1 /* Copyright (c) 2010-2019, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
5 #define TORTLS_OPENSSL_PRIVATE
6 #define TOR_X509_PRIVATE
15 #include "lib/cc/compat_compiler.h"
17 /* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
18 * srtp.h. Suppress the GCC warning so we can build with -Wredundant-decl. */
19 DISABLE_GCC_WARNING(redundant
-decls
)
21 #include <openssl/opensslv.h>
23 #include <openssl/ssl.h>
24 #include <openssl/ssl3.h>
25 #include <openssl/err.h>
26 #include <openssl/asn1t.h>
27 #include <openssl/x509.h>
28 #include <openssl/rsa.h>
29 #include <openssl/evp.h>
30 #include <openssl/bn.h>
32 ENABLE_GCC_WARNING(redundant
-decls
)
34 #include "core/or/or.h"
35 #include "lib/log/log.h"
36 #include "app/config/config.h"
37 #include "lib/crypt_ops/compat_openssl.h"
38 #include "lib/tls/x509.h"
39 #include "lib/tls/x509_internal.h"
40 #include "lib/tls/tortls.h"
41 #include "lib/tls/tortls_st.h"
42 #include "lib/tls/tortls_internal.h"
43 #include "app/config/or_state_st.h"
45 #include "test/test.h"
46 #include "test/log_test_helpers.h"
47 #include "test/test_tortls.h"
49 #define NS_MODULE tortls
51 #ifndef HAVE_SSL_STATE
52 #define OPENSSL_OPAQUE
55 #if defined(OPENSSL_OPAQUE) && !defined(LIBRESSL_VERSION_NUMBER)
56 #define SSL_STATE_STR "before SSL initialization"
58 #define SSL_STATE_STR "before/accept initialization"
61 #ifndef OPENSSL_OPAQUE
63 give_me_a_test_method(void)
65 SSL_METHOD
*method
= tor_malloc_zero(sizeof(SSL_METHOD
));
66 memcpy(method
, TLSv1_method(), sizeof(SSL_METHOD
));
71 fake_num_ciphers(void)
75 #endif /* !defined(OPENSSL_OPAQUE) */
78 mock_tls_cert_matches_key(const tor_tls_t
*tls
, const tor_x509_cert_t
*cert
)
81 (void) cert
; // XXXX look at this.
86 test_tortls_tor_tls_new(void *data
)
89 MOCK(tor_tls_cert_matches_key
, mock_tls_cert_matches_key
);
90 crypto_pk_t
*key1
= NULL
, *key2
= NULL
;
91 SSL_METHOD
*method
= NULL
;
93 key1
= pk_generate(2);
94 key2
= pk_generate(3);
96 tor_tls_t
*tls
= NULL
;
97 tt_int_op(tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER
,
98 key1
, key2
, 86400), OP_EQ
, 0);
99 tls
= tor_tls_new(-1, 0);
101 tor_tls_free(tls
); tls
= NULL
;
103 SSL_CTX_free(client_tls_context
->ctx
);
104 client_tls_context
->ctx
= NULL
;
105 tls
= tor_tls_new(-1, 0);
106 tt_ptr_op(tls
, OP_EQ
, NULL
);
108 #ifndef OPENSSL_OPAQUE
109 method
= give_me_a_test_method();
110 SSL_CTX
*ctx
= SSL_CTX_new(method
);
111 method
->num_ciphers
= fake_num_ciphers
;
112 client_tls_context
->ctx
= ctx
;
113 tls
= tor_tls_new(-1, 0);
114 tt_ptr_op(tls
, OP_EQ
, NULL
);
115 #endif /* !defined(OPENSSL_OPAQUE) */
118 UNMOCK(tor_tls_cert_matches_key
);
119 crypto_pk_free(key1
);
120 crypto_pk_free(key2
);
126 #define NS_MODULE tortls
131 #ifdef OPENSSL_1_1_API
132 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS
, NULL
);
135 SSL_load_error_strings();
140 test_tortls_get_state_description(void *ignored
)
148 ctx
= SSL_CTX_new(SSLv23_method());
150 buf
= tor_malloc_zero(1000);
151 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
153 tor_tls_get_state_description(NULL
, buf
, 20);
154 tt_str_op(buf
, OP_EQ
, "(No SSL object)");
158 tor_tls_get_state_description(tls
, buf
, 20);
159 tt_str_op(buf
, OP_EQ
, "(No SSL object)");
161 tls
->ssl
= SSL_new(ctx
);
162 tor_tls_get_state_description(tls
, buf
, 200);
163 tt_str_op(buf
, OP_EQ
, SSL_STATE_STR
" in HANDSHAKE");
165 tls
->state
= TOR_TLS_ST_OPEN
;
166 tor_tls_get_state_description(tls
, buf
, 200);
167 tt_str_op(buf
, OP_EQ
, SSL_STATE_STR
" in OPEN");
169 tls
->state
= TOR_TLS_ST_GOTCLOSE
;
170 tor_tls_get_state_description(tls
, buf
, 200);
171 tt_str_op(buf
, OP_EQ
, SSL_STATE_STR
" in GOTCLOSE");
173 tls
->state
= TOR_TLS_ST_SENTCLOSE
;
174 tor_tls_get_state_description(tls
, buf
, 200);
175 tt_str_op(buf
, OP_EQ
, SSL_STATE_STR
" in SENTCLOSE");
177 tls
->state
= TOR_TLS_ST_CLOSED
;
178 tor_tls_get_state_description(tls
, buf
, 200);
179 tt_str_op(buf
, OP_EQ
, SSL_STATE_STR
" in CLOSED");
181 tls
->state
= TOR_TLS_ST_RENEGOTIATE
;
182 tor_tls_get_state_description(tls
, buf
, 200);
183 tt_str_op(buf
, OP_EQ
, SSL_STATE_STR
" in RENEGOTIATE");
185 tls
->state
= TOR_TLS_ST_BUFFEREVENT
;
186 tor_tls_get_state_description(tls
, buf
, 200);
187 tt_str_op(buf
, OP_EQ
, SSL_STATE_STR
);
190 tor_tls_get_state_description(tls
, buf
, 200);
191 tt_str_op(buf
, OP_EQ
, SSL_STATE_STR
" in unknown TLS state");
201 test_tortls_get_by_ssl(void *ignored
)
210 tor_tls_allocate_tor_tls_object_ex_data_index();
212 ctx
= SSL_CTX_new(SSLv23_method());
213 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
214 tls
->magic
= TOR_TLS_MAGIC
;
218 res
= tor_tls_get_by_ssl(ssl
);
221 SSL_set_ex_data(ssl
, tor_tls_object_ex_data_index
, tls
);
223 res
= tor_tls_get_by_ssl(ssl
);
224 tt_assert(res
== tls
);
233 test_tortls_allocate_tor_tls_object_ex_data_index(void *ignored
)
238 tor_tls_allocate_tor_tls_object_ex_data_index();
240 first
= tor_tls_object_ex_data_index
;
241 tor_tls_allocate_tor_tls_object_ex_data_index();
242 tt_int_op(first
, OP_EQ
, tor_tls_object_ex_data_index
);
249 test_tortls_log_one_error(void *ignored
)
258 ctx
= SSL_CTX_new(SSLv23_method());
259 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
260 setup_capture_of_logs(LOG_INFO
);
262 tor_tls_log_one_error(NULL
, 0, LOG_WARN
, 0, "something");
263 expect_log_msg("TLS error while something: "
264 "(null) (in (null):(null):---)\n");
266 mock_clean_saved_logs();
267 tor_tls_log_one_error(tls
, 0, LOG_WARN
, 0, NULL
);
268 expect_log_msg("TLS error: (null) "
269 "(in (null):(null):---)\n");
271 mock_clean_saved_logs();
272 tls
->address
= tor_strdup("127.hello");
273 tor_tls_log_one_error(tls
, 0, LOG_WARN
, 0, NULL
);
274 expect_log_msg("TLS error with 127.hello: "
275 "(null) (in (null):(null):---)\n");
276 tor_free(tls
->address
);
278 mock_clean_saved_logs();
279 tls
->address
= tor_strdup("127.hello");
280 tor_tls_log_one_error(tls
, 0, LOG_WARN
, 0, "blarg");
281 expect_log_msg("TLS error while blarg with "
282 "127.hello: (null) (in (null):(null):---)\n");
284 mock_clean_saved_logs();
285 tor_tls_log_one_error(tls
, ERR_PACK(1, 2, 3), LOG_WARN
, 0, NULL
);
286 expect_log_msg("TLS error with 127.hello: "
287 "BN lib (in unknown library:(null):---)\n");
289 mock_clean_saved_logs();
290 tor_tls_log_one_error(tls
, ERR_PACK(1, 2, SSL_R_HTTP_REQUEST
),
292 expect_log_severity(LOG_INFO
);
294 mock_clean_saved_logs();
295 tor_tls_log_one_error(tls
, ERR_PACK(1, 2, SSL_R_HTTPS_PROXY_REQUEST
),
297 expect_log_severity(LOG_INFO
);
299 mock_clean_saved_logs();
300 tor_tls_log_one_error(tls
, ERR_PACK(1, 2, SSL_R_RECORD_LENGTH_MISMATCH
),
302 expect_log_severity(LOG_INFO
);
304 #ifndef OPENSSL_1_1_API
305 mock_clean_saved_logs();
306 tor_tls_log_one_error(tls
, ERR_PACK(1, 2, SSL_R_RECORD_TOO_LARGE
),
308 expect_log_severity(LOG_INFO
);
309 #endif /* !defined(OPENSSL_1_1_API) */
311 mock_clean_saved_logs();
312 tor_tls_log_one_error(tls
, ERR_PACK(1, 2, SSL_R_UNKNOWN_PROTOCOL
),
314 expect_log_severity(LOG_INFO
);
316 mock_clean_saved_logs();
317 tor_tls_log_one_error(tls
, ERR_PACK(1, 2, SSL_R_UNSUPPORTED_PROTOCOL
),
319 expect_log_severity(LOG_INFO
);
321 tls
->ssl
= SSL_new(ctx
);
323 mock_clean_saved_logs();
324 tor_tls_log_one_error(tls
, 0, LOG_WARN
, 0, NULL
);
325 expect_log_msg("TLS error with 127.hello: (null)"
326 " (in (null):(null):" SSL_STATE_STR
")\n");
329 teardown_capture_of_logs();
335 tor_free(tls
->address
);
339 #ifndef OPENSSL_OPAQUE
