Line data Source code
1 : /* Copyright (c) 2010-2021, The Tor Project, Inc. */
2 : /* See LICENSE for licensing information */
3 :
4 : #define TORTLS_PRIVATE
5 : #define TOR_X509_PRIVATE
6 : #define LOG_PRIVATE
7 : #include "orconfig.h"
8 :
9 : #ifdef _WIN32
10 : #include <winsock2.h>
11 : #endif
12 : #include <math.h>
13 : #include <stddef.h>
14 :
15 : #include "lib/cc/compat_compiler.h"
16 :
17 : #include "core/or/or.h"
18 : #include "lib/log/log.h"
19 : #include "app/config/config.h"
20 : #include "lib/crypt_ops/compat_openssl.h"
21 : #include "lib/tls/x509.h"
22 : #include "lib/tls/x509_internal.h"
23 : #include "lib/tls/tortls.h"
24 : #include "lib/tls/tortls_st.h"
25 : #include "lib/tls/tortls_internal.h"
26 : #include "lib/encoding/pem.h"
27 : #include "app/config/or_state_st.h"
28 :
29 : #include "test/test.h"
30 : #include "test/log_test_helpers.h"
31 : #include "test/test_tortls.h"
32 :
33 : #include "tinytest.h"
34 :
35 : const char* notCompletelyValidCertString =
36 : "-----BEGIN CERTIFICATE-----\n"
37 : "MIICVjCCAb8CAg37MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\n"
38 : "A1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\n"
39 : "MRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\n"
40 : "YiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\n"
41 : "ODIyMDUyNzIzWhcNMTcwODIxMDUyNzIzWjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\n"
42 : "CAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\n"
43 : "ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMYBBrx5PlP0WNI/ZdzD\n"
44 : "+6Pktmurn+F2kQYbtc7XQh8/LTBvCo+P6iZoLEmUA9e7EXLRxgU1CVqeAi7QcAn9\n"
45 : "MwBlc8ksFJHB0rtf9pmf8Oza9E0Bynlq/4/Kb1x+d+AyhL7oK9tQwB24uHOueHi1\n"
46 : "C/iVv8CSWKiYe6hzN1txYe8rAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAASPdjigJ\n"
47 : "kXCqKWpnZ/Oc75EUcMi6HztaW8abUMlYXPIgkV2F7YanHOB7K4f7OOLjiz8DTPFf\n"
48 : "jC9UeuErhaA/zzWi8ewMTFZW/WshOrm3fNvcMrMLKtH534JKvcdMg6qIdjTFINIr\n"
49 : "evnAhf0cwULaebn+lMs8Pdl7y37+sfluVok=\n"
50 : "-----END CERTIFICATE-----\n";
51 :
52 : const char* validCertString = "-----BEGIN CERTIFICATE-----\n"
53 : "MIIDpTCCAY0CAg3+MA0GCSqGSIb3DQEBBQUAMF4xCzAJBgNVBAYTAlVTMREwDwYD\n"
54 : "VQQIDAhJbGxpbm9pczEQMA4GA1UEBwwHQ2hpY2FnbzEUMBIGA1UECgwLVG9yIFRl\n"
55 : "c3RpbmcxFDASBgNVBAMMC1RvciBUZXN0aW5nMB4XDTE1MDkwNjEzMzk1OVoXDTQz\n"
56 : "MDEyMjEzMzk1OVowVjELMAkGA1UEBhMCVVMxEDAOBgNVBAcMB0NoaWNhZ28xFDAS\n"
57 : "BgNVBAoMC1RvciBUZXN0aW5nMR8wHQYDVQQDDBZ0ZXN0aW5nLnRvcnByb2plY3Qu\n"
58 : "b3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoT6uyVVhWyOF3wkHjjYbd\n"
59 : "nKaykyRv4JVtKQdZ4OpEErmX1zw4MmyzpQNV6iR4bQnWiyLfzyVJMZDIC/WILBfX\n"
60 : "w2Pza/yuLgUvDc3twMuhOACzOQVO8PrEF/aVv2+hbCCy2udXvKhnYn+CCXl3ozc8\n"
61 : "XcKYvujTXDyvGWY3xwAjlQIDAQABMA0GCSqGSIb3DQEBBQUAA4ICAQCUvnhzQWuQ\n"
