search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Update copyrights to 2021, using "make update-copyright"
[tor.git] / src / test / test_tortls.c
blob99c759e27606d1d217ed2cbfb07be20d831b8ab9
1 /* Copyright (c) 2010-2021, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3
4 #define TORTLS_PRIVATE
5 #define TOR_X509_PRIVATE
6 #define LOG_PRIVATE
7 #include "orconfig.h"
8
9 #ifdef _WIN32
10 #include <winsock2.h>
11 #endif
12 #include <math.h>
13 #include <stddef.h>
14
15 #include "lib/cc/compat_compiler.h"
16
17 #include "core/or/or.h"
18 #include "lib/log/log.h"
19 #include "app/config/config.h"
20 #include "lib/crypt_ops/compat_openssl.h"
21 #include "lib/tls/x509.h"
22 #include "lib/tls/x509_internal.h"
23 #include "lib/tls/tortls.h"
24 #include "lib/tls/tortls_st.h"
25 #include "lib/tls/tortls_internal.h"
26 #include "lib/encoding/pem.h"
27 #include "app/config/or_state_st.h"
28
29 #include "test/test.h"
30 #include "test/log_test_helpers.h"
31 #include "test/test_tortls.h"
32
33 #include "tinytest.h"
34
35 const char* notCompletelyValidCertString =
36 "-----BEGIN CERTIFICATE-----\n"
37 "MIICVjCCAb8CAg37MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\n"
38 "A1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\n"
39 "MRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\n"
40 "YiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\n"
41 "ODIyMDUyNzIzWhcNMTcwODIxMDUyNzIzWjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\n"
42 "CAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\n"
43 "ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMYBBrx5PlP0WNI/ZdzD\n"
44 "+6Pktmurn+F2kQYbtc7XQh8/LTBvCo+P6iZoLEmUA9e7EXLRxgU1CVqeAi7QcAn9\n"
45 "MwBlc8ksFJHB0rtf9pmf8Oza9E0Bynlq/4/Kb1x+d+AyhL7oK9tQwB24uHOueHi1\n"
46 "C/iVv8CSWKiYe6hzN1txYe8rAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAASPdjigJ\n"
47 "kXCqKWpnZ/Oc75EUcMi6HztaW8abUMlYXPIgkV2F7YanHOB7K4f7OOLjiz8DTPFf\n"
48 "jC9UeuErhaA/zzWi8ewMTFZW/WshOrm3fNvcMrMLKtH534JKvcdMg6qIdjTFINIr\n"
49 "evnAhf0cwULaebn+lMs8Pdl7y37+sfluVok=\n"
50 "-----END CERTIFICATE-----\n";
51
52 const char* validCertString = "-----BEGIN CERTIFICATE-----\n"
53 "MIIDpTCCAY0CAg3+MA0GCSqGSIb3DQEBBQUAMF4xCzAJBgNVBAYTAlVTMREwDwYD\n"
54 "VQQIDAhJbGxpbm9pczEQMA4GA1UEBwwHQ2hpY2FnbzEUMBIGA1UECgwLVG9yIFRl\n"
