Add IsAcceptableCipher, use instead of GetDefaultCipher.
The old code insists on exact cipher suite matches with hardwired expectations. It does this matching parameterized with key type (RSA vs ECDSA) and TLS version (DTLS vs TLS and version 1.0 vs 1.2).
This CL changes things to check against a white-list of cipher suites, with the check parameterized with key type (again RSA vs ECDSA). Then separately checks TLS version since the old implicit check of TLS version by means of resulting cipher suite was too blunt.
Using a white list for cipher suites isn't perfect, but it is safe and requires minimal maintenance. It allows compatibility with not just one exact version of underlying crypto lib, but any version with reasonable defaults.
The CL also re-enables critical tests which had to be disabled recently to allow a boringssl roll.
BUG=webrtc:5634
Review URL: https://codereview.webrtc.org/1774583002
Cr-Commit-Position: refs/heads/master@{#11951}
diff --git a/webrtc/api/peerconnection_unittest.cc b/webrtc/api/peerconnection_unittest.cc
index 39bf608..533b9db 100644
--- a/webrtc/api/peerconnection_unittest.cc
+++ b/webrtc/api/peerconnection_unittest.cc
@@ -1542,8 +1542,7 @@
}
// Test that DTLS 1.0 is used if both sides only support DTLS 1.0.
-// Disabled due to new BoringSSLL version, see webrtc:5634
-TEST_F(P2PTestConductor, DISABLED_GetDtls12None) {
+TEST_F(P2PTestConductor, GetDtls12None) {
PeerConnectionFactory::Options init_options;
init_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_10;
PeerConnectionFactory::Options recv_options;
@@ -1555,16 +1554,10 @@
initializing_client()->pc()->RegisterUMAObserver(init_observer);
LocalP2PTest();
- EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName(
- rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
- rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)),
- initializing_client()->GetDtlsCipherStats(),
- kMaxWaitForStatsMs);
- EXPECT_EQ(1, init_observer->GetEnumCounter(
- webrtc::kEnumCounterAudioSslCipher,
- rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
- rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)));
-
+ EXPECT_TRUE_WAIT(
+ rtc::SSLStreamAdapter::IsAcceptableCipher(
+ initializing_client()->GetDtlsCipherStats(), rtc::KT_DEFAULT),
+ kMaxWaitForStatsMs);
EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite),
initializing_client()->GetSrtpCipherStats(),
kMaxWaitForStatsMs);
@@ -1586,16 +1579,10 @@
initializing_client()->pc()->RegisterUMAObserver(init_observer);
LocalP2PTest();
- EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName(
- rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
- rtc::SSL_PROTOCOL_DTLS_12, rtc::KT_DEFAULT)),
- initializing_client()->GetDtlsCipherStats(),
- kMaxWaitForStatsMs);
- EXPECT_EQ(1, init_observer->GetEnumCounter(
- webrtc::kEnumCounterAudioSslCipher,
- rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
- rtc::SSL_PROTOCOL_DTLS_12, rtc::KT_DEFAULT)));
-
+ EXPECT_TRUE_WAIT(
+ rtc::SSLStreamAdapter::IsAcceptableCipher(
+ initializing_client()->GetDtlsCipherStats(), rtc::KT_DEFAULT),
+ kMaxWaitForStatsMs);
EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite),
initializing_client()->GetSrtpCipherStats(),
kMaxWaitForStatsMs);
@@ -1606,8 +1593,7 @@
// Test that DTLS 1.0 is used if the initator supports DTLS 1.2 and the
// received supports 1.0.
