1 /*
2  *  Copyright 2011 The WebRTC Project Authors. All rights reserved.
3  *
4  *  Use of this source code is governed by a BSD-style license
5  *  that can be found in the LICENSE file in the root of the source
6  *  tree. An additional intellectual property rights grant can be found
7  *  in the file PATENTS.  All contributing project authors may
8  *  be found in the AUTHORS file in the root of the source tree.
9  */
10 
11 #include <set>
12 
13 #include "webrtc/p2p/base/dtlstransport.h"
14 #include "webrtc/p2p/base/faketransportcontroller.h"
15 #include "webrtc/base/common.h"
16 #include "webrtc/base/dscp.h"
17 #include "webrtc/base/gunit.h"
18 #include "webrtc/base/helpers.h"
19 #include "webrtc/base/scoped_ptr.h"
20 #include "webrtc/base/ssladapter.h"
21 #include "webrtc/base/sslidentity.h"
22 #include "webrtc/base/sslstreamadapter.h"
23 #include "webrtc/base/stringutils.h"
24 
25 #define MAYBE_SKIP_TEST(feature)                    \
26   if (!(rtc::SSLStreamAdapter::feature())) {  \
27     LOG(LS_INFO) << "Feature disabled... skipping"; \
28     return;                                         \
29   }
30 
31 static const char kIceUfrag1[] = "TESTICEUFRAG0001";
32 static const char kIcePwd1[] = "TESTICEPWD00000000000001";
33 static const size_t kPacketNumOffset = 8;
34 static const size_t kPacketHeaderLen = 12;
35 static const int kFakePacketId = 0x1234;
36 
IsRtpLeadByte(uint8_t b)37 static bool IsRtpLeadByte(uint8_t b) {
38   return ((b & 0xC0) == 0x80);
39 }
40 
41 using cricket::ConnectionRole;
42 
43 enum Flags { NF_REOFFER = 0x1, NF_EXPECT_FAILURE = 0x2 };
44 
45 class DtlsTestClient : public sigslot::has_slots<> {
46  public:
DtlsTestClient(const std::string & name)47   DtlsTestClient(const std::string& name)
48       : name_(name),
49         packet_size_(0),
50         use_dtls_srtp_(false),
51         ssl_max_version_(rtc::SSL_PROTOCOL_DTLS_12),
52         negotiated_dtls_(false),
53         received_dtls_client_hello_(false),
54         received_dtls_server_hello_(false) {}
CreateCertificate(rtc::KeyType key_type)55   void CreateCertificate(rtc::KeyType key_type) {
56     certificate_ =
57         rtc::RTCCertificate::Create(rtc::scoped_ptr<rtc::SSLIdentity>(
58             rtc::SSLIdentity::Generate(name_, key_type)));
59   }
certificate()60   const rtc::scoped_refptr<rtc::RTCCertificate>& certificate() {
61     return certificate_;
62   }
SetupSrtp()63   void SetupSrtp() {
64     ASSERT(certificate_);
65     use_dtls_srtp_ = true;
66   }
SetupMaxProtocolVersion(rtc::SSLProtocolVersion version)67   void SetupMaxProtocolVersion(rtc::SSLProtocolVersion version) {
68     ASSERT(!transport_);
69     ssl_max_version_ = version;
70   }
SetupChannels(int count,cricket::IceRole role)71   void SetupChannels(int count, cricket::IceRole role) {
72     transport_.reset(new cricket::DtlsTransport<cricket::FakeTransport>(
73         "dtls content name", nullptr, certificate_));
74     transport_->SetAsync(true);
75     transport_->SetIceRole(role);
76     transport_->SetIceTiebreaker(
77         (role == cricket::ICEROLE_CONTROLLING) ? 1 : 2);
78 
79     for (int i = 0; i < count; ++i) {
80       cricket::DtlsTransportChannelWrapper* channel =
81           static_cast<cricket::DtlsTransportChannelWrapper*>(
82               transport_->CreateChannel(i));
83       ASSERT_TRUE(channel != NULL);
84       channel->SetSslMaxProtocolVersion(ssl_max_version_);
85       channel->SignalWritableState.connect(this,
86         &DtlsTestClient::OnTransportChannelWritableState);
87       channel->SignalReadPacket.connect(this,
88         &DtlsTestClient::OnTransportChannelReadPacket);
89       channel->SignalSentPacket.connect(
90           this, &DtlsTestClient::OnTransportChannelSentPacket);
91       channels_.push_back(channel);
92 
93       // Hook the raw packets so that we can verify they are encrypted.
94       channel->channel()->SignalReadPacket.connect(
95           this, &DtlsTestClient::OnFakeTransportChannelReadPacket);
96     }
97   }
98 
transport()99   cricket::Transport* transport() { return transport_.get(); }
100 
GetFakeChannel(int component)101   cricket::FakeTransportChannel* GetFakeChannel(int component) {
102     cricket::TransportChannelImpl* ch = transport_->GetChannel(component);
103     cricket::DtlsTransportChannelWrapper* wrapper =
104         static_cast<cricket::DtlsTransportChannelWrapper*>(ch);
105     return (wrapper) ?
106         static_cast<cricket::FakeTransportChannel*>(wrapper->channel()) : NULL;
107   }
108 
109   // Offer DTLS if we have an identity; pass in a remote fingerprint only if
110   // both sides support DTLS.
Negotiate(DtlsTestClient * peer,cricket::ContentAction action,ConnectionRole local_role,ConnectionRole remote_role,int flags)111   void Negotiate(DtlsTestClient* peer, cricket::ContentAction action,
112                  ConnectionRole local_role, ConnectionRole remote_role,
113                  int flags) {
114     Negotiate(certificate_, certificate_ ? peer->certificate_ : nullptr, action,
115               local_role, remote_role, flags);
116   }
117 
118   // Allow any DTLS configuration to be specified (including invalid ones).
