generic-library/webrtc
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Make maximum SSL version configurable through PeerConnectionFactory::Options

Browse Source 
This can be used to activate DTLS 1.2 through a command-line flag from Chromium
later.

BUG=chromium:428343
R=jiayl@webrtc.org, juberti@google.com

Review URL: https://webrtc-codereview.appspot.com/54509004

Cr-Commit-Position: refs/heads/master@{#9328}
This commit is contained in:
Joachim Bauch 2015-05-29 09:40:39 +02:00
parent cc84649389
commit 04e5b49827
11 changed files with 140 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
talk/app/webrtc/peerconnection_unittest.cc
View File

@ -82,6 +82,7 @@ using webrtc::MockDataChannelObserver;
using webrtc::MockSetSessionDescriptionObserver; using webrtc::MockSetSessionDescriptionObserver;
using webrtc::MockStatsObserver; using webrtc::MockStatsObserver;
using webrtc::PeerConnectionInterface; using webrtc::PeerConnectionInterface;
using webrtc::PeerConnectionFactory;
using webrtc::SessionDescriptionInterface; using webrtc::SessionDescriptionInterface;
using webrtc::StreamCollectionInterface; using webrtc::StreamCollectionInterface;
@ -501,7 +502,8 @@ class PeerConnectionTestClientBase
video_decoder_factory_enabled_(false), video_decoder_factory_enabled_(false),
signaling_message_receiver_(NULL) { signaling_message_receiver_(NULL) {
} }
bool Init(const MediaConstraintsInterface* constraints) { bool Init(const MediaConstraintsInterface* constraints,
const PeerConnectionFactory::Options* options) {
EXPECT_TRUE(!peer_connection_); EXPECT_TRUE(!peer_connection_);
EXPECT_TRUE(!peer_connection_factory_); EXPECT_TRUE(!peer_connection_factory_);
allocator_factory_ = webrtc::FakePortAllocatorFactory::Create(); allocator_factory_ = webrtc::FakePortAllocatorFactory::Create();
@ -523,6 +525,9 @@ class PeerConnectionTestClientBase
if (!peer_connection_factory_) { if (!peer_connection_factory_) {
return false; return false;
} }
if (options) {
peer_connection_factory_->SetOptions(*options);
}
peer_connection_ = CreatePeerConnection(allocator_factory_.get(), peer_connection_ = CreatePeerConnection(allocator_factory_.get(),
constraints); constraints);
return peer_connection_.get() != NULL; return peer_connection_.get() != NULL;
@ -619,9 +624,10 @@ class JsepTestClient
public: public:
static JsepTestClient* CreateClient( static JsepTestClient* CreateClient(
const std::string& id, const std::string& id,
const MediaConstraintsInterface* constraints) { const MediaConstraintsInterface* constraints,
const PeerConnectionFactory::Options* options) {
JsepTestClient* client(new JsepTestClient(id)); JsepTestClient* client(new JsepTestClient(id));
if (!client->Init(constraints)) { if (!client->Init(constraints, options)) {
delete client; delete client;
return NULL; return NULL;
} }
@ -967,10 +973,19 @@ class P2PTestConductor : public testing::Test {
bool CreateTestClients(MediaConstraintsInterface* init_constraints, bool CreateTestClients(MediaConstraintsInterface* init_constraints,
MediaConstraintsInterface* recv_constraints) { MediaConstraintsInterface* recv_constraints) {
return CreateTestClients(init_constraints, NULL, recv_constraints, NULL);
}
bool CreateTestClients(MediaConstraintsInterface* init_constraints,
PeerConnectionFactory::Options* init_options,
MediaConstraintsInterface* recv_constraints,
PeerConnectionFactory::Options* recv_options) {
initiating_client_.reset(SignalingClass::CreateClient("Caller: ", initiating_client_.reset(SignalingClass::CreateClient("Caller: ",
init_constraints)); init_constraints,
