search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
TOR_VEGAS: Implement Prop#324 TOR_VEGAS.
[tor.git] / src / test / test_tortls_openssl.c
blob010e09c8eb41fd480f30ad0339bf7072fbd366cb
1 /* Copyright (c) 2010-2021, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3
4 #define TORTLS_PRIVATE
5 #define TORTLS_OPENSSL_PRIVATE
6 #define TOR_X509_PRIVATE
7 #define LOG_PRIVATE
8 #include "orconfig.h"
9
10 #ifdef _WIN32
11 #include <winsock2.h>
12 #endif
13 #include <math.h>
14
15 #include "lib/cc/compat_compiler.h"
16
17 /* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
18 * srtp.h. Suppress the GCC warning so we can build with -Wredundant-decl. */
19 DISABLE_GCC_WARNING("-Wredundant-decls")
20
21 #include <openssl/opensslv.h>
22
23 #include <openssl/ssl.h>
24 #include <openssl/ssl3.h>
25 #include <openssl/err.h>
26 #include <openssl/asn1t.h>
27 #include <openssl/x509.h>
28 #include <openssl/rsa.h>
29 #include <openssl/evp.h>
30 #include <openssl/bn.h>
31
32 ENABLE_GCC_WARNING("-Wredundant-decls")
33
34 #include "core/or/or.h"
35 #include "lib/log/log.h"
36 #include "app/config/config.h"
37 #include "lib/crypt_ops/compat_openssl.h"
38 #include "lib/tls/x509.h"
39 #include "lib/tls/x509_internal.h"
40 #include "lib/tls/tortls.h"
41 #include "lib/tls/tortls_st.h"
42 #include "lib/tls/tortls_internal.h"
43 #include "app/config/or_state_st.h"
44
45 #include "test/test.h"
46 #include "test/log_test_helpers.h"
47 #include "test/test_tortls.h"
48
49 #ifndef HAVE_SSL_STATE
50 #define OPENSSL_OPAQUE
51 #endif
52
53 #if defined(OPENSSL_OPAQUE) && !defined(LIBRESSL_VERSION_NUMBER)
54 #define SSL_STATE_STR "before SSL initialization"
55 #else
56 #define SSL_STATE_STR "before/accept initialization"
57 #endif
58
59 #ifndef OPENSSL_OPAQUE
60 static SSL_METHOD *
61 give_me_a_test_method(void)
62 {
63 SSL_METHOD *method = tor_malloc_zero(sizeof(SSL_METHOD));
64 memcpy(method, TLSv1_method(), sizeof(SSL_METHOD));
65 return method;
66 }
67
68 static int
69 fake_num_ciphers(void)
70 {
71 return 0;
72 }
73 #endif /* !defined(OPENSSL_OPAQUE) */
74
75 static int
76 mock_tls_cert_matches_key(const tor_tls_t *tls, const tor_x509_cert_t *cert)
77 {
78 (void) tls;
79 (void) cert; // XXXX look at this.
80 return 1;
81 }
82
83 static void
84 test_tortls_tor_tls_new(void *data)
85 {
86 (void) data;
87 MOCK(tor_tls_cert_matches_key, mock_tls_cert_matches_key);
88 crypto_pk_t *key1 = NULL, *key2 = NULL;
89 SSL_METHOD *method = NULL;
90
91 key1 = pk_generate(2);
92 key2 = pk_generate(3);
93
94 tor_tls_t *tls = NULL;
95 tt_int_op(tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER,
96 key1, key2, 86400), OP_EQ, 0);
97 tls = tor_tls_new(-1, 0);
98 tt_want(tls);
99 tor_tls_free(tls); tls = NULL;
100
101 SSL_CTX_free(client_tls_context->ctx);
102 client_tls_context->ctx = NULL;
103 tls = tor_tls_new(-1, 0);
104 tt_ptr_op(tls, OP_EQ, NULL);
105
106 #ifndef OPENSSL_OPAQUE
107 method = give_me_a_test_method();
108 SSL_CTX *ctx = SSL_CTX_new(method);
109 method->num_ciphers = fake_num_ciphers;
110 client_tls_context->ctx = ctx;
111 tls = tor_tls_new(-1, 0);
112 tt_ptr_op(tls, OP_EQ, NULL);
113 #endif /* !defined(OPENSSL_OPAQUE) */
114
115 done:
116 UNMOCK(tor_tls_cert_matches_key);
117 crypto_pk_free(key1);
118 crypto_pk_free(key2);
119 tor_tls_free(tls);
120 tor_free(method);
121 tor_tls_free_all();
122 }
123
124 static void
125 library_init(void)
126 {
127 #ifdef OPENSSL_1_1_API
128 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
129 #else
130 SSL_library_init();
131 SSL_load_error_strings();
132 #endif /* defined(OPENSSL_1_1_API) */
133 }
134
135 static void
136 test_tortls_get_state_description(void *ignored)
137 {
138 (void)ignored;
139 tor_tls_t *tls;
140 char *buf;
141 SSL_CTX *ctx;
142
143 library_init();
144 ctx = SSL_CTX_new(SSLv23_method());
145
146 buf = tor_malloc_zero(1000);
147 tls = tor_malloc_zero(sizeof(tor_tls_t));
148
149 tor_tls_get_state_description(NULL, buf, 20);
150 tt_str_op(buf, OP_EQ, "(No SSL object)");
151
152 SSL_free(tls->ssl);
153 tls->ssl = NULL;
154 tor_tls_get_state_description(tls, buf, 20);
155 tt_str_op(buf, OP_EQ, "(No SSL object)");
156
157 tls->ssl = SSL_new(ctx);
158 tor_tls_get_state_description(tls, buf, 200);
159 tt_str_op(buf, OP_EQ, SSL_STATE_STR " in HANDSHAKE");
160
161 tls->state = TOR_TLS_ST_OPEN;
162 tor_tls_get_state_description(tls, buf, 200);
163 tt_str_op(buf, OP_EQ, SSL_STATE_STR " in OPEN");
164
165 tls->state = TOR_TLS_ST_GOTCLOSE;
166 tor_tls_get_state_description(tls, buf, 200);
167 tt_str_op(buf, OP_EQ, SSL_STATE_STR " in GOTCLOSE");
168
169 tls->state = TOR_TLS_ST_SENTCLOSE;
170 tor_tls_get_state_description(tls, buf, 200);
171 tt_str_op(buf, OP_EQ, SSL_STATE_STR " in SENTCLOSE");
172
173 tls->state = TOR_TLS_ST_CLOSED;
174 tor_tls_get_state_description(tls, buf, 200);
175 tt_str_op(buf, OP_EQ, SSL_STATE_STR " in CLOSED");
176
177 tls->state = TOR_TLS_ST_RENEGOTIATE;
178 tor_tls_get_state_description(tls, buf, 200);
179 tt_str_op(buf, OP_EQ, SSL_STATE_STR " in RENEGOTIATE");
180
181 tls->state = TOR_TLS_ST_BUFFEREVENT;
182 tor_tls_get_state_description(tls, buf, 200);
183 tt_str_op(buf, OP_EQ, SSL_STATE_STR);
184
185 tls->state = 7;
186 tor_tls_get_state_description(tls, buf, 200);
187 tt_str_op(buf, OP_EQ, SSL_STATE_STR " in unknown TLS state");
188
189 done:
190 SSL_CTX_free(ctx);
191 SSL_free(tls->ssl);
192 tor_free(buf);
193 tor_free(tls);
194 }
195
196 static void
197 test_tortls_get_by_ssl(void *ignored)
198 {
199 (void)ignored;
200 tor_tls_t *tls;
201 tor_tls_t *res;
202 SSL_CTX *ctx;
203 SSL *ssl;
204
205 library_init();
206 tor_tls_allocate_tor_tls_object_ex_data_index();
207
208 ctx = SSL_CTX_new(SSLv23_method());
209 tls = tor_malloc_zero(sizeof(tor_tls_t));
210 tls->magic = TOR_TLS_MAGIC;
211
212 ssl = SSL_new(ctx);
213
214 res = tor_tls_get_by_ssl(ssl);
215 tt_assert(!res);
216
217 SSL_set_ex_data(ssl, tor_tls_object_ex_data_index, tls);
218
219 res = tor_tls_get_by_ssl(ssl);
220 tt_assert(res == tls);
221
222 done:
223 SSL_free(ssl);
224 SSL_CTX_free(ctx);
225 tor_free(tls);
226 }
227
228 static void
229 test_tortls_allocate_tor_tls_object_ex_data_index(void *ignored)
230 {
231 (void)ignored;
232 int first;
233
234 tor_tls_allocate_tor_tls_object_ex_data_index();
235
236 first = tor_tls_object_ex_data_index;
237 tor_tls_allocate_tor_tls_object_ex_data_index();
238 tt_int_op(first, OP_EQ, tor_tls_object_ex_data_index);
239
240 done:
241 (void)0;
242 }
243
244 static void
245 test_tortls_log_one_error(void *ignored)
246 {
247 (void)ignored;
248 tor_tls_t *tls;
249 SSL_CTX *ctx;
250 SSL *ssl = NULL;
251
252 library_init();
253
254 ctx = SSL_CTX_new(SSLv23_method());
255 tls = tor_malloc_zero(sizeof(tor_tls_t));
256 setup_capture_of_logs(LOG_INFO);
257
258 tor_tls_log_one_error(NULL, 0, LOG_WARN, 0, "something");
259 expect_log_msg("TLS error while something: "
260 "(null) (in (null):(null):---)\n");
261
262 mock_clean_saved_logs();
263 tor_tls_log_one_error(tls, 0, LOG_WARN, 0, NULL);
264 expect_log_msg("TLS error: (null) "
265 "(in (null):(null):---)\n");
266
267 mock_clean_saved_logs();
268 tls->address = tor_strdup("127.hello");
269 tor_tls_log_one_error(tls, 0, LOG_WARN, 0, NULL);
270 expect_log_msg("TLS error with 127.hello: "
271 "(null) (in (null):(null):---)\n");
272 tor_free(tls->address);
273
274 mock_clean_saved_logs();
275 tls->address = tor_strdup("127.hello");
276 tor_tls_log_one_error(tls, 0, LOG_WARN, 0, "blarg");
277 expect_log_msg("TLS error while blarg with "
278 "127.hello: (null) (in (null):(null):---)\n");
279
280 mock_clean_saved_logs();
281 tor_tls_log_one_error(tls, ERR_PACK(1, 2, 3), LOG_WARN, 0, NULL);
282 expect_log_msg_containing("TLS error with 127.hello");
283
284 mock_clean_saved_logs();
285 tor_tls_log_one_error(tls, ERR_PACK(1, 2, SSL_R_HTTP_REQUEST),
286 LOG_WARN, 0, NULL);
287 expect_log_severity(LOG_INFO);
288
289 mock_clean_saved_logs();
290 tor_tls_log_one_error(tls, ERR_PACK(1, 2, SSL_R_HTTPS_PROXY_REQUEST),
291 LOG_WARN, 0, NULL);
292 expect_log_severity(LOG_INFO);
293
294 mock_clean_saved_logs();
295 tor_tls_log_one_error(tls, ERR_PACK(1, 2, SSL_R_RECORD_LENGTH_MISMATCH),
296 LOG_WARN, 0, NULL);
297 expect_log_severity(LOG_INFO);
298
299 #ifndef OPENSSL_1_1_API
300 mock_clean_saved_logs();
301 tor_tls_log_one_error(tls, ERR_PACK(1, 2, SSL_R_RECORD_TOO_LARGE),
302 LOG_WARN, 0, NULL);