Negotiate(const rtc::scoped_refptr<rtc::RTCCertificate> & local_cert,const rtc::scoped_refptr<rtc::RTCCertificate> & remote_cert,cricket::ContentAction action,ConnectionRole local_role,ConnectionRole remote_role,int flags)119   void Negotiate(const rtc::scoped_refptr<rtc::RTCCertificate>& local_cert,
120                  const rtc::scoped_refptr<rtc::RTCCertificate>& remote_cert,
121                  cricket::ContentAction action,
122                  ConnectionRole local_role,
123                  ConnectionRole remote_role,
124                  int flags) {
125     rtc::scoped_ptr<rtc::SSLFingerprint> local_fingerprint;
126     rtc::scoped_ptr<rtc::SSLFingerprint> remote_fingerprint;
127     if (local_cert) {
128       std::string digest_algorithm;
129       ASSERT_TRUE(local_cert->ssl_certificate().GetSignatureDigestAlgorithm(
130           &digest_algorithm));
131       ASSERT_FALSE(digest_algorithm.empty());
132       local_fingerprint.reset(rtc::SSLFingerprint::Create(
133           digest_algorithm, local_cert->identity()));
134       ASSERT_TRUE(local_fingerprint.get() != NULL);
135       EXPECT_EQ(rtc::DIGEST_SHA_256, digest_algorithm);
136     }
137     if (remote_cert) {
138       std::string digest_algorithm;
139       ASSERT_TRUE(remote_cert->ssl_certificate().GetSignatureDigestAlgorithm(
140           &digest_algorithm));
141       ASSERT_FALSE(digest_algorithm.empty());
142       remote_fingerprint.reset(rtc::SSLFingerprint::Create(
143           digest_algorithm, remote_cert->identity()));
144       ASSERT_TRUE(remote_fingerprint.get() != NULL);
145       EXPECT_EQ(rtc::DIGEST_SHA_256, digest_algorithm);
146     }
147 
148     if (use_dtls_srtp_ && !(flags & NF_REOFFER)) {
149       // SRTP ciphers will be set only in the beginning.
150       for (std::vector<cricket::DtlsTransportChannelWrapper*>::iterator it =
151            channels_.begin(); it != channels_.end(); ++it) {
152         std::vector<int> ciphers;
153         ciphers.push_back(rtc::SRTP_AES128_CM_SHA1_80);
154         ASSERT_TRUE((*it)->SetSrtpCryptoSuites(ciphers));
155       }
156     }
157 
158     cricket::TransportDescription local_desc(
159         std::vector<std::string>(), kIceUfrag1, kIcePwd1, cricket::ICEMODE_FULL,
160         local_role,
161         // If remote if the offerer and has no DTLS support, answer will be
162         // without any fingerprint.
163         (action == cricket::CA_ANSWER && !remote_cert)
164             ? nullptr
165             : local_fingerprint.get(),
166         cricket::Candidates());
167 
168     cricket::TransportDescription remote_desc(
169         std::vector<std::string>(), kIceUfrag1, kIcePwd1, cricket::ICEMODE_FULL,
170         remote_role, remote_fingerprint.get(), cricket::Candidates());
171 
172     bool expect_success = (flags & NF_EXPECT_FAILURE) ? false : true;
173     // If |expect_success| is false, expect SRTD or SLTD to fail when
174     // content action is CA_ANSWER.
175     if (action == cricket::CA_OFFER) {
176       ASSERT_TRUE(transport_->SetLocalTransportDescription(
177           local_desc, cricket::CA_OFFER, NULL));
178       ASSERT_EQ(expect_success, transport_->SetRemoteTransportDescription(
179           remote_desc, cricket::CA_ANSWER, NULL));
180     } else {
181       ASSERT_TRUE(transport_->SetRemoteTransportDescription(
182           remote_desc, cricket::CA_OFFER, NULL));
183       ASSERT_EQ(expect_success, transport_->SetLocalTransportDescription(
184           local_desc, cricket::CA_ANSWER, NULL));
185     }
186     negotiated_dtls_ = (local_cert && remote_cert);
187   }
188 
Connect(DtlsTestClient * peer)189   bool Connect(DtlsTestClient* peer) {
190     transport_->ConnectChannels();
191     transport_->SetDestination(peer->transport_.get());
192     return true;
193   }
194 
all_channels_writable() const195   bool all_channels_writable() const {
196     if (channels_.empty()) {
197       return false;
198     }
199     for (cricket::DtlsTransportChannelWrapper* channel : channels_) {
200       if (!channel->writable()) {
201         return false;
202       }
203     }
204     return true;
205   }
206 
CheckRole(rtc::SSLRole role)207   void CheckRole(rtc::SSLRole role) {
208     if (role == rtc::SSL_CLIENT) {
209       ASSERT_FALSE(received_dtls_client_hello_);
210       ASSERT_TRUE(received_dtls_server_hello_);
211     } else {
212       ASSERT_TRUE(received_dtls_client_hello_);
213       ASSERT_FALSE(received_dtls_server_hello_);
214     }
215   }
216 
CheckSrtp(int expected_crypto_suite)217   void CheckSrtp(int expected_crypto_suite) {
218     for (std::vector<cricket::DtlsTransportChannelWrapper*>::iterator it =
219            channels_.begin(); it != channels_.end(); ++it) {
220       int crypto_suite;
221 
222       bool rv = (*it)->GetSrtpCryptoSuite(&crypto_suite);
223       if (negotiated_dtls_ && expected_crypto_suite) {
224         ASSERT_TRUE(rv);
225 
226         ASSERT_EQ(crypto_suite, expected_crypto_suite);
227       } else {
228         ASSERT_FALSE(rv);
229       }
230     }
231   }
232 
CheckSsl(int expected_cipher)233   void CheckSsl(int expected_cipher) {
234     for (std::vector<cricket::DtlsTransportChannelWrapper*>::iterator it =
235            channels_.begin(); it != channels_.end(); ++it) {
236       int cipher;
237 
238       bool rv = (*it)->GetSslCipherSuite(&cipher);
239       if (negotiated_dtls_ && expected_cipher) {
240         ASSERT_TRUE(rv);
241 
242         ASSERT_EQ(cipher, expected_cipher);
243       } else {
244         ASSERT_FALSE(rv);
245       }
246     }
247   }
248 
SendPackets(size_t channel,size_t size,size_t count,bool srtp)249   void SendPackets(size_t channel, size_t size, size_t count, bool srtp) {
250     ASSERT(channel < channels_.size());
251     rtc::scoped_ptr<char[]> packet(new char[size]);
252     size_t sent = 0;
253     do {
254       // Fill the packet with a known value and a sequence number to check
255       // against, and make sure that it doesn't look like DTLS.
256       memset(packet.get(), sent & 0xff, size);
257       packet[0] = (srtp) ? 0x80 : 0x00;
258       rtc::SetBE32(packet.get() + kPacketNumOffset,
259                    static_cast<uint32_t>(sent));
260 
261       // Only set the bypass flag if we've activated DTLS.
262       int flags = (certificate_ && srtp) ? cricket::PF_SRTP_BYPASS : 0;
263       rtc::PacketOptions packet_options;
264       packet_options.packet_id = kFakePacketId;
265       int rv = channels_[channel]->SendPacket(
266           packet.get(), size, packet_options, flags);
267       ASSERT_GT(rv, 0);
268       ASSERT_EQ(size, static_cast<size_t>(rv));
269       ++sent;
270     } while (sent < count);
271   }
272 
SendInvalidSrtpPacket(size_t channel,size_t size)273   int SendInvalidSrtpPacket(size_t channel, size_t size) {
274     ASSERT(channel < channels_.size());
275     rtc::scoped_ptr<char[]> packet(new char[size]);
276     // Fill the packet with 0 to form an invalid SRTP packet.
