test_tortls.c (17234B)
1 /* Copyright (c) 2010-2021, The Tor Project, Inc. */ 2 /* See LICENSE for licensing information */ 3 4 #define TORTLS_PRIVATE 5 #define TOR_X509_PRIVATE 6 #define LOG_PRIVATE 7 #include "orconfig.h" 8 9 #ifdef _WIN32 10 #include <winsock2.h> 11 #endif 12 #include <math.h> 13 #include <stddef.h> 14 15 #include "lib/cc/compat_compiler.h" 16 17 #include "core/or/or.h" 18 #include "lib/log/log.h" 19 #include "app/config/config.h" 20 #include "lib/crypt_ops/compat_openssl.h" 21 #include "lib/tls/x509.h" 22 #include "lib/tls/x509_internal.h" 23 #include "lib/tls/tortls.h" 24 #include "lib/tls/tortls_st.h" 25 #include "lib/tls/tortls_internal.h" 26 #include "lib/encoding/pem.h" 27 #include "app/config/or_state_st.h" 28 29 #include "test/test.h" 30 #include "test/log_test_helpers.h" 31 #include "test/test_tortls.h" 32 33 #include "tinytest.h" 34 35 const char* notCompletelyValidCertString = 36 "-----BEGIN CERTIFICATE-----\n" 37 "MIICVjCCAb8CAg37MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\n" 38 "A1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\n" 39 "MRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\n" 40 "YiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\n" 41 "ODIyMDUyNzIzWhcNMTcwODIxMDUyNzIzWjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\n" 42 "CAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\n" 43 "ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMYBBrx5PlP0WNI/ZdzD\n" 44 "+6Pktmurn+F2kQYbtc7XQh8/LTBvCo+P6iZoLEmUA9e7EXLRxgU1CVqeAi7QcAn9\n" 45 "MwBlc8ksFJHB0rtf9pmf8Oza9E0Bynlq/4/Kb1x+d+AyhL7oK9tQwB24uHOueHi1\n" 46 "C/iVv8CSWKiYe6hzN1txYe8rAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAASPdjigJ\n" 47 "kXCqKWpnZ/Oc75EUcMi6HztaW8abUMlYXPIgkV2F7YanHOB7K4f7OOLjiz8DTPFf\n" 48 "jC9UeuErhaA/zzWi8ewMTFZW/WshOrm3fNvcMrMLKtH534JKvcdMg6qIdjTFINIr\n" 49 "evnAhf0cwULaebn+lMs8Pdl7y37+sfluVok=\n" 50 "-----END CERTIFICATE-----\n"; 51 52 // Tor www.torproject.org certificate. 53 // Fetched March 6 2025, ~1320 UTC. 54 const char* validCertString = 55 "-----BEGIN CERTIFICATE-----\n" 56 "MIIF8zCCBNugAwIBAgISBMmLkAm3fEUb8UQC5EdseU8ZMA0GCSqGSIb3DQEBCwUA\n" 57 "MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD\n" 58 "EwNSMTAwHhcNMjUwMTMwMDA1MTU0WhcNMjUwNDMwMDA1MTUzWjAdMRswGQYDVQQD\n" 59 "ExJ3d3cudG9ycHJvamVjdC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK\n" 60 "AoICAQDGG3XaG3ZB5QbJisjUbyBW+dgoZy2E3dJ0qMaWyO3/dB8yz4gKKMFCr1Gj\n" 61 "xjcfWYiayN1mcL8/QWOiD8x1s25FHeWBoDpyHX70TlRK6ZL1u2imsgoIiNaOh7f6\n" 62 "zfY7EQHu5UTuwSF9xBVf6FGuJ1b+ZGfXE5dBg3JJ78E8unT+xz6TUzEBUHRF7mgR\n" 63 "nGSgy2vqTT2EpoGq2ZioV8v8JrjkLFUx40XimUPphBs0vdY+gzVCp2wKHRgxglAD\n" 64 "ut3UzLLs7dW/JV9OSSj5L46CQwuaC5xjGEBcarS202oyBdC7DZpolHVKmwJd6IOj\n" 65 "DcachL3VFDGPXQe3/TVcale8y6mfhYbGYn8v9SpeHOdsWv5kCNCpHaHYmdSCiCFG\n" 66 "lmFxnuisu74WghiLrHeHB3oydjACQOyJ4d3u1P9oFKqxPX4ui3ACVWcvksNVQSmR\n" 