-// Disabled due to new BoringSSLL version, see webrtc:5634
-TEST_F(P2PTestConductor, DISABLED_GetDtls12Init) {
+TEST_F(P2PTestConductor, GetDtls12Init) {
PeerConnectionFactory::Options init_options;
init_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_12;
PeerConnectionFactory::Options recv_options;
@@ -1619,16 +1605,10 @@
initializing_client()->pc()->RegisterUMAObserver(init_observer);
LocalP2PTest();
- EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName(
- rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
- rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)),
- initializing_client()->GetDtlsCipherStats(),
- kMaxWaitForStatsMs);
- EXPECT_EQ(1, init_observer->GetEnumCounter(
- webrtc::kEnumCounterAudioSslCipher,
- rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
- rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)));
-
+ EXPECT_TRUE_WAIT(
+ rtc::SSLStreamAdapter::IsAcceptableCipher(
+ initializing_client()->GetDtlsCipherStats(), rtc::KT_DEFAULT),
+ kMaxWaitForStatsMs);
EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite),
initializing_client()->GetSrtpCipherStats(),
kMaxWaitForStatsMs);
@@ -1639,8 +1619,7 @@
// Test that DTLS 1.0 is used if the initator supports DTLS 1.0 and the
// received supports 1.2.
-// Disabled due to new BoringSSLL version, see webrtc:5634
-TEST_F(P2PTestConductor, DISABLED_GetDtls12Recv) {
+TEST_F(P2PTestConductor, GetDtls12Recv) {
PeerConnectionFactory::Options init_options;
init_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_10;
PeerConnectionFactory::Options recv_options;
@@ -1652,16 +1631,10 @@
initializing_client()->pc()->RegisterUMAObserver(init_observer);
LocalP2PTest();
- EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName(
- rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
- rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)),
- initializing_client()->GetDtlsCipherStats(),
- kMaxWaitForStatsMs);
- EXPECT_EQ(1, init_observer->GetEnumCounter(
- webrtc::kEnumCounterAudioSslCipher,
- rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
- rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)));
-
+ EXPECT_TRUE_WAIT(
+ rtc::SSLStreamAdapter::IsAcceptableCipher(
+ initializing_client()->GetDtlsCipherStats(), rtc::KT_DEFAULT),
+ kMaxWaitForStatsMs);
EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite),
initializing_client()->GetSrtpCipherStats(),
kMaxWaitForStatsMs);
diff --git a/webrtc/base/opensslstreamadapter.cc b/webrtc/base/opensslstreamadapter.cc
index b2afebb..3e91198 100644
--- a/webrtc/base/opensslstreamadapter.cc
+++ b/webrtc/base/opensslstreamadapter.cc
@@ -147,51 +147,6 @@
#pragma warning(disable : 4310)
#endif // defined(_MSC_VER)
-// Default cipher used between OpenSSL/BoringSSL stream adapters.
-// This needs to be updated when the default of the SSL library changes.
-// static_cast<uint16_t> causes build warnings on windows platform.
-static int kDefaultSslCipher10 =
- static_cast<uint16_t>(TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA);
-static int kDefaultSslEcCipher10 =
- static_cast<uint16_t>(TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA);
-#ifdef OPENSSL_IS_BORINGSSL
-static int kDefaultSslCipher12 =
- static_cast<uint16_t>(TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
-static int kDefaultSslEcCipher12 =
- static_cast<uint16_t>(TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
-// Fallback cipher for DTLS 1.2 if hardware-accelerated AES-GCM is unavailable.
-
-#ifdef TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-// This ciphersuite was added in boringssl 13414b3a..., changing the fallback
-// ciphersuite. For compatibility during a transitional period, support old
-// boringssl versions. TODO(torbjorng): Remove this.
-static int kDefaultSslCipher12NoAesGcm =
- static_cast<uint16_t>(TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
-#else
-static int kDefaultSslCipher12NoAesGcm =
- static_cast<uint16_t>(TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD);
-#endif
-
-#ifdef TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-// This ciphersuite was added in boringssl 13414b3a..., changing the fallback
-// ciphersuite. For compatibility during a transitional period, support old
-// boringssl versions. TODO(torbjorng): Remove this.
-static int kDefaultSslEcCipher12NoAesGcm =
- static_cast<uint16_t>(TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256);
-#else
-static int kDefaultSslEcCipher12NoAesGcm =
- static_cast<uint16_t>(TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD);
-#endif
-
-#else // !OPENSSL_IS_BORINGSSL
-// OpenSSL sorts differently than BoringSSL, so the default cipher doesn't
-// change between TLS 1.0 and TLS 1.2 with the current setup.