62 : "MrN+pERkE+zcTI/9dGS90rUMMLgu8VDNqTa0TUQh8uO0EQ6uDvI8Js6e8tgwS0BR\n"
63 : "UBahqb7ZHv+rejGCBr5OudqD+x4STiiuPNJVs86JTLN8SpM9CHjIBH5WCCN2KOy3\n"
64 : "mevNoRcRRyYJzSFULCunIK6FGulszigMYGscrO4oiTkZiHPh9KvWT40IMiHfL+Lw\n"
65 : "EtEWiLex6064LcA2YQ1AMuSZyCexks63lcfaFmQbkYOKqXa1oLkIRuDsOaSVjTfe\n"
66 : "vec+X6jvf12cFTKS5WIeqkKF2Irt+dJoiHEGTe5RscUMN/f+gqHPzfFz5dR23sxo\n"
67 : "g+HC6MZHlFkLAOx3wW6epPS8A/m1mw3zMPoTnb2U2YYt8T0dJMMlUn/7Y1sEAa+a\n"
68 : "dSTMaeUf6VnJ//11m454EZl1to9Z7oJOgqmFffSrdD4BGIWe8f7hhW6L1Enmqe/J\n"
69 : "BKL3wbzZh80O1W0bndAwhnEEhlzneFY84cbBo9pmVxpODHkUcStpr5Z7pBDrcL21\n"
70 : "Ss/aB/1YrsVXhdvJdOGxl3Mnl9dUY57CympLGlT8f0pPS6GAKOelECOhFMHmJd8L\n"
71 : "dj3XQSmKtYHevZ6IvuMXSlB/fJvSjSlkCuLo5+kJoaqPuRu+i/S1qxeRy3CBwmnE\n"
72 : "LdSNdcX4N79GQJ996PA8+mUCQG7YRtK+WA==\n"
73 : "-----END CERTIFICATE-----\n";
74 :
75 : const char* caCertString = "-----BEGIN CERTIFICATE-----\n"
76 : "MIIFjzCCA3egAwIBAgIJAKd5WgyfPMYRMA0GCSqGSIb3DQEBCwUAMF4xCzAJBgNV\n"
77 : "BAYTAlVTMREwDwYDVQQIDAhJbGxpbm9pczEQMA4GA1UEBwwHQ2hpY2FnbzEUMBIG\n"
78 : "A1UECgwLVG9yIFRlc3RpbmcxFDASBgNVBAMMC1RvciBUZXN0aW5nMB4XDTE1MDkw\n"
79 : "NjEzMzc0MVoXDTQzMDEyMjEzMzc0MVowXjELMAkGA1UEBhMCVVMxETAPBgNVBAgM\n"
80 : "CElsbGlub2lzMRAwDgYDVQQHDAdDaGljYWdvMRQwEgYDVQQKDAtUb3IgVGVzdGlu\n"
81 : "ZzEUMBIGA1UEAwwLVG9yIFRlc3RpbmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw\n"
82 : "ggIKAoICAQCpLMUEiLW5leUgBZoEJms2V7lZRhIAjnJBhVMHD0e3UubNknmaQoxf\n"
83 : "ARz3rvqOaRd0JlV+qM9qE0DjiYcCVP1cAfqAo9d83uS1vwY3YMVJzADlaIiHfyVW\n"
84 : "uEgBy0vvkeUBqaua24dYlcwsemOiXYLu41yM1wkcGHW1AhBNHppY6cznb8TyLgNM\n"
85 : "2x3SGUdzc5XMyAFx51faKGBA3wjs+Hg1PLY7d30nmCgEOBavpm5I1disM/0k+Mcy\n"
86 : "YmAKEo/iHJX/rQzO4b9znP69juLlR8PDBUJEVIG/CYb6+uw8MjjUyiWXYoqfVmN2\n"
87 : "hm/lH8b6rXw1a2Aa3VTeD0DxaWeacMYHY/i01fd5n7hCoDTRNdSw5KJ0L3Z0SKTu\n"
88 : "0lzffKzDaIfyZGlpW5qdouACkWYzsaitQOePVE01PIdO30vUfzNTFDfy42ccx3Di\n"
89 : "59UCu+IXB+eMtrBfsok0Qc63vtF1linJgjHW1z/8ujk8F7/qkOfODhk4l7wngc2A\n"
90 : "EmwWFIFoGaiTEZHB9qteXr4unbXZ0AHpM02uGGwZEGohjFyebEb73M+J57WKKAFb\n"
91 : "PqbLcGUksL1SHNBNAJcVLttX55sO4nbidOS/kA3m+F1R04MBTyQF9qA6YDDHqdI3\n"
92 : "h/3pw0Z4fxVouTYT4/NfRnX4JTP4u+7Mpcoof28VME0qWqD1LnRhFQIDAQABo1Aw\n"
93 : "TjAdBgNVHQ4EFgQUMoAgIXH7pZ3QMRwTjT+DM9Yo/v0wHwYDVR0jBBgwFoAUMoAg\n"
94 : "IXH7pZ3QMRwTjT+DM9Yo/v0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC\n"
95 : "AgEAUJxacjXR9sT+Xs6ISFiUsyd0T6WVKMnV46xrYJHirGfx+krWHrjxMY+ZtxYD\n"
96 : "DBDGlo11Qc4v6QrclNf5QUBfIiGQsP9Cm6hHcQ+Tpg9HHCgSqG1YNPwCPReCR4br\n"
97 : "BLvLfrfkcBL2IWM0PdQdCze+59DBfipsULD2mEn9fjYRXQEwb2QWtQ9qRc20Yb/x\n"
98 : "Q4b/+CvUodLkaq7B8MHz0BV8HHcBoph6DYaRmO/N+hPauIuSp6XyaGYcEefGKVKj\n"
99 : "G2+fcsdyXsoijNdL8vNKwm4j2gVwCBnw16J00yfFoV46YcbfqEdJB2je0XSvwXqt\n"
100 : "14AOTngxso2h9k9HLtrfpO1ZG/B5AcCMs1lzbZ2fp5DPHtjvvmvA2RJqgo3yjw4W\n"
101 : "4DHAuTglYFlC3mDHNfNtcGP20JvepcQNzNP2UzwcpOc94hfKikOFw+gf9Vf1qd0y\n"
