1 /* Copyright (c) 2010-2015, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
13 #define GCC_VERSION (__GNUC__ * 100 + __GNUC_MINOR__)
16 #if __GNUC__ && GCC_VERSION >= 402
17 #if GCC_VERSION >= 406
18 #pragma GCC diagnostic push
20 /* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
21 * srtp.h. Suppress the GCC warning so we can build with -Wredundant-decl. */
22 #pragma GCC diagnostic ignored "-Wredundant-decls"
25 #include <openssl/opensslv.h>
27 #include <openssl/ssl.h>
28 #include <openssl/ssl3.h>
29 #include <openssl/err.h>
30 #include <openssl/asn1t.h>
31 #include <openssl/x509.h>
32 #include <openssl/rsa.h>
33 #include <openssl/evp.h>
34 #include <openssl/bn.h>
36 #if __GNUC__ && GCC_VERSION >= 402
37 #if GCC_VERSION >= 406
38 #pragma GCC diagnostic pop
40 #pragma GCC diagnostic warning "-Wredundant-decls"
50 #include "log_test_helpers.h"
51 #define NS_MODULE tortls
53 extern tor_tls_context_t
*server_tls_context
;
54 extern tor_tls_context_t
*client_tls_context
;
56 #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) \
57 && !defined(LIBRESSL_VERSION_NUMBER)
58 #define OPENSSL_OPAQUE
59 #define SSL_STATE_STR "before SSL initialization"
61 #define SSL_STATE_STR "before/accept initialization"
64 #ifndef OPENSSL_OPAQUE
66 give_me_a_test_method(void)
68 SSL_METHOD
*method
= tor_malloc_zero(sizeof(SSL_METHOD
));
69 memcpy(method
, TLSv1_method(), sizeof(SSL_METHOD
));
74 fake_num_ciphers(void)
81 test_tortls_errno_to_tls_error(void *data
)
84 tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(ECONNRESET
)),OP_EQ
,
85 TOR_TLS_ERROR_CONNRESET
);
86 tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(ETIMEDOUT
)),OP_EQ
,
87 TOR_TLS_ERROR_TIMEOUT
);
88 tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(EHOSTUNREACH
)),OP_EQ
,
89 TOR_TLS_ERROR_NO_ROUTE
);
90 tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(ENETUNREACH
)),OP_EQ
,
91 TOR_TLS_ERROR_NO_ROUTE
);
92 tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(ECONNREFUSED
)),OP_EQ
,
93 TOR_TLS_ERROR_CONNREFUSED
);
94 tt_int_op(tor_errno_to_tls_error(0),OP_EQ
,TOR_TLS_ERROR_MISC
);
100 test_tortls_err_to_string(void *data
)
103 tt_str_op(tor_tls_err_to_string(1),OP_EQ
,"[Not an error.]");
104 tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_MISC
),OP_EQ
,"misc error");
105 tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_IO
),OP_EQ
,"unexpected close");
106 tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_CONNREFUSED
),OP_EQ
,
107 "connection refused");
108 tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_CONNRESET
),OP_EQ
,
110 tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_NO_ROUTE
),OP_EQ
,
112 tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_TIMEOUT
),OP_EQ
,
113 "connection timed out");
114 tt_str_op(tor_tls_err_to_string(TOR_TLS_CLOSE
),OP_EQ
,"closed");
115 tt_str_op(tor_tls_err_to_string(TOR_TLS_WANTREAD
),OP_EQ
,"want to read");
116 tt_str_op(tor_tls_err_to_string(TOR_TLS_WANTWRITE
),OP_EQ
,"want to write");
117 tt_str_op(tor_tls_err_to_string(-100),OP_EQ
,"(unknown error code)");
123 mock_tls_cert_matches_key(const tor_tls_t
*tls
, const tor_x509_cert_t
*cert
)
126 (void) cert
; // XXXX look at this.
131 test_tortls_tor_tls_new(void *data
)
134 MOCK(tor_tls_cert_matches_key
, mock_tls_cert_matches_key
);
135 crypto_pk_t
*key1
= NULL
, *key2
= NULL
;
136 SSL_METHOD
*method
= NULL
;
138 key1
= pk_generate(2);
139 key2
= pk_generate(3);
141 tor_tls_t
*tls
= NULL
;
142 tt_int_op(tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER
,
143 key1
, key2
, 86400), OP_EQ
, 0);
144 tls
= tor_tls_new(-1, 0);
146 tor_tls_free(tls
); tls
= NULL
;
148 SSL_CTX_free(client_tls_context
->ctx
);
149 client_tls_context
->ctx
= NULL
;
150 tls
= tor_tls_new(-1, 0);
153 #ifndef OPENSSL_OPAQUE
154 method
= give_me_a_test_method();
155 SSL_CTX
*ctx
= SSL_CTX_new(method
);
156 method
->num_ciphers
= fake_num_ciphers
;
157 client_tls_context
->ctx
= ctx
;
158 tls
= tor_tls_new(-1, 0);
163 UNMOCK(tor_tls_cert_matches_key
);
164 crypto_pk_free(key1
);
165 crypto_pk_free(key2
);
171 #define NS_MODULE tortls
172 NS_DECL(void, logv
, (int severity
, log_domain_mask_t domain
,
173 const char *funcname
, const char *suffix
,
174 const char *format
, va_list ap
));
177 NS(logv
)(int severity
, log_domain_mask_t domain
,
178 const char *funcname
, const char *suffix
, const char *format
,
186 (void) ap
; // XXXX look at this.
191 test_tortls_tor_tls_get_error(void *data
)
194 MOCK(tor_tls_cert_matches_key
, mock_tls_cert_matches_key
);
195 crypto_pk_t
*key1
= NULL
, *key2
= NULL
;
196 key1
= pk_generate(2);
197 key2
= pk_generate(3);
199 tor_tls_t
*tls
= NULL
;
200 tt_int_op(tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER
,
201 key1
, key2
, 86400), OP_EQ
, 0);
202 tls
= tor_tls_new(-1, 0);
204 tt_int_op(CALLED(logv
), OP_EQ
, 0);
205 tor_tls_get_error(tls
, 0, 0,
206 (const char *)"test", 0, 0);
207 tt_int_op(CALLED(logv
), OP_EQ
, 1);
210 UNMOCK(tor_tls_cert_matches_key
);
212 crypto_pk_free(key1
);
213 crypto_pk_free(key2
);
218 test_tortls_get_state_description(void *ignored
)
226 SSL_load_error_strings();
228 ctx
= SSL_CTX_new(SSLv23_method());
230 buf
= tor_malloc_zero(1000);
231 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
233 tor_tls_get_state_description(NULL
, buf
, 20);
234 tt_str_op(buf
, OP_EQ
, "(No SSL object)");
238 tor_tls_get_state_description(tls
, buf
, 20);
239 tt_str_op(buf
, OP_EQ
, "(No SSL object)");
241 tls
->ssl
= SSL_new(ctx
);
242 tor_tls_get_state_description(tls
, buf
, 200);
243 tt_str_op(buf
, OP_EQ
, SSL_STATE_STR
" in HANDSHAKE");
245 tls
->state
= TOR_TLS_ST_OPEN
;
246 tor_tls_get_state_description(tls
, buf
, 200);
247 tt_str_op(buf
, OP_EQ
, SSL_STATE_STR
" in OPEN");
249 tls
->state
= TOR_TLS_ST_GOTCLOSE
;
250 tor_tls_get_state_description(tls
, buf
, 200);
251 tt_str_op(buf
, OP_EQ
, SSL_STATE_STR
" in GOTCLOSE");
253 tls
->state
= TOR_TLS_ST_SENTCLOSE
;
254 tor_tls_get_state_description(tls
, buf
, 200);
255 tt_str_op(buf
, OP_EQ
, SSL_STATE_STR
" in SENTCLOSE");
257 tls
->state
= TOR_TLS_ST_CLOSED
;
258 tor_tls_get_state_description(tls
, buf
, 200);
259 tt_str_op(buf
, OP_EQ
, SSL_STATE_STR
" in CLOSED");
261 tls
->state
= TOR_TLS_ST_RENEGOTIATE
;
262 tor_tls_get_state_description(tls
, buf
, 200);
263 tt_str_op(buf
, OP_EQ
, SSL_STATE_STR
" in RENEGOTIATE");
265 tls
->state
= TOR_TLS_ST_BUFFEREVENT
;
266 tor_tls_get_state_description(tls
, buf
, 200);
267 tt_str_op(buf
, OP_EQ
, SSL_STATE_STR
);
270 tor_tls_get_state_description(tls
, buf
, 200);
271 tt_str_op(buf
, OP_EQ
, SSL_STATE_STR
" in unknown TLS state");
280 extern int tor_tls_object_ex_data_index
;
283 test_tortls_get_by_ssl(void *ignored
)
292 SSL_load_error_strings();
293 tor_tls_allocate_tor_tls_object_ex_data_index();
295 ctx
= SSL_CTX_new(SSLv23_method());
296 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
297 tls
->magic
= TOR_TLS_MAGIC
;
301 res
= tor_tls_get_by_ssl(ssl
);
304 SSL_set_ex_data(ssl
, tor_tls_object_ex_data_index
, tls
);
306 res
= tor_tls_get_by_ssl(ssl
);
307 tt_assert(res
== tls
);
316 test_tortls_allocate_tor_tls_object_ex_data_index(void *ignored
)
321 tor_tls_allocate_tor_tls_object_ex_data_index();
323 first
= tor_tls_object_ex_data_index
;
324 tor_tls_allocate_tor_tls_object_ex_data_index();
325 tt_int_op(first
, OP_EQ
, tor_tls_object_ex_data_index
);
332 test_tortls_log_one_error(void *ignored
)
340 SSL_load_error_strings();
342 ctx
= SSL_CTX_new(SSLv23_method());
343 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
344 int previous_log
= setup_capture_of_logs(LOG_INFO
);
346 tor_tls_log_one_error(NULL
, 0, LOG_WARN
, 0, "something");
347 expect_log_msg("TLS error while something: "
348 "(null) (in (null):(null):---)\n");
350 mock_clean_saved_logs();
351 tor_tls_log_one_error(tls
, 0, LOG_WARN
, 0, NULL
);
352 expect_log_msg("TLS error: (null) "
353 "(in (null):(null):---)\n");
355 mock_clean_saved_logs();
356 tls
->address
= tor_strdup("127.hello");
357 tor_tls_log_one_error(tls
, 0, LOG_WARN
, 0, NULL
);
358 expect_log_msg("TLS error with 127.hello: "
359 "(null) (in (null):(null):---)\n");
360 tor_free(tls
->address
);
362 mock_clean_saved_logs();
363 tls
->address
= tor_strdup("127.hello");
364 tor_tls_log_one_error(tls
, 0, LOG_WARN
, 0, "blarg");
365 expect_log_msg("TLS error while blarg with "
366 "127.hello: (null) (in (null):(null):---)\n");
368 mock_clean_saved_logs();
369 tor_tls_log_one_error(tls
, ERR_PACK(1, 2, 3), LOG_WARN
, 0, NULL
);
370 expect_log_msg("TLS error with 127.hello: "
371 "BN lib (in unknown library:(null):---)\n");
373 mock_clean_saved_logs();
374 tor_tls_log_one_error(tls
, ERR_PACK(1, 2, SSL_R_HTTP_REQUEST
),
376 expect_log_severity(LOG_INFO
);
378 mock_clean_saved_logs();
379 tor_tls_log_one_error(tls
, ERR_PACK(1, 2, SSL_R_HTTPS_PROXY_REQUEST
),
381 expect_log_severity(LOG_INFO
);
383 mock_clean_saved_logs();
384 tor_tls_log_one_error(tls
, ERR_PACK(1, 2, SSL_R_RECORD_LENGTH_MISMATCH
),
386 expect_log_severity(LOG_INFO
);
388 mock_clean_saved_logs();
389 tor_tls_log_one_error(tls
, ERR_PACK(1, 2, SSL_R_RECORD_TOO_LARGE
),
391 expect_log_severity(LOG_INFO
);
393 mock_clean_saved_logs();
394 tor_tls_log_one_error(tls
, ERR_PACK(1, 2, SSL_R_UNKNOWN_PROTOCOL
),
396 expect_log_severity(LOG_INFO
);
398 mock_clean_saved_logs();