277     memset(packet.get(), 0, size);
278 
279     rtc::PacketOptions packet_options;
280     return channels_[channel]->SendPacket(
281         packet.get(), size, packet_options, cricket::PF_SRTP_BYPASS);
282   }
283 
ExpectPackets(size_t channel,size_t size)284   void ExpectPackets(size_t channel, size_t size) {
285     packet_size_ = size;
286     received_.clear();
287   }
288 
NumPacketsReceived()289   size_t NumPacketsReceived() {
290     return received_.size();
291   }
292 
VerifyPacket(const char * data,size_t size,uint32_t * out_num)293   bool VerifyPacket(const char* data, size_t size, uint32_t* out_num) {
294     if (size != packet_size_ ||
295         (data[0] != 0 && static_cast<uint8_t>(data[0]) != 0x80)) {
296       return false;
297     }
298     uint32_t packet_num = rtc::GetBE32(data + kPacketNumOffset);
299     for (size_t i = kPacketHeaderLen; i < size; ++i) {
300       if (static_cast<uint8_t>(data[i]) != (packet_num & 0xff)) {
301         return false;
302       }
303     }
304     if (out_num) {
305       *out_num = packet_num;
306     }
307     return true;
308   }
VerifyEncryptedPacket(const char * data,size_t size)309   bool VerifyEncryptedPacket(const char* data, size_t size) {
310     // This is an encrypted data packet; let's make sure it's mostly random;
311     // less than 10% of the bytes should be equal to the cleartext packet.
312     if (size <= packet_size_) {
313       return false;
314     }
315     uint32_t packet_num = rtc::GetBE32(data + kPacketNumOffset);
316     int num_matches = 0;
317     for (size_t i = kPacketNumOffset; i < size; ++i) {
318       if (static_cast<uint8_t>(data[i]) == (packet_num & 0xff)) {
319         ++num_matches;
320       }
321     }
322     return (num_matches < ((static_cast<int>(size) - 5) / 10));
323   }
324 
325   // Transport channel callbacks
OnTransportChannelWritableState(cricket::TransportChannel * channel)326   void OnTransportChannelWritableState(cricket::TransportChannel* channel) {
327     LOG(LS_INFO) << name_ << ": Channel '" << channel->component()
328                  << "' is writable";
329   }
330 
OnTransportChannelReadPacket(cricket::TransportChannel * channel,const char * data,size_t size,const rtc::PacketTime & packet_time,int flags)331   void OnTransportChannelReadPacket(cricket::TransportChannel* channel,
332                                     const char* data, size_t size,
333                                     const rtc::PacketTime& packet_time,
334                                     int flags) {
335     uint32_t packet_num = 0;
336     ASSERT_TRUE(VerifyPacket(data, size, &packet_num));
337     received_.insert(packet_num);
338     // Only DTLS-SRTP packets should have the bypass flag set.
339     int expected_flags =
340         (certificate_ && IsRtpLeadByte(data[0])) ? cricket::PF_SRTP_BYPASS : 0;
341     ASSERT_EQ(expected_flags, flags);
342   }
343 
OnTransportChannelSentPacket(cricket::TransportChannel * channel,const rtc::SentPacket & sent_packet)344   void OnTransportChannelSentPacket(cricket::TransportChannel* channel,
345                                     const rtc::SentPacket& sent_packet) {
346     sent_packet_ = sent_packet;
347   }
348 
sent_packet() const349   rtc::SentPacket sent_packet() const { return sent_packet_; }
350 
351   // Hook into the raw packet stream to make sure DTLS packets are encrypted.
OnFakeTransportChannelReadPacket(cricket::TransportChannel * channel,const char * data,size_t size,const rtc::PacketTime & time,int flags)352   void OnFakeTransportChannelReadPacket(cricket::TransportChannel* channel,
353                                         const char* data, size_t size,
354                                         const rtc::PacketTime& time,
355                                         int flags) {
356     // Flags shouldn't be set on the underlying TransportChannel packets.
357     ASSERT_EQ(0, flags);
358 
359     // Look at the handshake packets to see what role we played.
360     // Check that non-handshake packets are DTLS data or SRTP bypass.
361     if (negotiated_dtls_) {
362       if (data[0] == 22 && size > 17) {
363         if (data[13] == 1) {
364           received_dtls_client_hello_ = true;
365         } else if (data[13] == 2) {
366           received_dtls_server_hello_ = true;
367         }
368       } else if (!(data[0] >= 20 && data[0] <= 22)) {
369         ASSERT_TRUE(data[0] == 23 || IsRtpLeadByte(data[0]));
370         if (data[0] == 23) {
371           ASSERT_TRUE(VerifyEncryptedPacket(data, size));
372         } else if (IsRtpLeadByte(data[0])) {
373           ASSERT_TRUE(VerifyPacket(data, size, NULL));
374         }
375       }
376     }
377   }
378 
379  private:
380   std::string name_;
381   rtc::scoped_refptr<rtc::RTCCertificate> certificate_;
382   rtc::scoped_ptr<cricket::FakeTransport> transport_;
383   std::vector<cricket::DtlsTransportChannelWrapper*> channels_;
384   size_t packet_size_;
385   std::set<int> received_;
386   bool use_dtls_srtp_;
387   rtc::SSLProtocolVersion ssl_max_version_;
388   bool negotiated_dtls_;
389   bool received_dtls_client_hello_;
390   bool received_dtls_server_hello_;
391   rtc::SentPacket sent_packet_;
392 };
393 
394 
395 class DtlsTransportChannelTest : public testing::Test {
396  public:
DtlsTransportChannelTest()397   DtlsTransportChannelTest()
398       : client1_("P1"),
399         client2_("P2"),
400         channel_ct_(1),
401         use_dtls_(false),
402         use_dtls_srtp_(false),
403         ssl_expected_version_(rtc::SSL_PROTOCOL_DTLS_12) {}
404 
SetChannelCount(size_t channel_ct)405   void SetChannelCount(size_t channel_ct) {
406     channel_ct_ = static_cast<int>(channel_ct);
407   }
SetMaxProtocolVersions(rtc::SSLProtocolVersion c1,rtc::SSLProtocolVersion c2)408   void SetMaxProtocolVersions(rtc::SSLProtocolVersion c1,
409                               rtc::SSLProtocolVersion c2) {
410     client1_.SetupMaxProtocolVersion(c1);
411     client2_.SetupMaxProtocolVersion(c2);
412     ssl_expected_version_ = std::min(c1, c2);
413   }
PrepareDtls(bool c1,bool c2,rtc::KeyType key_type)414   void PrepareDtls(bool c1, bool c2, rtc::KeyType key_type) {
415     if (c1) {
416       client1_.CreateCertificate(key_type);
417     }
418     if (c2) {
419       client2_.CreateCertificate(key_type);
420     }
421     if (c1 && c2)
422       use_dtls_ = true;
423   }
PrepareDtlsSrtp(bool c1,bool c2)424   void PrepareDtlsSrtp(bool c1, bool c2) {
425     if (!use_dtls_)
426       return;
427 
428     if (c1)
429       client1_.SetupSrtp();
430     if (c2)
431       client2_.SetupSrtp();
432 
433     if (c1 && c2)
434       use_dtls_srtp_ = true;
435   }
436 
Connect(ConnectionRole client1_role,ConnectionRole client2_role)437   bool Connect(ConnectionRole client1_role, ConnectionRole client2_role) {
438     Negotiate(client1_role, client2_role);
439 
440     bool rv = client1_.Connect(&client2_);
441     EXPECT_TRUE(rv);
442     if (!rv)
443       return false;
444 
445     EXPECT_TRUE_WAIT(
446         client1_.all_channels_writable() && client2_.all_channels_writable(),
447         10000);
448     if (!client1_.all_channels_writable() || !client2_.all_channels_writable())
449       return false;
450 
451     // Check that we used the right roles.