102 : "h/Sk6OZHn2+JVUPiWHIQV98Vtoh4RmUZDJD+b55ia3fQGTGzt4z1XFzQYSva5sfs\n"
103 : "wocS/papthqWldQU7x+3wofNd5CNU1x6WKXG/yw30IT/4F8ADJD6GeygNT8QJYvt\n"
104 : "u/8lAkbOy6B9xGmSvr0Kk1oq9P2NshA6kalxp1Oz/DTNDdL4AeBXV3JmM6WWCjGn\n"
105 : "Yy1RT69d0rwYc5u/vnqODz1IjvT90smsrkBumGt791FAFeg=\n"
106 : "-----END CERTIFICATE-----\n";
107 :
108 : static tor_x509_cert_t *fixed_x509_cert = NULL;
109 : static tor_x509_cert_t *
110 8 : get_peer_cert_mock_return_fixed(tor_tls_t *tls)
111 : {
112 8 : (void)tls;
113 8 : if (fixed_x509_cert)
114 4 : return tor_x509_cert_dup(fixed_x509_cert);
115 : else
116 : return NULL;
117 : }
118 :
119 : tor_x509_cert_impl_t *
120 6 : read_cert_from(const char *str)
121 : {
122 6 : size_t len = strlen(str);
123 6 : uint8_t *raw_cert = tor_malloc(len);
124 6 : ssize_t true_len = pem_decode(raw_cert, len, str, len, "CERTIFICATE");
125 6 : if (true_len < 0) {
126 0 : tor_free(raw_cert);
127 0 : return NULL;
128 : }
129 6 : tor_x509_cert_t *cert = tor_x509_cert_decode(raw_cert, true_len);
130 6 : tor_free(raw_cert);
131 6 : if (! cert) {
132 : return NULL;
133 : }
134 6 : tor_x509_cert_impl_t *res = tor_x509_cert_impl_dup_(cert->cert);
135 6 : tor_x509_cert_free(cert);
136 6 : return res;
137 : }
138 :
139 : static tor_x509_cert_impl_t *
140 : fixed_try_to_extract_certs_from_tls_cert_out_result = NULL;
141 : static tor_x509_cert_impl_t *
142 : fixed_try_to_extract_certs_from_tls_id_cert_out_result = NULL;
143 :
144 : static void
145 4 : fixed_try_to_extract_certs_from_tls(int severity, tor_tls_t *tls,
146 : tor_x509_cert_impl_t **cert_out,
147 : tor_x509_cert_impl_t **id_cert_out)
148 : {
149 4 : (void) severity;
150 4 : (void) tls;
151 4 : *cert_out = tor_x509_cert_impl_dup_(
152 : fixed_try_to_extract_certs_from_tls_cert_out_result);
153 4 : *id_cert_out = tor_x509_cert_impl_dup_(
154 : fixed_try_to_extract_certs_from_tls_id_cert_out_result);
155 4 : }
156 :
157 : static void
158 1 : test_tortls_errno_to_tls_error(void *data)
159 : {
160 1 : (void) data;
161 1 : tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(ECONNRESET)),OP_EQ,
162 : TOR_TLS_ERROR_CONNRESET);
163 1 : tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(ETIMEDOUT)),OP_EQ,
164 : TOR_TLS_ERROR_TIMEOUT);
165 1 : tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(EHOSTUNREACH)),OP_EQ,
166 : TOR_TLS_ERROR_NO_ROUTE);
167 1 : tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(ENETUNREACH)),OP_EQ,
168 : TOR_TLS_ERROR_NO_ROUTE);
169 1 : tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(ECONNREFUSED)),OP_EQ,
170 : TOR_TLS_ERROR_CONNREFUSED);
171 1 : tt_int_op(tor_errno_to_tls_error(0),OP_EQ,TOR_TLS_ERROR_MISC);
172 1 : done:
173 1 : (void)1;
174 1 : }
175 :
176 : static void
177 1 : test_tortls_err_to_string(void *data)
178 : {
