search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Split tls modules and their tests into openssl and generic.
[tor.git] / src / test / test_tortls_openssl.c
bloba9336a6f1b72e4050a4972a8181e990bba07d231
1 /* Copyright (c) 2010-2018, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3
4 #define TORTLS_PRIVATE
5 #define TORTLS_OPENSSL_PRIVATE
6 #define TOR_X509_PRIVATE
7 #define LOG_PRIVATE
8 #include "orconfig.h"
9
10 #ifdef _WIN32
11 #include <winsock2.h>
12 #endif
13 #include <math.h>
14
15 #include "lib/cc/compat_compiler.h"
16
17 /* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
18 * srtp.h. Suppress the GCC warning so we can build with -Wredundant-decl. */
19 DISABLE_GCC_WARNING(redundant-decls)
20
21 #include <openssl/opensslv.h>
22
23 #include <openssl/ssl.h>
24 #include <openssl/ssl3.h>
25 #include <openssl/err.h>
26 #include <openssl/asn1t.h>
27 #include <openssl/x509.h>
28 #include <openssl/rsa.h>
29 #include <openssl/evp.h>
30 #include <openssl/bn.h>
31
32 ENABLE_GCC_WARNING(redundant-decls)
33
34 #include "core/or/or.h"
35 #include "lib/log/log.h"
36 #include "app/config/config.h"
37 #include "lib/crypt_ops/compat_openssl.h"
38 #include "lib/tls/x509.h"
39 #include "lib/tls/tortls.h"
40 #include "lib/tls/tortls_st.h"
41 #include "lib/tls/tortls_internal.h"
42 #include "app/config/or_state_st.h"
43
44 #include "test/test.h"
45 #include "test/log_test_helpers.h"
46 #define NS_MODULE tortls
47
48 #ifndef HAVE_SSL_STATE
49 #define OPENSSL_OPAQUE
50 #endif
51
52 #if defined(OPENSSL_OPAQUE) && !defined(LIBRESSL_VERSION_NUMBER)
53 #define SSL_STATE_STR "before SSL initialization"
54 #else
55 #define SSL_STATE_STR "before/accept initialization"
56 #endif
57
58 #ifndef OPENSSL_OPAQUE
59 static SSL_METHOD *
60 give_me_a_test_method(void)
61 {
62 SSL_METHOD *method = tor_malloc_zero(sizeof(SSL_METHOD));
63 memcpy(method, TLSv1_method(), sizeof(SSL_METHOD));
64 return method;
65 }
66
67 static int
68 fake_num_ciphers(void)
69 {
70 return 0;
71 }
72 #endif /* !defined(OPENSSL_OPAQUE) */
73
74 static int
75 mock_tls_cert_matches_key(const tor_tls_t *tls, const tor_x509_cert_t *cert)
76 {
77 (void) tls;
78 (void) cert; // XXXX look at this.
79 return 1;
80 }
81
82 static void
83 test_tortls_tor_tls_new(void *data)
84 {
85 (void) data;
86 MOCK(tor_tls_cert_matches_key, mock_tls_cert_matches_key);
87 crypto_pk_t *key1 = NULL, *key2 = NULL;
88 SSL_METHOD *method = NULL;
89
90 key1 = pk_generate(2);
91 key2 = pk_generate(3);
92
93 tor_tls_t *tls = NULL;
94 tt_int_op(tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER,
95 key1, key2, 86400), OP_EQ, 0);
96 tls = tor_tls_new(-1, 0);
97 tt_want(tls);
98 tor_tls_free(tls); tls = NULL;
99
100 SSL_CTX_free(client_tls_context->ctx);
101 client_tls_context->ctx = NULL;
102 tls = tor_tls_new(-1, 0);
103 tt_ptr_op(tls, OP_EQ, NULL);
104
105 #ifndef OPENSSL_OPAQUE
106 method = give_me_a_test_method();
107 SSL_CTX *ctx = SSL_CTX_new(method);
108 method->num_ciphers = fake_num_ciphers;
109 client_tls_context->ctx = ctx;
110 tls = tor_tls_new(-1, 0);
111 tt_ptr_op(tls, OP_EQ, NULL);
112 #endif /* !defined(OPENSSL_OPAQUE) */
113
114 done:
115 UNMOCK(tor_tls_cert_matches_key);
116 crypto_pk_free(key1);
117 crypto_pk_free(key2);
118 tor_tls_free(tls);
119 tor_free(method);
120 tor_tls_free_all();
121 }
122
123 #define NS_MODULE tortls
124
125 static void
126 library_init(void)
127 {
128 #ifdef OPENSSL_1_1_API
129 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
130 #else
131 SSL_library_init();
132 SSL_load_error_strings();
133 #endif
134 }
135
136 static void
137 test_tortls_get_state_description(void *ignored)
138 {
139 (void)ignored;
140 tor_tls_t *tls;
141 char *buf;
142 SSL_CTX *ctx;
143
144 library_init();
145 ctx = SSL_CTX_new(SSLv23_method());
146
147 buf = tor_malloc_zero(1000);
148 tls = tor_malloc_zero(sizeof(tor_tls_t));
149
150 tor_tls_get_state_description(NULL, buf, 20);
151 tt_str_op(buf, OP_EQ, "(No SSL object)");
152
153 SSL_free(tls->ssl);
154 tls->ssl = NULL;
155 tor_tls_get_state_description(tls, buf, 20);
156 tt_str_op(buf, OP_EQ, "(No SSL object)");
157
158 tls->ssl = SSL_new(ctx);
159 tor_tls_get_state_description(tls, buf, 200);
160 tt_str_op(buf, OP_EQ, SSL_STATE_STR " in HANDSHAKE");
161
162 tls->state = TOR_TLS_ST_OPEN;
163 tor_tls_get_state_description(tls, buf, 200);
164 tt_str_op(buf, OP_EQ, SSL_STATE_STR " in OPEN");
165
166 tls->state = TOR_TLS_ST_GOTCLOSE;
167 tor_tls_get_state_description(tls, buf, 200);
168 tt_str_op(buf, OP_EQ, SSL_STATE_STR " in GOTCLOSE");
169
170 tls->state = TOR_TLS_ST_SENTCLOSE;
171 tor_tls_get_state_description(tls, buf, 200);
172 tt_str_op(buf, OP_EQ, SSL_STATE_STR " in SENTCLOSE");
173
174 tls->state = TOR_TLS_ST_CLOSED;
175 tor_tls_get_state_description(tls, buf, 200);
176 tt_str_op(buf, OP_EQ, SSL_STATE_STR " in CLOSED");
177
178 tls->state = TOR_TLS_ST_RENEGOTIATE;
179 tor_tls_get_state_description(tls, buf, 200);
180 tt_str_op(buf, OP_EQ, SSL_STATE_STR " in RENEGOTIATE");
181
182 tls->state = TOR_TLS_ST_BUFFEREVENT;
183 tor_tls_get_state_description(tls, buf, 200);
184 tt_str_op(buf, OP_EQ, SSL_STATE_STR);
185
186 tls->state = 7;
187 tor_tls_get_state_description(tls, buf, 200);
188 tt_str_op(buf, OP_EQ, SSL_STATE_STR " in unknown TLS state");
189
190 done:
191 SSL_CTX_free(ctx);
192 SSL_free(tls->ssl);
193 tor_free(buf);
194 tor_free(tls);
195 }
196
197 static void
198 test_tortls_get_by_ssl(void *ignored)
199 {
200 (void)ignored;
201 tor_tls_t *tls;
202 tor_tls_t *res;
203 SSL_CTX *ctx;
204 SSL *ssl;
205
206 library_init();
207 tor_tls_allocate_tor_tls_object_ex_data_index();
208
209 ctx = SSL_CTX_new(SSLv23_method());
210 tls = tor_malloc_zero(sizeof(tor_tls_t));
211 tls->magic = TOR_TLS_MAGIC;
212
213 ssl = SSL_new(ctx);
214
215 res = tor_tls_get_by_ssl(ssl);
216 tt_assert(!res);
217
218 SSL_set_ex_data(ssl, tor_tls_object_ex_data_index, tls);
219
220 res = tor_tls_get_by_ssl(ssl);
221 tt_assert(res == tls);
222
223 done:
224 SSL_free(ssl);
225 SSL_CTX_free(ctx);
226 tor_free(tls);
227 }
228
229 static void
230 test_tortls_allocate_tor_tls_object_ex_data_index(void *ignored)
231 {
232 (void)ignored;
233 int first;
234
235 tor_tls_allocate_tor_tls_object_ex_data_index();
236
237 first = tor_tls_object_ex_data_index;
238 tor_tls_allocate_tor_tls_object_ex_data_index();
239 tt_int_op(first, OP_EQ, tor_tls_object_ex_data_index);
240
241 done:
242 (void)0;
243 }
244
245 static void
246 test_tortls_log_one_error(void *ignored)
247 {
248 (void)ignored;
249 tor_tls_t *tls;
250 SSL_CTX *ctx;
251 SSL *ssl = NULL;
252
253 library_init();
254
255 ctx = SSL_CTX_new(SSLv23_method());
256 tls = tor_malloc_zero(sizeof(tor_tls_t));
257 setup_capture_of_logs(LOG_INFO);
258
259 tor_tls_log_one_error(NULL, 0, LOG_WARN, 0, "something");
260 expect_log_msg("TLS error while something: "
261 "(null) (in (null):(null):---)\n");
262
263 mock_clean_saved_logs();
264 tor_tls_log_one_error(tls, 0, LOG_WARN, 0, NULL);
265 expect_log_msg("TLS error: (null) "
266 "(in (null):(null):---)\n");
267
268 mock_clean_saved_logs();
269 tls->address = tor_strdup("127.hello");
270 tor_tls_log_one_error(tls, 0, LOG_WARN, 0, NULL);
271 expect_log_msg("TLS error with 127.hello: "
272 "(null) (in (null):(null):---)\n");
273 tor_free(tls->address);
274
275 mock_clean_saved_logs();
276 tls->address = tor_strdup("127.hello");
277 tor_tls_log_one_error(tls, 0, LOG_WARN, 0, "blarg");
278 expect_log_msg("TLS error while blarg with "
279 "127.hello: (null) (in (null):(null):---)\n");
280
281 mock_clean_saved_logs();
282 tor_tls_log_one_error(tls, ERR_PACK(1, 2, 3), LOG_WARN, 0, NULL);
283 expect_log_msg("TLS error with 127.hello: "
284 "BN lib (in unknown library:(null):---)\n");
285
286 mock_clean_saved_logs();
287 tor_tls_log_one_error(tls, ERR_PACK(1, 2, SSL_R_HTTP_REQUEST),
288 LOG_WARN, 0, NULL);
289 expect_log_severity(LOG_INFO);
290
291 mock_clean_saved_logs();
292 tor_tls_log_one_error(tls, ERR_PACK(1, 2, SSL_R_HTTPS_PROXY_REQUEST),
293 LOG_WARN, 0, NULL);
294 expect_log_severity(LOG_INFO);
295
296 mock_clean_saved_logs();
297 tor_tls_log_one_error(tls, ERR_PACK(1, 2, SSL_R_RECORD_LENGTH_MISMATCH),
298 LOG_WARN, 0, NULL);
299 expect_log_severity(LOG_INFO);
300
301 #ifndef OPENSSL_1_1_API
302 mock_clean_saved_logs();
303 tor_tls_log_one_error(tls, ERR_PACK(1, 2, SSL_R_RECORD_TOO_LARGE),
304 LOG_WARN, 0, NULL);
305 expect_log_severity(LOG_INFO);
306 #endif /* !defined(OPENSSL_1_1_API) */
307
308 mock_clean_saved_logs();
309 tor_tls_log_one_error(tls, ERR_PACK(1, 2, SSL_R_UNKNOWN_PROTOCOL),
310 LOG_WARN, 0, NULL);
311 expect_log_severity(LOG_INFO);
312
313 mock_clean_saved_logs();
314 tor_tls_log_one_error(tls, ERR_PACK(1, 2, SSL_R_UNSUPPORTED_PROTOCOL),
315 LOG_WARN, 0, NULL);
316 expect_log_severity(LOG_INFO);
317
318 tls->ssl = SSL_new(ctx);
319
320 mock_clean_saved_logs();
321 tor_tls_log_one_error(tls, 0, LOG_WARN, 0, NULL);
322 expect_log_msg("TLS error with 127.hello: (null)"
323 " (in (null):(null):" SSL_STATE_STR ")\n");
324
325 done:
326 teardown_capture_of_logs();
327 SSL_free(ssl);
328 SSL_CTX_free(ctx);
329 if (tls && tls->ssl)
330 SSL_free(tls->ssl);
331 if (tls)
332 tor_free(tls->address);
333 tor_free(tls);
334 }
335
336 #ifndef OPENSSL_OPAQUE
337 static void
338 test_tortls_get_error(void *ignored)
339 {
340 (void)ignored;
341 tor_tls_t *tls;
342 int ret;
343 SSL_CTX *ctx;
344
345 library_init();
346
347 ctx = SSL_CTX_new(SSLv23_method());
348 setup_capture_of_logs(LOG_INFO);
349 tls = tor_malloc_zero(sizeof(tor_tls_t));
350 tls->ssl = SSL_new(ctx);
351 SSL_set_bio(tls->ssl, BIO_new(BIO_s_mem()), NULL);
352
353 ret = tor_tls_get_error(tls, 0, 0, "something", LOG_WARN, 0);
354 tt_int_op(ret, OP_EQ, TOR_TLS_ERROR_IO);
355 expect_log_msg("TLS error: unexpected close while"
356 " something (before/accept initialization)\n");
357
358 mock_clean_saved_logs();
359 ret = tor_tls_get_error(tls, 2, 0, "something", LOG_WARN, 0);
360 tt_int_op(ret, OP_EQ, 0);
361 expect_no_log_entry();
362
363 mock_clean_saved_logs();
364 ret = tor_tls_get_error(tls, 0, 1, "something", LOG_WARN, 0);
365 tt_int_op(ret, OP_EQ, -11);
366 expect_no_log_entry();
367
368 mock_clean_saved_logs();