341 test_tortls_get_error(void *ignored
)
350 ctx
= SSL_CTX_new(SSLv23_method());
351 setup_capture_of_logs(LOG_INFO
);
352 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
353 tls
->ssl
= SSL_new(ctx
);
354 SSL_set_bio(tls
->ssl
, BIO_new(BIO_s_mem()), NULL
);
356 ret
= tor_tls_get_error(tls
, 0, 0, "something", LOG_WARN
, 0);
357 tt_int_op(ret
, OP_EQ
, TOR_TLS_ERROR_IO
);
358 expect_log_msg("TLS error: unexpected close while"
359 " something (before/accept initialization)\n");
361 mock_clean_saved_logs();
362 ret
= tor_tls_get_error(tls
, 2, 0, "something", LOG_WARN
, 0);
363 tt_int_op(ret
, OP_EQ
, 0);
364 expect_no_log_entry();
366 mock_clean_saved_logs();
367 ret
= tor_tls_get_error(tls
, 0, 1, "something", LOG_WARN
, 0);
368 tt_int_op(ret
, OP_EQ
, -11);
369 expect_no_log_entry();
371 mock_clean_saved_logs();
373 ERR_put_error(ERR_LIB_BN
, 2, -1, "somewhere.c", 99);
374 ret
= tor_tls_get_error(tls
, 0, 0, "something", LOG_WARN
, 0);
375 tt_int_op(ret
, OP_EQ
, TOR_TLS_ERROR_MISC
);
376 expect_log_msg("TLS error while something: (null)"
377 " (in bignum routines:(null):before/accept initialization)\n");
379 mock_clean_saved_logs();
381 tls
->ssl
->rwstate
= SSL_READING
;
382 SSL_get_rbio(tls
->ssl
)->flags
= BIO_FLAGS_READ
;
383 ret
= tor_tls_get_error(tls
, -1, 0, "something", LOG_WARN
, 0);
384 tt_int_op(ret
, OP_EQ
, TOR_TLS_WANTREAD
);
385 expect_no_log_entry();
387 mock_clean_saved_logs();
389 tls
->ssl
->rwstate
= SSL_READING
;
390 SSL_get_rbio(tls
->ssl
)->flags
= BIO_FLAGS_WRITE
;
391 ret
= tor_tls_get_error(tls
, -1, 0, "something", LOG_WARN
, 0);
392 tt_int_op(ret
, OP_EQ
, TOR_TLS_WANTWRITE
);
393 expect_no_log_entry();
395 mock_clean_saved_logs();
397 tls
->ssl
->rwstate
= 0;
398 tls
->ssl
->shutdown
= SSL_RECEIVED_SHUTDOWN
;
399 tls
->ssl
->s3
->warn_alert
=SSL_AD_CLOSE_NOTIFY
;
400 ret
= tor_tls_get_error(tls
, 0, 0, "something", LOG_WARN
, 0);
401 tt_int_op(ret
, OP_EQ
, TOR_TLS_CLOSE
);
404 mock_clean_saved_logs();
405 ret
= tor_tls_get_error(tls
, 0, 2, "something", LOG_WARN
, 0);
406 tt_int_op(ret
, OP_EQ
, -10);
407 expect_no_log_entry();
409 mock_clean_saved_logs();
410 ERR_put_error(ERR_LIB_SYS
, 2, -1, "somewhere.c", 99);
411 ret
= tor_tls_get_error(tls
, -1, 0, "something", LOG_WARN
, 0);
412 tt_int_op(ret
, OP_EQ
, -9);
413 expect_log_msg("TLS error while something: (null) (in system library:"
414 "connect:before/accept initialization)\n");
417 teardown_capture_of_logs();
422 #endif /* !defined(OPENSSL_OPAQUE) */
425 test_tortls_always_accept_verify_cb(void *ignored
)
430 ret
= always_accept_verify_cb(0, NULL
);
431 tt_int_op(ret
, OP_EQ
, 1);
437 #ifndef OPENSSL_OPAQUE
439 test_tortls_x509_cert_free(void *ignored
)
442 tor_x509_cert_t
*cert
;
444 cert
= tor_malloc_zero(sizeof(tor_x509_cert_t
));
445 tor_x509_cert_free(cert
);
447 cert
= tor_malloc_zero(sizeof(tor_x509_cert_t
));
448 cert
->cert
= X509_new();
449 cert
->encoded
= tor_malloc_zero(1);
450 tor_x509_cert_free(cert
);
452 #endif /* !defined(OPENSSL_OPAQUE) */
454 #ifndef OPENSSL_OPAQUE
456 * Use only for the matching fake_x509_free() call
459 fake_x509_malloc(void)
461 return tor_malloc_zero(sizeof(X509
));
465 fake_x509_free(X509
*cert
)
468 if (cert
->cert_info
) {
469 if (cert
->cert_info
->key
) {
470 if (cert
->cert_info
->key
->pkey
) {
471 tor_free(cert
->cert_info
->key
->pkey
);
473 tor_free(cert
->cert_info
->key
);
475 tor_free(cert
->cert_info
);
482 static tor_x509_cert_t
*fixed_x509_cert
= NULL
;
483 static tor_x509_cert_t
*
484 get_peer_cert_mock_return_fixed(tor_tls_t
*tls
)
488 return tor_x509_cert_dup(fixed_x509_cert
);
494 test_tortls_cert_matches_key(void *ignored
)
498 X509
*cert1
= NULL
, *cert2
= NULL
, *cert3
= NULL
, *cert4
= NULL
;
499 tor_x509_cert_t
*c1
= NULL
, *c2
= NULL
, *c3
= NULL
, *c4
= NULL
;
500 crypto_pk_t
*k1
= NULL
, *k2
= NULL
, *k3
= NULL
;
506 cert1
= tor_tls_create_certificate(k1
, k2
, "A", "B", 1000);
507 cert2
= tor_tls_create_certificate(k1
, k3
, "C", "D", 1000);
508 cert3
= tor_tls_create_certificate(k2
, k3
, "C", "D", 1000);
509 cert4
= tor_tls_create_certificate(k3
, k2
, "E", "F", 1000);
511 tt_assert(cert1
&& cert2
&& cert3
&& cert4
);
513 c1
= tor_x509_cert_new(cert1
); cert1
= NULL
;
514 c2
= tor_x509_cert_new(cert2
); cert2
= NULL
;
515 c3
= tor_x509_cert_new(cert3
); cert3
= NULL
;
516 c4
= tor_x509_cert_new(cert4
); cert4
= NULL
;
518 tt_assert(c1
&& c2
&& c3
&& c4
);
520 MOCK(tor_tls_get_peer_cert
, get_peer_cert_mock_return_fixed
);
522 fixed_x509_cert
= NULL
;
523 /* If the peer has no certificate, it shouldn't match anything. */
524 tt_assert(! tor_tls_cert_matches_key(NULL
, c1
));
525 tt_assert(! tor_tls_cert_matches_key(NULL
, c2
));
526 tt_assert(! tor_tls_cert_matches_key(NULL
, c3
));
527 tt_assert(! tor_tls_cert_matches_key(NULL
, c4
));
528 fixed_x509_cert
= c1
;
529 /* If the peer has a certificate, it should match every cert with the same
531 tt_assert(tor_tls_cert_matches_key(NULL
, c1
));
532 tt_assert(tor_tls_cert_matches_key(NULL
, c2
));
533 tt_assert(! tor_tls_cert_matches_key(NULL
, c3
));
534 tt_assert(! tor_tls_cert_matches_key(NULL
, c4
));
537 tor_x509_cert_free(c1
);
538 tor_x509_cert_free(c2
);
539 tor_x509_cert_free(c3
);
540 tor_x509_cert_free(c4
);
541 if (cert1
) X509_free(cert1
);
542 if (cert2
) X509_free(cert2
);
543 if (cert3
) X509_free(cert3
);
544 if (cert4
) X509_free(cert4
);
548 UNMOCK(tor_tls_get_peer_cert
);
551 #ifndef OPENSSL_OPAQUE
553 test_tortls_cert_get_key(void *ignored
)
556 tor_x509_cert_t
*cert
= NULL
;
557 crypto_pk_t
*res
= NULL
;
558 cert
= tor_malloc_zero(sizeof(tor_x509_cert_t
));
560 key
= fake_x509_malloc();
563 res
= tor_tls_cert_get_key(cert
);
567 key
->cert_info
= tor_malloc_zero(sizeof(X509_CINF
));
568 key
->cert_info
->key
= tor_malloc_zero(sizeof(X509_PUBKEY
));
569 key
->cert_info
->key
->pkey
= tor_malloc_zero(sizeof(EVP_PKEY
));
570 key
->cert_info
->key
->pkey
->references
= 1;
571 key
->cert_info
->key
->pkey
->type
= 2;
572 res
= tor_tls_cert_get_key(cert
);
580 #endif /* !defined(OPENSSL_OPAQUE) */
583 test_tortls_get_my_client_auth_key(void *ignored
)
587 crypto_pk_t
*expected
;
588 tor_tls_context_t
*ctx
;
591 ctx
= tor_malloc_zero(sizeof(tor_tls_context_t
));
592 expected
= crypto_new_pk_from_openssl_rsa_(k
);
593 ctx
->auth_key
= expected
;
595 client_tls_context
= NULL
;
596 ret
= tor_tls_get_my_client_auth_key();
599 client_tls_context
= ctx
;
600 ret
= tor_tls_get_my_client_auth_key();
601 tt_assert(ret
== expected
);
604 crypto_pk_free(expected
);
608 #ifndef HAVE_SSL_GET_CLIENT_CIPHERS
610 get_cipher_by_name(const char *name
)
613 const SSL_METHOD
*method
= SSLv23_method();
614 int num
= method
->num_ciphers();
616 for (i
= 0; i
< num
; ++i
) {
617 const SSL_CIPHER
*cipher
= method
->get_cipher(i
);
618 const char *ciphername
= SSL_CIPHER_get_name(cipher
);
619 if (!strcmp(ciphername
, name
)) {
620 return (SSL_CIPHER
*)cipher
;
626 #endif /* !defined(HAVE_SSL_GET_CLIENT_CIPHERS) */
628 #ifndef OPENSSL_OPAQUE
630 test_tortls_get_ciphersuite_name(void *ignored
)
635 ctx
= tor_malloc_zero(sizeof(tor_tls_t
));
636 ctx
->ssl
= tor_malloc_zero(sizeof(SSL
));
638 ret
= tor_tls_get_ciphersuite_name(ctx
);
639 tt_str_op(ret
, OP_EQ
, "(NONE)");
647 get_cipher_by_id(uint16_t id
)
650 const SSL_METHOD
*method
= SSLv23_method();
651 int num
= method
->num_ciphers();
652 for (i
= 0; i
< num
; ++i
) {
653 const SSL_CIPHER
*cipher
= method
->get_cipher(i
);
654 if (id
== (SSL_CIPHER_get_id(cipher
) & 0xffff)) {