-static int kDefaultSslCipher12 =
- static_cast<uint16_t>(TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA);
-static int kDefaultSslEcCipher12 =
- static_cast<uint16_t>(TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA);
-#endif // OPENSSL_IS_BORINGSSL
-
#if defined(_MSC_VER)
#pragma warning(pop)
#endif // defined(_MSC_VER)
@@ -404,6 +359,28 @@
return true;
}
+int OpenSSLStreamAdapter::GetSslVersion() const {
+ if (state_ != SSL_CONNECTED)
+ return -1;
+
+ int ssl_version = SSL_version(ssl_);
+ if (ssl_mode_ == SSL_MODE_DTLS) {
+ if (ssl_version == DTLS1_VERSION)
+ return SSL_PROTOCOL_DTLS_10;
+ else if (ssl_version == DTLS1_2_VERSION)
+ return SSL_PROTOCOL_DTLS_12;
+ } else {
+ if (ssl_version == TLS1_VERSION)
+ return SSL_PROTOCOL_TLS_10;
+ else if (ssl_version == TLS1_1_VERSION)
+ return SSL_PROTOCOL_TLS_11;
+ else if (ssl_version == TLS1_2_VERSION)
+ return SSL_PROTOCOL_TLS_12;
+ }
+
+ return -1;
+}
+
// Key Extractor interface
bool OpenSSLStreamAdapter::ExportKeyingMaterial(const std::string& label,
const uint8_t* context,
@@ -1147,46 +1124,71 @@
#endif
}
-int OpenSSLStreamAdapter::GetDefaultSslCipherForTest(SSLProtocolVersion version,
- KeyType key_type) {
+#define CDEF(X) \
+ { static_cast<uint16_t>(TLS1_CK_##X & 0xffff), "TLS_" #X }
+
+struct cipher_list {
+ uint16_t cipher;
+ const char* cipher_str;
+};
+
+// TODO(torbjorng): Perhaps add more cipher suites to these lists.
+static const cipher_list OK_RSA_ciphers[] = {
+ CDEF(ECDHE_RSA_WITH_AES_128_CBC_SHA),
+ CDEF(ECDHE_RSA_WITH_AES_256_CBC_SHA),
+ CDEF(ECDHE_RSA_WITH_AES_128_GCM_SHA256),
+#ifdef TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA256
+ CDEF(ECDHE_RSA_WITH_AES_256_GCM_SHA256),
+#endif
+ CDEF(ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256),
+};
+
+static const cipher_list OK_ECDSA_ciphers[] = {
+ CDEF(ECDHE_ECDSA_WITH_AES_128_CBC_SHA),
+ CDEF(ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
+ CDEF(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
+#ifdef TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256
+ CDEF(ECDHE_ECDSA_WITH_AES_256_GCM_SHA256),
+#endif
+ CDEF(ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256),
+};
+#undef CDEF
+
+bool OpenSSLStreamAdapter::IsAcceptableCipher(int cipher, KeyType key_type) {
if (key_type == KT_RSA) {
- switch (version) {
- case SSL_PROTOCOL_TLS_10:
- case SSL_PROTOCOL_TLS_11:
- return kDefaultSslCipher10;
- case SSL_PROTOCOL_TLS_12:
- default:
-#ifdef OPENSSL_IS_BORINGSSL
- if (EVP_has_aes_hardware()) {
- return kDefaultSslCipher12;
- } else {
- return kDefaultSslCipher12NoAesGcm;
- }
-#else // !OPENSSL_IS_BORINGSSL
- return kDefaultSslCipher12;
-#endif
+ for (const cipher_list& c : OK_RSA_ciphers) {
+ if (cipher == c.cipher)
+ return true;
}
- } else if (key_type == KT_ECDSA) {
- switch (version) {
- case SSL_PROTOCOL_TLS_10:
- case SSL_PROTOCOL_TLS_11:
- return kDefaultSslEcCipher10;
- case SSL_PROTOCOL_TLS_12:
- default:
-#ifdef OPENSSL_IS_BORINGSSL
- if (EVP_has_aes_hardware()) {