369 ERR_clear_error();
370 ERR_put_error(ERR_LIB_BN, 2, -1, "somewhere.c", 99);
371 ret = tor_tls_get_error(tls, 0, 0, "something", LOG_WARN, 0);
372 tt_int_op(ret, OP_EQ, TOR_TLS_ERROR_MISC);
373 expect_log_msg("TLS error while something: (null)"
374 " (in bignum routines:(null):before/accept initialization)\n");
375
376 mock_clean_saved_logs();
377 ERR_clear_error();
378 tls->ssl->rwstate = SSL_READING;
379 SSL_get_rbio(tls->ssl)->flags = BIO_FLAGS_READ;
380 ret = tor_tls_get_error(tls, -1, 0, "something", LOG_WARN, 0);
381 tt_int_op(ret, OP_EQ, TOR_TLS_WANTREAD);
382 expect_no_log_entry();
383
384 mock_clean_saved_logs();
385 ERR_clear_error();
386 tls->ssl->rwstate = SSL_READING;
387 SSL_get_rbio(tls->ssl)->flags = BIO_FLAGS_WRITE;
388 ret = tor_tls_get_error(tls, -1, 0, "something", LOG_WARN, 0);
389 tt_int_op(ret, OP_EQ, TOR_TLS_WANTWRITE);
390 expect_no_log_entry();
391
392 mock_clean_saved_logs();
393 ERR_clear_error();
394 tls->ssl->rwstate = 0;
395 tls->ssl->shutdown = SSL_RECEIVED_SHUTDOWN;
396 tls->ssl->s3->warn_alert =SSL_AD_CLOSE_NOTIFY;
397 ret = tor_tls_get_error(tls, 0, 0, "something", LOG_WARN, 0);
398 tt_int_op(ret, OP_EQ, TOR_TLS_CLOSE);
399 expect_log_entry();
400
401 mock_clean_saved_logs();
402 ret = tor_tls_get_error(tls, 0, 2, "something", LOG_WARN, 0);
403 tt_int_op(ret, OP_EQ, -10);
404 expect_no_log_entry();
405
406 mock_clean_saved_logs();
407 ERR_put_error(ERR_LIB_SYS, 2, -1, "somewhere.c", 99);
408 ret = tor_tls_get_error(tls, -1, 0, "something", LOG_WARN, 0);
409 tt_int_op(ret, OP_EQ, -9);
410 expect_log_msg("TLS error while something: (null) (in system library:"
411 "connect:before/accept initialization)\n");
412
413 done:
414 teardown_capture_of_logs();
415 SSL_free(tls->ssl);
416 tor_free(tls);
417 SSL_CTX_free(ctx);
418 }
419 #endif /* !defined(OPENSSL_OPAQUE) */
420
421 static void
422 test_tortls_always_accept_verify_cb(void *ignored)
423 {
424 (void)ignored;
425 int ret;
426
427 ret = always_accept_verify_cb(0, NULL);
428 tt_int_op(ret, OP_EQ, 1);
429
430 done:
431 (void)0;
432 }
433
434 #ifndef OPENSSL_OPAQUE
435 static void
436 test_tortls_x509_cert_free(void *ignored)
437 {
438 (void)ignored;
439 tor_x509_cert_t *cert;
440
441 cert = tor_malloc_zero(sizeof(tor_x509_cert_t));
442 tor_x509_cert_free(cert);
443
444 cert = tor_malloc_zero(sizeof(tor_x509_cert_t));
445 cert->cert = X509_new();
446 cert->encoded = tor_malloc_zero(1);
447 tor_x509_cert_free(cert);
448 }
449 #endif /* !defined(OPENSSL_OPAQUE) */
450
451 #ifndef OPENSSL_OPAQUE
452 static int
453 fixed_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
454 {
455 (void) a; (void) b;
456 return 1;
457 }
458
459 /*
460 * Use only for the matching fake_x509_free() call
461 */
462 static X509 *
463 fake_x509_malloc(void)
464 {
465 return tor_malloc_zero(sizeof(X509));
466 }
467
468 static void
469 fake_x509_free(X509 *cert)
470 {
471 if (cert) {
472 if (cert->cert_info) {
473 if (cert->cert_info->key) {
474 if (cert->cert_info->key->pkey) {
475 tor_free(cert->cert_info->key->pkey);
476 }
477 tor_free(cert->cert_info->key);
478 }
479 tor_free(cert->cert_info);
480 }
481 tor_free(cert);
482 }
483 }
484
485 static void
486 test_tortls_cert_matches_key(void *ignored)
487 {
488 (void)ignored;
489 int res;
490 tor_tls_t *tls;
491 tor_x509_cert_t *cert;
492 X509 *one = NULL, *two = NULL;
493 EVP_PKEY_ASN1_METHOD *meth = EVP_PKEY_asn1_new(999, 0, NULL, NULL);
494 EVP_PKEY_asn1_set_public(meth, NULL, NULL, fixed_pub_cmp, NULL, NULL, NULL);
495
496 tls = tor_malloc_zero(sizeof(tor_tls_t));
497 cert = tor_malloc_zero(sizeof(tor_x509_cert_t));
498 one = fake_x509_malloc();
499 one->references = 1;
500 two = fake_x509_malloc();
501 two->references = 1;
502
503 res = tor_tls_cert_matches_key(tls, cert);
504 tt_int_op(res, OP_EQ, 0);
505
506 tls->ssl = tor_malloc_zero(sizeof(SSL));
507 tls->ssl->session = tor_malloc_zero(sizeof(SSL_SESSION));
508 tls->ssl->session->peer = one;
509 res = tor_tls_cert_matches_key(tls, cert);
510 tt_int_op(res, OP_EQ, 0);
511
512 cert->cert = two;
513 res = tor_tls_cert_matches_key(tls, cert);
514 tt_int_op(res, OP_EQ, 0);
515
516 one->cert_info = tor_malloc_zero(sizeof(X509_CINF));
517 one->cert_info->key = tor_malloc_zero(sizeof(X509_PUBKEY));
518 one->cert_info->key->pkey = tor_malloc_zero(sizeof(EVP_PKEY));
519 one->cert_info->key->pkey->references = 1;
520 one->cert_info->key->pkey->ameth = meth;
521 one->cert_info->key->pkey->type = 1;
522
523 two->cert_info = tor_malloc_zero(sizeof(X509_CINF));
524 two->cert_info->key = tor_malloc_zero(sizeof(X509_PUBKEY));
525 two->cert_info->key->pkey = tor_malloc_zero(sizeof(EVP_PKEY));
526 two->cert_info->key->pkey->references = 1;
527 two->cert_info->key->pkey->ameth = meth;
528 two->cert_info->key->pkey->type = 2;
529
530 res = tor_tls_cert_matches_key(tls, cert);
531 tt_int_op(res, OP_EQ, 0);
532
533 one->cert_info->key->pkey->type = 1;
534 two->cert_info->key->pkey->type = 1;
535 res = tor_tls_cert_matches_key(tls, cert);
536 tt_int_op(res, OP_EQ, 1);
537
538 done:
539 EVP_PKEY_asn1_free(meth);
540 tor_free(tls->ssl->session);
541 tor_free(tls->ssl);
542 tor_free(tls);
543 tor_free(cert);
544 fake_x509_free(one);
545 fake_x509_free(two);
546 }
547
548 static void
549 test_tortls_cert_get_key(void *ignored)
550 {
551 (void)ignored;
552 tor_x509_cert_t *cert = NULL;
553 crypto_pk_t *res = NULL;
554 cert = tor_malloc_zero(sizeof(tor_x509_cert_t));
555 X509 *key = NULL;
556 key = fake_x509_malloc();
557 key->references = 1;
558
559 res = tor_tls_cert_get_key(cert);
560 tt_assert(!res);
561
562 cert->cert = key;
563 key->cert_info = tor_malloc_zero(sizeof(X509_CINF));
564 key->cert_info->key = tor_malloc_zero(sizeof(X509_PUBKEY));
565 key->cert_info->key->pkey = tor_malloc_zero(sizeof(EVP_PKEY));
566 key->cert_info->key->pkey->references = 1;
567 key->cert_info->key->pkey->type = 2;
568 res = tor_tls_cert_get_key(cert);
569 tt_assert(!res);
570
571 done:
572 fake_x509_free(key);
573 tor_free(cert);
574 crypto_pk_free(res);
575 }
576 #endif /* !defined(OPENSSL_OPAQUE) */
577
578 static void
579 test_tortls_get_my_client_auth_key(void *ignored)
580 {
581 (void)ignored;
582 crypto_pk_t *ret;
583 crypto_pk_t *expected;
584 tor_tls_context_t *ctx;
585 RSA *k = RSA_new();
586
587 ctx = tor_malloc_zero(sizeof(tor_tls_context_t));
588 expected = crypto_new_pk_from_openssl_rsa_(k);
589 ctx->auth_key = expected;
590
591 client_tls_context = NULL;
592 ret = tor_tls_get_my_client_auth_key();
593 tt_assert(!ret);
594
595 client_tls_context = ctx;
596 ret = tor_tls_get_my_client_auth_key();
597 tt_assert(ret == expected);
598
599 done:
600 tor_free(expected);
601 tor_free(ctx);
602 }
603
604 #ifndef HAVE_SSL_GET_CLIENT_CIPHERS
605 static SSL_CIPHER *
606 get_cipher_by_name(const char *name)
607 {
608 int i;
609 const SSL_METHOD *method = SSLv23_method();
610 int num = method->num_ciphers();
611
612 for (i = 0; i < num; ++i) {
613 const SSL_CIPHER *cipher = method->get_cipher(i);
614 const char *ciphername = SSL_CIPHER_get_name(cipher);
615 if (!strcmp(ciphername, name)) {
616 return (SSL_CIPHER *)cipher;
617 }
618 }
619
620 return NULL;
621 }
622 #endif /* !defined(HAVE_SSL_GET_CLIENT_CIPHERS) */
623
624 #ifndef OPENSSL_OPAQUE
625 static void
626 test_tortls_get_ciphersuite_name(void *ignored)
627 {
628 (void)ignored;
629 const char *ret;
630 tor_tls_t *ctx;
631 ctx = tor_malloc_zero(sizeof(tor_tls_t));
632 ctx->ssl = tor_malloc_zero(sizeof(SSL));
633
634 ret = tor_tls_get_ciphersuite_name(ctx);
635 tt_str_op(ret, OP_EQ, "(NONE)");
636
637 done:
638 tor_free(ctx->ssl);
639 tor_free(ctx);
640 }
641
642 static SSL_CIPHER *
643 get_cipher_by_id(uint16_t id)
644 {
645 int i;
646 const SSL_METHOD *method = SSLv23_method();
647 int num = method->num_ciphers();
648 for (i = 0; i < num; ++i) {
649 const SSL_CIPHER *cipher = method->get_cipher(i);
650 if (id == (SSL_CIPHER_get_id(cipher) & 0xffff)) {
651 return (SSL_CIPHER *)cipher;
652 }
653 }
654
655 return NULL;
656 }
657
658 static void
659 test_tortls_classify_client_ciphers(void *ignored)
660 {
661 (void)ignored;
662 int i;
663 int ret;
664 SSL_CTX *ctx;
665 SSL *ssl;
666 tor_tls_t *tls;
667 STACK_OF(SSL_CIPHER) *ciphers;
668 SSL_CIPHER *tmp_cipher;
669
670 library_init();
671
672 tor_tls_allocate_tor_tls_object_ex_data_index();
673
674 tls = tor_malloc_zero(sizeof(tor_tls_t));
675 tls->magic = TOR_TLS_MAGIC;
676
677 ctx = SSL_CTX_new(TLSv1_method());
678 ssl = SSL_new(ctx);
679 tls->ssl = ssl;
680
681 ciphers = sk_SSL_CIPHER_new_null();
682
683 ret = tor_tls_classify_client_ciphers(ssl, NULL);
684 tt_int_op(ret, OP_EQ, -1);
685
686 SSL_set_ex_data(ssl, tor_tls_object_ex_data_index, tls);
687 tls->client_cipher_list_type = 42;
688
689 ret = tor_tls_classify_client_ciphers(ssl, NULL);
690 tt_int_op(ret, OP_EQ, 42);
691
692 tls->client_cipher_list_type = 0;
693 ret = tor_tls_classify_client_ciphers(ssl, ciphers);
694 tt_int_op(ret, OP_EQ, 1);
695 tt_int_op(tls->client_cipher_list_type, OP_EQ, 1);
696
697 tls->client_cipher_list_type = 0;
698 ret = tor_tls_classify_client_ciphers(ssl, SSL_get_ciphers(ssl));
699 tt_int_op(ret, OP_EQ, 3);
700 tt_int_op(tls->client_cipher_list_type, OP_EQ, 3);
701
702 SSL_CIPHER *one = get_cipher_by_name(TLS1_TXT_DHE_RSA_WITH_AES_128_SHA),
703 *two = get_cipher_by_name(TLS1_TXT_DHE_RSA_WITH_AES_256_SHA),
704 *three = get_cipher_by_name(SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA),
705 *four = NULL;
706 sk_SSL_CIPHER_push(ciphers, one);
707 sk_SSL_CIPHER_push(ciphers, two);
708 sk_SSL_CIPHER_push(ciphers, three);
709 sk_SSL_CIPHER_push(ciphers, four);
710
711 tls->client_cipher_list_type = 0;
712 ret = tor_tls_classify_client_ciphers(ssl, ciphers);
713 tt_int_op(ret, OP_EQ, 1);
714 tt_int_op(tls->client_cipher_list_type, OP_EQ, 1);
715
716 sk_SSL_CIPHER_zero(ciphers);
717
718 one = get_cipher_by_name("ECDHE-RSA-AES256-GCM-SHA384");
719 tt_assert(one);
720 one->id = 0x00ff;
721 two = get_cipher_by_name("ECDHE-RSA-AES128-GCM-SHA256");
722 tt_assert(two);
723 two->id = 0x0000;
724 sk_SSL_CIPHER_push(ciphers, one);
725 tls->client_cipher_list_type = 0;
726 ret = tor_tls_classify_client_ciphers(ssl, ciphers);
727 tt_int_op(ret, OP_EQ, 3);