55 "c3RpbmcxFDASBgNVBAMMC1RvciBUZXN0aW5nMB4XDTE1MDkwNjEzMzk1OVoXDTQz\n"
56 "MDEyMjEzMzk1OVowVjELMAkGA1UEBhMCVVMxEDAOBgNVBAcMB0NoaWNhZ28xFDAS\n"
57 "BgNVBAoMC1RvciBUZXN0aW5nMR8wHQYDVQQDDBZ0ZXN0aW5nLnRvcnByb2plY3Qu\n"
58 "b3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoT6uyVVhWyOF3wkHjjYbd\n"
59 "nKaykyRv4JVtKQdZ4OpEErmX1zw4MmyzpQNV6iR4bQnWiyLfzyVJMZDIC/WILBfX\n"
60 "w2Pza/yuLgUvDc3twMuhOACzOQVO8PrEF/aVv2+hbCCy2udXvKhnYn+CCXl3ozc8\n"
61 "XcKYvujTXDyvGWY3xwAjlQIDAQABMA0GCSqGSIb3DQEBBQUAA4ICAQCUvnhzQWuQ\n"
62 "MrN+pERkE+zcTI/9dGS90rUMMLgu8VDNqTa0TUQh8uO0EQ6uDvI8Js6e8tgwS0BR\n"
63 "UBahqb7ZHv+rejGCBr5OudqD+x4STiiuPNJVs86JTLN8SpM9CHjIBH5WCCN2KOy3\n"
64 "mevNoRcRRyYJzSFULCunIK6FGulszigMYGscrO4oiTkZiHPh9KvWT40IMiHfL+Lw\n"
65 "EtEWiLex6064LcA2YQ1AMuSZyCexks63lcfaFmQbkYOKqXa1oLkIRuDsOaSVjTfe\n"
66 "vec+X6jvf12cFTKS5WIeqkKF2Irt+dJoiHEGTe5RscUMN/f+gqHPzfFz5dR23sxo\n"
67 "g+HC6MZHlFkLAOx3wW6epPS8A/m1mw3zMPoTnb2U2YYt8T0dJMMlUn/7Y1sEAa+a\n"
68 "dSTMaeUf6VnJ//11m454EZl1to9Z7oJOgqmFffSrdD4BGIWe8f7hhW6L1Enmqe/J\n"
69 "BKL3wbzZh80O1W0bndAwhnEEhlzneFY84cbBo9pmVxpODHkUcStpr5Z7pBDrcL21\n"
70 "Ss/aB/1YrsVXhdvJdOGxl3Mnl9dUY57CympLGlT8f0pPS6GAKOelECOhFMHmJd8L\n"
71 "dj3XQSmKtYHevZ6IvuMXSlB/fJvSjSlkCuLo5+kJoaqPuRu+i/S1qxeRy3CBwmnE\n"
72 "LdSNdcX4N79GQJ996PA8+mUCQG7YRtK+WA==\n"
73 "-----END CERTIFICATE-----\n";
74
75 const char* caCertString = "-----BEGIN CERTIFICATE-----\n"
76 "MIIFjzCCA3egAwIBAgIJAKd5WgyfPMYRMA0GCSqGSIb3DQEBCwUAMF4xCzAJBgNV\n"
77 "BAYTAlVTMREwDwYDVQQIDAhJbGxpbm9pczEQMA4GA1UEBwwHQ2hpY2FnbzEUMBIG\n"
78 "A1UECgwLVG9yIFRlc3RpbmcxFDASBgNVBAMMC1RvciBUZXN0aW5nMB4XDTE1MDkw\n"
79 "NjEzMzc0MVoXDTQzMDEyMjEzMzc0MVowXjELMAkGA1UEBhMCVVMxETAPBgNVBAgM\n"
80 "CElsbGlub2lzMRAwDgYDVQQHDAdDaGljYWdvMRQwEgYDVQQKDAtUb3IgVGVzdGlu\n"
81 "ZzEUMBIGA1UEAwwLVG9yIFRlc3RpbmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw\n"
82 "ggIKAoICAQCpLMUEiLW5leUgBZoEJms2V7lZRhIAjnJBhVMHD0e3UubNknmaQoxf\n"
83 "ARz3rvqOaRd0JlV+qM9qE0DjiYcCVP1cAfqAo9d83uS1vwY3YMVJzADlaIiHfyVW\n"
84 "uEgBy0vvkeUBqaua24dYlcwsemOiXYLu41yM1wkcGHW1AhBNHppY6cznb8TyLgNM\n"
85 "2x3SGUdzc5XMyAFx51faKGBA3wjs+Hg1PLY7d30nmCgEOBavpm5I1disM/0k+Mcy\n"
86 "YmAKEo/iHJX/rQzO4b9znP69juLlR8PDBUJEVIG/CYb6+uw8MjjUyiWXYoqfVmN2\n"
87 "hm/lH8b6rXw1a2Aa3VTeD0DxaWeacMYHY/i01fd5n7hCoDTRNdSw5KJ0L3Z0SKTu\n"
88 "0lzffKzDaIfyZGlpW5qdouACkWYzsaitQOePVE01PIdO30vUfzNTFDfy42ccx3Di\n"
