,
107 &DtlsTestClient::OnTransportChannelWritableState);
108 channel->SignalReadPacket.connect(this,
109 &DtlsTestClient::OnTransportChannelReadPacket);
110 channels_.push_back(channel);
112 // Hook the raw packets so that we can verify they are encrypted.
113 channel->channel()->SignalReadPacket.connect(
114 this, &DtlsTestClient::OnFakeTransportChannelReadPacket);
118 cricket::Transport* transport() { return transport_.get(); }
120 cricket::FakeTransportChannel* GetFakeChannel(int component) {
121 cricket::TransportChannelImpl* ch = transport_->GetChannel(component);
122 cricket::DtlsTransportChannelWrapper* wrapper =
123 static_cast<cricket::DtlsTransportChannelWrapper*>(ch);
125 static_cast<cricket::FakeTransportChannel*>(wrapper->channel()) : NULL;
128 // Offer DTLS if we have an identity; pass in a remote fingerprint only if
129 // both sides support DTLS.
130 void Negotiate(DtlsTestClient* peer, cricket::ContentAction action,
131 ConnectionRole local_role, ConnectionRole remote_role,
133 Negotiate(identity_.get(), (identity_) ? peer->identity_.get() : NULL,
134 action, local_role, remote_role, flags);
137 // Allow any DTLS configuration to be specified (including invalid ones).
138 void Negotiate(rtc::SSLIdentity* local_identity,
139 rtc::SSLIdentity* remote_identity,
140 cricket::ContentAction action,
141 ConnectionRole local_role,
142 ConnectionRole remote_role,
144 rtc::scoped_ptr<rtc::SSLFingerprint> local_fingerprint;
145 rtc::scoped_ptr<rtc::SSLFingerprint> remote_fingerprint;
146 if (local_identity) {
147 local_fingerprint.reset(rtc::SSLFingerprint::Create(
148 rtc::DIGEST_SHA_1, local_identity));
149 ASSERT_TRUE(local_fingerprint.get() != NULL);
151 if (remote_identity) {
152 remote_fingerprint.reset(rtc::SSLFingerprint::Create(
153 rtc::DIGEST_SHA_1, remote_identity));
154 ASSERT_TRUE(remote_fingerprint.get() != NULL);
157 if (use_dtls_srtp_ && !(flags & NF_REOFFER)) {
158 // SRTP ciphers will be set only in the beginning.
159 for (std::vector<cricket::DtlsTransportChannelWrapper*>::iterator it =
160 channels_.begin(); it != channels_.end(); ++it) {
161 std::vector<std::string> ciphers;
162 ciphers.push_back(AES_CM_128_HMAC_SHA1_80);
163 ASSERT_TRUE((*it)->SetSrtpCiphers(ciphers));
167 std::string transport_type = (protocol_ == cricket::ICEPROTO_GOOGLE) ?
168 cricket::NS_GINGLE_P2P : cricket::NS_JINGLE_ICE_UDP;
169 cricket::TransportDescription local_desc(
170 transport_type, std::vector<std::string>(), kIceUfrag1, kIcePwd1,
171 cricket::ICEMODE_FULL, local_role,
172 // If remote if the offerer and has no DTLS support, answer will be
173 // without any fingerprint.
174 (action == cricket::CA_ANSWER && !remote_identity) ?
175 NULL : local_fingerprint.get(),
176 cricket::Candidates());
178 cricket::TransportDescription remote_desc(
179 transport_type, std::vector<std::string>(), kIceUfrag1, kIcePwd1,
180 cricket::ICEMODE_FULL, remote_role, remote_fingerprint.get(),
181 cricket::Candidates());
183 bool expect_success = (flags & NF_EXPECT_FAILURE) ? false : true;
184 // If |expect_success| is false, expect SRTD or SLTD to fail when
185 // content action is CA_ANSWER.