728 tt_int_op(tls->client_cipher_list_type, OP_EQ, 3);
729
730 sk_SSL_CIPHER_push(ciphers, two);
731 tls->client_cipher_list_type = 0;
732 ret = tor_tls_classify_client_ciphers(ssl, ciphers);
733 tt_int_op(ret, OP_EQ, 3);
734 tt_int_op(tls->client_cipher_list_type, OP_EQ, 3);
735
736 one->id = 0xC00A;
737 tls->client_cipher_list_type = 0;
738 ret = tor_tls_classify_client_ciphers(ssl, ciphers);
739 tt_int_op(ret, OP_EQ, 3);
740 tt_int_op(tls->client_cipher_list_type, OP_EQ, 3);
741
742 sk_SSL_CIPHER_zero(ciphers);
743 for (i=0; v2_cipher_list[i]; i++) {
744 tmp_cipher = get_cipher_by_id(v2_cipher_list[i]);
745 tt_assert(tmp_cipher);
746 sk_SSL_CIPHER_push(ciphers, tmp_cipher);
747 }
748 tls->client_cipher_list_type = 0;
749 ret = tor_tls_classify_client_ciphers(ssl, ciphers);
750 tt_int_op(ret, OP_EQ, 2);
751 tt_int_op(tls->client_cipher_list_type, OP_EQ, 2);
752
753 done:
754 sk_SSL_CIPHER_free(ciphers);
755 SSL_free(tls->ssl);
756 tor_free(tls);
757 SSL_CTX_free(ctx);
758 }
759 #endif /* !defined(OPENSSL_OPAQUE) */
760
761 static void
762 test_tortls_client_is_using_v2_ciphers(void *ignored)
763 {
764 (void)ignored;
765
766 #ifdef HAVE_SSL_GET_CLIENT_CIPHERS
767 tt_skip();
768 done:
769 (void)1;
770 #else
771 int ret;
772 SSL_CTX *ctx;
773 SSL *ssl;
774 SSL_SESSION *sess;
775 STACK_OF(SSL_CIPHER) *ciphers;
776
777 library_init();
778
779 ctx = SSL_CTX_new(TLSv1_method());
780 ssl = SSL_new(ctx);
781 sess = SSL_SESSION_new();
782
783 ret = tor_tls_client_is_using_v2_ciphers(ssl);
784 tt_int_op(ret, OP_EQ, -1);
785
786 ssl->session = sess;
787 ret = tor_tls_client_is_using_v2_ciphers(ssl);
788 tt_int_op(ret, OP_EQ, 0);
789
790 ciphers = sk_SSL_CIPHER_new_null();
791 SSL_CIPHER *one = get_cipher_by_name("ECDHE-RSA-AES256-GCM-SHA384");
792 tt_assert(one);
793 one->id = 0x00ff;
794 sk_SSL_CIPHER_push(ciphers, one);
795 sess->ciphers = ciphers;
796 ret = tor_tls_client_is_using_v2_ciphers(ssl);
797 tt_int_op(ret, OP_EQ, 1);
798 done:
799 SSL_free(ssl);
800 SSL_CTX_free(ctx);
801 #endif /* defined(HAVE_SSL_GET_CLIENT_CIPHERS) */
802 }
803
804 #ifndef OPENSSL_OPAQUE
805 static X509 *fixed_try_to_extract_certs_from_tls_cert_out_result = NULL;
806 static X509 *fixed_try_to_extract_certs_from_tls_id_cert_out_result = NULL;
807
808 static void
809 fixed_try_to_extract_certs_from_tls(int severity, tor_tls_t *tls,
810 tor_x509_cert_impl_t **cert_out,
811 tor_x509_cert_impl_t **id_cert_out)
812 {
813 (void) severity;
814 (void) tls;
815 *cert_out = fixed_try_to_extract_certs_from_tls_cert_out_result;
816 *id_cert_out = fixed_try_to_extract_certs_from_tls_id_cert_out_result;
817 }
818 #endif /* !defined(OPENSSL_OPAQUE) */
819
820 #ifndef OPENSSL_OPAQUE
821 static const char* notCompletelyValidCertString =
822 "-----BEGIN CERTIFICATE-----\n"
823 "MIICVjCCAb8CAg37MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\n"
824 "A1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\n"
825 "MRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\n"
826 "YiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\n"
827 "ODIyMDUyNzIzWhcNMTcwODIxMDUyNzIzWjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\n"
828 "CAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\n"
829 "ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMYBBrx5PlP0WNI/ZdzD\n"
830 "+6Pktmurn+F2kQYbtc7XQh8/LTBvCo+P6iZoLEmUA9e7EXLRxgU1CVqeAi7QcAn9\n"
831 "MwBlc8ksFJHB0rtf9pmf8Oza9E0Bynlq/4/Kb1x+d+AyhL7oK9tQwB24uHOueHi1\n"
832 "C/iVv8CSWKiYe6hzN1txYe8rAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAASPdjigJ\n"
833 "kXCqKWpnZ/Oc75EUcMi6HztaW8abUMlYXPIgkV2F7YanHOB7K4f7OOLjiz8DTPFf\n"
834 "jC9UeuErhaA/zzWi8ewMTFZW/WshOrm3fNvcMrMLKtH534JKvcdMg6qIdjTFINIr\n"
835 "evnAhf0cwULaebn+lMs8Pdl7y37+sfluVok=\n"
836 "-----END CERTIFICATE-----\n";
837 #endif /* !defined(OPENSSL_OPAQUE) */
838
839 static const char* validCertString = "-----BEGIN CERTIFICATE-----\n"
840 "MIIDpTCCAY0CAg3+MA0GCSqGSIb3DQEBBQUAMF4xCzAJBgNVBAYTAlVTMREwDwYD\n"
841 "VQQIDAhJbGxpbm9pczEQMA4GA1UEBwwHQ2hpY2FnbzEUMBIGA1UECgwLVG9yIFRl\n"
842 "c3RpbmcxFDASBgNVBAMMC1RvciBUZXN0aW5nMB4XDTE1MDkwNjEzMzk1OVoXDTQz\n"
843 "MDEyMjEzMzk1OVowVjELMAkGA1UEBhMCVVMxEDAOBgNVBAcMB0NoaWNhZ28xFDAS\n"
844 "BgNVBAoMC1RvciBUZXN0aW5nMR8wHQYDVQQDDBZ0ZXN0aW5nLnRvcnByb2plY3Qu\n"
845 "b3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoT6uyVVhWyOF3wkHjjYbd\n"
846 "nKaykyRv4JVtKQdZ4OpEErmX1zw4MmyzpQNV6iR4bQnWiyLfzyVJMZDIC/WILBfX\n"
847 "w2Pza/yuLgUvDc3twMuhOACzOQVO8PrEF/aVv2+hbCCy2udXvKhnYn+CCXl3ozc8\n"
848 "XcKYvujTXDyvGWY3xwAjlQIDAQABMA0GCSqGSIb3DQEBBQUAA4ICAQCUvnhzQWuQ\n"
849 "MrN+pERkE+zcTI/9dGS90rUMMLgu8VDNqTa0TUQh8uO0EQ6uDvI8Js6e8tgwS0BR\n"
850 "UBahqb7ZHv+rejGCBr5OudqD+x4STiiuPNJVs86JTLN8SpM9CHjIBH5WCCN2KOy3\n"
851 "mevNoRcRRyYJzSFULCunIK6FGulszigMYGscrO4oiTkZiHPh9KvWT40IMiHfL+Lw\n"
852 "EtEWiLex6064LcA2YQ1AMuSZyCexks63lcfaFmQbkYOKqXa1oLkIRuDsOaSVjTfe\n"
853 "vec+X6jvf12cFTKS5WIeqkKF2Irt+dJoiHEGTe5RscUMN/f+gqHPzfFz5dR23sxo\n"
854 "g+HC6MZHlFkLAOx3wW6epPS8A/m1mw3zMPoTnb2U2YYt8T0dJMMlUn/7Y1sEAa+a\n"
855 "dSTMaeUf6VnJ//11m454EZl1to9Z7oJOgqmFffSrdD4BGIWe8f7hhW6L1Enmqe/J\n"
856 "BKL3wbzZh80O1W0bndAwhnEEhlzneFY84cbBo9pmVxpODHkUcStpr5Z7pBDrcL21\n"
857 "Ss/aB/1YrsVXhdvJdOGxl3Mnl9dUY57CympLGlT8f0pPS6GAKOelECOhFMHmJd8L\n"
858 "dj3XQSmKtYHevZ6IvuMXSlB/fJvSjSlkCuLo5+kJoaqPuRu+i/S1qxeRy3CBwmnE\n"
859 "LdSNdcX4N79GQJ996PA8+mUCQG7YRtK+WA==\n"
860 "-----END CERTIFICATE-----\n";
861
862 static const char* caCertString = "-----BEGIN CERTIFICATE-----\n"
863 "MIIFjzCCA3egAwIBAgIJAKd5WgyfPMYRMA0GCSqGSIb3DQEBCwUAMF4xCzAJBgNV\n"
864 "BAYTAlVTMREwDwYDVQQIDAhJbGxpbm9pczEQMA4GA1UEBwwHQ2hpY2FnbzEUMBIG\n"
865 "A1UECgwLVG9yIFRlc3RpbmcxFDASBgNVBAMMC1RvciBUZXN0aW5nMB4XDTE1MDkw\n"
866 "NjEzMzc0MVoXDTQzMDEyMjEzMzc0MVowXjELMAkGA1UEBhMCVVMxETAPBgNVBAgM\n"
867 "CElsbGlub2lzMRAwDgYDVQQHDAdDaGljYWdvMRQwEgYDVQQKDAtUb3IgVGVzdGlu\n"
868 "ZzEUMBIGA1UEAwwLVG9yIFRlc3RpbmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw\n"
869 "ggIKAoICAQCpLMUEiLW5leUgBZoEJms2V7lZRhIAjnJBhVMHD0e3UubNknmaQoxf\n"
870 "ARz3rvqOaRd0JlV+qM9qE0DjiYcCVP1cAfqAo9d83uS1vwY3YMVJzADlaIiHfyVW\n"
871 "uEgBy0vvkeUBqaua24dYlcwsemOiXYLu41yM1wkcGHW1AhBNHppY6cznb8TyLgNM\n"
872 "2x3SGUdzc5XMyAFx51faKGBA3wjs+Hg1PLY7d30nmCgEOBavpm5I1disM/0k+Mcy\n"
873 "YmAKEo/iHJX/rQzO4b9znP69juLlR8PDBUJEVIG/CYb6+uw8MjjUyiWXYoqfVmN2\n"
874 "hm/lH8b6rXw1a2Aa3VTeD0DxaWeacMYHY/i01fd5n7hCoDTRNdSw5KJ0L3Z0SKTu\n"
875 "0lzffKzDaIfyZGlpW5qdouACkWYzsaitQOePVE01PIdO30vUfzNTFDfy42ccx3Di\n"
876 "59UCu+IXB+eMtrBfsok0Qc63vtF1linJgjHW1z/8ujk8F7/qkOfODhk4l7wngc2A\n"
877 "EmwWFIFoGaiTEZHB9qteXr4unbXZ0AHpM02uGGwZEGohjFyebEb73M+J57WKKAFb\n"
878 "PqbLcGUksL1SHNBNAJcVLttX55sO4nbidOS/kA3m+F1R04MBTyQF9qA6YDDHqdI3\n"
879 "h/3pw0Z4fxVouTYT4/NfRnX4JTP4u+7Mpcoof28VME0qWqD1LnRhFQIDAQABo1Aw\n"
880 "TjAdBgNVHQ4EFgQUMoAgIXH7pZ3QMRwTjT+DM9Yo/v0wHwYDVR0jBBgwFoAUMoAg\n"
881 "IXH7pZ3QMRwTjT+DM9Yo/v0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC\n"
882 "AgEAUJxacjXR9sT+Xs6ISFiUsyd0T6WVKMnV46xrYJHirGfx+krWHrjxMY+ZtxYD\n"
883 "DBDGlo11Qc4v6QrclNf5QUBfIiGQsP9Cm6hHcQ+Tpg9HHCgSqG1YNPwCPReCR4br\n"
884 "BLvLfrfkcBL2IWM0PdQdCze+59DBfipsULD2mEn9fjYRXQEwb2QWtQ9qRc20Yb/x\n"
885 "Q4b/+CvUodLkaq7B8MHz0BV8HHcBoph6DYaRmO/N+hPauIuSp6XyaGYcEefGKVKj\n"
886 "G2+fcsdyXsoijNdL8vNKwm4j2gVwCBnw16J00yfFoV46YcbfqEdJB2je0XSvwXqt\n"
887 "14AOTngxso2h9k9HLtrfpO1ZG/B5AcCMs1lzbZ2fp5DPHtjvvmvA2RJqgo3yjw4W\n"
888 "4DHAuTglYFlC3mDHNfNtcGP20JvepcQNzNP2UzwcpOc94hfKikOFw+gf9Vf1qd0y\n"
889 "h/Sk6OZHn2+JVUPiWHIQV98Vtoh4RmUZDJD+b55ia3fQGTGzt4z1XFzQYSva5sfs\n"
890 "wocS/papthqWldQU7x+3wofNd5CNU1x6WKXG/yw30IT/4F8ADJD6GeygNT8QJYvt\n"
891 "u/8lAkbOy6B9xGmSvr0Kk1oq9P2NshA6kalxp1Oz/DTNDdL4AeBXV3JmM6WWCjGn\n"
892 "Yy1RT69d0rwYc5u/vnqODz1IjvT90smsrkBumGt791FAFeg=\n"
893 "-----END CERTIFICATE-----\n";
894
895 static X509 *
896 read_cert_from(const char *str)
897 {
898 BIO *bio = BIO_new(BIO_s_mem());
899 BIO_write(bio, str, (int) strlen(str));
900 X509 *res = PEM_read_bio_X509(bio, NULL, NULL, NULL);
901 BIO_free(bio);
902 return res;
903 }
904
905 #ifndef OPENSSL_OPAQUE
906 static void
907 test_tortls_verify(void *ignored)
908 {
909 (void)ignored;
910 int ret;
911 tor_tls_t *tls;
912 crypto_pk_t *k = NULL;
913 X509 *cert1 = NULL, *cert2 = NULL, *invalidCert = NULL,
914 *validCert = NULL, *caCert = NULL;
915
916 cert1 = tor_malloc_zero(sizeof(X509));
917 cert1->references = 10;
918
919 cert2 = tor_malloc_zero(sizeof(X509));
920 cert2->references = 10;
921
922 validCert = read_cert_from(validCertString);
923 caCert = read_cert_from(caCertString);
924 invalidCert = read_cert_from(notCompletelyValidCertString);
925
926 tls = tor_malloc_zero(sizeof(tor_tls_t));
927 ret = tor_tls_verify(LOG_WARN, tls, &k);
928 tt_int_op(ret, OP_EQ, -1);
929
930 MOCK(try_to_extract_certs_from_tls, fixed_try_to_extract_certs_from_tls);
931
932 fixed_try_to_extract_certs_from_tls_cert_out_result = cert1;
933 ret = tor_tls_verify(LOG_WARN, tls, &k);
934 tt_int_op(ret, OP_EQ, -1);
935
936 fixed_try_to_extract_certs_from_tls_id_cert_out_result = cert2;
937 ret = tor_tls_verify(LOG_WARN, tls, &k);
938 tt_int_op(ret, OP_EQ, -1);
939
940 fixed_try_to_extract_certs_from_tls_cert_out_result = invalidCert;
941 fixed_try_to_extract_certs_from_tls_id_cert_out_result = invalidCert;
942
943 ret = tor_tls_verify(LOG_WARN, tls, &k);
944 tt_int_op(ret, OP_EQ, -1);
945
946 fixed_try_to_extract_certs_from_tls_cert_out_result = validCert;
947 fixed_try_to_extract_certs_from_tls_id_cert_out_result = caCert;
948
949 ret = tor_tls_verify(LOG_WARN, tls, &k);
950 tt_int_op(ret, OP_EQ, 0);
951 tt_assert(k);
952
953 done:
954 UNMOCK(try_to_extract_certs_from_tls);
955 tor_free(cert1);
956 tor_free(cert2);
957 tor_free(tls);
958 tor_free(k);
959 }
960 #endif /* !defined(OPENSSL_OPAQUE) */
961
962 #ifndef OPENSSL_OPAQUE
963 static void
964 test_tortls_check_lifetime(void *ignored)
965 {
966 (void)ignored;
967 int ret;
968 tor_tls_t *tls;
969 X509 *validCert = read_cert_from(validCertString);
970 time_t now = time(NULL);
971
972 tls = tor_malloc_zero(sizeof(tor_tls_t));
973 ret = tor_tls_check_lifetime(LOG_WARN, tls, time(NULL), 0, 0);
974 tt_int_op(ret, OP_EQ, -1);
975
976 tls->ssl = tor_malloc_zero(sizeof(SSL));
977 tls->ssl->session = tor_malloc_zero(sizeof(SSL_SESSION));