- return kDefaultSslEcCipher12;
- } else {
- return kDefaultSslEcCipher12NoAesGcm;
- }
-#else // !OPENSSL_IS_BORINGSSL
- return kDefaultSslEcCipher12;
-#endif
- }
- } else {
- RTC_NOTREACHED();
- return kDefaultSslEcCipher12;
}
+
+ if (key_type == KT_ECDSA) {
+ for (const cipher_list& c : OK_ECDSA_ciphers) {
+ if (cipher == c.cipher)
+ return true;
+ }
+ }
+
+ return false;
+}
+
+bool OpenSSLStreamAdapter::IsAcceptableCipher(const std::string& cipher,
+ KeyType key_type) {
+ if (key_type == KT_RSA) {
+ for (const cipher_list& c : OK_RSA_ciphers) {
+ if (cipher == c.cipher_str)
+ return true;
+ }
+ }
+
+ if (key_type == KT_ECDSA) {
+ for (const cipher_list& c : OK_ECDSA_ciphers) {
+ if (cipher == c.cipher_str)
+ return true;
+ }
+ }
+
+ return false;
}
} // namespace rtc
diff --git a/webrtc/base/opensslstreamadapter.h b/webrtc/base/opensslstreamadapter.h
index e57b2a3..231d059 100644
--- a/webrtc/base/opensslstreamadapter.h
+++ b/webrtc/base/opensslstreamadapter.h
@@ -92,6 +92,8 @@
bool GetSslCipherSuite(int* cipher) override;
+ int GetSslVersion() const override;
+
// Key Extractor interface
bool ExportKeyingMaterial(const std::string& label,
const uint8_t* context,
@@ -109,9 +111,8 @@
static bool HaveDtlsSrtp();
static bool HaveExporter();
- // TODO(guoweis): Move this away from a static class method.
- static int GetDefaultSslCipherForTest(SSLProtocolVersion version,
- KeyType key_type);
+ static bool IsAcceptableCipher(int cipher, KeyType key_type);
+ static bool IsAcceptableCipher(const std::string& cipher, KeyType key_type);
protected:
void OnEvent(StreamInterface* stream, int events, int err) override;
diff --git a/webrtc/base/sslstreamadapter.cc b/webrtc/base/sslstreamadapter.cc
index a2cff3e..bcecc03 100644
--- a/webrtc/base/sslstreamadapter.cc
+++ b/webrtc/base/sslstreamadapter.cc
@@ -86,11 +86,13 @@
bool SSLStreamAdapter::HaveExporter() {
return OpenSSLStreamAdapter::HaveExporter();
}
-int SSLStreamAdapter::GetDefaultSslCipherForTest(SSLProtocolVersion version,
- KeyType key_type) {
- return OpenSSLStreamAdapter::GetDefaultSslCipherForTest(version, key_type);
+bool SSLStreamAdapter::IsAcceptableCipher(int cipher, KeyType key_type) {
+ return OpenSSLStreamAdapter::IsAcceptableCipher(cipher, key_type);
}
-
+bool SSLStreamAdapter::IsAcceptableCipher(const std::string& cipher,
+ KeyType key_type) {
+ return OpenSSLStreamAdapter::IsAcceptableCipher(cipher, key_type);
+}
std::string SSLStreamAdapter::SslCipherSuiteToName(int cipher_suite) {
return OpenSSLStreamAdapter::SslCipherSuiteToName(cipher_suite);
}
diff --git a/webrtc/base/sslstreamadapter.h b/webrtc/base/sslstreamadapter.h
index c57056b..a50f674 100644
--- a/webrtc/base/sslstreamadapter.h
+++ b/webrtc/base/sslstreamadapter.h
@@ -161,6 +161,8 @@
// connection (e.g. 0x2F for "TLS_RSA_WITH_AES_128_CBC_SHA").
virtual bool GetSslCipherSuite(int* cipher_suite);
+ virtual int GetSslVersion() const = 0;
+
// Key Exporter interface from RFC 5705
// Arguments are:
// label -- the exporter label.