89 "59UCu+IXB+eMtrBfsok0Qc63vtF1linJgjHW1z/8ujk8F7/qkOfODhk4l7wngc2A\n"
90 "EmwWFIFoGaiTEZHB9qteXr4unbXZ0AHpM02uGGwZEGohjFyebEb73M+J57WKKAFb\n"
91 "PqbLcGUksL1SHNBNAJcVLttX55sO4nbidOS/kA3m+F1R04MBTyQF9qA6YDDHqdI3\n"
92 "h/3pw0Z4fxVouTYT4/NfRnX4JTP4u+7Mpcoof28VME0qWqD1LnRhFQIDAQABo1Aw\n"
93 "TjAdBgNVHQ4EFgQUMoAgIXH7pZ3QMRwTjT+DM9Yo/v0wHwYDVR0jBBgwFoAUMoAg\n"
94 "IXH7pZ3QMRwTjT+DM9Yo/v0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC\n"
95 "AgEAUJxacjXR9sT+Xs6ISFiUsyd0T6WVKMnV46xrYJHirGfx+krWHrjxMY+ZtxYD\n"
96 "DBDGlo11Qc4v6QrclNf5QUBfIiGQsP9Cm6hHcQ+Tpg9HHCgSqG1YNPwCPReCR4br\n"
97 "BLvLfrfkcBL2IWM0PdQdCze+59DBfipsULD2mEn9fjYRXQEwb2QWtQ9qRc20Yb/x\n"
98 "Q4b/+CvUodLkaq7B8MHz0BV8HHcBoph6DYaRmO/N+hPauIuSp6XyaGYcEefGKVKj\n"
99 "G2+fcsdyXsoijNdL8vNKwm4j2gVwCBnw16J00yfFoV46YcbfqEdJB2je0XSvwXqt\n"
100 "14AOTngxso2h9k9HLtrfpO1ZG/B5AcCMs1lzbZ2fp5DPHtjvvmvA2RJqgo3yjw4W\n"
101 "4DHAuTglYFlC3mDHNfNtcGP20JvepcQNzNP2UzwcpOc94hfKikOFw+gf9Vf1qd0y\n"
102 "h/Sk6OZHn2+JVUPiWHIQV98Vtoh4RmUZDJD+b55ia3fQGTGzt4z1XFzQYSva5sfs\n"
103 "wocS/papthqWldQU7x+3wofNd5CNU1x6WKXG/yw30IT/4F8ADJD6GeygNT8QJYvt\n"
104 "u/8lAkbOy6B9xGmSvr0Kk1oq9P2NshA6kalxp1Oz/DTNDdL4AeBXV3JmM6WWCjGn\n"
105 "Yy1RT69d0rwYc5u/vnqODz1IjvT90smsrkBumGt791FAFeg=\n"
106 "-----END CERTIFICATE-----\n";
107
108 static tor_x509_cert_t *fixed_x509_cert = NULL;
109 static tor_x509_cert_t *
110 get_peer_cert_mock_return_fixed(tor_tls_t *tls)
111 {
112 (void)tls;
113 if (fixed_x509_cert)
114 return tor_x509_cert_dup(fixed_x509_cert);
115 else
116 return NULL;
117 }
118
119 tor_x509_cert_impl_t *
120 read_cert_from(const char *str)
121 {
122 size_t len = strlen(str);
123 uint8_t *raw_cert = tor_malloc(len);
124 ssize_t true_len = pem_decode(raw_cert, len, str, len, "CERTIFICATE");
125 if (true_len < 0) {
126 tor_free(raw_cert);
127 return NULL;
128 }
129 tor_x509_cert_t *cert = tor_x509_cert_decode(raw_cert, true_len);
130 tor_free(raw_cert);
131 if (! cert) {
132 return NULL;
133 }
134 tor_x509_cert_impl_t *res = tor_x509_cert_impl_dup_(cert->cert);
135 tor_x509_cert_free(cert);
136 return res;
137 }
138
139 static tor_x509_cert_impl_t *
140 fixed_try_to_extract_certs_from_tls_cert_out_result = NULL;
141 static tor_x509_cert_impl_t *
142 fixed_try_to_extract_certs_from_tls_id_cert_out_result = NULL;
143
144 static void
145 fixed_try_to_extract_certs_from_tls(int severity, tor_tls_t *tls,