init_options));
receiving_client_.reset(SignalingClass::CreateClient("Callee: ", receiving_client_.reset(SignalingClass::CreateClient("Callee: ",
recv_constraints)); recv_constraints,
recv_options));
if (!initiating_client_ || !receiving_client_) { if (!initiating_client_ || !receiving_client_) {
return false; return false;
} }
@ -1307,13 +1322,77 @@ TEST_F(JsepPeerConnectionP2PTestClient, GetBytesSentStats) {
kMaxWaitForStatsMs); kMaxWaitForStatsMs);
} }
// Test that we can get negotiated ciphers. // Test that DTLS 1.0 is used if both sides only support DTLS 1.0.
TEST_F(JsepPeerConnectionP2PTestClient, GetNegotiatedCiphersStats) { TEST_F(JsepPeerConnectionP2PTestClient, GetDtls12None) {
ASSERT_TRUE(CreateTestClients()); PeerConnectionFactory::Options init_options;
init_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_10;
PeerConnectionFactory::Options recv_options;
recv_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_10;
ASSERT_TRUE(CreateTestClients(NULL, &init_options, NULL, &recv_options));
LocalP2PTest();
EXPECT_EQ_WAIT(
rtc::SSLStreamAdapter::GetDefaultSslCipher(rtc::SSL_PROTOCOL_DTLS_10),
initializing_client()->GetDtlsCipherStats(),
kMaxWaitForStatsMs);
EXPECT_EQ_WAIT(
kDefaultSrtpCipher,
initializing_client()->GetSrtpCipherStats(),
kMaxWaitForStatsMs);
}
// Test that DTLS 1.2 is used if both ends support it.
TEST_F(JsepPeerConnectionP2PTestClient, GetDtls12Both) {
PeerConnectionFactory::Options init_options;
init_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_12;
PeerConnectionFactory::Options recv_options;
recv_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_12;
ASSERT_TRUE(CreateTestClients(NULL, &init_options, NULL, &recv_options));
LocalP2PTest();
EXPECT_EQ_WAIT(
rtc::SSLStreamAdapter::GetDefaultSslCipher(rtc::SSL_PROTOCOL_DTLS_12),
initializing_client()->GetDtlsCipherStats(),
kMaxWaitForStatsMs);
EXPECT_EQ_WAIT(
kDefaultSrtpCipher,
initializing_client()->GetSrtpCipherStats(),
kMaxWaitForStatsMs);
}
// Test that DTLS 1.0 is used if the initator supports DTLS 1.2 and the
// received supports 1.0.
TEST_F(JsepPeerConnectionP2PTestClient, GetDtls12Init) {
PeerConnectionFactory::Options init_options;
init_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_12;
PeerConnectionFactory::Options recv_options;
recv_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_10;
ASSERT_TRUE(CreateTestClients(NULL, &init_options, NULL, &recv_options));
LocalP2PTest();
EXPECT_EQ_WAIT(
rtc::SSLStreamAdapter::GetDefaultSslCipher(rtc::SSL_PROTOCOL_DTLS_10),
initializing_client()->GetDtlsCipherStats(),
kMaxWaitForStatsMs);
EXPECT_EQ_WAIT(
kDefaultSrtpCipher,
initializing_client()->GetSrtpCipherStats(),
kMaxWaitForStatsMs);
}
// Test that DTLS 1.0 is used if the initator supports DTLS 1.0 and the
// received supports 1.2.
TEST_F(JsepPeerConnectionP2PTestClient, GetDtls12Recv) {
PeerConnectionFactory::Options init_options;
init_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_10;
PeerConnectionFactory::Options recv_options;
recv_options.ssl_max_version = rtc::SSL_PROTOCOL_DTLS_12;
ASSERT_TRUE(CreateTestClients(NULL, &init_options, NULL, &recv_options));
LocalP2PTest(); LocalP2PTest();
// TODO(jbauch): this should check for DTLS 1.0 / 1.2 when we have a way to
// enable DTLS 1.2 on peer connections.
EXPECT_EQ_WAIT( EXPECT_EQ_WAIT(
rtc::SSLStreamAdapter::GetDefaultSslCipher(rtc::SSL_PROTOCOL_DTLS_10), rtc::SSLStreamAdapter::GetDefaultSslCipher(rtc::SSL_PROTOCOL_DTLS_10),
initializing_client()->GetDtlsCipherStats(), initializing_client()->GetDtlsCipherStats(),