@@ -189,11 +191,10 @@
static bool HaveDtlsSrtp();
static bool HaveExporter();
- // Returns the default Ssl cipher used between streams of this class
- // for the given protocol version. This is used by the unit tests.
- // TODO(guoweis): Move this away from a static class method.
- static int GetDefaultSslCipherForTest(SSLProtocolVersion version,
- KeyType key_type);
+ // Returns true iff the supplied cipher is deemed to be strong.
+ // TODO(torbjorng): Consider removing the KeyType argument.
+ static bool IsAcceptableCipher(int cipher, KeyType key_type);
+ static bool IsAcceptableCipher(const std::string& cipher, KeyType key_type);
// TODO(guoweis): Move this away from a static class method. Currently this is
// introduced such that any caller could depend on sslstreamadapter.h without
diff --git a/webrtc/base/sslstreamadapter_unittest.cc b/webrtc/base/sslstreamadapter_unittest.cc
index afb1337..2eaa475 100644
--- a/webrtc/base/sslstreamadapter_unittest.cc
+++ b/webrtc/base/sslstreamadapter_unittest.cc
@@ -488,6 +488,13 @@
return server_ssl_->GetSslCipherSuite(retval);
}
+ int GetSslVersion(bool client) {
+ if (client)
+ return client_ssl_->GetSslVersion();
+ else
+ return server_ssl_->GetSslVersion();
+ }
+
bool ExportKeyingMaterial(const char *label,
const unsigned char *context,
size_t context_len,
@@ -1066,8 +1073,7 @@
// Test getting the used DTLS ciphers.
// DTLS 1.2 enabled for neither client nor server -> DTLS 1.0 will be used.
-// Disabled due to new BoringSSLL version, see webrtc:5634
-TEST_P(SSLStreamAdapterTestDTLS, DISABLED_TestGetSslCipherSuite) {
+TEST_P(SSLStreamAdapterTestDTLS, TestGetSslCipherSuite) {
MAYBE_SKIP_TEST(HaveDtls);
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
TestHandshake();
@@ -1077,11 +1083,12 @@
int server_cipher;
ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true));
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false));
+
ASSERT_EQ(client_cipher, server_cipher);
- ASSERT_EQ(
- rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
- rtc::SSL_PROTOCOL_DTLS_10, ::testing::get<1>(GetParam()).type()),
- server_cipher);
+ ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher(
+ server_cipher, ::testing::get<1>(GetParam()).type()));
}
// Test getting the used DTLS 1.2 ciphers.
@@ -1096,16 +1103,16 @@
int server_cipher;
ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(true));
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(false));
+
ASSERT_EQ(client_cipher, server_cipher);
- ASSERT_EQ(
- rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
- rtc::SSL_PROTOCOL_DTLS_12, ::testing::get<1>(GetParam()).type()),
- server_cipher);
+ ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher(
+ server_cipher, ::testing::get<1>(GetParam()).type()));
}
// DTLS 1.2 enabled for client only -> DTLS 1.0 will be used.
-// Disabled due to new BoringSSLL version, see webrtc:5634
-TEST_P(SSLStreamAdapterTestDTLS, DISABLED_TestGetSslCipherSuiteDtls12Client) {
+TEST_P(SSLStreamAdapterTestDTLS, TestGetSslCipherSuiteDtls12Client) {
MAYBE_SKIP_TEST(HaveDtls);
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_12);
TestHandshake();
@@ -1115,16 +1122,16 @@
int server_cipher;
ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true));
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false));
+
ASSERT_EQ(client_cipher, server_cipher);
- ASSERT_EQ(
- rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
- rtc::SSL_PROTOCOL_DTLS_10, ::testing::get<1>(GetParam()).type()),
- server_cipher);
+ ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher(
+ server_cipher, ::testing::get<1>(GetParam()).type()));
}
// DTLS 1.2 enabled for server only -> DTLS 1.0 will be used.