146 tor_x509_cert_impl_t **cert_out,
147 tor_x509_cert_impl_t **id_cert_out)
148 {
149 (void) severity;
150 (void) tls;
151 *cert_out = tor_x509_cert_impl_dup_(
152 fixed_try_to_extract_certs_from_tls_cert_out_result);
153 *id_cert_out = tor_x509_cert_impl_dup_(
154 fixed_try_to_extract_certs_from_tls_id_cert_out_result);
155 }
156
157 static void
158 test_tortls_errno_to_tls_error(void *data)
159 {
160 (void) data;
161 tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(ECONNRESET)),OP_EQ,
162 TOR_TLS_ERROR_CONNRESET);
163 tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(ETIMEDOUT)),OP_EQ,
164 TOR_TLS_ERROR_TIMEOUT);
165 tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(EHOSTUNREACH)),OP_EQ,
166 TOR_TLS_ERROR_NO_ROUTE);
167 tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(ENETUNREACH)),OP_EQ,
168 TOR_TLS_ERROR_NO_ROUTE);
169 tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(ECONNREFUSED)),OP_EQ,
170 TOR_TLS_ERROR_CONNREFUSED);
171 tt_int_op(tor_errno_to_tls_error(0),OP_EQ,TOR_TLS_ERROR_MISC);
172 done:
173 (void)1;
174 }
175
176 static void
177 test_tortls_err_to_string(void *data)
178 {
179 (void) data;
180 tt_str_op(tor_tls_err_to_string(1),OP_EQ,"[Not an error.]");
181 tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_MISC),OP_EQ,"misc error");
182 tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_IO),OP_EQ,"unexpected close");
183 tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_CONNREFUSED),OP_EQ,
184 "connection refused");
185 tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_CONNRESET),OP_EQ,
186 "connection reset");
187 tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_NO_ROUTE),OP_EQ,
188 "host unreachable");
189 tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_TIMEOUT),OP_EQ,
190 "connection timed out");
191 tt_str_op(tor_tls_err_to_string(TOR_TLS_CLOSE),OP_EQ,"closed");
192 tt_str_op(tor_tls_err_to_string(TOR_TLS_WANTREAD),OP_EQ,"want to read");
193 tt_str_op(tor_tls_err_to_string(TOR_TLS_WANTWRITE),OP_EQ,"want to write");
194 tt_str_op(tor_tls_err_to_string(-100),OP_EQ,"(unknown error code)");
195 done:
196 (void)1;
197 }
198
199 #ifdef ENABLE_OPENSSL
200 static int
201 mock_tls_cert_matches_key(const tor_tls_t *tls, const tor_x509_cert_t *cert)
202 {
203 (void) tls;
204 (void) cert; // XXXX look at this.