9
talk/app/webrtc/peerconnectioninterface.h
View File

@ -79,6 +79,7 @@
#include "talk/app/webrtc/umametrics.h" #include "talk/app/webrtc/umametrics.h"
#include "webrtc/base/fileutils.h" #include "webrtc/base/fileutils.h"
#include "webrtc/base/network.h" #include "webrtc/base/network.h"
#include "webrtc/base/sslstreamadapter.h"
#include "webrtc/base/socketaddress.h" #include "webrtc/base/socketaddress.h"
namespace rtc { namespace rtc {
@ -518,7 +519,8 @@ class PeerConnectionFactoryInterface : public rtc::RefCountInterface {
Options() : Options() :
disable_encryption(false), disable_encryption(false),
disable_sctp_data_channels(false), disable_sctp_data_channels(false),
network_ignore_mask(rtc::kDefaultNetworkIgnoreMask) { network_ignore_mask(rtc::kDefaultNetworkIgnoreMask),
ssl_max_version(rtc::SSL_PROTOCOL_DTLS_10) {
} }
bool disable_encryption; bool disable_encryption;
bool disable_sctp_data_channels; bool disable_sctp_data_channels;
@ -527,6 +529,11 @@ class PeerConnectionFactoryInterface : public rtc::RefCountInterface {
// ADAPTER_TYPE_ETHERNET | ADAPTER_TYPE_LOOPBACK will ignore Ethernet and // ADAPTER_TYPE_ETHERNET | ADAPTER_TYPE_LOOPBACK will ignore Ethernet and
// loopback interfaces. // loopback interfaces.
int network_ignore_mask; int network_ignore_mask;
// Sets the maximum supported protocol version. The highest version
// supported by both ends will be used for the connection, i.e. if one
// party supports DTLS 1.0 and the other DTLS 1.2, DTLS 1.0 will be used.
rtc::SSLProtocolVersion ssl_max_version;
}; };
virtual void SetOptions(const Options& options) = 0; virtual void SetOptions(const Options& options) = 0;

1
talk/app/webrtc/webrtcsession.cc
View File

@ -524,6 +524,7 @@ bool WebRtcSession::Initialize(
const PeerConnectionInterface::RTCConfiguration& rtc_configuration) { const PeerConnectionInterface::RTCConfiguration& rtc_configuration) {
bundle_policy_ = rtc_configuration.bundle_policy; bundle_policy_ = rtc_configuration.bundle_policy;
rtcp_mux_policy_ = rtc_configuration.rtcp_mux_policy; rtcp_mux_policy_ = rtc_configuration.rtcp_mux_policy;
SetSslMaxProtocolVersion(options.ssl_max_version);
// TODO(perkj): Take |constraints| into consideration. Return false if not all // TODO(perkj): Take |constraints| into consideration. Return false if not all
// mandatory constraints can be fulfilled. Note that |constraints| // mandatory constraints can be fulfilled. Note that |constraints|

13
webrtc/p2p/base/dtlstransport.h
View File

@ -33,7 +33,8 @@ class DtlsTransport : public Base {
rtc::SSLIdentity* identity) rtc::SSLIdentity* identity)
: Base(signaling_thread, worker_thread, content_name, allocator), : Base(signaling_thread, worker_thread, content_name, allocator),
identity_(identity), identity_(identity),
secure_role_(rtc::SSL_CLIENT) { secure_role_(rtc::SSL_CLIENT),
ssl_max_version_(rtc::SSL_PROTOCOL_DTLS_10) {
} }
~DtlsTransport() { ~DtlsTransport() {
@ -50,6 +51,11 @@ class DtlsTransport : public Base {
return true; return true;
} }
virtual bool SetSslMaxProtocolVersion_w(rtc::SSLProtocolVersion version) {
ssl_max_version_ = version;
return true;
}
virtual bool ApplyLocalTransportDescription_w(TransportChannelImpl* channel, virtual bool ApplyLocalTransportDescription_w(TransportChannelImpl* channel,
std::string* error_desc) { std::string* error_desc) {
rtc::SSLFingerprint* local_fp = rtc::SSLFingerprint* local_fp =
@ -189,8 +195,10 @@ class DtlsTransport : public Base {
} }
virtual DtlsTransportChannelWrapper* CreateTransportChannel(int component) { virtual DtlsTransportChannelWrapper* CreateTransportChannel(int component) {
return new DtlsTransportChannelWrapper( DtlsTransportChannelWrapper* channel = new DtlsTransportChannelWrapper(
this, Base::CreateTransportChannel(component)); this, Base::CreateTransportChannel(component));
channel->SetSslMaxProtocolVersion(ssl_max_version_);
return channel;
} }
virtual void DestroyTransportChannel(TransportChannelImpl* channel) { virtual void DestroyTransportChannel(TransportChannelImpl* channel) {
@ -231,6 +239,7 @@ class DtlsTransport : public Base {
rtc::SSLIdentity* identity_; rtc::SSLIdentity* identity_;
rtc::SSLRole secure_role_; rtc::SSLRole secure_role_;
rtc::SSLProtocolVersion ssl_max_version_;
rtc::scoped_ptr<rtc::SSLFingerprint> remote_fingerprint_; rtc::scoped_ptr<rtc::SSLFingerprint> remote_fingerprint_;
}; };