179 1 : (void) data;
180 1 : tt_str_op(tor_tls_err_to_string(1),OP_EQ,"[Not an error.]");
181 1 : tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_MISC),OP_EQ,"misc error");
182 1 : tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_IO),OP_EQ,"unexpected close");
183 1 : tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_CONNREFUSED),OP_EQ,
184 : "connection refused");
185 1 : tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_CONNRESET),OP_EQ,
186 : "connection reset");
187 1 : tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_NO_ROUTE),OP_EQ,
188 : "host unreachable");
189 1 : tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_TIMEOUT),OP_EQ,
190 : "connection timed out");
191 1 : tt_str_op(tor_tls_err_to_string(TOR_TLS_CLOSE),OP_EQ,"closed");
192 1 : tt_str_op(tor_tls_err_to_string(TOR_TLS_WANTREAD),OP_EQ,"want to read");
193 1 : tt_str_op(tor_tls_err_to_string(TOR_TLS_WANTWRITE),OP_EQ,"want to write");
194 1 : tt_str_op(tor_tls_err_to_string(-100),OP_EQ,"(unknown error code)");
195 1 : done:
196 1 : (void)1;
197 1 : }
198 :
199 : #ifdef ENABLE_OPENSSL
200 : static int
201 0 : mock_tls_cert_matches_key(const tor_tls_t *tls, const tor_x509_cert_t *cert)
202 : {
203 0 : (void) tls;
204 0 : (void) cert; // XXXX look at this.
205 0 : return 1;
206 : }
207 :
208 : static void
209 1 : test_tortls_tor_tls_get_error(void *data)
210 : {
211 1 : (void) data;
212 1 : MOCK(tor_tls_cert_matches_key, mock_tls_cert_matches_key);
213 1 : crypto_pk_t *key1 = NULL, *key2 = NULL;
214 1 : key1 = pk_generate(2);
215 1 : key2 = pk_generate(3);
216 :
217 1 : tor_tls_t *tls = NULL;
218 1 : tt_int_op(tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER,
219 : key1, key2, 86400), OP_EQ, 0);
220 1 : tls = tor_tls_new(-1, 0);
221 1 : setup_capture_of_logs(LOG_WARN);
222 1 : tor_tls_get_error(tls, 0, 0,
223 : (const char *)"in unit test", LOG_WARN, LD_GENERAL);
224 1 : expect_single_log_msg_containing("unexpected close while in unit test");
225 :
226 1 : done:
227 1 : UNMOCK(tor_tls_cert_matches_key);
228 1 : UNMOCK(logv);
229 1 : crypto_pk_free(key1);
230 1 : crypto_pk_free(key2);
231 1 : tor_tls_free(tls);
232 1 : }
233 : #endif /* defined(ENABLE_OPENSSL) */
234 :
235 : static void
236 1 : test_tortls_x509_cert_get_id_digests(void *ignored)
237 : {
238 1 : (void)ignored;
239 1 : tor_x509_cert_t *cert;
240 1 : common_digests_t *d;
241 1 : const common_digests_t *res;
242 1 : cert = tor_malloc_zero(sizeof(tor_x509_cert_t));
243 1 : d = tor_malloc_zero(sizeof(common_digests_t));
244 1 : d->d[0][0] = 42;
245 :
246 1 : res = tor_x509_cert_get_id_digests(cert);
247 1 : tt_assert(!res);
248 :
249 1 : cert->pkey_digests_set = 1;
250 1 : cert->pkey_digests = *d;
251 1 : res = tor_x509_cert_get_id_digests(cert);
252 1 : tt_assert(res);