655 return (SSL_CIPHER
*)cipher
;
663 test_tortls_classify_client_ciphers(void *ignored
)
671 STACK_OF(SSL_CIPHER
) *ciphers
;
672 SSL_CIPHER
*tmp_cipher
;
676 tor_tls_allocate_tor_tls_object_ex_data_index();
678 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
679 tls
->magic
= TOR_TLS_MAGIC
;
681 ctx
= SSL_CTX_new(TLSv1_method());
685 ciphers
= sk_SSL_CIPHER_new_null();
687 ret
= tor_tls_classify_client_ciphers(ssl
, NULL
);
688 tt_int_op(ret
, OP_EQ
, -1);
690 SSL_set_ex_data(ssl
, tor_tls_object_ex_data_index
, tls
);
691 tls
->client_cipher_list_type
= 42;
693 ret
= tor_tls_classify_client_ciphers(ssl
, NULL
);
694 tt_int_op(ret
, OP_EQ
, 42);
696 tls
->client_cipher_list_type
= 0;
697 ret
= tor_tls_classify_client_ciphers(ssl
, ciphers
);
698 tt_int_op(ret
, OP_EQ
, 1);
699 tt_int_op(tls
->client_cipher_list_type
, OP_EQ
, 1);
701 tls
->client_cipher_list_type
= 0;
702 ret
= tor_tls_classify_client_ciphers(ssl
, SSL_get_ciphers(ssl
));
703 tt_int_op(ret
, OP_EQ
, 3);
704 tt_int_op(tls
->client_cipher_list_type
, OP_EQ
, 3);
706 SSL_CIPHER
*one
= get_cipher_by_name(TLS1_TXT_DHE_RSA_WITH_AES_128_SHA
),
707 *two
= get_cipher_by_name(TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
),
708 *three
= get_cipher_by_name(SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA
),
710 sk_SSL_CIPHER_push(ciphers
, one
);
711 sk_SSL_CIPHER_push(ciphers
, two
);
712 sk_SSL_CIPHER_push(ciphers
, three
);
713 sk_SSL_CIPHER_push(ciphers
, four
);
715 tls
->client_cipher_list_type
= 0;
716 ret
= tor_tls_classify_client_ciphers(ssl
, ciphers
);
717 tt_int_op(ret
, OP_EQ
, 1);
718 tt_int_op(tls
->client_cipher_list_type
, OP_EQ
, 1);
720 sk_SSL_CIPHER_zero(ciphers
);
722 one
= get_cipher_by_name("ECDHE-RSA-AES256-GCM-SHA384");
725 two
= get_cipher_by_name("ECDHE-RSA-AES128-GCM-SHA256");
728 sk_SSL_CIPHER_push(ciphers
, one
);
729 tls
->client_cipher_list_type
= 0;
730 ret
= tor_tls_classify_client_ciphers(ssl
, ciphers
);
731 tt_int_op(ret
, OP_EQ
, 3);
732 tt_int_op(tls
->client_cipher_list_type
, OP_EQ
, 3);
734 sk_SSL_CIPHER_push(ciphers
, two
);
735 tls
->client_cipher_list_type
= 0;
736 ret
= tor_tls_classify_client_ciphers(ssl
, ciphers
);
737 tt_int_op(ret
, OP_EQ
, 3);
738 tt_int_op(tls
->client_cipher_list_type
, OP_EQ
, 3);
741 tls
->client_cipher_list_type
= 0;
742 ret
= tor_tls_classify_client_ciphers(ssl
, ciphers
);
743 tt_int_op(ret
, OP_EQ
, 3);
744 tt_int_op(tls
->client_cipher_list_type
, OP_EQ
, 3);
746 sk_SSL_CIPHER_zero(ciphers
);
747 for (i
=0; v2_cipher_list
[i
]; i
++) {
748 tmp_cipher
= get_cipher_by_id(v2_cipher_list
[i
]);
749 tt_assert(tmp_cipher
);
750 sk_SSL_CIPHER_push(ciphers
, tmp_cipher
);
752 tls
->client_cipher_list_type
= 0;
753 ret
= tor_tls_classify_client_ciphers(ssl
, ciphers
);
754 tt_int_op(ret
, OP_EQ
, 2);
755 tt_int_op(tls
->client_cipher_list_type
, OP_EQ
, 2);
758 sk_SSL_CIPHER_free(ciphers
);
763 #endif /* !defined(OPENSSL_OPAQUE) */
766 test_tortls_client_is_using_v2_ciphers(void *ignored
)
770 #ifdef HAVE_SSL_GET_CLIENT_CIPHERS
779 STACK_OF(SSL_CIPHER
) *ciphers
;
783 ctx
= SSL_CTX_new(TLSv1_method());
785 sess
= SSL_SESSION_new();
787 ret
= tor_tls_client_is_using_v2_ciphers(ssl
);
788 tt_int_op(ret
, OP_EQ
, -1);
791 ret
= tor_tls_client_is_using_v2_ciphers(ssl
);
792 tt_int_op(ret
, OP_EQ
, 0);
794 ciphers
= sk_SSL_CIPHER_new_null();
795 SSL_CIPHER
*one
= get_cipher_by_name("ECDHE-RSA-AES256-GCM-SHA384");
798 sk_SSL_CIPHER_push(ciphers
, one
);
799 sess
->ciphers
= ciphers
;
800 ret
= tor_tls_client_is_using_v2_ciphers(ssl
);
801 tt_int_op(ret
, OP_EQ
, 1);
805 #endif /* defined(HAVE_SSL_GET_CLIENT_CIPHERS) */
808 #ifndef OPENSSL_OPAQUE
809 static int fixed_ssl_pending_result
= 0;
812 fixed_ssl_pending(const SSL
*ignored
)
815 return fixed_ssl_pending_result
;
819 test_tortls_get_pending_bytes(void *ignored
)
826 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
827 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
828 method
= tor_malloc_zero(sizeof(SSL_METHOD
));
829 method
->ssl_pending
= fixed_ssl_pending
;
830 tls
->ssl
->method
= method
;
832 fixed_ssl_pending_result
= 42;
833 ret
= tor_tls_get_pending_bytes(tls
);
834 tt_int_op(ret
, OP_EQ
, 42);
841 #endif /* !defined(OPENSSL_OPAQUE) */
843 #ifndef OPENSSL_OPAQUE
845 test_tortls_SSL_SESSION_get_master_key(void *ignored
)
851 out
= tor_malloc_zero(1);
852 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
853 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
854 tls
->ssl
->session
= tor_malloc_zero(sizeof(SSL_SESSION
));
855 tls
->ssl
->session
->master_key_length
= 1;
857 #ifndef HAVE_SSL_SESSION_GET_MASTER_KEY
858 tls
->ssl
->session
->master_key
[0] = 43;
859 ret
= SSL_SESSION_get_master_key(tls
->ssl
->session
, out
, 0);
860 tt_int_op(ret
, OP_EQ
, 1);
861 tt_int_op(out
[0], OP_EQ
, 0);
863 ret
= SSL_SESSION_get_master_key(tls
->ssl
->session
, out
, 1);
864 tt_int_op(ret
, OP_EQ
, 1);
865 tt_int_op(out
[0], OP_EQ
, 43);
868 #endif /* !defined(HAVE_SSL_SESSION_GET_MASTER_KEY) */
869 tor_free(tls
->ssl
->session
);
874 #endif /* !defined(OPENSSL_OPAQUE) */
876 #ifndef OPENSSL_OPAQUE
878 test_tortls_get_tlssecrets(void *ignored
)
882 uint8_t *secret_out
= tor_malloc_zero(DIGEST256_LEN
);
884 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
885 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
886 tls
->ssl
->session
= tor_malloc_zero(sizeof(SSL_SESSION
));
887 tls
->ssl
->session
->master_key_length
= 1;
888 tls
->ssl
->s3
= tor_malloc_zero(sizeof(SSL3_STATE
));
890 ret
= tor_tls_get_tlssecrets(tls
, secret_out
);
891 tt_int_op(ret
, OP_EQ
, 0);
894 tor_free(secret_out
);
895 tor_free(tls
->ssl
->s3
);
896 tor_free(tls
->ssl
->session
);
900 #endif /* !defined(OPENSSL_OPAQUE) */
902 #ifndef OPENSSL_OPAQUE
904 test_tortls_get_buffer_sizes(void *ignored
)
909 size_t rbuf_c
=-1, rbuf_b
=-1, wbuf_c
=-1, wbuf_b
=-1;
911 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
912 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
913 tls
->ssl
->s3
= tor_malloc_zero(sizeof(SSL3_STATE
));
915 tls
->ssl
->s3
->rbuf
.buf
= NULL
;
916 tls
->ssl
->s3
->rbuf
.len
= 1;
917 tls
->ssl
->s3
->rbuf
.offset
= 0;
918 tls
->ssl
->s3
->rbuf
.left
= 42;
920 tls
->ssl
->s3
->wbuf
.buf
= NULL
;
921 tls
->ssl
->s3
->wbuf
.len
= 2;
922 tls
->ssl
->s3
->wbuf
.offset
= 0;
923 tls
->ssl
->s3
->wbuf
.left
= 43;
925 ret
= tor_tls_get_buffer_sizes(tls
, &rbuf_c
, &rbuf_b
, &wbuf_c
, &wbuf_b
);
926 #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
927 tt_int_op(ret
, OP_EQ
, -1);
929 tt_int_op(ret
, OP_EQ
, 0);
930 tt_int_op(rbuf_c
, OP_EQ
, 0);
931 tt_int_op(wbuf_c
, OP_EQ
, 0);
932 tt_int_op(rbuf_b
, OP_EQ
, 42);
933 tt_int_op(wbuf_b
, OP_EQ
, 43);
935 tls
->ssl
->s3
->rbuf
.buf
= tor_malloc_zero(1);
936 tls
->ssl
->s3
->wbuf
.buf
= tor_malloc_zero(1);
937 ret
= tor_tls_get_buffer_sizes(tls
, &rbuf_c
, &rbuf_b
, &wbuf_c
, &wbuf_b
);
938 tt_int_op(ret
, OP_EQ
, 0);
939 tt_int_op(rbuf_c
, OP_EQ
, 1);
940 tt_int_op(wbuf_c
, OP_EQ
, 2);
942 #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) */
945 tor_free(tls
->ssl
->s3
->rbuf
.buf
);
946 tor_free(tls
->ssl
->s3
->wbuf
.buf
);
947 tor_free(tls
->ssl
->s3
);
951 #endif /* !defined(OPENSSL_OPAQUE) */
953 #ifndef OPENSSL_OPAQUE
954 typedef struct cert_pkey_st_local
957 EVP_PKEY
*privatekey
;
958 const EVP_MD
*digest
;
961 typedef struct sess_cert_st_local
963 STACK_OF(X509
) *cert_chain
;
965 CERT_PKEY_local
*peer_key
;
966 CERT_PKEY_local peer_pkeys
[8];