978 tls->ssl->session->peer = validCert;
979 ret = tor_tls_check_lifetime(LOG_WARN, tls, time(NULL), 0, 0);
980 tt_int_op(ret, OP_EQ, 0);
981
982 ASN1_STRING_free(validCert->cert_info->validity->notBefore);
983 validCert->cert_info->validity->notBefore = ASN1_TIME_set(NULL, now-10);
984 ASN1_STRING_free(validCert->cert_info->validity->notAfter);
985 validCert->cert_info->validity->notAfter = ASN1_TIME_set(NULL, now+60);
986
987 ret = tor_tls_check_lifetime(LOG_WARN, tls, time(NULL), 0, -1000);
988 tt_int_op(ret, OP_EQ, -1);
989
990 ret = tor_tls_check_lifetime(LOG_WARN, tls, time(NULL), -1000, 0);
991 tt_int_op(ret, OP_EQ, -1);
992
993 done:
994 tor_free(tls->ssl->session);
995 tor_free(tls->ssl);
996 tor_free(tls);
997 X509_free(validCert);
998 }
999 #endif /* !defined(OPENSSL_OPAQUE) */
1000
1001 #ifndef OPENSSL_OPAQUE
1002 static int fixed_ssl_pending_result = 0;
1003
1004 static int
1005 fixed_ssl_pending(const SSL *ignored)
1006 {
1007 (void)ignored;
1008 return fixed_ssl_pending_result;
1009 }
1010
1011 static void
1012 test_tortls_get_pending_bytes(void *ignored)
1013 {
1014 (void)ignored;
1015 int ret;
1016 tor_tls_t *tls;
1017 SSL_METHOD *method;
1018
1019 tls = tor_malloc_zero(sizeof(tor_tls_t));
1020 tls->ssl = tor_malloc_zero(sizeof(SSL));
1021 method = tor_malloc_zero(sizeof(SSL_METHOD));
1022 method->ssl_pending = fixed_ssl_pending;
1023 tls->ssl->method = method;
1024
1025 fixed_ssl_pending_result = 42;
1026 ret = tor_tls_get_pending_bytes(tls);
1027 tt_int_op(ret, OP_EQ, 42);
1028
1029 done:
1030 tor_free(method);
1031 tor_free(tls->ssl);
1032 tor_free(tls);
1033 }
1034 #endif /* !defined(OPENSSL_OPAQUE) */
1035
1036 #ifndef OPENSSL_OPAQUE
1037 static void
1038 test_tortls_SSL_SESSION_get_master_key(void *ignored)
1039 {
1040 (void)ignored;
1041 size_t ret;
1042 tor_tls_t *tls;
1043 uint8_t *out;
1044 out = tor_malloc_zero(1);
1045 tls = tor_malloc_zero(sizeof(tor_tls_t));
1046 tls->ssl = tor_malloc_zero(sizeof(SSL));
1047 tls->ssl->session = tor_malloc_zero(sizeof(SSL_SESSION));
1048 tls->ssl->session->master_key_length = 1;
1049
1050 #ifndef HAVE_SSL_SESSION_GET_MASTER_KEY
1051 tls->ssl->session->master_key[0] = 43;
1052 ret = SSL_SESSION_get_master_key(tls->ssl->session, out, 0);
1053 tt_int_op(ret, OP_EQ, 1);
1054 tt_int_op(out[0], OP_EQ, 0);
1055
1056 ret = SSL_SESSION_get_master_key(tls->ssl->session, out, 1);
1057 tt_int_op(ret, OP_EQ, 1);
1058 tt_int_op(out[0], OP_EQ, 43);
1059
1060 done:
1061 #endif /* !defined(HAVE_SSL_SESSION_GET_MASTER_KEY) */
1062 tor_free(tls->ssl->session);
1063 tor_free(tls->ssl);
1064 tor_free(tls);
1065 tor_free(out);
1066 }
1067 #endif /* !defined(OPENSSL_OPAQUE) */
1068
1069 #ifndef OPENSSL_OPAQUE
1070 static void
1071 test_tortls_get_tlssecrets(void *ignored)
1072 {
1073 (void)ignored;
1074 int ret;
1075 uint8_t *secret_out = tor_malloc_zero(DIGEST256_LEN);
1076 tor_tls_t *tls;
1077 tls = tor_malloc_zero(sizeof(tor_tls_t));
1078 tls->ssl = tor_malloc_zero(sizeof(SSL));
1079 tls->ssl->session = tor_malloc_zero(sizeof(SSL_SESSION));
1080 tls->ssl->session->master_key_length = 1;
1081 tls->ssl->s3 = tor_malloc_zero(sizeof(SSL3_STATE));
1082
1083 ret = tor_tls_get_tlssecrets(tls, secret_out);
1084 tt_int_op(ret, OP_EQ, 0);
1085
1086 done:
1087 tor_free(secret_out);
1088 tor_free(tls->ssl->s3);
1089 tor_free(tls->ssl->session);
1090 tor_free(tls->ssl);
1091 tor_free(tls);
1092 }
1093 #endif /* !defined(OPENSSL_OPAQUE) */
1094
1095 #ifndef OPENSSL_OPAQUE
1096 static void
1097 test_tortls_get_buffer_sizes(void *ignored)
1098 {
1099 (void)ignored;
1100 int ret;
1101 tor_tls_t *tls;
1102 size_t rbuf_c=-1, rbuf_b=-1, wbuf_c=-1, wbuf_b=-1;
1103
1104 tls = tor_malloc_zero(sizeof(tor_tls_t));
1105 tls->ssl = tor_malloc_zero(sizeof(SSL));
1106 tls->ssl->s3 = tor_malloc_zero(sizeof(SSL3_STATE));
1107
1108 tls->ssl->s3->rbuf.buf = NULL;
1109 tls->ssl->s3->rbuf.len = 1;
1110 tls->ssl->s3->rbuf.offset = 0;
1111 tls->ssl->s3->rbuf.left = 42;
1112
1113 tls->ssl->s3->wbuf.buf = NULL;
1114 tls->ssl->s3->wbuf.len = 2;
1115 tls->ssl->s3->wbuf.offset = 0;
1116 tls->ssl->s3->wbuf.left = 43;
1117
1118 ret = tor_tls_get_buffer_sizes(tls, &rbuf_c, &rbuf_b, &wbuf_c, &wbuf_b);
1119 #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
1120 tt_int_op(ret, OP_EQ, -1);
1121 #else
1122 tt_int_op(ret, OP_EQ, 0);
1123 tt_int_op(rbuf_c, OP_EQ, 0);
1124 tt_int_op(wbuf_c, OP_EQ, 0);
1125 tt_int_op(rbuf_b, OP_EQ, 42);
1126 tt_int_op(wbuf_b, OP_EQ, 43);
1127
1128 tls->ssl->s3->rbuf.buf = tor_malloc_zero(1);
1129 tls->ssl->s3->wbuf.buf = tor_malloc_zero(1);
1130 ret = tor_tls_get_buffer_sizes(tls, &rbuf_c, &rbuf_b, &wbuf_c, &wbuf_b);
1131 tt_int_op(ret, OP_EQ, 0);
1132 tt_int_op(rbuf_c, OP_EQ, 1);
1133 tt_int_op(wbuf_c, OP_EQ, 2);
1134
1135 #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) */
1136
1137 done:
1138 tor_free(tls->ssl->s3->rbuf.buf);
1139 tor_free(tls->ssl->s3->wbuf.buf);
1140 tor_free(tls->ssl->s3);
1141 tor_free(tls->ssl);
1142 tor_free(tls);
1143 }
1144 #endif /* !defined(OPENSSL_OPAQUE) */
1145
1146 #ifndef OPENSSL_OPAQUE
1147 typedef struct cert_pkey_st_local
1148 {
1149 X509 *x509;
1150 EVP_PKEY *privatekey;
1151 const EVP_MD *digest;
1152 } CERT_PKEY_local;
1153
1154 typedef struct sess_cert_st_local
1155 {
1156 STACK_OF(X509) *cert_chain;
1157 int peer_cert_type;
1158 CERT_PKEY_local *peer_key;
1159 CERT_PKEY_local peer_pkeys[8];
1160 int references;
1161 } SESS_CERT_local;
1162
1163 static void
1164 test_tortls_try_to_extract_certs_from_tls(void *ignored)
1165 {
1166 (void)ignored;
1167 tor_tls_t *tls;
1168 X509 *cert = NULL, *id_cert = NULL, *c1 = NULL, *c2 = NULL;
1169 SESS_CERT_local *sess = NULL;
1170
1171 c1 = read_cert_from(validCertString);
1172 c2 = read_cert_from(caCertString);
1173
1174 tls = tor_malloc_zero(sizeof(tor_tls_t));
1175 tls->ssl = tor_malloc_zero(sizeof(SSL));
1176 tls->ssl->session = tor_malloc_zero(sizeof(SSL_SESSION));
1177 sess = tor_malloc_zero(sizeof(SESS_CERT_local));
1178 tls->ssl->session->sess_cert = (void *)sess;
1179
1180 try_to_extract_certs_from_tls(LOG_WARN, tls, &cert, &id_cert);
1181 tt_assert(!cert);
1182 tt_assert(!id_cert);
1183
1184 tls->ssl->session->peer = c1;
1185 try_to_extract_certs_from_tls(LOG_WARN, tls, &cert, &id_cert);
1186 tt_assert(cert == c1);
1187 tt_assert(!id_cert);
1188 X509_free(cert); /* decrease refcnt */
1189
1190 sess->cert_chain = sk_X509_new_null();
1191 try_to_extract_certs_from_tls(LOG_WARN, tls, &cert, &id_cert);
1192 tt_assert(cert == c1);
1193 tt_assert(!id_cert);
1194 X509_free(cert); /* decrease refcnt */
1195
1196 sk_X509_push(sess->cert_chain, c1);
1197 sk_X509_push(sess->cert_chain, c2);
1198
1199 try_to_extract_certs_from_tls(LOG_WARN, tls, &cert, &id_cert);
1200 tt_assert(cert == c1);
1201 tt_assert(id_cert);
1202 X509_free(cert); /* decrease refcnt */
1203
1204 done:
1205 sk_X509_free(sess->cert_chain);
1206 tor_free(sess);
1207 tor_free(tls->ssl->session);
1208 tor_free(tls->ssl);
1209 tor_free(tls);
1210 X509_free(c1);
1211 X509_free(c2);
1212 }
1213 #endif /* !defined(OPENSSL_OPAQUE) */
1214
1215 #ifndef OPENSSL_OPAQUE
1216 static void
1217 test_tortls_get_peer_cert(void *ignored)
1218 {
1219 (void)ignored;
1220 tor_x509_cert_t *ret;
1221 tor_tls_t *tls;
1222 X509 *cert = NULL;
1223
1224 cert = read_cert_from(validCertString);
1225
1226 tls = tor_malloc_zero(sizeof(tor_tls_t));
1227 tls->ssl = tor_malloc_zero(sizeof(SSL));
1228 tls->ssl->session = tor_malloc_zero(sizeof(SSL_SESSION));
1229
1230 ret = tor_tls_get_peer_cert(tls);
1231 tt_assert(!ret);
1232
1233 tls->ssl->session->peer = cert;
1234 ret = tor_tls_get_peer_cert(tls);
1235 tt_assert(ret);
1236 tt_assert(ret->cert == cert);
1237
1238 done:
1239 tor_x509_cert_free(ret);
1240 tor_free(tls->ssl->session);
1241 tor_free(tls->ssl);
1242 tor_free(tls);
1243 X509_free(cert);
1244 }
1245 #endif /* !defined(OPENSSL_OPAQUE) */
1246
1247 #ifndef OPENSSL_OPAQUE
1248 static void
1249 test_tortls_peer_has_cert(void *ignored)
1250 {
1251 (void)ignored;
1252 int ret;
1253 tor_tls_t *tls;
1254 X509 *cert = NULL;
1255
1256 cert = read_cert_from(validCertString);
1257
1258 tls = tor_malloc_zero(sizeof(tor_tls_t));
1259 tls->ssl = tor_malloc_zero(sizeof(SSL));
1260 tls->ssl->session = tor_malloc_zero(sizeof(SSL_SESSION));
1261
1262 ret = tor_tls_peer_has_cert(tls);
1263 tt_assert(!ret);
1264
1265 tls->ssl->session->peer = cert;
1266 ret = tor_tls_peer_has_cert(tls);
1267 tt_assert(ret);
1268
1269 done:
1270 tor_free(tls->ssl->session);
1271 tor_free(tls->ssl);
1272 tor_free(tls);
1273 X509_free(cert);
1274 }
1275 #endif /* !defined(OPENSSL_OPAQUE) */
1276
1277 static void
1278 test_tortls_get_write_overhead_ratio(void *ignored)
1279 {
1280 (void)ignored;
1281 double ret;
1282
1283 total_bytes_written_over_tls = 0;
1284 ret = tls_get_write_overhead_ratio();
1285 tt_double_op(fabs(ret - 1.0), OP_LT, 1E-12);
1286
1287 total_bytes_written_by_tls = 10;
1288 total_bytes_written_over_tls = 1;
1289 ret = tls_get_write_overhead_ratio();
1290 tt_double_op(fabs(ret - 10.0), OP_LT, 1E-12);
1291
1292 total_bytes_written_by_tls = 10;
1293 total_bytes_written_over_tls = 2;
1294 ret = tls_get_write_overhead_ratio();
1295 tt_double_op(fabs(ret - 5.0), OP_LT, 1E-12);
1296
1297 done:
1298 (void)0;
1299 }
1300
1301 static void
1302 test_tortls_is_server(void *ignored)
1303 {
1304 (void)ignored;
1305 tor_tls_t *tls;
1306 int ret;
1307
1308 tls = tor_malloc_zero(sizeof(tor_tls_t));
1309 tls->isServer = 1;
1310 ret = tor_tls_is_server(tls);
1311 tt_int_op(ret, OP_EQ, 1);
1312
1313 done:
1314 tor_free(tls);
1315 }
1316
1317 #ifndef OPENSSL_OPAQUE
1318 static void
1319 test_tortls_session_secret_cb(void *ignored)
1320 {
1321 (void)ignored;
1322 tor_tls_t *tls;
1323 SSL_CTX *ctx;
1324 STACK_OF(SSL_CIPHER) *ciphers = NULL;
1325 SSL_CIPHER *one;
1326
1327 library_init();
1328
1329 tor_tls_allocate_tor_tls_object_ex_data_index();
1330
1331 tls = tor_malloc_zero(sizeof(tor_tls_t));
1332
1333 tls->magic = TOR_TLS_MAGIC;
1334
1335 ctx = SSL_CTX_new(TLSv1_method());
1336 tls->ssl = SSL_new(ctx);
1337 SSL_set_ex_data(tls->ssl, tor_tls_object_ex_data_index, tls);
1338
1339 SSL_set_session_secret_cb(tls->ssl, tor_tls_session_secret_cb, NULL);