205 return 1;
206 }
207
208 static void
209 test_tortls_tor_tls_get_error(void *data)
210 {
211 (void) data;
212 MOCK(tor_tls_cert_matches_key, mock_tls_cert_matches_key);
213 crypto_pk_t *key1 = NULL, *key2 = NULL;
214 key1 = pk_generate(2);
215 key2 = pk_generate(3);
216
217 tor_tls_t *tls = NULL;
218 tt_int_op(tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER,
219 key1, key2, 86400), OP_EQ, 0);
220 tls = tor_tls_new(-1, 0);
221 setup_capture_of_logs(LOG_WARN);
222 tor_tls_get_error(tls, 0, 0,
223 (const char *)"in unit test", LOG_WARN, LD_GENERAL);
224 expect_single_log_msg_containing("unexpected close while in unit test");
225
226 done:
227 UNMOCK(tor_tls_cert_matches_key);
228 UNMOCK(logv);
229 crypto_pk_free(key1);
230 crypto_pk_free(key2);
231 tor_tls_free(tls);
232 }
233 #endif /* defined(ENABLE_OPENSSL) */
234
235 static void
236 test_tortls_x509_cert_get_id_digests(void *ignored)
237 {
238 (void)ignored;
239 tor_x509_cert_t *cert;
240 common_digests_t *d;
241 const common_digests_t *res;
242 cert = tor_malloc_zero(sizeof(tor_x509_cert_t));
243 d = tor_malloc_zero(sizeof(common_digests_t));
244 d->d[0][0] = 42;
245
246 res = tor_x509_cert_get_id_digests(cert);
247 tt_assert(!res);
248
249 cert->pkey_digests_set = 1;
250 cert->pkey_digests = *d;
251 res = tor_x509_cert_get_id_digests(cert);
252 tt_assert(res);
253 tt_int_op(res->d[0][0], OP_EQ, 42);
254
255 done:
256 tor_free(cert);
257 tor_free(d);
258 }
259
260 static void
261 test_tortls_get_my_certs(void *ignored)
262 {
263 (void)ignored;
264 int ret;
265 tor_tls_context_t *ctx;
266 const tor_x509_cert_t *link_cert_out = NULL;
267 const tor_x509_cert_t *id_cert_out = NULL;
268
269 ctx = tor_malloc_zero(sizeof(tor_tls_context_t));
270
271 client_tls_context = NULL;
272 ret = tor_tls_get_my_certs(0, NULL, NULL);
273 tt_int_op(ret, OP_EQ, -1);
274
275 server_tls_context = NULL;
276 ret = tor_tls_get_my_certs(1, NULL, NULL);
277 tt_int_op(ret, OP_EQ, -1);
278
279 client_tls_context = ctx;
280 ret = tor_tls_get_my_certs(0, NULL, NULL);
281 tt_int_op(ret, OP_EQ, 0);
282
283 client_tls_context = ctx;
284 ret = tor_tls_get_my_certs(0, &link_cert_out, &id_cert_out);
285 tt_int_op(ret, OP_EQ, 0);
286
287 server_tls_context = ctx;
288 ret = tor_tls_get_my_certs(1, &link_cert_out, &id_cert_out);
289 tt_int_op(ret, OP_EQ, 0);
290
291 done:
292 (void)1;
293 }
294
295 #ifdef ENABLE_OPENSSL
296 static void
297 test_tortls_get_forced_write_size(void *ignored)
298 {
299 (void)ignored;
300 long ret;
301 tor_tls_t *tls;
302
303 tls = tor_malloc_zero(sizeof(tor_tls_t));
304
305 tls->wantwrite_n = 43;
306 ret = tor_tls_get_forced_write_size(tls);
307 tt_int_op(ret, OP_EQ, 43);
308
309 done:
310 tor_free(tls);
311 }
312
313 static void
314 test_tortls_used_v1_handshake(void *ignored)
315 {
316 (void)ignored;
317 int ret;
318 tor_tls_t *tls;
