Add IsAcceptableCipher, use instead of GetDefaultCipher. The old code insists on exact cipher suite matches with hardwired expectations. It does this matching parameterized with key type (RSA vs ECDSA) and TLS version (DTLS vs TLS and version 1.0 vs 1.2). This CL changes things to check against a white-list of cipher suites, with the check parameterized with key type (again RSA vs ECDSA). Then separately checks TLS version since the old implicit check of TLS version by means of resulting cipher suite was too blunt. Using a white list for cipher suites isn't perfect, but it is safe and requires minimal maintenance. It allows compatibility with not just one exact version of underlying crypto lib, but any version with reasonable defaults. The CL also re-enables critical tests which had to be disabled recently to allow a boringssl roll. BUG=webrtc:5634 Review URL: https://codereview.webrtc.org/1774583002 Cr-Commit-Position: refs/heads/master@{#11951}

commit: 43166b8adf749c6672eca0cd4a39399cf27d4761 [log] [tgz]
author: torbjorng <torbjorng@webrtc.org> Fri Mar 11 08:06:47 2016
committer: Commit bot <commit-bot@chromium.org> Fri Mar 11 08:06:55 2016
tree: ba54717954e0e7cb202ef67738b976f3fc73d2b1
parent: 737f4b8d12a44909814f8f481579a2e88adc834e [diff] [blame]
diff --git a/webrtc/api/peerconnection_unittest.cc b/webrtc/api/peerconnection_unittest.cc
index 39bf608..533b9db 100644
--- a/webrtc/api/peerconnection_unittest.cc
+++ b/webrtc/api/peerconnection_unittest.cc

@@ -1542,8 +1542,7 @@
 }
 
 // Test that DTLS 1.0 is used if both sides only support DTLS 1.0.
-// Disabled due to new BoringSSLL version, see  webrtc:5634
-TEST_F(P2PTestConductor, DISABLED_GetDtls12None) {
+TEST_F(P2PTestConductor, GetDtls12None) {
   PeerConnectionFactory::Options init_options;
   init_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_10;
   PeerConnectionFactory::Options recv_options;
@@ -1555,16 +1554,10 @@
   initializing_client()->pc()->RegisterUMAObserver(init_observer);
   LocalP2PTest();
 
-  EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName(
-                     rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
-                         rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)),
-                 initializing_client()->GetDtlsCipherStats(),
-                 kMaxWaitForStatsMs);
-  EXPECT_EQ(1, init_observer->GetEnumCounter(
-                   webrtc::kEnumCounterAudioSslCipher,
-                   rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
-                       rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)));
-
+  EXPECT_TRUE_WAIT(
+      rtc::SSLStreamAdapter::IsAcceptableCipher(
+          initializing_client()->GetDtlsCipherStats(), rtc::KT_DEFAULT),
+      kMaxWaitForStatsMs);
   EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite),
                  initializing_client()->GetSrtpCipherStats(),
                  kMaxWaitForStatsMs);
@@ -1586,16 +1579,10 @@
   initializing_client()->pc()->RegisterUMAObserver(init_observer);
   LocalP2PTest();
 
-  EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName(
-                     rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
-                         rtc::SSL_PROTOCOL_DTLS_12, rtc::KT_DEFAULT)),
-                 initializing_client()->GetDtlsCipherStats(),
-                 kMaxWaitForStatsMs);
-  EXPECT_EQ(1, init_observer->GetEnumCounter(
-                   webrtc::kEnumCounterAudioSslCipher,
-                   rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
-                       rtc::SSL_PROTOCOL_DTLS_12, rtc::KT_DEFAULT)));
-
+  EXPECT_TRUE_WAIT(
+      rtc::SSLStreamAdapter::IsAcceptableCipher(
+          initializing_client()->GetDtlsCipherStats(), rtc::KT_DEFAULT),
+      kMaxWaitForStatsMs);
   EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite),
                  initializing_client()->GetSrtpCipherStats(),
                  kMaxWaitForStatsMs);
@@ -1606,8 +1593,7 @@
 
 // Test that DTLS 1.0 is used if the initator supports DTLS 1.2 and the
 // received supports 1.0.
-// Disabled due to new BoringSSLL version, see  webrtc:5634
-TEST_F(P2PTestConductor, DISABLED_GetDtls12Init) {
+TEST_F(P2PTestConductor, GetDtls12Init) {
   PeerConnectionFactory::Options init_options;
   init_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_12;
   PeerConnectionFactory::Options recv_options;
@@ -1619,16 +1605,10 @@
   initializing_client()->pc()->RegisterUMAObserver(init_observer);
   LocalP2PTest();
 
-  EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName(
-                     rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
-                         rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)),
-                 initializing_client()->GetDtlsCipherStats(),
-                 kMaxWaitForStatsMs);
-  EXPECT_EQ(1, init_observer->GetEnumCounter(
-                   webrtc::kEnumCounterAudioSslCipher,
-                   rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
-                       rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)));
-
+  EXPECT_TRUE_WAIT(
+      rtc::SSLStreamAdapter::IsAcceptableCipher(
+          initializing_client()->GetDtlsCipherStats(), rtc::KT_DEFAULT),
+      kMaxWaitForStatsMs);
   EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite),
                  initializing_client()->GetSrtpCipherStats(),
                  kMaxWaitForStatsMs);
@@ -1639,8 +1619,7 @@
 
 // Test that DTLS 1.0 is used if the initator supports DTLS 1.0 and the
 // received supports 1.2.
-// Disabled due to new BoringSSLL version, see  webrtc:5634
-TEST_F(P2PTestConductor, DISABLED_GetDtls12Recv) {
+TEST_F(P2PTestConductor, GetDtls12Recv) {
   PeerConnectionFactory::Options init_options;
   init_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_10;
   PeerConnectionFactory::Options recv_options;
@@ -1652,16 +1631,10 @@
   initializing_client()->pc()->RegisterUMAObserver(init_observer);
   LocalP2PTest();
 
-  EXPECT_EQ_WAIT(rtc::SSLStreamAdapter::SslCipherSuiteToName(
-                     rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
-                         rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)),
-                 initializing_client()->GetDtlsCipherStats(),
-                 kMaxWaitForStatsMs);
-  EXPECT_EQ(1, init_observer->GetEnumCounter(
-                   webrtc::kEnumCounterAudioSslCipher,
-                   rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
-                       rtc::SSL_PROTOCOL_DTLS_10, rtc::KT_DEFAULT)));
-
+  EXPECT_TRUE_WAIT(
+      rtc::SSLStreamAdapter::IsAcceptableCipher(
+          initializing_client()->GetDtlsCipherStats(), rtc::KT_DEFAULT),
+      kMaxWaitForStatsMs);
   EXPECT_EQ_WAIT(rtc::SrtpCryptoSuiteToName(kDefaultSrtpCryptoSuite),
                  initializing_client()->GetSrtpCipherStats(),
                  kMaxWaitForStatsMs);
commit	43166b8adf749c6672eca0cd4a39399cf27d4761	[log] [tgz]
author	torbjorng <torbjorng@webrtc.org>	Fri Mar 11 08:06:47 2016
committer	Commit bot <commit-bot@chromium.org>	Fri Mar 11 08:06:55 2016
tree	ba54717954e0e7cb202ef67738b976f3fc73d2b1
parent	737f4b8d12a44909814f8f481579a2e88adc834e [diff] [blame]