1340
1341 tor_tls_session_secret_cb(tls->ssl, NULL, NULL, NULL, NULL, NULL);
1342 tt_assert(!tls->ssl->tls_session_secret_cb);
1343
1344 one = get_cipher_by_name("ECDHE-RSA-AES256-GCM-SHA384");
1345 one->id = 0x00ff;
1346 ciphers = sk_SSL_CIPHER_new_null();
1347 sk_SSL_CIPHER_push(ciphers, one);
1348
1349 tls->client_cipher_list_type = 0;
1350 tor_tls_session_secret_cb(tls->ssl, NULL, NULL, ciphers, NULL, NULL);
1351 tt_assert(!tls->ssl->tls_session_secret_cb);
1352
1353 done:
1354 sk_SSL_CIPHER_free(ciphers);
1355 SSL_free(tls->ssl);
1356 SSL_CTX_free(ctx);
1357 tor_free(tls);
1358 }
1359 #endif /* !defined(OPENSSL_OPAQUE) */
1360
1361 #ifndef OPENSSL_OPAQUE
1362 /* TODO: It seems block_renegotiation and unblock_renegotiation and
1363 * using different blags. This might not be correct */
1364 static void
1365 test_tortls_block_renegotiation(void *ignored)
1366 {
1367 (void)ignored;
1368 tor_tls_t *tls;
1369
1370 tls = tor_malloc_zero(sizeof(tor_tls_t));
1371 tls->ssl = tor_malloc_zero(sizeof(SSL));
1372 tls->ssl->s3 = tor_malloc_zero(sizeof(SSL3_STATE));
1373 #ifndef SUPPORT_UNSAFE_RENEGOTIATION_FLAG
1374 #define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0
1375 #endif
1376
1377 tls->ssl->s3->flags = SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
1378
1379 tor_tls_block_renegotiation(tls);
1380
1381 #ifndef OPENSSL_1_1_API
1382 tt_assert(!(tls->ssl->s3->flags &
1383 SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
1384 #endif
1385
1386 done:
1387 tor_free(tls->ssl->s3);
1388 tor_free(tls->ssl);
1389 tor_free(tls);
1390 }
1391
1392 static void
1393 test_tortls_unblock_renegotiation(void *ignored)
1394 {
1395 (void)ignored;
1396 tor_tls_t *tls;
1397
1398 tls = tor_malloc_zero(sizeof(tor_tls_t));
1399 tls->ssl = tor_malloc_zero(sizeof(SSL));
1400 tor_tls_unblock_renegotiation(tls);
1401
1402 tt_uint_op(SSL_get_options(tls->ssl) &
1403 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, OP_EQ,
1404 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
1405
1406 done:
1407 tor_free(tls->ssl);
1408 tor_free(tls);
1409 }
1410 #endif /* !defined(OPENSSL_OPAQUE) */
1411
1412 #ifndef OPENSSL_OPAQUE
1413 static void
1414 test_tortls_assert_renegotiation_unblocked(void *ignored)
1415 {
1416 (void)ignored;
1417 tor_tls_t *tls;
1418
1419 tls = tor_malloc_zero(sizeof(tor_tls_t));
1420 tls->ssl = tor_malloc_zero(sizeof(SSL));
1421 tor_tls_unblock_renegotiation(tls);
1422 tor_tls_assert_renegotiation_unblocked(tls);
1423 /* No assertion here - this test will fail if tor_assert is turned on
1424 * and things are bad. */
1425
1426 tor_free(tls->ssl);
1427 tor_free(tls);
1428 }
1429 #endif /* !defined(OPENSSL_OPAQUE) */
1430
1431 static void
1432 test_tortls_set_logged_address(void *ignored)
1433 {
1434 (void)ignored;
1435 tor_tls_t *tls;
1436
1437 tls = tor_malloc_zero(sizeof(tor_tls_t));
1438
1439 tor_tls_set_logged_address(tls, "foo bar");
1440
1441 tt_str_op(tls->address, OP_EQ, "foo bar");
1442
1443 tor_tls_set_logged_address(tls, "foo bar 2");
1444 tt_str_op(tls->address, OP_EQ, "foo bar 2");
1445
1446 done:
1447 tor_free(tls->address);
1448 tor_free(tls);
1449 }
1450
1451 #ifndef OPENSSL_OPAQUE
1452 static void
1453 example_cb(tor_tls_t *t, void *arg)
1454 {
1455 (void)t;
1456 (void)arg;
1457 }
1458
1459 static void
1460 test_tortls_set_renegotiate_callback(void *ignored)
1461 {
1462 (void)ignored;
1463 tor_tls_t *tls;
1464 const char *arg = "hello";
1465
1466 tls = tor_malloc_zero(sizeof(tor_tls_t));
1467 tls->ssl = tor_malloc_zero(sizeof(SSL));
1468
1469 tor_tls_set_renegotiate_callback(tls, example_cb, (void*)arg);
1470 tt_assert(tls->negotiated_callback == example_cb);
1471 tt_assert(tls->callback_arg == arg);
1472 tt_assert(!tls->got_renegotiate);
1473
1474 /* Assumes V2_HANDSHAKE_SERVER */
1475 tt_assert(tls->ssl->info_callback == tor_tls_server_info_callback);
1476
1477 tor_tls_set_renegotiate_callback(tls, NULL, (void*)arg);
1478 tt_assert(tls->ssl->info_callback == tor_tls_debug_state_callback);
1479
1480 done:
1481 tor_free(tls->ssl);
1482 tor_free(tls);
1483 }
1484 #endif /* !defined(OPENSSL_OPAQUE) */
1485
1486 #ifndef OPENSSL_OPAQUE
1487 static SSL_CIPHER *fixed_cipher1 = NULL;
1488 static SSL_CIPHER *fixed_cipher2 = NULL;
1489 static const SSL_CIPHER *
1490 fake_get_cipher(unsigned ncipher)
1491 {
1492
1493 switch (ncipher) {
1494 case 1:
1495 return fixed_cipher1;
1496 case 2:
1497 return fixed_cipher2;
1498 default:
1499 return NULL;
1500 }
1501 }
1502 #endif /* !defined(OPENSSL_OPAQUE) */
1503
1504 #ifndef OPENSSL_OPAQUE
1505 static void
1506 test_tortls_find_cipher_by_id(void *ignored)
1507 {
1508 (void)ignored;
1509 int ret;
1510 SSL *ssl;
1511 SSL_CTX *ctx;
1512 const SSL_METHOD *m = TLSv1_method();
1513 SSL_METHOD *empty_method = tor_malloc_zero(sizeof(SSL_METHOD));
1514
1515 fixed_cipher1 = tor_malloc_zero(sizeof(SSL_CIPHER));
1516 fixed_cipher2 = tor_malloc_zero(sizeof(SSL_CIPHER));
1517 fixed_cipher2->id = 0xC00A;
1518
1519 library_init();
1520
1521 ctx = SSL_CTX_new(m);
1522 ssl = SSL_new(ctx);
1523
1524 ret = find_cipher_by_id(ssl, NULL, 0xC00A);
1525 tt_int_op(ret, OP_EQ, 1);
1526
1527 ret = find_cipher_by_id(ssl, m, 0xC00A);
1528 tt_int_op(ret, OP_EQ, 1);
1529
1530 ret = find_cipher_by_id(ssl, m, 0xFFFF);
1531 tt_int_op(ret, OP_EQ, 0);
1532
1533 ret = find_cipher_by_id(ssl, empty_method, 0xC00A);
1534 tt_int_op(ret, OP_EQ, 1);
1535
1536 ret = find_cipher_by_id(ssl, empty_method, 0xFFFF);
1537 #ifdef HAVE_SSL_CIPHER_FIND
1538 tt_int_op(ret, OP_EQ, 0);
1539 #else
1540 tt_int_op(ret, OP_EQ, 1);
1541 #endif
1542
1543 empty_method->get_cipher = fake_get_cipher;
1544 ret = find_cipher_by_id(ssl, empty_method, 0xC00A);
1545 tt_int_op(ret, OP_EQ, 1);
1546
1547 empty_method->get_cipher = m->get_cipher;
1548 empty_method->num_ciphers = m->num_ciphers;
1549 ret = find_cipher_by_id(ssl, empty_method, 0xC00A);
1550 tt_int_op(ret, OP_EQ, 1);
1551
1552 empty_method->get_cipher = fake_get_cipher;
1553 empty_method->num_ciphers = m->num_ciphers;
1554 ret = find_cipher_by_id(ssl, empty_method, 0xC00A);
1555 tt_int_op(ret, OP_EQ, 1);
1556
1557 empty_method->num_ciphers = fake_num_ciphers;
1558 ret = find_cipher_by_id(ssl, empty_method, 0xC00A);
1559 #ifdef HAVE_SSL_CIPHER_FIND
1560 tt_int_op(ret, OP_EQ, 1);
1561 #else
1562 tt_int_op(ret, OP_EQ, 0);
1563 #endif
1564
1565 done:
1566 tor_free(empty_method);
1567 SSL_free(ssl);
1568 SSL_CTX_free(ctx);
1569 tor_free(fixed_cipher1);
1570 }
1571 #endif /* !defined(OPENSSL_OPAQUE) */
1572
1573 #ifndef OPENSSL_OPAQUE
1574 static void
1575 test_tortls_debug_state_callback(void *ignored)
1576 {
1577 (void)ignored;
1578 SSL *ssl;
1579 char *buf = tor_malloc_zero(1000);
1580 int n;
1581
1582 setup_capture_of_logs(LOG_DEBUG);
1583
1584 ssl = tor_malloc_zero(sizeof(SSL));
1585
1586 tor_tls_debug_state_callback(ssl, 32, 45);
1587
1588 n = tor_snprintf(buf, 1000, "SSL %p is now in state unknown"
1589 " state [type=32,val=45].\n", ssl);
1590 /* tor's snprintf returns -1 on error */
1591 tt_int_op(n, OP_NE, -1);
1592 expect_log_msg(buf);
1593
1594 done:
1595 teardown_capture_of_logs();
1596 tor_free(buf);
1597 tor_free(ssl);
1598 }
1599 #endif /* !defined(OPENSSL_OPAQUE) */
1600
1601 #ifndef OPENSSL_OPAQUE
1602 static void
1603 test_tortls_server_info_callback(void *ignored)
1604 {
1605 (void)ignored;
1606 tor_tls_t *tls;
1607 SSL_CTX *ctx;
1608 SSL *ssl;
1609
1610 library_init();
1611
1612 ctx = SSL_CTX_new(TLSv1_method());
1613 ssl = SSL_new(ctx);
1614
1615 tor_tls_allocate_tor_tls_object_ex_data_index();
1616
1617 tls = tor_malloc_zero(sizeof(tor_tls_t));
1618 tls->magic = TOR_TLS_MAGIC;
1619 tls->ssl = ssl;
1620
1621 setup_full_capture_of_logs(LOG_WARN);
1622 SSL_set_state(ssl, SSL3_ST_SW_SRVR_HELLO_A);
1623 mock_clean_saved_logs();
1624 tor_tls_server_info_callback(ssl, SSL_CB_ACCEPT_LOOP, 0);
1625 expect_single_log_msg("Couldn't look up the tls for an SSL*. How odd!\n");
1626
1627 SSL_set_state(ssl, SSL3_ST_SW_SRVR_HELLO_B);
1628 mock_clean_saved_logs();
1629 tor_tls_server_info_callback(ssl, SSL_CB_ACCEPT_LOOP, 0);
1630 expect_single_log_msg("Couldn't look up the tls for an SSL*. How odd!\n");
1631
1632 SSL_set_state(ssl, 99);
1633 mock_clean_saved_logs();
1634 tor_tls_server_info_callback(ssl, SSL_CB_ACCEPT_LOOP, 0);
1635 expect_no_log_entry();
1636 teardown_capture_of_logs();
1637
1638 SSL_set_ex_data(tls->ssl, tor_tls_object_ex_data_index, tls);
1639 SSL_set_state(ssl, SSL3_ST_SW_SRVR_HELLO_B);
1640 tls->negotiated_callback = 0;
1641 tls->server_handshake_count = 120;
1642 tor_tls_server_info_callback(ssl, SSL_CB_ACCEPT_LOOP, 0);
1643 tt_int_op(tls->server_handshake_count, OP_EQ, 121);
1644
1645 tls->server_handshake_count = 127;
1646 tls->negotiated_callback = (void *)1;
1647 tor_tls_server_info_callback(ssl, SSL_CB_ACCEPT_LOOP, 0);
1648 tt_int_op(tls->server_handshake_count, OP_EQ, 127);
1649 tt_int_op(tls->got_renegotiate, OP_EQ, 1);
1650
1651 tls->ssl->session = SSL_SESSION_new();
1652 tls->wasV2Handshake = 0;
1653 tor_tls_server_info_callback(ssl, SSL_CB_ACCEPT_LOOP, 0);
1654 tt_int_op(tls->wasV2Handshake, OP_EQ, 0);
1655
1656 done:
1657 teardown_capture_of_logs();
1658 SSL_free(ssl);
1659 SSL_CTX_free(ctx);
1660 tor_free(tls);
1661 }
1662 #endif /* !defined(OPENSSL_OPAQUE) */
1663
1664 #ifndef OPENSSL_OPAQUE
1665 static int fixed_ssl_read_result_index;
1666 static int fixed_ssl_read_result[5];
1667 static int fixed_ssl_shutdown_result;
1668
1669 static int
1670 fixed_ssl_read(SSL *s, void *buf, int len)
1671 {
1672 (void)s;
1673 (void)buf;
1674 (void)len;
1675 return fixed_ssl_read_result[fixed_ssl_read_result_index++];
1676 }
1677
1678 static int
1679 fixed_ssl_shutdown(SSL *s)
1680 {
1681 (void)s;
1682 return fixed_ssl_shutdown_result;
1683 }
1684
1685 #ifndef LIBRESSL_VERSION_NUMBER
1686 static int fixed_ssl_state_to_set;
1687 static tor_tls_t *fixed_tls;
1688
1689 static int
1690 setting_version_ssl_shutdown(SSL *s)
1691 {
1692 s->version = SSL2_VERSION;
1693 return fixed_ssl_shutdown_result;
1694 }
1695
1696 static int
1697 setting_version_and_state_ssl_shutdown(SSL *s)
1698 {
1699 fixed_tls->state = fixed_ssl_state_to_set;
1700 s->version = SSL2_VERSION;