186 if (action == cricket::CA_OFFER) {
187 ASSERT_TRUE(transport_->SetLocalTransportDescription(
188 local_desc, cricket::CA_OFFER, NULL));
189 ASSERT_EQ(expect_success, transport_->SetRemoteTransportDescription(
190 remote_desc, cricket::CA_ANSWER, NULL));
192 ASSERT_TRUE(transport_->SetRemoteTransportDescription(
193 remote_desc, cricket::CA_OFFER, NULL));
194 ASSERT_EQ(expect_success, transport_->SetLocalTransportDescription(
195 local_desc, cricket::CA_ANSWER, NULL));
197 negotiated_dtls_ = (local_identity && remote_identity);
200 bool Connect(DtlsTestClient* peer) {
201 transport_->ConnectChannels();
202 transport_->SetDestination(peer->transport_.get());
206 bool writable() const { return transport_->writable(); }
208 void CheckRole(rtc::SSLRole role) {
209 if (role == rtc::SSL_CLIENT) {
210 ASSERT_FALSE(received_dtls_client_hello_);
211 ASSERT_TRUE(received_dtls_server_hello_);
213 ASSERT_TRUE(received_dtls_client_hello_);
214 ASSERT_FALSE(received_dtls_server_hello_);
218 void CheckSrtp(const std::string& expected_cipher) {
219 for (std::vector<cricket::DtlsTransportChannelWrapper*>::iterator it =
220 channels_.begin(); it != channels_.end(); ++it) {
223 bool rv = (*it)->GetSrtpCipher(&cipher);
224 if (negotiated_dtls_ && !expected_cipher.empty()) {
227 ASSERT_EQ(cipher, expected_cipher);
234 void SendPackets(size_t channel, size_t size, size_t count, bool srtp) {
235 ASSERT(channel < channels_.size());
236 rtc::scoped_ptr<char[]> packet(new char[size]);
239 // Fill the packet with a known value and a sequence number to check
240 // against, and make sure that it doesn't look like DTLS.
241 memset(packet.get(), sent & 0xff, size);
242 packet[0] = (srtp) ? 0x80 : 0x00;
243 rtc::SetBE32(packet.get() + kPacketNumOffset,
244 static_cast<uint32>(sent));
246 // Only set the bypass flag if we've activated DTLS.
247 int flags = (identity_.get() && srtp) ? cricket::PF_SRTP_BYPASS : 0;
248 rtc::PacketOptions packet_options;
249 int rv = channels_[channel]->SendPacket(
250 packet.get(), size, packet_options, flags);
252 ASSERT_EQ(size, static_cast<size_t>(rv));
254 } while (sent < count);
257 int SendInvalidSrtpPacket(size_t channel, size_t size) {
258 ASSERT(channel < channels_.size());
259 rtc::scoped_ptr<char[]> packet(new char[size]);
260 // Fill the packet with 0 to form an invalid SRTP packet.
261 memset(packet.get(), 0, size);
263 rtc::PacketOptions packet_options;
264 return channels_[channel]->SendPacket(
265 packet.get(), size, packet_options, cricket::PF_SRTP_BYPASS);
268 void ExpectPackets(size_t channel, size_t size) {
273 size_t NumPacketsReceived() {
274 return received_.size();
277 bool VerifyPacket(const char* data, size_t size, uint32* out_num) {
278 if (size != packet_size_ ||
279 (data[0] != 0 && static_cast<uint8>(data[0]) != 0x80)) {
282 uint32 packet_num = rtc::GetBE32(data + kPacketNumOffset);
283 for (size_t i = kPacketHeaderLen; i < size; ++i) {
284 if (static_cast<uint8>(data[i]) != (packet_num & 0xff)) {
289 *out_num = packet_num;
293 bool VerifyEncryptedPacket(const char* data, size_t size) {
294 // This is an encrypted data packet; let's make sure it's mostly random;
295 // less than 10% of the bytes should be equal to the cleartext packet.