303 expect_log_severity(LOG_INFO);
304 #endif /* !defined(OPENSSL_1_1_API) */
305
306 mock_clean_saved_logs();
307 tor_tls_log_one_error(tls, ERR_PACK(1, 2, SSL_R_UNKNOWN_PROTOCOL),
308 LOG_WARN, 0, NULL);
309 expect_log_severity(LOG_INFO);
310
311 mock_clean_saved_logs();
312 tor_tls_log_one_error(tls, ERR_PACK(1, 2, SSL_R_UNSUPPORTED_PROTOCOL),
313 LOG_WARN, 0, NULL);
314 expect_log_severity(LOG_INFO);
315
316 tls->ssl = SSL_new(ctx);
317
318 mock_clean_saved_logs();
319 tor_tls_log_one_error(tls, 0, LOG_WARN, 0, NULL);
320 expect_log_msg("TLS error with 127.hello: (null)"
321 " (in (null):(null):" SSL_STATE_STR ")\n");
322
323 done:
324 teardown_capture_of_logs();
325 SSL_free(ssl);
326 SSL_CTX_free(ctx);
327 if (tls && tls->ssl)
328 SSL_free(tls->ssl);
329 if (tls)
330 tor_free(tls->address);
331 tor_free(tls);
332 }
333
334 #ifndef OPENSSL_OPAQUE
335 static void
336 test_tortls_get_error(void *ignored)
337 {
338 (void)ignored;
339 tor_tls_t *tls;
340 int ret;
341 SSL_CTX *ctx;
342
343 library_init();
344
345 ctx = SSL_CTX_new(SSLv23_method());
346 setup_capture_of_logs(LOG_INFO);
347 tls = tor_malloc_zero(sizeof(tor_tls_t));
348 tls->ssl = SSL_new(ctx);
349 SSL_set_bio(tls->ssl, BIO_new(BIO_s_mem()), NULL);
350
351 ret = tor_tls_get_error(tls, 0, 0, "something", LOG_WARN, 0);
352 tt_int_op(ret, OP_EQ, TOR_TLS_ERROR_IO);
353 expect_log_msg("TLS error: unexpected close while"
354 " something (before/accept initialization)\n");
355
356 mock_clean_saved_logs();
357 ret = tor_tls_get_error(tls, 2, 0, "something", LOG_WARN, 0);
358 tt_int_op(ret, OP_EQ, 0);
359 expect_no_log_entry();
360
361 mock_clean_saved_logs();
362 ret = tor_tls_get_error(tls, 0, 1, "something", LOG_WARN, 0);
363 tt_int_op(ret, OP_EQ, -11);
364 expect_no_log_entry();
365
366 mock_clean_saved_logs();
367 ERR_clear_error();
368 ERR_put_error(ERR_LIB_BN, 2, -1, "somewhere.c", 99);
369 ret = tor_tls_get_error(tls, 0, 0, "something", LOG_WARN, 0);
370 tt_int_op(ret, OP_EQ, TOR_TLS_ERROR_MISC);
371 expect_log_msg("TLS error while something: (null)"
372 " (in bignum routines:(null):before/accept initialization)\n");
373
374 mock_clean_saved_logs();
375 ERR_clear_error();
376 tls->ssl->rwstate = SSL_READING;
377 SSL_get_rbio(tls->ssl)->flags = BIO_FLAGS_READ;
378 ret = tor_tls_get_error(tls, -1, 0, "something", LOG_WARN, 0);
379 tt_int_op(ret, OP_EQ, TOR_TLS_WANTREAD);
380 expect_no_log_entry();
381
382 mock_clean_saved_logs();
383 ERR_clear_error();
384 tls->ssl->rwstate = SSL_READING;
385 SSL_get_rbio(tls->ssl)->flags = BIO_FLAGS_WRITE;
386 ret = tor_tls_get_error(tls, -1, 0, "something", LOG_WARN, 0);
387 tt_int_op(ret, OP_EQ, TOR_TLS_WANTWRITE);
388 expect_no_log_entry();
389
390 mock_clean_saved_logs();
391 ERR_clear_error();
392 tls->ssl->rwstate = 0;
393 tls->ssl->shutdown = SSL_RECEIVED_SHUTDOWN;
394 tls->ssl->s3->warn_alert =SSL_AD_CLOSE_NOTIFY;
395 ret = tor_tls_get_error(tls, 0, 0, "something", LOG_WARN, 0);
396 tt_int_op(ret, OP_EQ, TOR_TLS_CLOSE);
397 expect_log_entry();
398
399 mock_clean_saved_logs();
400 ret = tor_tls_get_error(tls, 0, 2, "something", LOG_WARN, 0);
401 tt_int_op(ret, OP_EQ, -10);
402 expect_no_log_entry();
403
404 mock_clean_saved_logs();
405 ERR_put_error(ERR_LIB_SYS, 2, -1, "somewhere.c", 99);
406 ret = tor_tls_get_error(tls, -1, 0, "something", LOG_WARN, 0);
407 tt_int_op(ret, OP_EQ, -9);
408 expect_log_msg("TLS error while something: (null) (in system library:"
409 "connect:before/accept initialization)\n");
410
411 done:
412 teardown_capture_of_logs();
413 SSL_free(tls->ssl);
414 tor_free(tls);
415 SSL_CTX_free(ctx);
416 }
417 #endif /* !defined(OPENSSL_OPAQUE) */
418
419 static void
420 test_tortls_always_accept_verify_cb(void *ignored)
421 {
422 (void)ignored;
423 int ret;
424
425 ret = always_accept_verify_cb(0, NULL);
426 tt_int_op(ret, OP_EQ, 1);
427
428 done:
429 (void)0;
430 }
431
432 #ifndef OPENSSL_OPAQUE
433 static void
434 test_tortls_x509_cert_free(void *ignored)
435 {
436 (void)ignored;
437 tor_x509_cert_t *cert;
438
439 cert = tor_malloc_zero(sizeof(tor_x509_cert_t));
440 tor_x509_cert_free(cert);
441
442 cert = tor_malloc_zero(sizeof(tor_x509_cert_t));
443 cert->cert = X509_new();
444 cert->encoded = tor_malloc_zero(1);
445 tor_x509_cert_free(cert);
446 }
447 #endif /* !defined(OPENSSL_OPAQUE) */
448
449 #ifndef OPENSSL_OPAQUE
450 /*
451 * Use only for the matching fake_x509_free() call
452 */
453 static X509 *
454 fake_x509_malloc(void)
455 {
456 return tor_malloc_zero(sizeof(X509));
457 }
458
459 static void
460 fake_x509_free(X509 *cert)
461 {
462 if (cert) {
463 if (cert->cert_info) {
464 if (cert->cert_info->key) {
465 if (cert->cert_info->key->pkey) {
466 tor_free(cert->cert_info->key->pkey);
467 }
468 tor_free(cert->cert_info->key);
469 }
470 tor_free(cert->cert_info);
471 }
472 tor_free(cert);
473 }
474 }
475 #endif /* !defined(OPENSSL_OPAQUE) */
476
477 #ifndef OPENSSL_OPAQUE
478 static void
479 test_tortls_cert_get_key(void *ignored)
480 {
481 (void)ignored;
482 tor_x509_cert_t *cert = NULL;
483 crypto_pk_t *res = NULL;
484 cert = tor_malloc_zero(sizeof(tor_x509_cert_t));
485 X509 *key = NULL;
486 key = fake_x509_malloc();
487 key->references = 1;
488
489 res = tor_tls_cert_get_key(cert);
490 tt_assert(!res);
491
492 cert->cert = key;
493 key->cert_info = tor_malloc_zero(sizeof(X509_CINF));
494 key->cert_info->key = tor_malloc_zero(sizeof(X509_PUBKEY));
495 key->cert_info->key->pkey = tor_malloc_zero(sizeof(EVP_PKEY));
496 key->cert_info->key->pkey->references = 1;
497 key->cert_info->key->pkey->type = 2;
498 res = tor_tls_cert_get_key(cert);
499 tt_assert(!res);
500
501 done:
502 fake_x509_free(key);
503 tor_free(cert);
504 crypto_pk_free(res);
505 }
506 #endif /* !defined(OPENSSL_OPAQUE) */
507
508 static void
509 test_tortls_get_my_client_auth_key(void *ignored)
510 {
511 (void)ignored;
512 crypto_pk_t *ret;
513 crypto_pk_t *expected;
514 tor_tls_context_t *ctx;
515 RSA *k = RSA_new();
516
517 ctx = tor_malloc_zero(sizeof(tor_tls_context_t));
518 expected = crypto_new_pk_from_openssl_rsa_(k);
519 ctx->auth_key = expected;
520
521 client_tls_context = NULL;
522 ret = tor_tls_get_my_client_auth_key();
523 tt_assert(!ret);
524
525 client_tls_context = ctx;
526 ret = tor_tls_get_my_client_auth_key();
527 tt_assert(ret == expected);
528
529 done:
530 crypto_pk_free(expected);
531 tor_free(ctx);
532 }
533
534 #ifndef HAVE_SSL_GET_CLIENT_CIPHERS
535 static SSL_CIPHER *
536 get_cipher_by_name(const char *name)
537 {
538 int i;
539 const SSL_METHOD *method = SSLv23_method();
540 int num = method->num_ciphers();
541
542 for (i = 0; i < num; ++i) {
543 const SSL_CIPHER *cipher = method->get_cipher(i);
544 const char *ciphername = SSL_CIPHER_get_name(cipher);
545 if (!strcmp(ciphername, name)) {
546 return (SSL_CIPHER *)cipher;
547 }
548 }
549
550 return NULL;
551 }
552 #endif /* !defined(HAVE_SSL_GET_CLIENT_CIPHERS) */
553
554 #ifndef OPENSSL_OPAQUE
555 static void
556 test_tortls_get_ciphersuite_name(void *ignored)
557 {
558 (void)ignored;
559 const char *ret;
560 tor_tls_t *ctx;
561 ctx = tor_malloc_zero(sizeof(tor_tls_t));
562 ctx->ssl = tor_malloc_zero(sizeof(SSL));
563
564 ret = tor_tls_get_ciphersuite_name(ctx);
565 tt_str_op(ret, OP_EQ, "(NONE)");
566
567 done:
568 tor_free(ctx->ssl);
569 tor_free(ctx);
570 }
571
572 static SSL_CIPHER *
573 get_cipher_by_id(uint16_t id)
574 {
575 int i;
576 const SSL_METHOD *method = SSLv23_method();
577 int num = method->num_ciphers();
578 for (i = 0; i < num; ++i) {
579 const SSL_CIPHER *cipher = method->get_cipher(i);
580 if (id == (SSL_CIPHER_get_id(cipher) & 0xffff)) {
581 return (SSL_CIPHER *)cipher;
582 }
583 }
584
585 return NULL;
586 }
587
588 static void
589 test_tortls_classify_client_ciphers(void *ignored)
590 {
591 (void)ignored;
592 int i;
593 int ret;
594 SSL_CTX *ctx;
595 SSL *ssl;
596 tor_tls_t *tls;
597 STACK_OF(SSL_CIPHER) *ciphers;
598 SSL_CIPHER *tmp_cipher;
599
600 library_init();
601
602 tor_tls_allocate_tor_tls_object_ex_data_index();
603
604 tls = tor_malloc_zero(sizeof(tor_tls_t));
605 tls->magic = TOR_TLS_MAGIC;
606
607 ctx = SSL_CTX_new(TLSv1_method());
608 ssl = SSL_new(ctx);
609 tls->ssl = ssl;
610
611 ciphers = sk_SSL_CIPHER_new_null();
612
613 ret = tor_tls_classify_client_ciphers(ssl, NULL);
614 tt_int_op(ret, OP_EQ, -1);
615
616 SSL_set_ex_data(ssl, tor_tls_object_ex_data_index, tls);