399 tor_tls_log_one_error(tls
, ERR_PACK(1, 2, SSL_R_UNSUPPORTED_PROTOCOL
),
401 expect_log_severity(LOG_INFO
);
403 tls
->ssl
= SSL_new(ctx
);
405 mock_clean_saved_logs();
406 tor_tls_log_one_error(tls
, 0, LOG_WARN
, 0, NULL
);
407 expect_log_msg("TLS error with 127.hello: (null)"
408 " (in (null):(null):" SSL_STATE_STR
")\n");
411 teardown_capture_of_logs(previous_log
);
417 tor_free(tls
->address
);
421 #ifndef OPENSSL_OPAQUE
423 test_tortls_get_error(void *ignored
)
431 SSL_load_error_strings();
433 ctx
= SSL_CTX_new(SSLv23_method());
434 int previous_log
= setup_capture_of_logs(LOG_INFO
);
435 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
436 tls
->ssl
= SSL_new(ctx
);
437 SSL_set_bio(tls
->ssl
, BIO_new(BIO_s_mem()), NULL
);
439 ret
= tor_tls_get_error(tls
, 0, 0, "something", LOG_WARN
, 0);
440 tt_int_op(ret
, OP_EQ
, TOR_TLS_ERROR_IO
);
441 expect_log_msg("TLS error: unexpected close while"
442 " something (before/accept initialization)\n");
444 mock_clean_saved_logs();
445 ret
= tor_tls_get_error(tls
, 2, 0, "something", LOG_WARN
, 0);
446 tt_int_op(ret
, OP_EQ
, 0);
447 expect_no_log_entry();
449 mock_clean_saved_logs();
450 ret
= tor_tls_get_error(tls
, 0, 1, "something", LOG_WARN
, 0);
451 tt_int_op(ret
, OP_EQ
, -11);
452 expect_no_log_entry();
454 mock_clean_saved_logs();
456 ERR_put_error(ERR_LIB_BN
, 2, -1, "somewhere.c", 99);
457 ret
= tor_tls_get_error(tls
, 0, 0, "something", LOG_WARN
, 0);
458 tt_int_op(ret
, OP_EQ
, TOR_TLS_ERROR_MISC
);
459 expect_log_msg("TLS error while something: (null)"
460 " (in bignum routines:(null):before/accept initialization)\n");
462 mock_clean_saved_logs();
464 tls
->ssl
->rwstate
= SSL_READING
;
465 SSL_get_rbio(tls
->ssl
)->flags
= BIO_FLAGS_READ
;
466 ret
= tor_tls_get_error(tls
, -1, 0, "something", LOG_WARN
, 0);
467 tt_int_op(ret
, OP_EQ
, TOR_TLS_WANTREAD
);
468 expect_no_log_entry();
470 mock_clean_saved_logs();
472 tls
->ssl
->rwstate
= SSL_READING
;
473 SSL_get_rbio(tls
->ssl
)->flags
= BIO_FLAGS_WRITE
;
474 ret
= tor_tls_get_error(tls
, -1, 0, "something", LOG_WARN
, 0);
475 tt_int_op(ret
, OP_EQ
, TOR_TLS_WANTWRITE
);
476 expect_no_log_entry();
478 mock_clean_saved_logs();
480 tls
->ssl
->rwstate
= 0;
481 tls
->ssl
->shutdown
= SSL_RECEIVED_SHUTDOWN
;
482 tls
->ssl
->s3
->warn_alert
=SSL_AD_CLOSE_NOTIFY
;
483 ret
= tor_tls_get_error(tls
, 0, 0, "something", LOG_WARN
, 0);
484 tt_int_op(ret
, OP_EQ
, TOR_TLS_CLOSE
);
487 mock_clean_saved_logs();
488 ret
= tor_tls_get_error(tls
, 0, 2, "something", LOG_WARN
, 0);
489 tt_int_op(ret
, OP_EQ
, -10);
490 expect_no_log_entry();
492 mock_clean_saved_logs();
493 ERR_put_error(ERR_LIB_SYS
, 2, -1, "somewhere.c", 99);
494 ret
= tor_tls_get_error(tls
, -1, 0, "something", LOG_WARN
, 0);
495 tt_int_op(ret
, OP_EQ
, -9);
496 expect_log_msg("TLS error while something: (null) (in system library:"
497 "connect:before/accept initialization)\n");
500 teardown_capture_of_logs(previous_log
);
508 test_tortls_always_accept_verify_cb(void *ignored
)
513 ret
= always_accept_verify_cb(0, NULL
);
514 tt_int_op(ret
, OP_EQ
, 1);
520 #ifndef OPENSSL_OPAQUE
522 test_tortls_x509_cert_free(void *ignored
)
525 tor_x509_cert_t
*cert
;
527 cert
= tor_malloc_zero(sizeof(tor_x509_cert_t
));
528 tor_x509_cert_free(cert
);
530 cert
= tor_malloc_zero(sizeof(tor_x509_cert_t
));
531 cert
->cert
= tor_malloc_zero(sizeof(X509
));
532 cert
->encoded
= tor_malloc_zero(1);
533 tor_x509_cert_free(cert
);
538 test_tortls_x509_cert_get_id_digests(void *ignored
)
541 tor_x509_cert_t
*cert
;
543 const digests_t
*res
;
544 cert
= tor_malloc_zero(sizeof(tor_x509_cert_t
));
545 d
= tor_malloc_zero(sizeof(digests_t
));
548 res
= tor_x509_cert_get_id_digests(cert
);
551 cert
->pkey_digests_set
= 1;
552 cert
->pkey_digests
= *d
;
553 res
= tor_x509_cert_get_id_digests(cert
);
554 tt_int_op(res
->d
[0][0], OP_EQ
, 42);
561 #ifndef OPENSSL_OPAQUE
563 fixed_pub_cmp(const EVP_PKEY
*a
, const EVP_PKEY
*b
)
570 fake_x509_free(X509
*cert
)
573 if (cert
->cert_info
) {
574 if (cert
->cert_info
->key
) {
575 if (cert
->cert_info
->key
->pkey
) {
576 tor_free(cert
->cert_info
->key
->pkey
);
578 tor_free(cert
->cert_info
->key
);
580 tor_free(cert
->cert_info
);
587 test_tortls_cert_matches_key(void *ignored
)
592 tor_x509_cert_t
*cert
;
593 X509
*one
= NULL
, *two
= NULL
;
594 EVP_PKEY_ASN1_METHOD
*meth
= EVP_PKEY_asn1_new(999, 0, NULL
, NULL
);
595 EVP_PKEY_asn1_set_public(meth
, NULL
, NULL
, fixed_pub_cmp
, NULL
, NULL
, NULL
);
597 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
598 cert
= tor_malloc_zero(sizeof(tor_x509_cert_t
));
599 one
= tor_malloc_zero(sizeof(X509
));
601 two
= tor_malloc_zero(sizeof(X509
));
604 res
= tor_tls_cert_matches_key(tls
, cert
);
605 tt_int_op(res
, OP_EQ
, 0);
607 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
608 tls
->ssl
->session
= tor_malloc_zero(sizeof(SSL_SESSION
));
609 tls
->ssl
->session
->peer
= one
;
610 res
= tor_tls_cert_matches_key(tls
, cert
);
611 tt_int_op(res
, OP_EQ
, 0);
614 res
= tor_tls_cert_matches_key(tls
, cert
);
615 tt_int_op(res
, OP_EQ
, 0);
617 one
->cert_info
= tor_malloc_zero(sizeof(X509_CINF
));
618 one
->cert_info
->key
= tor_malloc_zero(sizeof(X509_PUBKEY
));
619 one
->cert_info
->key
->pkey
= tor_malloc_zero(sizeof(EVP_PKEY
));
620 one
->cert_info
->key
->pkey
->references
= 1;
621 one
->cert_info
->key
->pkey
->ameth
= meth
;
622 one
->cert_info
->key
->pkey
->type
= 1;
624 two
->cert_info
= tor_malloc_zero(sizeof(X509_CINF
));
625 two
->cert_info
->key
= tor_malloc_zero(sizeof(X509_PUBKEY
));
626 two
->cert_info
->key
->pkey
= tor_malloc_zero(sizeof(EVP_PKEY
));
627 two
->cert_info
->key
->pkey
->references
= 1;
628 two
->cert_info
->key
->pkey
->ameth
= meth
;
629 two
->cert_info
->key
->pkey
->type
= 2;
631 res
= tor_tls_cert_matches_key(tls
, cert
);
632 tt_int_op(res
, OP_EQ
, 0);
634 one
->cert_info
->key
->pkey
->type
= 1;
635 two
->cert_info
->key
->pkey
->type
= 1;
636 res
= tor_tls_cert_matches_key(tls
, cert
);
637 tt_int_op(res
, OP_EQ
, 1);
640 EVP_PKEY_asn1_free(meth
);
641 tor_free(tls
->ssl
->session
);
650 test_tortls_cert_get_key(void *ignored
)
653 tor_x509_cert_t
*cert
= NULL
;
654 crypto_pk_t
*res
= NULL
;
655 cert
= tor_malloc_zero(sizeof(tor_x509_cert_t
));
657 key
= tor_malloc_zero(sizeof(X509
));
660 res
= tor_tls_cert_get_key(cert
);
664 key
->cert_info
= tor_malloc_zero(sizeof(X509_CINF
));
665 key
->cert_info
->key
= tor_malloc_zero(sizeof(X509_PUBKEY
));
666 key
->cert_info
->key
->pkey
= tor_malloc_zero(sizeof(EVP_PKEY
));
667 key
->cert_info
->key
->pkey
->references
= 1;
668 key
->cert_info
->key
->pkey
->type
= 2;
669 res
= tor_tls_cert_get_key(cert
);
680 test_tortls_get_my_client_auth_key(void *ignored
)
684 crypto_pk_t
*expected
;
685 tor_tls_context_t
*ctx
;
686 RSA
*k
= tor_malloc_zero(sizeof(RSA
));
688 ctx
= tor_malloc_zero(sizeof(tor_tls_context_t
));
689 expected
= crypto_new_pk_from_rsa_(k
);
690 ctx
->auth_key
= expected
;
692 client_tls_context
= NULL
;
693 ret
= tor_tls_get_my_client_auth_key();
696 client_tls_context
= ctx
;
697 ret
= tor_tls_get_my_client_auth_key();
698 tt_assert(ret
== expected
);
707 test_tortls_get_my_certs(void *ignored
)
711 tor_tls_context_t
*ctx
;
712 const tor_x509_cert_t
*link_cert_out
= NULL
;
713 const tor_x509_cert_t
*id_cert_out
= NULL
;
715 ctx
= tor_malloc_zero(sizeof(tor_tls_context_t
));
717 client_tls_context
= NULL
;
718 ret
= tor_tls_get_my_certs(0, NULL
, NULL
);
719 tt_int_op(ret
, OP_EQ
, -1);
721 server_tls_context
= NULL
;
722 ret
= tor_tls_get_my_certs(1, NULL
, NULL
);
723 tt_int_op(ret
, OP_EQ
, -1);
725 client_tls_context
= ctx
;
726 ret
= tor_tls_get_my_certs(0, NULL
, NULL
);
727 tt_int_op(ret
, OP_EQ
, 0);
729 client_tls_context
= ctx
;
730 ret
= tor_tls_get_my_certs(0, &link_cert_out
, &id_cert_out
);
731 tt_int_op(ret
, OP_EQ
, 0);
733 server_tls_context
= ctx
;
734 ret
= tor_tls_get_my_certs(1, &link_cert_out
, &id_cert_out
);
735 tt_int_op(ret
, OP_EQ
, 0);
741 #ifndef OPENSSL_OPAQUE
743 test_tortls_get_ciphersuite_name(void *ignored
)
748 ctx
= tor_malloc_zero(sizeof(tor_tls_t
));
749 ctx
->ssl
= tor_malloc_zero(sizeof(SSL
));
751 ret
= tor_tls_get_ciphersuite_name(ctx
);
752 tt_str_op(ret
, OP_EQ
, "(NONE)");
760 get_cipher_by_name(const char *name
)
763 const SSL_METHOD
*method
= SSLv23_method();
764 int num
= method
->num_ciphers();
765 for (i
= 0; i
< num
; ++i
) {
766 const SSL_CIPHER
*cipher
= method
->get_cipher(i
);
767 const char *ciphername
= SSL_CIPHER_get_name(cipher
);
768 if (!strcmp(ciphername
, name
)) {
769 return (SSL_CIPHER
*)cipher
;
777 get_cipher_by_id(uint16_t id
)
780 const SSL_METHOD
*method
= SSLv23_method();
781 int num
= method
->num_ciphers();
782 for (i
= 0; i
< num
; ++i
) {
783 const SSL_CIPHER
*cipher
= method
->get_cipher(i
);
784 if (id
== (SSL_CIPHER_get_id(cipher
) & 0xffff)) {
785 return (SSL_CIPHER
*)cipher
;
792 extern uint16_t v2_cipher_list
[];
795 test_tortls_classify_client_ciphers(void *ignored
)
803 STACK_OF(SSL_CIPHER
) *ciphers
;
804 SSL_CIPHER
*tmp_cipher
;
807 SSL_load_error_strings();
808 tor_tls_allocate_tor_tls_object_ex_data_index();
810 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
811 tls
->magic
= TOR_TLS_MAGIC
;
813 ctx
= SSL_CTX_new(TLSv1_method());
817 ciphers
= sk_SSL_CIPHER_new_null();
819 ret