452     if (use_dtls_) {
453       rtc::SSLRole client1_ssl_role =
454           (client1_role == cricket::CONNECTIONROLE_ACTIVE ||
455            (client2_role == cricket::CONNECTIONROLE_PASSIVE &&
456             client1_role == cricket::CONNECTIONROLE_ACTPASS)) ?
457               rtc::SSL_CLIENT : rtc::SSL_SERVER;
458 
459       rtc::SSLRole client2_ssl_role =
460           (client2_role == cricket::CONNECTIONROLE_ACTIVE ||
461            (client1_role == cricket::CONNECTIONROLE_PASSIVE &&
462             client2_role == cricket::CONNECTIONROLE_ACTPASS)) ?
463               rtc::SSL_CLIENT : rtc::SSL_SERVER;
464 
465       client1_.CheckRole(client1_ssl_role);
466       client2_.CheckRole(client2_ssl_role);
467     }
468 
469     // Check that we negotiated the right ciphers.
470     if (use_dtls_srtp_) {
471       client1_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_80);
472       client2_.CheckSrtp(rtc::SRTP_AES128_CM_SHA1_80);
473     } else {
474       client1_.CheckSrtp(rtc::SRTP_INVALID_CRYPTO_SUITE);
475       client2_.CheckSrtp(rtc::SRTP_INVALID_CRYPTO_SUITE);
476     }
477     client1_.CheckSsl(rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
478         ssl_expected_version_, rtc::KT_DEFAULT));
479     client2_.CheckSsl(rtc::SSLStreamAdapter::GetDefaultSslCipherForTest(
480         ssl_expected_version_, rtc::KT_DEFAULT));
481 
482     return true;
483   }
484 
Connect()485   bool Connect() {
486     // By default, Client1 will be Server and Client2 will be Client.
487     return Connect(cricket::CONNECTIONROLE_ACTPASS,
488                    cricket::CONNECTIONROLE_ACTIVE);
489   }
490 
Negotiate()491   void Negotiate() {
492     Negotiate(cricket::CONNECTIONROLE_ACTPASS, cricket::CONNECTIONROLE_ACTIVE);
493   }
494 
Negotiate(ConnectionRole client1_role,ConnectionRole client2_role)495   void Negotiate(ConnectionRole client1_role, ConnectionRole client2_role) {
496     client1_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLING);
497     client2_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLED);
498     // Expect success from SLTD and SRTD.
499     client1_.Negotiate(&client2_, cricket::CA_OFFER,
500                        client1_role, client2_role, 0);
501     client2_.Negotiate(&client1_, cricket::CA_ANSWER,
502                        client2_role, client1_role, 0);
503   }
504 
505   // Negotiate with legacy client |client2|. Legacy client doesn't use setup
506   // attributes, except NONE.
NegotiateWithLegacy()507   void NegotiateWithLegacy() {
508     client1_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLING);
509     client2_.SetupChannels(channel_ct_, cricket::ICEROLE_CONTROLLED);
510     // Expect success from SLTD and SRTD.
511     client1_.Negotiate(&client2_, cricket::CA_OFFER,
512                        cricket::CONNECTIONROLE_ACTPASS,
513                        cricket::CONNECTIONROLE_NONE, 0);
514     client2_.Negotiate(&client1_, cricket::CA_ANSWER,
515                        cricket::CONNECTIONROLE_ACTIVE,
516                        cricket::CONNECTIONROLE_NONE, 0);
517   }
518 
Renegotiate(DtlsTestClient * reoffer_initiator,ConnectionRole client1_role,ConnectionRole client2_role,int flags)519   void Renegotiate(DtlsTestClient* reoffer_initiator,
520                    ConnectionRole client1_role, ConnectionRole client2_role,
521                    int flags) {
522     if (reoffer_initiator == &client1_) {
523       client1_.Negotiate(&client2_, cricket::CA_OFFER,
524                          client1_role, client2_role, flags);
525       client2_.Negotiate(&client1_, cricket::CA_ANSWER,
526                          client2_role, client1_role, flags);
527     } else {
528       client2_.Negotiate(&client1_, cricket::CA_OFFER,
529                          client2_role, client1_role, flags);
530       client1_.Negotiate(&client2_, cricket::CA_ANSWER,
531                          client1_role, client2_role, flags);
532     }
533   }
534 
TestTransfer(size_t channel,size_t size,size_t count,bool srtp)535   void TestTransfer(size_t channel, size_t size, size_t count, bool srtp) {
536     LOG(LS_INFO) << "Expect packets, size=" << size;
537     client2_.ExpectPackets(channel, size);
538     client1_.SendPackets(channel, size, count, srtp);
539     EXPECT_EQ_WAIT(count, client2_.NumPacketsReceived(), 10000);
540   }
541 
542  protected:
543   DtlsTestClient client1_;
544   DtlsTestClient client2_;
545   int channel_ct_;
546   bool use_dtls_;
547   bool use_dtls_srtp_;
548   rtc::SSLProtocolVersion ssl_expected_version_;
549 };
550 
551 // Test that transport negotiation of ICE, no DTLS works properly.