253 1 : tt_int_op(res->d[0][0], OP_EQ, 42);
254 :
255 1 : done:
256 1 : tor_free(cert);
257 1 : tor_free(d);
258 1 : }
259 :
260 : static void
261 1 : test_tortls_get_my_certs(void *ignored)
262 : {
263 1 : (void)ignored;
264 1 : int ret;
265 1 : tor_tls_context_t *ctx;
266 1 : const tor_x509_cert_t *link_cert_out = NULL;
267 1 : const tor_x509_cert_t *id_cert_out = NULL;
268 :
269 1 : ctx = tor_malloc_zero(sizeof(tor_tls_context_t));
270 :
271 1 : client_tls_context = NULL;
272 1 : ret = tor_tls_get_my_certs(0, NULL, NULL);
273 1 : tt_int_op(ret, OP_EQ, -1);
274 :
275 1 : server_tls_context = NULL;
276 1 : ret = tor_tls_get_my_certs(1, NULL, NULL);
277 1 : tt_int_op(ret, OP_EQ, -1);
278 :
279 1 : client_tls_context = ctx;
280 1 : ret = tor_tls_get_my_certs(0, NULL, NULL);
281 1 : tt_int_op(ret, OP_EQ, 0);
282 :
283 1 : client_tls_context = ctx;
284 1 : ret = tor_tls_get_my_certs(0, &link_cert_out, &id_cert_out);
285 1 : tt_int_op(ret, OP_EQ, 0);
286 :
287 1 : server_tls_context = ctx;
288 1 : ret = tor_tls_get_my_certs(1, &link_cert_out, &id_cert_out);
289 1 : tt_int_op(ret, OP_EQ, 0);
290 :
291 1 : done:
292 1 : (void)1;
293 1 : }
294 :
295 : #ifdef ENABLE_OPENSSL
296 : static void
297 1 : test_tortls_get_forced_write_size(void *ignored)
298 : {
299 1 : (void)ignored;
300 1 : long ret;
301 1 : tor_tls_t *tls;
302 :
303 1 : tls = tor_malloc_zero(sizeof(tor_tls_t));
304 :
305 1 : tls->wantwrite_n = 43;
306 1 : ret = tor_tls_get_forced_write_size(tls);
307 1 : tt_int_op(ret, OP_EQ, 43);
308 :
309 1 : done:
310 1 : tor_free(tls);
311 1 : }
312 :
313 : static void
314 1 : test_tortls_used_v1_handshake(void *ignored)
315 : {
316 1 : (void)ignored;
317 1 : int ret;
318 1 : tor_tls_t *tls;
319 1 : tls = tor_malloc_zero(sizeof(tor_tls_t));
320 :
321 : // These tests assume both V2 handshake server and client are enabled
322 1 : tls->wasV2Handshake = 0;
323 1 : ret = tor_tls_used_v1_handshake(tls);
324 1 : tt_int_op(ret, OP_EQ, 1);
325 :
326 1 : tls->wasV2Handshake = 1;
327 1 : ret = tor_tls_used_v1_handshake(tls);
328 1 : tt_int_op(ret, OP_EQ, 0);
329 :
330 1 : done:
331 1 : tor_free(tls);
332 1 : }
333 :
334 : static void
335 1 : test_tortls_server_got_renegotiate(void *ignored)
336 : {
337 1 : (void)ignored;
338 1 : int ret;
339 1 : tor_tls_t *tls;
340 :
341 1 : tls = tor_malloc_zero(sizeof(tor_tls_t));
342 :
343 1 : tls->got_renegotiate = 1;
344 1 : ret = tor_tls_server_got_renegotiate(tls);
345 1 : tt_int_op(ret, OP_EQ, 1);
346 :
347 1 : done:
348 1 : tor_free(tls);
349 1 : }
350 : #endif /* defined(ENABLE_OPENSSL) */
351 :
352 : static void
353 1 : test_tortls_evaluate_ecgroup_for_tls(void *ignored)
354 : {
355 1 : (void)ignored;
356 1 : int ret;
357 :
358 1 : ret = evaluate_ecgroup_for_tls(NULL);
359 1 : tt_int_op(ret, OP_EQ, 1);
360 :
361 1 : ret = evaluate_ecgroup_for_tls("foobar");