= tor_tls_classify_client_ciphers(ssl
, NULL
);
820 tt_int_op(ret
, OP_EQ
, -1);
822 SSL_set_ex_data(ssl
, tor_tls_object_ex_data_index
, tls
);
823 tls
->client_cipher_list_type
= 42;
825 ret
= tor_tls_classify_client_ciphers(ssl
, NULL
);
826 tt_int_op(ret
, OP_EQ
, 42);
828 tls
->client_cipher_list_type
= 0;
829 ret
= tor_tls_classify_client_ciphers(ssl
, ciphers
);
830 tt_int_op(ret
, OP_EQ
, 1);
831 tt_int_op(tls
->client_cipher_list_type
, OP_EQ
, 1);
833 tls
->client_cipher_list_type
= 0;
834 ret
= tor_tls_classify_client_ciphers(ssl
, SSL_get_ciphers(ssl
));
835 tt_int_op(ret
, OP_EQ
, 3);
836 tt_int_op(tls
->client_cipher_list_type
, OP_EQ
, 3);
838 SSL_CIPHER
*one
= get_cipher_by_name(TLS1_TXT_DHE_RSA_WITH_AES_128_SHA
),
839 *two
= get_cipher_by_name(TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
),
840 *three
= get_cipher_by_name(SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA
),
842 sk_SSL_CIPHER_push(ciphers
, one
);
843 sk_SSL_CIPHER_push(ciphers
, two
);
844 sk_SSL_CIPHER_push(ciphers
, three
);
845 sk_SSL_CIPHER_push(ciphers
, four
);
847 tls
->client_cipher_list_type
= 0;
848 ret
= tor_tls_classify_client_ciphers(ssl
, ciphers
);
849 tt_int_op(ret
, OP_EQ
, 1);
850 tt_int_op(tls
->client_cipher_list_type
, OP_EQ
, 1);
852 sk_SSL_CIPHER_zero(ciphers
);
854 one
= get_cipher_by_name("ECDH-RSA-AES256-GCM-SHA384");
856 two
= get_cipher_by_name("ECDH-RSA-AES128-GCM-SHA256");
858 sk_SSL_CIPHER_push(ciphers
, one
);
859 tls
->client_cipher_list_type
= 0;
860 ret
= tor_tls_classify_client_ciphers(ssl
, ciphers
);
861 tt_int_op(ret
, OP_EQ
, 3);
862 tt_int_op(tls
->client_cipher_list_type
, OP_EQ
, 3);
864 sk_SSL_CIPHER_push(ciphers
, two
);
865 tls
->client_cipher_list_type
= 0;
866 ret
= tor_tls_classify_client_ciphers(ssl
, ciphers
);
867 tt_int_op(ret
, OP_EQ
, 3);
868 tt_int_op(tls
->client_cipher_list_type
, OP_EQ
, 3);
871 tls
->client_cipher_list_type
= 0;
872 ret
= tor_tls_classify_client_ciphers(ssl
, ciphers
);
873 tt_int_op(ret
, OP_EQ
, 3);
874 tt_int_op(tls
->client_cipher_list_type
, OP_EQ
, 3);
876 sk_SSL_CIPHER_zero(ciphers
);
877 for (i
=0; v2_cipher_list
[i
]; i
++) {
878 tmp_cipher
= get_cipher_by_id(v2_cipher_list
[i
]);
879 tt_assert(tmp_cipher
);
880 sk_SSL_CIPHER_push(ciphers
, tmp_cipher
);
882 tls
->client_cipher_list_type
= 0;
883 ret
= tor_tls_classify_client_ciphers(ssl
, ciphers
);
884 tt_int_op(ret
, OP_EQ
, 2);
885 tt_int_op(tls
->client_cipher_list_type
, OP_EQ
, 2);
888 sk_SSL_CIPHER_free(ciphers
);
896 test_tortls_client_is_using_v2_ciphers(void *ignored
)
900 #ifdef HAVE_SSL_GET_CLIENT_CIPHERS
909 STACK_OF(SSL_CIPHER
) *ciphers
;
912 SSL_load_error_strings();
914 ctx
= SSL_CTX_new(TLSv1_method());
916 sess
= SSL_SESSION_new();
918 ret
= tor_tls_client_is_using_v2_ciphers(ssl
);
919 tt_int_op(ret
, OP_EQ
, -1);
922 ret
= tor_tls_client_is_using_v2_ciphers(ssl
);
923 tt_int_op(ret
, OP_EQ
, 0);
925 ciphers
= sk_SSL_CIPHER_new_null();
926 SSL_CIPHER
*one
= get_cipher_by_name("ECDH-RSA-AES256-GCM-SHA384");
928 sk_SSL_CIPHER_push(ciphers
, one
);
929 sess
->ciphers
= ciphers
;
930 ret
= tor_tls_client_is_using_v2_ciphers(ssl
);
931 tt_int_op(ret
, OP_EQ
, 1);
938 #ifndef OPENSSL_OPAQUE
939 static X509
*fixed_try_to_extract_certs_from_tls_cert_out_result
= NULL
;
940 static X509
*fixed_try_to_extract_certs_from_tls_id_cert_out_result
= NULL
;
943 fixed_try_to_extract_certs_from_tls(int severity
, tor_tls_t
*tls
,
944 X509
**cert_out
, X509
**id_cert_out
)
948 *cert_out
= fixed_try_to_extract_certs_from_tls_cert_out_result
;
949 *id_cert_out
= fixed_try_to_extract_certs_from_tls_id_cert_out_result
;
953 #ifndef OPENSSL_OPAQUE
954 static const char* notCompletelyValidCertString
=
955 "-----BEGIN CERTIFICATE-----\n"
956 "MIICVjCCAb8CAg37MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\n"
957 "A1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\n"
958 "MRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\n"
959 "YiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\n"
960 "ODIyMDUyNzIzWhcNMTcwODIxMDUyNzIzWjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\n"
961 "CAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\n"
962 "ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMYBBrx5PlP0WNI/ZdzD\n"
963 "+6Pktmurn+F2kQYbtc7XQh8/LTBvCo+P6iZoLEmUA9e7EXLRxgU1CVqeAi7QcAn9\n"
964 "MwBlc8ksFJHB0rtf9pmf8Oza9E0Bynlq/4/Kb1x+d+AyhL7oK9tQwB24uHOueHi1\n"
965 "C/iVv8CSWKiYe6hzN1txYe8rAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAASPdjigJ\n"
966 "kXCqKWpnZ/Oc75EUcMi6HztaW8abUMlYXPIgkV2F7YanHOB7K4f7OOLjiz8DTPFf\n"
967 "jC9UeuErhaA/zzWi8ewMTFZW/WshOrm3fNvcMrMLKtH534JKvcdMg6qIdjTFINIr\n"
968 "evnAhf0cwULaebn+lMs8Pdl7y37+sfluVok=\n"
969 "-----END CERTIFICATE-----\n";
972 static const char* validCertString
= "-----BEGIN CERTIFICATE-----\n"
973 "MIIDpTCCAY0CAg3+MA0GCSqGSIb3DQEBBQUAMF4xCzAJBgNVBAYTAlVTMREwDwYD\n"
974 "VQQIDAhJbGxpbm9pczEQMA4GA1UEBwwHQ2hpY2FnbzEUMBIGA1UECgwLVG9yIFRl\n"
975 "c3RpbmcxFDASBgNVBAMMC1RvciBUZXN0aW5nMB4XDTE1MDkwNjEzMzk1OVoXDTQz\n"
976 "MDEyMjEzMzk1OVowVjELMAkGA1UEBhMCVVMxEDAOBgNVBAcMB0NoaWNhZ28xFDAS\n"
977 "BgNVBAoMC1RvciBUZXN0aW5nMR8wHQYDVQQDDBZ0ZXN0aW5nLnRvcnByb2plY3Qu\n"
978 "b3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoT6uyVVhWyOF3wkHjjYbd\n"
979 "nKaykyRv4JVtKQdZ4OpEErmX1zw4MmyzpQNV6iR4bQnWiyLfzyVJMZDIC/WILBfX\n"
980 "w2Pza/yuLgUvDc3twMuhOACzOQVO8PrEF/aVv2+hbCCy2udXvKhnYn+CCXl3ozc8\n"
981 "XcKYvujTXDyvGWY3xwAjlQIDAQABMA0GCSqGSIb3DQEBBQUAA4ICAQCUvnhzQWuQ\n"
982 "MrN+pERkE+zcTI/9dGS90rUMMLgu8VDNqTa0TUQh8uO0EQ6uDvI8Js6e8tgwS0BR\n"
983 "UBahqb7ZHv+rejGCBr5OudqD+x4STiiuPNJVs86JTLN8SpM9CHjIBH5WCCN2KOy3\n"
984 "mevNoRcRRyYJzSFULCunIK6FGulszigMYGscrO4oiTkZiHPh9KvWT40IMiHfL+Lw\n"
985 "EtEWiLex6064LcA2YQ1AMuSZyCexks63lcfaFmQbkYOKqXa1oLkIRuDsOaSVjTfe\n"
986 "vec+X6jvf12cFTKS5WIeqkKF2Irt+dJoiHEGTe5RscUMN/f+gqHPzfFz5dR23sxo\n"
987 "g+HC6MZHlFkLAOx3wW6epPS8A/m1mw3zMPoTnb2U2YYt8T0dJMMlUn/7Y1sEAa+a\n"
988 "dSTMaeUf6VnJ//11m454EZl1to9Z7oJOgqmFffSrdD4BGIWe8f7hhW6L1Enmqe/J\n"
989 "BKL3wbzZh80O1W0bndAwhnEEhlzneFY84cbBo9pmVxpODHkUcStpr5Z7pBDrcL21\n"
990 "Ss/aB/1YrsVXhdvJdOGxl3Mnl9dUY57CympLGlT8f0pPS6GAKOelECOhFMHmJd8L\n"
991 "dj3XQSmKtYHevZ6IvuMXSlB/fJvSjSlkCuLo5+kJoaqPuRu+i/S1qxeRy3CBwmnE\n"
992 "LdSNdcX4N79GQJ996PA8+mUCQG7YRtK+WA==\n"
993 "-----END CERTIFICATE-----\n";
995 static const char* caCertString
= "-----BEGIN CERTIFICATE-----\n"
996 "MIIFjzCCA3egAwIBAgIJAKd5WgyfPMYRMA0GCSqGSIb3DQEBCwUAMF4xCzAJBgNV\n"
997 "BAYTAlVTMREwDwYDVQQIDAhJbGxpbm9pczEQMA4GA1UEBwwHQ2hpY2FnbzEUMBIG\n"
998 "A1UECgwLVG9yIFRlc3RpbmcxFDASBgNVBAMMC1RvciBUZXN0aW5nMB4XDTE1MDkw\n"
999 "NjEzMzc0MVoXDTQzMDEyMjEzMzc0MVowXjELMAkGA1UEBhMCVVMxETAPBgNVBAgM\n"
1000 "CElsbGlub2lzMRAwDgYDVQQHDAdDaGljYWdvMRQwEgYDVQQKDAtUb3IgVGVzdGlu\n"
1001 "ZzEUMBIGA1UEAwwLVG9yIFRlc3RpbmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw\n"
1002 "ggIKAoICAQCpLMUEiLW5leUgBZoEJms2V7lZRhIAjnJBhVMHD0e3UubNknmaQoxf\n"
1003 "ARz3rvqOaRd0JlV+qM9qE0DjiYcCVP1cAfqAo9d83uS1vwY3YMVJzADlaIiHfyVW\n"
1004 "uEgBy0vvkeUBqaua24dYlcwsemOiXYLu41yM1wkcGHW1AhBNHppY6cznb8TyLgNM\n"
1005 "2x3SGUdzc5XMyAFx51faKGBA3wjs+Hg1PLY7d30nmCgEOBavpm5I1disM/0k+Mcy\n"
1006 "YmAKEo/iHJX/rQzO4b9znP69juLlR8PDBUJEVIG/CYb6+uw8MjjUyiWXYoqfVmN2\n"
1007 "hm/lH8b6rXw1a2Aa3VTeD0DxaWeacMYHY/i01fd5n7hCoDTRNdSw5KJ0L3Z0SKTu\n"
1008 "0lzffKzDaIfyZGlpW5qdouACkWYzsaitQOePVE01PIdO30vUfzNTFDfy42ccx3Di\n"
1009 "59UCu+IXB+eMtrBfsok0Qc63vtF1linJgjHW1z/8ujk8F7/qkOfODhk4l7wngc2A\n"
1010 "EmwWFIFoGaiTEZHB9qteXr4unbXZ0AHpM02uGGwZEGohjFyebEb73M+J57WKKAFb\n"
1011 "PqbLcGUksL1SHNBNAJcVLttX55sO4nbidOS/kA3m+F1R04MBTyQF9qA6YDDHqdI3\n"
1012 "h/3pw0Z4fxVouTYT4/NfRnX4JTP4u+7Mpcoof28VME0qWqD1LnRhFQIDAQABo1Aw\n"
1013 "TjAdBgNVHQ4EFgQUMoAgIXH7pZ3QMRwTjT+DM9Yo/v0wHwYDVR0jBBgwFoAUMoAg\n"
1014 "IXH7pZ3QMRwTjT+DM9Yo/v0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC\n"
1015 "AgEAUJxacjXR9sT+Xs6ISFiUsyd0T6WVKMnV46xrYJHirGfx+krWHrjxMY+ZtxYD\n"
1016 "DBDGlo11Qc4v6QrclNf5QUBfIiGQsP9Cm6hHcQ+Tpg9HHCgSqG1YNPwCPReCR4br\n"
1017 "BLvLfrfkcBL2IWM0PdQdCze+59DBfipsULD2mEn9fjYRXQEwb2QWtQ9qRc20Yb/x\n"
1018 "Q4b/+CvUodLkaq7B8MHz0BV8HHcBoph6DYaRmO/N+hPauIuSp6XyaGYcEefGKVKj\n"
1019 "G2+fcsdyXsoijNdL8vNKwm4j2gVwCBnw16J00yfFoV46YcbfqEdJB2je0XSvwXqt\n"
1020 "14AOTngxso2h9k9HLtrfpO1ZG/B5AcCMs1lzbZ2fp5DPHtjvvmvA2RJqgo3yjw4W\n"
1021 "4DHAuTglYFlC3mDHNfNtcGP20JvepcQNzNP2UzwcpOc94hfKikOFw+gf9Vf1qd0y\n"
1022 "h/Sk6OZHn2+JVUPiWHIQV98Vtoh4RmUZDJD+b55ia3fQGTGzt4z1XFzQYSva5sfs\n"
1023 "wocS/papthqWldQU7x+3wofNd5CNU1x6WKXG/yw30IT/4F8ADJD6GeygNT8QJYvt\n"
1024 "u/8lAkbOy6B9xGmSvr0Kk1oq9P2NshA6kalxp1Oz/DTNDdL4AeBXV3JmM6WWCjGn\n"
1025 "Yy1RT69d0rwYc5u/vnqODz1IjvT90smsrkBumGt791FAFeg=\n"
1026 "-----END CERTIFICATE-----\n";
1029 read_cert_from(const char *str
)
1031 BIO
*bio
= BIO_new(BIO_s_mem());
1032 BIO_write(bio
, str
, (int) strlen(str
));
1033 X509
*res
= PEM_read_bio_X509(bio
, NULL
, NULL
, NULL
);
1038 #ifndef OPENSSL_OPAQUE
1040 test_tortls_verify(void *ignored
)
1045 crypto_pk_t
*k
= NULL
;
1046 X509
*cert1
= NULL
, *cert2
= NULL
, *invalidCert
= NULL
,
1047 *validCert
= NULL
, *caCert
= NULL
;
1049 cert1
= tor_malloc_zero(sizeof(X509
));
1050 cert1
->references
= 10;
1052 cert2
= tor_malloc_zero(sizeof(X509
));
1053 cert2
->references
= 10;
1055 validCert
= read_cert_from(validCertString
);
1056 caCert
= read_cert_from(caCertString
);
1057 invalidCert
= read_cert_from(notCompletelyValidCertString
);