5
webrtc/p2p/base/dtlstransportchannel.cc
View File

@ -163,15 +163,16 @@ bool DtlsTransportChannelWrapper::GetLocalIdentity(
return true; return true;
} }
void DtlsTransportChannelWrapper::SetMaxProtocolVersion( bool DtlsTransportChannelWrapper::SetSslMaxProtocolVersion(
rtc::SSLProtocolVersion version) { rtc::SSLProtocolVersion version) {
if (dtls_state_ != STATE_NONE) { if (dtls_state_ != STATE_NONE) {
LOG(LS_ERROR) << "Not changing max. protocol version " LOG(LS_ERROR) << "Not changing max. protocol version "
<< "while DTLS is negotiating"; << "while DTLS is negotiating";
return; return false;
} }
ssl_max_version_ = version; ssl_max_version_ = version;
return true;
} }
bool DtlsTransportChannelWrapper::SetSslRole(rtc::SSLRole role) { bool DtlsTransportChannelWrapper::SetSslRole(rtc::SSLRole role) {

2
webrtc/p2p/base/dtlstransportchannel.h
View File

@ -129,7 +129,7 @@ class DtlsTransportChannelWrapper : public TransportChannelImpl {
return channel_->SessionId(); return channel_->SessionId();
} }
virtual void SetMaxProtocolVersion(rtc::SSLProtocolVersion version); virtual bool SetSslMaxProtocolVersion(rtc::SSLProtocolVersion version);
// Set up the ciphers to use for DTLS-SRTP. If this method is not called // Set up the ciphers to use for DTLS-SRTP. If this method is not called
// before DTLS starts, or |ciphers| is empty, SRTP keys won't be negotiated. // before DTLS starts, or |ciphers| is empty, SRTP keys won't be negotiated.

2
webrtc/p2p/base/dtlstransportchannel_unittest.cc
View File

@ -90,7 +90,7 @@ class DtlsTestClient : public sigslot::has_slots<> {
static_cast<cricket::DtlsTransportChannelWrapper*>( static_cast<cricket::DtlsTransportChannelWrapper*>(
transport_->CreateChannel(i)); transport_->CreateChannel(i));
ASSERT_TRUE(channel != NULL); ASSERT_TRUE(channel != NULL);
channel->SetMaxProtocolVersion(ssl_max_version_); channel->SetSslMaxProtocolVersion(ssl_max_version_);
channel->SignalWritableState.connect(this, channel->SignalWritableState.connect(this,
&DtlsTestClient::OnTransportChannelWritableState); &DtlsTestClient::OnTransportChannelWritableState);
channel->SignalReadPacket.connect(this, channel->SignalReadPacket.connect(this,

