search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Prop210: Refactor connection_get_* to produce lists and counts
[tor.git] / src / test / test_link_handshake.c
blob7ad2c30d0f35aa39c8d7a22ac9fb6ca8f8891562
1 /* Copyright (c) 2014, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3
4 #include "orconfig.h"
5
6 #define CHANNELTLS_PRIVATE
7 #define CONNECTION_PRIVATE
8 #define TOR_CHANNEL_INTERNAL_
9 #include "or.h"
10 #include "config.h"
11 #include "connection.h"
12 #include "connection_or.h"
13 #include "channeltls.h"
14 #include "link_handshake.h"
15 #include "scheduler.h"
16
17 #include "test.h"
18
19 var_cell_t *mock_got_var_cell = NULL;
20
21 static void
22 mock_write_var_cell(const var_cell_t *vc, or_connection_t *conn)
23 {
24 (void)conn;
25
26 var_cell_t *newcell = var_cell_new(vc->payload_len);
27 memcpy(newcell, vc, sizeof(var_cell_t));
28 memcpy(newcell->payload, vc->payload, vc->payload_len);
29
30 mock_got_var_cell = newcell;
31 }
32 static int
33 mock_tls_cert_matches_key(const tor_tls_t *tls, const tor_x509_cert_t *cert)
34 {
35 (void) tls;
36 (void) cert; // XXXX look at this.
37 return 1;
38 }
39
40 static int mock_send_netinfo_called = 0;
41 static int
42 mock_send_netinfo(or_connection_t *conn)
43 {
44 (void) conn;
45 ++mock_send_netinfo_called;// XXX check_this
46 return 0;
47 }
48
49 static int mock_close_called = 0;
50 static void
51 mock_close_for_err(or_connection_t *orconn, int flush)
52 {
53 (void)orconn;
54 (void)flush;
55 ++mock_close_called;
56 }
57
58 static int mock_send_authenticate_called = 0;
59 static int
60 mock_send_authenticate(or_connection_t *conn, int type)
61 {
62 (void) conn;
63 (void) type;
64 ++mock_send_authenticate_called;// XXX check_this
65 return 0;
66 }
67
68 /* Test good certs cells */
69 static void
70 test_link_handshake_certs_ok(void *arg)
71 {
72 (void) arg;
73
74 or_connection_t *c1 = or_connection_new(CONN_TYPE_OR, AF_INET);
75 or_connection_t *c2 = or_connection_new(CONN_TYPE_OR, AF_INET);
76 var_cell_t *cell1 = NULL, *cell2 = NULL;
77 certs_cell_t *cc1 = NULL, *cc2 = NULL;
78 channel_tls_t *chan1 = NULL, *chan2 = NULL;
79 crypto_pk_t *key1 = NULL, *key2 = NULL;
80
81 scheduler_init();
82
83 MOCK(tor_tls_cert_matches_key, mock_tls_cert_matches_key);
84 MOCK(connection_or_write_var_cell_to_buf, mock_write_var_cell);
85 MOCK(connection_or_send_netinfo, mock_send_netinfo);
86
87 key1 = pk_generate(2);
88 key2 = pk_generate(3);
89
90 /* We need to make sure that our TLS certificates are set up before we can
91 * actually generate a CERTS cell.
92 */
93 tt_int_op(tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER,
94 key1, key2, 86400), ==, 0);
95
96 c1->base_.state = OR_CONN_STATE_OR_HANDSHAKING_V3;
97 c1->link_proto = 3;
98 tt_int_op(connection_init_or_handshake_state(c1, 1), ==, 0);
99
100 c2->base_.state = OR_CONN_STATE_OR_HANDSHAKING_V3;
101 c2->link_proto = 3;
102 tt_int_op(connection_init_or_handshake_state(c2, 0), ==, 0);
103
104 tt_int_op(0, ==, connection_or_send_certs_cell(c1));
105 tt_assert(mock_got_var_cell);
106 cell1 = mock_got_var_cell;
107
108 tt_int_op(0, ==, connection_or_send_certs_cell(c2));
109 tt_assert(mock_got_var_cell);
110 cell2 = mock_got_var_cell;
111
112 tt_int_op(cell1->command, ==, CELL_CERTS);
113 tt_int_op(cell1->payload_len, >, 1);
114
115 tt_int_op(cell2->command, ==, CELL_CERTS);
116 tt_int_op(cell2->payload_len, >, 1);
117
118 tt_int_op(cell1->payload_len, ==,
119 certs_cell_parse(&cc1, cell1->payload, cell1->payload_len));
120 tt_int_op(cell2->payload_len, ==,
121 certs_cell_parse(&cc2, cell2->payload, cell2->payload_len));
122
123 tt_int_op(2, ==, cc1->n_certs);
124 tt_int_op(2, ==, cc2->n_certs);