617 tls->client_cipher_list_type = 42;
618
619 ret = tor_tls_classify_client_ciphers(ssl, NULL);
620 tt_int_op(ret, OP_EQ, 42);
621
622 tls->client_cipher_list_type = 0;
623 ret = tor_tls_classify_client_ciphers(ssl, ciphers);
624 tt_int_op(ret, OP_EQ, 1);
625 tt_int_op(tls->client_cipher_list_type, OP_EQ, 1);
626
627 tls->client_cipher_list_type = 0;
628 ret = tor_tls_classify_client_ciphers(ssl, SSL_get_ciphers(ssl));
629 tt_int_op(ret, OP_EQ, 3);
630 tt_int_op(tls->client_cipher_list_type, OP_EQ, 3);
631
632 SSL_CIPHER *one = get_cipher_by_name(TLS1_TXT_DHE_RSA_WITH_AES_128_SHA),
633 *two = get_cipher_by_name(TLS1_TXT_DHE_RSA_WITH_AES_256_SHA),
634 *three = get_cipher_by_name(SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA),
635 *four = NULL;
636 sk_SSL_CIPHER_push(ciphers, one);
637 sk_SSL_CIPHER_push(ciphers, two);
638 sk_SSL_CIPHER_push(ciphers, three);
639 sk_SSL_CIPHER_push(ciphers, four);
640
641 tls->client_cipher_list_type = 0;
642 ret = tor_tls_classify_client_ciphers(ssl, ciphers);
643 tt_int_op(ret, OP_EQ, 1);
644 tt_int_op(tls->client_cipher_list_type, OP_EQ, 1);
645
646 sk_SSL_CIPHER_zero(ciphers);
647
648 one = get_cipher_by_name("ECDHE-RSA-AES256-GCM-SHA384");
649 tt_assert(one);
650 one->id = 0x00ff;
651 two = get_cipher_by_name("ECDHE-RSA-AES128-GCM-SHA256");
652 tt_assert(two);
653 two->id = 0x0000;
654 sk_SSL_CIPHER_push(ciphers, one);
655 tls->client_cipher_list_type = 0;
656 ret = tor_tls_classify_client_ciphers(ssl, ciphers);
657 tt_int_op(ret, OP_EQ, 3);
658 tt_int_op(tls->client_cipher_list_type, OP_EQ, 3);
659
660 sk_SSL_CIPHER_push(ciphers, two);
661 tls->client_cipher_list_type = 0;
662 ret = tor_tls_classify_client_ciphers(ssl, ciphers);
663 tt_int_op(ret, OP_EQ, 3);
664 tt_int_op(tls->client_cipher_list_type, OP_EQ, 3);
665
666 one->id = 0xC00A;
667 tls->client_cipher_list_type = 0;
668 ret = tor_tls_classify_client_ciphers(ssl, ciphers);
669 tt_int_op(ret, OP_EQ, 3);
670 tt_int_op(tls->client_cipher_list_type, OP_EQ, 3);
671
672 sk_SSL_CIPHER_zero(ciphers);
673 for (i=0; v2_cipher_list[i]; i++) {
674 tmp_cipher = get_cipher_by_id(v2_cipher_list[i]);
675 tt_assert(tmp_cipher);
676 sk_SSL_CIPHER_push(ciphers, tmp_cipher);
677 }
678 tls->client_cipher_list_type = 0;
679 ret = tor_tls_classify_client_ciphers(ssl, ciphers);
680 tt_int_op(ret, OP_EQ, 2);
681 tt_int_op(tls->client_cipher_list_type, OP_EQ, 2);
682
683 done:
684 sk_SSL_CIPHER_free(ciphers);
685 SSL_free(tls->ssl);
686 tor_free(tls);
687 SSL_CTX_free(ctx);
688 }
689 #endif /* !defined(OPENSSL_OPAQUE) */
690
691 static void
692 test_tortls_client_is_using_v2_ciphers(void *ignored)
693 {
694 (void)ignored;
695
696 #ifdef HAVE_SSL_GET_CLIENT_CIPHERS
697 tt_skip();
698 done:
699 (void)1;
700 #else
701 int ret;
702 SSL_CTX *ctx;
703 SSL *ssl;
704 SSL_SESSION *sess;
705 STACK_OF(SSL_CIPHER) *ciphers;
706
707 library_init();
708
709 ctx = SSL_CTX_new(TLSv1_method());
710 ssl = SSL_new(ctx);
711 sess = SSL_SESSION_new();
712
713 ret = tor_tls_client_is_using_v2_ciphers(ssl);
714 tt_int_op(ret, OP_EQ, -1);
715
716 ssl->session = sess;
717 ret = tor_tls_client_is_using_v2_ciphers(ssl);
718 tt_int_op(ret, OP_EQ, 0);
719
720 ciphers = sk_SSL_CIPHER_new_null();
721 SSL_CIPHER *one = get_cipher_by_name("ECDHE-RSA-AES256-GCM-SHA384");
722 tt_assert(one);
723 one->id = 0x00ff;
724 sk_SSL_CIPHER_push(ciphers, one);
725 sess->ciphers = ciphers;
726 ret = tor_tls_client_is_using_v2_ciphers(ssl);
727 tt_int_op(ret, OP_EQ, 1);
728 done:
729 SSL_free(ssl);
730 SSL_CTX_free(ctx);
731 #endif /* defined(HAVE_SSL_GET_CLIENT_CIPHERS) */
732 }
733
734 #ifndef OPENSSL_OPAQUE
735 static int fixed_ssl_pending_result = 0;
736
737 static int
738 fixed_ssl_pending(const SSL *ignored)
739 {
740 (void)ignored;
741 return fixed_ssl_pending_result;
742 }
743
744 static void
745 test_tortls_get_pending_bytes(void *ignored)
746 {
747 (void)ignored;
748 int ret;
749 tor_tls_t *tls;
750 SSL_METHOD *method;
751
752 tls = tor_malloc_zero(sizeof(tor_tls_t));
753 tls->ssl = tor_malloc_zero(sizeof(SSL));
754 method = tor_malloc_zero(sizeof(SSL_METHOD));
755 method->ssl_pending = fixed_ssl_pending;
756 tls->ssl->method = method;
757
758 fixed_ssl_pending_result = 42;
759 ret = tor_tls_get_pending_bytes(tls);
760 tt_int_op(ret, OP_EQ, 42);
761
762 done:
763 tor_free(method);
764 tor_free(tls->ssl);
765 tor_free(tls);
766 }
767 #endif /* !defined(OPENSSL_OPAQUE) */
768
769 #ifndef OPENSSL_OPAQUE
770 static void
771 test_tortls_SSL_SESSION_get_master_key(void *ignored)
772 {
773 (void)ignored;
774 size_t ret;
775 tor_tls_t *tls;
776 uint8_t *out;
777 out = tor_malloc_zero(1);
778 tls = tor_malloc_zero(sizeof(tor_tls_t));
779 tls->ssl = tor_malloc_zero(sizeof(SSL));
780 tls->ssl->session = tor_malloc_zero(sizeof(SSL_SESSION));
781 tls->ssl->session->master_key_length = 1;
782
783 #ifndef HAVE_SSL_SESSION_GET_MASTER_KEY
784 tls->ssl->session->master_key[0] = 43;
785 ret = SSL_SESSION_get_master_key(tls->ssl->session, out, 0);
786 tt_int_op(ret, OP_EQ, 1);
787 tt_int_op(out[0], OP_EQ, 0);
788
789 ret = SSL_SESSION_get_master_key(tls->ssl->session, out, 1);
790 tt_int_op(ret, OP_EQ, 1);
791 tt_int_op(out[0], OP_EQ, 43);
792
793 done:
794 #endif /* !defined(HAVE_SSL_SESSION_GET_MASTER_KEY) */
795 tor_free(tls->ssl->session);
796 tor_free(tls->ssl);
797 tor_free(tls);
798 tor_free(out);
799 }
800 #endif /* !defined(OPENSSL_OPAQUE) */
801
802 #ifndef OPENSSL_OPAQUE
803 static void
804 test_tortls_get_tlssecrets(void *ignored)
805 {
806 (void)ignored;
807 int ret;
808 uint8_t *secret_out = tor_malloc_zero(DIGEST256_LEN);
809 tor_tls_t *tls;
810 tls = tor_malloc_zero(sizeof(tor_tls_t));
811 tls->ssl = tor_malloc_zero(sizeof(SSL));
812 tls->ssl->session = tor_malloc_zero(sizeof(SSL_SESSION));
813 tls->ssl->session->master_key_length = 1;
814 tls->ssl->s3 = tor_malloc_zero(sizeof(SSL3_STATE));
815
816 ret = tor_tls_get_tlssecrets(tls, secret_out);
817 tt_int_op(ret, OP_EQ, 0);
818
819 done:
820 tor_free(secret_out);
821 tor_free(tls->ssl->s3);
822 tor_free(tls->ssl->session);
823 tor_free(tls->ssl);
824 tor_free(tls);
825 }
826 #endif /* !defined(OPENSSL_OPAQUE) */
827
828 #ifndef OPENSSL_OPAQUE
829 static void
830 test_tortls_get_buffer_sizes(void *ignored)
831 {
832 (void)ignored;
833 int ret;
834 tor_tls_t *tls;
835 size_t rbuf_c=-1, rbuf_b=-1, wbuf_c=-1, wbuf_b=-1;
836
837 tls = tor_malloc_zero(sizeof(tor_tls_t));
838 tls->ssl = tor_malloc_zero(sizeof(SSL));
839 tls->ssl->s3 = tor_malloc_zero(sizeof(SSL3_STATE));
840
841 tls->ssl->s3->rbuf.buf = NULL;
842 tls->ssl->s3->rbuf.len = 1;
843 tls->ssl->s3->rbuf.offset = 0;
844 tls->ssl->s3->rbuf.left = 42;
845
846 tls->ssl->s3->wbuf.buf = NULL;
847 tls->ssl->s3->wbuf.len = 2;
848 tls->ssl->s3->wbuf.offset = 0;
849 tls->ssl->s3->wbuf.left = 43;
850
851 ret = tor_tls_get_buffer_sizes(tls, &rbuf_c, &rbuf_b, &wbuf_c, &wbuf_b);
852 #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
853 tt_int_op(ret, OP_EQ, -1);
854 #else
855 tt_int_op(ret, OP_EQ, 0);
856 tt_int_op(rbuf_c, OP_EQ, 0);
857 tt_int_op(wbuf_c, OP_EQ, 0);
858 tt_int_op(rbuf_b, OP_EQ, 42);
859 tt_int_op(wbuf_b, OP_EQ, 43);
860
861 tls->ssl->s3->rbuf.buf = tor_malloc_zero(1);
862 tls->ssl->s3->wbuf.buf = tor_malloc_zero(1);
863 ret = tor_tls_get_buffer_sizes(tls, &rbuf_c, &rbuf_b, &wbuf_c, &wbuf_b);
864 tt_int_op(ret, OP_EQ, 0);
865 tt_int_op(rbuf_c, OP_EQ, 1);
866 tt_int_op(wbuf_c, OP_EQ, 2);
867
868 #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) */
869
870 done:
871 tor_free(tls->ssl->s3->rbuf.buf);
872 tor_free(tls->ssl->s3->wbuf.buf);
873 tor_free(tls->ssl->s3);
874 tor_free(tls->ssl);
875 tor_free(tls);
876 }
877 #endif /* !defined(OPENSSL_OPAQUE) */
878
879 #ifndef OPENSSL_OPAQUE
880 typedef struct cert_pkey_st_local
881 {
882 X509 *x509;
883 EVP_PKEY *privatekey;
884 const EVP_MD *digest;
885 } CERT_PKEY_local;
886
887 typedef struct sess_cert_st_local
888 {
889 STACK_OF(X509) *cert_chain;
890 int peer_cert_type;
891 CERT_PKEY_local *peer_key;
892 CERT_PKEY_local peer_pkeys[8];
893 int references;
894 } SESS_CERT_local;
895
896 static void
897 test_tortls_try_to_extract_certs_from_tls(void *ignored)
898 {
899 (void)ignored;
900 tor_tls_t *tls;
901 X509 *cert = NULL, *id_cert = NULL, *c1 = NULL, *c2 = NULL;
902 SESS_CERT_local *sess = NULL;
903
904 c1 = read_cert_from(validCertString);
905 c2 = read_cert_from(caCertString);
906