67 "LlLE2SrK9wIwn2oNs5jJuR68yMV57i20TGvqBSsCZ3m99glpXwG50tzgqfBwFFDX\n" 68 "QElJWI8GQvKQIh43TYBvpZXYIG9srvGdl9eUCNXTFhGosc0+sfKoPpUf7f0R58pj\n" 69 "fjdyDyXb+M6Z60mflOeUM+UR9Q5VeTJ69IfpLypC2JaHy2HCuNekvkbB7TuPuvC9\n" 70 "vANjovgo5zI3MAcp2v9Y6EDgeScKMbZBQM6nuljvw9npaqkHXQIDAQABo4ICFTCC\n" 71 "AhEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD\n" 72 "AjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRWG7Q4+uqENJPVGkL74DH+LCrhjzAf\n" 73 "BgNVHSMEGDAWgBS7vMNHpeS8qcbDpHIMEI2iNeHI6DBXBggrBgEFBQcBAQRLMEkw\n" 74 "IgYIKwYBBQUHMAGGFmh0dHA6Ly9yMTAuby5sZW5jci5vcmcwIwYIKwYBBQUHMAKG\n" 75 "F2h0dHA6Ly9yMTAuaS5sZW5jci5vcmcvMB0GA1UdEQQWMBSCEnd3dy50b3Jwcm9q\n" 76 "ZWN0Lm9yZzATBgNVHSAEDDAKMAgGBmeBDAECATCCAQMGCisGAQQB1nkCBAIEgfQE\n" 77 "gfEA7wB1AMz7D2qFcQll/pWbU87psnwi6YVcDZeNtql+VMD+TA2wAAABlLTm/wYA\n" 78 "AAQDAEYwRAIgHWbnkMLOUDDJg7vog3J66Aa2wuRYg4DFS21uUtPVUQgCIFZhio8Z\n" 79 "CQcZsdFpeGzAUjXcyboVrvdMg3/3jwWgdQ82AHYA5tIxY0B3jMEQQQbXcbnOwdJA\n" 80 "9paEhvu6hzId/R43jlAAAAGUtOb/DQAABAMARzBFAiBHNO8CjQdQcMENnXyH5oBL\n" 81 "kfdZghUHzMEfFKlg5p+QDAIhAP0dEqz+Q2A2XCvN09vZJ1gsG8IzQELHpBM8QDyM\n" 82 "KSavMA0GCSqGSIb3DQEBCwUAA4IBAQDNh8KjUWJKio63zn2JrFlpIsnrVchPP+ee\n" 83 "1XUrHQt/BA1pUdlTFPQrHOCf6KOGpiyjXxKkBdtJvc/5ZJZYJ26E6Ytd0nGOCirE\n" 84 "v0W45Vh22rH1w0Q1fH1xOqZx1qeh4QYr1/QJ3gWWMTOH5uV5dTzK9RWfp0C1pjQ6\n" 85 "Rct/0ZqyZHYqMD9VoAiVap7lwnWNWOj+UEioH2cMqjCkD5g8QGNHEfereB3DtoV3\n" 86 "Qw1Z3KoUEr2zEDfq+Uv6RLKCw3HjzDYKbHWSYkrUO7YyIQ3nlZAT861478k5WSKv\n" 87 "hpy8XisMLpQLAhSByV965gINlmHXbe61anJUh3JJpnOu/JyMfaf/\n" 88 "-----END CERTIFICATE-----\n"; 89 90 // Let's encrypt certificate, used to sign validCertString. 91 // Also fetched March 6 2025, ~1320 UTC. 92 const char* caCertString = 93 "-----BEGIN CERTIFICATE-----\n" 94 "MIIFBTCCAu2gAwIBAgIQS6hSk/eaL6JzBkuoBI110DANBgkqhkiG9w0BAQsFADBP\n" 95 "MQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFy\n" 96 "Y2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMTAeFw0yNDAzMTMwMDAwMDBa\n" 97 "Fw0yNzAzMTIyMzU5NTlaMDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBF\n" 98 "bmNyeXB0MQwwCgYDVQQDEwNSMTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n" 99 "AoIBAQDPV+XmxFQS7bRH/sknWHZGUCiMHT6I3wWd1bUYKb3dtVq/+vbOo76vACFL\n" 100 "YlpaPAEvxVgD9on/jhFD68G14BQHlo9vH9fnuoE5CXVlt8KvGFs3Jijno/QHK20a\n" 101 "/6tYvJWuQP/py1fEtVt/eA0YYbwX51TGu0mRzW4Y0YCF7qZlNrx06rxQTOr8IfM4\n" 102 "FpOUurDTazgGzRYSespSdcitdrLCnF2YRVxvYXvGLe48E1KGAdlX5jgc3421H5KR\n" 103 "mudKHMxFqHJV8LDmowfs/acbZp4/SItxhHFYyTr6717yW0QrPHTnj7JHwQdqzZq3\n" 104 "DZb3EoEmUVQK7GH29/Xi8orIlQ2NAgMBAAGjgfgwgfUwDgYDVR0PAQH/BAQDAgGG\n" 105 "MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATASBgNVHRMBAf8ECDAGAQH/\n" 106 "AgEAMB0GA1UdDgQWBBS7vMNHpeS8qcbDpHIMEI2iNeHI6DAfBgNVHSMEGDAWgBR5\n" 107 "tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKG\n" 108 "Fmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0gBAwwCjAIBgZngQwBAgEwJwYD\n" 