125
126 tt_int_op(certs_cell_get_certs(cc1, 0)->cert_type, ==,
127 CERTTYPE_RSA1024_ID_AUTH);
128 tt_int_op(certs_cell_get_certs(cc1, 1)->cert_type, ==,
129 CERTTYPE_RSA1024_ID_ID);
130
131 tt_int_op(certs_cell_get_certs(cc2, 0)->cert_type, ==,
132 CERTTYPE_RSA1024_ID_LINK);
133 tt_int_op(certs_cell_get_certs(cc2, 1)->cert_type, ==,
134 CERTTYPE_RSA1024_ID_ID);
135
136 chan1 = tor_malloc_zero(sizeof(*chan1));
137 channel_tls_common_init(chan1);
138 c1->chan = chan1;
139 chan1->conn = c1;
140 c1->base_.address = tor_strdup("C1");
141 c1->tls = tor_tls_new(-1, 0);
142 c1->link_proto = 4;
143 c1->base_.conn_array_index = -1;
144 crypto_pk_get_digest(key2, c1->identity_digest);
145
146 channel_tls_process_certs_cell(cell2, chan1);
147
148 tt_assert(c1->handshake_state->received_certs_cell);
149 tt_assert(c1->handshake_state->auth_cert == NULL);
150 tt_assert(c1->handshake_state->id_cert);
151 tt_assert(! tor_mem_is_zero(
152 (char*)c1->handshake_state->authenticated_peer_id, 20));
153
154 chan2 = tor_malloc_zero(sizeof(*chan2));
155 channel_tls_common_init(chan2);
156 c2->chan = chan2;
157 chan2->conn = c2;
158 c2->base_.address = tor_strdup("C2");
159 c2->tls = tor_tls_new(-1, 1);
160 c2->link_proto = 4;
161 c2->base_.conn_array_index = -1;
162 crypto_pk_get_digest(key1, c2->identity_digest);
163
164 channel_tls_process_certs_cell(cell1, chan2);
165
166 tt_assert(c2->handshake_state->received_certs_cell);
167 tt_assert(c2->handshake_state->auth_cert);
168 tt_assert(c2->handshake_state->id_cert);
169 tt_assert(tor_mem_is_zero(
170 (char*)c2->handshake_state->authenticated_peer_id, 20));
171
172 done:
173 UNMOCK(tor_tls_cert_matches_key);
174 UNMOCK(connection_or_write_var_cell_to_buf);
175 UNMOCK(connection_or_send_netinfo);
176 connection_free_(TO_CONN(c1));
177 connection_free_(TO_CONN(c2));
178 tor_free(cell1);
179 tor_free(cell2);
180 certs_cell_free(cc1);
181 certs_cell_free(cc2);
182 if (chan1)
183 circuitmux_free(chan1->base_.cmux);
184 tor_free(chan1);
185 if (chan2)
186 circuitmux_free(chan2->base_.cmux);
187 tor_free(chan2);
188 crypto_pk_free(key1);
189 crypto_pk_free(key2);
190 }
191
192 typedef struct certs_data_s {
193 or_connection_t *c;
194 channel_tls_t *chan;
195 certs_cell_t *ccell;
196 var_cell_t *cell;
197 crypto_pk_t *key1, *key2;
198 } certs_data_t;
199
200 static int
201 recv_certs_cleanup(const struct testcase_t *test, void *obj)
202 {
203 (void)test;
204 certs_data_t *d = obj;
205 UNMOCK(tor_tls_cert_matches_key);
206 UNMOCK(connection_or_send_netinfo);
207 UNMOCK(connection_or_close_for_error);
208
209 if (d) {
210 tor_free(d->cell);
211 certs_cell_free(d->ccell);
212 connection_free_(TO_CONN(d->c));
213 circuitmux_free(d->chan->base_.cmux);
214 tor_free(d->chan);
215 crypto_pk_free(d->key1);
216 crypto_pk_free(d->key2);
217 tor_free(d);
218 }
219 return 1;
220 }
221
222 static void *
223 recv_certs_setup(const struct testcase_t *test)
224 {
225 (void)test;
226 certs_data_t *d = tor_malloc_zero(sizeof(*d));
227 certs_cell_cert_t *ccc1 = NULL;
228 certs_cell_cert_t *ccc2 = NULL;
229 ssize_t n;
230
231 d->c = or_connection_new(CONN_TYPE_OR, AF_INET);
232 d->chan = tor_malloc_zero(sizeof(*d->chan));
233 d->c->chan = d->chan;
234 d->c->base_.address = tor_strdup("HaveAnAddress");
235 d->c->base_.state = OR_CONN_STATE_OR_HANDSHAKING_V3;
236 d->chan->conn = d->c;
237 tt_int_op(connection_init_or_handshake_state(d->c, 1), ==, 0);
238 d->c->link_proto = 4;
239
240 d->key1 = pk_generate(2);
241 d->key2 = pk_generate(3);
242
243 tt_int_op(tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER,
244 d->key1, d->key2, 86400), ==, 0);
245 d->ccell = certs_cell_new();
246 ccc1 = certs_cell_cert_new();