TEST_F(DtlsTransportChannelTest,TestChannelSetupIce)552 TEST_F(DtlsTransportChannelTest, TestChannelSetupIce) {
553   Negotiate();
554   cricket::FakeTransportChannel* channel1 = client1_.GetFakeChannel(0);
555   cricket::FakeTransportChannel* channel2 = client2_.GetFakeChannel(0);
556   ASSERT_TRUE(channel1 != NULL);
557   ASSERT_TRUE(channel2 != NULL);
558   EXPECT_EQ(cricket::ICEROLE_CONTROLLING, channel1->GetIceRole());
559   EXPECT_EQ(1U, channel1->IceTiebreaker());
560   EXPECT_EQ(kIceUfrag1, channel1->ice_ufrag());
561   EXPECT_EQ(kIcePwd1, channel1->ice_pwd());
562   EXPECT_EQ(cricket::ICEROLE_CONTROLLED, channel2->GetIceRole());
563   EXPECT_EQ(2U, channel2->IceTiebreaker());
564 }
565 
566 // Connect without DTLS, and transfer some data.
TEST_F(DtlsTransportChannelTest,TestTransfer)567 TEST_F(DtlsTransportChannelTest, TestTransfer) {
568   ASSERT_TRUE(Connect());
569   TestTransfer(0, 1000, 100, false);
570 }
571 
572 // Connect without DTLS, and transfer some data.
TEST_F(DtlsTransportChannelTest,TestOnSentPacket)573 TEST_F(DtlsTransportChannelTest, TestOnSentPacket) {
574   ASSERT_TRUE(Connect());
575   EXPECT_EQ(client1_.sent_packet().send_time_ms, -1);
576   TestTransfer(0, 1000, 100, false);
577   EXPECT_EQ(kFakePacketId, client1_.sent_packet().packet_id);
578   EXPECT_GE(client1_.sent_packet().send_time_ms, 0);
579 }
580 
581 // Create two channels without DTLS, and transfer some data.
TEST_F(DtlsTransportChannelTest,TestTransferTwoChannels)582 TEST_F(DtlsTransportChannelTest, TestTransferTwoChannels) {
583   SetChannelCount(2);
584   ASSERT_TRUE(Connect());
585   TestTransfer(0, 1000, 100, false);
586   TestTransfer(1, 1000, 100, false);
587 }
588 
589 // Connect without DTLS, and transfer SRTP data.
TEST_F(DtlsTransportChannelTest,TestTransferSrtp)590 TEST_F(DtlsTransportChannelTest, TestTransferSrtp) {
591   ASSERT_TRUE(Connect());
592   TestTransfer(0, 1000, 100, true);
593 }
594 
595 // Create two channels without DTLS, and transfer SRTP data.
TEST_F(DtlsTransportChannelTest,TestTransferSrtpTwoChannels)596 TEST_F(DtlsTransportChannelTest, TestTransferSrtpTwoChannels) {
597   SetChannelCount(2);
598   ASSERT_TRUE(Connect());
599   TestTransfer(0, 1000, 100, true);
600   TestTransfer(1, 1000, 100, true);
601 }
602 
603 #if defined(MEMORY_SANITIZER)
604 // Fails under MemorySanitizer:
605 // See https://code.google.com/p/webrtc/issues/detail?id=5381.
606 #define MAYBE_TestTransferDtls DISABLED_TestTransferDtls
607 #else
608 #define MAYBE_TestTransferDtls TestTransferDtls
609 #endif
610 // Connect with DTLS, and transfer some data.
TEST_F(DtlsTransportChannelTest,MAYBE_TestTransferDtls)611 TEST_F(DtlsTransportChannelTest, MAYBE_TestTransferDtls) {
612   MAYBE_SKIP_TEST(HaveDtls);
613   PrepareDtls(true, true, rtc::KT_DEFAULT);
614   ASSERT_TRUE(Connect());
615   TestTransfer(0, 1000, 100, false);
616 }
617 
618 #if defined(MEMORY_SANITIZER)
619 // Fails under MemorySanitizer:
620 // See https://code.google.com/p/webrtc/issues/detail?id=5381.
621 #define MAYBE_TestTransferDtlsTwoChannels DISABLED_TestTransferDtlsTwoChannels
622 #else
623 #define MAYBE_TestTransferDtlsTwoChannels TestTransferDtlsTwoChannels
624 #endif
625 // Create two channels with DTLS, and transfer some data.
TEST_F(DtlsTransportChannelTest,MAYBE_TestTransferDtlsTwoChannels)626 TEST_F(DtlsTransportChannelTest, MAYBE_TestTransferDtlsTwoChannels) {
627   MAYBE_SKIP_TEST(HaveDtls);
628   SetChannelCount(2);
629   PrepareDtls(true, true, rtc::KT_DEFAULT);
630   ASSERT_TRUE(Connect());
631   TestTransfer(0, 1000, 100, false);
632   TestTransfer(1, 1000, 100, false);
633 }
634 
635 // Connect with A doing DTLS and B not, and transfer some data.
TEST_F(DtlsTransportChannelTest,TestTransferDtlsRejected)636 TEST_F(DtlsTransportChannelTest, TestTransferDtlsRejected) {
637   PrepareDtls(true, false, rtc::KT_DEFAULT);
638   ASSERT_TRUE(Connect());
639   TestTransfer(0, 1000, 100, false);
640 }
641 
642 // Connect with B doing DTLS and A not, and transfer some data.
TEST_F(DtlsTransportChannelTest,TestTransferDtlsNotOffered)643 TEST_F(DtlsTransportChannelTest, TestTransferDtlsNotOffered) {
644   PrepareDtls(false, true, rtc::KT_DEFAULT);
645   ASSERT_TRUE(Connect());
646   TestTransfer(0, 1000, 100, false);
647 }
648 
649 // Create two channels with DTLS 1.0 and check ciphers.
TEST_F(DtlsTransportChannelTest,TestDtls12None)650 TEST_F(DtlsTransportChannelTest, TestDtls12None) {
651   MAYBE_SKIP_TEST(HaveDtls);
652   SetChannelCount(2);
653   PrepareDtls(true, true, rtc::KT_DEFAULT);
654   SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
655   ASSERT_TRUE(Connect());
656 }
657 
658 #if defined(MEMORY_SANITIZER)
659 // Fails under MemorySanitizer:
660 // See https://code.google.com/p/webrtc/issues/detail?id=5381.
661 #define MAYBE_TestDtls12Both DISABLED_TestDtls12Both
662 #else
663 #define MAYBE_TestDtls12Both TestDtls12Both
664 #endif
665 // Create two channels with DTLS 1.2 and check ciphers.
TEST_F(DtlsTransportChannelTest,MAYBE_TestDtls12Both)666 TEST_F(DtlsTransportChannelTest, MAYBE_TestDtls12Both) {
667   MAYBE_SKIP_TEST(HaveDtls);
668   SetChannelCount(2);
669   PrepareDtls(true, true, rtc::KT_DEFAULT);
670   SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12);
671   ASSERT_TRUE(Connect());
672 }
673 
674 // Create two channels with DTLS 1.0 / DTLS 1.2 and check ciphers.
