
  1. /* Copyright (c) 2010-2018, The Tor Project, Inc. */
  2. /* See LICENSE for licensing information */
  3. #define TORTLS_PRIVATE
  4. #define TOR_X509_PRIVATE
  5. #define LOG_PRIVATE
  6. #include "orconfig.h"
  7. #ifdef _WIN32
  8. #include <winsock2.h>
  9. #endif
  10. #include <math.h>
  11. #include <stddef.h>
  12. #include "lib/cc/compat_compiler.h"
  13. #include "core/or/or.h"
  14. #include "lib/log/log.h"
  15. #include "app/config/config.h"
  16. #include "lib/crypt_ops/compat_openssl.h"
  17. #include "lib/tls/x509.h"
  18. #include "lib/tls/x509_internal.h"
  19. #include "lib/tls/tortls.h"
  20. #include "lib/tls/tortls_st.h"
  21. #include "lib/tls/tortls_internal.h"
  22. #include "lib/encoding/pem.h"
  23. #include "app/config/or_state_st.h"
  24. #include "test/test.h"
  25. #include "test/log_test_helpers.h"
  26. #include "test/test_tortls.h"
  27. #include "tinytest.h"
/* PEM-encoded X.509 certificates used as fixtures; read_cert_from() below
 * turns them into tor_x509_cert_impl_t objects for test_tortls_verify().
 *
 * notCompletelyValidCertString: decodes, but tor_tls_verify() must reject it
 * (test_tortls_verify() expects -1 when it is presented as both the link and
 * the identity certificate). */
const char* notCompletelyValidCertString =
"-----BEGIN CERTIFICATE-----\n"
"MIICVjCCAb8CAg37MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\n"
"A1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\n"
"MRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\n"
"YiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\n"
"ODIyMDUyNzIzWhcNMTcwODIxMDUyNzIzWjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\n"
"CAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\n"
"ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMYBBrx5PlP0WNI/ZdzD\n"
"+6Pktmurn+F2kQYbtc7XQh8/LTBvCo+P6iZoLEmUA9e7EXLRxgU1CVqeAi7QcAn9\n"
"MwBlc8ksFJHB0rtf9pmf8Oza9E0Bynlq/4/Kb1x+d+AyhL7oK9tQwB24uHOueHi1\n"
"C/iVv8CSWKiYe6hzN1txYe8rAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAASPdjigJ\n"
"kXCqKWpnZ/Oc75EUcMi6HztaW8abUMlYXPIgkV2F7YanHOB7K4f7OOLjiz8DTPFf\n"
"jC9UeuErhaA/zzWi8ewMTFZW/WshOrm3fNvcMrMLKtH534JKvcdMg6qIdjTFINIr\n"
"evnAhf0cwULaebn+lMs8Pdl7y37+sfluVok=\n"
"-----END CERTIFICATE-----\n";
/* validCertString: the link certificate that test_tortls_verify() expects to
 * verify successfully (return 0) when caCertString is the identity cert. */
const char* validCertString = "-----BEGIN CERTIFICATE-----\n"
"MIIDpTCCAY0CAg3+MA0GCSqGSIb3DQEBBQUAMF4xCzAJBgNVBAYTAlVTMREwDwYD\n"
"VQQIDAhJbGxpbm9pczEQMA4GA1UEBwwHQ2hpY2FnbzEUMBIGA1UECgwLVG9yIFRl\n"
"c3RpbmcxFDASBgNVBAMMC1RvciBUZXN0aW5nMB4XDTE1MDkwNjEzMzk1OVoXDTQz\n"
"MDEyMjEzMzk1OVowVjELMAkGA1UEBhMCVVMxEDAOBgNVBAcMB0NoaWNhZ28xFDAS\n"
"BgNVBAoMC1RvciBUZXN0aW5nMR8wHQYDVQQDDBZ0ZXN0aW5nLnRvcnByb2plY3Qu\n"
"b3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoT6uyVVhWyOF3wkHjjYbd\n"
"nKaykyRv4JVtKQdZ4OpEErmX1zw4MmyzpQNV6iR4bQnWiyLfzyVJMZDIC/WILBfX\n"
"w2Pza/yuLgUvDc3twMuhOACzOQVO8PrEF/aVv2+hbCCy2udXvKhnYn+CCXl3ozc8\n"
"XcKYvujTXDyvGWY3xwAjlQIDAQABMA0GCSqGSIb3DQEBBQUAA4ICAQCUvnhzQWuQ\n"
"MrN+pERkE+zcTI/9dGS90rUMMLgu8VDNqTa0TUQh8uO0EQ6uDvI8Js6e8tgwS0BR\n"
"UBahqb7ZHv+rejGCBr5OudqD+x4STiiuPNJVs86JTLN8SpM9CHjIBH5WCCN2KOy3\n"
"mevNoRcRRyYJzSFULCunIK6FGulszigMYGscrO4oiTkZiHPh9KvWT40IMiHfL+Lw\n"
"EtEWiLex6064LcA2YQ1AMuSZyCexks63lcfaFmQbkYOKqXa1oLkIRuDsOaSVjTfe\n"
"vec+X6jvf12cFTKS5WIeqkKF2Irt+dJoiHEGTe5RscUMN/f+gqHPzfFz5dR23sxo\n"
"g+HC6MZHlFkLAOx3wW6epPS8A/m1mw3zMPoTnb2U2YYt8T0dJMMlUn/7Y1sEAa+a\n"
"dSTMaeUf6VnJ//11m454EZl1to9Z7oJOgqmFffSrdD4BGIWe8f7hhW6L1Enmqe/J\n"
"BKL3wbzZh80O1W0bndAwhnEEhlzneFY84cbBo9pmVxpODHkUcStpr5Z7pBDrcL21\n"
"Ss/aB/1YrsVXhdvJdOGxl3Mnl9dUY57CympLGlT8f0pPS6GAKOelECOhFMHmJd8L\n"
"dj3XQSmKtYHevZ6IvuMXSlB/fJvSjSlkCuLo5+kJoaqPuRu+i/S1qxeRy3CBwmnE\n"
"LdSNdcX4N79GQJ996PA8+mUCQG7YRtK+WA==\n"
"-----END CERTIFICATE-----\n";
/* caCertString: the identity certificate paired with validCertString in
 * test_tortls_verify(); presumably its issuer -- the test only checks that
 * the pair verifies as a whole. */
const char* caCertString = "-----BEGIN CERTIFICATE-----\n"
"MIIFjzCCA3egAwIBAgIJAKd5WgyfPMYRMA0GCSqGSIb3DQEBCwUAMF4xCzAJBgNV\n"
"BAYTAlVTMREwDwYDVQQIDAhJbGxpbm9pczEQMA4GA1UEBwwHQ2hpY2FnbzEUMBIG\n"
"A1UECgwLVG9yIFRlc3RpbmcxFDASBgNVBAMMC1RvciBUZXN0aW5nMB4XDTE1MDkw\n"
"NjEzMzc0MVoXDTQzMDEyMjEzMzc0MVowXjELMAkGA1UEBhMCVVMxETAPBgNVBAgM\n"
"CElsbGlub2lzMRAwDgYDVQQHDAdDaGljYWdvMRQwEgYDVQQKDAtUb3IgVGVzdGlu\n"
"ZzEUMBIGA1UEAwwLVG9yIFRlc3RpbmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw\n"
"ggIKAoICAQCpLMUEiLW5leUgBZoEJms2V7lZRhIAjnJBhVMHD0e3UubNknmaQoxf\n"
"ARz3rvqOaRd0JlV+qM9qE0DjiYcCVP1cAfqAo9d83uS1vwY3YMVJzADlaIiHfyVW\n"
"uEgBy0vvkeUBqaua24dYlcwsemOiXYLu41yM1wkcGHW1AhBNHppY6cznb8TyLgNM\n"
"2x3SGUdzc5XMyAFx51faKGBA3wjs+Hg1PLY7d30nmCgEOBavpm5I1disM/0k+Mcy\n"
"YmAKEo/iHJX/rQzO4b9znP69juLlR8PDBUJEVIG/CYb6+uw8MjjUyiWXYoqfVmN2\n"
"hm/lH8b6rXw1a2Aa3VTeD0DxaWeacMYHY/i01fd5n7hCoDTRNdSw5KJ0L3Z0SKTu\n"
"0lzffKzDaIfyZGlpW5qdouACkWYzsaitQOePVE01PIdO30vUfzNTFDfy42ccx3Di\n"
"59UCu+IXB+eMtrBfsok0Qc63vtF1linJgjHW1z/8ujk8F7/qkOfODhk4l7wngc2A\n"
"EmwWFIFoGaiTEZHB9qteXr4unbXZ0AHpM02uGGwZEGohjFyebEb73M+J57WKKAFb\n"
"PqbLcGUksL1SHNBNAJcVLttX55sO4nbidOS/kA3m+F1R04MBTyQF9qA6YDDHqdI3\n"
"h/3pw0Z4fxVouTYT4/NfRnX4JTP4u+7Mpcoof28VME0qWqD1LnRhFQIDAQABo1Aw\n"
"TjAdBgNVHQ4EFgQUMoAgIXH7pZ3QMRwTjT+DM9Yo/v0wHwYDVR0jBBgwFoAUMoAg\n"
"IXH7pZ3QMRwTjT+DM9Yo/v0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC\n"
"AgEAUJxacjXR9sT+Xs6ISFiUsyd0T6WVKMnV46xrYJHirGfx+krWHrjxMY+ZtxYD\n"
"DBDGlo11Qc4v6QrclNf5QUBfIiGQsP9Cm6hHcQ+Tpg9HHCgSqG1YNPwCPReCR4br\n"
"BLvLfrfkcBL2IWM0PdQdCze+59DBfipsULD2mEn9fjYRXQEwb2QWtQ9qRc20Yb/x\n"
"Q4b/+CvUodLkaq7B8MHz0BV8HHcBoph6DYaRmO/N+hPauIuSp6XyaGYcEefGKVKj\n"
"G2+fcsdyXsoijNdL8vNKwm4j2gVwCBnw16J00yfFoV46YcbfqEdJB2je0XSvwXqt\n"
"14AOTngxso2h9k9HLtrfpO1ZG/B5AcCMs1lzbZ2fp5DPHtjvvmvA2RJqgo3yjw4W\n"
"4DHAuTglYFlC3mDHNfNtcGP20JvepcQNzNP2UzwcpOc94hfKikOFw+gf9Vf1qd0y\n"
"h/Sk6OZHn2+JVUPiWHIQV98Vtoh4RmUZDJD+b55ia3fQGTGzt4z1XFzQYSva5sfs\n"
"wocS/papthqWldQU7x+3wofNd5CNU1x6WKXG/yw30IT/4F8ADJD6GeygNT8QJYvt\n"
"u/8lAkbOy6B9xGmSvr0Kk1oq9P2NshA6kalxp1Oz/DTNDdL4AeBXV3JmM6WWCjGn\n"
"Yy1RT69d0rwYc5u/vnqODz1IjvT90smsrkBumGt791FAFeg=\n"
"-----END CERTIFICATE-----\n";
/** Parse the PEM "CERTIFICATE" block in <b>str</b> and return a freshly
 * duplicated implementation-level certificate object, or NULL if the PEM
 * text or the DER inside it cannot be decoded.
 *
 * Ownership of the returned object passes to the caller, who must release
 * it with tor_x509_cert_impl_free(). */
tor_x509_cert_impl_t *
read_cert_from(const char *str)
{
  const size_t pem_len = strlen(str);
  /* Base64 output is never longer than its input, so a buffer the size of
   * the PEM text is large enough for the decoded DER. */
  uint8_t *der = tor_malloc(pem_len);
  ssize_t der_len = pem_decode(der, pem_len, str, pem_len, "CERTIFICATE");
  tor_x509_cert_impl_t *result = NULL;

  if (der_len >= 0) {
    tor_x509_cert_t *parsed = tor_x509_cert_decode(der, der_len);
    if (parsed) {
      /* Hand back a copy of the inner object; the wrapper is not needed. */
      result = tor_x509_cert_impl_dup_(parsed->cert);
      tor_x509_cert_free(parsed);
    }
  }

  tor_free(der);
  return result;
}
/* Canned certificates handed out by fixed_try_to_extract_certs_from_tls():
 * the mock duplicates whatever is stored here as the peer's link cert and
 * identity cert respectively.  test_tortls_verify() sets them per case. */
static tor_x509_cert_impl_t *
fixed_try_to_extract_certs_from_tls_cert_out_result = NULL;
static tor_x509_cert_impl_t *
fixed_try_to_extract_certs_from_tls_id_cert_out_result = NULL;
/** Mock for try_to_extract_certs_from_tls(): ignore the TLS object and the
 * severity, and report copies of the two canned certificates stored in the
 * fixed_try_to_extract_certs_from_tls_*_result globals, so a test can script
 * exactly what the "peer" presented. */
static void
fixed_try_to_extract_certs_from_tls(int severity, tor_tls_t *tls,
                                    tor_x509_cert_impl_t **cert_out,
                                    tor_x509_cert_impl_t **id_cert_out)
{
  tor_x509_cert_impl_t *link_copy = tor_x509_cert_impl_dup_(
      fixed_try_to_extract_certs_from_tls_cert_out_result);
  tor_x509_cert_impl_t *id_copy = tor_x509_cert_impl_dup_(
      fixed_try_to_extract_certs_from_tls_id_cert_out_result);

  (void) severity;
  (void) tls;

  *cert_out = link_copy;
  *id_cert_out = id_copy;
}
/** tor_errno_to_tls_error() must map each socket errno to the matching
 * TOR_TLS_ERROR_* code, and anything it does not recognise (here 0) to
 * TOR_TLS_ERROR_MISC. */
static void
test_tortls_errno_to_tls_error(void *data)
{
  const struct {
    int errcode;
    int expected;
  } cases[] = {
    { SOCK_ERRNO(ECONNRESET), TOR_TLS_ERROR_CONNRESET },
    { SOCK_ERRNO(ETIMEDOUT), TOR_TLS_ERROR_TIMEOUT },
    { SOCK_ERRNO(EHOSTUNREACH), TOR_TLS_ERROR_NO_ROUTE },
    { SOCK_ERRNO(ENETUNREACH), TOR_TLS_ERROR_NO_ROUTE },
    { SOCK_ERRNO(ECONNREFUSED), TOR_TLS_ERROR_CONNREFUSED },
    { 0, TOR_TLS_ERROR_MISC },
  };
  size_t i;
  (void) data;

  for (i = 0; i < sizeof(cases) / sizeof(cases[0]); ++i) {
    tt_int_op(tor_errno_to_tls_error(cases[i].errcode), OP_EQ,
              cases[i].expected);
  }

 done:
  (void)0;
}
/** tor_tls_err_to_string() must produce the documented text for every known
 * error/state code, "[Not an error.]" for a positive value, and a generic
 * "(unknown error code)" for anything it does not recognise. */
static void
test_tortls_err_to_string(void *data)
{
  const struct {
    int code;
    const char *text;
  } cases[] = {
    { 1, "[Not an error.]" },
    { TOR_TLS_ERROR_MISC, "misc error" },
    { TOR_TLS_ERROR_IO, "unexpected close" },
    { TOR_TLS_ERROR_CONNREFUSED, "connection refused" },
    { TOR_TLS_ERROR_CONNRESET, "connection reset" },
    { TOR_TLS_ERROR_NO_ROUTE, "host unreachable" },
    { TOR_TLS_ERROR_TIMEOUT, "connection timed out" },
    { TOR_TLS_CLOSE, "closed" },
    { TOR_TLS_WANTREAD, "want to read" },
    { TOR_TLS_WANTWRITE, "want to write" },
    { -100, "(unknown error code)" },
  };
  size_t i;
  (void) data;

  for (i = 0; i < sizeof(cases) / sizeof(cases[0]); ++i) {
    tt_str_op(tor_tls_err_to_string(cases[i].code), OP_EQ, cases[i].text);
  }

 done:
  (void)0;
}
  173. #ifdef ENABLE_OPENSSL
/** Mock for tor_tls_cert_matches_key(): report every certificate as matching
 * its key, so tests of unrelated TLS code paths need no real key material.
 * Both arguments are deliberately ignored. */
static int
mock_tls_cert_matches_key(const tor_tls_t *tls, const tor_x509_cert_t *cert)
{
  (void) tls;
  (void) cert; /* XXXX look at this. */
  return 1;
}
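/** tor_tls_get_error() must include the caller-supplied context string in
 * the warning it logs: reporting a return value of 0 ("unexpected close")
 * on a TLS object with no real socket should log a message containing
 * "unexpected close while in unit test". */
static void
test_tortls_tor_tls_get_error(void *data)
{
  crypto_pk_t *key1 = NULL, *key2 = NULL;
  tor_tls_t *tls = NULL;
  (void) data;

  /* Certificate/key matching is not what is under test here. */
  MOCK(tor_tls_cert_matches_key, mock_tls_cert_matches_key);
  key1 = pk_generate(2);
  key2 = pk_generate(3);
  tt_int_op(tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER,
                                 key1, key2, 86400), OP_EQ, 0);

  /* fd -1: no socket is needed to exercise the error-reporting path, but
   * the object itself must exist before we hand it to tor_tls_get_error(). */
  tls = tor_tls_new(-1, 0);
  tt_assert(tls);

  setup_capture_of_logs(LOG_WARN);
  tor_tls_get_error(tls, 0, 0, "in unit test", LOG_WARN, LD_GENERAL);
  expect_single_log_msg_containing("unexpected close while in unit test");

 done:
  /* Pair setup_capture_of_logs() with teardown_capture_of_logs(), as
   * test_tortls_address() does, rather than a bare NS_UNMOCK(logv): the
   * paired helper is the one that gets to release whatever it recorded. */
  teardown_capture_of_logs();
  UNMOCK(tor_tls_cert_matches_key);
  crypto_pk_free(key1);
  crypto_pk_free(key2);
  tor_tls_free(tls);
}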
  204. #endif
/** tor_x509_cert_get_id_digests() must return NULL while the certificate's
 * pkey_digests_set flag is clear, and the stored digests once it is set. */
static void
test_tortls_x509_cert_get_id_digests(void *ignored)
{
  tor_x509_cert_t *cert = tor_malloc_zero(sizeof(tor_x509_cert_t));
  common_digests_t *digests = tor_malloc_zero(sizeof(common_digests_t));
  const common_digests_t *got = NULL;
  (void)ignored;

  /* Digests not marked as computed: the getter reports nothing. */
  got = tor_x509_cert_get_id_digests(cert);
  tt_ptr_op(got, OP_EQ, NULL);

  /* Once the flag is set, the stored value (first byte 42) comes back. */
  digests->d[0][0] = 42;
  cert->pkey_digests = *digests;
  cert->pkey_digests_set = 1;
  got = tor_x509_cert_get_id_digests(cert);
  tt_int_op(got->d[0][0], OP_EQ, 42);

 done:
  tor_free(digests);
  tor_free(cert);
}
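/** tor_tls_get_my_certs() must fail with -1 while the requested context
 * (0 = client, 1 = server) is not installed, and return 0 once it is,
 * whether or not the caller asks for the certificates back. */
static void
test_tortls_get_my_certs(void *ignored)
{
  tor_tls_context_t *ctx = tor_malloc_zero(sizeof(tor_tls_context_t));
  const tor_x509_cert_t *link_cert_out = NULL;
  const tor_x509_cert_t *id_cert_out = NULL;
  (void)ignored;

  /* No contexts installed: both lookups fail. */
  client_tls_context = NULL;
  tt_int_op(tor_tls_get_my_certs(0, NULL, NULL), OP_EQ, -1);
  server_tls_context = NULL;
  tt_int_op(tor_tls_get_my_certs(1, NULL, NULL), OP_EQ, -1);

  /* Client context installed: success, with and without out-parameters. */
  client_tls_context = ctx;
  tt_int_op(tor_tls_get_my_certs(0, NULL, NULL), OP_EQ, 0);
  tt_int_op(tor_tls_get_my_certs(0, &link_cert_out, &id_cert_out), OP_EQ, 0);

  /* Server context installed as well. */
  server_tls_context = ctx;
  tt_int_op(tor_tls_get_my_certs(1, &link_cert_out, &id_cert_out), OP_EQ, 0);

 done:
  /* The context was zero-filled and owns nothing, so freeing the struct
   * itself is enough; clear the globals first so they never point at freed
   * memory. */
  client_tls_context = NULL;
  server_tls_context = NULL;
  tor_free(ctx);
}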
  252. #ifdef ENABLE_OPENSSL
/** tor_tls_get_forced_write_size() is expected to report the wantwrite_n
 * value stored on the TLS object. */
static void
test_tortls_get_forced_write_size(void *ignored)
{
  tor_tls_t *tls = tor_malloc_zero(sizeof(tor_tls_t));
  long got;
  (void)ignored;

  tls->wantwrite_n = 43;
  got = tor_tls_get_forced_write_size(tls);
  tt_int_op(got, OP_EQ, 43);

 done:
  tor_free(tls);
}
/** tor_tls_used_v1_handshake() must be the inverse of the wasV2Handshake
 * flag: 1 when no V2 handshake happened, 0 when one did. */
static void
test_tortls_used_v1_handshake(void *ignored)
{
  tor_tls_t *tls = tor_malloc_zero(sizeof(tor_tls_t));
  int was_v2;
  (void)ignored;

  // These tests assume both V2 handshake server and client are enabled
  for (was_v2 = 0; was_v2 <= 1; ++was_v2) {
    tls->wasV2Handshake = was_v2;
    tt_int_op(tor_tls_used_v1_handshake(tls), OP_EQ, !was_v2);
  }

 done:
  tor_free(tls);
}
/** tor_tls_server_got_renegotiate() must report 1 once the got_renegotiate
 * flag has been raised on the TLS object. */
static void
test_tortls_server_got_renegotiate(void *ignored)
{
  tor_tls_t *tls = tor_malloc_zero(sizeof(tor_tls_t));
  (void)ignored;

  tls->got_renegotiate = 1;
  tt_int_op(tor_tls_server_got_renegotiate(tls), OP_EQ, 1);

 done:
  tor_free(tls);
}
  296. #endif
/** evaluate_ecgroup_for_tls() must accept NULL (no group configured) and
 * "P256", reject an unknown name, and give a boolean answer for "P224",
 * whose availability depends on the local crypto library. */
static void
test_tortls_evaluate_ecgroup_for_tls(void *ignored)
{
  int supports_p224;
  (void)ignored;

  tt_int_op(evaluate_ecgroup_for_tls(NULL), OP_EQ, 1);
  tt_int_op(evaluate_ecgroup_for_tls("foobar"), OP_EQ, 0);
  tt_int_op(evaluate_ecgroup_for_tls("P256"), OP_EQ, 1);

  /* P224 varies between machines, so only require a well-formed result
   * rather than tt_int_op(..., OP_EQ, 1). */
  supports_p224 = evaluate_ecgroup_for_tls("P224");
  tt_assert(supports_p224 == 0 || supports_p224 == 1);

 done:
  (void)0;
}
/** Calling tor_tls_context_init() twice (here with the key roles swapped)
 * must succeed both times, and a public-server context must expose the same
 * object for the client (0) and server (1) lookups. */
static void
test_tortls_double_init(void *arg)
{
  crypto_pk_t *pk1 = NULL, *pk2 = NULL;
  int rv;
  (void) arg;

  pk1 = pk_generate(2);
  pk2 = pk_generate(0);

  rv = tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER, pk1, pk2, 86400);
  tt_int_op(rv, OP_EQ, 0);
  /* A second initialisation must not break anything. */
  rv = tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER, pk2, pk1, 86400);
  tt_int_op(rv, OP_EQ, 0);

  /* For a public server context, client and server contexts coincide. */
  tt_ptr_op(tor_tls_context_get(0), OP_EQ, tor_tls_context_get(1));

 done:
  crypto_pk_free(pk1);
  crypto_pk_free(pk2);
}
/** A server identity key without TOR_TLS_CTX_IS_PUBLIC_SERVER must yield a
 * bridge-style configuration: initialisation succeeds and the client (0)
 * and server (1) contexts are distinct objects. */
static void
test_tortls_bridge_init(void *arg)
{
  crypto_pk_t *pk1 = NULL, *pk2 = NULL;
  int rv;
  (void)arg;

  pk1 = pk_generate(2);
  pk2 = pk_generate(0);

  rv = tor_tls_context_init(0 /* flags */, pk1, pk2, 86400);
  tt_int_op(rv, OP_EQ, 0);
  tt_ptr_op(tor_tls_context_get(0), OP_NE, tor_tls_context_get(1));

 done:
  crypto_pk_free(pk1);
  crypto_pk_free(pk2);
}
/** The address set with tor_tls_set_logged_address() must appear in the
 * message logged when a write on the connection fails. */
static void
test_tortls_address(void *arg)
{
  crypto_pk_t *pk1 = NULL, *pk2 = NULL;
  tor_tls_t *tls = NULL;
  int written;
  (void)arg;

  pk1 = pk_generate(2);
  pk2 = pk_generate(0);
  tt_int_op(tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER,
                                 pk1, pk2, 86400), OP_EQ, 0);

  tls = tor_tls_new(-1, 0);
  tls->state = TOR_TLS_ST_OPEN;
  tor_tls_set_logged_address(tls, "zombo.com");

  /* fd -1 guarantees the write fails; what matters is that the resulting
   * log line names the configured address. */
  setup_capture_of_logs(LOG_INFO);
  written = tor_tls_write(tls, "welcome", 7);
  tt_int_op(written, OP_LT, 0);
  expect_log_msg_containing("with zombo.com");

 done:
  teardown_capture_of_logs();
  tor_tls_free(tls);
  crypto_pk_free(pk1);
  crypto_pk_free(pk2);
}
/** tor_tls_is_server() must reflect the isServer argument given to
 * tor_tls_new(): false for a client-side object, true for a server-side one. */
static void
test_tortls_is_server(void *arg)
{
  crypto_pk_t *pk1 = NULL, *pk2 = NULL;
  tor_tls_t *client_tls = NULL, *server_tls = NULL;
  (void)arg;

  pk1 = pk_generate(2);
  pk2 = pk_generate(0);
  tt_int_op(tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER,
                                 pk1, pk2, 86400), OP_EQ, 0);

  client_tls = tor_tls_new(-1, 0);
  server_tls = tor_tls_new(-1, 1);
  tt_assert(tor_tls_is_server(client_tls) == 0);
  tt_assert(tor_tls_is_server(server_tls) != 0);

 done:
  tor_tls_free(client_tls);
  tor_tls_free(server_tls);
  crypto_pk_free(pk1);
  crypto_pk_free(pk2);
}
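/** Drive tor_tls_verify() through the mocked certificate extraction.  It
 * must return -1 when the peer presents no link certificate, no identity
 * certificate, or a pair that does not verify, and 0 -- returning the
 * peer's identity key through <b>k</b> -- for validCertString paired with
 * caCertString. */
static void
test_tortls_verify(void *ignored)
{
  int ret;
  tor_tls_t *tls = NULL;
  crypto_pk_t *k = NULL;
  tor_x509_cert_impl_t *validCert = NULL, *caCert = NULL, *invalidCert = NULL;
  (void)ignored;

  validCert = read_cert_from(validCertString);
  caCert = read_cert_from(caCertString);
  invalidCert = read_cert_from(notCompletelyValidCertString);
  /* If a fixture failed to parse, the "missing certificate" cases below
   * would pass for the wrong reason and the final case would fail with an
   * unhelpful message; fail here instead, naming the fixture. */
  tt_assert(validCert);
  tt_assert(caCert);
  tt_assert(invalidCert);

  tls = tor_malloc_zero(sizeof(tor_tls_t));
  MOCK(try_to_extract_certs_from_tls, fixed_try_to_extract_certs_from_tls);

  /* No certificates at all. */
  fixed_try_to_extract_certs_from_tls_cert_out_result = NULL;
  fixed_try_to_extract_certs_from_tls_id_cert_out_result = NULL;
  ret = tor_tls_verify(LOG_WARN, tls, &k);
  tt_int_op(ret, OP_EQ, -1);

  /* Identity certificate but no link certificate. */
  fixed_try_to_extract_certs_from_tls_cert_out_result = NULL;
  fixed_try_to_extract_certs_from_tls_id_cert_out_result = caCert;
  ret = tor_tls_verify(LOG_WARN, tls, &k);
  tt_int_op(ret, OP_EQ, -1);

  /* Link certificate but no identity certificate. */
  fixed_try_to_extract_certs_from_tls_cert_out_result = validCert;
  fixed_try_to_extract_certs_from_tls_id_cert_out_result = NULL;
  ret = tor_tls_verify(LOG_WARN, tls, &k);
  tt_int_op(ret, OP_EQ, -1);

  /* Both slots filled, but with a certificate that must not verify. */
  fixed_try_to_extract_certs_from_tls_cert_out_result = invalidCert;
  fixed_try_to_extract_certs_from_tls_id_cert_out_result = invalidCert;
  ret = tor_tls_verify(LOG_WARN, tls, &k);
  tt_int_op(ret, OP_EQ, -1);

  /* The good pair: verification succeeds and yields an identity key. */
  fixed_try_to_extract_certs_from_tls_cert_out_result = validCert;
  fixed_try_to_extract_certs_from_tls_id_cert_out_result = caCert;
  ret = tor_tls_verify(LOG_WARN, tls, &k);
  tt_int_op(ret, OP_EQ, 0);
  tt_assert(k);

 done:
  /* Detach the mock's globals from the fixtures before those are freed, so
   * nothing is left pointing at released memory. */
  fixed_try_to_extract_certs_from_tls_cert_out_result = NULL;
  fixed_try_to_extract_certs_from_tls_id_cert_out_result = NULL;
  UNMOCK(try_to_extract_certs_from_tls);
  tor_x509_cert_impl_free(validCert);
  tor_x509_cert_impl_free(invalidCert);
  tor_x509_cert_impl_free(caCert);
  tor_free(tls);
  crypto_pk_free(k);
}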
/* Build a testcase_t entry for test_tortls_<name>.  Every case is OR-ed
 * with TT_FORK here, so each test runs in its own child process; the
 * explicit TT_FORK flags on individual entries below are therefore
 * redundant but harmless. */
#define LOCAL_TEST_CASE(name, flags) \
{ #name, test_tortls_##name, (flags|TT_FORK), NULL, NULL }
/* Test table exported to the test runner; the OpenSSL-only cases are
 * compiled in only when ENABLE_OPENSSL is defined, matching the #ifdef
 * guards around their definitions above. */
struct testcase_t tortls_tests[] = {
LOCAL_TEST_CASE(errno_to_tls_error, 0),
LOCAL_TEST_CASE(err_to_string, 0),
LOCAL_TEST_CASE(x509_cert_get_id_digests, 0),
LOCAL_TEST_CASE(get_my_certs, TT_FORK),
#ifdef ENABLE_OPENSSL
LOCAL_TEST_CASE(tor_tls_get_error, 0),
LOCAL_TEST_CASE(get_forced_write_size, 0),
LOCAL_TEST_CASE(used_v1_handshake, TT_FORK),
LOCAL_TEST_CASE(server_got_renegotiate, 0),
#endif
LOCAL_TEST_CASE(evaluate_ecgroup_for_tls, 0),
LOCAL_TEST_CASE(double_init, TT_FORK),
LOCAL_TEST_CASE(address, TT_FORK),
LOCAL_TEST_CASE(is_server, 0),
LOCAL_TEST_CASE(bridge_init, TT_FORK),
LOCAL_TEST_CASE(verify, TT_FORK),
END_OF_TESTCASES
};