247 certs_cell_add_certs(d->ccell, ccc1);
248 ccc2 = certs_cell_cert_new();
249 certs_cell_add_certs(d->ccell, ccc2);
250 d->ccell->n_certs = 2;
251 ccc1->cert_type = 1;
252 ccc2->cert_type = 2;
253
254 const tor_x509_cert_t *a,*b;
255 const uint8_t *enca, *encb;
256 size_t lena, lenb;
257 tor_tls_get_my_certs(1, &a, &b);
258 tor_x509_cert_get_der(a, &enca, &lena);
259 tor_x509_cert_get_der(b, &encb, &lenb);
260 certs_cell_cert_setlen_body(ccc1, lena);
261 ccc1->cert_len = lena;
262 certs_cell_cert_setlen_body(ccc2, lenb);
263 ccc2->cert_len = lenb;
264
265 memcpy(certs_cell_cert_getarray_body(ccc1), enca, lena);
266 memcpy(certs_cell_cert_getarray_body(ccc2), encb, lenb);
267
268 d->cell = var_cell_new(4096);
269 d->cell->command = CELL_CERTS;
270
271 n = certs_cell_encode(d->cell->payload, 4096, d->ccell);
272 tt_int_op(n, >, 0);
273 d->cell->payload_len = n;
274
275 MOCK(tor_tls_cert_matches_key, mock_tls_cert_matches_key);
276 MOCK(connection_or_send_netinfo, mock_send_netinfo);
277 MOCK(connection_or_close_for_error, mock_close_for_err);
278
279 tt_int_op(0, ==, d->c->handshake_state->received_certs_cell);
280 tt_int_op(0, ==, mock_send_authenticate_called);
281 tt_int_op(0, ==, mock_send_netinfo_called);
282
283 return d;
284 done:
285 recv_certs_cleanup(test, d);
286 return NULL;
287 }
288
289 static struct testcase_setup_t setup_recv_certs = {
290 .setup_fn = recv_certs_setup,
291 .cleanup_fn = recv_certs_cleanup
292 };
293
294 static void
295 test_link_handshake_recv_certs_ok(void *arg)
296 {
297 certs_data_t *d = arg;
298 channel_tls_process_certs_cell(d->cell, d->chan);
299 tt_int_op(0, ==, mock_close_called);
300 tt_int_op(d->c->handshake_state->authenticated, ==, 1);
301 tt_int_op(d->c->handshake_state->received_certs_cell, ==, 1);
302 tt_assert(d->c->handshake_state->id_cert != NULL);
303 tt_assert(d->c->handshake_state->auth_cert == NULL);
304
305 done:
306 ;
307 }
308
309 static void
310 test_link_handshake_recv_certs_ok_server(void *arg)
311 {
312 certs_data_t *d = arg;
313 d->c->handshake_state->started_here = 0;
314 certs_cell_get_certs(d->ccell, 0)->cert_type = 3;
315 certs_cell_get_certs(d->ccell, 1)->cert_type = 2;
316 ssize_t n = certs_cell_encode(d->cell->payload, 2048, d->ccell);
317 tt_int_op(n, >, 0);
318 d->cell->payload_len = n;
319 channel_tls_process_certs_cell(d->cell, d->chan);
320 tt_int_op(0, ==, mock_close_called);
321 tt_int_op(d->c->handshake_state->authenticated, ==, 0);
322 tt_int_op(d->c->handshake_state->received_certs_cell, ==, 1);
323 tt_assert(d->c->handshake_state->id_cert != NULL);
324 tt_assert(d->c->handshake_state->auth_cert != NULL);
325
326 done:
327 ;
328 }
329
330 #define CERTS_FAIL(name, code) \
331 static void \
332 test_link_handshake_recv_certs_ ## name(void *arg) \
333 { \
334 certs_data_t *d = arg; \
335 { code ; } \
336 channel_tls_process_certs_cell(d->cell, d->chan); \
337 tt_int_op(1, ==, mock_close_called); \
338 tt_int_op(0, ==, mock_send_authenticate_called); \
339 tt_int_op(0, ==, mock_send_netinfo_called); \
340 done: \
341 ; \
342 }
343
344 CERTS_FAIL(badstate, d->c->base_.state = OR_CONN_STATE_CONNECTING)
345 CERTS_FAIL(badproto, d->c->link_proto = 2)
346 CERTS_FAIL(duplicate, d->c->handshake_state->received_certs_cell = 1)
347 CERTS_FAIL(already_authenticated,
348 d->c->handshake_state->authenticated = 1)
349 CERTS_FAIL(empty, d->cell->payload_len = 0)
350 CERTS_FAIL(bad_circid, d->cell->circ_id = 1)
351 CERTS_FAIL(truncated_1, d->cell->payload[0] = 5)
352 CERTS_FAIL(truncated_2,
353 {
354 d->cell->payload_len = 4;
355 memcpy(d->cell->payload, "\x01\x01\x00\x05", 4);
356 })
357 CERTS_FAIL(truncated_3,
358 {