362 1 : tt_int_op(ret, OP_EQ, 0);
363 :
364 1 : ret = evaluate_ecgroup_for_tls("P256");
365 1 : tt_int_op(ret, OP_EQ, 1);
366 :
367 1 : ret = evaluate_ecgroup_for_tls("P224");
368 : // tt_int_op(ret, OP_EQ, 1); This varies between machines
369 1 : tt_assert(ret == 0 || ret == 1);
370 :
371 1 : done:
372 1 : (void)0;
373 1 : }
374 :
375 : static void
376 1 : test_tortls_double_init(void *arg)
377 : {
378 1 : (void) arg;
379 : /* If we call tor_tls_context_init() a second time, nothing should go
380 : * wrong.
381 : */
382 1 : crypto_pk_t *pk1 = NULL, *pk2 = NULL;
383 1 : pk1 = pk_generate(2);
384 1 : pk2 = pk_generate(0);
385 :
386 1 : int r = tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER,
387 : pk1, pk2, 86400);
388 1 : tt_int_op(r, OP_EQ, 0);
389 :
390 1 : r = tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER,
391 : pk2, pk1, 86400);
392 1 : tt_int_op(r, OP_EQ, 0);
393 : /* For a public server context, these are the same */
394 1 : tt_ptr_op(tor_tls_context_get(0), OP_EQ, tor_tls_context_get(1));
395 :
396 1 : done:
397 1 : crypto_pk_free(pk1);
398 1 : crypto_pk_free(pk2);
399 1 : }
400 :
401 : static void
402 1 : test_tortls_bridge_init(void *arg)
403 : {
404 1 : (void)arg;
405 1 : crypto_pk_t *pk1 = NULL, *pk2 = NULL;
406 1 : pk1 = pk_generate(2);
407 1 : pk2 = pk_generate(0);
408 :
409 : /* If we pass in a server identity key but not the
410 : TOR_TLS_CTX_IS_PUBLIC_SERVER flag, we should get a bridge-style
411 : configuration, with two distinct contexts. */
412 1 : int r = tor_tls_context_init(0 /* flags */, pk1, pk2, 86400);
413 :
414 1 : tt_int_op(r, OP_EQ, 0);
415 1 : tt_ptr_op(tor_tls_context_get(0), OP_NE, tor_tls_context_get(1));
416 1 : done:
417 1 : crypto_pk_free(pk1);
418 1 : crypto_pk_free(pk2);
419 1 : }
420 :
421 : static void
422 1 : test_tortls_address(void *arg)
423 : {
424 1 : (void)arg;
425 1 : tor_tls_t *tls = NULL;
426 1 : crypto_pk_t *pk1=NULL, *pk2=NULL;
427 1 : pk1 = pk_generate(2);
428 1 : pk2 = pk_generate(0);
429 :
430 1 : int r = tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER,
431 : pk1, pk2, 86400);
432 1 : tt_int_op(r, OP_EQ, 0);
433 :
434 1 : tls = tor_tls_new(-1, 0);
435 1 : tls->state = TOR_TLS_ST_OPEN;
436 1 : tor_tls_set_logged_address(tls, "zombo.com");
437 :
438 : /* This write should fail, since the fd is -1. */
439 1 : setup_capture_of_logs(LOG_INFO);
440 1 : int n = tor_tls_write(tls, "welcome", 7);
441 1 : tt_int_op(n, OP_LT, 0);
442 1 : expect_log_msg_containing("with zombo.com");
443 :
444 1 : done:
445 1 : teardown_capture_of_logs();
446 1 : tor_tls_free(tls);
447 1 : crypto_pk_free(pk1);
448 1 : crypto_pk_free(pk2);
449 1 : }
450 :
451 : static void
452 1 : test_tortls_is_server(void *arg)
453 : {
454 1 : (void)arg;
455 1 : crypto_pk_t *pk1=NULL, *pk2=NULL;