971 test_tortls_try_to_extract_certs_from_tls(void *ignored
)
975 X509
*cert
= NULL
, *id_cert
= NULL
, *c1
= NULL
, *c2
= NULL
;
976 SESS_CERT_local
*sess
= NULL
;
978 c1
= read_cert_from(validCertString
);
979 c2
= read_cert_from(caCertString
);
981 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
982 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
983 tls
->ssl
->session
= tor_malloc_zero(sizeof(SSL_SESSION
));
984 sess
= tor_malloc_zero(sizeof(SESS_CERT_local
));
985 tls
->ssl
->session
->sess_cert
= (void *)sess
;
987 try_to_extract_certs_from_tls(LOG_WARN
, tls
, &cert
, &id_cert
);
991 tls
->ssl
->session
->peer
= c1
;
992 try_to_extract_certs_from_tls(LOG_WARN
, tls
, &cert
, &id_cert
);
993 tt_assert(cert
== c1
);
995 X509_free(cert
); /* decrease refcnt */
997 sess
->cert_chain
= sk_X509_new_null();
998 try_to_extract_certs_from_tls(LOG_WARN
, tls
, &cert
, &id_cert
);
999 tt_assert(cert
== c1
);
1000 tt_assert(!id_cert
);
1001 X509_free(cert
); /* decrease refcnt */
1003 sk_X509_push(sess
->cert_chain
, c1
);
1004 sk_X509_push(sess
->cert_chain
, c2
);
1006 try_to_extract_certs_from_tls(LOG_WARN
, tls
, &cert
, &id_cert
);
1007 tt_assert(cert
== c1
);
1009 X509_free(cert
); /* decrease refcnt */
1010 X509_free(id_cert
); /* decrease refcnt */
1013 sk_X509_free(sess
->cert_chain
);
1015 tor_free(tls
->ssl
->session
);
1021 #endif /* !defined(OPENSSL_OPAQUE) */
1023 #ifndef OPENSSL_OPAQUE
1025 test_tortls_get_peer_cert(void *ignored
)
1028 tor_x509_cert_t
*ret
;
1032 cert
= read_cert_from(validCertString
);
1034 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1035 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1036 tls
->ssl
->session
= tor_malloc_zero(sizeof(SSL_SESSION
));
1038 ret
= tor_tls_get_peer_cert(tls
);
1041 tls
->ssl
->session
->peer
= cert
;
1042 ret
= tor_tls_get_peer_cert(tls
);
1044 tt_assert(ret
->cert
== cert
);
1047 tor_x509_cert_free(ret
);
1048 tor_free(tls
->ssl
->session
);
1053 #endif /* !defined(OPENSSL_OPAQUE) */
1055 #ifndef OPENSSL_OPAQUE
1057 test_tortls_peer_has_cert(void *ignored
)
1064 cert
= read_cert_from(validCertString
);
1066 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1067 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1068 tls
->ssl
->session
= tor_malloc_zero(sizeof(SSL_SESSION
));
1070 ret
= tor_tls_peer_has_cert(tls
);
1073 tls
->ssl
->session
->peer
= cert
;
1074 ret
= tor_tls_peer_has_cert(tls
);
1078 tor_free(tls
->ssl
->session
);
1083 #endif /* !defined(OPENSSL_OPAQUE) */
1086 test_tortls_get_write_overhead_ratio(void *ignored
)
1091 total_bytes_written_over_tls
= 0;
1092 ret
= tls_get_write_overhead_ratio();
1093 tt_double_op(fabs(ret
- 1.0), OP_LT
, 1E-12);
1095 total_bytes_written_by_tls
= 10;
1096 total_bytes_written_over_tls
= 1;
1097 ret
= tls_get_write_overhead_ratio();
1098 tt_double_op(fabs(ret
- 10.0), OP_LT
, 1E-12);
1100 total_bytes_written_by_tls
= 10;
1101 total_bytes_written_over_tls
= 2;
1102 ret
= tls_get_write_overhead_ratio();
1103 tt_double_op(fabs(ret
- 5.0), OP_LT
, 1E-12);
1110 test_tortls_is_server(void *ignored
)
1116 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1118 ret
= tor_tls_is_server(tls
);
1119 tt_int_op(ret
, OP_EQ
, 1);
1125 #ifndef OPENSSL_OPAQUE
1127 test_tortls_session_secret_cb(void *ignored
)
1132 STACK_OF(SSL_CIPHER
) *ciphers
= NULL
;
1137 tor_tls_allocate_tor_tls_object_ex_data_index();
1139 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1141 tls
->magic
= TOR_TLS_MAGIC
;
1143 ctx
= SSL_CTX_new(TLSv1_method());
1144 tls
->ssl
= SSL_new(ctx
);
1145 SSL_set_ex_data(tls
->ssl
, tor_tls_object_ex_data_index
, tls
);
1147 SSL_set_session_secret_cb(tls
->ssl
, tor_tls_session_secret_cb
, NULL
);
1149 tor_tls_session_secret_cb(tls
->ssl
, NULL
, NULL
, NULL
, NULL
, NULL
);
1150 tt_assert(!tls
->ssl
->tls_session_secret_cb
);
1152 one
= get_cipher_by_name("ECDHE-RSA-AES256-GCM-SHA384");
1154 ciphers
= sk_SSL_CIPHER_new_null();
1155 sk_SSL_CIPHER_push(ciphers
, one
);
1157 tls
->client_cipher_list_type
= 0;
1158 tor_tls_session_secret_cb(tls
->ssl
, NULL
, NULL
, ciphers
, NULL
, NULL
);
1159 tt_assert(!tls
->ssl
->tls_session_secret_cb
);
1162 sk_SSL_CIPHER_free(ciphers
);
1167 #endif /* !defined(OPENSSL_OPAQUE) */
1169 #ifndef OPENSSL_OPAQUE
1170 /* TODO: It seems block_renegotiation and unblock_renegotiation and
1171 * using different blags. This might not be correct */
1173 test_tortls_block_renegotiation(void *ignored
)
1178 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1179 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1180 tls
->ssl
->s3
= tor_malloc_zero(sizeof(SSL3_STATE
));
1181 #ifndef SUPPORT_UNSAFE_RENEGOTIATION_FLAG
1182 #define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0
1185 tls
->ssl
->s3
->flags
= SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
;
1187 tor_tls_block_renegotiation(tls
);
1189 #ifndef OPENSSL_1_1_API
1190 tt_assert(!(tls
->ssl
->s3
->flags
&
1191 SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
));
1195 tor_free(tls
->ssl
->s3
);
1201 test_tortls_unblock_renegotiation(void *ignored
)
1206 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1207 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1208 tor_tls_unblock_renegotiation(tls
);
1210 tt_uint_op(SSL_get_options(tls
->ssl
) &
1211 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
, OP_EQ
,
1212 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
);
1218 #endif /* !defined(OPENSSL_OPAQUE) */
1220 #ifndef OPENSSL_OPAQUE
1222 test_tortls_assert_renegotiation_unblocked(void *ignored
)
1227 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1228 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1229 tor_tls_unblock_renegotiation(tls
);
1230 tor_tls_assert_renegotiation_unblocked(tls
);
1231 /* No assertion here - this test will fail if tor_assert is turned on
1232 * and things are bad. */
1237 #endif /* !defined(OPENSSL_OPAQUE) */
1240 test_tortls_set_logged_address(void *ignored
)
1245 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1247 tor_tls_set_logged_address(tls
, "foo bar");
1249 tt_str_op(tls
->address
, OP_EQ
, "foo bar");
1251 tor_tls_set_logged_address(tls
, "foo bar 2");
1252 tt_str_op(tls
->address
, OP_EQ
, "foo bar 2");
1255 tor_free(tls
->address
);
1259 #ifndef OPENSSL_OPAQUE
1261 example_cb(tor_tls_t
*t
, void *arg
)
1268 test_tortls_set_renegotiate_callback(void *ignored
)
1272 const char *arg
= "hello";
1274 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1275 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1277 tor_tls_set_renegotiate_callback(tls
, example_cb
, (void*)arg
);
1278 tt_assert(tls
->negotiated_callback
== example_cb
);
1279 tt_assert(tls
->callback_arg
== arg
);
1280 tt_assert(!tls
->got_renegotiate
);
1282 /* Assumes V2_HANDSHAKE_SERVER */
1283 tt_assert(tls
->ssl
->info_callback
== tor_tls_server_info_callback
);
1285 tor_tls_set_renegotiate_callback(tls
, NULL
, (void*)arg
);
1286 tt_assert(tls
->ssl
->info_callback
== tor_tls_debug_state_callback
);
1292 #endif /* !defined(OPENSSL_OPAQUE) */
1294 #ifndef OPENSSL_OPAQUE
1295 static SSL_CIPHER
*fixed_cipher1
= NULL
;
1296 static SSL_CIPHER
*fixed_cipher2
= NULL
;
1297 static const SSL_CIPHER
*
1298 fake_get_cipher(unsigned ncipher
)
1303 return fixed_cipher1
;
1305 return fixed_cipher2
;
1310 #endif /* !defined(OPENSSL_OPAQUE) */
1312 #ifndef OPENSSL_OPAQUE
1314 test_tortls_find_cipher_by_id(void *ignored
)
1320 const SSL_METHOD
*m
= TLSv1_method();
1321 SSL_METHOD