319 tls = tor_malloc_zero(sizeof(tor_tls_t));
320
321 // These tests assume both V2 handshake server and client are enabled
322 tls->wasV2Handshake = 0;
323 ret = tor_tls_used_v1_handshake(tls);
324 tt_int_op(ret, OP_EQ, 1);
325
326 tls->wasV2Handshake = 1;
327 ret = tor_tls_used_v1_handshake(tls);
328 tt_int_op(ret, OP_EQ, 0);
329
330 done:
331 tor_free(tls);
332 }
333
334 static void
335 test_tortls_server_got_renegotiate(void *ignored)
336 {
337 (void)ignored;
338 int ret;
339 tor_tls_t *tls;
340
341 tls = tor_malloc_zero(sizeof(tor_tls_t));
342
343 tls->got_renegotiate = 1;
344 ret = tor_tls_server_got_renegotiate(tls);
345 tt_int_op(ret, OP_EQ, 1);
346
347 done:
348 tor_free(tls);
349 }
350 #endif /* defined(ENABLE_OPENSSL) */
351
352 static void
353 test_tortls_evaluate_ecgroup_for_tls(void *ignored)
354 {
355 (void)ignored;
356 int ret;
357
358 ret = evaluate_ecgroup_for_tls(NULL);
359 tt_int_op(ret, OP_EQ, 1);
360
361 ret = evaluate_ecgroup_for_tls("foobar");
362 tt_int_op(ret, OP_EQ, 0);
363
364 ret = evaluate_ecgroup_for_tls("P256");
365 tt_int_op(ret, OP_EQ, 1);
366
367 ret = evaluate_ecgroup_for_tls("P224");
368 // tt_int_op(ret, OP_EQ, 1); This varies between machines
369 tt_assert(ret == 0 || ret == 1);
370
371 done:
372 (void)0;
373 }
374
375 static void
376 test_tortls_double_init(void *arg)
377 {
378 (void) arg;
379 /* If we call tor_tls_context_init() a second time, nothing should go
380 * wrong.
381 */
382 crypto_pk_t *pk1 = NULL, *pk2 = NULL;
383 pk1 = pk_generate(2);
384 pk2 = pk_generate(0);
385
386 int r = tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER,
387 pk1, pk2, 86400);
388 tt_int_op(r, OP_EQ, 0);
389
390 r = tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER,
391 pk2, pk1, 86400);
392 tt_int_op(r, OP_EQ, 0);
393 /* For a public server context, these are the same */
394 tt_ptr_op(tor_tls_context_get(0), OP_EQ, tor_tls_context_get(1));
395
396 done:
397 crypto_pk_free(pk1);
398 crypto_pk_free(pk2);
399 }
400
401 static void
402 test_tortls_bridge_init(void *arg)
403 {
404 (void)arg;
405 crypto_pk_t *pk1 = NULL, *pk2 = NULL;
406 pk1 = pk_generate(2);
407 pk2 = pk_generate(0);
408
409 /* If we pass in a server identity key but not the
410 TOR_TLS_CTX_IS_PUBLIC_SERVER flag, we should get a bridge-style
411 configuration, with two distinct contexts. */
412 int r = tor_tls_context_init(0 /* flags */, pk1, pk2, 86400);
413
414 tt_int_op(r, OP_EQ, 0);
415 tt_ptr_op(tor_tls_context_get(0), OP_NE, tor_tls_context_get(1));
416 done:
417 crypto_pk_free(pk1);
418 crypto_pk_free(pk2);
419 }
420
421 static void
422 test_tortls_address(void *arg)
423 {
424 (void)arg;
425 tor_tls_t *tls = NULL;
426 crypto_pk_t *pk1=NULL, *pk2=NULL;
427 pk1 = pk_generate(2);
428 pk2 = pk_generate(0);
429
430 int r = tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER,
431 pk1, pk2, 86400);