1701 return fixed_ssl_shutdown_result;
1702 }
1703 #endif /* !defined(LIBRESSL_VERSION_NUMBER) */
1704
1705 static int
1706 dummy_handshake_func(SSL *s)
1707 {
1708 (void)s;
1709 return 1;
1710 }
1711
1712 static void
1713 test_tortls_shutdown(void *ignored)
1714 {
1715 (void)ignored;
1716 int ret;
1717 tor_tls_t *tls;
1718 SSL_METHOD *method = give_me_a_test_method();
1719 setup_capture_of_logs(LOG_WARN);
1720
1721 tls = tor_malloc_zero(sizeof(tor_tls_t));
1722 tls->ssl = tor_malloc_zero(sizeof(SSL));
1723 tls->ssl->method = method;
1724 method->ssl_read = fixed_ssl_read;
1725 method->ssl_shutdown = fixed_ssl_shutdown;
1726
1727 ret = tor_tls_shutdown(tls);
1728 tt_int_op(ret, OP_EQ, -9);
1729
1730 tls->state = TOR_TLS_ST_SENTCLOSE;
1731 fixed_ssl_read_result_index = 0;
1732 fixed_ssl_read_result[0] = 10;
1733 fixed_ssl_read_result[1] = -1;
1734 ret = tor_tls_shutdown(tls);
1735 tt_int_op(ret, OP_EQ, -9);
1736
1737 #ifndef LIBRESSL_VERSION_NUMBER
1738 tls->ssl->handshake_func = dummy_handshake_func;
1739
1740 fixed_ssl_read_result_index = 0;
1741 fixed_ssl_read_result[0] = 10;
1742 fixed_ssl_read_result[1] = 42;
1743 fixed_ssl_read_result[2] = 0;
1744 fixed_ssl_shutdown_result = 1;
1745 ERR_clear_error();
1746 tls->ssl->version = SSL2_VERSION;
1747 ret = tor_tls_shutdown(tls);
1748 tt_int_op(ret, OP_EQ, TOR_TLS_DONE);
1749 tt_int_op(tls->state, OP_EQ, TOR_TLS_ST_CLOSED);
1750
1751 fixed_ssl_read_result_index = 0;
1752 fixed_ssl_read_result[0] = 10;
1753 fixed_ssl_read_result[1] = 42;
1754 fixed_ssl_read_result[2] = 0;
1755 fixed_ssl_shutdown_result = 0;
1756 ERR_clear_error();
1757 tls->ssl->version = 0;
1758 ret = tor_tls_shutdown(tls);
1759 tt_int_op(ret, OP_EQ, TOR_TLS_DONE);
1760 tt_int_op(tls->state, OP_EQ, TOR_TLS_ST_CLOSED);
1761
1762 fixed_ssl_read_result_index = 0;
1763 fixed_ssl_read_result[0] = 10;
1764 fixed_ssl_read_result[1] = 42;
1765 fixed_ssl_read_result[2] = 0;
1766 fixed_ssl_shutdown_result = 0;
1767 ERR_clear_error();
1768 tls->ssl->version = 0;
1769 method->ssl_shutdown = setting_version_ssl_shutdown;
1770 ret = tor_tls_shutdown(tls);
1771 tt_int_op(ret, OP_EQ, TOR_TLS_ERROR_MISC);
1772
1773 fixed_ssl_read_result_index = 0;
1774 fixed_ssl_read_result[0] = 10;
1775 fixed_ssl_read_result[1] = 42;
1776 fixed_ssl_read_result[2] = 0;
1777 fixed_ssl_shutdown_result = 0;
1778 fixed_tls = tls;
1779 fixed_ssl_state_to_set = TOR_TLS_ST_GOTCLOSE;
1780 ERR_clear_error();
1781 tls->ssl->version = 0;
1782 method->ssl_shutdown = setting_version_and_state_ssl_shutdown;
1783 ret = tor_tls_shutdown(tls);
1784 tt_int_op(ret, OP_EQ, TOR_TLS_ERROR_MISC);
1785
1786 fixed_ssl_read_result_index = 0;
1787 fixed_ssl_read_result[0] = 10;
1788 fixed_ssl_read_result[1] = 42;
1789 fixed_ssl_read_result[2] = 0;
1790 fixed_ssl_read_result[3] = -1;
1791 fixed_ssl_shutdown_result = 0;
1792 fixed_tls = tls;
1793 fixed_ssl_state_to_set = 0;
1794 ERR_clear_error();
1795 tls->ssl->version = 0;
1796 method->ssl_shutdown = setting_version_and_state_ssl_shutdown;
1797 ret = tor_tls_shutdown(tls);
1798 tt_int_op(ret, OP_EQ, TOR_TLS_ERROR_MISC);
1799 #endif /* !defined(LIBRESSL_VERSION_NUMBER) */
1800
1801 done:
1802 teardown_capture_of_logs();
1803 tor_free(method);
1804 tor_free(tls->ssl);
1805 tor_free(tls);
1806 }
1807
1808 static int negotiated_callback_called;
1809
1810 static void
1811 negotiated_callback_setter(tor_tls_t *t, void *arg)
1812 {
1813 (void)t;
1814 (void)arg;
1815 negotiated_callback_called++;
1816 }
1817
1818 static void
1819 test_tortls_read(void *ignored)
1820 {
1821 (void)ignored;
1822 int ret;
1823 tor_tls_t *tls;
1824 char buf[100];
1825 SSL_METHOD *method = give_me_a_test_method();
1826 setup_capture_of_logs(LOG_WARN);
1827
1828 tls = tor_malloc_zero(sizeof(tor_tls_t));
1829 tls->ssl = tor_malloc_zero(sizeof(SSL));
1830 tls->state = TOR_TLS_ST_OPEN;
1831
1832 ret = tor_tls_read(tls, buf, 10);
1833 tt_int_op(ret, OP_EQ, -9);
1834
1835 /* These tests assume that V2_HANDSHAKE_SERVER is set */
1836 tls->ssl->handshake_func = dummy_handshake_func;
1837 tls->ssl->method = method;
1838 method->ssl_read = fixed_ssl_read;
1839 fixed_ssl_read_result_index = 0;
1840 fixed_ssl_read_result[0] = 42;
1841 tls->state = TOR_TLS_ST_OPEN;
1842 ERR_clear_error();
1843 ret = tor_tls_read(tls, buf, 10);
1844 tt_int_op(ret, OP_EQ, 42);
1845
1846 tls->state = TOR_TLS_ST_OPEN;
1847 tls->got_renegotiate = 1;
1848 fixed_ssl_read_result_index = 0;
1849 ERR_clear_error();
1850 ret = tor_tls_read(tls, buf, 10);
1851 tt_int_op(tls->got_renegotiate, OP_EQ, 0);
1852
1853 tls->state = TOR_TLS_ST_OPEN;
1854 tls->got_renegotiate = 1;
1855 negotiated_callback_called = 0;
1856 tls->negotiated_callback = negotiated_callback_setter;
1857 fixed_ssl_read_result_index = 0;
1858 ERR_clear_error();
1859 ret = tor_tls_read(tls, buf, 10);
1860 tt_int_op(negotiated_callback_called, OP_EQ, 1);
1861
1862 #ifndef LIBRESSL_VERSION_NUMBER
1863 fixed_ssl_read_result_index = 0;
1864 fixed_ssl_read_result[0] = 0;
1865 tls->ssl->version = SSL2_VERSION;
1866 ERR_clear_error();
1867 ret = tor_tls_read(tls, buf, 10);
1868 tt_int_op(ret, OP_EQ, TOR_TLS_CLOSE);
1869 tt_int_op(tls->state, OP_EQ, TOR_TLS_ST_CLOSED);
1870 #endif /* !defined(LIBRESSL_VERSION_NUMBER) */
1871 // TODO: fill up
1872
1873 done:
1874 teardown_capture_of_logs();
1875 tor_free(tls->ssl);
1876 tor_free(tls);
1877 tor_free(method);
1878 }
1879
1880 static int fixed_ssl_write_result;
1881
1882 static int
1883 fixed_ssl_write(SSL *s, const void *buf, int len)
1884 {
1885 (void)s;
1886 (void)buf;
1887 (void)len;
1888 return fixed_ssl_write_result;
1889 }
1890
1891 static void
1892 test_tortls_write(void *ignored)
1893 {
1894 (void)ignored;
1895 int ret;
1896 tor_tls_t *tls;
1897 SSL_METHOD *method = give_me_a_test_method();
1898 char buf[100];
1899 setup_capture_of_logs(LOG_WARN);
1900
1901 tls = tor_malloc_zero(sizeof(tor_tls_t));
1902 tls->ssl = tor_malloc_zero(sizeof(SSL));
1903 tls->state = TOR_TLS_ST_OPEN;
1904
1905 ret = tor_tls_write(tls, buf, 0);
1906 tt_int_op(ret, OP_EQ, 0);
1907
1908 ret = tor_tls_write(tls, buf, 10);
1909 tt_int_op(ret, OP_EQ, -9);
1910
1911 tls->ssl->method = method;
1912 tls->wantwrite_n = 1;
1913 ret = tor_tls_write(tls, buf, 10);
1914 tt_int_op(tls->wantwrite_n, OP_EQ, 0);
1915
1916 method->ssl_write = fixed_ssl_write;
1917 tls->ssl->handshake_func = dummy_handshake_func;
1918 fixed_ssl_write_result = 1;
1919 ERR_clear_error();
1920 ret = tor_tls_write(tls, buf, 10);
1921 tt_int_op(ret, OP_EQ, 1);
1922
1923 fixed_ssl_write_result = -1;
1924 ERR_clear_error();
1925 tls->ssl->rwstate = SSL_READING;
1926 SSL_set_bio(tls->ssl, BIO_new(BIO_s_mem()), NULL);
1927 SSL_get_rbio(tls->ssl)->flags = BIO_FLAGS_READ;
1928 ret = tor_tls_write(tls, buf, 10);
1929 tt_int_op(ret, OP_EQ, TOR_TLS_WANTREAD);
1930
1931 ERR_clear_error();
1932 tls->ssl->rwstate = SSL_READING;
1933 SSL_set_bio(tls->ssl, BIO_new(BIO_s_mem()), NULL);
1934 SSL_get_rbio(tls->ssl)->flags = BIO_FLAGS_WRITE;
1935 ret = tor_tls_write(tls, buf, 10);
1936 tt_int_op(ret, OP_EQ, TOR_TLS_WANTWRITE);
1937
1938 done:
1939 teardown_capture_of_logs();
1940 BIO_free(tls->ssl->rbio);
1941 tor_free(tls->ssl);
1942 tor_free(tls);
1943 tor_free(method);
1944 }
1945 #endif /* !defined(OPENSSL_OPAQUE) */
1946
1947 #ifndef OPENSSL_OPAQUE
1948 static int fixed_ssl_accept_result;
1949 static int fixed_ssl_connect_result;
1950
1951 static int
1952 setting_error_ssl_accept(SSL *ssl)
1953 {
1954 (void)ssl;
1955 ERR_put_error(ERR_LIB_BN, 2, -1, "somewhere.c", 99);
1956 ERR_put_error(ERR_LIB_SYS, 2, -1, "somewhere.c", 99);
1957 return fixed_ssl_accept_result;
1958 }
1959
1960 static int
1961 setting_error_ssl_connect(SSL *ssl)
1962 {
1963 (void)ssl;
1964 ERR_put_error(ERR_LIB_BN, 2, -1, "somewhere.c", 99);
1965 ERR_put_error(ERR_LIB_SYS, 2, -1, "somewhere.c", 99);
1966 return fixed_ssl_connect_result;
1967 }
1968
1969 static int
1970 fixed_ssl_accept(SSL *ssl)
1971 {
1972 (void) ssl;
1973 return fixed_ssl_accept_result;
1974 }
1975
1976 static void
1977 test_tortls_handshake(void *ignored)
1978 {
1979 (void)ignored;
1980 int ret;
1981 tor_tls_t *tls;
1982 SSL_CTX *ctx;
1983 SSL_METHOD *method = give_me_a_test_method();
1984 setup_capture_of_logs(LOG_INFO);
1985
1986 SSL_library_init();
1987 SSL_load_error_strings();
1988
1989 ctx = SSL_CTX_new(TLSv1_method());
1990
1991 tls = tor_malloc_zero(sizeof(tor_tls_t));
1992 tls->ssl = SSL_new(ctx);
1993 tls->state = TOR_TLS_ST_HANDSHAKE;
1994
1995 ret = tor_tls_handshake(tls);
1996 tt_int_op(ret, OP_EQ, -9);
1997
1998 tls->isServer = 1;
1999 tls->state = TOR_TLS_ST_HANDSHAKE;
2000 ret = tor_tls_handshake(tls);
2001 tt_int_op(ret, OP_EQ, -9);
2002
2003 tls->ssl->method = method;
2004 method->ssl_accept = fixed_ssl_accept;
2005 fixed_ssl_accept_result = 2;
2006 ERR_clear_error();
2007 tls->state = TOR_TLS_ST_HANDSHAKE;
2008 ret = tor_tls_handshake(tls);
2009 tt_int_op(tls->state, OP_EQ, TOR_TLS_ST_OPEN);
2010
2011 method->ssl_accept = setting_error_ssl_accept;
2012 fixed_ssl_accept_result = 1;
2013 ERR_clear_error();
2014 mock_clean_saved_logs();
2015 tls->state = TOR_TLS_ST_HANDSHAKE;
2016 ret = tor_tls_handshake(tls);
2017 tt_int_op(ret, OP_EQ, TOR_TLS_ERROR_MISC);
2018 expect_log_entry();
2019 /* This fails on jessie. Investigate why! */
2020 #if 0
2021 expect_log_msg("TLS error while handshaking: (null) (in bignum routines:"
2022 "(null):SSLv3 write client hello B)\n");
2023 expect_log_msg("TLS error while handshaking: (null) (in system library:"
2024 "connect:SSLv3 write client hello B)\n");
2025 #endif /* 0 */
2026 expect_log_severity(LOG_INFO);
2027
2028 tls->isServer = 0;
2029 method->ssl_connect = setting_error_ssl_connect;
2030 fixed_ssl_connect_result = 1;
2031 ERR_clear_error();
2032 mock_clean_saved_logs();
2033 tls->state = TOR_TLS_ST_HANDSHAKE;
2034 ret = tor_tls_handshake(tls);
2035 tt_int_op(ret, OP_EQ, TOR_TLS_ERROR_MISC);
2036 expect_log_entry();
2037 #if 0
2038 /* See above */
2039 expect_log_msg("TLS error while handshaking: "
2040 "(null) (in bignum routines:(null):SSLv3 write client hello B)\n");
2041 expect_log_msg("TLS error while handshaking: "
2042 "(null) (in system library:connect:SSLv3 write client hello B)\n");