296 if (size <= packet_size_) {
299 uint32 packet_num = rtc::GetBE32(data + kPacketNumOffset);
301 for (size_t i = kPacketNumOffset; i < size; ++i) {
302 if (static_cast<uint8>(data[i]) == (packet_num & 0xff)) {
306 return (num_matches < ((static_cast<int>(size) - 5) / 10));
309 // Transport callbacks
310 void OnTransportWritableState(cricket::Transport* transport) {
311 LOG(LS_INFO) << name_ << ": is writable";
314 // Transport channel callbacks
315 void OnTransportChannelWritableState(cricket::TransportChannel* channel) {
316 LOG(LS_INFO) << name_ << ": Channel '" << channel->component()
320 void OnTransportChannelReadPacket(cricket::TransportChannel* channel,
321 const char* data, size_t size,
322 const rtc::PacketTime& packet_time,
324 uint32 packet_num = 0;
325 ASSERT_TRUE(VerifyPacket(data, size, &packet_num));
326 received_.insert(packet_num);
327 // Only DTLS-SRTP packets should have the bypass flag set.
328 int expected_flags = (identity_.get() && IsRtpLeadByte(data[0])) ?
329 cricket::PF_SRTP_BYPASS : 0;
330 ASSERT_EQ(expected_flags, flags);
333 // Hook into the raw packet stream to make sure DTLS packets are encrypted.
334 void OnFakeTransportChannelReadPacket(cricket::TransportChannel* channel,
335 const char* data, size_t size,
336 const rtc::PacketTime& time,
338 // Flags shouldn't be set on the underlying TransportChannel packets.
341 // Look at the handshake packets to see what role we played.
342 // Check that non-handshake packets are DTLS data or SRTP bypass.
343 if (negotiated_dtls_) {
344 if (data[0] == 22 && size > 17) {
346 received_dtls_client_hello_ = true;
347 } else if (data[13] == 2) {
348 received_dtls_server_hello_ = true;
350 } else if (!(data[0] >= 20 && data[0] <= 22)) {
351 ASSERT_TRUE(data[0] == 23 || IsRtpLeadByte(data[0]));
353 ASSERT_TRUE(VerifyEncryptedPacket(data, size));
354 } else if (IsRtpLeadByte(data[0])) {
355 ASSERT_TRUE(VerifyPacket(data, size, NULL));
363 rtc::Thread* signaling_thread_;
364 rtc::Thread* worker_thread_;
365 cricket::TransportProtocol protocol_;
366 rtc::scoped_ptr<rtc::SSLIdentity> identity_;
367 rtc::scoped_ptr<cricket::FakeTransport> transport_;
368 std::vector<cricket::DtlsTransportChannelWrapper*> channels_;
370 std::set<int> received_;
372 bool negotiated_dtls_;
373 bool received_dtls_client_hello_;
374 bool received_dtls_server_hello_;
378 class DtlsTransportChannelTest : public testing::Test {
380 static void SetUpTestCase() {
381 rtc::InitializeSSL();
384 static void TearDownTestCase() {
388 DtlsTransportChannelTest() :
389 client1_("P1", rtc::Thread::Current(),
390 rtc::Thread::Current()),
391 client2_("P2", rtc::Thread::Current(),
392 rtc::Thread::Current()),
395 use_dtls_srtp_(false) {
398 void SetChannelCount(size_t channel_ct) {
399 channel_ct_ = static_cast<int>(channel_ct);
401 void PrepareDtls(bool c1, bool c2) {
403 client1_.CreateIdentity();
406 client2_.CreateIdentity();
411 void PrepareDtlsSrtp(bool c1, bool c2) {
416 client1_.SetupSrtp();
418 client2_.SetupSrtp();
421 use_dtls_srtp_ = true;
424 bool Connect(ConnectionRole client1_role, ConnectionRole client2_role) {
425 Negotiate(client1_role, client2_role);
427 bool rv = client1_.Connect(&client2_);
432 EXPECT_TRUE_WAIT(client1_.writable() && client2_.writable(), 10000);
433 if (!client1_.writable() || !client2_.writable())
436 // Check that we used the right roles.