907 tls = tor_malloc_zero(sizeof(tor_tls_t));
908 tls->ssl = tor_malloc_zero(sizeof(SSL));
909 tls->ssl->session = tor_malloc_zero(sizeof(SSL_SESSION));
910 sess = tor_malloc_zero(sizeof(SESS_CERT_local));
911 tls->ssl->session->sess_cert = (void *)sess;
912
913 try_to_extract_certs_from_tls(LOG_WARN, tls, &cert, &id_cert);
914 tt_assert(!cert);
915 tt_assert(!id_cert);
916
917 tls->ssl->session->peer = c1;
918 try_to_extract_certs_from_tls(LOG_WARN, tls, &cert, &id_cert);
919 tt_assert(cert == c1);
920 tt_assert(!id_cert);
921 X509_free(cert); /* decrease refcnt */
922
923 sess->cert_chain = sk_X509_new_null();
924 try_to_extract_certs_from_tls(LOG_WARN, tls, &cert, &id_cert);
925 tt_assert(cert == c1);
926 tt_assert(!id_cert);
927 X509_free(cert); /* decrease refcnt */
928
929 sk_X509_push(sess->cert_chain, c1);
930 sk_X509_push(sess->cert_chain, c2);
931
932 try_to_extract_certs_from_tls(LOG_WARN, tls, &cert, &id_cert);
933 tt_assert(cert == c1);
934 tt_assert(id_cert);
935 X509_free(cert); /* decrease refcnt */
936 X509_free(id_cert); /* decrease refcnt */
937
938 done:
939 sk_X509_free(sess->cert_chain);
940 tor_free(sess);
941 tor_free(tls->ssl->session);
942 tor_free(tls->ssl);
943 tor_free(tls);
944 X509_free(c1);
945 X509_free(c2);
946 }
947 #endif /* !defined(OPENSSL_OPAQUE) */
948
949 #ifndef OPENSSL_OPAQUE
950 static void
951 test_tortls_get_peer_cert(void *ignored)
952 {
953 (void)ignored;
954 tor_x509_cert_t *ret;
955 tor_tls_t *tls;
956 X509 *cert = NULL;
957
958 cert = read_cert_from(validCertString);
959
960 tls = tor_malloc_zero(sizeof(tor_tls_t));
961 tls->ssl = tor_malloc_zero(sizeof(SSL));
962 tls->ssl->session = tor_malloc_zero(sizeof(SSL_SESSION));
963
964 ret = tor_tls_get_peer_cert(tls);
965 tt_assert(!ret);
966
967 tls->ssl->session->peer = cert;
968 ret = tor_tls_get_peer_cert(tls);
969 tt_assert(ret);
970 tt_assert(ret->cert == cert);
971
972 done:
973 tor_x509_cert_free(ret);
974 tor_free(tls->ssl->session);
975 tor_free(tls->ssl);
976 tor_free(tls);
977 X509_free(cert);
978 }
979 #endif /* !defined(OPENSSL_OPAQUE) */
980
981 #ifndef OPENSSL_OPAQUE
982 static void
983 test_tortls_peer_has_cert(void *ignored)
984 {
985 (void)ignored;
986 int ret;
987 tor_tls_t *tls;
988 X509 *cert = NULL;
989
990 cert = read_cert_from(validCertString);
991
992 tls = tor_malloc_zero(sizeof(tor_tls_t));
993 tls->ssl = tor_malloc_zero(sizeof(SSL));
994 tls->ssl->session = tor_malloc_zero(sizeof(SSL_SESSION));
995
996 ret = tor_tls_peer_has_cert(tls);
997 tt_assert(!ret);
998
999 tls->ssl->session->peer = cert;
1000 ret = tor_tls_peer_has_cert(tls);
1001 tt_assert(ret);
1002
1003 done:
1004 tor_free(tls->ssl->session);
1005 tor_free(tls->ssl);
1006 tor_free(tls);
1007 X509_free(cert);
1008 }
1009 #endif /* !defined(OPENSSL_OPAQUE) */
1010
1011 static void
1012 test_tortls_get_write_overhead_ratio(void *ignored)
1013 {
1014 (void)ignored;
1015 double ret;
1016
1017 total_bytes_written_over_tls = 0;
1018 ret = tls_get_write_overhead_ratio();
1019 tt_double_op(fabs(ret - 1.0), OP_LT, 1E-12);
1020
1021 total_bytes_written_by_tls = 10;
1022 total_bytes_written_over_tls = 1;
1023 ret = tls_get_write_overhead_ratio();
1024 tt_double_op(fabs(ret - 10.0), OP_LT, 1E-12);
1025
1026 total_bytes_written_by_tls = 10;
1027 total_bytes_written_over_tls = 2;
1028 ret = tls_get_write_overhead_ratio();
1029 tt_double_op(fabs(ret - 5.0), OP_LT, 1E-12);
1030
1031 done:
1032 (void)0;
1033 }
1034
1035 static void
1036 test_tortls_is_server(void *ignored)
1037 {
1038 (void)ignored;
1039 tor_tls_t *tls;
1040 int ret;
1041
1042 tls = tor_malloc_zero(sizeof(tor_tls_t));
1043 tls->isServer = 1;
1044 ret = tor_tls_is_server(tls);
1045 tt_int_op(ret, OP_EQ, 1);
1046
1047 done:
1048 tor_free(tls);
1049 }
1050
1051 #ifndef OPENSSL_OPAQUE
1052 static void
1053 test_tortls_session_secret_cb(void *ignored)
1054 {
1055 (void)ignored;
1056 tor_tls_t *tls;
1057 SSL_CTX *ctx;
1058 STACK_OF(SSL_CIPHER) *ciphers = NULL;
1059 SSL_CIPHER *one;
1060
1061 library_init();
1062
1063 tor_tls_allocate_tor_tls_object_ex_data_index();
1064
1065 tls = tor_malloc_zero(sizeof(tor_tls_t));
1066
1067 tls->magic = TOR_TLS_MAGIC;
1068
1069 ctx = SSL_CTX_new(TLSv1_method());
1070 tls->ssl = SSL_new(ctx);
1071 SSL_set_ex_data(tls->ssl, tor_tls_object_ex_data_index, tls);
1072
1073 SSL_set_session_secret_cb(tls->ssl, tor_tls_session_secret_cb, NULL);
1074
1075 tor_tls_session_secret_cb(tls->ssl, NULL, NULL, NULL, NULL, NULL);
1076 tt_assert(!tls->ssl->tls_session_secret_cb);
1077
1078 one = get_cipher_by_name("ECDHE-RSA-AES256-GCM-SHA384");
1079 one->id = 0x00ff;
1080 ciphers = sk_SSL_CIPHER_new_null();
1081 sk_SSL_CIPHER_push(ciphers, one);
1082
1083 tls->client_cipher_list_type = 0;
1084 tor_tls_session_secret_cb(tls->ssl, NULL, NULL, ciphers, NULL, NULL);
1085 tt_assert(!tls->ssl->tls_session_secret_cb);
1086
1087 done:
1088 sk_SSL_CIPHER_free(ciphers);
1089 SSL_free(tls->ssl);
1090 SSL_CTX_free(ctx);
1091 tor_free(tls);
1092 }
1093 #endif /* !defined(OPENSSL_OPAQUE) */
1094
1095 #ifndef OPENSSL_OPAQUE
1096 /* TODO: It seems block_renegotiation and unblock_renegotiation and
1097 * using different blags. This might not be correct */
1098 static void
1099 test_tortls_block_renegotiation(void *ignored)
1100 {
1101 (void)ignored;
1102 tor_tls_t *tls;
1103
1104 tls = tor_malloc_zero(sizeof(tor_tls_t));
1105 tls->ssl = tor_malloc_zero(sizeof(SSL));
1106 tls->ssl->s3 = tor_malloc_zero(sizeof(SSL3_STATE));
1107 #ifndef SUPPORT_UNSAFE_RENEGOTIATION_FLAG
1108 #define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0
1109 #endif
1110
1111 tls->ssl->s3->flags = SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
1112
1113 tor_tls_block_renegotiation(tls);
1114
1115 #ifndef OPENSSL_1_1_API
1116 tt_assert(!(tls->ssl->s3->flags &
1117 SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
1118 #endif
1119
1120 done:
1121 tor_free(tls->ssl->s3);
1122 tor_free(tls->ssl);
1123 tor_free(tls);
1124 }
1125
1126 static void
1127 test_tortls_unblock_renegotiation(void *ignored)
1128 {
1129 (void)ignored;
1130 tor_tls_t *tls;
1131
1132 tls = tor_malloc_zero(sizeof(tor_tls_t));
1133 tls->ssl = tor_malloc_zero(sizeof(SSL));
1134 tor_tls_unblock_renegotiation(tls);
1135
1136 tt_uint_op(SSL_get_options(tls->ssl) &
1137 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, OP_EQ,
1138 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
1139
1140 done:
1141 tor_free(tls->ssl);
1142 tor_free(tls);
1143 }
1144 #endif /* !defined(OPENSSL_OPAQUE) */
1145
1146 static void
1147 test_tortls_set_logged_address(void *ignored)
1148 {
1149 (void)ignored;
1150 tor_tls_t *tls;
1151
1152 tls = tor_malloc_zero(sizeof(tor_tls_t));
1153
1154 tor_tls_set_logged_address(tls, "foo bar");
1155
1156 tt_str_op(tls->address, OP_EQ, "foo bar");
1157
1158 tor_tls_set_logged_address(tls, "foo bar 2");
1159 tt_str_op(tls->address, OP_EQ, "foo bar 2");
1160
1161 done:
1162 tor_free(tls->address);
1163 tor_free(tls);
1164 }
1165
1166 #ifndef OPENSSL_OPAQUE
1167 static void
1168 example_cb(tor_tls_t *t, void *arg)
1169 {
1170 (void)t;
1171 (void)arg;
1172 }
1173
1174 static void
1175 test_tortls_set_renegotiate_callback(void *ignored)
1176 {
1177 (void)ignored;
1178 tor_tls_t *tls;
1179 const char *arg = "hello";
1180
1181 tls = tor_malloc_zero(sizeof(tor_tls_t));
1182 tls->ssl = tor_malloc_zero(sizeof(SSL));
1183
1184 tor_tls_set_renegotiate_callback(tls, example_cb, (void*)arg);
1185 tt_assert(tls->negotiated_callback == example_cb);
1186 tt_assert(tls->callback_arg == arg);
1187 tt_assert(!tls->got_renegotiate);
1188
1189 /* Assumes V2_HANDSHAKE_SERVER */
1190 tt_assert(tls->ssl->info_callback == tor_tls_server_info_callback);
1191
1192 tor_tls_set_renegotiate_callback(tls, NULL, (void*)arg);
1193 tt_assert(tls->ssl->info_callback == tor_tls_debug_state_callback);
1194
1195 done:
1196 tor_free(tls->ssl);
1197 tor_free(tls);
1198 }
1199 #endif /* !defined(OPENSSL_OPAQUE) */
1200
1201 #ifndef OPENSSL_OPAQUE
1202 static SSL_CIPHER *fixed_cipher1 = NULL;
1203 static SSL_CIPHER *fixed_cipher2 = NULL;
1204 static const SSL_CIPHER *
1205 fake_get_cipher(unsigned ncipher)
1206 {
1207
1208 switch (ncipher) {
1209 case 1:
1210 return fixed_cipher1;
1211 case 2:
1212 return fixed_cipher2;
1213 default:
1214 return NULL;
1215 }
1216 }
1217 #endif /* !defined(OPENSSL_OPAQUE) */
1218