432 tt_int_op(r, OP_EQ, 0);
433
434 tls = tor_tls_new(-1, 0);
435 tls->state = TOR_TLS_ST_OPEN;
436 tor_tls_set_logged_address(tls, "zombo.com");
437
438 /* This write should fail, since the fd is -1. */
439 setup_capture_of_logs(LOG_INFO);
440 int n = tor_tls_write(tls, "welcome", 7);
441 tt_int_op(n, OP_LT, 0);
442 expect_log_msg_containing("with zombo.com");
443
444 done:
445 teardown_capture_of_logs();
446 tor_tls_free(tls);
447 crypto_pk_free(pk1);
448 crypto_pk_free(pk2);
449 }
450
451 static void
452 test_tortls_is_server(void *arg)
453 {
454 (void)arg;
455 crypto_pk_t *pk1=NULL, *pk2=NULL;
456 tor_tls_t *tls1=NULL, *tls2=NULL;
457 pk1 = pk_generate(2);
458 pk2 = pk_generate(0);
459
460 int r = tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER,
461 pk1, pk2, 86400);
462 tt_int_op(r, OP_EQ, 0);
463 tls1 = tor_tls_new(-1, 0);
464 tls2 = tor_tls_new(-1, 1);
465
466 tt_assert(! tor_tls_is_server(tls1));
467 tt_assert(tor_tls_is_server(tls2));
468
469 done:
470 tor_tls_free(tls1);
471 tor_tls_free(tls2);
472 crypto_pk_free(pk1);
473 crypto_pk_free(pk2);
474 }
475
476 static void
477 test_tortls_verify(void *ignored)
478 {
479 (void)ignored;
480 int ret;
481 tor_tls_t *tls;
482 crypto_pk_t *k = NULL;
483 tor_x509_cert_impl_t *cert1 = NULL, *cert2 = NULL, *invalidCert = NULL,
484 *validCert = NULL, *caCert = NULL;
485
486 validCert = read_cert_from(validCertString);
487 caCert = read_cert_from(caCertString);
488 invalidCert = read_cert_from(notCompletelyValidCertString);
489
490 tls = tor_malloc_zero(sizeof(tor_tls_t));
491
492 MOCK(try_to_extract_certs_from_tls, fixed_try_to_extract_certs_from_tls);
493
494 fixed_try_to_extract_certs_from_tls_cert_out_result = cert1;
495 ret = tor_tls_verify(LOG_WARN, tls, &k);
496 tt_int_op(ret, OP_EQ, -1);
497
498 fixed_try_to_extract_certs_from_tls_id_cert_out_result = cert2;
499 ret = tor_tls_verify(LOG_WARN, tls, &k);
500 tt_int_op(ret, OP_EQ, -1);
501
502 fixed_try_to_extract_certs_from_tls_cert_out_result = invalidCert;
503 fixed_try_to_extract_certs_from_tls_id_cert_out_result = invalidCert;
504
505 ret = tor_tls_verify(LOG_WARN, tls, &k);
506 tt_int_op(ret, OP_EQ, -1);
507
508 fixed_try_to_extract_certs_from_tls_cert_out_result = validCert;
509 fixed_try_to_extract_certs_from_tls_id_cert_out_result = caCert;
510
511 ret = tor_tls_verify(LOG_WARN, tls, &k);
512 tt_int_op(ret, OP_EQ, 0);
513 tt_assert(k);
514
515 done:
516 UNMOCK(try_to_extract_certs_from_tls);
517 tor_x509_cert_impl_free(cert1);
518 tor_x509_cert_impl_free(cert2);
519 tor_x509_cert_impl_free(validCert);
520 tor_x509_cert_impl_free(invalidCert);
521 tor_x509_cert_impl_free(caCert);
522
523 tor_free(tls);
524 crypto_pk_free(k);
525 }
526
527 static void
528 test_tortls_cert_matches_key(void *ignored)
529 {
530 (void)ignored;
531
532 tor_x509_cert_impl_t *cert1 = NULL,
533 *cert2 = NULL,