359 d->cell->payload_len = 7;
360 memcpy(d->cell->payload, "\x01\x01\x00\x05""abc", 7);
361 })
362 #define REENCODE() do { \
363 ssize_t n = certs_cell_encode(d->cell->payload, 4096, d->ccell); \
364 tt_int_op(n, >, 0); \
365 d->cell->payload_len = n; \
366 } while (0)
367
368 CERTS_FAIL(not_x509,
369 {
370 certs_cell_cert_setlen_body(certs_cell_get_certs(d->ccell, 0), 3);
371 certs_cell_get_certs(d->ccell, 0)->cert_len = 3;
372 REENCODE();
373 })
374 CERTS_FAIL(both_link,
375 {
376 certs_cell_get_certs(d->ccell, 0)->cert_type = 1;
377 certs_cell_get_certs(d->ccell, 1)->cert_type = 1;
378 REENCODE();
379 })
380 CERTS_FAIL(both_id_rsa,
381 {
382 certs_cell_get_certs(d->ccell, 0)->cert_type = 2;
383 certs_cell_get_certs(d->ccell, 1)->cert_type = 2;
384 REENCODE();
385 })
386 CERTS_FAIL(both_auth,
387 {
388 certs_cell_get_certs(d->ccell, 0)->cert_type = 3;
389 certs_cell_get_certs(d->ccell, 1)->cert_type = 3;
390 REENCODE();
391 })
392 CERTS_FAIL(wrong_labels_1,
393 {
394 certs_cell_get_certs(d->ccell, 0)->cert_type = 2;
395 certs_cell_get_certs(d->ccell, 1)->cert_type = 1;
396 REENCODE();
397 })
398 CERTS_FAIL(wrong_labels_2,
399 {
400 const tor_x509_cert_t *a;
401 const tor_x509_cert_t *b;
402 const uint8_t *enca;
403 size_t lena;
404 tor_tls_get_my_certs(1, &a, &b);
405 tor_x509_cert_get_der(a, &enca, &lena);
406 certs_cell_cert_setlen_body(certs_cell_get_certs(d->ccell, 1), lena);
407 memcpy(certs_cell_cert_getarray_body(certs_cell_get_certs(d->ccell, 1)),
408 enca, lena);
409 certs_cell_get_certs(d->ccell, 1)->cert_len = lena;
410 REENCODE();
411 })
412 CERTS_FAIL(wrong_labels_3,
413 {
414 certs_cell_get_certs(d->ccell, 0)->cert_type = 2;
415 certs_cell_get_certs(d->ccell, 1)->cert_type = 3;
416 REENCODE();
417 })
418 CERTS_FAIL(server_missing_certs,
419 {
420 d->c->handshake_state->started_here = 0;
421 })
422 CERTS_FAIL(server_wrong_labels_1,
423 {
424 d->c->handshake_state->started_here = 0;
425 certs_cell_get_certs(d->ccell, 0)->cert_type = 2;
426 certs_cell_get_certs(d->ccell, 1)->cert_type = 3;
427 REENCODE();
428 })
429
430 static void
431 test_link_handshake_send_authchallenge(void *arg)
432 {
433 (void)arg;
434
435 or_connection_t *c1 = or_connection_new(CONN_TYPE_OR, AF_INET);
436 var_cell_t *cell1=NULL, *cell2=NULL;
437
438 MOCK(connection_or_write_var_cell_to_buf, mock_write_var_cell);
439
440 tt_int_op(connection_init_or_handshake_state(c1, 0), ==, 0);
441 c1->base_.state = OR_CONN_STATE_OR_HANDSHAKING_V3;
442 tt_assert(! mock_got_var_cell);
443 tt_int_op(0, ==, connection_or_send_auth_challenge_cell(c1));
444 cell1 = mock_got_var_cell;
445 tt_int_op(0, ==, connection_or_send_auth_challenge_cell(c1));
446 cell2 = mock_got_var_cell;
447 tt_int_op(36, ==, cell1->payload_len);
448 tt_int_op(36, ==, cell2->payload_len);
449 tt_int_op(0, ==, cell1->circ_id);
450 tt_int_op(0, ==, cell2->circ_id);
451 tt_int_op(CELL_AUTH_CHALLENGE, ==, cell1->command);
452 tt_int_op(CELL_AUTH_CHALLENGE, ==, cell2->command);
453
454 tt_mem_op("\x00\x01\x00\x01", ==, cell1->payload + 32, 4);
455 tt_mem_op("\x00\x01\x00\x01", ==, cell2->payload + 32, 4);
456 tt_mem_op(cell1->payload, !=, cell2->payload, 32);
457
458 done:
459 UNMOCK(connection_or_write_var_cell_to_buf);
460 connection_free_(TO_CONN(c1));
461 tor_free(cell1);
462 tor_free(cell2);
463 }
464
465 typedef struct authchallenge_data_s {
466 or_connection_t *c;
467 channel_tls_t *chan;
468 var_cell_t *cell;
469 } authchallenge_data_t;
470
471 static int
472 recv_authchallenge_cleanup(const struct testcase_t *test, void *obj)
473 {
474 (void)test;
475 authchallenge_data_t *d = obj;
476
477 UNMOCK(connection_or_send_netinfo);
478 UNMOCK(connection_or_close_for_error);