*empty_method
= tor_malloc_zero(sizeof(SSL_METHOD
));
1323 fixed_cipher1
= tor_malloc_zero(sizeof(SSL_CIPHER
));
1324 fixed_cipher2
= tor_malloc_zero(sizeof(SSL_CIPHER
));
1325 fixed_cipher2
->id
= 0xC00A;
1329 ctx
= SSL_CTX_new(m
);
1332 ret
= find_cipher_by_id(ssl
, NULL
, 0xC00A);
1333 tt_int_op(ret
, OP_EQ
, 1);
1335 ret
= find_cipher_by_id(ssl
, m
, 0xC00A);
1336 tt_int_op(ret
, OP_EQ
, 1);
1338 ret
= find_cipher_by_id(ssl
, m
, 0xFFFF);
1339 tt_int_op(ret
, OP_EQ
, 0);
1341 ret
= find_cipher_by_id(ssl
, empty_method
, 0xC00A);
1342 tt_int_op(ret
, OP_EQ
, 1);
1344 ret
= find_cipher_by_id(ssl
, empty_method
, 0xFFFF);
1345 #ifdef HAVE_SSL_CIPHER_FIND
1346 tt_int_op(ret
, OP_EQ
, 0);
1348 tt_int_op(ret
, OP_EQ
, 1);
1351 empty_method
->get_cipher
= fake_get_cipher
;
1352 ret
= find_cipher_by_id(ssl
, empty_method
, 0xC00A);
1353 tt_int_op(ret
, OP_EQ
, 1);
1355 empty_method
->get_cipher
= m
->get_cipher
;
1356 empty_method
->num_ciphers
= m
->num_ciphers
;
1357 ret
= find_cipher_by_id(ssl
, empty_method
, 0xC00A);
1358 tt_int_op(ret
, OP_EQ
, 1);
1360 empty_method
->get_cipher
= fake_get_cipher
;
1361 empty_method
->num_ciphers
= m
->num_ciphers
;
1362 ret
= find_cipher_by_id(ssl
, empty_method
, 0xC00A);
1363 tt_int_op(ret
, OP_EQ
, 1);
1365 empty_method
->num_ciphers
= fake_num_ciphers
;
1366 ret
= find_cipher_by_id(ssl
, empty_method
, 0xC00A);
1367 #ifdef HAVE_SSL_CIPHER_FIND
1368 tt_int_op(ret
, OP_EQ
, 1);
1370 tt_int_op(ret
, OP_EQ
, 0);
1374 tor_free(empty_method
);
1377 tor_free(fixed_cipher1
);
1379 #endif /* !defined(OPENSSL_OPAQUE) */
1381 #ifndef OPENSSL_OPAQUE
1383 test_tortls_debug_state_callback(void *ignored
)
1387 char *buf
= tor_malloc_zero(1000);
1390 setup_capture_of_logs(LOG_DEBUG
);
1392 ssl
= tor_malloc_zero(sizeof(SSL
));
1394 tor_tls_debug_state_callback(ssl
, 32, 45);
1396 n
= tor_snprintf(buf
, 1000, "SSL %p is now in state unknown"
1397 " state [type=32,val=45].\n", ssl
);
1398 /* tor's snprintf returns -1 on error */
1399 tt_int_op(n
, OP_NE
, -1);
1400 expect_log_msg(buf
);
1403 teardown_capture_of_logs();
1407 #endif /* !defined(OPENSSL_OPAQUE) */
1409 #ifndef OPENSSL_OPAQUE
1411 test_tortls_server_info_callback(void *ignored
)
1420 ctx
= SSL_CTX_new(TLSv1_method());
1423 tor_tls_allocate_tor_tls_object_ex_data_index();
1425 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1426 tls
->magic
= TOR_TLS_MAGIC
;
1429 setup_full_capture_of_logs(LOG_WARN
);
1430 SSL_set_state(ssl
, SSL3_ST_SW_SRVR_HELLO_A
);
1431 mock_clean_saved_logs();
1432 tor_tls_server_info_callback(ssl
, SSL_CB_ACCEPT_LOOP
, 0);
1433 expect_single_log_msg("Couldn't look up the tls for an SSL*. How odd!\n");
1435 SSL_set_state(ssl
, SSL3_ST_SW_SRVR_HELLO_B
);
1436 mock_clean_saved_logs();
1437 tor_tls_server_info_callback(ssl
, SSL_CB_ACCEPT_LOOP
, 0);
1438 expect_single_log_msg("Couldn't look up the tls for an SSL*. How odd!\n");
1440 SSL_set_state(ssl
, 99);
1441 mock_clean_saved_logs();
1442 tor_tls_server_info_callback(ssl
, SSL_CB_ACCEPT_LOOP
, 0);
1443 expect_no_log_entry();
1444 teardown_capture_of_logs();
1446 SSL_set_ex_data(tls
->ssl
, tor_tls_object_ex_data_index
, tls
);
1447 SSL_set_state(ssl
, SSL3_ST_SW_SRVR_HELLO_B
);
1448 tls
->negotiated_callback
= 0;
1449 //tls->server_handshake_count = 120;
1450 tor_tls_server_info_callback(ssl
, SSL_CB_ACCEPT_LOOP
, 0);
1451 //tt_int_op(tls->server_handshake_count, OP_EQ, 121);
1453 //tls->server_handshake_count = 127;
1454 tls
->negotiated_callback
= (void *)1;
1455 tor_tls_server_info_callback(ssl
, SSL_CB_ACCEPT_LOOP
, 0);
1456 //tt_int_op(tls->server_handshake_count, OP_EQ, 127);
1457 tt_int_op(tls
->got_renegotiate
, OP_EQ
, 1);
1459 tls
->ssl
->session
= SSL_SESSION_new();
1460 tls
->wasV2Handshake
= 0;
1461 tor_tls_server_info_callback(ssl
, SSL_CB_ACCEPT_LOOP
, 0);
1462 tt_int_op(tls
->wasV2Handshake
, OP_EQ
, 0);
1465 teardown_capture_of_logs();
1470 #endif /* !defined(OPENSSL_OPAQUE) */
1472 #ifndef OPENSSL_OPAQUE
1473 static int fixed_ssl_read_result_index
;
1474 static int fixed_ssl_read_result
[5];
1477 fixed_ssl_read(SSL
*s
, void *buf
, int len
)
1482 return fixed_ssl_read_result
[fixed_ssl_read_result_index
++];
1486 dummy_handshake_func(SSL
*s
)
1492 static int negotiated_callback_called
;
1495 negotiated_callback_setter(tor_tls_t
*t
, void *arg
)
1499 negotiated_callback_called
++;
1503 test_tortls_read(void *ignored
)
1509 SSL_METHOD
*method
= give_me_a_test_method();
1510 setup_capture_of_logs(LOG_WARN
);
1512 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1513 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1514 tls
->state
= TOR_TLS_ST_OPEN
;
1516 ret
= tor_tls_read(tls
, buf
, 10);
1517 tt_int_op(ret
, OP_EQ
, -9);
1519 /* These tests assume that V2_HANDSHAKE_SERVER is set */
1520 tls
->ssl
->handshake_func
= dummy_handshake_func
;
1521 tls
->ssl
->method
= method
;
1522 method
->ssl_read
= fixed_ssl_read
;
1523 fixed_ssl_read_result_index
= 0;
1524 fixed_ssl_read_result
[0] = 42;
1525 tls
->state
= TOR_TLS_ST_OPEN
;
1527 ret
= tor_tls_read(tls
, buf
, 10);
1528 tt_int_op(ret
, OP_EQ
, 42);
1530 tls
->state
= TOR_TLS_ST_OPEN
;
1531 tls
->got_renegotiate
= 1;
1532 fixed_ssl_read_result_index
= 0;
1534 ret
= tor_tls_read(tls
, buf
, 10);
1535 tt_int_op(tls
->got_renegotiate
, OP_EQ
, 0);
1537 tls
->state
= TOR_TLS_ST_OPEN
;
1538 tls
->got_renegotiate
= 1;
1539 negotiated_callback_called
= 0;
1540 tls
->negotiated_callback
= negotiated_callback_setter
;
1541 fixed_ssl_read_result_index
= 0;
1543 ret
= tor_tls_read(tls
, buf
, 10);
1544 tt_int_op(negotiated_callback_called
, OP_EQ
, 1);
1546 #ifndef LIBRESSL_VERSION_NUMBER
1547 fixed_ssl_read_result_index
= 0;
1548 fixed_ssl_read_result
[0] = 0;
1549 tls
->ssl
->version
= SSL2_VERSION
;
1551 ret
= tor_tls_read(tls
, buf
, 10);
1552 tt_int_op(ret
, OP_EQ
, TOR_TLS_CLOSE
);
1553 tt_int_op(tls
->state
, OP_EQ
, TOR_TLS_ST_CLOSED
);
1554 #endif /* !defined(LIBRESSL_VERSION_NUMBER) */
1558 teardown_capture_of_logs();
1564 static int fixed_ssl_write_result
;
1567 fixed_ssl_write(SSL
*s
, const void *buf
, int len
)
1572 return fixed_ssl_write_result
;
1576 test_tortls_write(void *ignored
)
1581 SSL_METHOD
*method
= give_me_a_test_method();
1583 setup_capture_of_logs(LOG_WARN
);
1585 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1586 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1587 tls
->state
= TOR_TLS_ST_OPEN
;
1589 ret
= tor_tls_write(tls
, buf
, 0);
1590 tt_int_op(ret
, OP_EQ
, 0);
1592 ret
= tor_tls_write(tls
, buf
, 10);
1593 tt_int_op(ret
, OP_EQ
, -9);
1595 tls
->ssl
->method
= method
;
1596 tls
->wantwrite_n
= 1;
1597 ret
= tor_tls_write(tls
, buf
, 10);
1598 tt_int_op(tls
->wantwrite_n
, OP_EQ
, 0);
1600 method
->ssl_write
= fixed_ssl_write
;
1601 tls
->ssl
->handshake_func
= dummy_handshake_func
;
1602 fixed_ssl_write_result
= 1;
1604 ret
= tor_tls_write(tls
, buf
, 10);
1605 tt_int_op(ret
, OP_EQ
, 1);
1607 fixed_ssl_write_result
= -1;
1609 tls
->ssl
->rwstate
= SSL_READING
;
1610 SSL_set_bio(tls
->ssl
, BIO_new(BIO_s_mem()), NULL
);
1611 SSL_get_rbio(tls
->ssl
)->flags
= BIO_FLAGS_READ
;
1612 ret
= tor_tls_write(tls
, buf
, 10);
1613 tt_int_op(ret
, OP_EQ
, TOR_TLS_WANTREAD
);
1616 tls
->ssl
->rwstate
= SSL_READING
;
1617 SSL_set_bio(tls
->ssl
, BIO_new(BIO_s_mem()), NULL
);
1618 SSL_get_rbio(tls
->ssl
)->flags
= BIO_FLAGS_WRITE
;
1619 ret
= tor_tls_write(tls
, buf
, 10);
1620 tt_int_op(ret
, OP_EQ
, TOR_TLS_WANTWRITE
);
1623 teardown_capture_of_logs();
1624 BIO_free(tls