1059 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1060 ret
= tor_tls_verify(LOG_WARN
, tls
, &k
);
1061 tt_int_op(ret
, OP_EQ
, -1);
1063 MOCK(try_to_extract_certs_from_tls
, fixed_try_to_extract_certs_from_tls
);
1065 fixed_try_to_extract_certs_from_tls_cert_out_result
= cert1
;
1066 ret
= tor_tls_verify(LOG_WARN
, tls
, &k
);
1067 tt_int_op(ret
, OP_EQ
, -1);
1069 fixed_try_to_extract_certs_from_tls_id_cert_out_result
= cert2
;
1070 ret
= tor_tls_verify(LOG_WARN
, tls
, &k
);
1071 tt_int_op(ret
, OP_EQ
, -1);
1073 fixed_try_to_extract_certs_from_tls_cert_out_result
= invalidCert
;
1074 fixed_try_to_extract_certs_from_tls_id_cert_out_result
= invalidCert
;
1076 ret
= tor_tls_verify(LOG_WARN
, tls
, &k
);
1077 tt_int_op(ret
, OP_EQ
, -1);
1079 fixed_try_to_extract_certs_from_tls_cert_out_result
= validCert
;
1080 fixed_try_to_extract_certs_from_tls_id_cert_out_result
= caCert
;
1082 ret
= tor_tls_verify(LOG_WARN
, tls
, &k
);
1083 tt_int_op(ret
, OP_EQ
, 0);
1087 UNMOCK(try_to_extract_certs_from_tls
);
1095 #ifndef OPENSSL_OPAQUE
1097 test_tortls_check_lifetime(void *ignored
)
1102 X509
*validCert
= read_cert_from(validCertString
);
1103 time_t now
= time(NULL
);
1105 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1106 ret
= tor_tls_check_lifetime(LOG_WARN
, tls
, 0, 0);
1107 tt_int_op(ret
, OP_EQ
, -1);
1109 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1110 tls
->ssl
->session
= tor_malloc_zero(sizeof(SSL_SESSION
));
1111 tls
->ssl
->session
->peer
= validCert
;
1112 ret
= tor_tls_check_lifetime(LOG_WARN
, tls
, 0, 0);
1113 tt_int_op(ret
, OP_EQ
, 0);
1115 ASN1_STRING_free(validCert
->cert_info
->validity
->notBefore
);
1116 validCert
->cert_info
->validity
->notBefore
= ASN1_TIME_set(NULL
, now
-10);
1117 ASN1_STRING_free(validCert
->cert_info
->validity
->notAfter
);
1118 validCert
->cert_info
->validity
->notAfter
= ASN1_TIME_set(NULL
, now
+60);
1120 ret
= tor_tls_check_lifetime(LOG_WARN
, tls
, 0, -1000);
1121 tt_int_op(ret
, OP_EQ
, -1);
1123 ret
= tor_tls_check_lifetime(LOG_WARN
, tls
, -1000, 0);
1124 tt_int_op(ret
, OP_EQ
, -1);
1127 tor_free(tls
->ssl
->session
);
1130 X509_free(validCert
);
1134 #ifndef OPENSSL_OPAQUE
1135 static int fixed_ssl_pending_result
= 0;
1138 fixed_ssl_pending(const SSL
*ignored
)
1141 return fixed_ssl_pending_result
;
1145 test_tortls_get_pending_bytes(void *ignored
)
1152 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1153 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1154 method
= tor_malloc_zero(sizeof(SSL_METHOD
));
1155 method
->ssl_pending
= fixed_ssl_pending
;
1156 tls
->ssl
->method
= method
;
1158 fixed_ssl_pending_result
= 42;
1159 ret
= tor_tls_get_pending_bytes(tls
);
1160 tt_int_op(ret
, OP_EQ
, 42);
1170 test_tortls_get_forced_write_size(void *ignored
)
1176 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1178 tls
->wantwrite_n
= 43;
1179 ret
= tor_tls_get_forced_write_size(tls
);
1180 tt_int_op(ret
, OP_EQ
, 43);
1186 extern uint64_t total_bytes_written_over_tls
;
1187 extern uint64_t total_bytes_written_by_tls
;
1190 test_tortls_get_write_overhead_ratio(void *ignored
)
1195 total_bytes_written_over_tls
= 0;
1196 ret
= tls_get_write_overhead_ratio();
1197 tt_int_op(ret
, OP_EQ
, 1.0);
1199 total_bytes_written_by_tls
= 10;
1200 total_bytes_written_over_tls
= 1;
1201 ret
= tls_get_write_overhead_ratio();
1202 tt_int_op(ret
, OP_EQ
, 10.0);
1204 total_bytes_written_by_tls
= 10;
1205 total_bytes_written_over_tls
= 2;
1206 ret
= tls_get_write_overhead_ratio();
1207 tt_int_op(ret
, OP_EQ
, 5.0);
1214 test_tortls_used_v1_handshake(void *ignored
)
1219 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1221 // These tests assume both V2 handshake server and client are enabled
1222 tls
->wasV2Handshake
= 0;
1223 ret
= tor_tls_used_v1_handshake(tls
);
1224 tt_int_op(ret
, OP_EQ
, 1);
1226 tls
->wasV2Handshake
= 1;
1227 ret
= tor_tls_used_v1_handshake(tls
);
1228 tt_int_op(ret
, OP_EQ
, 0);
1235 test_tortls_get_num_server_handshakes(void *ignored
)
1241 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1243 tls
->server_handshake_count
= 3;
1244 ret
= tor_tls_get_num_server_handshakes(tls
);
1245 tt_int_op(ret
, OP_EQ
, 3);
1252 test_tortls_server_got_renegotiate(void *ignored
)
1258 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1260 tls
->got_renegotiate
= 1;
1261 ret
= tor_tls_server_got_renegotiate(tls
);
1262 tt_int_op(ret
, OP_EQ
, 1);
1268 #ifndef OPENSSL_OPAQUE
1270 test_tortls_SSL_SESSION_get_master_key(void *ignored
)
1276 out
= tor_malloc_zero(1);
1277 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1278 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1279 tls
->ssl
->session
= tor_malloc_zero(sizeof(SSL_SESSION
));
1280 tls
->ssl
->session
->master_key_length
= 1;
1282 #ifndef HAVE_SSL_SESSION_GET_MASTER_KEY
1283 tls
->ssl
->session
->master_key
[0] = 43;
1284 ret
= SSL_SESSION_get_master_key(tls
->ssl
->session
, out
, 0);
1285 tt_int_op(ret
, OP_EQ
, 1);
1286 tt_int_op(out
[0], OP_EQ
, 0);
1288 ret
= SSL_SESSION_get_master_key(tls
->ssl
->session
, out
, 1);
1289 tt_int_op(ret
, OP_EQ
, 1);
1290 tt_int_op(out
[0], OP_EQ
, 43);
1294 tor_free(tls
->ssl
->session
);
1301 #ifndef OPENSSL_OPAQUE
1303 test_tortls_get_tlssecrets(void *ignored
)
1307 uint8_t *secret_out
= tor_malloc_zero(DIGEST256_LEN
);;
1309 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1310 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1311 tls
->ssl
->session
= tor_malloc_zero(sizeof(SSL_SESSION
));
1312 tls
->ssl
->session
->master_key_length
= 1;
1313 tls
->ssl
->s3
= tor_malloc_zero(sizeof(SSL3_STATE
));
1315 ret
= tor_tls_get_tlssecrets(tls
, secret_out
);
1316 tt_int_op(ret
, OP_EQ
, 0);
1319 tor_free(secret_out
);
1320 tor_free(tls
->ssl
->s3
);
1321 tor_free(tls
->ssl
->session
);
1327 #ifndef OPENSSL_OPAQUE
1329 test_tortls_get_buffer_sizes(void *ignored
)
1334 size_t rbuf_c
=-1, rbuf_b
=-1, wbuf_c
=-1, wbuf_b
=-1;
1336 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1337 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1338 tls
->ssl
->s3
= tor_malloc_zero(sizeof(SSL3_STATE
));
1340 tls
->ssl
->s3
->rbuf
.buf
= NULL
;
1341 tls
->ssl
->s3
->rbuf
.len
= 1;
1342 tls
->ssl
->s3
->rbuf
.offset
= 0;
1343 tls
->ssl
->s3
->rbuf
.left
= 42;
1345 tls
->ssl
->s3
->wbuf
.buf
= NULL
;
1346 tls
->ssl
->s3
->wbuf
.len
= 2;
1347 tls
->ssl
->s3
->wbuf
.offset
= 0;
1348 tls
->ssl
->s3
->wbuf
.left
= 43;
1350 #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
1351 ret
= tor_tls_get_buffer_sizes(NULL
, NULL
, NULL
, NULL
, NULL
);
1352 tt_int_op(ret
, OP_EQ
, -1);
1354 ret
= tor_tls_get_buffer_sizes(tls
, &rbuf_c
, &rbuf_b
, &wbuf_c
, &wbuf_b
);
1355 tt_int_op(ret
, OP_EQ
, 0);
1356 tt_int_op(rbuf_c
, OP_EQ
, 0);
1357 tt_int_op(wbuf_c
, OP_EQ
, 0);
1358 tt_int_op(rbuf_b
, OP_EQ
, 42);
1359 tt_int_op(wbuf_b
, OP_EQ
, 43);
1361 tls
->ssl
->s3
->rbuf
.buf
= tor_malloc_zero(1);
1362 tls
->ssl
->s3
->wbuf
.buf
= tor_malloc_zero(1);
1363 ret
= tor_tls_get_buffer_sizes(tls
, &rbuf_c
, &rbuf_b
, &wbuf_c
, &wbuf_b
);
1364 tt_int_op(ret
, OP_EQ
, 0);
1365 tt_int_op(rbuf_c
, OP_EQ
, 1);
1366 tt_int_op(wbuf_c
, OP_EQ
, 2);
1371 tor_free(tls
->ssl
->s3
->rbuf
.buf
);
1372 tor_free(tls
->ssl
->s3
->wbuf
.buf
);
1373 tor_free(tls
->ssl
->s3
);
1380 test_tortls_evaluate_ecgroup_for_tls(void *ignored
)
1385 ret
= evaluate_ecgroup_for_tls(NULL
);
1386 tt_int_op(ret
, OP_EQ
, 1);
1388 ret
= evaluate_ecgroup_for_tls("foobar");
1389 tt_int_op(ret
, OP_EQ
, 0);
1391 ret
= evaluate_ecgroup_for_tls("P256");
1392 tt_int_op(ret
, OP_EQ
, 1);
1394 ret
= evaluate_ecgroup_for_tls("P224");
1395 // tt_int_op(ret, OP_EQ, 1); This varies between machines
1401 #ifndef OPENSSL_OPAQUE
1402 typedef struct cert_pkey_st_local
1405 EVP_PKEY
*privatekey
;
1406 const EVP_MD
*digest
;
1409 typedef struct sess_cert_st_local
1411 STACK_OF(X509
) *cert_chain
;
1413 CERT_PKEY_local
*peer_key
;
1414 CERT_PKEY_local peer_pkeys
[8];
1419 test_tortls_try_to_extract_certs_from_tls(void *ignored
)
1423 X509
*cert
= NULL
, *id_cert
= NULL
, *c1
= NULL
, *c2
= NULL
;
1424 SESS_CERT_local
*sess
= NULL
;
1426 c1
= read_cert_from(validCertString
);
1427 c2
= read_cert_from(caCertString
);
1429 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1430 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1431 tls
->ssl
->session
= tor_malloc_zero(sizeof(SSL_SESSION
));
1432 sess
= tor_malloc_zero(sizeof(SESS_CERT_local
));
1433 tls
->ssl
->session
->sess_cert
= (void *)sess
;
1435 try_to_extract_certs_from_tls(LOG_WARN
, tls
, &cert
, &id_cert
);
1437 tt_assert(!id_cert
);
1439 tls
->ssl
->session
->peer
= c1
;
1440 try_to_extract_certs_from_tls(LOG_WARN
, tls
, &cert
, &id_cert
);
1441 tt_assert(cert
== c1
);
1442 tt_assert(!id_cert
);
1443 X509_free(cert
); /* decrease refcnt */
1445 sess
->cert_chain
= sk_X509_new_null();
1446 try_to_extract_certs_from_tls(LOG_WARN
, tls
, &cert
, &id_cert
);
1447 tt_assert(cert
== c1
);
1448 tt_assert(!id_cert
);
1449 X509_free(cert
); /* decrease refcnt */
1451 sk_X509_push(sess
->cert_chain
, c1
);
1452 sk_X509_push(sess
->cert_chain
, c2
);
1454 try_to_extract_certs_from_tls(LOG_WARN
, tls
, &cert
, &id_cert
);
1455 tt_assert(cert
== c1
);
1457 X509_free(cert
); /* decrease refcnt */
1460 sk_X509_free(sess
->cert_chain
);
1462 tor_free(tls