479 UNMOCK(connection_or_send_authenticate_cell);
480
481 if (d) {
482 tor_free(d->cell);
483 connection_free_(TO_CONN(d->c));
484 circuitmux_free(d->chan->base_.cmux);
485 tor_free(d->chan);
486 tor_free(d);
487 }
488 return 1;
489 }
490
491 static void *
492 recv_authchallenge_setup(const struct testcase_t *test)
493 {
494 (void)test;
495 authchallenge_data_t *d = tor_malloc_zero(sizeof(*d));
496 d->c = or_connection_new(CONN_TYPE_OR, AF_INET);
497 d->chan = tor_malloc_zero(sizeof(*d->chan));
498 d->c->chan = d->chan;
499 d->c->base_.address = tor_strdup("HaveAnAddress");
500 d->c->base_.state = OR_CONN_STATE_OR_HANDSHAKING_V3;
501 d->chan->conn = d->c;
502 tt_int_op(connection_init_or_handshake_state(d->c, 1), ==, 0);
503 d->c->link_proto = 4;
504 d->c->handshake_state->received_certs_cell = 1;
505 d->cell = var_cell_new(128);
506 d->cell->payload_len = 38;
507 d->cell->payload[33] = 2;
508 d->cell->payload[35] = 7;
509 d->cell->payload[37] = 1;
510 d->cell->command = CELL_AUTH_CHALLENGE;
511
512 get_options_mutable()->ORPort_set = 1;
513
514 MOCK(connection_or_close_for_error, mock_close_for_err);
515 MOCK(connection_or_send_netinfo, mock_send_netinfo);
516 MOCK(connection_or_send_authenticate_cell, mock_send_authenticate);
517
518 tt_int_op(0, ==, d->c->handshake_state->received_auth_challenge);
519 tt_int_op(0, ==, mock_send_authenticate_called);
520 tt_int_op(0, ==, mock_send_netinfo_called);
521
522 return d;
523 done:
524 recv_authchallenge_cleanup(test, d);
525 return NULL;
526 }
527
528 static struct testcase_setup_t setup_recv_authchallenge = {
529 .setup_fn = recv_authchallenge_setup,
530 .cleanup_fn = recv_authchallenge_cleanup
531 };
532
533 static void
534 test_link_handshake_recv_authchallenge_ok(void *arg)
535 {
536 authchallenge_data_t *d = arg;
537
538 channel_tls_process_auth_challenge_cell(d->cell, d->chan);
539 tt_int_op(0, ==, mock_close_called);
540 tt_int_op(1, ==, d->c->handshake_state->received_auth_challenge);
541 tt_int_op(1, ==, mock_send_authenticate_called);
542 tt_int_op(1, ==, mock_send_netinfo_called);
543 done:
544 ;
545 }
546
547 static void
548 test_link_handshake_recv_authchallenge_ok_noserver(void *arg)
549 {
550 authchallenge_data_t *d = arg;
551 get_options_mutable()->ORPort_set = 0;
552
553 channel_tls_process_auth_challenge_cell(d->cell, d->chan);
554 tt_int_op(0, ==, mock_close_called);
555 tt_int_op(1, ==, d->c->handshake_state->received_auth_challenge);
556 tt_int_op(0, ==, mock_send_authenticate_called);
557 tt_int_op(0, ==, mock_send_netinfo_called);
558 done:
559 ;
560 }
561
562 static void
563 test_link_handshake_recv_authchallenge_ok_unrecognized(void *arg)
564 {
565 authchallenge_data_t *d = arg;
566 d->cell->payload[37] = 99;
567
568 channel_tls_process_auth_challenge_cell(d->cell, d->chan);
569 tt_int_op(0, ==, mock_close_called);
570 tt_int_op(1, ==, d->c->handshake_state->received_auth_challenge);
571 tt_int_op(0, ==, mock_send_authenticate_called);
572 tt_int_op(1, ==, mock_send_netinfo_called);
573 done:
574 ;
575 }
576
577 #define AUTHCHALLENGE_FAIL(name, code) \
578 static void \
579 test_link_handshake_recv_authchallenge_ ## name(void *arg) \
580 { \
581 authchallenge_data_t *d = arg; \
582 { code ; } \
583 channel_tls_process_auth_challenge_cell(d->cell, d->chan); \
584 tt_int_op(1, ==, mock_close_called); \
585 tt_int_op(0, ==, mock_send_authenticate_called); \
586 tt_int_op(0, ==, mock_send_netinfo_called); \
587 done: \
588 ; \
589 }
590
591 AUTHCHALLENGE_FAIL(badstate,
592 d->c->base_.state = OR_CONN_STATE_CONNECTING)
593 AUTHCHALLENGE_FAIL(badproto,
594 d->c->link_proto = 2)
595 AUTHCHALLENGE_FAIL(as_server,