1219 #ifndef OPENSSL_OPAQUE
1220 static void
1221 test_tortls_find_cipher_by_id(void *ignored)
1222 {
1223 (void)ignored;
1224 int ret;
1225 SSL *ssl;
1226 SSL_CTX *ctx;
1227 const SSL_METHOD *m = TLSv1_method();
1228 SSL_METHOD *empty_method = tor_malloc_zero(sizeof(SSL_METHOD));
1229
1230 fixed_cipher1 = tor_malloc_zero(sizeof(SSL_CIPHER));
1231 fixed_cipher2 = tor_malloc_zero(sizeof(SSL_CIPHER));
1232 fixed_cipher2->id = 0xC00A;
1233
1234 library_init();
1235
1236 ctx = SSL_CTX_new(m);
1237 ssl = SSL_new(ctx);
1238
1239 ret = find_cipher_by_id(ssl, NULL, 0xC00A);
1240 tt_int_op(ret, OP_EQ, 1);
1241
1242 ret = find_cipher_by_id(ssl, m, 0xC00A);
1243 tt_int_op(ret, OP_EQ, 1);
1244
1245 ret = find_cipher_by_id(ssl, m, 0xFFFF);
1246 tt_int_op(ret, OP_EQ, 0);
1247
1248 ret = find_cipher_by_id(ssl, empty_method, 0xC00A);
1249 tt_int_op(ret, OP_EQ, 1);
1250
1251 ret = find_cipher_by_id(ssl, empty_method, 0xFFFF);
1252 #ifdef HAVE_SSL_CIPHER_FIND
1253 tt_int_op(ret, OP_EQ, 0);
1254 #else
1255 tt_int_op(ret, OP_EQ, 1);
1256 #endif
1257
1258 empty_method->get_cipher = fake_get_cipher;
1259 ret = find_cipher_by_id(ssl, empty_method, 0xC00A);
1260 tt_int_op(ret, OP_EQ, 1);
1261
1262 empty_method->get_cipher = m->get_cipher;
1263 empty_method->num_ciphers = m->num_ciphers;
1264 ret = find_cipher_by_id(ssl, empty_method, 0xC00A);
1265 tt_int_op(ret, OP_EQ, 1);
1266
1267 empty_method->get_cipher = fake_get_cipher;
1268 empty_method->num_ciphers = m->num_ciphers;
1269 ret = find_cipher_by_id(ssl, empty_method, 0xC00A);
1270 tt_int_op(ret, OP_EQ, 1);
1271
1272 empty_method->num_ciphers = fake_num_ciphers;
1273 ret = find_cipher_by_id(ssl, empty_method, 0xC00A);
1274 #ifdef HAVE_SSL_CIPHER_FIND
1275 tt_int_op(ret, OP_EQ, 1);
1276 #else
1277 tt_int_op(ret, OP_EQ, 0);
1278 #endif
1279
1280 done:
1281 tor_free(empty_method);
1282 SSL_free(ssl);
1283 SSL_CTX_free(ctx);
1284 tor_free(fixed_cipher1);
1285 }
1286 #endif /* !defined(OPENSSL_OPAQUE) */
1287
1288 #ifndef OPENSSL_OPAQUE
1289 static void
1290 test_tortls_debug_state_callback(void *ignored)
1291 {
1292 (void)ignored;
1293 SSL *ssl;
1294 char *buf = tor_malloc_zero(1000);
1295 int n;
1296
1297 setup_capture_of_logs(LOG_DEBUG);
1298
1299 ssl = tor_malloc_zero(sizeof(SSL));
1300
1301 tor_tls_debug_state_callback(ssl, 32, 45);
1302
1303 n = tor_snprintf(buf, 1000, "SSL %p is now in state unknown"
1304 " state [type=32,val=45].\n", ssl);
1305 /* tor's snprintf returns -1 on error */
1306 tt_int_op(n, OP_NE, -1);
1307 expect_log_msg(buf);
1308
1309 done:
1310 teardown_capture_of_logs();
1311 tor_free(buf);
1312 tor_free(ssl);
1313 }
1314 #endif /* !defined(OPENSSL_OPAQUE) */
1315
1316 #ifndef OPENSSL_OPAQUE
1317 static void
1318 test_tortls_server_info_callback(void *ignored)
1319 {
1320 (void)ignored;
1321 tor_tls_t *tls;
1322 SSL_CTX *ctx;
1323 SSL *ssl;
1324
1325 library_init();
1326
1327 ctx = SSL_CTX_new(TLSv1_method());
1328 ssl = SSL_new(ctx);
1329
1330 tor_tls_allocate_tor_tls_object_ex_data_index();
1331
1332 tls = tor_malloc_zero(sizeof(tor_tls_t));
1333 tls->magic = TOR_TLS_MAGIC;
1334 tls->ssl = ssl;
1335
1336 setup_full_capture_of_logs(LOG_WARN);
1337 SSL_set_state(ssl, SSL3_ST_SW_SRVR_HELLO_A);
1338 mock_clean_saved_logs();
1339 tor_tls_server_info_callback(ssl, SSL_CB_ACCEPT_LOOP, 0);
1340 expect_single_log_msg("Couldn't look up the tls for an SSL*. How odd!\n");
1341
1342 SSL_set_state(ssl, SSL3_ST_SW_SRVR_HELLO_B);
1343 mock_clean_saved_logs();
1344 tor_tls_server_info_callback(ssl, SSL_CB_ACCEPT_LOOP, 0);
1345 expect_single_log_msg("Couldn't look up the tls for an SSL*. How odd!\n");
1346
1347 SSL_set_state(ssl, 99);
1348 mock_clean_saved_logs();
1349 tor_tls_server_info_callback(ssl, SSL_CB_ACCEPT_LOOP, 0);
1350 expect_no_log_entry();
1351 teardown_capture_of_logs();
1352
1353 SSL_set_ex_data(tls->ssl, tor_tls_object_ex_data_index, tls);
1354 SSL_set_state(ssl, SSL3_ST_SW_SRVR_HELLO_B);
1355 tls->negotiated_callback = 0;
1356 //tls->server_handshake_count = 120;
1357 tor_tls_server_info_callback(ssl, SSL_CB_ACCEPT_LOOP, 0);
1358 //tt_int_op(tls->server_handshake_count, OP_EQ, 121);
1359
1360 //tls->server_handshake_count = 127;
1361 tls->negotiated_callback = (void *)1;
1362 tor_tls_server_info_callback(ssl, SSL_CB_ACCEPT_LOOP, 0);
1363 //tt_int_op(tls->server_handshake_count, OP_EQ, 127);
1364 tt_int_op(tls->got_renegotiate, OP_EQ, 1);
1365
1366 tls->ssl->session = SSL_SESSION_new();
1367 tls->wasV2Handshake = 0;
1368 tor_tls_server_info_callback(ssl, SSL_CB_ACCEPT_LOOP, 0);
1369 tt_int_op(tls->wasV2Handshake, OP_EQ, 0);
1370
1371 done:
1372 teardown_capture_of_logs();
1373 SSL_free(ssl);
1374 SSL_CTX_free(ctx);
1375 tor_free(tls);
1376 }
1377 #endif /* !defined(OPENSSL_OPAQUE) */
1378
1379 #ifndef OPENSSL_OPAQUE
1380 static int fixed_ssl_read_result_index;
1381 static int fixed_ssl_read_result[5];
1382
1383 static int
1384 fixed_ssl_read(SSL *s, void *buf, int len)
1385 {
1386 (void)s;
1387 (void)buf;
1388 (void)len;
1389 return fixed_ssl_read_result[fixed_ssl_read_result_index++];
1390 }
1391
1392 static int
1393 dummy_handshake_func(SSL *s)
1394 {
1395 (void)s;
1396 return 1;
1397 }
1398
1399 static int negotiated_callback_called;
1400
1401 static void
1402 negotiated_callback_setter(tor_tls_t *t, void *arg)
1403 {
1404 (void)t;
1405 (void)arg;
1406 negotiated_callback_called++;
1407 }
1408
1409 static void
1410 test_tortls_read(void *ignored)
1411 {
1412 (void)ignored;
1413 int ret;
1414 tor_tls_t *tls;
1415 char buf[100];
1416 SSL_METHOD *method = give_me_a_test_method();
1417 setup_capture_of_logs(LOG_WARN);
1418
1419 tls = tor_malloc_zero(sizeof(tor_tls_t));
1420 tls->ssl = tor_malloc_zero(sizeof(SSL));
1421 tls->state = TOR_TLS_ST_OPEN;
1422
1423 ret = tor_tls_read(tls, buf, 10);
1424 tt_int_op(ret, OP_EQ, -9);
1425
1426 /* These tests assume that V2_HANDSHAKE_SERVER is set */
1427 tls->ssl->handshake_func = dummy_handshake_func;
1428 tls->ssl->method = method;
1429 method->ssl_read = fixed_ssl_read;
1430 fixed_ssl_read_result_index = 0;
1431 fixed_ssl_read_result[0] = 42;
1432 tls->state = TOR_TLS_ST_OPEN;
1433 ERR_clear_error();
1434 ret = tor_tls_read(tls, buf, 10);
1435 tt_int_op(ret, OP_EQ, 42);
1436
1437 tls->state = TOR_TLS_ST_OPEN;
1438 tls->got_renegotiate = 1;
1439 fixed_ssl_read_result_index = 0;
1440 ERR_clear_error();
1441 ret = tor_tls_read(tls, buf, 10);
1442 tt_int_op(tls->got_renegotiate, OP_EQ, 0);
1443
1444 tls->state = TOR_TLS_ST_OPEN;
1445 tls->got_renegotiate = 1;
1446 negotiated_callback_called = 0;
1447 tls->negotiated_callback = negotiated_callback_setter;
1448 fixed_ssl_read_result_index = 0;
1449 ERR_clear_error();
1450 ret = tor_tls_read(tls, buf, 10);
1451 tt_int_op(negotiated_callback_called, OP_EQ, 1);
1452
1453 #ifndef LIBRESSL_VERSION_NUMBER
1454 fixed_ssl_read_result_index = 0;
1455 fixed_ssl_read_result[0] = 0;
1456 tls->ssl->version = SSL2_VERSION;
1457 ERR_clear_error();
1458 ret = tor_tls_read(tls, buf, 10);
1459 tt_int_op(ret, OP_EQ, TOR_TLS_CLOSE);
1460 tt_int_op(tls->state, OP_EQ, TOR_TLS_ST_CLOSED);
1461 #endif /* !defined(LIBRESSL_VERSION_NUMBER) */
1462 // TODO: fill up
1463
1464 done:
1465 teardown_capture_of_logs();
1466 tor_free(tls->ssl);
1467 tor_free(tls);
1468 tor_free(method);
1469 }
1470
1471 static int fixed_ssl_write_result;
1472
1473 static int
1474 fixed_ssl_write(SSL *s, const void *buf, int len)
1475 {
1476 (void)s;
1477 (void)buf;
1478 (void)len;
1479 return fixed_ssl_write_result;
1480 }
1481
1482 static void
1483 test_tortls_write(void *ignored)
1484 {
1485 (void)ignored;
1486 int ret;
1487 tor_tls_t *tls;
1488 SSL_METHOD *method = give_me_a_test_method();
1489 char buf[100];
1490 setup_capture_of_logs(LOG_WARN);
1491
1492 tls = tor_malloc_zero(sizeof(tor_tls_t));
1493 tls->ssl = tor_malloc_zero(sizeof(SSL));
1494 tls->state = TOR_TLS_ST_OPEN;
1495
1496 ret = tor_tls_write(tls, buf, 0);
1497 tt_int_op(ret, OP_EQ, 0);
1498
1499 ret = tor_tls_write(tls, buf, 10);
1500 tt_int_op(ret, OP_EQ, -9);
1501
1502 tls->ssl->method = method;
1503 tls->wantwrite_n = 1;
1504 ret = tor_tls_write(tls, buf, 10);
1505 tt_int_op(tls->wantwrite_n, OP_EQ, 0);
1506
1507 method->ssl_write = fixed_ssl_write;
1508 tls->ssl->handshake_func = dummy_handshake_func;
1509 fixed_ssl_write_result = 1;
1510 ERR_clear_error();
1511 ret = tor_tls_write(tls, buf, 10);
1512 tt_int_op(ret, OP_EQ, 1);
1513