438 rtc::SSLRole client1_ssl_role =
439 (client1_role == cricket::CONNECTIONROLE_ACTIVE ||
440 (client2_role == cricket::CONNECTIONROLE_PASSIVE &&
441 client1_role == cricket::CONNECTIONROLE_ACTPASS)) ?
442 rtc::SSL_CLIENT : rtc::SSL_SERVER;
444 rtc::SSLRole client2_ssl_role =
445 (client2_role == cricket::CONNECTIONROLE_ACTIVE ||
446 (client1_role == cricket::CONNECTIONROLE_PASSIVE &&
447 client2_role == cricket::CONNECTIONROLE_ACTPASS)) ?
448 rtc::SSL_CLIENT : rtc::SSL_SERVER;
450 client1_.CheckRole(client1_ssl_role);
451 client2_.CheckRole(client2_ssl_role);
454 // Check that we negotiated the right ciphers.
455 if (use_dtls_srtp_) {
456 client1_.CheckSrtp(AES_CM_128_HMAC_SHA1_80);
457 client2_.CheckSrtp(AES_CM_128_HMAC_SHA1_80);
459 client1_.CheckSrtp("");
460 client2_.CheckSrtp("");
467 // By default, Client1 will be Server and Client2 will be Client.
468 return Connect(cricket::CONNECTIONROLE_ACTPASS,
469 cricket::CONNECTIONROLE_ACTIVE);
473 Negotiate(cricket::CONNECTIONROLE_ACTPASS, cricket::CONNECTIONROLE_ACTIVE);
476 void Negotiate(ConnectionRole client1_role, ConnectionRole client2_role) {
477 client1_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLING);
478 client2_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLED);
479 // Expect success from SLTD and SRTD.
480 client1_.Negotiate(&client2_, cricket::CA_OFFER,
481 client1_role, client2_role, 0);
482 client2_.Negotiate(&client1_, cricket::CA_ANSWER,
483 client2_role, client1_role, 0);
486 // Negotiate with legacy client |client2|. Legacy client doesn't use setup
487 // attributes, except NONE.
488 void NegotiateWithLegacy() {
489 client1_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLING);
490 client2_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLED);
491 // Expect success from SLTD and SRTD.
492 client1_.Negotiate(&client2_, cricket::CA_OFFER,
493 cricket::CONNECTIONROLE_ACTPASS,
494 cricket::CONNECTIONROLE_NONE, 0);
495 client2_.Negotiate(&client1_, cricket::CA_ANSWER,
496 cricket::CONNECTIONROLE_ACTIVE,
497 cricket::CONNECTIONROLE_NONE, 0);
500 void Renegotiate(DtlsTestClient* reoffer_initiator,
501 ConnectionRole client1_role, ConnectionRole client2_role,
503 if (reoffer_initiator == &client1_) {
504 client1_.Negotiate(&client2_, cricket::CA_OFFER,
505 client1_role, client2_role, flags);
506 client2_.Negotiate(&client1_, cricket::CA_ANSWER,
507 client2_role, client1_role, flags);
509 client2_.Negotiate(&client1_, cricket::CA_OFFER,
510 client2_role, client1_role, flags);
511 client1_.Negotiate(&client2_, cricket::CA_ANSWER,
512 client1_role, client2_role, flags);
516 void TestTransfer(size_t channel, size_t size, size_t count, bool srtp) {
517 LOG(LS_INFO) << "Expect packets, size=" << size;
518 client2_.ExpectPackets(channel, size);
519 client1_.SendPackets(channel, size, count, srtp);
520 EXPECT_EQ_WAIT(count, client2_.NumPacketsReceived(), 10000);
524 DtlsTestClient client1_;
525 DtlsTestClient client2_;
531 // Test that transport negotiation of ICE, no DTLS works properly.