2043 #endif /* 0 */
2044 expect_log_severity(LOG_WARN);
2045
2046 done:
2047 teardown_capture_of_logs();
2048 SSL_free(tls->ssl);
2049 SSL_CTX_free(ctx);
2050 tor_free(tls);
2051 tor_free(method);
2052 }
2053 #endif /* !defined(OPENSSL_OPAQUE) */
2054
2055 #ifndef OPENSSL_OPAQUE
2056 static void
2057 test_tortls_finish_handshake(void *ignored)
2058 {
2059 (void)ignored;
2060 int ret;
2061 tor_tls_t *tls;
2062 SSL_CTX *ctx;
2063 SSL_METHOD *method = give_me_a_test_method();
2064 SSL_library_init();
2065 SSL_load_error_strings();
2066
2067 X509 *c1 = read_cert_from(validCertString);
2068 SESS_CERT_local *sess = NULL;
2069
2070 ctx = SSL_CTX_new(method);
2071
2072 tls = tor_malloc_zero(sizeof(tor_tls_t));
2073 tls->ssl = SSL_new(ctx);
2074 tls->state = TOR_TLS_ST_OPEN;
2075
2076 ret = tor_tls_finish_handshake(tls);
2077 tt_int_op(ret, OP_EQ, 0);
2078
2079 tls->isServer = 1;
2080 tls->wasV2Handshake = 0;
2081 setup_full_capture_of_logs(LOG_WARN);
2082 ret = tor_tls_finish_handshake(tls);
2083 tt_int_op(ret, OP_EQ, 0);
2084 tt_int_op(tls->wasV2Handshake, OP_EQ, 1);
2085 expect_single_log_msg_containing("For some reason, wasV2Handshake didn't "
2086 "get set.");
2087 teardown_capture_of_logs();
2088
2089 tls->wasV2Handshake = 1;
2090 ret = tor_tls_finish_handshake(tls);
2091 tt_int_op(ret, OP_EQ, 0);
2092 tt_int_op(tls->wasV2Handshake, OP_EQ, 1);
2093
2094 tls->wasV2Handshake = 1;
2095 tls->ssl->session = SSL_SESSION_new();
2096 ret = tor_tls_finish_handshake(tls);
2097 tt_int_op(ret, OP_EQ, 0);
2098 tt_int_op(tls->wasV2Handshake, OP_EQ, 0);
2099
2100 tls->isServer = 0;
2101
2102 sess = tor_malloc_zero(sizeof(SESS_CERT_local));
2103 tls->ssl->session->sess_cert = (void *)sess;
2104 sess->cert_chain = sk_X509_new_null();
2105 sk_X509_push(sess->cert_chain, c1);
2106 tls->ssl->session->peer = c1;
2107 tls->wasV2Handshake = 0;
2108 ret = tor_tls_finish_handshake(tls);
2109 tt_int_op(ret, OP_EQ, 0);
2110 tt_int_op(tls->wasV2Handshake, OP_EQ, 1);
2111
2112 method->num_ciphers = fake_num_ciphers;
2113 ret = tor_tls_finish_handshake(tls);
2114 tt_int_op(ret, OP_EQ, -9);
2115
2116 done:
2117 if (sess)
2118 sk_X509_free(sess->cert_chain);
2119 if (tls->ssl && tls->ssl->session) {
2120 tor_free(tls->ssl->session->sess_cert);
2121 }
2122 SSL_free(tls->ssl);
2123 tor_free(tls);
2124 SSL_CTX_free(ctx);
2125 tor_free(method);
2126 teardown_capture_of_logs();
2127 }
2128 #endif /* !defined(OPENSSL_OPAQUE) */
2129
2130 static int fixed_crypto_pk_new_result_index;
2131 static crypto_pk_t *fixed_crypto_pk_new_result[5];
2132
2133 static crypto_pk_t *
2134 fixed_crypto_pk_new(void)
2135 {
2136 return fixed_crypto_pk_new_result[fixed_crypto_pk_new_result_index++];
2137 }
2138
2139 #ifndef OPENSSL_OPAQUE
2140 static int fixed_crypto_pk_generate_key_with_bits_result_index;
2141 static int fixed_crypto_pk_generate_key_with_bits_result[5];
2142 static int fixed_tor_tls_create_certificate_result_index;
2143 static X509 *fixed_tor_tls_create_certificate_result[5];
2144 static int fixed_tor_x509_cert_new_result_index;
2145 static tor_x509_cert_t *fixed_tor_x509_cert_new_result[5];
2146
2147 static int
2148 fixed_crypto_pk_generate_key_with_bits(crypto_pk_t *env, int bits)
2149 {
2150 (void)env;
2151 (void)bits;
2152 return fixed_crypto_pk_generate_key_with_bits_result[
2153 fixed_crypto_pk_generate_key_with_bits_result_index++];
2154 }
2155
2156 static X509 *
2157 fixed_tor_tls_create_certificate(crypto_pk_t *rsa,
2158 crypto_pk_t *rsa_sign,
2159 const char *cname,
2160 const char *cname_sign,
2161 unsigned int cert_lifetime)
2162 {
2163 (void)rsa;
2164 (void)rsa_sign;
2165 (void)cname;
2166 (void)cname_sign;
2167 (void)cert_lifetime;
2168 return fixed_tor_tls_create_certificate_result[
2169 fixed_tor_tls_create_certificate_result_index++];
2170 }
2171
2172 static tor_x509_cert_t *
2173 fixed_tor_x509_cert_new(tor_x509_cert_impl_t *x509_cert)
2174 {
2175 (void) x509_cert;
2176 return fixed_tor_x509_cert_new_result[
2177 fixed_tor_x509_cert_new_result_index++];
2178 }
2179
2180 static void
2181 test_tortls_context_new(void *ignored)
2182 {
2183 (void)ignored;
2184 tor_tls_context_t *ret;
2185 crypto_pk_t *pk1, *pk2, *pk3, *pk4, *pk5, *pk6, *pk7, *pk8, *pk9, *pk10,
2186 *pk11, *pk12, *pk13, *pk14, *pk15, *pk16, *pk17, *pk18;
2187
2188 pk1 = crypto_pk_new();
2189 pk2 = crypto_pk_new();
2190 pk3 = crypto_pk_new();
2191 pk4 = crypto_pk_new();
2192 pk5 = crypto_pk_new();
2193 pk6 = crypto_pk_new();
2194 pk7 = crypto_pk_new();
2195 pk8 = crypto_pk_new();
2196 pk9 = crypto_pk_new();
2197 pk10 = crypto_pk_new();
2198 pk11 = crypto_pk_new();
2199 pk12 = crypto_pk_new();
2200 pk13 = crypto_pk_new();
2201 pk14 = crypto_pk_new();
2202 pk15 = crypto_pk_new();
2203 pk16 = crypto_pk_new();
2204 pk17 = crypto_pk_new();
2205 pk18 = crypto_pk_new();
2206
2207 fixed_crypto_pk_new_result_index = 0;
2208 fixed_crypto_pk_new_result[0] = NULL;
2209 MOCK(crypto_pk_new, fixed_crypto_pk_new);
2210 ret = tor_tls_context_new(NULL, 0, 0, 0);
2211 tt_assert(!ret);
2212
2213 /* note: we already override this in testing_common.c, so we
2214 * run this unit test in a subprocess. */
2215 MOCK(crypto_pk_generate_key_with_bits,
2216 fixed_crypto_pk_generate_key_with_bits);
2217 fixed_crypto_pk_new_result_index = 0;
2218 fixed_crypto_pk_new_result[0] = pk1;
2219 fixed_crypto_pk_new_result[1] = NULL;
2220 fixed_crypto_pk_generate_key_with_bits_result[0] = -1;
2221 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
2222 ret = tor_tls_context_new(NULL, 0, 0, 0);
2223 tt_assert(!ret);
2224
2225 fixed_crypto_pk_new_result_index = 0;
2226 fixed_crypto_pk_new_result[0] = pk2;
2227 fixed_crypto_pk_new_result[1] = NULL;
2228 fixed_crypto_pk_generate_key_with_bits_result[0] = 0;
2229 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
2230 ret = tor_tls_context_new(NULL, 0, 0, 0);
2231 tt_assert(!ret);
2232
2233 fixed_crypto_pk_new_result_index = 0;
2234 fixed_crypto_pk_new_result[0] = pk3;
2235 fixed_crypto_pk_new_result[1] = pk4;
2236 fixed_crypto_pk_new_result[2] = NULL;
2237 fixed_crypto_pk_generate_key_with_bits_result[0] = 0;
2238 fixed_crypto_pk_generate_key_with_bits_result[1] = -1;
2239 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
2240 ret = tor_tls_context_new(NULL, 0, 0, 0);
2241 tt_assert(!ret);
2242
2243 MOCK(tor_tls_create_certificate, fixed_tor_tls_create_certificate);
2244
2245 fixed_crypto_pk_new_result_index = 0;
2246 fixed_crypto_pk_new_result[0] = pk5;
2247 fixed_crypto_pk_new_result[1] = pk6;
2248 fixed_crypto_pk_new_result[2] = NULL;
2249 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
2250 fixed_crypto_pk_generate_key_with_bits_result[1] = 0;
2251 fixed_tor_tls_create_certificate_result_index = 0;
2252 fixed_tor_tls_create_certificate_result[0] = NULL;
2253 fixed_tor_tls_create_certificate_result[1] = X509_new();
2254 fixed_tor_tls_create_certificate_result[2] = X509_new();
2255 ret = tor_tls_context_new(NULL, 0, 0, 0);
2256 tt_assert(!ret);
2257
2258 fixed_crypto_pk_new_result_index = 0;
2259 fixed_crypto_pk_new_result[0] = pk7;
2260 fixed_crypto_pk_new_result[1] = pk8;
2261 fixed_crypto_pk_new_result[2] = NULL;
2262 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
2263 fixed_tor_tls_create_certificate_result_index = 0;
2264 fixed_tor_tls_create_certificate_result[0] = X509_new();
2265 fixed_tor_tls_create_certificate_result[1] = NULL;
2266 fixed_tor_tls_create_certificate_result[2] = X509_new();
2267 ret = tor_tls_context_new(NULL, 0, 0, 0);
2268 tt_assert(!ret);
2269
2270 fixed_crypto_pk_new_result_index = 0;
2271 fixed_crypto_pk_new_result[0] = pk9;
2272 fixed_crypto_pk_new_result[1] = pk10;
2273 fixed_crypto_pk_new_result[2] = NULL;
2274 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
2275 fixed_tor_tls_create_certificate_result_index = 0;
2276 fixed_tor_tls_create_certificate_result[0] = X509_new();
2277 fixed_tor_tls_create_certificate_result[1] = X509_new();
2278 fixed_tor_tls_create_certificate_result[2] = NULL;
2279 ret = tor_tls_context_new(NULL, 0, 0, 0);
2280 tt_assert(!ret);
2281
2282 MOCK(tor_x509_cert_new, fixed_tor_x509_cert_new);
2283 fixed_crypto_pk_new_result_index = 0;
2284 fixed_crypto_pk_new_result[0] = pk11;
2285 fixed_crypto_pk_new_result[1] = pk12;
2286 fixed_crypto_pk_new_result[2] = NULL;
2287 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
2288 fixed_tor_tls_create_certificate_result_index = 0;
2289 fixed_tor_tls_create_certificate_result[0] = X509_new();
2290 fixed_tor_tls_create_certificate_result[1] = X509_new();
2291 fixed_tor_tls_create_certificate_result[2] = X509_new();
2292 fixed_tor_x509_cert_new_result_index = 0;
2293 fixed_tor_x509_cert_new_result[0] = NULL;
2294 fixed_tor_x509_cert_new_result[1] = NULL;
2295 fixed_tor_x509_cert_new_result[2] = NULL;
2296 ret = tor_tls_context_new(NULL, 0, 0, 0);
2297 tt_assert(!ret);
2298
2299 fixed_crypto_pk_new_result_index = 0;
2300 fixed_crypto_pk_new_result[0] = pk13;
2301 fixed_crypto_pk_new_result[1] = pk14;
2302 fixed_crypto_pk_new_result[2] = NULL;
2303 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
2304 fixed_tor_tls_create_certificate_result_index = 0;
2305 fixed_tor_tls_create_certificate_result[0] = X509_new();
2306 fixed_tor_tls_create_certificate_result[1] = X509_new();
2307 fixed_tor_tls_create_certificate_result[2] = X509_new();
2308 fixed_tor_x509_cert_new_result_index = 0;
2309 fixed_tor_x509_cert_new_result[0] = tor_malloc_zero(sizeof(tor_x509_cert_t));
2310 fixed_tor_x509_cert_new_result[1] = NULL;
2311 fixed_tor_x509_cert_new_result[2] = NULL;
2312 ret = tor_tls_context_new(NULL, 0, 0, 0);
2313 tt_assert(!ret);
2314
2315 fixed_crypto_pk_new_result_index = 0;
2316 fixed_crypto_pk_new_result[0] = pk15;
2317 fixed_crypto_pk_new_result[1] = pk16;
2318 fixed_crypto_pk_new_result[2] = NULL;
2319 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
2320 fixed_tor_tls_create_certificate_result_index = 0;
2321 fixed_tor_tls_create_certificate_result[0] = X509_new();
2322 fixed_tor_tls_create_certificate_result[1] = X509_new();
2323 fixed_tor_tls_create_certificate_result[2] = X509_new();
2324 fixed_tor_x509_cert_new_result_index = 0;