456 1 : tor_tls_t *tls1=NULL, *tls2=NULL;
457 1 : pk1 = pk_generate(2);
458 1 : pk2 = pk_generate(0);
459 :
460 1 : int r = tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER,
461 : pk1, pk2, 86400);
462 1 : tt_int_op(r, OP_EQ, 0);
463 1 : tls1 = tor_tls_new(-1, 0);
464 1 : tls2 = tor_tls_new(-1, 1);
465 :
466 1 : tt_assert(! tor_tls_is_server(tls1));
467 1 : tt_assert(tor_tls_is_server(tls2));
468 :
469 1 : done:
470 1 : tor_tls_free(tls1);
471 1 : tor_tls_free(tls2);
472 1 : crypto_pk_free(pk1);
473 1 : crypto_pk_free(pk2);
474 1 : }
475 :
476 : static void
477 1 : test_tortls_verify(void *ignored)
478 : {
479 1 : (void)ignored;
480 1 : int ret;
481 1 : tor_tls_t *tls;
482 1 : crypto_pk_t *k = NULL;
483 1 : tor_x509_cert_impl_t *cert1 = NULL, *cert2 = NULL, *invalidCert = NULL,
484 1 : *validCert = NULL, *caCert = NULL;
485 :
486 1 : validCert = read_cert_from(validCertString);
487 1 : caCert = read_cert_from(caCertString);
488 1 : invalidCert = read_cert_from(notCompletelyValidCertString);
489 :
490 1 : tls = tor_malloc_zero(sizeof(tor_tls_t));
491 :
492 1 : MOCK(try_to_extract_certs_from_tls, fixed_try_to_extract_certs_from_tls);
493 :
494 1 : fixed_try_to_extract_certs_from_tls_cert_out_result = cert1;
495 1 : ret = tor_tls_verify(LOG_WARN, tls, &k);
496 1 : tt_int_op(ret, OP_EQ, -1);
497 :
498 1 : fixed_try_to_extract_certs_from_tls_id_cert_out_result = cert2;
499 1 : ret = tor_tls_verify(LOG_WARN, tls, &k);
500 1 : tt_int_op(ret, OP_EQ, -1);
501 :
502 1 : fixed_try_to_extract_certs_from_tls_cert_out_result = invalidCert;
503 1 : fixed_try_to_extract_certs_from_tls_id_cert_out_result = invalidCert;
504 :
505 1 : ret = tor_tls_verify(LOG_WARN, tls, &k);
506 1 : tt_int_op(ret, OP_EQ, -1);
507 :
508 1 : fixed_try_to_extract_certs_from_tls_cert_out_result = validCert;
509 1 : fixed_try_to_extract_certs_from_tls_id_cert_out_result = caCert;
510 :
511 1 : ret = tor_tls_verify(LOG_WARN, tls, &k);
512 1 : tt_int_op(ret, OP_EQ, 0);
513 1 : tt_assert(k);
514 :
515 1 : done:
516 1 : UNMOCK(try_to_extract_certs_from_tls);
517 1 : tor_x509_cert_impl_free(cert1);
518 1 : tor_x509_cert_impl_free(cert2);
519 1 : tor_x509_cert_impl_free(validCert);
520 1 : tor_x509_cert_impl_free(invalidCert);
521 1 : tor_x509_cert_impl_free(caCert);
522 :
523 1 : tor_free(tls);
524 1 : crypto_pk_free(k);
525 1 : }
526 :
527 : static void
528 1 : test_tortls_cert_matches_key(void *ignored)
529 : {
530 1 : (void)ignored;
531 :
532 1 : tor_x509_cert_impl_t *cert1 = NULL,
533 1 : *cert2 = NULL,
534 1 : *cert3 = NULL,
535 1 : *cert4 = NULL;
536 1 : tor_x509_cert_t *c1 = NULL, *c2 = NULL, *c3 = NULL, *c4 = NULL;
537 1 : crypto_pk_t *k1 = NULL, *k2 = NULL, *k3 = NULL;
538 :
539 1 : k1 = pk_generate(1);
540 1 : k2 = pk_generate(2);
541 1 : k3 = pk_generate(3);
542 :