532 TEST_F(DtlsTransportChannelTest, TestChannelSetupIce) {
533 client1_.SetIceProtocol(cricket::ICEPROTO_RFC5245);
534 client2_.SetIceProtocol(cricket::ICEPROTO_RFC5245);
536 cricket::FakeTransportChannel* channel1 = client1_.GetFakeChannel(0);
537 cricket::FakeTransportChannel* channel2 = client2_.GetFakeChannel(0);
538 ASSERT_TRUE(channel1 != NULL);
539 ASSERT_TRUE(channel2 != NULL);
540 EXPECT_EQ(cricket::ICEROLE_CONTROLLING, channel1->GetIceRole());
541 EXPECT_EQ(1U, channel1->IceTiebreaker());
542 EXPECT_EQ(cricket::ICEPROTO_RFC5245, channel1->protocol());
543 EXPECT_EQ(kIceUfrag1, channel1->ice_ufrag());
544 EXPECT_EQ(kIcePwd1, channel1->ice_pwd());
545 EXPECT_EQ(cricket::ICEROLE_CONTROLLED, channel2->GetIceRole());
546 EXPECT_EQ(2U, channel2->IceTiebreaker());
547 EXPECT_EQ(cricket::ICEPROTO_RFC5245, channel2->protocol());
550 // Test that transport negotiation of GICE, no DTLS works properly.
551 TEST_F(DtlsTransportChannelTest, TestChannelSetupGice) {
552 client1_.SetIceProtocol(cricket::ICEPROTO_GOOGLE);
553 client2_.SetIceProtocol(cricket::ICEPROTO_GOOGLE);
555 cricket::FakeTransportChannel* channel1 = client1_.GetFakeChannel(0);
556 cricket::FakeTransportChannel* channel2 = client2_.GetFakeChannel(0);
557 ASSERT_TRUE(channel1 != NULL);
558 ASSERT_TRUE(channel2 != NULL);
559 EXPECT_EQ(cricket::ICEROLE_CONTROLLING, channel1->GetIceRole());
560 EXPECT_EQ(1U, channel1->IceTiebreaker());
561 EXPECT_EQ(cricket::ICEPROTO_GOOGLE, channel1->protocol());
562 EXPECT_EQ(kIceUfrag1, channel1->ice_ufrag());
563 EXPECT_EQ(kIcePwd1, channel1->ice_pwd());
564 EXPECT_EQ(cricket::ICEROLE_CONTROLLED, channel2->GetIceRole());
565 EXPECT_EQ(2U, channel2->IceTiebreaker());
566 EXPECT_EQ(cricket::ICEPROTO_GOOGLE, channel2->protocol());
569 // Connect without DTLS, and transfer some data.
570 TEST_F(DtlsTransportChannelTest, TestTransfer) {
571 ASSERT_TRUE(Connect());
572 TestTransfer(0, 1000, 100, false);
575 // Create two channels without DTLS, and transfer some data.
576 TEST_F(DtlsTransportChannelTest, TestTransferTwoChannels) {
578 ASSERT_TRUE(Connect());
579 TestTransfer(0, 1000, 100, false);
580 TestTransfer(1, 1000, 100, false);
583 // Connect without DTLS, and transfer SRTP data.
584 TEST_F(DtlsTransportChannelTest, TestTransferSrtp) {
585 ASSERT_TRUE(Connect());
586 TestTransfer(0, 1000, 100, true);
589 // Create two channels without DTLS, and transfer SRTP data.
590 TEST_F(DtlsTransportChannelTest, TestTransferSrtpTwoChannels) {
592 ASSERT_TRUE(Connect());
593 TestTransfer(0, 1000, 100, true);
594 TestTransfer(1, 1000, 100, true);
597 // Connect with DTLS, and transfer some data.