1514 fixed_ssl_write_result = -1;
1515 ERR_clear_error();
1516 tls->ssl->rwstate = SSL_READING;
1517 SSL_set_bio(tls->ssl, BIO_new(BIO_s_mem()), NULL);
1518 SSL_get_rbio(tls->ssl)->flags = BIO_FLAGS_READ;
1519 ret = tor_tls_write(tls, buf, 10);
1520 tt_int_op(ret, OP_EQ, TOR_TLS_WANTREAD);
1521
1522 ERR_clear_error();
1523 tls->ssl->rwstate = SSL_READING;
1524 SSL_set_bio(tls->ssl, BIO_new(BIO_s_mem()), NULL);
1525 SSL_get_rbio(tls->ssl)->flags = BIO_FLAGS_WRITE;
1526 ret = tor_tls_write(tls, buf, 10);
1527 tt_int_op(ret, OP_EQ, TOR_TLS_WANTWRITE);
1528
1529 done:
1530 teardown_capture_of_logs();
1531 BIO_free(tls->ssl->rbio);
1532 tor_free(tls->ssl);
1533 tor_free(tls);
1534 tor_free(method);
1535 }
1536 #endif /* !defined(OPENSSL_OPAQUE) */
1537
1538 #ifndef OPENSSL_OPAQUE
1539 static int fixed_ssl_accept_result;
1540 static int fixed_ssl_connect_result;
1541
1542 static int
1543 setting_error_ssl_accept(SSL *ssl)
1544 {
1545 (void)ssl;
1546 ERR_put_error(ERR_LIB_BN, 2, -1, "somewhere.c", 99);
1547 ERR_put_error(ERR_LIB_SYS, 2, -1, "somewhere.c", 99);
1548 return fixed_ssl_accept_result;
1549 }
1550
1551 static int
1552 setting_error_ssl_connect(SSL *ssl)
1553 {
1554 (void)ssl;
1555 ERR_put_error(ERR_LIB_BN, 2, -1, "somewhere.c", 99);
1556 ERR_put_error(ERR_LIB_SYS, 2, -1, "somewhere.c", 99);
1557 return fixed_ssl_connect_result;
1558 }
1559
1560 static int
1561 fixed_ssl_accept(SSL *ssl)
1562 {
1563 (void) ssl;
1564 return fixed_ssl_accept_result;
1565 }
1566
1567 static void
1568 test_tortls_handshake(void *ignored)
1569 {
1570 (void)ignored;
1571 int ret;
1572 tor_tls_t *tls;
1573 SSL_CTX *ctx;
1574 SSL_METHOD *method = give_me_a_test_method();
1575 setup_capture_of_logs(LOG_INFO);
1576
1577 SSL_library_init();
1578 SSL_load_error_strings();
1579
1580 ctx = SSL_CTX_new(TLSv1_method());
1581
1582 tls = tor_malloc_zero(sizeof(tor_tls_t));
1583 tls->ssl = SSL_new(ctx);
1584 tls->state = TOR_TLS_ST_HANDSHAKE;
1585
1586 ret = tor_tls_handshake(tls);
1587 tt_int_op(ret, OP_EQ, -9);
1588
1589 tls->isServer = 1;
1590 tls->state = TOR_TLS_ST_HANDSHAKE;
1591 ret = tor_tls_handshake(tls);
1592 tt_int_op(ret, OP_EQ, -9);
1593
1594 tls->ssl->method = method;
1595 method->ssl_accept = fixed_ssl_accept;
1596 fixed_ssl_accept_result = 2;
1597 ERR_clear_error();
1598 tls->state = TOR_TLS_ST_HANDSHAKE;
1599 ret = tor_tls_handshake(tls);
1600 tt_int_op(tls->state, OP_EQ, TOR_TLS_ST_OPEN);
1601
1602 method->ssl_accept = setting_error_ssl_accept;
1603 fixed_ssl_accept_result = 1;
1604 ERR_clear_error();
1605 mock_clean_saved_logs();
1606 tls->state = TOR_TLS_ST_HANDSHAKE;
1607 ret = tor_tls_handshake(tls);
1608 tt_int_op(ret, OP_EQ, TOR_TLS_ERROR_MISC);
1609 expect_log_entry();
1610 /* This fails on jessie. Investigate why! */
1611 #if 0
1612 expect_log_msg("TLS error while handshaking: (null) (in bignum routines:"
1613 "(null):SSLv3 write client hello B)\n");
1614 expect_log_msg("TLS error while handshaking: (null) (in system library:"
1615 "connect:SSLv3 write client hello B)\n");
1616 #endif /* 0 */
1617 expect_log_severity(LOG_INFO);
1618
1619 tls->isServer = 0;
1620 method->ssl_connect = setting_error_ssl_connect;
1621 fixed_ssl_connect_result = 1;
1622 ERR_clear_error();
1623 mock_clean_saved_logs();
1624 tls->state = TOR_TLS_ST_HANDSHAKE;
1625 ret = tor_tls_handshake(tls);
1626 tt_int_op(ret, OP_EQ, TOR_TLS_ERROR_MISC);
1627 expect_log_entry();
1628 #if 0
1629 /* See above */
1630 expect_log_msg("TLS error while handshaking: "
1631 "(null) (in bignum routines:(null):SSLv3 write client hello B)\n");
1632 expect_log_msg("TLS error while handshaking: "
1633 "(null) (in system library:connect:SSLv3 write client hello B)\n");
1634 #endif /* 0 */
1635 expect_log_severity(LOG_WARN);
1636
1637 done:
1638 teardown_capture_of_logs();
1639 SSL_free(tls->ssl);
1640 SSL_CTX_free(ctx);
1641 tor_free(tls);
1642 tor_free(method);
1643 }
1644 #endif /* !defined(OPENSSL_OPAQUE) */
1645
1646 #ifndef OPENSSL_OPAQUE
1647 static void
1648 test_tortls_finish_handshake(void *ignored)
1649 {
1650 (void)ignored;
1651 int ret;
1652 tor_tls_t *tls;
1653 SSL_CTX *ctx;
1654 SSL_METHOD *method = give_me_a_test_method();
1655 SSL_library_init();
1656 SSL_load_error_strings();
1657
1658 X509 *c1 = read_cert_from(validCertString);
1659 SESS_CERT_local *sess = NULL;
1660
1661 ctx = SSL_CTX_new(method);
1662
1663 tls = tor_malloc_zero(sizeof(tor_tls_t));
1664 tls->ssl = SSL_new(ctx);
1665 tls->state = TOR_TLS_ST_OPEN;
1666
1667 ret = tor_tls_finish_handshake(tls);
1668 tt_int_op(ret, OP_EQ, 0);
1669
1670 tls->isServer = 1;
1671 tls->wasV2Handshake = 0;
1672 setup_full_capture_of_logs(LOG_WARN);
1673 ret = tor_tls_finish_handshake(tls);
1674 tt_int_op(ret, OP_EQ, 0);
1675 tt_int_op(tls->wasV2Handshake, OP_EQ, 1);
1676 expect_single_log_msg_containing("For some reason, wasV2Handshake didn't "
1677 "get set.");
1678 teardown_capture_of_logs();
1679
1680 tls->wasV2Handshake = 1;
1681 ret = tor_tls_finish_handshake(tls);
1682 tt_int_op(ret, OP_EQ, 0);
1683 tt_int_op(tls->wasV2Handshake, OP_EQ, 1);
1684
1685 tls->wasV2Handshake = 1;
1686 tls->ssl->session = SSL_SESSION_new();
1687 ret = tor_tls_finish_handshake(tls);
1688 tt_int_op(ret, OP_EQ, 0);
1689 tt_int_op(tls->wasV2Handshake, OP_EQ, 0);
1690
1691 tls->isServer = 0;
1692
1693 sess = tor_malloc_zero(sizeof(SESS_CERT_local));
1694 tls->ssl->session->sess_cert = (void *)sess;
1695 sess->cert_chain = sk_X509_new_null();
1696 sk_X509_push(sess->cert_chain, c1);
1697 tls->ssl->session->peer = c1;
1698 tls->wasV2Handshake = 0;
1699 ret = tor_tls_finish_handshake(tls);
1700 tt_int_op(ret, OP_EQ, 0);
1701 tt_int_op(tls->wasV2Handshake, OP_EQ, 1);
1702
1703 method->num_ciphers = fake_num_ciphers;
1704 ret = tor_tls_finish_handshake(tls);
1705 tt_int_op(ret, OP_EQ, -9);
1706
1707 done:
1708 if (sess)
1709 sk_X509_free(sess->cert_chain);
1710 if (tls->ssl && tls->ssl->session) {
1711 tor_free(tls->ssl->session->sess_cert);
1712 }
1713 SSL_free(tls->ssl);
1714 tor_free(tls);
1715 SSL_CTX_free(ctx);
1716 tor_free(method);
1717 teardown_capture_of_logs();
1718 }
1719 #endif /* !defined(OPENSSL_OPAQUE) */
1720
1721 static int fixed_crypto_pk_new_result_index;
1722 static crypto_pk_t *fixed_crypto_pk_new_result[5];
1723
1724 static crypto_pk_t *
1725 fixed_crypto_pk_new(void)
1726 {
1727 return fixed_crypto_pk_new_result[fixed_crypto_pk_new_result_index++];
1728 }
1729
1730 #ifndef OPENSSL_OPAQUE
1731 static int fixed_crypto_pk_generate_key_with_bits_result_index;
1732 static int fixed_crypto_pk_generate_key_with_bits_result[5];
1733 static int fixed_tor_tls_create_certificate_result_index;
1734 static X509 *fixed_tor_tls_create_certificate_result[5];
1735 static int fixed_tor_x509_cert_new_result_index;
1736 static tor_x509_cert_t *fixed_tor_x509_cert_new_result[5];
1737
1738 static int
1739 fixed_crypto_pk_generate_key_with_bits(crypto_pk_t *env, int bits)
1740 {
1741 (void)env;
1742 (void)bits;
1743 return fixed_crypto_pk_generate_key_with_bits_result[
1744 fixed_crypto_pk_generate_key_with_bits_result_index++];
1745 }
1746
1747 static X509 *
1748 fixed_tor_tls_create_certificate(crypto_pk_t *rsa,
1749 crypto_pk_t *rsa_sign,
1750 const char *cname,
1751 const char *cname_sign,
1752 unsigned int cert_lifetime)
1753 {
1754 (void)rsa;
1755 (void)rsa_sign;
1756 (void)cname;
1757 (void)cname_sign;
1758 (void)cert_lifetime;
1759 X509 *result = fixed_tor_tls_create_certificate_result[
1760 fixed_tor_tls_create_certificate_result_index++];
1761 if (result)
1762 return X509_dup(result);
1763 else
1764 return NULL;
1765 }
1766
1767 static void
1768 fixed_tor_tls_create_certificate_results_free(void)
1769 {
1770 unsigned i;
1771 for (i = 0; i < ARRAY_LENGTH(fixed_tor_tls_create_certificate_result); ++i) {
1772 X509 *cert = fixed_tor_tls_create_certificate_result[i];
1773 if (cert)
1774 X509_free(cert);
1775 fixed_tor_tls_create_certificate_result[i] = NULL;
1776 }
1777 }
1778
1779 static void
1780 fixed_tor_x509_cert_new_results_free(void)
1781 {
1782 unsigned i;
1783 for (i = 0; i < ARRAY_LENGTH(fixed_tor_x509_cert_new_result); ++i) {
1784 tor_x509_cert_free(fixed_tor_x509_cert_new_result[i]);
1785 }
1786 }
1787
1788 static tor_x509_cert_t *
1789 fixed_tor_x509_cert_new(tor_x509_cert_impl_t *x509_cert)
1790 {
1791 (void) x509_cert;
1792 tor_x509_cert_t **certp =
1793 &fixed_tor_x509_cert_new_result[fixed_tor_x509_cert_new_result_index++];