->ssl
->session
);
1470 #ifndef OPENSSL_OPAQUE
1472 test_tortls_get_peer_cert(void *ignored
)
1475 tor_x509_cert_t
*ret
;
1479 cert
= read_cert_from(validCertString
);
1481 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1482 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1483 tls
->ssl
->session
= tor_malloc_zero(sizeof(SSL_SESSION
));
1485 ret
= tor_tls_get_peer_cert(tls
);
1488 tls
->ssl
->session
->peer
= cert
;
1489 ret
= tor_tls_get_peer_cert(tls
);
1491 tt_assert(ret
->cert
== cert
);
1494 tor_x509_cert_free(ret
);
1495 tor_free(tls
->ssl
->session
);
1502 #ifndef OPENSSL_OPAQUE
1504 test_tortls_peer_has_cert(void *ignored
)
1511 cert
= read_cert_from(validCertString
);
1513 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1514 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1515 tls
->ssl
->session
= tor_malloc_zero(sizeof(SSL_SESSION
));
1517 ret
= tor_tls_peer_has_cert(tls
);
1520 tls
->ssl
->session
->peer
= cert
;
1521 ret
= tor_tls_peer_has_cert(tls
);
1525 tor_free(tls
->ssl
->session
);
1533 test_tortls_is_server(void *ignored
)
1539 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1541 ret
= tor_tls_is_server(tls
);
1542 tt_int_op(ret
, OP_EQ
, 1);
1548 #ifndef OPENSSL_OPAQUE
1550 test_tortls_session_secret_cb(void *ignored
)
1555 STACK_OF(SSL_CIPHER
) *ciphers
= NULL
;
1559 SSL_load_error_strings();
1560 tor_tls_allocate_tor_tls_object_ex_data_index();
1562 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1564 tls
->magic
= TOR_TLS_MAGIC
;
1566 ctx
= SSL_CTX_new(TLSv1_method());
1567 tls
->ssl
= SSL_new(ctx
);
1568 SSL_set_ex_data(tls
->ssl
, tor_tls_object_ex_data_index
, tls
);
1570 SSL_set_session_secret_cb(tls
->ssl
, tor_tls_session_secret_cb
, NULL
);
1572 tor_tls_session_secret_cb(tls
->ssl
, NULL
, NULL
, NULL
, NULL
, NULL
);
1573 tt_assert(!tls
->ssl
->tls_session_secret_cb
);
1575 one
= get_cipher_by_name("ECDH-RSA-AES256-GCM-SHA384");
1577 ciphers
= sk_SSL_CIPHER_new_null();
1578 sk_SSL_CIPHER_push(ciphers
, one
);
1580 tls
->client_cipher_list_type
= 0;
1581 tor_tls_session_secret_cb(tls
->ssl
, NULL
, NULL
, ciphers
, NULL
, NULL
);
1582 tt_assert(!tls
->ssl
->tls_session_secret_cb
);
1585 sk_SSL_CIPHER_free(ciphers
);
1592 #ifndef OPENSSL_OPAQUE
1593 /* TODO: It seems block_renegotiation and unblock_renegotiation and
1594 * using different blags. This might not be correct */
1596 test_tortls_block_renegotiation(void *ignored
)
1601 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1602 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1603 tls
->ssl
->s3
= tor_malloc_zero(sizeof(SSL3_STATE
));
1604 tls
->ssl
->s3
->flags
= 0x0010;
1606 tor_tls_block_renegotiation(tls
);
1608 tt_assert(!(SSL_get_options(tls
->ssl
) & 0x0010));
1611 tor_free(tls
->ssl
->s3
);
1617 test_tortls_unblock_renegotiation(void *ignored
)
1622 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1623 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1624 tor_tls_unblock_renegotiation(tls
);
1626 tt_assert(SSL_get_options(tls
->ssl
) & 0x00040000L
);
1634 #ifndef OPENSSL_OPAQUE
1636 test_tortls_assert_renegotiation_unblocked(void *ignored
)
1641 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1642 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1643 tor_tls_unblock_renegotiation(tls
);
1644 tor_tls_assert_renegotiation_unblocked(tls
);
1645 /* No assertion here - this test will fail if tor_assert is turned on
1646 * and things are bad. */
1654 test_tortls_set_logged_address(void *ignored
)
1659 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1661 tor_tls_set_logged_address(tls
, "foo bar");
1663 tt_str_op(tls
->address
, OP_EQ
, "foo bar");
1665 tor_tls_set_logged_address(tls
, "foo bar 2");
1666 tt_str_op(tls
->address
, OP_EQ
, "foo bar 2");
1669 tor_free(tls
->address
);
1673 #ifndef OPENSSL_OPAQUE
1675 example_cb(tor_tls_t
*t
, void *arg
)
1682 test_tortls_set_renegotiate_callback(void *ignored
)
1686 const char *arg
= "hello";
1688 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1689 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1691 tor_tls_set_renegotiate_callback(tls
, example_cb
, (void*)arg
);
1692 tt_assert(tls
->negotiated_callback
== example_cb
);
1693 tt_assert(tls
->callback_arg
== arg
);
1694 tt_assert(!tls
->got_renegotiate
);
1696 /* Assumes V2_HANDSHAKE_SERVER */
1697 tt_assert(tls
->ssl
->info_callback
== tor_tls_server_info_callback
);
1699 tor_tls_set_renegotiate_callback(tls
, NULL
, (void*)arg
);
1700 tt_assert(tls
->ssl
->info_callback
== tor_tls_debug_state_callback
);
1708 #ifndef OPENSSL_OPAQUE
1709 static SSL_CIPHER
*fixed_cipher1
= NULL
;
1710 static SSL_CIPHER
*fixed_cipher2
= NULL
;
1711 static const SSL_CIPHER
*
1712 fake_get_cipher(unsigned ncipher
)
1717 return fixed_cipher1
;
1719 return fixed_cipher2
;
1726 #ifndef OPENSSL_OPAQUE
1728 test_tortls_find_cipher_by_id(void *ignored
)
1734 const SSL_METHOD
*m
= TLSv1_method();
1735 SSL_METHOD
*empty_method
= tor_malloc_zero(sizeof(SSL_METHOD
));
1737 fixed_cipher1
= tor_malloc_zero(sizeof(SSL_CIPHER
));
1738 fixed_cipher2
= tor_malloc_zero(sizeof(SSL_CIPHER
));
1739 fixed_cipher2
->id
= 0xC00A;
1742 SSL_load_error_strings();
1744 ctx
= SSL_CTX_new(m
);
1747 ret
= find_cipher_by_id(ssl
, NULL
, 0xC00A);
1748 tt_int_op(ret
, OP_EQ
, 1);
1750 ret
= find_cipher_by_id(ssl
, m
, 0xC00A);
1751 tt_int_op(ret
, OP_EQ
, 1);
1753 ret
= find_cipher_by_id(ssl
, m
, 0xFFFF);
1754 tt_int_op(ret
, OP_EQ
, 0);
1756 ret
= find_cipher_by_id(ssl
, empty_method
, 0xC00A);
1757 tt_int_op(ret
, OP_EQ
, 1);
1759 ret
= find_cipher_by_id(ssl
, empty_method
, 0xFFFF);
1760 #ifdef HAVE_SSL_CIPHER_FIND
1761 tt_int_op(ret
, OP_EQ
, 0);
1763 tt_int_op(ret
, OP_EQ
, 1);
1766 empty_method
->get_cipher
= fake_get_cipher
;
1767 ret
= find_cipher_by_id(ssl
, empty_method
, 0xC00A);
1768 tt_int_op(ret
, OP_EQ
, 1);
1770 empty_method
->get_cipher
= m
->get_cipher
;
1771 empty_method
->num_ciphers
= m
->num_ciphers
;
1772 ret
= find_cipher_by_id(ssl
, empty_method
, 0xC00A);
1773 tt_int_op(ret
, OP_EQ
, 1);
1775 empty_method
->get_cipher
= fake_get_cipher
;
1776 empty_method
->num_ciphers
= m
->num_ciphers
;
1777 ret
= find_cipher_by_id(ssl
, empty_method
, 0xC00A);
1778 tt_int_op(ret
, OP_EQ
, 1);
1780 empty_method
->num_ciphers
= fake_num_ciphers
;
1781 ret
= find_cipher_by_id(ssl
, empty_method
, 0xC00A);
1782 #ifdef HAVE_SSL_CIPHER_FIND
1783 tt_int_op(ret
, OP_EQ
, 1);
1785 tt_int_op(ret
, OP_EQ
, 0);
1789 tor_free(empty_method
);
1792 tor_free(fixed_cipher1
);
1796 #ifndef OPENSSL_OPAQUE
1798 test_tortls_debug_state_callback(void *ignored
)
1802 char *buf
= tor_malloc_zero(1000);
1805 int previous_log
= setup_capture_of_logs(LOG_DEBUG
);
1807 ssl
= tor_malloc_zero(sizeof(SSL
));
1809 tor_tls_debug_state_callback(ssl
, 32, 45);
1811 n
= tor_snprintf(buf
, 1000, "SSL %p is now in state unknown"
1812 " state [type=32,val=45].\n", ssl
);
1813 /* tor's snprintf returns -1 on error */
1814 tt_int_op(n
, OP_NE
, -1);
1815 expect_log_msg(buf
);
1818 teardown_capture_of_logs(previous_log
);
1824 #ifndef OPENSSL_OPAQUE
1826 test_tortls_server_info_callback(void *ignored
)
1832 int previous_log
= setup_capture_of_logs(LOG_WARN
);
1835 SSL_load_error_strings();
1837 ctx
= SSL_CTX_new(TLSv1_method());
1840 tor_tls_allocate_tor_tls_object_ex_data_index();
1842 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1843 tls
->magic
= TOR_TLS_MAGIC
;
1846 tor_tls_server_info_callback(NULL
, 0, 0);
1848 SSL_set_state(ssl
, SSL3_ST_SW_SRVR_HELLO_A
);
1849 mock_clean_saved_logs();
1850 tor_tls_server_info_callback(ssl
, SSL_CB_ACCEPT_LOOP
, 0);
1851 expect_log_msg("Couldn't look up the tls for an SSL*. How odd!\n");
1853 SSL_set_state(ssl
, SSL3_ST_SW_SRVR_HELLO_B
);
1854 mock_clean_saved_logs();
1855 tor_tls_server_info_callback(ssl
, SSL_CB_ACCEPT_LOOP
, 0);
1856 expect_log_msg("Couldn't look up the tls for an SSL*. How odd!\n");
1858 SSL_set_state(ssl
, 99);
1859 mock_clean_saved_logs();
1860 tor_tls_server_info_callback(ssl
, SSL_CB_ACCEPT_LOOP
, 0);
1861 expect_no_log_entry();
1863 SSL_set_ex_data(tls
->ssl
, tor_tls_object_ex_data_index
, tls
);
1864 SSL_set_state(ssl
, SSL3_ST_SW_SRVR_HELLO_B
);
1865 tls
->negotiated_callback
= 0;
1866 tls
->server_handshake_count
= 120;
1867 tor_tls_server_info_callback(ssl
, SSL_CB_ACCEPT_LOOP
, 0);
1868 tt_int_op(tls
->server_handshake_count
, OP_EQ
, 121);
1870 tls
->server_handshake_count
= 127;
1871 tls
->negotiated_callback
= (void *)1;
1872 tor_tls_server_info_callback(ssl
, SSL_CB_ACCEPT_LOOP
, 0);
1873 tt_int_op(tls
->server_handshake_count
, OP_EQ
, 127);
1874 tt_int_op(tls
->got_renegotiate
, OP_EQ
, 1);
1876 tls
->ssl
->session
= SSL_SESSION_new();
1877 tls
->wasV2Handshake
= 0;
1878 tor_tls_server_info_callback(ssl
, SSL_CB_ACCEPT_LOOP
, 0);
1879 tt_int_op(tls
->wasV2Handshake
, OP_EQ
, 0);
1882 teardown_capture_of_logs(previous_log
);
1889 #ifndef OPENSSL_OPAQUE
1890 static int fixed_ssl_read_result_index
;
1891 static int fixed_ssl_read_result
[5];
1892 static int fixed_ssl_shutdown_result
;
1895 fixed_ssl_read(SSL
*s
, void *buf
, int len
)
1900 return fixed_ssl_read_result
[fixed_ssl_read_result_index
++];
1904 fixed_ssl_shutdown(SSL
*s
)
1907 return fixed_ssl_shutdown_result
;
1910 static int fixed_ssl_state_to_set
;
1911 static tor_tls_t
*fixed_tls
;