TEST_F(DtlsTransportChannelTest,TestDtls12Client1)675 TEST_F(DtlsTransportChannelTest, TestDtls12Client1) {
676   MAYBE_SKIP_TEST(HaveDtls);
677   SetChannelCount(2);
678   PrepareDtls(true, true, rtc::KT_DEFAULT);
679   SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_10);
680   ASSERT_TRUE(Connect());
681 }
682 
683 // Create two channels with DTLS 1.2 / DTLS 1.0 and check ciphers.
TEST_F(DtlsTransportChannelTest,TestDtls12Client2)684 TEST_F(DtlsTransportChannelTest, TestDtls12Client2) {
685   MAYBE_SKIP_TEST(HaveDtls);
686   SetChannelCount(2);
687   PrepareDtls(true, true, rtc::KT_DEFAULT);
688   SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_12);
689   ASSERT_TRUE(Connect());
690 }
691 
692 #if defined(MEMORY_SANITIZER)
693 // Fails under MemorySanitizer:
694 // See https://code.google.com/p/webrtc/issues/detail?id=5381.
695 #define MAYBE_TestTransferDtlsSrtp DISABLED_TestTransferDtlsSrtp
696 #else
697 #define MAYBE_TestTransferDtlsSrtp TestTransferDtlsSrtp
698 #endif
699 // Connect with DTLS, negotiate DTLS-SRTP, and transfer SRTP using bypass.
TEST_F(DtlsTransportChannelTest,MAYBE_TestTransferDtlsSrtp)700 TEST_F(DtlsTransportChannelTest, MAYBE_TestTransferDtlsSrtp) {
701   MAYBE_SKIP_TEST(HaveDtlsSrtp);
702   PrepareDtls(true, true, rtc::KT_DEFAULT);
703   PrepareDtlsSrtp(true, true);
704   ASSERT_TRUE(Connect());
705   TestTransfer(0, 1000, 100, true);
706 }
707 
708 #if defined(MEMORY_SANITIZER)
709 // Fails under MemorySanitizer:
710 // See https://code.google.com/p/webrtc/issues/detail?id=5381.
711 #define MAYBE_TestTransferDtlsInvalidSrtpPacket \
712   DISABLED_TestTransferDtlsInvalidSrtpPacket
713 #else
714 #define MAYBE_TestTransferDtlsInvalidSrtpPacket \
715   TestTransferDtlsInvalidSrtpPacket
716 #endif
717 // Connect with DTLS-SRTP, transfer an invalid SRTP packet, and expects -1
718 // returned.
TEST_F(DtlsTransportChannelTest,MAYBE_TestTransferDtlsInvalidSrtpPacket)719 TEST_F(DtlsTransportChannelTest, MAYBE_TestTransferDtlsInvalidSrtpPacket) {
720   MAYBE_SKIP_TEST(HaveDtls);
721   PrepareDtls(true, true, rtc::KT_DEFAULT);
722   PrepareDtlsSrtp(true, true);
723   ASSERT_TRUE(Connect());
724   int result = client1_.SendInvalidSrtpPacket(0, 100);
725   ASSERT_EQ(-1, result);
726 }
727 
728 #if defined(MEMORY_SANITIZER)
729 // Fails under MemorySanitizer:
730 // See https://code.google.com/p/webrtc/issues/detail?id=5381.
731 #define MAYBE_TestTransferDtlsSrtpRejected DISABLED_TestTransferDtlsSrtpRejected
732 #else
733 #define MAYBE_TestTransferDtlsSrtpRejected TestTransferDtlsSrtpRejected
734 #endif
735 // Connect with DTLS. A does DTLS-SRTP but B does not.
TEST_F(DtlsTransportChannelTest,MAYBE_TestTransferDtlsSrtpRejected)736 TEST_F(DtlsTransportChannelTest, MAYBE_TestTransferDtlsSrtpRejected) {
737   MAYBE_SKIP_TEST(HaveDtlsSrtp);
738   PrepareDtls(true, true, rtc::KT_DEFAULT);
739   PrepareDtlsSrtp(true, false);
740   ASSERT_TRUE(Connect());
741 }
742 
743 #if defined(MEMORY_SANITIZER)
744 // Fails under MemorySanitizer:
745 // See https://code.google.com/p/webrtc/issues/detail?id=5381.
746 #define MAYBE_TestTransferDtlsSrtpNotOffered \
747   DISABLED_TestTransferDtlsSrtpNotOffered
748 #else
749 #define MAYBE_TestTransferDtlsSrtpNotOffered TestTransferDtlsSrtpNotOffered
750 #endif
751 // Connect with DTLS. B does DTLS-SRTP but A does not.
TEST_F(DtlsTransportChannelTest,MAYBE_TestTransferDtlsSrtpNotOffered)752 TEST_F(DtlsTransportChannelTest, MAYBE_TestTransferDtlsSrtpNotOffered) {
753   MAYBE_SKIP_TEST(HaveDtlsSrtp);
754   PrepareDtls(true, true, rtc::KT_DEFAULT);
755   PrepareDtlsSrtp(false, true);
756   ASSERT_TRUE(Connect());
757 }
758 
759 #if defined(MEMORY_SANITIZER)
760 // Fails under MemorySanitizer:
761 // See https://code.google.com/p/webrtc/issues/detail?id=5381.
762 #define MAYBE_TestTransferDtlsSrtpTwoChannels \
763   DISABLED_TestTransferDtlsSrtpTwoChannels
764 #else
765 #define MAYBE_TestTransferDtlsSrtpTwoChannels TestTransferDtlsSrtpTwoChannels
766 #endif
767 // Create two channels with DTLS, negotiate DTLS-SRTP, and transfer bypass SRTP.
TEST_F(DtlsTransportChannelTest,MAYBE_TestTransferDtlsSrtpTwoChannels)768 TEST_F(DtlsTransportChannelTest, MAYBE_TestTransferDtlsSrtpTwoChannels) {
769   MAYBE_SKIP_TEST(HaveDtlsSrtp);
770   SetChannelCount(2);
771   PrepareDtls(true, true, rtc::KT_DEFAULT);
772   PrepareDtlsSrtp(true, true);
773   ASSERT_TRUE(Connect());
774   TestTransfer(0, 1000, 100, true);
775   TestTransfer(1, 1000, 100, true);
776 }
777 
778 #if defined(MEMORY_SANITIZER)
779 // Fails under MemorySanitizer:
780 // See https://code.google.com/p/webrtc/issues/detail?id=5381.
781 #define MAYBE_TestTransferDtlsSrtpDemux DISABLED_TestTransferDtlsSrtpDemux
782 #else
783 #define MAYBE_TestTransferDtlsSrtpDemux TestTransferDtlsSrtpDemux
784 #endif
785 // Create a single channel with DTLS, and send normal data and SRTP data on it.