543 1 : cert1 = tor_tls_create_certificate(k1, k2, "A", "B", 1000);
544 1 : cert2 = tor_tls_create_certificate(k1, k3, "C", "D", 1000);
545 1 : cert3 = tor_tls_create_certificate(k2, k3, "C", "D", 1000);
546 1 : cert4 = tor_tls_create_certificate(k3, k2, "E", "F", 1000);
547 :
548 1 : tt_assert(cert1 && cert2 && cert3 && cert4);
549 :
550 1 : c1 = tor_x509_cert_new(cert1); cert1 = NULL;
551 1 : c2 = tor_x509_cert_new(cert2); cert2 = NULL;
552 1 : c3 = tor_x509_cert_new(cert3); cert3 = NULL;
553 1 : c4 = tor_x509_cert_new(cert4); cert4 = NULL;
554 :
555 1 : tt_assert(c1 && c2 && c3 && c4);
556 :
557 1 : MOCK(tor_tls_get_peer_cert, get_peer_cert_mock_return_fixed);
558 :
559 1 : fixed_x509_cert = NULL;
560 : /* If the peer has no certificate, it shouldn't match anything. */
561 1 : tt_assert(! tor_tls_cert_matches_key(NULL, c1));
562 1 : tt_assert(! tor_tls_cert_matches_key(NULL, c2));
563 1 : tt_assert(! tor_tls_cert_matches_key(NULL, c3));
564 1 : tt_assert(! tor_tls_cert_matches_key(NULL, c4));
565 1 : fixed_x509_cert = c1;
566 : /* If the peer has a certificate, it should match every cert with the same
567 : * subject key. */
568 1 : tt_assert(tor_tls_cert_matches_key(NULL, c1));
569 1 : tt_assert(tor_tls_cert_matches_key(NULL, c2));
570 1 : tt_assert(! tor_tls_cert_matches_key(NULL, c3));
571 1 : tt_assert(! tor_tls_cert_matches_key(NULL, c4));
572 :
573 1 : done:
574 1 : tor_x509_cert_free(c1);
575 1 : tor_x509_cert_free(c2);
576 1 : tor_x509_cert_free(c3);
577 1 : tor_x509_cert_free(c4);
578 1 : if (cert1) tor_x509_cert_impl_free(cert1);
579 1 : if (cert2) tor_x509_cert_impl_free(cert2);
580 1 : if (cert3) tor_x509_cert_impl_free(cert3);
581 1 : if (cert4) tor_x509_cert_impl_free(cert4);
582 1 : crypto_pk_free(k1);
583 1 : crypto_pk_free(k2);
584 1 : crypto_pk_free(k3);
585 1 : UNMOCK(tor_tls_get_peer_cert);
586 1 : }
587 :
588 : #define LOCAL_TEST_CASE(name, flags) \
589 : { #name, test_tortls_##name, (flags|TT_FORK), NULL, NULL }
590 :
591 : struct testcase_t tortls_tests[] = {
592 : LOCAL_TEST_CASE(errno_to_tls_error, 0),
593 : LOCAL_TEST_CASE(err_to_string, 0),
594 : LOCAL_TEST_CASE(x509_cert_get_id_digests, 0),
595 : LOCAL_TEST_CASE(get_my_certs, TT_FORK),
596 : #ifdef ENABLE_OPENSSL
597 : LOCAL_TEST_CASE(tor_tls_get_error, 0),
598 : LOCAL_TEST_CASE(get_forced_write_size, 0),
599 : LOCAL_TEST_CASE(used_v1_handshake, TT_FORK),
600 : LOCAL_TEST_CASE(server_got_renegotiate, 0),
601 : #endif /* defined(ENABLE_OPENSSL) */
602 : LOCAL_TEST_CASE(evaluate_ecgroup_for_tls, 0),
603 : LOCAL_TEST_CASE(double_init, TT_FORK),
604 : LOCAL_TEST_CASE(address, TT_FORK),
605 : LOCAL_TEST_CASE(is_server, 0),
606 : LOCAL_TEST_CASE(bridge_init, TT_FORK),
607 : LOCAL_TEST_CASE(verify, TT_FORK),
608 : LOCAL_TEST_CASE(cert_matches_key, 0),
609 : END_OF_TESTCASES
610 : };
|
