mollyim/webrtc
1
0
Fork 0
mirror of https://github.com/mollyim/webrtc.git synced 2025-05-12 21:30:45 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Remove DTLS 1.0 legacy code

Browse source 
which has been enabled by default since M84. This was still available
under an enterprise policy which is gone since M121:
  https://chromiumdash.appspot.com/commit/39d28bb7657b482f1fdcab81ca88371d8914809b

BUG=webrtc:10261,chromium:1132854

Change-Id: Icd534342b60799b7862bc3e7edda6825de7ae976
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/317360
Reviewed-by: Harald Alvestrand <hta@webrtc.org>
Reviewed-by: Guido Urdaneta <guidou@webrtc.org>
Commit-Queue: Philipp Hancke <phancke@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#41145}
This commit is contained in:
Philipp Hancke 2023-11-13 12:25:25 +01:00 committed by WebRTC LUCI CQ
parent d431156c0e
commit e75cd0c704
3 changed files with 11 additions and 231 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

51
rtc_base/openssl_stream_adapter.cc
View file

@ -278,21 +278,6 @@ static long stream_ctrl(BIO* b, int cmd, long num, void* ptr) {
// OpenSSLStreamAdapter
/////////////////////////////////////////////////////////////////////////////
static std::atomic<bool> g_use_legacy_tls_protocols_override(false);
static std::atomic<bool> g_allow_legacy_tls_protocols(false);
void SetAllowLegacyTLSProtocols(const absl::optional<bool>& allow) {
g_use_legacy_tls_protocols_override.store(allow.has_value());
if (allow.has_value())
g_allow_legacy_tls_protocols.store(allow.value());
}
bool ShouldAllowLegacyTLSProtocols() {
return g_use_legacy_tls_protocols_override.load()
? g_allow_legacy_tls_protocols.load()
: webrtc::field_trial::IsEnabled("WebRTC-LegacyTlsProtocols");
}
OpenSSLStreamAdapter::OpenSSLStreamAdapter(
std::unique_ptr<StreamInterface> stream,
absl::AnyInvocable<void(SSLHandshakeError)> handshake_error)
@ -306,10 +291,7 @@ OpenSSLStreamAdapter::OpenSSLStreamAdapter(
ssl_(nullptr),
ssl_ctx_(nullptr),
ssl_mode_(SSL_MODE_TLS),
ssl_max_version_(SSL_PROTOCOL_TLS_12),
// Default is to support legacy TLS protocols.
// This will be changed to default non-support in M82 or M83.
support_legacy_tls_protocols_flag_(ShouldAllowLegacyTLSProtocols()) {
ssl_max_version_(SSL_PROTOCOL_TLS_12) {
stream_->SignalEvent.connect(this, &OpenSSLStreamAdapter::OnEvent);
}
@ -1031,33 +1013,10 @@ SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
return nullptr;
}
if (support_legacy_tls_protocols_flag_) {
// TODO(https://bugs.webrtc.org/10261): Completely remove this branch in
// M84.
SSL_CTX_set_min_proto_version(
ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION);
switch (ssl_max_version_) {
case SSL_PROTOCOL_TLS_10:
SSL_CTX_set_max_proto_version(
ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION);
break;
case SSL_PROTOCOL_TLS_11:
SSL_CTX_set_max_proto_version(
ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_1_VERSION);
break;
case SSL_PROTOCOL_TLS_12:
default:
SSL_CTX_set_max_proto_version(
ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
break;
}
} else {
// TODO(https://bugs.webrtc.org/10261): Make this the default in M84.
SSL_CTX_set_min_proto_version(
ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
SSL_CTX_set_max_proto_version(
ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
}
SSL_CTX_set_min_proto_version(
ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
SSL_CTX_set_max_proto_version(
ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
#ifdef OPENSSL_IS_BORINGSSL
// SSL_CTX_set_current_time_cb is only supported in BoringSSL.

9
rtc_base/openssl_stream_adapter.h
View file

@ -66,12 +66,6 @@ class SSLCertChain;
///////////////////////////////////////////////////////////////////////////////
// If `allow` has a value, its value determines if legacy TLS protocols are
// allowed, overriding the default configuration.
// If `allow` has no value, any previous override is removed and the default
// configuration is restored.
RTC_EXPORT void SetAllowLegacyTLSProtocols(const absl::optional<bool>& allow);
class OpenSSLStreamAdapter final : public SSLStreamAdapter,
public sigslot::has_slots<> {
public:
@ -252,9 +246,6 @@ class OpenSSLStreamAdapter final : public SSLStreamAdapter,
// A 50-ms initial timeout ensures rapid setup on fast connections, but may
// be too aggressive for low bandwidth links.
int dtls_handshake_timeout_ms_ = 50;
// TODO(https://bugs.webrtc.org/10261): Completely remove this option in M84.
const bool support_legacy_tls_protocols_flag_;
};
/////////////////////////////////////////////////////////////////////////////