596 d->c->handshake_state->started_here = 0;)
597 AUTHCHALLENGE_FAIL(duplicate,
598 d->c->handshake_state->received_auth_challenge = 1)
599 AUTHCHALLENGE_FAIL(nocerts,
600 d->c->handshake_state->received_certs_cell = 0)
601 AUTHCHALLENGE_FAIL(tooshort,
602 d->cell->payload_len = 33)
603 AUTHCHALLENGE_FAIL(truncated,
604 d->cell->payload_len = 34)
605 AUTHCHALLENGE_FAIL(nonzero_circid,
606 d->cell->circ_id = 1337)
607
608 static tor_x509_cert_t *mock_peer_cert = NULL;
609 static tor_x509_cert_t *
610 mock_get_peer_cert(tor_tls_t *tls)
611 {
612 (void)tls;
613 return mock_peer_cert;
614 }
615
616 static int
617 mock_get_tlssecrets(tor_tls_t *tls, uint8_t *secrets_out)
618 {
619 (void)tls;
620 memcpy(secrets_out, "int getRandomNumber(){return 4;}", 32);
621 return 0;
622 }
623
624 static void
625 mock_set_circid_type(channel_t *chan,
626 crypto_pk_t *identity_rcvd,
627 int consider_identity)
628 {
629 (void) chan;
630 (void) identity_rcvd;
631 (void) consider_identity;
632 }
633
634 typedef struct authenticate_data_s {
635 or_connection_t *c1, *c2;
636 channel_tls_t *chan2;
637 var_cell_t *cell;
638 crypto_pk_t *key1, *key2;
639 } authenticate_data_t;
640
641 static int
642 authenticate_data_cleanup(const struct testcase_t *test, void *arg)
643 {
644 (void) test;
645 UNMOCK(connection_or_write_var_cell_to_buf);
646 UNMOCK(tor_tls_get_peer_cert);
647 UNMOCK(tor_tls_get_tlssecrets);
648 UNMOCK(connection_or_close_for_error);
649 UNMOCK(channel_set_circid_type);
650 authenticate_data_t *d = arg;
651 if (d) {
652 tor_free(d->cell);
653 connection_free_(TO_CONN(d->c1));
654 connection_free_(TO_CONN(d->c2));
655 circuitmux_free(d->chan2->base_.cmux);
656 tor_free(d->chan2);
657 crypto_pk_free(d->key1);
658 crypto_pk_free(d->key2);
659 tor_free(d);
660 }
661 mock_peer_cert = NULL;
662
663 return 1;
664 }
665
666 static void *
667 authenticate_data_setup(const struct testcase_t *test)
668 {
669 authenticate_data_t *d = tor_malloc_zero(sizeof(*d));
670
671 scheduler_init();
672
673 MOCK(connection_or_write_var_cell_to_buf, mock_write_var_cell);
674 MOCK(tor_tls_get_peer_cert, mock_get_peer_cert);
675 MOCK(tor_tls_get_tlssecrets, mock_get_tlssecrets);
676 MOCK(connection_or_close_for_error, mock_close_for_err);
677 MOCK(channel_set_circid_type, mock_set_circid_type);
678 d->c1 = or_connection_new(CONN_TYPE_OR, AF_INET);
679 d->c2 = or_connection_new(CONN_TYPE_OR, AF_INET);
680
681 d->key1 = pk_generate(2);
682 d->key2 = pk_generate(3);
683 tt_int_op(tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER,
684 d->key1, d->key2, 86400), ==, 0);
685
686 d->c1->base_.state = OR_CONN_STATE_OR_HANDSHAKING_V3;
687 d->c1->link_proto = 3;
688 tt_int_op(connection_init_or_handshake_state(d->c1, 1), ==, 0);
689
690 d->c2->base_.state = OR_CONN_STATE_OR_HANDSHAKING_V3;
691 d->c2->link_proto = 3;
692 tt_int_op(connection_init_or_handshake_state(d->c2, 0), ==, 0);
693 var_cell_t *cell = var_cell_new(16);
694 cell->command = CELL_CERTS;
695 or_handshake_state_record_var_cell(d->c1, d->c1->handshake_state, cell, 1);
696 or_handshake_state_record_var_cell(d->c2, d->c2->handshake_state, cell, 0);
697 memset(cell->payload, 0xf0, 16);
698 or_handshake_state_record_var_cell(d->c1, d->c1->handshake_state, cell, 0);
699 or_handshake_state_record_var_cell(d->c2, d->c2->handshake_state, cell, 1);
700 tor_free(cell);
701
702 d->chan2 = tor_malloc_zero(sizeof(*d->chan2));
703 channel_tls_common_init(d->chan2);
704 d->c2->chan = d->chan2;
705 d->chan2->conn = d->c2;
706 d->c2->base_.address = tor_strdup("C2");
707 d->c2->tls = tor_tls_new(-1, 1);
708 d->c2->handshake_state->received_certs_cell = 1;
709
710 const tor_x509_cert_t *id_cert=NULL, *link_cert=NULL, *auth_cert=NULL;