534 *cert3 = NULL,
535 *cert4 = NULL;
536 tor_x509_cert_t *c1 = NULL, *c2 = NULL, *c3 = NULL, *c4 = NULL;
537 crypto_pk_t *k1 = NULL, *k2 = NULL, *k3 = NULL;
538
539 k1 = pk_generate(1);
540 k2 = pk_generate(2);
541 k3 = pk_generate(3);
542
543 cert1 = tor_tls_create_certificate(k1, k2, "A", "B", 1000);
544 cert2 = tor_tls_create_certificate(k1, k3, "C", "D", 1000);
545 cert3 = tor_tls_create_certificate(k2, k3, "C", "D", 1000);
546 cert4 = tor_tls_create_certificate(k3, k2, "E", "F", 1000);
547
548 tt_assert(cert1 && cert2 && cert3 && cert4);
549
550 c1 = tor_x509_cert_new(cert1); cert1 = NULL;
551 c2 = tor_x509_cert_new(cert2); cert2 = NULL;
552 c3 = tor_x509_cert_new(cert3); cert3 = NULL;
553 c4 = tor_x509_cert_new(cert4); cert4 = NULL;
554
555 tt_assert(c1 && c2 && c3 && c4);
556
557 MOCK(tor_tls_get_peer_cert, get_peer_cert_mock_return_fixed);
558
559 fixed_x509_cert = NULL;
560 /* If the peer has no certificate, it shouldn't match anything. */
561 tt_assert(! tor_tls_cert_matches_key(NULL, c1));
562 tt_assert(! tor_tls_cert_matches_key(NULL, c2));
563 tt_assert(! tor_tls_cert_matches_key(NULL, c3));
564 tt_assert(! tor_tls_cert_matches_key(NULL, c4));
565 fixed_x509_cert = c1;
566 /* If the peer has a certificate, it should match every cert with the same
567 * subject key. */
568 tt_assert(tor_tls_cert_matches_key(NULL, c1));
569 tt_assert(tor_tls_cert_matches_key(NULL, c2));
570 tt_assert(! tor_tls_cert_matches_key(NULL, c3));
571 tt_assert(! tor_tls_cert_matches_key(NULL, c4));
572
573 done:
574 tor_x509_cert_free(c1);
575 tor_x509_cert_free(c2);
576 tor_x509_cert_free(c3);
577 tor_x509_cert_free(c4);
578 if (cert1) tor_x509_cert_impl_free(cert1);
579 if (cert2) tor_x509_cert_impl_free(cert2);
580 if (cert3) tor_x509_cert_impl_free(cert3);
581 if (cert4) tor_x509_cert_impl_free(cert4);
582 crypto_pk_free(k1);
583 crypto_pk_free(k2);
584 crypto_pk_free(k3);
585 UNMOCK(tor_tls_get_peer_cert);
586 }
587
588 #define LOCAL_TEST_CASE(name, flags) \
589 { #name, test_tortls_##name, (flags|TT_FORK), NULL, NULL }
590
591 struct testcase_t tortls_tests[] = {
592 LOCAL_TEST_CASE(errno_to_tls_error, 0),
593 LOCAL_TEST_CASE(err_to_string, 0),
594 LOCAL_TEST_CASE(x509_cert_get_id_digests, 0),
595 LOCAL_TEST_CASE(get_my_certs, TT_FORK),
596 #ifdef ENABLE_OPENSSL
597 LOCAL_TEST_CASE(tor_tls_get_error, 0),
598 LOCAL_TEST_CASE(get_forced_write_size, 0),
599 LOCAL_TEST_CASE(used_v1_handshake, TT_FORK),
600 LOCAL_TEST_CASE(server_got_renegotiate, 0),
601 #endif /* defined(ENABLE_OPENSSL) */
602 LOCAL_TEST_CASE(evaluate_ecgroup_for_tls, 0),
603 LOCAL_TEST_CASE(double_init, TT_FORK),
604 LOCAL_TEST_CASE(address, TT_FORK),
605 LOCAL_TEST_CASE(is_server, 0),
606 LOCAL_TEST_CASE(bridge_init, TT_FORK),
607 LOCAL_TEST_CASE(verify, TT_FORK),
608 LOCAL_TEST_CASE(cert_matches_key, 0),
609 END_OF_TESTCASES
610 };
The Onion Router