182
rtc_base/ssl_stream_adapter_unittest.cc
View file

@ -1613,11 +1613,14 @@ INSTANTIATE_TEST_SUITE_P(
rtc::KeyParams::RSA(1152, 65537),
rtc::KeyParams::ECDSA(rtc::EC_NIST_P256))));
// Tests for enabling / disabling legacy TLS protocols in DTLS.
class SSLStreamAdapterTestDTLSLegacyProtocols
// Tests for enabling the (D)TLS extension permutation which randomizes the
// order of extensions in the client hello.
// These tests are a no-op under OpenSSL.
#ifdef OPENSSL_IS_BORINGSSL
class SSLStreamAdapterTestDTLSExtensionPermutation
: public SSLStreamAdapterTestDTLSBase {
public:
SSLStreamAdapterTestDTLSLegacyProtocols()
SSLStreamAdapterTestDTLSExtensionPermutation()
: SSLStreamAdapterTestDTLSBase(rtc::KeyParams::ECDSA(rtc::EC_NIST_P256),
rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)) {
}
@ -1656,179 +1659,6 @@ class SSLStreamAdapterTestDTLSLegacyProtocols
}
};
// Test getting the used DTLS ciphers.
// DTLS 1.2 enabled for neither client nor server -> DTLS 1.0 will be used.
TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols, TestGetSslCipherSuite) {
ConfigureClient("WebRTC-LegacyTlsProtocols/Enabled/");
ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
TestHandshake();
int client_cipher;
ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
int server_cipher;
ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true));
ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false));
ASSERT_EQ(client_cipher, server_cipher);
}
// Test getting the used DTLS 1.2 ciphers.
// DTLS 1.2 enabled for client and server -> DTLS 1.2 will be used.
TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
TestGetSslCipherSuiteDtls12Both) {
ConfigureClient("");
ConfigureServer("");
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12);
TestHandshake();
int client_cipher;
ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
int server_cipher;
ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(true));
ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(false));
ASSERT_EQ(client_cipher, server_cipher);
}
// DTLS 1.2 enabled for client only -> DTLS 1.0 will be used.
TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
TestGetSslCipherSuiteDtls12Client) {
ConfigureClient("WebRTC-LegacyTlsProtocols/Enabled/");
ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_12);
TestHandshake();
int client_cipher;
ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
int server_cipher;
ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true));
ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false));
ASSERT_EQ(client_cipher, server_cipher);
}
// DTLS 1.2 enabled for server only -> DTLS 1.0 will be used.
TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
TestGetSslCipherSuiteDtls12Server) {
ConfigureClient("WebRTC-LegacyTlsProtocols/Enabled/");
ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_10);
TestHandshake();
int client_cipher;
ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
int server_cipher;
ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true));
ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false));
ASSERT_EQ(client_cipher, server_cipher);
}
// Client has legacy TLS versions disabled, server has DTLS 1.0 only.
// This is meant to cause a failure.
TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
TestGetSslVersionLegacyDisabledServer10) {
ConfigureClient("");
ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_12);
// Handshake should fail.
TestHandshake(false);
}
// Both client and server have legacy TLS versions disabled and support
// DTLS 1.2. This should work.
TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
TestGetSslVersionLegacyDisabledServer12) {
ConfigureClient("");
ConfigureServer("");
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12);
TestHandshake();
}
// Both client and server have legacy TLS versions enabled and support DTLS 1.0.
// This should work.
TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
TestGetSslVersionLegacyEnabledClient10Server10) {
ConfigureClient("WebRTC-LegacyTlsProtocols/Enabled/");
ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
TestHandshake();
}
// Legacy protocols are disabled in the client, max TLS version is 1.0
// This should be a configuration error, and handshake should fail.
TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
TestGetSslVersionLegacyDisabledClient10Server10) {
ConfigureClient("");
ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
TestHandshake(false);
}
// Both client and server have legacy TLS versions enabled and support DTLS 1.0.
// This should work.
TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
TestGetSslVersionLegacyOverrideEnabledClient10Server10) {
rtc::SetAllowLegacyTLSProtocols(true);
ConfigureClient("");
ConfigureServer("");
// Remove override.
rtc::SetAllowLegacyTLSProtocols(absl::nullopt);
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
TestHandshake();
}
// Client has legacy TLS disabled and server has legacy TLS enabled via
// override. Handshake for DTLS 1.0 should fail.
TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
TestGetSslVersionLegacyOverrideDisabledClient10EnabledServer10) {
rtc::SetAllowLegacyTLSProtocols(false);
ConfigureClient("");
rtc::SetAllowLegacyTLSProtocols(true);
ConfigureServer("");
// Remove override.
rtc::SetAllowLegacyTLSProtocols(absl::nullopt);
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
TestHandshake(false);
}
// Client has legacy TLS enabled and server has legacy TLS disabled via
// override. Handshake for DTLS 1.0 should fail.
TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
TestGetSslVersionLegacyOverrideEnabledClient10DisabledServer10) {
rtc::SetAllowLegacyTLSProtocols(true);
ConfigureClient("");
rtc::SetAllowLegacyTLSProtocols(false);
ConfigureServer("");
// Remove override.
rtc::SetAllowLegacyTLSProtocols(absl::nullopt);
SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
TestHandshake(false);
}
// These tests are a no-op under OpenSSL.
#ifdef OPENSSL_IS_BORINGSSL
// TODO(https://bugs.webrtc.org/10261): when removing
// SSLStreamAdapterTestDTLSLegacyProtocols that this class
// inherits from move the code to this class.
class SSLStreamAdapterTestDTLSExtensionPermutation
: public SSLStreamAdapterTestDTLSLegacyProtocols {
public:
SSLStreamAdapterTestDTLSExtensionPermutation()
: SSLStreamAdapterTestDTLSLegacyProtocols() {}
};
// Tests for enabling the (D)TLS extension permutation which randomizes the
// order of extensions in the client hello.
TEST_F(SSLStreamAdapterTestDTLSExtensionPermutation,
ClientDefaultServerDefault) {
ConfigureClient("");