711 tt_assert(! tor_tls_get_my_certs(1, &link_cert, &id_cert));
712
713 const uint8_t *der;
714 size_t sz;
715 tor_x509_cert_get_der(id_cert, &der, &sz);
716 d->c1->handshake_state->id_cert = tor_x509_cert_decode(der, sz);
717 d->c2->handshake_state->id_cert = tor_x509_cert_decode(der, sz);
718
719 tor_x509_cert_get_der(link_cert, &der, &sz);
720 mock_peer_cert = tor_x509_cert_decode(der, sz);
721 tt_assert(mock_peer_cert);
722 tt_assert(! tor_tls_get_my_certs(0, &auth_cert, &id_cert));
723 tor_x509_cert_get_der(auth_cert, &der, &sz);
724 d->c2->handshake_state->auth_cert = tor_x509_cert_decode(der, sz);
725
726 /* Make an authenticate cell ... */
727 tt_int_op(0, ==, connection_or_send_authenticate_cell(d->c1,
728 AUTHTYPE_RSA_SHA256_TLSSECRET));
729 tt_assert(mock_got_var_cell);
730 d->cell = mock_got_var_cell;
731 mock_got_var_cell = NULL;
732
733 return d;
734 done:
735 authenticate_data_cleanup(test, d);
736 return NULL;
737 }
738
739 static struct testcase_setup_t setup_authenticate = {
740 .setup_fn = authenticate_data_setup,
741 .cleanup_fn = authenticate_data_cleanup
742 };
743
744 static void
745 test_link_handshake_auth_cell(void *arg)
746 {
747 authenticate_data_t *d = arg;
748 auth1_t *auth1 = NULL;
749 crypto_pk_t *auth_pubkey = NULL;
750
751 /* Is the cell well-formed on the outer layer? */
752 tt_int_op(d->cell->command, ==, CELL_AUTHENTICATE);
753 tt_int_op(d->cell->payload[0], ==, 0);
754 tt_int_op(d->cell->payload[1], ==, 1);
755 tt_int_op(ntohs(get_uint16(d->cell->payload + 2)), ==,
756 d->cell->payload_len - 4);
757
758 /* Check it out for plausibility... */
759 auth_ctx_t ctx;
760 ctx.is_ed = 0;
761 tt_int_op(d->cell->payload_len-4, ==, auth1_parse(&auth1,
762 d->cell->payload+4,
763 d->cell->payload_len - 4, &ctx));
764 tt_assert(auth1);
765
766 tt_mem_op(auth1->type, ==, "AUTH0001", 8);
767 tt_mem_op(auth1->tlssecrets, ==, "int getRandomNumber(){return 4;}", 32);
768 tt_int_op(auth1_getlen_sig(auth1), >, 120);
769
770 /* Is the signature okay? */
771 uint8_t sig[128];
772 uint8_t digest[32];
773
774 auth_pubkey = tor_tls_cert_get_key(d->c2->handshake_state->auth_cert);
775 int n = crypto_pk_public_checksig(
776 auth_pubkey,
777 (char*)sig, sizeof(sig), (char*)auth1_getarray_sig(auth1),
778 auth1_getlen_sig(auth1));
779 tt_int_op(n, ==, 32);
780 const uint8_t *start = d->cell->payload+4, *end = auth1->end_of_signed;
781 crypto_digest256((char*)digest,
782 (const char*)start, end-start, DIGEST_SHA256);
783 tt_mem_op(sig, ==, digest, 32);
784
785 /* Then feed it to c2. */
786 tt_int_op(d->c2->handshake_state->authenticated, ==, 0);
787 channel_tls_process_authenticate_cell(d->cell, d->chan2);
788 tt_int_op(mock_close_called, ==, 0);
789 tt_int_op(d->c2->handshake_state->authenticated, ==, 1);
790
791 done:
792 auth1_free(auth1);
793 crypto_pk_free(auth_pubkey);
794 }
795
796 #define AUTHENTICATE_FAIL(name, code) \
797 static void \
798 test_link_handshake_auth_ ## name(void *arg) \
799 { \
800 authenticate_data_t *d = arg; \
801 { code ; } \
802 tt_int_op(d->c2->handshake_state->authenticated, ==, 0); \
803 channel_tls_process_authenticate_cell(d->cell, d->chan2); \
804 tt_int_op(mock_close_called, ==, 1); \
805 tt_int_op(d->c2->handshake_state->authenticated, ==, 0); \
806 done: \
807 ; \
808 }
809
810 AUTHENTICATE_FAIL(badstate,
811 d->c2->base_.state = OR_CONN_STATE_CONNECTING)
812 AUTHENTICATE_FAIL(badproto,
813 d->c2->link_proto = 2)
814 AUTHENTICATE_FAIL(atclient,
815 d->c2->handshake_state->started_here = 1)
816 AUTHENTICATE_FAIL(duplicate,
817 d->c2->handshake_state->received_authenticate = 1)
818 static void
819 test_link_handshake_auth_already_authenticated(void *arg)