1914 setting_version_ssl_shutdown(SSL
*s
)
1916 s
->version
= SSL2_VERSION
;
1917 return fixed_ssl_shutdown_result
;
1921 setting_version_and_state_ssl_shutdown(SSL
*s
)
1923 fixed_tls
->state
= fixed_ssl_state_to_set
;
1924 s
->version
= SSL2_VERSION
;
1925 return fixed_ssl_shutdown_result
;
1929 dummy_handshake_func(SSL
*s
)
1936 test_tortls_shutdown(void *ignored
)
1941 SSL_METHOD
*method
= give_me_a_test_method();
1942 int previous_log
= setup_capture_of_logs(LOG_WARN
);
1944 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
1945 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
1946 tls
->ssl
->method
= method
;
1947 method
->ssl_read
= fixed_ssl_read
;
1948 method
->ssl_shutdown
= fixed_ssl_shutdown
;
1950 ret
= tor_tls_shutdown(tls
);
1951 tt_int_op(ret
, OP_EQ
, -9);
1953 tls
->state
= TOR_TLS_ST_SENTCLOSE
;
1954 fixed_ssl_read_result_index
= 0;
1955 fixed_ssl_read_result
[0] = 10;
1956 fixed_ssl_read_result
[1] = -1;
1957 ret
= tor_tls_shutdown(tls
);
1958 tt_int_op(ret
, OP_EQ
, -9);
1960 tls
->ssl
->handshake_func
= dummy_handshake_func
;
1962 fixed_ssl_read_result_index
= 0;
1963 fixed_ssl_read_result
[0] = 10;
1964 fixed_ssl_read_result
[1] = 42;
1965 fixed_ssl_read_result
[2] = 0;
1966 fixed_ssl_shutdown_result
= 1;
1968 tls
->ssl
->version
= SSL2_VERSION
;
1969 ret
= tor_tls_shutdown(tls
);
1970 tt_int_op(ret
, OP_EQ
, TOR_TLS_DONE
);
1971 tt_int_op(tls
->state
, OP_EQ
, TOR_TLS_ST_CLOSED
);
1973 fixed_ssl_read_result_index
= 0;
1974 fixed_ssl_read_result
[0] = 10;
1975 fixed_ssl_read_result
[1] = 42;
1976 fixed_ssl_read_result
[2] = 0;
1977 fixed_ssl_shutdown_result
= 0;
1979 tls
->ssl
->version
= 0;
1980 ret
= tor_tls_shutdown(tls
);
1981 tt_int_op(ret
, OP_EQ
, TOR_TLS_DONE
);
1982 tt_int_op(tls
->state
, OP_EQ
, TOR_TLS_ST_CLOSED
);
1984 fixed_ssl_read_result_index
= 0;
1985 fixed_ssl_read_result
[0] = 10;
1986 fixed_ssl_read_result
[1] = 42;
1987 fixed_ssl_read_result
[2] = 0;
1988 fixed_ssl_shutdown_result
= 0;
1990 tls
->ssl
->version
= 0;
1991 method
->ssl_shutdown
= setting_version_ssl_shutdown
;
1992 ret
= tor_tls_shutdown(tls
);
1993 tt_int_op(ret
, OP_EQ
, TOR_TLS_ERROR_MISC
);
1995 fixed_ssl_read_result_index
= 0;
1996 fixed_ssl_read_result
[0] = 10;
1997 fixed_ssl_read_result
[1] = 42;
1998 fixed_ssl_read_result
[2] = 0;
1999 fixed_ssl_shutdown_result
= 0;
2001 fixed_ssl_state_to_set
= TOR_TLS_ST_GOTCLOSE
;
2003 tls
->ssl
->version
= 0;
2004 method
->ssl_shutdown
= setting_version_and_state_ssl_shutdown
;
2005 ret
= tor_tls_shutdown(tls
);
2006 tt_int_op(ret
, OP_EQ
, TOR_TLS_ERROR_MISC
);
2008 fixed_ssl_read_result_index
= 0;
2009 fixed_ssl_read_result
[0] = 10;
2010 fixed_ssl_read_result
[1] = 42;
2011 fixed_ssl_read_result
[2] = 0;
2012 fixed_ssl_read_result
[3] = -1;
2013 fixed_ssl_shutdown_result
= 0;
2015 fixed_ssl_state_to_set
= 0;
2017 tls
->ssl
->version
= 0;
2018 method
->ssl_shutdown
= setting_version_and_state_ssl_shutdown
;
2019 ret
= tor_tls_shutdown(tls
);
2020 tt_int_op(ret
, OP_EQ
, TOR_TLS_ERROR_MISC
);
2023 teardown_capture_of_logs(previous_log
);
2029 static int negotiated_callback_called
;
2032 negotiated_callback_setter(tor_tls_t
*t
, void *arg
)
2036 negotiated_callback_called
++;
2040 test_tortls_read(void *ignored
)
2046 SSL_METHOD
*method
= give_me_a_test_method();
2047 int previous_log
= setup_capture_of_logs(LOG_WARN
);
2049 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
2050 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
2051 tls
->state
= TOR_TLS_ST_OPEN
;
2053 ret
= tor_tls_read(tls
, buf
, 10);
2054 tt_int_op(ret
, OP_EQ
, -9);
2056 /* These tests assume that V2_HANDSHAKE_SERVER is set */
2057 tls
->ssl
->handshake_func
= dummy_handshake_func
;
2058 tls
->ssl
->method
= method
;
2059 method
->ssl_read
= fixed_ssl_read
;
2060 fixed_ssl_read_result_index
= 0;
2061 fixed_ssl_read_result
[0] = 42;
2062 tls
->state
= TOR_TLS_ST_OPEN
;
2064 ret
= tor_tls_read(tls
, buf
, 10);
2065 tt_int_op(ret
, OP_EQ
, 42);
2067 tls
->state
= TOR_TLS_ST_OPEN
;
2068 tls
->got_renegotiate
= 1;
2069 fixed_ssl_read_result_index
= 0;
2071 ret
= tor_tls_read(tls
, buf
, 10);
2072 tt_int_op(tls
->got_renegotiate
, OP_EQ
, 0);
2074 tls
->state
= TOR_TLS_ST_OPEN
;
2075 tls
->got_renegotiate
= 1;
2076 negotiated_callback_called
= 0;
2077 tls
->negotiated_callback
= negotiated_callback_setter
;
2078 fixed_ssl_read_result_index
= 0;
2080 ret
= tor_tls_read(tls
, buf
, 10);
2081 tt_int_op(negotiated_callback_called
, OP_EQ
, 1);
2083 fixed_ssl_read_result_index
= 0;
2084 fixed_ssl_read_result
[0] = 0;
2085 tls
->ssl
->version
= SSL2_VERSION
;
2087 ret
= tor_tls_read(tls
, buf
, 10);
2088 tt_int_op(ret
, OP_EQ
, TOR_TLS_CLOSE
);
2089 tt_int_op(tls
->state
, OP_EQ
, TOR_TLS_ST_CLOSED
);
2094 teardown_capture_of_logs(previous_log
);
2100 static int fixed_ssl_write_result
;
2103 fixed_ssl_write(SSL
*s
, const void *buf
, int len
)
2108 return fixed_ssl_write_result
;
2112 test_tortls_write(void *ignored
)
2117 SSL_METHOD
*method
= give_me_a_test_method();
2119 int previous_log
= setup_capture_of_logs(LOG_WARN
);
2121 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
2122 tls
->ssl
= tor_malloc_zero(sizeof(SSL
));
2123 tls
->state
= TOR_TLS_ST_OPEN
;
2125 ret
= tor_tls_write(tls
, buf
, 0);
2126 tt_int_op(ret
, OP_EQ
, 0);
2128 ret
= tor_tls_write(tls
, buf
, 10);
2129 tt_int_op(ret
, OP_EQ
, -9);
2131 tls
->ssl
->method
= method
;
2132 tls
->wantwrite_n
= 1;
2133 ret
= tor_tls_write(tls
, buf
, 10);
2134 tt_int_op(tls
->wantwrite_n
, OP_EQ
, 0);
2136 method
->ssl_write
= fixed_ssl_write
;
2137 tls
->ssl
->handshake_func
= dummy_handshake_func
;
2138 fixed_ssl_write_result
= 1;
2140 ret
= tor_tls_write(tls
, buf
, 10);
2141 tt_int_op(ret
, OP_EQ
, 1);
2143 fixed_ssl_write_result
= -1;
2145 tls
->ssl
->rwstate
= SSL_READING
;
2146 SSL_set_bio(tls
->ssl
, BIO_new(BIO_s_mem()), NULL
);
2147 SSL_get_rbio(tls
->ssl
)->flags
= BIO_FLAGS_READ
;
2148 ret
= tor_tls_write(tls
, buf
, 10);
2149 tt_int_op(ret
, OP_EQ
, TOR_TLS_WANTREAD
);
2152 tls
->ssl
->rwstate
= SSL_READING
;
2153 SSL_set_bio(tls
->ssl
, BIO_new(BIO_s_mem()), NULL
);
2154 SSL_get_rbio(tls
->ssl
)->flags
= BIO_FLAGS_WRITE
;
2155 ret
= tor_tls_write(tls
, buf
, 10);
2156 tt_int_op(ret
, OP_EQ
, TOR_TLS_WANTWRITE
);
2159 teardown_capture_of_logs(previous_log
);
2160 BIO_free(tls
->ssl
->rbio
);
2167 #ifndef OPENSSL_OPAQUE
2168 static int fixed_ssl_accept_result
;
2169 static int fixed_ssl_connect_result
;
2172 setting_error_ssl_accept(SSL
*ssl
)
2175 ERR_put_error(ERR_LIB_BN
, 2, -1, "somewhere.c", 99);
2176 ERR_put_error(ERR_LIB_SYS
, 2, -1, "somewhere.c", 99);
2177 return fixed_ssl_accept_result
;
2181 setting_error_ssl_connect(SSL
*ssl
)
2184 ERR_put_error(ERR_LIB_BN
, 2, -1, "somewhere.c", 99);
2185 ERR_put_error(ERR_LIB_SYS
, 2, -1, "somewhere.c", 99);
2186 return fixed_ssl_connect_result
;
2190 fixed_ssl_accept(SSL
*ssl
)
2193 return fixed_ssl_accept_result
;
2197 test_tortls_handshake(void *ignored
)
2203 SSL_METHOD
*method
= give_me_a_test_method();
2204 int previous_log
= setup_capture_of_logs(LOG_INFO
);
2207 SSL_load_error_strings();
2209 ctx
= SSL_CTX_new(TLSv1_method());
2211 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
2212 tls
->ssl
= SSL_new(ctx
);
2213 tls
->state
= TOR_TLS_ST_HANDSHAKE
;
2215 ret
= tor_tls_handshake(tls
);
2216 tt_int_op(ret
, OP_EQ
, -9);
2219 tls
->state
= TOR_TLS_ST_HANDSHAKE
;
2220 ret
= tor_tls_handshake(tls
);
2221 tt_int_op(ret
, OP_EQ
, -9);
2223 tls
->ssl
->method
= method
;
2224 method
->ssl_accept
= fixed_ssl_accept
;
2225 fixed_ssl_accept_result
= 2;
2227 tls
->state
= TOR_TLS_ST_HANDSHAKE
;
2228 ret
= tor_tls_handshake(tls
);
2229 tt_int_op(tls
->state
, OP_EQ
, TOR_TLS_ST_OPEN
);
2231 method
->ssl_accept
= setting_error_ssl_accept
;
2232 fixed_ssl_accept_result
= 1;
2234 mock_clean_saved_logs();
2235 tls
->state
= TOR_TLS_ST_HANDSHAKE
;
2236 ret
= tor_tls_handshake(tls
);
2237 tt_int_op(ret
, OP_EQ
, TOR_TLS_ERROR_MISC
);
2239 /* This fails on jessie. Investigate why! */
2241 expect_log_msg("TLS error while handshaking: (null) (in bignum routines:"
2242 "(null):SSLv3 write client hello B)\n");
2243 expect_log_msg("TLS error while handshaking: (null) (in system library:"
2244 "connect:SSLv3 write client hello B)\n");
2246 expect_log_severity(LOG_INFO
);
2249 method
->ssl_connect
= setting_error_ssl_connect
;
2250 fixed_ssl_connect_result
= 1;
2252 mock_clean_saved_logs();
2253 tls
->state
= TOR_TLS_ST_HANDSHAKE
;
2254 ret
= tor_tls_handshake(tls
);
2255 tt_int_op(ret
, OP_EQ
, TOR_TLS_ERROR_MISC
);
2259 expect_log_msg("TLS error while handshaking: "
2260 "(null) (in bignum routines:(null):SSLv3 write client hello B)\n");
2261 expect_log_msg("TLS error while handshaking: "
2262 "(null) (in system library:connect:SSLv3 write client hello B)\n");
2264 expect_log_severity(LOG_WARN
);
2267 teardown_capture_of_logs(previous_log
);
2275 #ifndef OPENSSL_OPAQUE
2277 test_tortls_finish_handshake(void *ignored
)
2283 SSL_METHOD
*method
= give_me_a_test_method();
2285 SSL_load_error_strings();
2287 X509
*c1
= read_cert_from(validCertString
);
2288 SESS_CERT_local
*sess
= NULL
;
2290 ctx
= SSL_CTX_new(method
);
2292 tls
= tor_malloc_zero(sizeof(tor_tls_t
));
2293 tls
->ssl
= SSL_new(ctx
);
2294 tls
->state
= TOR_TLS_ST_OPEN
;
2296 ret
= tor_tls_finish_handshake(tls
);
2297 tt_int_op(ret