->ssl
->rbio
);
1629 #endif /* !defined(OPENSSL_OPAQUE) */
1631 #ifndef OPENSSL_OPAQUE
1632 static int fixed_ssl_accept_result
;
1633 static int fixed_ssl_connect_result
;
1636 setting_error_ssl_accept(SSL
*ssl
)
1639 ERR_put_error(ERR_LIB_BN
, 2, -1, "somewhere.c", 99);
1640 ERR_put_error(ERR_LIB_SYS
, 2, -1, "somewhere.c", 99);
1641 return fixed_ssl_accept_result
;
1645 setting_error_ssl_connect(SSL
*ssl
)
1648 ERR_put_error(ERR_LIB_BN
, 2, -1, "somewhere.c", 99);
1649 ERR_put_error(ERR_LIB_SYS
, 2, -1, "somewhere.c", 99);
1650 return fixed_ssl_connect_result
;
1654 fixed_ssl_accept(SSL
*ssl
)
1657 return fixed_ssl_accept_result
;
1661 test_tortls_handshake(void *ignored
)
1667 SSL_METHOD
*method
= give_me_a_test_method();
1668 setup_capture_of_logs(LOG_INFO
);
1671 SSL_load_error_strings();
1673 ctx
= SSL_CTX_new(TLSv1_method());
1675 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1676 tls
->ssl
= SSL_new(ctx
);
1677 tls
->state
= TOR_TLS_ST_HANDSHAKE
;
1679 ret
= tor_tls_handshake(tls
);
1680 tt_int_op(ret
, OP_EQ
, -9);
1683 tls
->state
= TOR_TLS_ST_HANDSHAKE
;
1684 ret
= tor_tls_handshake(tls
);
1685 tt_int_op(ret
, OP_EQ
, -9);
1687 tls
->ssl
->method
= method
;
1688 method
->ssl_accept
= fixed_ssl_accept
;
1689 fixed_ssl_accept_result
= 2;
1691 tls
->state
= TOR_TLS_ST_HANDSHAKE
;
1692 ret
= tor_tls_handshake(tls
);
1693 tt_int_op(tls
->state
, OP_EQ
, TOR_TLS_ST_OPEN
);
1695 method
->ssl_accept
= setting_error_ssl_accept
;
1696 fixed_ssl_accept_result
= 1;
1698 mock_clean_saved_logs();
1699 tls
->state
= TOR_TLS_ST_HANDSHAKE
;
1700 ret
= tor_tls_handshake(tls
);
1701 tt_int_op(ret
, OP_EQ
, TOR_TLS_ERROR_MISC
);
1703 /* This fails on jessie. Investigate why! */
1705 expect_log_msg("TLS error while handshaking: (null) (in bignum routines:"
1706 "(null):SSLv3 write client hello B)\n");
1707 expect_log_msg("TLS error while handshaking: (null) (in system library:"
1708 "connect:SSLv3 write client hello B)\n");
1710 expect_log_severity(LOG_INFO
);
1713 method
->ssl_connect
= setting_error_ssl_connect
;
1714 fixed_ssl_connect_result
= 1;
1716 mock_clean_saved_logs();
1717 tls
->state
= TOR_TLS_ST_HANDSHAKE
;
1718 ret
= tor_tls_handshake(tls
);
1719 tt_int_op(ret
, OP_EQ
, TOR_TLS_ERROR_MISC
);
1723 expect_log_msg("TLS error while handshaking: "
1724 "(null) (in bignum routines:(null):SSLv3 write client hello B)\n");
1725 expect_log_msg("TLS error while handshaking: "
1726 "(null) (in system library:connect:SSLv3 write client hello B)\n");
1728 expect_log_severity(LOG_WARN
);
1731 teardown_capture_of_logs();
1737 #endif /* !defined(OPENSSL_OPAQUE) */
1739 #ifndef OPENSSL_OPAQUE
1741 test_tortls_finish_handshake(void *ignored
)
1747 SSL_METHOD
*method
= give_me_a_test_method();
1749 SSL_load_error_strings();
1751 X509
*c1
= read_cert_from(validCertString
);
1752 SESS_CERT_local
*sess
= NULL
;
1754 ctx
= SSL_CTX_new(method
);
1756 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1757 tls
->ssl
= SSL_new(ctx
);
1758 tls
->state
= TOR_TLS_ST_OPEN
;
1760 ret
= tor_tls_finish_handshake(tls
);
1761 tt_int_op(ret
, OP_EQ
, 0);
1764 tls
->wasV2Handshake
= 0;
1765 setup_full_capture_of_logs(LOG_WARN
);
1766 ret
= tor_tls_finish_handshake(tls
);
1767 tt_int_op(ret
, OP_EQ
, 0);
1768 tt_int_op(tls
->wasV2Handshake
, OP_EQ
, 1);
1769 expect_single_log_msg_containing("For some reason, wasV2Handshake didn't "
1771 teardown_capture_of_logs();
1773 tls
->wasV2Handshake
= 1;
1774 ret
= tor_tls_finish_handshake(tls
);
1775 tt_int_op(ret
, OP_EQ
, 0);
1776 tt_int_op(tls
->wasV2Handshake
, OP_EQ
, 1);
1778 tls
->wasV2Handshake
= 1;
1779 tls
->ssl
->session
= SSL_SESSION_new();
1780 ret
= tor_tls_finish_handshake(tls
);
1781 tt_int_op(ret
, OP_EQ
, 0);
1782 tt_int_op(tls
->wasV2Handshake
, OP_EQ
, 0);
1786 sess
= tor_malloc_zero(sizeof(SESS_CERT_local
));
1787 tls
->ssl
->session
->sess_cert
= (void *)sess
;
1788 sess
->cert_chain
= sk_X509_new_null();
1789 sk_X509_push(sess
->cert_chain
, c1
);
1790 tls
->ssl
->session
->peer
= c1
;
1791 tls
->wasV2Handshake
= 0;
1792 ret
= tor_tls_finish_handshake(tls
);
1793 tt_int_op(ret
, OP_EQ
, 0);
1794 tt_int_op(tls
->wasV2Handshake
, OP_EQ
, 1);
1796 method
->num_ciphers
= fake_num_ciphers
;
1797 ret
= tor_tls_finish_handshake(tls
);
1798 tt_int_op(ret
, OP_EQ
, -9);
1802 sk_X509_free(sess
->cert_chain
);
1803 if (tls
->ssl
&& tls
->ssl
->session
) {
1804 tor_free(tls
->ssl
->session
->sess_cert
);
1810 teardown_capture_of_logs();
1812 #endif /* !defined(OPENSSL_OPAQUE) */
1814 static int fixed_crypto_pk_new_result_index
;
1815 static crypto_pk_t
*fixed_crypto_pk_new_result
[5];
1817 static crypto_pk_t
*
1818 fixed_crypto_pk_new(void)
1820 return fixed_crypto_pk_new_result
[fixed_crypto_pk_new_result_index
++];
1823 #ifndef OPENSSL_OPAQUE
1824 static int fixed_crypto_pk_generate_key_with_bits_result_index
;
1825 static int fixed_crypto_pk_generate_key_with_bits_result
[5];
1826 static int fixed_tor_tls_create_certificate_result_index
;
1827 static X509
*fixed_tor_tls_create_certificate_result
[5];
1828 static int fixed_tor_x509_cert_new_result_index
;
1829 static tor_x509_cert_t
*fixed_tor_x509_cert_new_result
[5];
1832 fixed_crypto_pk_generate_key_with_bits(crypto_pk_t
*env
, int bits
)
1836 return fixed_crypto_pk_generate_key_with_bits_result
[
1837 fixed_crypto_pk_generate_key_with_bits_result_index
++];
1841 fixed_tor_tls_create_certificate(crypto_pk_t
*rsa
,
1842 crypto_pk_t
*rsa_sign
,
1844 const char *cname_sign
,
1845 unsigned int cert_lifetime
)
1851 (void)cert_lifetime
;
1852 X509
*result
= fixed_tor_tls_create_certificate_result
[
1853 fixed_tor_tls_create_certificate_result_index
++];
1855 return X509_dup(result
);
1861 fixed_tor_tls_create_certificate_results_free(void)
1864 for (i
= 0; i
< ARRAY_LENGTH(fixed_tor_tls_create_certificate_result
); ++i
) {
1865 X509
*cert
= fixed_tor_tls_create_certificate_result
[i
];
1868 fixed_tor_tls_create_certificate_result
[i
] = NULL
;
1873 fixed_tor_x509_cert_new_results_free(void)
1876 for (i
= 0; i
< ARRAY_LENGTH(fixed_tor_x509_cert_new_result
); ++i
) {
1877 tor_x509_cert_free(fixed_tor_x509_cert_new_result
[i
]);
1881 static tor_x509_cert_t
*
1882 fixed_tor_x509_cert_new(tor_x509_cert_impl_t
*x509_cert
)
1885 tor_x509_cert_t
**certp
=
1886 &fixed_tor_x509_cert_new_result
[fixed_tor_x509_cert_new_result_index
++];
1887 tor_x509_cert_t
*cert
= *certp
;
1893 test_tortls_context_new(void *ignored
)
1896 tor_tls_context_t
*ret
;
1897 crypto_pk_t
*pk1
, *pk2
, *pk3
, *pk4
, *pk5
, *pk6
, *pk7
, *pk8
, *pk9
, *pk10
,
1898 *pk11
, *pk12
, *pk13
, *pk14
, *pk15
, *pk16
, *pk17
, *pk18
;
1900 pk1
= crypto_pk_new();
1901 pk2
= crypto_pk_new();
1902 pk3
= crypto_pk_new();
1903 pk4
= crypto_pk_new();
1904 pk5
= crypto_pk_new();
1905 pk6
= crypto_pk_new();
1906 pk7
= crypto_pk_new();
1907 pk8
= crypto_pk_new();
1908 pk9
= crypto_pk_new();
1909 pk10
= crypto_pk_new();
1910 pk11
= crypto_pk_new();
1911 pk12
= crypto_pk_new();
1912 pk13
= crypto_pk_new();
1913 pk14
= crypto_pk_new();
1914 pk15
= crypto_pk_new();
1915 pk16
= crypto_pk_new();
1916 pk17
= crypto_pk_new();
1917 pk18
= crypto_pk_new();
1919 fixed_crypto_pk_new_result_index
= 0;
1920 fixed_crypto_pk_new_result
[0] = NULL
;
1921 MOCK(crypto_pk_new
, fixed_crypto_pk_new
);
1922 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
1925 /* note: we already override this in testing_common.c, so we
1926 * run this unit test in a subprocess. */
1927 MOCK(crypto_pk_generate_key_with_bits
,