TEST_F(DtlsTransportChannelTest,MAYBE_TestTransferDtlsSrtpDemux)786 TEST_F(DtlsTransportChannelTest, MAYBE_TestTransferDtlsSrtpDemux) {
787   MAYBE_SKIP_TEST(HaveDtlsSrtp);
788   PrepareDtls(true, true, rtc::KT_DEFAULT);
789   PrepareDtlsSrtp(true, true);
790   ASSERT_TRUE(Connect());
791   TestTransfer(0, 1000, 100, false);
792   TestTransfer(0, 1000, 100, true);
793 }
794 
795 #if defined(MEMORY_SANITIZER)
796 // Fails under MemorySanitizer:
797 // See https://code.google.com/p/webrtc/issues/detail?id=5381.
798 #define MAYBE_TestTransferDtlsAnswererIsPassive \
799   DISABLED_TestTransferDtlsAnswererIsPassive
800 #else
801 #define MAYBE_TestTransferDtlsAnswererIsPassive \
802   TestTransferDtlsAnswererIsPassive
803 #endif
804 // Testing when the remote is passive.
TEST_F(DtlsTransportChannelTest,MAYBE_TestTransferDtlsAnswererIsPassive)805 TEST_F(DtlsTransportChannelTest, MAYBE_TestTransferDtlsAnswererIsPassive) {
806   MAYBE_SKIP_TEST(HaveDtlsSrtp);
807   SetChannelCount(2);
808   PrepareDtls(true, true, rtc::KT_DEFAULT);
809   PrepareDtlsSrtp(true, true);
810   ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS,
811                       cricket::CONNECTIONROLE_PASSIVE));
812   TestTransfer(0, 1000, 100, true);
813   TestTransfer(1, 1000, 100, true);
814 }
815 
816 // Testing with the legacy DTLS client which doesn't use setup attribute.
817 // In this case legacy is the answerer.
TEST_F(DtlsTransportChannelTest,TestDtlsSetupWithLegacyAsAnswerer)818 TEST_F(DtlsTransportChannelTest, TestDtlsSetupWithLegacyAsAnswerer) {
819   MAYBE_SKIP_TEST(HaveDtlsSrtp);
820   PrepareDtls(true, true, rtc::KT_DEFAULT);
821   NegotiateWithLegacy();
822   rtc::SSLRole channel1_role;
823   rtc::SSLRole channel2_role;
824   EXPECT_TRUE(client1_.transport()->GetSslRole(&channel1_role));
825   EXPECT_TRUE(client2_.transport()->GetSslRole(&channel2_role));
826   EXPECT_EQ(rtc::SSL_SERVER, channel1_role);
827   EXPECT_EQ(rtc::SSL_CLIENT, channel2_role);
828 }
829 
830 #if defined(MEMORY_SANITIZER)
831 // Fails under MemorySanitizer:
832 // See https://code.google.com/p/webrtc/issues/detail?id=5381.
833 #define MAYBE_TestDtlsReOfferFromOfferer DISABLED_TestDtlsReOfferFromOfferer
834 #else
835 #define MAYBE_TestDtlsReOfferFromOfferer TestDtlsReOfferFromOfferer
836 #endif
837 // Testing re offer/answer after the session is estbalished. Roles will be
838 // kept same as of the previous negotiation.
TEST_F(DtlsTransportChannelTest,MAYBE_TestDtlsReOfferFromOfferer)839 TEST_F(DtlsTransportChannelTest, MAYBE_TestDtlsReOfferFromOfferer) {
840   MAYBE_SKIP_TEST(HaveDtlsSrtp);
841   SetChannelCount(2);
842   PrepareDtls(true, true, rtc::KT_DEFAULT);
843   PrepareDtlsSrtp(true, true);
844   // Initial role for client1 is ACTPASS and client2 is ACTIVE.
845   ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS,
846                       cricket::CONNECTIONROLE_ACTIVE));
847   TestTransfer(0, 1000, 100, true);
848   TestTransfer(1, 1000, 100, true);
849   // Using input roles for the re-offer.
850   Renegotiate(&client1_, cricket::CONNECTIONROLE_ACTPASS,
851               cricket::CONNECTIONROLE_ACTIVE, NF_REOFFER);
852   TestTransfer(0, 1000, 100, true);
853   TestTransfer(1, 1000, 100, true);
854 }
855 
856 #if defined(MEMORY_SANITIZER)
857 // Fails under MemorySanitizer:
858 // See https://code.google.com/p/webrtc/issues/detail?id=5381.
859 #define MAYBE_TestDtlsReOfferFromAnswerer DISABLED_TestDtlsReOfferFromAnswerer
860 #else
861 #define MAYBE_TestDtlsReOfferFromAnswerer TestDtlsReOfferFromAnswerer
862 #endif
TEST_F(DtlsTransportChannelTest,MAYBE_TestDtlsReOfferFromAnswerer)863 TEST_F(DtlsTransportChannelTest, MAYBE_TestDtlsReOfferFromAnswerer) {
864   MAYBE_SKIP_TEST(HaveDtlsSrtp);
865   SetChannelCount(2);
866   PrepareDtls(true, true, rtc::KT_DEFAULT);
867   PrepareDtlsSrtp(true, true);
868   // Initial role for client1 is ACTPASS and client2 is ACTIVE.
869   ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS,
870                       cricket::CONNECTIONROLE_ACTIVE));
871   TestTransfer(0, 1000, 100, true);
872   TestTransfer(1, 1000, 100, true);
873   // Using input roles for the re-offer.
874   Renegotiate(&client2_, cricket::CONNECTIONROLE_PASSIVE,
875               cricket::CONNECTIONROLE_ACTPASS, NF_REOFFER);
876   TestTransfer(0, 1000, 100, true);
877   TestTransfer(1, 1000, 100, true);
878 }
879 
880 #if defined(MEMORY_SANITIZER)
881 // Fails under MemorySanitizer:
882 // See https://code.google.com/p/webrtc/issues/detail?id=5381.
883 #define MAYBE_TestDtlsRoleReversal DISABLED_TestDtlsRoleReversal
884 #else
885 #define MAYBE_TestDtlsRoleReversal TestDtlsRoleReversal
886 #endif
887 // Test that any change in role after the intial setup will result in failure.
TEST_F(DtlsTransportChannelTest,MAYBE_TestDtlsRoleReversal)888 TEST_F(DtlsTransportChannelTest, MAYBE_TestDtlsRoleReversal) {
889   MAYBE_SKIP_TEST(HaveDtlsSrtp);
890   SetChannelCount(2);
891   PrepareDtls(true, true, rtc::KT_DEFAULT);
892   PrepareDtlsSrtp(true, true);
893   ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS,
894                       cricket::CONNECTIONROLE_PASSIVE));
895 
896   // Renegotiate from client2 with actpass and client1 as active.