, OP_EQ
, 0);
2300 tls
->wasV2Handshake
= 0;
2301 ret
= tor_tls_finish_handshake(tls
);
2302 tt_int_op(ret
, OP_EQ
, 0);
2303 tt_int_op(tls
->wasV2Handshake
, OP_EQ
, 1);
2305 tls
->wasV2Handshake
= 1;
2306 ret
= tor_tls_finish_handshake(tls
);
2307 tt_int_op(ret
, OP_EQ
, 0);
2308 tt_int_op(tls
->wasV2Handshake
, OP_EQ
, 1);
2310 tls
->wasV2Handshake
= 1;
2311 tls
->ssl
->session
= SSL_SESSION_new();
2312 ret
= tor_tls_finish_handshake(tls
);
2313 tt_int_op(ret
, OP_EQ
, 0);
2314 tt_int_op(tls
->wasV2Handshake
, OP_EQ
, 0);
2318 sess
= tor_malloc_zero(sizeof(SESS_CERT_local
));
2319 tls
->ssl
->session
->sess_cert
= (void *)sess
;
2320 sess
->cert_chain
= sk_X509_new_null();
2321 sk_X509_push(sess
->cert_chain
, c1
);
2322 tls
->ssl
->session
->peer
= c1
;
2323 tls
->wasV2Handshake
= 0;
2324 ret
= tor_tls_finish_handshake(tls
);
2325 tt_int_op(ret
, OP_EQ
, 0);
2326 tt_int_op(tls
->wasV2Handshake
, OP_EQ
, 1);
2328 method
->num_ciphers
= fake_num_ciphers
;
2329 ret
= tor_tls_finish_handshake(tls
);
2330 tt_int_op(ret
, OP_EQ
, -9);
2334 sk_X509_free(sess
->cert_chain
);
2335 if (tls
->ssl
&& tls
->ssl
->session
) {
2336 tor_free(tls
->ssl
->session
->sess_cert
);
2345 static int fixed_crypto_pk_new_result_index
;
2346 static crypto_pk_t
*fixed_crypto_pk_new_result
[5];
2348 static crypto_pk_t
*
2349 fixed_crypto_pk_new(void)
2351 return fixed_crypto_pk_new_result
[fixed_crypto_pk_new_result_index
++];
2354 #ifndef OPENSSL_OPAQUE
2355 static int fixed_crypto_pk_generate_key_with_bits_result_index
;
2356 static int fixed_crypto_pk_generate_key_with_bits_result
[5];
2357 static int fixed_tor_tls_create_certificate_result_index
;
2358 static X509
*fixed_tor_tls_create_certificate_result
[5];
2359 static int fixed_tor_x509_cert_new_result_index
;
2360 static tor_x509_cert_t
*fixed_tor_x509_cert_new_result
[5];
2363 fixed_crypto_pk_generate_key_with_bits(crypto_pk_t
*env
, int bits
)
2367 return fixed_crypto_pk_generate_key_with_bits_result
[
2368 fixed_crypto_pk_generate_key_with_bits_result_index
++];
2372 fixed_tor_tls_create_certificate(crypto_pk_t
*rsa
,
2373 crypto_pk_t
*rsa_sign
,
2375 const char *cname_sign
,
2376 unsigned int cert_lifetime
)
2382 (void)cert_lifetime
;
2383 return fixed_tor_tls_create_certificate_result
[
2384 fixed_tor_tls_create_certificate_result_index
++];
2387 static tor_x509_cert_t
*
2388 fixed_tor_x509_cert_new(X509
*x509_cert
)
2391 return fixed_tor_x509_cert_new_result
[
2392 fixed_tor_x509_cert_new_result_index
++];
2396 test_tortls_context_new(void *ignored
)
2399 tor_tls_context_t
*ret
;
2400 crypto_pk_t
*pk1
, *pk2
, *pk3
, *pk4
, *pk5
, *pk6
, *pk7
, *pk8
, *pk9
, *pk10
,
2401 *pk11
, *pk12
, *pk13
, *pk14
, *pk15
, *pk16
, *pk17
, *pk18
;
2403 pk1
= crypto_pk_new();
2404 pk2
= crypto_pk_new();
2405 pk3
= crypto_pk_new();
2406 pk4
= crypto_pk_new();
2407 pk5
= crypto_pk_new();
2408 pk6
= crypto_pk_new();
2409 pk7
= crypto_pk_new();
2410 pk8
= crypto_pk_new();
2411 pk9
= crypto_pk_new();
2412 pk10
= crypto_pk_new();
2413 pk11
= crypto_pk_new();
2414 pk12
= crypto_pk_new();
2415 pk13
= crypto_pk_new();
2416 pk14
= crypto_pk_new();
2417 pk15
= crypto_pk_new();
2418 pk16
= crypto_pk_new();
2419 pk17
= crypto_pk_new();
2420 pk18
= crypto_pk_new();
2422 fixed_crypto_pk_new_result_index
= 0;
2423 fixed_crypto_pk_new_result
[0] = NULL
;
2424 MOCK(crypto_pk_new
, fixed_crypto_pk_new
);
2425 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
2428 MOCK(crypto_pk_generate_key_with_bits
,
2429 fixed_crypto_pk_generate_key_with_bits
);
2430 fixed_crypto_pk_new_result_index
= 0;
2431 fixed_crypto_pk_new_result
[0] = pk1
;
2432 fixed_crypto_pk_new_result
[1] = NULL
;
2433 fixed_crypto_pk_generate_key_with_bits_result
[0] = -1;
2434 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
2435 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
2438 fixed_crypto_pk_new_result_index
= 0;
2439 fixed_crypto_pk_new_result
[0] = pk2
;
2440 fixed_crypto_pk_new_result
[1] = NULL
;
2441 fixed_crypto_pk_generate_key_with_bits_result
[0] = 0;
2442 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
2443 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
2446 fixed_crypto_pk_new_result_index
= 0;
2447 fixed_crypto_pk_new_result
[0] = pk3
;
2448 fixed_crypto_pk_new_result
[1] = pk4
;
2449 fixed_crypto_pk_new_result
[2] = NULL
;
2450 fixed_crypto_pk_generate_key_with_bits_result
[0] = 0;
2451 fixed_crypto_pk_generate_key_with_bits_result
[1] = -1;
2452 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
2453 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
2456 MOCK(tor_tls_create_certificate
, fixed_tor_tls_create_certificate
);
2458 fixed_crypto_pk_new_result_index
= 0;
2459 fixed_crypto_pk_new_result
[0] = pk5
;
2460 fixed_crypto_pk_new_result
[1] = pk6
;
2461 fixed_crypto_pk_new_result
[2] = NULL
;
2462 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
2463 fixed_crypto_pk_generate_key_with_bits_result
[1] = 0;
2464 fixed_tor_tls_create_certificate_result_index
= 0;
2465 fixed_tor_tls_create_certificate_result
[0] = NULL
;
2466 fixed_tor_tls_create_certificate_result
[1] = tor_malloc_zero(sizeof(X509
));
2467 fixed_tor_tls_create_certificate_result
[2] = tor_malloc_zero(sizeof(X509
));
2468 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
2471 fixed_crypto_pk_new_result_index
= 0;
2472 fixed_crypto_pk_new_result
[0] = pk7
;
2473 fixed_crypto_pk_new_result
[1] = pk8
;
2474 fixed_crypto_pk_new_result
[2] = NULL
;
2475 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
2476 fixed_tor_tls_create_certificate_result_index
= 0;
2477 fixed_tor_tls_create_certificate_result
[0] = tor_malloc_zero(sizeof(X509
));
2478 fixed_tor_tls_create_certificate_result
[1] = NULL
;
2479 fixed_tor_tls_create_certificate_result
[2] = tor_malloc_zero(sizeof(X509
));
2480 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
2483 fixed_crypto_pk_new_result_index
= 0;
2484 fixed_crypto_pk_new_result
[0] = pk9
;
2485 fixed_crypto_pk_new_result
[1] = pk10
;
2486 fixed_crypto_pk_new_result
[2] = NULL
;
2487 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
2488 fixed_tor_tls_create_certificate_result_index
= 0;
2489 fixed_tor_tls_create_certificate_result
[0] = tor_malloc_zero(sizeof(X509
));
2490 fixed_tor_tls_create_certificate_result
[1] = tor_malloc_zero(sizeof(X509
));
2491 fixed_tor_tls_create_certificate_result
[2] = NULL
;
2492 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
2495 MOCK(tor_x509_cert_new
, fixed_tor_x509_cert_new
);
2496 fixed_crypto_pk_new_result_index
= 0;
2497 fixed_crypto_pk_new_result
[0] = pk11
;
2498 fixed_crypto_pk_new_result
[1] = pk12
;
2499 fixed_crypto_pk_new_result
[2] = NULL
;
2500 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
2501 fixed_tor_tls_create_certificate_result_index
= 0;
2502 fixed_tor_tls_create_certificate_result
[0] = tor_malloc_zero(sizeof(X509
));
2503 fixed_tor_tls_create_certificate_result
[1] = tor_malloc_zero(sizeof(X509
));
2504 fixed_tor_tls_create_certificate_result
[2] = tor_malloc_zero(sizeof(X509
));
2505 fixed_tor_x509_cert_new_result_index
= 0;
2506 fixed_tor_x509_cert_new_result
[0] = NULL
;
2507 fixed_tor_x509_cert_new_result
[1] = NULL
;
2508 fixed_tor_x509_cert_new_result
[2] = NULL
;
2509 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
2512 fixed_crypto_pk_new_result_index
= 0;
2513 fixed_crypto_pk_new_result
[0] = pk13
;
2514 fixed_crypto_pk_new_result
[1] = pk14
;
2515 fixed_crypto_pk_new_result
[2] = NULL
;
2516 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
2517 fixed_tor_tls_create_certificate_result_index
= 0;
2518 fixed_tor_tls_create_certificate_result
[0] = tor_malloc_zero(sizeof(X509
));
2519 fixed_tor_tls_create_certificate_result
[1] = tor_malloc_zero(sizeof(X509
));
2520 fixed_tor_tls_create_certificate_result
[2] = tor_malloc_zero(sizeof(X509
));
2521 fixed_tor_x509_cert_new_result_index
= 0;
2522 fixed_tor_x509_cert_new_result
[0] = tor_malloc_zero(sizeof(tor_x509_cert_t
));
2523 fixed_tor_x509_cert_new_result
[1] = NULL
;
2524 fixed_tor_x509_cert_new_result
[2] = NULL
;
2525 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
2528 fixed_crypto_pk_new_result_index
= 0;
2529 fixed_crypto_pk_new_result
[0] = pk15
;
2530 fixed_crypto_pk_new_result
[1] = pk16
;
2531 fixed_crypto_pk_new_result
[2] = NULL
;
2532 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
2533 fixed_tor_tls_create_certificate_result_index
= 0;
2534 fixed_tor_tls_create_certificate_result
[0] = tor_malloc_zero(sizeof(X509
));
2535 fixed_tor_tls_create_certificate_result
[1] = tor_malloc_zero(sizeof(X509
));
2536 fixed_tor_tls_create_certificate_result
[2] = tor_malloc_zero(sizeof(X509
));
2537 fixed_tor_x509_cert_new_result_index
= 0;
2538 fixed_tor_x509_cert_new_result
[0] = tor_malloc_zero(sizeof(tor_x509_cert_t
));
2539 fixed_tor_x509_cert_new_result
[1] = tor_malloc_zero(sizeof(tor_x509_cert_t
));
2540 fixed_tor_x509_cert_new_result
[2] = NULL
;
2541 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
2544 fixed_crypto_pk_new_result_index
= 0;
2545 fixed_crypto_pk_new_result
[0] = pk17
;
2546 fixed_crypto_pk_new_result
[1] = pk18
;
2547 fixed_crypto_pk_new_result
[2] = NULL
;
2548 fixed_crypto_pk_generate_key_with_bits_result_index
= 0;
2549 fixed_tor_tls_create_certificate_result_index
= 0;
2550 fixed_tor_tls_create_certificate_result
