Remove more (D)TLS1.0 legacy code
keeping around the DTLS 1.0 constant for unit tests.
BUG=webrtc:40644300
Change-Id: I6d0c3ba1f434bbf3ef1a1b812aeef26943dcf646
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/352530
Reviewed-by: Florent Castelli <orphis@webrtc.org>
Commit-Queue: Philipp Hancke <phancke@meta.com>
Reviewed-by: Harald Alvestrand <hta@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#42471}
diff --git a/rtc_base/openssl_stream_adapter.h b/rtc_base/openssl_stream_adapter.h
index c3558b3..2620989 100644
--- a/rtc_base/openssl_stream_adapter.h
+++ b/rtc_base/openssl_stream_adapter.h
@@ -107,8 +107,8 @@
static std::string SslCipherSuiteToName(int crypto_suite);
bool GetSslCipherSuite(int* cipher) override;
-
- SSLProtocolVersion GetSslVersion() const override;
+ [[deprecated("Use GetSslVersionBytes")]] SSLProtocolVersion GetSslVersion()
+ const override;
bool GetSslVersionBytes(int* version) const override;
// Key Extractor interface
bool ExportKeyingMaterial(absl::string_view label,
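Review bot: The `[[deprecated("Use GetSslVersionBytes")]]` attribute on `GetSslVersion()` gives no reason and no removal plan, and the same holds for the pure-virtual declaration in rtc_base/ssl_stream_adapter.h. The enum in that header gives `SSL_PROTOCOL_TLS_11` and `SSL_PROTOCOL_DTLS_10` the same value, so the enum getter cannot say which one was negotiated, whereas the bytes getter reports the 2-byte protocol version. A comment above both declarations would record this and tie the deprecation to the bug this commit already names, for example `// Deprecated: the enum cannot distinguish TLS 1.1 from DTLS 1.0. TODO(bugs.webrtc.org/40644300): remove once callers use GetSslVersionBytes().`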
diff --git a/rtc_base/ssl_stream_adapter.h b/rtc_base/ssl_stream_adapter.h
index 701cc44..bd69be7 100644
--- a/rtc_base/ssl_stream_adapter.h
+++ b/rtc_base/ssl_stream_adapter.h
@@ -90,17 +90,13 @@
enum SSLRole { SSL_CLIENT, SSL_SERVER };
enum SSLMode { SSL_MODE_TLS, SSL_MODE_DTLS };
-// Note: TLS_10, TLS_11, and DTLS_10 will all be ignored, and only DTLS1_2 will
-// be accepted unless the trial flag WebRTC-LegacyTlsProtocols/Enabled/ is
-// passed in or an explicit override is used. Support for the legacy protocol
-// versions will be completely removed in the future.
-// See https://bugs.webrtc.org/10261.
+// TODO bugs.webrtc.org/40644300 remove unused legacy constants.
enum SSLProtocolVersion {
SSL_PROTOCOL_NOT_GIVEN = -1,
- SSL_PROTOCOL_TLS_10 = 0,
- SSL_PROTOCOL_TLS_11,
- SSL_PROTOCOL_TLS_12,
- SSL_PROTOCOL_DTLS_10 = SSL_PROTOCOL_TLS_11,
+ SSL_PROTOCOL_TLS_10 = 0, // Deprecated and no longer supported.
+ SSL_PROTOCOL_TLS_11 = 1, // Deprecated and no longer supported.
+ SSL_PROTOCOL_TLS_12 = 2,
+ SSL_PROTOCOL_DTLS_10 = 1, // Deprecated and no longer supported.
SSL_PROTOCOL_DTLS_12 = SSL_PROTOCOL_TLS_12,
};
enum class SSLPeerCertificateDigestError {
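Review bot: The new comment above `enum SSLProtocolVersion` no longer says what happens when a caller passes one of the retained legacy values. The removed text said TLS_10, TLS_11 and DTLS_10 were ignored and only DTLS 1.2 accepted, while the per-enumerator comments now say only "Deprecated and no longer supported". Because the constants still compile, the header should state the outcome, for example `// Legacy values are kept for source compatibility only; passing one is <ignored | rejected>.`, with the placeholder filled in from the setters, which are outside this hunk. `SSL_PROTOCOL_DTLS_10 = 1` also now repeats the value of `SSL_PROTOCOL_TLS_11` as a bare literal, so a short `// same value as SSL_PROTOCOL_TLS_11 on purpose` would stop the two drifting apart.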
@@ -198,7 +194,8 @@
// Retrieves the enum value for SSL version.
// Will return -1 until the version has been negotiated.
- virtual SSLProtocolVersion GetSslVersion() const = 0;
+ [[deprecated("Use GetSslVersionBytes")]] virtual SSLProtocolVersion
+ GetSslVersion() const = 0;
// Retrieves the 2-byte version from the TLS protocol.
// Will return false until the version has been negotiated.
virtual bool GetSslVersionBytes(int* version) const = 0;
diff --git a/rtc_base/ssl_stream_adapter_unittest.cc b/rtc_base/ssl_stream_adapter_unittest.cc
index 6970af6..12e311d 100644
--- a/rtc_base/ssl_stream_adapter_unittest.cc
+++ b/rtc_base/ssl_stream_adapter_unittest.cc
@@ -768,11 +768,11 @@
return server_ssl_->GetSslCipherSuite(retval);
}
- int GetSslVersion(bool client) {
+ bool GetSslVersionBytes(bool client, int* version) {
if (client)
- return client_ssl_->GetSslVersion();
+ return client_ssl_->GetSslVersionBytes(version);
else
- return server_ssl_->GetSslVersion();
+ return server_ssl_->GetSslVersionBytes(version);
}
bool ExportKeyingMaterial(absl::string_view label,
@@ -1604,23 +1604,20 @@
ASSERT_EQ(kCERT_PEM, server_peer_cert->ToPEMString());
}
-// Test getting the used DTLS 1.2 ciphers.
-// DTLS 1.2 enabled for client and server -> DTLS 1.2 will be used.
-TEST_P(SSLStreamAdapterTestDTLS, TestGetSslCipherSuiteDtls12Both) {
+// Test getting the DTLS 1.2 version.
+TEST_P(SSLStreamAdapterTestDTLS, TestGetSslVersionBytes) {
+ // https://datatracker.ietf.org/doc/html/rfc9147#section-5.3
+ const int kDtls1_2 = 0xFEFD;
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12);
TestHandshake();
- int client_cipher;
- ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
- int server_cipher;
- ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
+ int client_version;
+ ASSERT_TRUE(GetSslVersionBytes(true, &client_version));
+ EXPECT_EQ(client_version, kDtls1_2);
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(true));
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(false));
-
- ASSERT_EQ(client_cipher, server_cipher);
- ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher(
- server_cipher, ::testing::get<1>(GetParam()).type()));
+ int server_version;
+ ASSERT_TRUE(GetSslVersionBytes(false, &server_version));
+ EXPECT_EQ(server_version, kDtls1_2);
}
// Test getting the used DTLS ciphers.
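Review bot: `TestGetSslVersionBytes` pins only the positive case, where both sides are configured for `rtc::SSL_PROTOCOL_DTLS_12` and report 0xFEFD. Nothing in this hunk checks what the bytes getter reports when the retained `rtc::SSL_PROTOCOL_DTLS_10` constant is requested. If that is not already covered elsewhere in the file, a sibling test along the lines below would guard against a version-downgrade regression for as long as the legacy constants exist. The expected outcome shown here follows the removed header comment, which said the legacy values are ignored, and should be confirmed against the implementation. Initializing the out-parameters (`int client_version = 0;`) also keeps a failure message meaningful if the getter returns true without writing.

```cpp
// Constructed example; confirm the expected outcome against the implementation.
TEST_P(SSLStreamAdapterTestDTLS, TestGetSslVersionBytesLegacyConstant) {
  const int kDtls1_2 = 0xFEFD;
  SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
  TestHandshake();

  int client_version = 0;
  ASSERT_TRUE(GetSslVersionBytes(true, &client_version));
  EXPECT_EQ(client_version, kDtls1_2);

  int server_version = 0;
  ASSERT_TRUE(GetSslVersionBytes(false, &server_version));
  EXPECT_EQ(server_version, kDtls1_2);
}
```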
@@ -1634,9 +1631,6 @@
int server_cipher;
ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(true));
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(false));
-
ASSERT_EQ(client_cipher, server_cipher);
ASSERT_TRUE(rtc::SSLStreamAdapter::IsAcceptableCipher(
server_cipher, ::testing::get<1>(GetParam()).type()));