11
webrtc/p2p/base/session.cc
View File

@ -342,6 +342,7 @@ BaseSession::BaseSession(rtc::Thread* signaling_thread,
transport_type_(NS_GINGLE_P2P), transport_type_(NS_GINGLE_P2P),
initiator_(initiator), initiator_(initiator),
identity_(NULL), identity_(NULL),
ssl_max_version_(rtc::SSL_PROTOCOL_DTLS_10),
ice_tiebreaker_(rtc::CreateRandomId64()), ice_tiebreaker_(rtc::CreateRandomId64()),
role_switch_(false) { role_switch_(false) {
ASSERT(signaling_thread->IsCurrent()); ASSERT(signaling_thread->IsCurrent());
@ -404,6 +405,15 @@ bool BaseSession::SetIdentity(rtc::SSLIdentity* identity) {
return true; return true;
} }
bool BaseSession::SetSslMaxProtocolVersion(rtc::SSLProtocolVersion version) {
if (state_ != STATE_INIT) {
return false;
}
ssl_max_version_ = version;
return true;
}
bool BaseSession::PushdownTransportDescription(ContentSource source, bool BaseSession::PushdownTransportDescription(ContentSource source,
ContentAction action, ContentAction action,
std::string* error_desc) { std::string* error_desc) {
@ -501,6 +511,7 @@ TransportProxy* BaseSession::GetOrCreateTransportProxy(
Transport* transport = CreateTransport(content_name); Transport* transport = CreateTransport(content_name);
transport->SetIceRole(initiator_ ? ICEROLE_CONTROLLING : ICEROLE_CONTROLLED); transport->SetIceRole(initiator_ ? ICEROLE_CONTROLLING : ICEROLE_CONTROLLED);
transport->SetIceTiebreaker(ice_tiebreaker_); transport->SetIceTiebreaker(ice_tiebreaker_);
transport->SetSslMaxProtocolVersion(ssl_max_version_);
// TODO: Connect all the Transport signals to TransportProxy // TODO: Connect all the Transport signals to TransportProxy
// then to the BaseSession. // then to the BaseSession.
transport->SignalConnecting.connect( transport->SignalConnecting.connect(

3
webrtc/p2p/base/session.h
View File

@ -323,6 +323,8 @@ class BaseSession : public sigslot::has_slots<>,
// Specifies the identity to use in this session. // Specifies the identity to use in this session.
bool SetIdentity(rtc::SSLIdentity* identity); bool SetIdentity(rtc::SSLIdentity* identity);
bool SetSslMaxProtocolVersion(rtc::SSLProtocolVersion version);
bool PushdownTransportDescription(ContentSource source, bool PushdownTransportDescription(ContentSource source,
ContentAction action, ContentAction action,
std::string* error_desc); std::string* error_desc);
@ -445,6 +447,7 @@ class BaseSession : public sigslot::has_slots<>,
const std::string transport_type_; const std::string transport_type_;
bool initiator_; bool initiator_;
rtc::SSLIdentity* identity_; rtc::SSLIdentity* identity_;
rtc::SSLProtocolVersion ssl_max_version_;
rtc::scoped_ptr<const SessionDescription> local_description_; rtc::scoped_ptr<const SessionDescription> local_description_;
rtc::scoped_ptr<SessionDescription> remote_description_; rtc::scoped_ptr<SessionDescription> remote_description_;
uint64 ice_tiebreaker_; uint64 ice_tiebreaker_;

5
webrtc/p2p/base/transport.cc
View File

@ -458,6 +458,11 @@ bool Transport::GetSslRole(rtc::SSLRole* ssl_role) const {
&Transport::GetSslRole_w, this, ssl_role)); &Transport::GetSslRole_w, this, ssl_role));
} }
bool Transport::SetSslMaxProtocolVersion(rtc::SSLProtocolVersion version) {
return worker_thread_->Invoke<bool>(Bind(
&Transport::SetSslMaxProtocolVersion_w, this, version));
}
void Transport::OnRemoteCandidates(const std::vector<Candidate>& candidates) { void Transport::OnRemoteCandidates(const std::vector<Candidate>& candidates) {
for (std::vector<Candidate>::const_iterator iter = candidates.begin(); for (std::vector<Candidate>::const_iterator iter = candidates.begin();
iter != candidates.end(); iter != candidates.end();

7
webrtc/p2p/base/transport.h
View File

@ -264,6 +264,9 @@ class Transport : public rtc::MessageHandler,
virtual bool GetSslRole(rtc::SSLRole* ssl_role) const; virtual bool GetSslRole(rtc::SSLRole* ssl_role) const;
// Must be called before channel is starting to connect.
virtual bool SetSslMaxProtocolVersion(rtc::SSLProtocolVersion version);
protected: protected:
// These are called by Create/DestroyChannel above in order to create or // These are called by Create/DestroyChannel above in order to create or
// destroy the appropriate type of channel. // destroy the appropriate type of channel.
@ -320,6 +323,10 @@ class Transport : public rtc::MessageHandler,
return false; return false;
} }
virtual bool SetSslMaxProtocolVersion_w(rtc::SSLProtocolVersion version) {
return false;
}
private: private:
struct ChannelMapEntry { struct ChannelMapEntry {
ChannelMapEntry() : impl_(NULL), candidates_allocated_(false), ref_(0) {} ChannelMapEntry() : impl_(NULL), candidates_allocated_(false), ref_(0) {}