[0] = tor_malloc_zero(sizeof(X509
));
2551 fixed_tor_tls_create_certificate_result
[1] = tor_malloc_zero(sizeof(X509
));
2552 fixed_tor_tls_create_certificate_result
[2] = tor_malloc_zero(sizeof(X509
));
2553 fixed_tor_x509_cert_new_result_index
= 0;
2554 fixed_tor_x509_cert_new_result
[0] = tor_malloc_zero(sizeof(tor_x509_cert_t
));
2555 fixed_tor_x509_cert_new_result
[1] = tor_malloc_zero(sizeof(tor_x509_cert_t
));
2556 fixed_tor_x509_cert_new_result
[2] = tor_malloc_zero(sizeof(tor_x509_cert_t
));
2557 ret
= tor_tls_context_new(NULL
, 0, 0, 0);
2561 UNMOCK(tor_x509_cert_new
);
2562 UNMOCK(tor_tls_create_certificate
);
2563 UNMOCK(crypto_pk_generate_key_with_bits
);
2564 UNMOCK(crypto_pk_new
);
2568 static int fixed_crypto_pk_get_evp_pkey_result_index
= 0;
2569 static EVP_PKEY
*fixed_crypto_pk_get_evp_pkey_result
[5];
2572 fixed_crypto_pk_get_evp_pkey_(crypto_pk_t
*env
, int private)
2576 return fixed_crypto_pk_get_evp_pkey_result
[
2577 fixed_crypto_pk_get_evp_pkey_result_index
++];
2581 test_tortls_create_certificate(void *ignored
)
2585 crypto_pk_t
*pk1
, *pk2
;
2587 pk1
= crypto_pk_new();
2588 pk2
= crypto_pk_new();
2590 MOCK(crypto_pk_get_evp_pkey_
, fixed_crypto_pk_get_evp_pkey_
);
2591 fixed_crypto_pk_get_evp_pkey_result_index
= 0;
2592 fixed_crypto_pk_get_evp_pkey_result
[0] = NULL
;
2593 ret
= tor_tls_create_certificate(pk1
, pk2
, "hello", "hello2", 1);
2596 fixed_crypto_pk_get_evp_pkey_result_index
= 0;
2597 fixed_crypto_pk_get_evp_pkey_result
[0] = tor_malloc_zero(sizeof(EVP_PKEY
));
2598 fixed_crypto_pk_get_evp_pkey_result
[1] = NULL
;
2599 ret
= tor_tls_create_certificate(pk1
, pk2
, "hello", "hello2", 1);
2602 fixed_crypto_pk_get_evp_pkey_result_index
= 0;
2603 fixed_crypto_pk_get_evp_pkey_result
[0] = tor_malloc_zero(sizeof(EVP_PKEY
));
2604 fixed_crypto_pk_get_evp_pkey_result
[1] = tor_malloc_zero(sizeof(EVP_PKEY
));
2605 ret
= tor_tls_create_certificate(pk1
, pk2
, "hello", "hello2", 1);
2609 UNMOCK(crypto_pk_get_evp_pkey_
);
2610 crypto_pk_free(pk1
);
2611 crypto_pk_free(pk2
);
2615 test_tortls_cert_new(void *ignored
)
2618 tor_x509_cert_t
*ret
;
2619 X509
*cert
= read_cert_from(validCertString
);
2621 ret
= tor_x509_cert_new(NULL
);
2624 ret
= tor_x509_cert_new(cert
);
2626 tor_x509_cert_free(ret
);
2630 cert
= read_cert_from(validCertString
);
2631 /* XXX this doesn't do what you think: it alters a copy of the pubkey. */
2632 X509_get_pubkey(cert
)->type
= EVP_PKEY_DSA
;
2633 ret
= tor_x509_cert_new(cert
);
2637 #ifndef OPENSSL_OPAQUE
2638 cert
= read_cert_from(validCertString
);
2639 X509_CINF_free(cert
->cert_info
);
2640 cert
->cert_info
= NULL
;
2641 ret
= tor_x509_cert_new(cert
);
2646 tor_x509_cert_free(ret
);
2650 test_tortls_cert_is_valid(void *ignored
)
2654 tor_x509_cert_t
*cert
= NULL
, *scert
= NULL
;
2656 scert
= tor_malloc_zero(sizeof(tor_x509_cert_t
));
2657 ret
= tor_tls_cert_is_valid(LOG_WARN
, cert
, scert
, 0);
2658 tt_int_op(ret
, OP_EQ
, 0);
2660 cert
= tor_malloc_zero(sizeof(tor_x509_cert_t
));
2661 ret
= tor_tls_cert_is_valid(LOG_WARN
, cert
, scert
, 0);
2662 tt_int_op(ret
, OP_EQ
, 0);
2666 cert
= tor_x509_cert_new(read_cert_from(validCertString
));
2667 scert
= tor_x509_cert_new(read_cert_from(caCertString
));
2668 ret
= tor_tls_cert_is_valid(LOG_WARN
, cert
, scert
, 0);
2669 tt_int_op(ret
, OP_EQ
, 1);
2671 #ifndef OPENSSL_OPAQUE
2672 tor_x509_cert_free(cert
);
2673 tor_x509_cert_free(scert
);
2674 cert
= tor_x509_cert_new(read_cert_from(validCertString
));
2675 scert
= tor_x509_cert_new(read_cert_from(caCertString
));
2676 ASN1_TIME_free(cert
->cert
->cert_info
->validity
->notAfter
);
2677 cert
->cert
->cert_info
->validity
->notAfter
=
2678 ASN1_TIME_set(NULL
, time(NULL
)-1000000);
2679 ret
= tor_tls_cert_is_valid(LOG_WARN
, cert
, scert
, 0);
2680 tt_int_op(ret
, OP_EQ
, 0);
2682 tor_x509_cert_free(cert
);
2683 tor_x509_cert_free(scert
);
2684 cert
= tor_x509_cert_new(read_cert_from(validCertString
));
2685 scert
= tor_x509_cert_new(read_cert_from(caCertString
));
2686 X509_PUBKEY_free(cert
->cert
->cert_info
->key
);
2687 cert
->cert
->cert_info
->key
= NULL
;
2688 ret
= tor_tls_cert_is_valid(LOG_WARN
, cert
, scert
, 1);
2689 tt_int_op(ret
, OP_EQ
, 0);
2693 tor_x509_cert_free(cert
);
2694 tor_x509_cert_free(scert
);
2695 cert
= tor_x509_cert_new(read_cert_from(validCertString
));
2696 scert
= tor_x509_cert_new(read_cert_from(caCertString
));
2697 /* This doesn't actually change the key in the cert. XXXXXX */
2698 BN_one(EVP_PKEY_get1_RSA(X509_get_pubkey(cert
->cert
))->n
);
2699 ret
= tor_tls_cert_is_valid(LOG_WARN
, cert
, scert
, 1);
2700 tt_int_op(ret
, OP_EQ
, 0);
2702 tor_x509_cert_free(cert
);
2703 tor_x509_cert_free(scert
);
2704 cert
= tor_x509_cert_new(read_cert_from(validCertString
));
2705 scert
= tor_x509_cert_new(read_cert_from(caCertString
));
2706 /* This doesn't actually change the key in the cert. XXXXXX */
2707 X509_get_pubkey(cert
->cert
)->type
= EVP_PKEY_EC
;
2708 ret
= tor_tls_cert_is_valid(LOG_WARN
, cert
, scert
, 1);
2709 tt_int_op(ret
, OP_EQ
, 0);
2711 tor_x509_cert_free(cert
);
2712 tor_x509_cert_free(scert
);
2713 cert
= tor_x509_cert_new(read_cert_from(validCertString
));
2714 scert
= tor_x509_cert_new(read_cert_from(caCertString
));
2715 /* This doesn't actually change the key in the cert. XXXXXX */
2716 X509_get_pubkey(cert
->cert
)->type
= EVP_PKEY_EC
;
2717 ret
= tor_tls_cert_is_valid(LOG_WARN
, cert
, scert
, 0);
2718 tt_int_op(ret
, OP_EQ
, 1);
2720 tor_x509_cert_free(cert
);
2721 tor_x509_cert_free(scert
);
2722 cert
= tor_x509_cert_new(read_cert_from(validCertString
));
2723 scert
= tor_x509_cert_new(read_cert_from(caCertString
));
2724 /* This doesn't actually change the key in the cert. XXXXXX */
2725 X509_get_pubkey(cert
->cert
)->type
= EVP_PKEY_EC
;
2726 X509_get_pubkey(cert
->cert
)->ameth
= NULL
;
2727 ret
= tor_tls_cert_is_valid(LOG_WARN
, cert
, scert
, 0);
2728 tt_int_op(ret
, OP_EQ
, 0);
2732 tor_x509_cert_free(cert
);
2733 tor_x509_cert_free(scert
);
2737 test_tortls_context_init_one(void *ignored
)
2741 tor_tls_context_t
*old
= NULL
;
2743 MOCK(crypto_pk_new
, fixed_crypto_pk_new
);
2745 fixed_crypto_pk_new_result_index
= 0;
2746 fixed_crypto_pk_new_result
[0] = NULL
;
2747 ret
= tor_tls_context_init_one(&old
, NULL
, 0, 0, 0);
2748 tt_int_op(ret
, OP_EQ
, -1);
2751 UNMOCK(crypto_pk_new
);
2754 #define LOCAL_TEST_CASE(name, flags) \
2755 { #name, test_tortls_##name, (flags|TT_FORK), NULL, NULL }
2757 #ifdef OPENSSL_OPAQUE
2758 #define INTRUSIVE_TEST_CASE(name, flags) \
2759 { #name, NULL, TT_SKIP, NULL, NULL }
2761 #define INTRUSIVE_TEST_CASE(name, flags) LOCAL_TEST_CASE(name, flags)
2764 struct testcase_t tortls_tests
[] = {
2765 LOCAL_TEST_CASE(errno_to_tls_error
, 0),
2766 LOCAL_TEST_CASE(err_to_string
, 0),
2767 LOCAL_TEST_CASE(tor_tls_new
, TT_FORK
),
2768 LOCAL_TEST_CASE(tor_tls_get_error
, 0),
2769 LOCAL_TEST_CASE(get_state_description
, TT_FORK
),
2770 LOCAL_TEST_CASE(get_by_ssl
, TT_FORK
),
2771 LOCAL_TEST_CASE(allocate_tor_tls_object_ex_data_index
, TT_FORK
),
2772 LOCAL_TEST_CASE(log_one_error
, TT_FORK
),
2773 INTRUSIVE_TEST_CASE(get_error
, TT_FORK
),
2774 LOCAL_TEST_CASE(always_accept_verify_cb
, 0),
2775 INTRUSIVE_TEST_CASE(x509_cert_free
, 0),
2776 LOCAL_TEST_CASE(x509_cert_get_id_digests
, 0),
2777 INTRUSIVE_TEST_CASE(cert_matches_key
, 0),
2778 INTRUSIVE_TEST_CASE(cert_get_key
, 0),
2779 LOCAL_TEST_CASE(get_my_client_auth_key
, TT_FORK
),
2780 LOCAL_TEST_CASE(get_my_certs
, TT_FORK
),
2781 INTRUSIVE_TEST_CASE(get_ciphersuite_name
, 0),
2782 INTRUSIVE_TEST_CASE(classify_client_ciphers
, 0),
2783 LOCAL_TEST_CASE(client_is_using_v2_ciphers
, 0),
2784 INTRUSIVE_TEST_CASE(verify
, 0),
2785 INTRUSIVE_TEST_CASE(check_lifetime
, 0),
2786 INTRUSIVE_TEST_CASE(get_pending_bytes
, 0),
2787 LOCAL_TEST_CASE(get_forced_write_size
, 0),
2788 LOCAL_TEST_CASE(get_write_overhead_ratio
, TT_FORK
),
2789 LOCAL_TEST_CASE(used_v1_handshake
, TT_FORK
),
2790 LOCAL_TEST_CASE(get_num_server_handshakes
, 0),
2791 LOCAL_TEST_CASE(server_got_renegotiate
, 0),
2792 INTRUSIVE_TEST_CASE(SSL_SESSION_get_master_key
, 0),
2793 INTRUSIVE_TEST_CASE(get_tlssecrets
, 0),
2794 INTRUSIVE_TEST_CASE(get_buffer_sizes
, 0),
2795 LOCAL_TEST_CASE(evaluate_ecgroup_for_tls
, 0),
2796 INTRUSIVE_TEST_CASE(try_to_extract_certs_from_tls
, 0),
2797 INTRUSIVE_TEST_CASE(get_peer_cert
, 0),
2798 INTRUSIVE_TEST_CASE(peer_has_cert
, 0),
2799 INTRUSIVE_TEST_CASE(shutdown
, 0),
2800 INTRUSIVE_TEST_CASE(finish_handshake
, 0),
2801 INTRUSIVE_TEST_CASE(handshake
, 0),
2802 INTRUSIVE_TEST_CASE(write
, 0),
2803 INTRUSIVE_TEST_CASE(read
, 0),
2804 INTRUSIVE_TEST_CASE(server_info_callback
, 0),
2805 LOCAL_TEST_CASE(is_server
, 0),
2806 INTRUSIVE_TEST_CASE(assert_renegotiation_unblocked
, 0),
2807 INTRUSIVE_TEST_CASE(block_renegotiation
, 0),
2808 INTRUSIVE_TEST_CASE(unblock_renegotiation
, 0),
2809 INTRUSIVE_TEST_CASE(set_renegotiate_callback
, 0),
2810 LOCAL_TEST_CASE(set_logged_address
, 0),
2811 INTRUSIVE_TEST_CASE(find_cipher_by_id
, 0),
2812 INTRUSIVE_TEST_CASE(session_secret_cb
, 0),
2813 INTRUSIVE_TEST_CASE(debug_state_callback
, 0),
2814 INTRUSIVE_TEST_CASE(context_new
, 0),
2815 LOCAL_TEST_CASE(create_certificate
, 0),
2816 LOCAL_TEST_CASE(cert_new
, 0),
2817 LOCAL_TEST_CASE(cert_is_valid
, 0),
2818 LOCAL_TEST_CASE(context_init_one
, 0),