2325 fixed_tor_x509_cert_new_result[0] = tor_malloc_zero(sizeof(tor_x509_cert_t));
2326 fixed_tor_x509_cert_new_result[1] = tor_malloc_zero(sizeof(tor_x509_cert_t));
2327 fixed_tor_x509_cert_new_result[2] = NULL;
2328 ret = tor_tls_context_new(NULL, 0, 0, 0);
2329 tt_assert(!ret);
2330
2331 fixed_crypto_pk_new_result_index = 0;
2332 fixed_crypto_pk_new_result[0] = pk17;
2333 fixed_crypto_pk_new_result[1] = pk18;
2334 fixed_crypto_pk_new_result[2] = NULL;
2335 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
2336 fixed_tor_tls_create_certificate_result_index = 0;
2337 fixed_tor_tls_create_certificate_result[0] = X509_new();
2338 fixed_tor_tls_create_certificate_result[1] = X509_new();
2339 fixed_tor_tls_create_certificate_result[2] = X509_new();
2340 fixed_tor_x509_cert_new_result_index = 0;
2341 fixed_tor_x509_cert_new_result[0] = tor_malloc_zero(sizeof(tor_x509_cert_t));
2342 fixed_tor_x509_cert_new_result[1] = tor_malloc_zero(sizeof(tor_x509_cert_t));
2343 fixed_tor_x509_cert_new_result[2] = tor_malloc_zero(sizeof(tor_x509_cert_t));
2344 ret = tor_tls_context_new(NULL, 0, 0, 0);
2345 tt_assert(!ret);
2346
2347 done:
2348 UNMOCK(tor_x509_cert_new);
2349 UNMOCK(tor_tls_create_certificate);
2350 UNMOCK(crypto_pk_generate_key_with_bits);
2351 UNMOCK(crypto_pk_new);
2352 }
2353 #endif /* !defined(OPENSSL_OPAQUE) */
2354
2355 static int fixed_crypto_pk_get_evp_pkey_result_index = 0;
2356 static EVP_PKEY *fixed_crypto_pk_get_evp_pkey_result[5];
2357
2358 static EVP_PKEY *
2359 fixed_crypto_pk_get_evp_pkey_(crypto_pk_t *env, int private)
2360 {
2361 (void) env;
2362 (void) private;
2363 return fixed_crypto_pk_get_evp_pkey_result[
2364 fixed_crypto_pk_get_evp_pkey_result_index++];
2365 }
2366
2367 static void
2368 test_tortls_create_certificate(void *ignored)
2369 {
2370 (void)ignored;
2371 X509 *ret;
2372 crypto_pk_t *pk1, *pk2;
2373
2374 pk1 = crypto_pk_new();
2375 pk2 = crypto_pk_new();
2376
2377 MOCK(crypto_pk_get_openssl_evp_pkey_, fixed_crypto_pk_get_evp_pkey_);
2378 fixed_crypto_pk_get_evp_pkey_result_index = 0;
2379 fixed_crypto_pk_get_evp_pkey_result[0] = NULL;
2380 ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1);
2381 tt_assert(!ret);
2382
2383 fixed_crypto_pk_get_evp_pkey_result_index = 0;
2384 fixed_crypto_pk_get_evp_pkey_result[0] = EVP_PKEY_new();
2385 fixed_crypto_pk_get_evp_pkey_result[1] = NULL;
2386 ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1);
2387 tt_assert(!ret);
2388
2389 fixed_crypto_pk_get_evp_pkey_result_index = 0;
2390 fixed_crypto_pk_get_evp_pkey_result[0] = EVP_PKEY_new();
2391 fixed_crypto_pk_get_evp_pkey_result[1] = EVP_PKEY_new();
2392 ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1);
2393 tt_assert(!ret);
2394
2395 done:
2396 UNMOCK(crypto_pk_get_openssl_evp_pkey_);
2397 crypto_pk_free(pk1);
2398 crypto_pk_free(pk2);
2399 }
2400
2401 static void
2402 test_tortls_cert_new(void *ignored)
2403 {
2404 (void)ignored;
2405 tor_x509_cert_t *ret;
2406 X509 *cert = read_cert_from(validCertString);
2407
2408 ret = tor_x509_cert_new(NULL);
2409 tt_assert(!ret);
2410
2411 ret = tor_x509_cert_new(cert);
2412 tt_assert(ret);
2413 tor_x509_cert_free(ret);
2414 ret = NULL;
2415
2416 #if 0
2417 cert = read_cert_from(validCertString);
2418 /* XXX this doesn't do what you think: it alters a copy of the pubkey. */
2419 X509_get_pubkey(cert)->type = EVP_PKEY_DSA;
2420 ret = tor_x509_cert_new(cert);
2421 tt_assert(ret);
2422 #endif /* 0 */
2423
2424 #ifndef OPENSSL_OPAQUE
2425 cert = read_cert_from(validCertString);
2426 X509_CINF_free(cert->cert_info);
2427 cert->cert_info = NULL;
2428 ret = tor_x509_cert_new(cert);
2429 tt_assert(ret);
2430 #endif /* !defined(OPENSSL_OPAQUE) */
2431
2432 done:
2433 tor_x509_cert_free(ret);
2434 }
2435
2436 static void
2437 test_tortls_cert_is_valid(void *ignored)
2438 {
2439 (void)ignored;
2440 int ret;
2441 tor_x509_cert_t *cert = NULL, *scert = NULL;
2442
2443 scert = tor_malloc_zero(sizeof(tor_x509_cert_t));
2444 ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 0);
2445 tt_int_op(ret, OP_EQ, 0);
2446
2447 cert = tor_malloc_zero(sizeof(tor_x509_cert_t));
2448 ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 0);
2449 tt_int_op(ret, OP_EQ, 0);
2450 tor_free(scert);
2451 tor_free(cert);
2452
2453 cert = tor_x509_cert_new(read_cert_from(validCertString));
2454 scert = tor_x509_cert_new(read_cert_from(caCertString));
2455 ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 0);
2456 tt_int_op(ret, OP_EQ, 1);
2457
2458 #ifndef OPENSSL_OPAQUE
2459 tor_x509_cert_free(cert);
2460 tor_x509_cert_free(scert);
2461 cert = tor_x509_cert_new(read_cert_from(validCertString));
2462 scert = tor_x509_cert_new(read_cert_from(caCertString));
2463 ASN1_TIME_free(cert->cert->cert_info->validity->notAfter);
2464 cert->cert->cert_info->validity->notAfter =
2465 ASN1_TIME_set(NULL, time(NULL)-1000000);
2466 ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 0);
2467 tt_int_op(ret, OP_EQ, 0);
2468
2469 tor_x509_cert_free(cert);
2470 tor_x509_cert_free(scert);
2471 cert = tor_x509_cert_new(read_cert_from(validCertString));
2472 scert = tor_x509_cert_new(read_cert_from(caCertString));
2473 X509_PUBKEY_free(cert->cert->cert_info->key);
2474 cert->cert->cert_info->key = NULL;
2475 ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 1);
2476 tt_int_op(ret, OP_EQ, 0);
2477 #endif /* !defined(OPENSSL_OPAQUE) */
2478
2479 #if 0
2480 tor_x509_cert_free(cert);
2481 tor_x509_cert_free(scert);
2482 cert = tor_x509_cert_new(read_cert_from(validCertString));
2483 scert = tor_x509_cert_new(read_cert_from(caCertString));
2484 /* This doesn't actually change the key in the cert. XXXXXX */
2485 BN_one(EVP_PKEY_get1_RSA(X509_get_pubkey(cert->cert))->n);
2486 ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 1);
2487 tt_int_op(ret, OP_EQ, 0);
2488
2489 tor_x509_cert_free(cert);
2490 tor_x509_cert_free(scert);
2491 cert = tor_x509_cert_new(read_cert_from(validCertString));
2492 scert = tor_x509_cert_new(read_cert_from(caCertString));
2493 /* This doesn't actually change the key in the cert. XXXXXX */
2494 X509_get_pubkey(cert->cert)->type = EVP_PKEY_EC;
2495 ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 1);
2496 tt_int_op(ret, OP_EQ, 0);
2497
2498 tor_x509_cert_free(cert);
2499 tor_x509_cert_free(scert);
2500 cert = tor_x509_cert_new(read_cert_from(validCertString));
2501 scert = tor_x509_cert_new(read_cert_from(caCertString));
2502 /* This doesn't actually change the key in the cert. XXXXXX */
2503 X509_get_pubkey(cert->cert)->type = EVP_PKEY_EC;
2504 ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 0);
2505 tt_int_op(ret, OP_EQ, 1);
2506
2507 tor_x509_cert_free(cert);
2508 tor_x509_cert_free(scert);
2509 cert = tor_x509_cert_new(read_cert_from(validCertString));
2510 scert = tor_x509_cert_new(read_cert_from(caCertString));
2511 /* This doesn't actually change the key in the cert. XXXXXX */
2512 X509_get_pubkey(cert->cert)->type = EVP_PKEY_EC;
2513 X509_get_pubkey(cert->cert)->ameth = NULL;
2514 ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 0);
2515 tt_int_op(ret, OP_EQ, 0);
2516 #endif /* 0 */
2517
2518 done:
2519 tor_x509_cert_free(cert);
2520 tor_x509_cert_free(scert);
2521 }
2522
2523 static void
2524 test_tortls_context_init_one(void *ignored)
2525 {
2526 (void)ignored;
2527 int ret;
2528 tor_tls_context_t *old = NULL;
2529
2530 MOCK(crypto_pk_new, fixed_crypto_pk_new);
2531
2532 fixed_crypto_pk_new_result_index = 0;
2533 fixed_crypto_pk_new_result[0] = NULL;
2534 ret = tor_tls_context_init_one(&old, NULL, 0, 0, 0);
2535 tt_int_op(ret, OP_EQ, -1);
2536
2537 done:
2538 UNMOCK(crypto_pk_new);
2539 }
2540
2541 #define LOCAL_TEST_CASE(name, flags) \
2542 { #name, test_tortls_##name, (flags|TT_FORK), NULL, NULL }
2543
2544 #ifdef OPENSSL_OPAQUE
2545 #define INTRUSIVE_TEST_CASE(name, flags) \
2546 { #name, NULL, TT_SKIP, NULL, NULL }
2547 #else
2548 #define INTRUSIVE_TEST_CASE(name, flags) LOCAL_TEST_CASE(name, flags)
2549 #endif /* defined(OPENSSL_OPAQUE) */
2550
2551 struct testcase_t tortls_openssl_tests[] = {
2552 LOCAL_TEST_CASE(tor_tls_new, TT_FORK),
2553 LOCAL_TEST_CASE(get_state_description, TT_FORK),
2554 LOCAL_TEST_CASE(get_by_ssl, TT_FORK),
2555 LOCAL_TEST_CASE(allocate_tor_tls_object_ex_data_index, TT_FORK),
2556 LOCAL_TEST_CASE(log_one_error, TT_FORK),
2557 INTRUSIVE_TEST_CASE(get_error, TT_FORK),
2558 LOCAL_TEST_CASE(always_accept_verify_cb, 0),
2559 INTRUSIVE_TEST_CASE(x509_cert_free, 0),
2560 INTRUSIVE_TEST_CASE(cert_matches_key, 0),
2561 INTRUSIVE_TEST_CASE(cert_get_key, 0),
2562 LOCAL_TEST_CASE(get_my_client_auth_key, TT_FORK),
2563 INTRUSIVE_TEST_CASE(get_ciphersuite_name, 0),
2564 INTRUSIVE_TEST_CASE(classify_client_ciphers, 0),
2565 LOCAL_TEST_CASE(client_is_using_v2_ciphers, 0),
2566 INTRUSIVE_TEST_CASE(verify, 0),
2567 INTRUSIVE_TEST_CASE(check_lifetime, 0),
2568 INTRUSIVE_TEST_CASE(get_pending_bytes, 0),
2569 INTRUSIVE_TEST_CASE(SSL_SESSION_get_master_key, 0),
2570 INTRUSIVE_TEST_CASE(get_tlssecrets, 0),
2571 INTRUSIVE_TEST_CASE(get_buffer_sizes, 0),
2572 INTRUSIVE_TEST_CASE(try_to_extract_certs_from_tls, 0),
2573 INTRUSIVE_TEST_CASE(get_peer_cert, 0),
2574 INTRUSIVE_TEST_CASE(peer_has_cert, 0),
2575 INTRUSIVE_TEST_CASE(shutdown, 0),
2576 INTRUSIVE_TEST_CASE(finish_handshake, 0),
2577 INTRUSIVE_TEST_CASE(handshake, 0),
2578 INTRUSIVE_TEST_CASE(write, 0),
2579 INTRUSIVE_TEST_CASE(read, 0),
2580 INTRUSIVE_TEST_CASE(server_info_callback, 0),
2581 LOCAL_TEST_CASE(get_write_overhead_ratio, TT_FORK),
2582 LOCAL_TEST_CASE(is_server, 0),
2583 INTRUSIVE_TEST_CASE(assert_renegotiation_unblocked, 0),
2584 INTRUSIVE_TEST_CASE(block_renegotiation, 0),
2585 INTRUSIVE_TEST_CASE(unblock_renegotiation, 0),
2586 INTRUSIVE_TEST_CASE(set_renegotiate_callback, 0),
2587 LOCAL_TEST_CASE(set_logged_address, 0),
2588 INTRUSIVE_TEST_CASE(find_cipher_by_id, 0),
2589 INTRUSIVE_TEST_CASE(session_secret_cb, 0),
2590 INTRUSIVE_TEST_CASE(debug_state_callback, 0),
2591 INTRUSIVE_TEST_CASE(context_new, TT_FORK /* redundant */),
2592 LOCAL_TEST_CASE(create_certificate, 0),
2593 LOCAL_TEST_CASE(cert_new, 0),
2594 LOCAL_TEST_CASE(cert_is_valid, 0),
2595 LOCAL_TEST_CASE(context_init_one, 0),
2596 END_OF_TESTCASES
2597 };
The Onion Router