897   Renegotiate(&client2_, cricket::CONNECTIONROLE_ACTPASS,
898               cricket::CONNECTIONROLE_ACTIVE,
899               NF_REOFFER | NF_EXPECT_FAILURE);
900 }
901 
902 #if defined(MEMORY_SANITIZER)
903 // Fails under MemorySanitizer:
904 // See https://code.google.com/p/webrtc/issues/detail?id=5381.
905 #define MAYBE_TestDtlsReOfferWithDifferentSetupAttr \
906   DISABLED_TestDtlsReOfferWithDifferentSetupAttr
907 #else
908 #define MAYBE_TestDtlsReOfferWithDifferentSetupAttr \
909   TestDtlsReOfferWithDifferentSetupAttr
910 #endif
911 // Test that using different setup attributes which results in similar ssl
912 // role as the initial negotiation will result in success.
TEST_F(DtlsTransportChannelTest,MAYBE_TestDtlsReOfferWithDifferentSetupAttr)913 TEST_F(DtlsTransportChannelTest, MAYBE_TestDtlsReOfferWithDifferentSetupAttr) {
914   MAYBE_SKIP_TEST(HaveDtlsSrtp);
915   SetChannelCount(2);
916   PrepareDtls(true, true, rtc::KT_DEFAULT);
917   PrepareDtlsSrtp(true, true);
918   ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS,
919                       cricket::CONNECTIONROLE_PASSIVE));
920   // Renegotiate from client2 with actpass and client1 as active.
921   Renegotiate(&client2_, cricket::CONNECTIONROLE_ACTIVE,
922               cricket::CONNECTIONROLE_ACTPASS, NF_REOFFER);
923   TestTransfer(0, 1000, 100, true);
924   TestTransfer(1, 1000, 100, true);
925 }
926 
927 // Test that re-negotiation can be started before the clients become connected
928 // in the first negotiation.
TEST_F(DtlsTransportChannelTest,TestRenegotiateBeforeConnect)929 TEST_F(DtlsTransportChannelTest, TestRenegotiateBeforeConnect) {
930   MAYBE_SKIP_TEST(HaveDtlsSrtp);
931   SetChannelCount(2);
932   PrepareDtls(true, true, rtc::KT_DEFAULT);
933   PrepareDtlsSrtp(true, true);
934   Negotiate();
935 
936   Renegotiate(&client1_, cricket::CONNECTIONROLE_ACTPASS,
937               cricket::CONNECTIONROLE_ACTIVE, NF_REOFFER);
938   bool rv = client1_.Connect(&client2_);
939   EXPECT_TRUE(rv);
940   EXPECT_TRUE_WAIT(
941       client1_.all_channels_writable() && client2_.all_channels_writable(),
942       10000);
943 
944   TestTransfer(0, 1000, 100, true);
945   TestTransfer(1, 1000, 100, true);
946 }
947 
948 // Test Certificates state after negotiation but before connection.
TEST_F(DtlsTransportChannelTest,TestCertificatesBeforeConnect)949 TEST_F(DtlsTransportChannelTest, TestCertificatesBeforeConnect) {
950   MAYBE_SKIP_TEST(HaveDtls);
951   PrepareDtls(true, true, rtc::KT_DEFAULT);
952   Negotiate();
953 
954   rtc::scoped_refptr<rtc::RTCCertificate> certificate1;
955   rtc::scoped_refptr<rtc::RTCCertificate> certificate2;
956   rtc::scoped_ptr<rtc::SSLCertificate> remote_cert1;
957   rtc::scoped_ptr<rtc::SSLCertificate> remote_cert2;
958 
959   // After negotiation, each side has a distinct local certificate, but still no
960   // remote certificate, because connection has not yet occurred.
961   ASSERT_TRUE(client1_.transport()->GetLocalCertificate(&certificate1));
962   ASSERT_TRUE(client2_.transport()->GetLocalCertificate(&certificate2));
963   ASSERT_NE(certificate1->ssl_certificate().ToPEMString(),
964             certificate2->ssl_certificate().ToPEMString());
965   ASSERT_FALSE(
966       client1_.transport()->GetRemoteSSLCertificate(remote_cert1.accept()));
967   ASSERT_FALSE(remote_cert1 != NULL);
968   ASSERT_FALSE(
969       client2_.transport()->GetRemoteSSLCertificate(remote_cert2.accept()));
970   ASSERT_FALSE(remote_cert2 != NULL);
971 }
972 
973 #if defined(MEMORY_SANITIZER)
974 // Fails under MemorySanitizer:
975 // See https://code.google.com/p/webrtc/issues/detail?id=5381.
976 #define MAYBE_TestCertificatesAfterConnect DISABLED_TestCertificatesAfterConnect
977 #else
978 #define MAYBE_TestCertificatesAfterConnect TestCertificatesAfterConnect
979 #endif
980 // Test Certificates state after connection.
TEST_F(DtlsTransportChannelTest,MAYBE_TestCertificatesAfterConnect)981 TEST_F(DtlsTransportChannelTest, MAYBE_TestCertificatesAfterConnect) {
982   MAYBE_SKIP_TEST(HaveDtls);
983   PrepareDtls(true, true, rtc::KT_DEFAULT);
984   ASSERT_TRUE(Connect());
985 
986   rtc::scoped_refptr<rtc::RTCCertificate> certificate1;
987   rtc::scoped_refptr<rtc::RTCCertificate> certificate2;
988   rtc::scoped_ptr<rtc::SSLCertificate> remote_cert1;
989   rtc::scoped_ptr<rtc::SSLCertificate> remote_cert2;
990 
991   // After connection, each side has a distinct local certificate.
992   ASSERT_TRUE(client1_.transport()->GetLocalCertificate(&certificate1));
993   ASSERT_TRUE(client2_.transport()->GetLocalCertificate(&certificate2));
994   ASSERT_NE(certificate1->ssl_certificate().ToPEMString(),
995             certificate2->ssl_certificate().ToPEMString());
996 
997   // Each side's remote certificate is the other side's local certificate.
998   ASSERT_TRUE(
999       client1_.transport()->GetRemoteSSLCertificate(remote_cert1.accept()));
1000   ASSERT_EQ(remote_cert1->ToPEMString(),
1001             certificate2->ssl_certificate().ToPEMString());
1002   ASSERT_TRUE(
1003       client2_.transport()->GetRemoteSSLCertificate(remote_cert2.accept()));
1004   ASSERT_EQ(remote_cert2->ToPEMString(),
1005             certificate1->ssl_certificate().ToPEMString());
1006 }
1007