598 TEST_F(DtlsTransportChannelTest, TestTransferDtls) {
599 MAYBE_SKIP_TEST(HaveDtls);
600 PrepareDtls(true, true);
601 ASSERT_TRUE(Connect());
602 TestTransfer(0, 1000, 100, false);
605 // Create two channels with DTLS, and transfer some data.
606 TEST_F(DtlsTransportChannelTest, TestTransferDtlsTwoChannels) {
607 MAYBE_SKIP_TEST(HaveDtls);
609 PrepareDtls(true, true);
610 ASSERT_TRUE(Connect());
611 TestTransfer(0, 1000, 100, false);
612 TestTransfer(1, 1000, 100, false);
615 // Connect with A doing DTLS and B not, and transfer some data.
616 TEST_F(DtlsTransportChannelTest, TestTransferDtlsRejected) {
617 PrepareDtls(true, false);
618 ASSERT_TRUE(Connect());
619 TestTransfer(0, 1000, 100, false);
622 // Connect with B doing DTLS and A not, and transfer some data.
623 TEST_F(DtlsTransportChannelTest, TestTransferDtlsNotOffered) {
624 PrepareDtls(false, true);
625 ASSERT_TRUE(Connect());
626 TestTransfer(0, 1000, 100, false);
629 // Connect with DTLS, negotiate DTLS-SRTP, and transfer SRTP using bypass.
630 TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtp) {
631 MAYBE_SKIP_TEST(HaveDtlsSrtp);
632 PrepareDtls(true, true);
633 PrepareDtlsSrtp(true, true);
634 ASSERT_TRUE(Connect());
635 TestTransfer(0, 1000, 100, true);
638 // Connect with DTLS-SRTP, transfer an invalid SRTP packet, and expects -1
640 TEST_F(DtlsTransportChannelTest, TestTransferDtlsInvalidSrtpPacket) {
641 MAYBE_SKIP_TEST(HaveDtls);
642 PrepareDtls(true, true);
643 PrepareDtlsSrtp(true, true);
644 ASSERT_TRUE(Connect());
645 int result = client1_.SendInvalidSrtpPacket(0, 100);
646 ASSERT_EQ(-1, result);
649 // Connect with DTLS. A does DTLS-SRTP but B does not.
650 TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpRejected) {
651 MAYBE_SKIP_TEST(HaveDtlsSrtp);
652 PrepareDtls(true, true);
653 PrepareDtlsSrtp(true, false);
654 ASSERT_TRUE(Connect());
657 // Connect with DTLS. B does DTLS-SRTP but A does not.
658 TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpNotOffered) {
659 MAYBE_SKIP_TEST(HaveDtlsSrtp);
660 PrepareDtls(true, true);
661 PrepareDtlsSrtp(false, true);
662 ASSERT_TRUE(Connect());
665 // Create two channels with DTLS, negotiate DTLS-SRTP, and transfer bypass SRTP.
666 TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpTwoChannels) {
667 MAYBE_SKIP_TEST(HaveDtlsSrtp);
669 PrepareDtls(true, true);
670 PrepareDtlsSrtp(true, true);
671 ASSERT_TRUE(Connect());
672 TestTransfer(0, 1000, 100, true);
673 TestTransfer(1, 1000, 100, true);
676 // Create a single channel with DTLS, and send normal data and SRTP data on it.
677 TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpDemux) {
678 MAYBE_SKIP_TEST(HaveDtlsSrtp);
679 PrepareDtls(true, true);
680 PrepareDtlsSrtp(true, true);
681 ASSERT_TRUE(Connect());
682 TestTransfer(0, 1000, 100, false);
683 TestTransfer(0, 1000, 100, true);
686 // Testing when the remote is passive.