820 {
821 authenticate_data_t *d = arg;
822 d->c2->handshake_state->authenticated = 1;
823 channel_tls_process_authenticate_cell(d->cell, d->chan2);
824 tt_int_op(mock_close_called, ==, 1);
825 tt_int_op(d->c2->handshake_state->authenticated, ==, 1);
826 done:
827 ;
828 }
829 AUTHENTICATE_FAIL(nocerts,
830 d->c2->handshake_state->received_certs_cell = 0)
831 AUTHENTICATE_FAIL(noidcert,
832 tor_x509_cert_free(d->c2->handshake_state->id_cert);
833 d->c2->handshake_state->id_cert = NULL)
834 AUTHENTICATE_FAIL(noauthcert,
835 tor_x509_cert_free(d->c2->handshake_state->auth_cert);
836 d->c2->handshake_state->auth_cert = NULL)
837 AUTHENTICATE_FAIL(tooshort,
838 d->cell->payload_len = 3)
839 AUTHENTICATE_FAIL(badtype,
840 d->cell->payload[0] = 0xff)
841 AUTHENTICATE_FAIL(truncated_1,
842 d->cell->payload[2]++)
843 AUTHENTICATE_FAIL(truncated_2,
844 d->cell->payload[3]++)
845 AUTHENTICATE_FAIL(tooshort_1,
846 tt_int_op(d->cell->payload_len, >=, 260);
847 d->cell->payload[2] -= 1;
848 d->cell->payload_len -= 256;)
849 AUTHENTICATE_FAIL(badcontent,
850 d->cell->payload[10] ^= 0xff)
851 AUTHENTICATE_FAIL(badsig_1,
852 d->cell->payload[d->cell->payload_len - 5] ^= 0xff)
853
854 #define TEST(name, flags) \
855 { #name , test_link_handshake_ ## name, (flags), NULL, NULL }
856
857 #define TEST_RCV_AUTHCHALLENGE(name) \
858 { "recv_authchallenge/" #name , \
859 test_link_handshake_recv_authchallenge_ ## name, TT_FORK, \
860 &setup_recv_authchallenge, NULL }
861
862 #define TEST_RCV_CERTS(name) \
863 { "recv_certs/" #name , \
864 test_link_handshake_recv_certs_ ## name, TT_FORK, \
865 &setup_recv_certs, NULL }
866
867 #define TEST_AUTHENTICATE(name) \
868 { "authenticate/" #name , test_link_handshake_auth_ ## name, TT_FORK, \
869 &setup_authenticate, NULL }
870
871 struct testcase_t link_handshake_tests[] = {
872 TEST(certs_ok, TT_FORK),
873 //TEST(certs_bad, TT_FORK),
874 TEST_RCV_CERTS(ok),
875 TEST_RCV_CERTS(ok_server),
876 TEST_RCV_CERTS(badstate),
877 TEST_RCV_CERTS(badproto),
878 TEST_RCV_CERTS(duplicate),
879 TEST_RCV_CERTS(already_authenticated),
880 TEST_RCV_CERTS(empty),
881 TEST_RCV_CERTS(bad_circid),
882 TEST_RCV_CERTS(truncated_1),
883 TEST_RCV_CERTS(truncated_2),
884 TEST_RCV_CERTS(truncated_3),
885 TEST_RCV_CERTS(not_x509),
886 TEST_RCV_CERTS(both_link),
887 TEST_RCV_CERTS(both_id_rsa),
888 TEST_RCV_CERTS(both_auth),
889 TEST_RCV_CERTS(wrong_labels_1),
890 TEST_RCV_CERTS(wrong_labels_2),
891 TEST_RCV_CERTS(wrong_labels_3),
892 TEST_RCV_CERTS(server_missing_certs),
893 TEST_RCV_CERTS(server_wrong_labels_1),
894
895 TEST(send_authchallenge, TT_FORK),
896 TEST_RCV_AUTHCHALLENGE(ok),
897 TEST_RCV_AUTHCHALLENGE(ok_noserver),
898 TEST_RCV_AUTHCHALLENGE(ok_unrecognized),
899 TEST_RCV_AUTHCHALLENGE(badstate),
900 TEST_RCV_AUTHCHALLENGE(badproto),
901 TEST_RCV_AUTHCHALLENGE(as_server),
902 TEST_RCV_AUTHCHALLENGE(duplicate),
903 TEST_RCV_AUTHCHALLENGE(nocerts),
904 TEST_RCV_AUTHCHALLENGE(tooshort),
905 TEST_RCV_AUTHCHALLENGE(truncated),
906 TEST_RCV_AUTHCHALLENGE(nonzero_circid),
907
908 TEST_AUTHENTICATE(cell),
909 TEST_AUTHENTICATE(badstate),
910 TEST_AUTHENTICATE(badproto),
911 TEST_AUTHENTICATE(atclient),
912 TEST_AUTHENTICATE(duplicate),
913 TEST_AUTHENTICATE(already_authenticated),
914 TEST_AUTHENTICATE(nocerts),
915 TEST_AUTHENTICATE(noidcert),
916 TEST_AUTHENTICATE(noauthcert),
917 TEST_AUTHENTICATE(tooshort),
918 TEST_AUTHENTICATE(badtype),
919 TEST_AUTHENTICATE(truncated_1),
920 TEST_AUTHENTICATE(truncated_2),
921 TEST_AUTHENTICATE(tooshort_1),
922 TEST_AUTHENTICATE(badcontent),
923 TEST_AUTHENTICATE(badsig_1),
924 //TEST_AUTHENTICATE(),
925
926 END_OF_TESTCASES
927 };
928
The Onion Router