1794 tor_x509_cert_t *cert = *certp;
1795 *certp = NULL;
1796 return cert;
1797 }
1798
1799 static void
1800 test_tortls_context_new(void *ignored)
1801 {
1802 (void)ignored;
1803 tor_tls_context_t *ret;
1804 crypto_pk_t *pk1, *pk2, *pk3, *pk4, *pk5, *pk6, *pk7, *pk8, *pk9, *pk10,
1805 *pk11, *pk12, *pk13, *pk14, *pk15, *pk16, *pk17, *pk18;
1806
1807 pk1 = crypto_pk_new();
1808 pk2 = crypto_pk_new();
1809 pk3 = crypto_pk_new();
1810 pk4 = crypto_pk_new();
1811 pk5 = crypto_pk_new();
1812 pk6 = crypto_pk_new();
1813 pk7 = crypto_pk_new();
1814 pk8 = crypto_pk_new();
1815 pk9 = crypto_pk_new();
1816 pk10 = crypto_pk_new();
1817 pk11 = crypto_pk_new();
1818 pk12 = crypto_pk_new();
1819 pk13 = crypto_pk_new();
1820 pk14 = crypto_pk_new();
1821 pk15 = crypto_pk_new();
1822 pk16 = crypto_pk_new();
1823 pk17 = crypto_pk_new();
1824 pk18 = crypto_pk_new();
1825
1826 fixed_crypto_pk_new_result_index = 0;
1827 fixed_crypto_pk_new_result[0] = NULL;
1828 MOCK(crypto_pk_new, fixed_crypto_pk_new);
1829 ret = tor_tls_context_new(NULL, 0, 0, 0);
1830 tt_assert(!ret);
1831
1832 /* note: we already override this in testing_common.c, so we
1833 * run this unit test in a subprocess. */
1834 MOCK(crypto_pk_generate_key_with_bits,
1835 fixed_crypto_pk_generate_key_with_bits);
1836 fixed_crypto_pk_new_result_index = 0;
1837 fixed_crypto_pk_new_result[0] = pk1;
1838 fixed_crypto_pk_new_result[1] = NULL;
1839 fixed_crypto_pk_generate_key_with_bits_result[0] = -1;
1840 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
1841 ret = tor_tls_context_new(NULL, 0, 0, 0);
1842 tt_assert(!ret);
1843
1844 fixed_crypto_pk_new_result_index = 0;
1845 fixed_crypto_pk_new_result[0] = pk2;
1846 fixed_crypto_pk_new_result[1] = NULL;
1847 fixed_crypto_pk_generate_key_with_bits_result[0] = 0;
1848 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
1849 ret = tor_tls_context_new(NULL, 0, 0, 0);
1850 tt_assert(!ret);
1851
1852 fixed_crypto_pk_new_result_index = 0;
1853 fixed_crypto_pk_new_result[0] = pk3;
1854 fixed_crypto_pk_new_result[1] = pk4;
1855 fixed_crypto_pk_new_result[2] = NULL;
1856 fixed_crypto_pk_generate_key_with_bits_result[0] = 0;
1857 fixed_crypto_pk_generate_key_with_bits_result[1] = -1;
1858 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
1859 ret = tor_tls_context_new(NULL, 0, 0, 0);
1860 tt_assert(!ret);
1861
1862 MOCK(tor_tls_create_certificate, fixed_tor_tls_create_certificate);
1863
1864 fixed_crypto_pk_new_result_index = 0;
1865 fixed_crypto_pk_new_result[0] = pk5;
1866 fixed_crypto_pk_new_result[1] = pk6;
1867 fixed_crypto_pk_new_result[2] = NULL;
1868 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
1869 fixed_crypto_pk_generate_key_with_bits_result[1] = 0;
1870 fixed_tor_tls_create_certificate_result_index = 0;
1871 fixed_tor_tls_create_certificate_result[0] = NULL;
1872 fixed_tor_tls_create_certificate_result[1] = X509_new();
1873 fixed_tor_tls_create_certificate_result[2] = X509_new();
1874 ret = tor_tls_context_new(NULL, 0, 0, 0);
1875 tt_assert(!ret);
1876 fixed_tor_tls_create_certificate_results_free();
1877
1878 fixed_crypto_pk_new_result_index = 0;
1879 fixed_crypto_pk_new_result[0] = pk7;
1880 fixed_crypto_pk_new_result[1] = pk8;
1881 fixed_crypto_pk_new_result[2] = NULL;
1882 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
1883 fixed_tor_tls_create_certificate_result_index = 0;
1884 fixed_tor_tls_create_certificate_result[0] = X509_new();
1885 fixed_tor_tls_create_certificate_result[1] = NULL;
1886 fixed_tor_tls_create_certificate_result[2] = X509_new();
1887 ret = tor_tls_context_new(NULL, 0, 0, 0);
1888 tt_assert(!ret);
1889 fixed_tor_tls_create_certificate_results_free();
1890
1891 fixed_crypto_pk_new_result_index = 0;
1892 fixed_crypto_pk_new_result[0] = pk9;
1893 fixed_crypto_pk_new_result[1] = pk10;
1894 fixed_crypto_pk_new_result[2] = NULL;
1895 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
1896 fixed_tor_tls_create_certificate_result_index = 0;
1897 fixed_tor_tls_create_certificate_result[0] = X509_new();
1898 fixed_tor_tls_create_certificate_result[1] = X509_new();
1899 fixed_tor_tls_create_certificate_result[2] = NULL;
1900 ret = tor_tls_context_new(NULL, 0, 0, 0);
1901 tt_assert(!ret);
1902 fixed_tor_tls_create_certificate_results_free();
1903
1904 MOCK(tor_x509_cert_new, fixed_tor_x509_cert_new);
1905 fixed_crypto_pk_new_result_index = 0;
1906 fixed_crypto_pk_new_result[0] = pk11;
1907 fixed_crypto_pk_new_result[1] = pk12;
1908 fixed_crypto_pk_new_result[2] = NULL;
1909 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
1910 fixed_tor_tls_create_certificate_result_index = 0;
1911 fixed_tor_tls_create_certificate_result[0] = X509_new();
1912 fixed_tor_tls_create_certificate_result[1] = X509_new();
1913 fixed_tor_tls_create_certificate_result[2] = X509_new();
1914 fixed_tor_x509_cert_new_result_index = 0;
1915 fixed_tor_x509_cert_new_result[0] = NULL;
1916 fixed_tor_x509_cert_new_result[1] = NULL;
1917 fixed_tor_x509_cert_new_result[2] = NULL;
1918 ret = tor_tls_context_new(NULL, 0, 0, 0);
1919 tt_assert(!ret);
1920 fixed_tor_tls_create_certificate_results_free();
1921
1922 fixed_crypto_pk_new_result_index = 0;
1923 fixed_crypto_pk_new_result[0] = pk13;
1924 fixed_crypto_pk_new_result[1] = pk14;
1925 fixed_crypto_pk_new_result[2] = NULL;
1926 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
1927 fixed_tor_tls_create_certificate_result_index = 0;
1928 fixed_tor_tls_create_certificate_result[0] = X509_new();
1929 fixed_tor_tls_create_certificate_result[1] = X509_new();
1930 fixed_tor_tls_create_certificate_result[2] = X509_new();
1931 fixed_tor_x509_cert_new_result_index = 0;
1932 fixed_tor_x509_cert_new_result[0] = tor_malloc_zero(sizeof(tor_x509_cert_t));
1933 fixed_tor_x509_cert_new_result[1] = NULL;
1934 fixed_tor_x509_cert_new_result[2] = NULL;
1935 ret = tor_tls_context_new(NULL, 0, 0, 0);
1936 tt_assert(!ret);
1937 fixed_tor_tls_create_certificate_results_free();
1938 fixed_tor_x509_cert_new_results_free();
1939
1940 fixed_crypto_pk_new_result_index = 0;
1941 fixed_crypto_pk_new_result[0] = pk15;
1942 fixed_crypto_pk_new_result[1] = pk16;
1943 fixed_crypto_pk_new_result[2] = NULL;
1944 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
1945 fixed_tor_tls_create_certificate_result_index = 0;
1946 fixed_tor_tls_create_certificate_result[0] = X509_new();
1947 fixed_tor_tls_create_certificate_result[1] = X509_new();
1948 fixed_tor_tls_create_certificate_result[2] = X509_new();
1949 fixed_tor_x509_cert_new_result_index = 0;
1950 fixed_tor_x509_cert_new_result[0] = tor_malloc_zero(sizeof(tor_x509_cert_t));
1951 fixed_tor_x509_cert_new_result[1] = tor_malloc_zero(sizeof(tor_x509_cert_t));
1952 fixed_tor_x509_cert_new_result[2] = NULL;
1953 ret = tor_tls_context_new(NULL, 0, 0, 0);
1954 tt_assert(!ret);
1955 fixed_tor_tls_create_certificate_results_free();
1956 fixed_tor_x509_cert_new_results_free();
1957
1958 fixed_crypto_pk_new_result_index = 0;
1959 fixed_crypto_pk_new_result[0] = pk17;
1960 fixed_crypto_pk_new_result[1] = pk18;
1961 fixed_crypto_pk_new_result[2] = NULL;
1962 fixed_crypto_pk_generate_key_with_bits_result_index = 0;
1963 fixed_tor_tls_create_certificate_result_index = 0;
1964 fixed_tor_tls_create_certificate_result[0] = X509_new();
1965 fixed_tor_tls_create_certificate_result[1] = X509_new();
1966 fixed_tor_tls_create_certificate_result[2] = X509_new();
1967 fixed_tor_x509_cert_new_result_index = 0;
1968 fixed_tor_x509_cert_new_result[0] = tor_malloc_zero(sizeof(tor_x509_cert_t));
1969 fixed_tor_x509_cert_new_result[1] = tor_malloc_zero(sizeof(tor_x509_cert_t));
1970 fixed_tor_x509_cert_new_result[2] = tor_malloc_zero(sizeof(tor_x509_cert_t));
1971 ret = tor_tls_context_new(NULL, 0, 0, 0);
1972 tt_assert(!ret);
1973
1974 done:
1975 fixed_tor_tls_create_certificate_results_free();
1976 fixed_tor_x509_cert_new_results_free();
1977 UNMOCK(tor_x509_cert_new);
1978 UNMOCK(tor_tls_create_certificate);
1979 UNMOCK(crypto_pk_generate_key_with_bits);
1980 UNMOCK(crypto_pk_new);
1981 }
1982 #endif /* !defined(OPENSSL_OPAQUE) */
1983
1984 static int fixed_crypto_pk_get_evp_pkey_result_index = 0;
1985 static EVP_PKEY *fixed_crypto_pk_get_evp_pkey_result[5];
1986
1987 static EVP_PKEY *
1988 fixed_crypto_pk_get_evp_pkey_(crypto_pk_t *env, int private)
1989 {
1990 (void) env;
1991 (void) private;