687 TEST_F(DtlsTransportChannelTest, TestTransferDtlsAnswererIsPassive) {
688 MAYBE_SKIP_TEST(HaveDtlsSrtp);
690 PrepareDtls(true, true);
691 PrepareDtlsSrtp(true, true);
692 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS,
693 cricket::CONNECTIONROLE_PASSIVE));
694 TestTransfer(0, 1000, 100, true);
695 TestTransfer(1, 1000, 100, true);
698 // Testing with the legacy DTLS client which doesn't use setup attribute.
699 // In this case legacy is the answerer.
700 TEST_F(DtlsTransportChannelTest, TestDtlsSetupWithLegacyAsAnswerer) {
701 MAYBE_SKIP_TEST(HaveDtlsSrtp);
702 PrepareDtls(true, true);
703 NegotiateWithLegacy();
704 rtc::SSLRole channel1_role;
705 rtc::SSLRole channel2_role;
706 EXPECT_TRUE(client1_.transport()->GetSslRole(&channel1_role));
707 EXPECT_TRUE(client2_.transport()->GetSslRole(&channel2_role));
708 EXPECT_EQ(rtc::SSL_SERVER, channel1_role);
709 EXPECT_EQ(rtc::SSL_CLIENT, channel2_role);
712 // Testing re offer/answer after the session is estbalished. Roles will be
713 // kept same as of the previous negotiation.
714 TEST_F(DtlsTransportChannelTest, TestDtlsReOfferFromOfferer) {
715 MAYBE_SKIP_TEST(HaveDtlsSrtp);
717 PrepareDtls(true, true);
718 PrepareDtlsSrtp(true, true);
719 // Initial role for client1 is ACTPASS and client2 is ACTIVE.
720 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS,
721 cricket::CONNECTIONROLE_ACTIVE));
722 TestTransfer(0, 1000, 100, true);
723 TestTransfer(1, 1000, 100, true);
724 // Using input roles for the re-offer.
725 Renegotiate(&client1_, cricket::CONNECTIONROLE_ACTPASS,
726 cricket::CONNECTIONROLE_ACTIVE, NF_REOFFER);
727 TestTransfer(0, 1000, 100, true);
728 TestTransfer(1, 1000, 100, true);
731 TEST_F(DtlsTransportChannelTest, TestDtlsReOfferFromAnswerer) {
732 MAYBE_SKIP_TEST(HaveDtlsSrtp);
734 PrepareDtls(true, true);
735 PrepareDtlsSrtp(true, true);
736 // Initial role for client1 is ACTPASS and client2 is ACTIVE.
737 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS,
738 cricket::CONNECTIONROLE_ACTIVE));
739 TestTransfer(0, 1000, 100, true);
740 TestTransfer(1, 1000, 100, true);
741 // Using input roles for the re-offer.
742 Renegotiate(&client2_, cricket::CONNECTIONROLE_PASSIVE,
743 cricket::CONNECTIONROLE_ACTPASS, NF_REOFFER);
744 TestTransfer(0, 1000, 100, true);
745 TestTransfer(1, 1000, 100, true);
748 // Test that any change in role after the intial setup will result in failure.
749 TEST_F(DtlsTransportChannelTest, TestDtlsRoleReversal) {
750 MAYBE_SKIP_TEST(HaveDtlsSrtp);
752 PrepareDtls(true, true);
753 PrepareDtlsSrtp(true, true);
754 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS,
755 cricket::CONNECTIONROLE_PASSIVE));
757 // Renegotiate from client2 with actpass and client1 as active.
758 Renegotiate(&client2_, cricket::CONNECTIONROLE_ACTPASS,
759 cricket::CONNECTIONROLE_ACTIVE,
760 NF_REOFFER | NF_EXPECT_FAILURE);
763 // Test that using different setup attributes which results in similar ssl
764 // role as the initial negotiation will result in success.
765 TEST_F(DtlsTransportChannelTest, TestDtlsReOfferWithDifferentSetupAttr) {
766 MAYBE_SKIP_TEST(HaveDtlsSrtp);
768 PrepareDtls(true, true);
769 PrepareDtlsSrtp(true, true);
770 ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS,
771 cricket::CONNECTIONROLE_PASSIVE));
772 // Renegotiate from client2 with actpass and client1 as active.