1928 fixed_crypto_pk_generate_key_with_bits
);
1929 fixed_crypto_pk_new_result_index
= 0;
1930 fixed_crypto_pk_new_result
[0] = pk1
;
1931 fixed_crypto_pk_new_result
[1] = NULL
;
1932 fixed_crypto_pk_generate_key_with_bits_result
[0] = -1;
1933 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
1934 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
1937 fixed_crypto_pk_new_result_index
= 0;
1938 fixed_crypto_pk_new_result
[0] = pk2
;
1939 fixed_crypto_pk_new_result
[1] = NULL
;
1940 fixed_crypto_pk_generate_key_with_bits_result
[0] = 0;
1941 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
1942 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
1945 fixed_crypto_pk_new_result_index
= 0;
1946 fixed_crypto_pk_new_result
[0] = pk3
;
1947 fixed_crypto_pk_new_result
[1] = pk4
;
1948 fixed_crypto_pk_new_result
[2] = NULL
;
1949 fixed_crypto_pk_generate_key_with_bits_result
[0] = 0;
1950 fixed_crypto_pk_generate_key_with_bits_result
[1] = -1;
1951 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
1952 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
1955 MOCK(tor_tls_create_certificate
, fixed_tor_tls_create_certificate
);
1957 fixed_crypto_pk_new_result_index
= 0;
1958 fixed_crypto_pk_new_result
[0] = pk5
;
1959 fixed_crypto_pk_new_result
[1] = pk6
;
1960 fixed_crypto_pk_new_result
[2] = NULL
;
1961 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
1962 fixed_crypto_pk_generate_key_with_bits_result
[1] = 0;
1963 fixed_tor_tls_create_certificate_result_index
= 0;
1964 fixed_tor_tls_create_certificate_result
[0] = NULL
;
1965 fixed_tor_tls_create_certificate_result
[1] = X509_new();
1966 fixed_tor_tls_create_certificate_result
[2] = X509_new();
1967 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
1969 fixed_tor_tls_create_certificate_results_free();
1971 fixed_crypto_pk_new_result_index
= 0;
1972 fixed_crypto_pk_new_result
[0] = pk7
;
1973 fixed_crypto_pk_new_result
[1] = pk8
;
1974 fixed_crypto_pk_new_result
[2] = NULL
;
1975 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
1976 fixed_tor_tls_create_certificate_result_index
= 0;
1977 fixed_tor_tls_create_certificate_result
[0] = X509_new();
1978 fixed_tor_tls_create_certificate_result
[1] = NULL
;
1979 fixed_tor_tls_create_certificate_result
[2] = X509_new();
1980 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
1982 fixed_tor_tls_create_certificate_results_free();
1984 fixed_crypto_pk_new_result_index
= 0;
1985 fixed_crypto_pk_new_result
[0] = pk9
;
1986 fixed_crypto_pk_new_result
[1] = pk10
;
1987 fixed_crypto_pk_new_result
[2] = NULL
;
1988 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
1989 fixed_tor_tls_create_certificate_result_index
= 0;
1990 fixed_tor_tls_create_certificate_result
[0] = X509_new();
1991 fixed_tor_tls_create_certificate_result
[1] = X509_new();
1992 fixed_tor_tls_create_certificate_result
[2] = NULL
;
1993 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
1995 fixed_tor_tls_create_certificate_results_free();
1997 MOCK(tor_x509_cert_new
, fixed_tor_x509_cert_new
);
1998 fixed_crypto_pk_new_result_index
= 0;
1999 fixed_crypto_pk_new_result
[0] = pk11
;
2000 fixed_crypto_pk_new_result
[1] = pk12
;
2001 fixed_crypto_pk_new_result
[2] = NULL
;
2002 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
2003 fixed_tor_tls_create_certificate_result_index
= 0;
2004 fixed_tor_tls_create_certificate_result
[0] = X509_new();
2005 fixed_tor_tls_create_certificate_result
[1] = X509_new();
2006 fixed_tor_tls_create_certificate_result
[2] = X509_new();
2007 fixed_tor_x509_cert_new_result_index
= 0;
2008 fixed_tor_x509_cert_new_result
[0] = NULL
;
2009 fixed_tor_x509_cert_new_result
[1] = NULL
;
2010 fixed_tor_x509_cert_new_result
[2] = NULL
;
2011 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
2013 fixed_tor_tls_create_certificate_results_free();
2015 fixed_crypto_pk_new_result_index
= 0;
2016 fixed_crypto_pk_new_result
[0] = pk13
;
2017 fixed_crypto_pk_new_result
[1] = pk14
;
2018 fixed_crypto_pk_new_result
[2] = NULL
;
2019 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
2020 fixed_tor_tls_create_certificate_result_index
= 0;
2021 fixed_tor_tls_create_certificate_result
[0] = X509_new();
2022 fixed_tor_tls_create_certificate_result
[1] = X509_new();
2023 fixed_tor_tls_create_certificate_result
[2] = X509_new();
2024 fixed_tor_x509_cert_new_result_index
= 0;
2025 fixed_tor_x509_cert_new_result
[0] = tor_malloc_zero(sizeof(tor_x509_cert_t
));
2026 fixed_tor_x509_cert_new_result
[1] = NULL
;
2027 fixed_tor_x509_cert_new_result
[2] = NULL
;
2028 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
2030 fixed_tor_tls_create_certificate_results_free();
2031 fixed_tor_x509_cert_new_results_free();
2033 fixed_crypto_pk_new_result_index
= 0;
2034 fixed_crypto_pk_new_result
[0] = pk15
;
2035 fixed_crypto_pk_new_result
[1] = pk16
;
2036 fixed_crypto_pk_new_result
[2] = NULL
;
2037 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
2038 fixed_tor_tls_create_certificate_result_index
= 0;
2039 fixed_tor_tls_create_certificate_result
[0] = X509_new();
2040 fixed_tor_tls_create_certificate_result
[1] = X509_new();
2041 fixed_tor_tls_create_certificate_result
[2] = X509_new();
2042 fixed_tor_x509_cert_new_result_index
= 0;
2043 fixed_tor_x509_cert_new_result
[0] = tor_malloc_zero(sizeof(tor_x509_cert_t
));
2044 fixed_tor_x509_cert_new_result
[1] = tor_malloc_zero(sizeof(tor_x509_cert_t
));
2045 fixed_tor_x509_cert_new_result
[2] = NULL
;
2046 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
2048 fixed_tor_tls_create_certificate_results_free();
2049 fixed_tor_x509_cert_new_results_free();
2051 fixed_crypto_pk_new_result_index
= 0;
2052 fixed_crypto_pk_new_result
[0] = pk17
;
2053 fixed_crypto_pk_new_result
[1] = pk18
;
2054 fixed_crypto_pk_new_result
[2] = NULL
;
2055 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
2056 fixed_tor_tls_create_certificate_result_index
= 0;
2057 fixed_tor_tls_create_certificate_result
[0] = X509_new();
2058 fixed_tor_tls_create_certificate_result
[1] = X509_new();
2059 fixed_tor_tls_create_certificate_result
[2] = X509_new();
2060 fixed_tor_x509_cert_new_result_index
= 0;
2061 fixed_tor_x509_cert_new_result
[0] = tor_malloc_zero(sizeof(tor_x509_cert_t
));
2062 fixed_tor_x509_cert_new_result
[1] = tor_malloc_zero(sizeof(tor_x509_cert_t
));
2063 fixed_tor_x509_cert_new_result
[2] = tor_malloc_zero(sizeof(tor_x509_cert_t
));
2064 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
2068 fixed_tor_tls_create_certificate_results_free();
2069 fixed_tor_x509_cert_new_results_free();
2070 UNMOCK(tor_x509_cert_new
);
2071 UNMOCK(tor_tls_create_certificate
);
2072 UNMOCK(crypto_pk_generate_key_with_bits
);
2073 UNMOCK(crypto_pk_new
);
2075 #endif /* !defined(OPENSSL_OPAQUE) */
2077 static int fixed_crypto_pk_get_evp_pkey_result_index
= 0;
2078 static EVP_PKEY
*fixed_crypto_pk_get_evp_pkey_result
[5];
2081 fixed_crypto_pk_get_evp_pkey_(crypto_pk_t
*env
, int private)
2085 return fixed_crypto_pk_get_evp_pkey_result
[
2086 fixed_crypto_pk_get_evp_pkey_result_index
++];
2090 test_tortls_create_certificate(void *ignored
)
2094 crypto_pk_t
*pk1
, *pk2
;
2096 pk1
= crypto_pk_new();
2097 pk2
= crypto_pk_new();
2099 MOCK(crypto_pk_get_openssl_evp_pkey_
, fixed_crypto_pk_get_evp_pkey_
);
2100 fixed_crypto_pk_get_evp_pkey_result_index
= 0;
2101 fixed_crypto_pk_get_evp_pkey_result
[0] = NULL
;
2102 ret
= tor_tls_create_certificate(pk1
, pk2
, "hello", "hello2", 1);
2105 fixed_crypto_pk_get_evp_pkey_result_index