1992 return fixed_crypto_pk_get_evp_pkey_result[
1993 fixed_crypto_pk_get_evp_pkey_result_index++];
1994 }
1995
1996 static void
1997 test_tortls_create_certificate(void *ignored)
1998 {
1999 (void)ignored;
2000 X509 *ret;
2001 crypto_pk_t *pk1, *pk2;
2002
2003 pk1 = crypto_pk_new();
2004 pk2 = crypto_pk_new();
2005
2006 MOCK(crypto_pk_get_openssl_evp_pkey_, fixed_crypto_pk_get_evp_pkey_);
2007 fixed_crypto_pk_get_evp_pkey_result_index = 0;
2008 fixed_crypto_pk_get_evp_pkey_result[0] = NULL;
2009 ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1);
2010 tt_assert(!ret);
2011
2012 fixed_crypto_pk_get_evp_pkey_result_index = 0;
2013 fixed_crypto_pk_get_evp_pkey_result[0] = EVP_PKEY_new();
2014 fixed_crypto_pk_get_evp_pkey_result[1] = NULL;
2015 ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1);
2016 tt_assert(!ret);
2017
2018 fixed_crypto_pk_get_evp_pkey_result_index = 0;
2019 fixed_crypto_pk_get_evp_pkey_result[0] = EVP_PKEY_new();
2020 fixed_crypto_pk_get_evp_pkey_result[1] = EVP_PKEY_new();
2021 ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1);
2022 tt_assert(!ret);
2023
2024 done:
2025 UNMOCK(crypto_pk_get_openssl_evp_pkey_);
2026 crypto_pk_free(pk1);
2027 crypto_pk_free(pk2);
2028 }
2029
2030 static void
2031 test_tortls_cert_new(void *ignored)
2032 {
2033 (void)ignored;
2034 tor_x509_cert_t *ret;
2035 X509 *cert = read_cert_from(validCertString);
2036
2037 ret = tor_x509_cert_new(NULL);
2038 tt_assert(!ret);
2039
2040 ret = tor_x509_cert_new(cert);
2041 tt_assert(ret);
2042 tor_x509_cert_free(ret);
2043 ret = NULL;
2044
2045 #if 0
2046 cert = read_cert_from(validCertString);
2047 /* XXX this doesn't do what you think: it alters a copy of the pubkey. */
2048 X509_get_pubkey(cert)->type = EVP_PKEY_DSA;
2049 ret = tor_x509_cert_new(cert);
2050 tt_assert(ret);
2051 #endif /* 0 */
2052
2053 #ifndef OPENSSL_OPAQUE
2054 cert = read_cert_from(validCertString);
2055 X509_CINF_free(cert->cert_info);
2056 cert->cert_info = NULL;
2057 ret = tor_x509_cert_new(cert);
2058 tt_assert(ret);
2059 #endif /* !defined(OPENSSL_OPAQUE) */
2060
2061 done:
2062 tor_x509_cert_free(ret);
2063 }
2064
2065 static void
2066 test_tortls_cert_is_valid(void *ignored)
2067 {
2068 (void)ignored;
2069 int ret;
2070 tor_x509_cert_t *cert = NULL, *scert = NULL;
2071
2072 scert = tor_malloc_zero(sizeof(tor_x509_cert_t));
2073 ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 0);
2074 tt_int_op(ret, OP_EQ, 0);
2075
2076 cert = tor_malloc_zero(sizeof(tor_x509_cert_t));
2077 ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 0);
2078 tt_int_op(ret, OP_EQ, 0);
2079 tor_free(scert);
2080 tor_free(cert);
2081
2082 cert = tor_x509_cert_new(read_cert_from(validCertString));
2083 scert = tor_x509_cert_new(read_cert_from(caCertString));
2084 ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 0);
2085 tt_int_op(ret, OP_EQ, 1);
2086
2087 #ifndef OPENSSL_OPAQUE
2088 tor_x509_cert_free(cert);
2089 tor_x509_cert_free(scert);
2090 cert = tor_x509_cert_new(read_cert_from(validCertString));
2091 scert = tor_x509_cert_new(read_cert_from(caCertString));
2092 ASN1_TIME_free(cert->cert->cert_info->validity->notAfter);
2093 cert->cert->cert_info->validity->notAfter =
2094 ASN1_TIME_set(NULL, time(NULL)-1000000);
2095 ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 0);
2096 tt_int_op(ret, OP_EQ, 0);
2097
2098 tor_x509_cert_free(cert);
2099 tor_x509_cert_free(scert);
2100 cert = tor_x509_cert_new(read_cert_from(validCertString));
2101 scert = tor_x509_cert_new(read_cert_from(caCertString));
2102 X509_PUBKEY_free(cert->cert->cert_info->key);
2103 cert->cert->cert_info->key = NULL;
2104 ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 1);
2105 tt_int_op(ret, OP_EQ, 0);
2106 #endif /* !defined(OPENSSL_OPAQUE) */
2107
2108 #if 0
2109 tor_x509_cert_free(cert);
2110 tor_x509_cert_free(scert);
2111 cert = tor_x509_cert_new(read_cert_from(validCertString));
2112 scert = tor_x509_cert_new(read_cert_from(caCertString));
2113 /* This doesn't actually change the key in the cert. XXXXXX */
2114 BN_one(EVP_PKEY_get1_RSA(X509_get_pubkey(cert->cert))->n);
2115 ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 1);
2116 tt_int_op(ret, OP_EQ, 0);
2117
2118 tor_x509_cert_free(cert);
2119 tor_x509_cert_free(scert);
2120 cert = tor_x509_cert_new(read_cert_from(validCertString));
2121 scert = tor_x509_cert_new(read_cert_from(caCertString));
2122 /* This doesn't actually change the key in the cert. XXXXXX */
2123 X509_get_pubkey(cert->cert)->type = EVP_PKEY_EC;
2124 ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 1);
2125 tt_int_op(ret, OP_EQ, 0);
2126
2127 tor_x509_cert_free(cert);
2128 tor_x509_cert_free(scert);
2129 cert = tor_x509_cert_new(read_cert_from(validCertString));
2130 scert = tor_x509_cert_new(read_cert_from(caCertString));
2131 /* This doesn't actually change the key in the cert. XXXXXX */
2132 X509_get_pubkey(cert->cert)->type = EVP_PKEY_EC;
2133 ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 0);
2134 tt_int_op(ret, OP_EQ, 1);
2135
2136 tor_x509_cert_free(cert);
2137 tor_x509_cert_free(scert);
2138 cert = tor_x509_cert_new(read_cert_from(validCertString));
2139 scert = tor_x509_cert_new(read_cert_from(caCertString));
2140 /* This doesn't actually change the key in the cert. XXXXXX */
2141 X509_get_pubkey(cert->cert)->type = EVP_PKEY_EC;
2142 X509_get_pubkey(cert->cert)->ameth = NULL;
2143 ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 0);
2144 tt_int_op(ret, OP_EQ, 0);
2145 #endif /* 0 */
2146
2147 done:
2148 tor_x509_cert_free(cert);
2149 tor_x509_cert_free(scert);
2150 }
2151
2152 static void
2153 test_tortls_context_init_one(void *ignored)
2154 {
2155 (void)ignored;
2156 int ret;
2157 tor_tls_context_t *old = NULL;
2158
2159 MOCK(crypto_pk_new, fixed_crypto_pk_new);
2160
2161 fixed_crypto_pk_new_result_index = 0;
2162 fixed_crypto_pk_new_result[0] = NULL;
2163 ret = tor_tls_context_init_one(&old, NULL, 0, 0, 0);
2164 tt_int_op(ret, OP_EQ, -1);
2165
2166 done:
2167 UNMOCK(crypto_pk_new);
2168 }
2169
2170 #define LOCAL_TEST_CASE(name, flags) \
2171 { #name, test_tortls_##name, (flags|TT_FORK), NULL, NULL }
2172
2173 #ifdef OPENSSL_OPAQUE
2174 #define INTRUSIVE_TEST_CASE(name, flags) \
2175 { #name, NULL, TT_SKIP, NULL, NULL }
2176 #else
2177 #define INTRUSIVE_TEST_CASE(name, flags) LOCAL_TEST_CASE(name, flags)
2178 #endif /* defined(OPENSSL_OPAQUE) */
2179
2180 struct testcase_t tortls_openssl_tests[] = {
2181 LOCAL_TEST_CASE(tor_tls_new, TT_FORK),
2182 LOCAL_TEST_CASE(get_state_description, TT_FORK),
2183 LOCAL_TEST_CASE(get_by_ssl, TT_FORK),
2184 LOCAL_TEST_CASE(allocate_tor_tls_object_ex_data_index, TT_FORK),
2185 LOCAL_TEST_CASE(log_one_error, TT_FORK),
2186 INTRUSIVE_TEST_CASE(get_error, TT_FORK),
2187 LOCAL_TEST_CASE(always_accept_verify_cb, 0),
2188 INTRUSIVE_TEST_CASE(x509_cert_free, 0),
2189 INTRUSIVE_TEST_CASE(cert_get_key, 0),
2190 LOCAL_TEST_CASE(get_my_client_auth_key, TT_FORK),
2191 INTRUSIVE_TEST_CASE(get_ciphersuite_name, 0),
2192 INTRUSIVE_TEST_CASE(classify_client_ciphers, 0),
2193 LOCAL_TEST_CASE(client_is_using_v2_ciphers, 0),
2194 INTRUSIVE_TEST_CASE(get_pending_bytes, 0),
2195 INTRUSIVE_TEST_CASE(SSL_SESSION_get_master_key, 0),
2196 INTRUSIVE_TEST_CASE(get_tlssecrets, 0),
2197 INTRUSIVE_TEST_CASE(get_buffer_sizes, 0),
2198 INTRUSIVE_TEST_CASE(try_to_extract_certs_from_tls, 0),
2199 INTRUSIVE_TEST_CASE(get_peer_cert, 0),
2200 INTRUSIVE_TEST_CASE(peer_has_cert, 0),
2201 INTRUSIVE_TEST_CASE(finish_handshake, 0),
2202 INTRUSIVE_TEST_CASE(handshake, 0),
2203 INTRUSIVE_TEST_CASE(write, 0),
2204 INTRUSIVE_TEST_CASE(read, 0),
2205 INTRUSIVE_TEST_CASE(server_info_callback, 0),
2206 LOCAL_TEST_CASE(get_write_overhead_ratio, TT_FORK),
2207 LOCAL_TEST_CASE(is_server, 0),
2208 INTRUSIVE_TEST_CASE(block_renegotiation, 0),
2209 INTRUSIVE_TEST_CASE(unblock_renegotiation, 0),
2210 INTRUSIVE_TEST_CASE(set_renegotiate_callback, 0),
2211 LOCAL_TEST_CASE(set_logged_address, 0),
2212 INTRUSIVE_TEST_CASE(find_cipher_by_id, 0),
2213 INTRUSIVE_TEST_CASE(session_secret_cb, 0),
2214 INTRUSIVE_TEST_CASE(debug_state_callback, 0),
2215 INTRUSIVE_TEST_CASE(context_new, TT_FORK /* redundant */),
2216 LOCAL_TEST_CASE(create_certificate, 0),
2217 LOCAL_TEST_CASE(cert_new, 0),
2218 LOCAL_TEST_CASE(cert_is_valid, 0),
2219 LOCAL_TEST_CASE(context_init_one, 0),
2220 END_OF_TESTCASES
2221 };
The Onion Router