773 Renegotiate(&client2_, cricket::CONNECTIONROLE_ACTIVE,
774 cricket::CONNECTIONROLE_ACTPASS, NF_REOFFER);
775 TestTransfer(0, 1000, 100, true);
776 TestTransfer(1, 1000, 100, true);
779 // Test that re-negotiation can be started before the clients become connected
780 // in the first negotiation.
781 TEST_F(DtlsTransportChannelTest, TestRenegotiateBeforeConnect) {
782 MAYBE_SKIP_TEST(HaveDtlsSrtp);
784 PrepareDtls(true, true);
785 PrepareDtlsSrtp(true, true);
788 Renegotiate(&client1_, cricket::CONNECTIONROLE_ACTPASS,
789 cricket::CONNECTIONROLE_ACTIVE, NF_REOFFER);
790 bool rv = client1_.Connect(&client2_);
792 EXPECT_TRUE_WAIT(client1_.writable() && client2_.writable(), 10000);
794 TestTransfer(0, 1000, 100, true);
795 TestTransfer(1, 1000, 100, true);
798 // Test Certificates state after negotiation but before connection.
799 TEST_F(DtlsTransportChannelTest, TestCertificatesBeforeConnect) {
800 MAYBE_SKIP_TEST(HaveDtls);
801 PrepareDtls(true, true);
804 rtc::scoped_ptr<rtc::SSLIdentity> identity1;
805 rtc::scoped_ptr<rtc::SSLIdentity> identity2;
806 rtc::scoped_ptr<rtc::SSLCertificate> remote_cert1;
807 rtc::scoped_ptr<rtc::SSLCertificate> remote_cert2;
809 // After negotiation, each side has a distinct local certificate, but still no
810 // remote certificate, because connection has not yet occurred.
811 ASSERT_TRUE(client1_.transport()->GetIdentity(identity1.accept()));
812 ASSERT_TRUE(client2_.transport()->GetIdentity(identity2.accept()));
813 ASSERT_NE(identity1->certificate().ToPEMString(),
814 identity2->certificate().ToPEMString());
816 client1_.transport()->GetRemoteCertificate(remote_cert1.accept()));
817 ASSERT_FALSE(remote_cert1 != NULL);
819 client2_.transport()->GetRemoteCertificate(remote_cert2.accept()));
820 ASSERT_FALSE(remote_cert2 != NULL);
823 // Test Certificates state after connection.
824 TEST_F(DtlsTransportChannelTest, TestCertificatesAfterConnect) {
825 MAYBE_SKIP_TEST(HaveDtls);
826 PrepareDtls(true, true);
827 ASSERT_TRUE(Connect());
829 rtc::scoped_ptr<rtc::SSLIdentity> identity1;
830 rtc::scoped_ptr<rtc::SSLIdentity> identity2;
831 rtc::scoped_ptr<rtc::SSLCertificate> remote_cert1;
832 rtc::scoped_ptr<rtc::SSLCertificate> remote_cert2;
834 // After connection, each side has a distinct local certificate.
835 ASSERT_TRUE(client1_.transport()->GetIdentity(identity1.accept()));
836 ASSERT_TRUE(client2_.transport()->GetIdentity(identity2.accept()));
837 ASSERT_NE(identity1->certificate().ToPEMString(),
838 identity2->certificate().ToPEMString());
840 // Each side's remote certificate is the other side's local certificate.
842 client1_.transport()->GetRemoteCertificate(remote_cert1.accept()));
843 ASSERT_EQ(remote_cert1->ToPEMString(),
844 identity2->certificate().ToPEMString());
846 client2_.transport()->GetRemoteCertificate(remote_cert2.accept()));
847 ASSERT_EQ(remote_cert2->ToPEMString(),
848 identity1->certificate().ToPEMString());