-// Disabled due to new BoringSSLL version, see webrtc:5634
-TEST_P(SSLStreamAdapterTestDTLS, DISABLED_TestGetSslCipherSuiteDtls12Server) {
+TEST_P(SSLStreamAdapterTestDTLS, TestGetSslCipherSuiteDtls12Server) {
MAYBE_SKIP_TEST(HaveDtls);
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_10);
TestHandshake();
@@ -1134,11 +1141,12 @@
int server_cipher;
ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true));
+ ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false));
+
ASSERT_EQ(client_cipher, server_cipher);
- ASSERT_EQ(
- rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
- rtc::SSL_PROTOCOL_DTLS_10, ::testing::get<1>(GetParam()).type()),
- server_cipher);
+ ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher(
+ server_cipher, ::testing::get<1>(GetParam()).type()));
}
// The RSA keysizes here might look strange, why not include the RFC's size
diff --git a/webrtc/p2p/base/dtlstransportchannel_unittest.cc b/webrtc/p2p/base/dtlstransportchannel_unittest.cc
index 2abcf8a..18b355f 100644
--- a/webrtc/p2p/base/dtlstransportchannel_unittest.cc
+++ b/webrtc/p2p/base/dtlstransportchannel_unittest.cc
@@ -229,16 +229,17 @@
}
}
- void CheckSsl(int expected_cipher) {
+ void CheckSsl() {
for (std::vector<cricket::DtlsTransportChannelWrapper*>::iterator it =
channels_.begin(); it != channels_.end(); ++it) {
int cipher;
bool rv = (*it)->GetSslCipherSuite(&cipher);
- if (negotiated_dtls_ && expected_cipher) {
+ if (negotiated_dtls_) {
ASSERT_TRUE(rv);
- ASSERT_EQ(cipher, expected_cipher);
+ EXPECT_TRUE(
+ rtc::SSLStreamAdapter::IsAcceptableCipher(cipher, rtc::KT_DEFAULT));
} else {
ASSERT_FALSE(rv);
}
@@ -473,10 +474,9 @@
client1_.CheckSrtp(rtc::SRTP_INVALID_CRYPTO_SUITE);
client2_.CheckSrtp(rtc::SRTP_INVALID_CRYPTO_SUITE);
}
- client1_.CheckSsl(rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
- ssl_expected_version_, rtc::KT_DEFAULT));
- client2_.CheckSsl(rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
- ssl_expected_version_, rtc::KT_DEFAULT));
+
+ client1_.CheckSsl();
+ client2_.CheckSsl();
return true;
}
@@ -632,8 +632,7 @@
}
// Create two channels with DTLS 1.0 and check ciphers.
-// Disabled due to new BoringSSLL version, see webrtc:5634
-TEST_F(DtlsTransportChannelTest, DISABLED_TestDtls12None) {
+TEST_F(DtlsTransportChannelTest, TestDtls12None) {
MAYBE_SKIP_TEST(HaveDtls);
SetChannelCount(2);
PrepareDtls(true, true, rtc::KT_DEFAULT);
@@ -651,8 +650,7 @@
}
// Create two channels with DTLS 1.0 / DTLS 1.2 and check ciphers.
-// Disabled due to new BoringSSLL version, see webrtc:5634
-TEST_F(DtlsTransportChannelTest, DISABLED_TestDtls12Client1) {
+TEST_F(DtlsTransportChannelTest, TestDtls12Client1) {
MAYBE_SKIP_TEST(HaveDtls);
SetChannelCount(2);
PrepareDtls(true, true, rtc::KT_DEFAULT);
@@ -661,8 +659,7 @@
}
// Create two channels with DTLS 1.2 / DTLS 1.0 and check ciphers.
-// Disabled due to new BoringSSLL version, see webrtc:5634
-TEST_F(DtlsTransportChannelTest, DISABLED_TestDtls12Client2) {
+TEST_F(DtlsTransportChannelTest, TestDtls12Client2) {
MAYBE_SKIP_TEST(HaveDtls);
SetChannelCount(2);
PrepareDtls(true, true, rtc::KT_DEFAULT);