= 0;
2106 fixed_crypto_pk_get_evp_pkey_result
[0] = EVP_PKEY_new();
2107 fixed_crypto_pk_get_evp_pkey_result
[1] = NULL
;
2108 ret
= tor_tls_create_certificate(pk1
, pk2
, "hello", "hello2", 1);
2111 fixed_crypto_pk_get_evp_pkey_result_index
= 0;
2112 fixed_crypto_pk_get_evp_pkey_result
[0] = EVP_PKEY_new();
2113 fixed_crypto_pk_get_evp_pkey_result
[1] = EVP_PKEY_new();
2114 ret
= tor_tls_create_certificate(pk1
, pk2
, "hello", "hello2", 1);
2118 UNMOCK(crypto_pk_get_openssl_evp_pkey_
);
2119 crypto_pk_free(pk1
);
2120 crypto_pk_free(pk2
);
2124 test_tortls_cert_new(void *ignored
)
2127 tor_x509_cert_t
*ret
;
2128 X509
*cert
= read_cert_from(validCertString
);
2130 ret
= tor_x509_cert_new(NULL
);
2133 ret
= tor_x509_cert_new(cert
);
2135 tor_x509_cert_free(ret
);
2139 cert
= read_cert_from(validCertString
);
2140 /* XXX this doesn't do what you think: it alters a copy of the pubkey. */
2141 X509_get_pubkey(cert
)->type
= EVP_PKEY_DSA
;
2142 ret
= tor_x509_cert_new(cert
);
2146 #ifndef OPENSSL_OPAQUE
2147 cert
= read_cert_from(validCertString
);
2148 X509_CINF_free(cert
->cert_info
);
2149 cert
->cert_info
= NULL
;
2150 ret
= tor_x509_cert_new(cert
);
2152 #endif /* !defined(OPENSSL_OPAQUE) */
2155 tor_x509_cert_free(ret
);
2159 test_tortls_cert_is_valid(void *ignored
)
2163 tor_x509_cert_t
*cert
= NULL
, *scert
= NULL
;
2165 scert
= tor_malloc_zero(sizeof(tor_x509_cert_t
));
2166 ret
= tor_tls_cert_is_valid(LOG_WARN
, cert
, scert
, time(NULL
), 0);
2167 tt_int_op(ret
, OP_EQ
, 0);
2169 cert
= tor_malloc_zero(sizeof(tor_x509_cert_t
));
2170 ret
= tor_tls_cert_is_valid(LOG_WARN
, cert
, scert
, time(NULL
), 0);
2171 tt_int_op(ret
, OP_EQ
, 0);
2175 cert
= tor_x509_cert_new(read_cert_from(validCertString
));
2176 scert
= tor_x509_cert_new(read_cert_from(caCertString
));
2177 ret
= tor_tls_cert_is_valid(LOG_WARN
, cert
, scert
, time(NULL
), 0);
2178 tt_int_op(ret
, OP_EQ
, 1);
2180 #ifndef OPENSSL_OPAQUE
2181 tor_x509_cert_free(cert
);
2182 tor_x509_cert_free(scert
);
2183 cert
= tor_x509_cert_new(read_cert_from(validCertString
));
2184 scert
= tor_x509_cert_new(read_cert_from(caCertString
));
2185 ASN1_TIME_free(cert
->cert
->cert_info
->validity
->notAfter
);
2186 cert
->cert
->cert_info
->validity
->notAfter
=
2187 ASN1_TIME_set(NULL
, time(NULL
)-1000000);
2188 ret
= tor_tls_cert_is_valid(LOG_WARN
, cert
, scert
, time(NULL
), 0);
2189 tt_int_op(ret
, OP_EQ
, 0);
2191 tor_x509_cert_free(cert
);
2192 tor_x509_cert_free(scert
);
2193 cert
= tor_x509_cert_new(read_cert_from(validCertString
));
2194 scert
= tor_x509_cert_new(read_cert_from(caCertString
));
2195 X509_PUBKEY_free(cert
->cert
->cert_info
->key
);
2196 cert
->cert
->cert_info
->key
= NULL
;
2197 ret
= tor_tls_cert_is_valid(LOG_WARN
, cert
, scert
, time(NULL
), 1);
2198 tt_int_op(ret
, OP_EQ
, 0);
2199 #endif /* !defined(OPENSSL_OPAQUE) */
2202 tor_x509_cert_free(cert
);
2203 tor_x509_cert_free(scert
);
2204 cert
= tor_x509_cert_new(read_cert_from(validCertString
));
2205 scert
= tor_x509_cert_new(read_cert_from(caCertString
));
2206 /* This doesn't actually change the key in the cert. XXXXXX */
2207 BN_one(EVP_PKEY_get1_RSA(X509_get_pubkey(cert
->cert
))->n
);
2208 ret
= tor_tls_cert_is_valid(LOG_WARN
, cert
, scert
, time(NULL
), 1);
2209 tt_int_op(ret
, OP_EQ
, 0);
2211 tor_x509_cert_free(cert
);
2212 tor_x509_cert_free(scert
);
2213 cert
= tor_x509_cert_new(read_cert_from(validCertString
));
2214 scert
= tor_x509_cert_new(read_cert_from(caCertString
));
2215 /* This doesn't actually change the key in the cert. XXXXXX */
2216 X509_get_pubkey(cert
->cert
)->type
= EVP_PKEY_EC
;
2217 ret
= tor_tls_cert_is_valid(LOG_WARN
, cert
, scert
, time(NULL
), 1);
2218 tt_int_op(ret
, OP_EQ
, 0);
2220 tor_x509_cert_free(cert
);
2221 tor_x509_cert_free(scert
);
2222 cert
= tor_x509_cert_new(read_cert_from(validCertString
));
2223 scert
= tor_x509_cert_new(read_cert_from(caCertString
));
2224 /* This doesn't actually change the key in the cert. XXXXXX */
2225 X509_get_pubkey(cert
->cert
)->type
= EVP_PKEY_EC
;
2226 ret
= tor_tls_cert_is_valid(LOG_WARN
, cert
, scert
, time(NULL
), 0);
2227 tt_int_op(ret
, OP_EQ
, 1);
2229 tor_x509_cert_free(cert
);
2230 tor_x509_cert_free(scert
);
2231 cert
= tor_x509_cert_new(read_cert_from(validCertString
));
2232 scert
= tor_x509_cert_new(read_cert_from(caCertString
));
2233 /* This doesn't actually change the key in the cert. XXXXXX */
2234 X509_get_pubkey(cert
->cert
)->type
= EVP_PKEY_EC
;
2235 X509_get_pubkey(cert
->cert
)->ameth
= NULL
;
2236 ret
= tor_tls_cert_is_valid(LOG_WARN
, cert
, scert
, time(NULL
), 0);
2237 tt_int_op(ret
, OP_EQ
, 0);
2241 tor_x509_cert_free(cert
);
2242 tor_x509_cert_free(scert
);
2246 test_tortls_context_init_one(void *ignored
)
2250 tor_tls_context_t
*old
= NULL
;
2252 MOCK(crypto_pk_new
, fixed_crypto_pk_new
);
2254 fixed_crypto_pk_new_result_index
= 0;
2255 fixed_crypto_pk_new_result
[0] = NULL
;
2256 ret
= tor_tls_context_init_one(&old
, NULL
, 0, 0, 0);
2257 tt_int_op(ret
, OP_EQ
, -1);
2260 UNMOCK(crypto_pk_new
);
2263 #define LOCAL_TEST_CASE(name, flags) \
2264 { #name, test_tortls_##name, (flags|TT_FORK), NULL, NULL }
2266 #ifdef OPENSSL_OPAQUE
2267 #define INTRUSIVE_TEST_CASE(name, flags) \
2268 { #name, NULL, TT_SKIP, NULL, NULL }
2270 #define INTRUSIVE_TEST_CASE(name, flags) LOCAL_TEST_CASE(name, flags)
2271 #endif /* defined(OPENSSL_OPAQUE) */
2273 struct testcase_t tortls_openssl_tests
[] = {
2274 LOCAL_TEST_CASE(tor_tls_new
, TT_FORK
),
2275 LOCAL_TEST_CASE(get_state_description
, TT_FORK
),
2276 LOCAL_TEST_CASE(get_by_ssl
, TT_FORK
),
2277 LOCAL_TEST_CASE(allocate_tor_tls_object_ex_data_index
, TT_FORK
),
2278 LOCAL_TEST_CASE(log_one_error
, TT_FORK
),
2279 INTRUSIVE_TEST_CASE(get_error
, TT_FORK
),
2280 LOCAL_TEST_CASE(always_accept_verify_cb
, 0),
2281 INTRUSIVE_TEST_CASE(x509_cert_free
, 0),
2282 LOCAL_TEST_CASE(cert_matches_key
, 0),
2283 INTRUSIVE_TEST_CASE(cert_get_key
, 0),
2284 LOCAL_TEST_CASE(get_my_client_auth_key
, TT_FORK
),
2285 INTRUSIVE_TEST_CASE(get_ciphersuite_name
, 0),
2286 INTRUSIVE_TEST_CASE(classify_client_ciphers
, 0),
2287 LOCAL_TEST_CASE(client_is_using_v2_ciphers
, 0),
2288 INTRUSIVE_TEST_CASE(get_pending_bytes
, 0),
2289 INTRUSIVE_TEST_CASE(SSL_SESSION_get_master_key
, 0),
2290 INTRUSIVE_TEST_CASE(get_tlssecrets
, 0),
2291 INTRUSIVE_TEST_CASE(get_buffer_sizes
, 0),
2292 INTRUSIVE_TEST_CASE(try_to_extract_certs_from_tls
, 0),
2293 INTRUSIVE_TEST_CASE(get_peer_cert
, 0),
2294 INTRUSIVE_TEST_CASE(peer_has_cert
, 0),
2295 INTRUSIVE_TEST_CASE(finish_handshake
, 0),
2296 INTRUSIVE_TEST_CASE(handshake
, 0),
2297 INTRUSIVE_TEST_CASE(write
, 0),
2298 INTRUSIVE_TEST_CASE(read
, 0),
2299 INTRUSIVE_TEST_CASE(server_info_callback
, 0),
2300 LOCAL_TEST_CASE(get_write_overhead_ratio
, TT_FORK
),
2301 LOCAL_TEST_CASE(is_server
, 0),
2302 INTRUSIVE_TEST_CASE(assert_renegotiation_unblocked
, 0),
2303 INTRUSIVE_TEST_CASE(block_renegotiation
, 0),
2304 INTRUSIVE_TEST_CASE(unblock_renegotiation
, 0),
2305 INTRUSIVE_TEST_CASE(set_renegotiate_callback
, 0),
2306 LOCAL_TEST_CASE(set_logged_address
, 0),
2307 INTRUSIVE_TEST_CASE(find_cipher_by_id
, 0),
2308 INTRUSIVE_TEST_CASE(session_secret_cb
, 0),
2309 INTRUSIVE_TEST_CASE(debug_state_callback
, 0),
2310 INTRUSIVE_TEST_CASE(context_new
, TT_FORK
/* redundant */),
2311 LOCAL_TEST_CASE(create_certificate
, 0),
2312 LOCAL_TEST_CASE(cert_new
, 0),
2313 LOCAL_TEST_CASE(cert_is_valid
, 0),
2314 LOCAL_TEST_CASE(context_init_one
, 0),