109 "VR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVuY3Iub3JnLzANBgkqhkiG9w0B\n" 110 "AQsFAAOCAgEAkrHnQTfreZ2B5s3iJeE6IOmQRJWjgVzPw139vaBw1bGWKCIL0vIo\n" 111 "zwzn1OZDjCQiHcFCktEJr59L9MhwTyAWsVrdAfYf+B9haxQnsHKNY67u4s5Lzzfd\n" 112 "u6PUzeetUK29v+PsPmI2cJkxp+iN3epi4hKu9ZzUPSwMqtCceb7qPVxEbpYxY1p9\n" 113 "1n5PJKBLBX9eb9LU6l8zSxPWV7bK3lG4XaMJgnT9x3ies7msFtpKK5bDtotij/l0\n" 114 "GaKeA97pb5uwD9KgWvaFXMIEt8jVTjLEvwRdvCn294GPDF08U8lAkIv7tghluaQh\n" 115 "1QnlE4SEN4LOECj8dsIGJXpGUk3aU3KkJz9icKy+aUgA+2cP21uh6NcDIS3XyfaZ\n" 116 "QjmDQ993ChII8SXWupQZVBiIpcWO4RqZk3lr7Bz5MUCwzDIA359e57SSq5CCkY0N\n" 117 "4B6Vulk7LktfwrdGNVI5BsC9qqxSwSKgRJeZ9wygIaehbHFHFhcBaMDKpiZlBHyz\n" 118 "rsnnlFXCb5s8HKn5LsUgGvB24L7sGNZP2CX7dhHov+YhD+jozLW2p9W4959Bz2Ei\n" 119 "RmqDtmiXLnzqTpXbI+suyCsohKRg6Un0RC47+cpiVwHiXZAW+cn8eiNIjqbVgXLx\n" 120 "KPpdzvvtTnOPlC7SQZSYmdunr3Bf9b77AiC/ZidstK36dRILKz7OA54=\n" 121 "-----END CERTIFICATE-----\n"; 122 123 // A time at which the certs above are valid. 124 const time_t cert_strings_valid_at = 1741267580; 125 126 static tor_x509_cert_t *fixed_x509_cert = NULL; 127 static tor_x509_cert_t * 128 get_peer_cert_mock_return_fixed(tor_tls_t *tls) 129 { 130 (void)tls; 131 if (fixed_x509_cert) 132 return tor_x509_cert_dup(fixed_x509_cert); 133 else 134 return NULL; 135 } 136 137 tor_x509_cert_impl_t * 138 read_cert_from(const char *str) 139 { 140 size_t len = strlen(str); 141 uint8_t *raw_cert = tor_malloc(len); 142 ssize_t true_len = pem_decode(raw_cert, len, str, len, "CERTIFICATE"); 143 if (true_len < 0) { 144 tor_free(raw_cert); 145 return NULL; 146 } 147 tor_x509_cert_t *cert = tor_x509_cert_decode(raw_cert, true_len); 148 tor_free(raw_cert); 149 if (! cert) { 150 return NULL; 151 } 152 tor_x509_cert_impl_t *res = tor_x509_cert_impl_dup_(cert->cert); 153 tor_x509_cert_free(cert); 154 return res; 155 } 156 157 static void 158 test_tortls_errno_to_tls_error(void *data) 159 { 160 (void) data; 161 tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(ECONNRESET)),OP_EQ, 162 TOR_TLS_ERROR_CONNRESET); 163 tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(ETIMEDOUT)),OP_EQ, 164 TOR_TLS_ERROR_TIMEOUT); 165 tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(EHOSTUNREACH)),OP_EQ, 166 TOR_TLS_ERROR_NO_ROUTE); 167 tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(ENETUNREACH)),OP_EQ, 168 TOR_TLS_ERROR_NO_ROUTE); 169 tt_int_op(tor_errno_to_tls_error(SOCK_ERRNO(ECONNREFUSED)),OP_EQ, 170 TOR_TLS_ERROR_CONNREFUSED); 171 tt_int_op(tor_errno_to_tls_error(0),OP_EQ,TOR_TLS_ERROR_MISC); 172 done: 173 (void)1; 174 } 175 176 static void 177 test_tortls_err_to_string(void *data) 178 { 179 (void) data; 180 tt_str_op(tor_tls_err_to_string(1),OP_EQ,"[Not an error.]"); 181 tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_MISC),OP_EQ,"misc error"); 182 tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_IO),OP_EQ,"unexpected close"); 183 tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_CONNREFUSED),OP_EQ, 184 "connection refused"); 185 tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_CONNRESET),OP_EQ, 186 "connection reset"); 187 tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_NO_ROUTE),OP_EQ, 188 "host unreachable"); 189 tt_str_op(tor_tls_err_to_string(TOR_TLS_ERROR_TIMEOUT),OP_EQ, 190 "connection timed out"); 191 tt_str_op(tor_tls_err_to_string(TOR_TLS_CLOSE),OP_EQ,"closed"); 192 tt_str_op(tor_tls_err_to_string(TOR_TLS_WANTREAD),OP_EQ,"want to read"); 193 tt_str_op(tor_tls_err_to_string(TOR_TLS_WANTWRITE),OP_EQ,"want to write"); 194 tt_str_op(tor_tls_err_to_string(-100),OP_EQ,"(unknown error code)"); 195 done: 196 (void)1; 197 } 198 199 #ifdef ENABLE_OPENSSL 200 static int 201 mock_tls_cert_matches_key(const tor_tls_t *tls, const tor_x509_cert_t *cert) 202 { 203 (void) tls; 204 (void) cert; // XXXX look at this. 205 return 1; 206 } 207 208 static void 209 test_tortls_tor_tls_get_error(void *data) 210 { 211 (void) data; 212 MOCK(tor_tls_cert_matches_key, mock_tls_cert_matches_key); 213 crypto_pk_t *key1 = NULL, *key2 = NULL; 214 key1 = pk_generate(2); 215 key2 = pk_generate(3); 216 217 tor_tls_t *tls = NULL; 218 tt_int_op(tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER, 219 key1, key2, 86400), OP_EQ, 0); 220 tls = tor_tls_new(-1, 0); 221 setup_capture_of_logs(LOG_WARN); 222 tor_tls_get_error(tls, 0, 0, 223 (const char *)"in unit test", LOG_WARN, LD_GENERAL); 224 expect_single_log_msg_containing("unexpected close while in unit test"); 225 226 done: 227 UNMOCK(tor_tls_cert_matches_key); 228 UNMOCK(logv); 229 crypto_pk_free(key1); 230 crypto_pk_free(key2); 231 tor_tls_free(tls); 232 } 233 #endif /* defined(ENABLE_OPENSSL) */ 234 235 static void 236 test_tortls_x509_cert_get_id_digests(void *ignored) 237 { 238 (void)ignored; 239 tor_x509_cert_t *cert; 240 common_digests_t *d; 241 const common_digests_t *res; 242 cert = tor_malloc_zero(sizeof(tor_x509_cert_t)); 243 d = tor_malloc_zero(sizeof(common_digests_t)); 244 d->d[0][0] = 42; 245 246 res = tor_x509_cert_get_id_digests(cert); 247 tt_assert(!res); 248 249 cert->pkey_digests_set = 1; 250 cert->pkey_digests = *d; 251 res = tor_x509_cert_get_id_digests(cert); 252 tt_assert(res); 253 tt_int_op(res->d[0][0], OP_EQ, 42); 254 255 done: 256 tor_free(cert); 257 tor_free(d); 258 } 259 260 static void 261 test_tortls_get_my_certs(void *ignored) 262 { 263 (void)ignored; 264 int ret; 265 tor_tls_context_t *ctx; 266 const tor_x509_cert_t *link_cert_out = NULL; 267 const tor_x509_cert_t *id_cert_out = NULL; 268 269 ctx = tor_malloc_zero(sizeof(tor_tls_context_t)); 270 271 client_tls_context = NULL; 272 ret = tor_tls_get_my_certs(0, NULL, NULL); 273 tt_int_op(ret, OP_EQ, -1); 274 275 server_tls_context = NULL; 276 ret = tor_tls_get_my_certs(1, NULL, NULL); 277 tt_int_op(ret, OP_EQ, -1); 278 279 client_tls_context = ctx; 280 ret = tor_tls_get_my_certs(0, NULL, NULL); 281 tt_int_op(ret, OP_EQ, 0); 282 283 client_tls_context = ctx; 284 ret = tor_tls_get_my_certs(0, &link_cert_out, &id_cert_out); 285 tt_int_op(ret, OP_EQ, 0); 286 287 server_tls_context = ctx; 288 ret = tor_tls_get_my_certs(1, &link_cert_out, &id_cert_out); 289 tt_int_op(ret, OP_EQ, 0); 290 291 done: 292 (void)1; 293 } 294 295 #ifdef ENABLE_OPENSSL 296 static void 297 test_tortls_get_forced_write_size(void *ignored) 298 { 299 (void)ignored; 300 long ret; 301 tor_tls_t *tls; 302 303 tls = tor_malloc_zero(sizeof(tor_tls_t)); 304 305 tls->wantwrite_n = 43; 306 ret = tor_tls_get_forced_write_size(tls); 307 tt_int_op(ret, OP_EQ, 43); 308 309 done: 310 tor_free(tls); 311 } 312 #endif /* defined(ENABLE_OPENSSL) */ 313 314 static void 315 test_tortls_evaluate_ecgroup_for_tls(void *ignored) 316 { 317 (void)ignored; 318 int ret; 319 320 ret = evaluate_ecgroup_for_tls(NULL); 321 tt_int_op(ret, OP_EQ, 1); 322 323 ret = evaluate_ecgroup_for_tls("foobar"); 324 tt_int_op(ret, OP_EQ, 0); 325 326 ret = evaluate_ecgroup_for_tls("P256"); 327 tt_int_op(ret, OP_EQ, 1); 328 329 ret = evaluate_ecgroup_for_tls("P224"); 330 // tt_int_op(ret, OP_EQ, 1); This varies between machines 331 tt_assert(ret == 0 || ret == 1); 332 333 done: 334 (void)0; 335 } 336 337 static void 338 test_tortls_double_init(void *arg) 339 { 340 (void) arg; 341 /* If we call tor_tls_context_init() a second time, nothing should go 342 * wrong. 343 */ 344 crypto_pk_t *pk1 = NULL, *pk2 = NULL; 345 pk1 = pk_generate(2); 346 pk2 = pk_generate(0); 347 348 int r = tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER, 349 pk1, pk2, 86400); 350 tt_int_op(r, OP_EQ, 0); 351 352 r = tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER, 353 pk2, pk1, 86400); 354 tt_int_op(r, OP_EQ, 0); 355 /* For a public server context, these are the same */ 356 tt_ptr_op(tor_tls_context_get(0), OP_EQ, tor_tls_context_get(1)); 357 358 done: 359 crypto_pk_free(pk1); 360 crypto_pk_free(pk2); 361 } 362 363 static void 364 test_tortls_bridge_init(void *arg) 365 { 366 (void)arg; 367 crypto_pk_t *pk1 = NULL, *pk2 = NULL; 368 pk1 = pk_generate(2); 369 pk2 = pk_generate(0); 370 371 /* If we pass in a server identity key but not the 372 TOR_TLS_CTX_IS_PUBLIC_SERVER flag, we should get a bridge-style 373 configuration, with two distinct contexts. */ 374 int r = tor_tls_context_init(0 /* flags */, pk1, pk2, 86400); 375 376 tt_int_op(r, OP_EQ, 0); 377 tt_ptr_op(tor_tls_context_get(0), OP_NE, tor_tls_context_get(1)); 378 done: 379 crypto_pk_free(pk1); 380 crypto_pk_free(pk2); 381 } 382 383 static void 384 test_tortls_address(void *arg) 385 { 386 (void)arg; 387 tor_tls_t *tls = NULL; 388 crypto_pk_t *pk1=NULL, *pk2=NULL; 389 pk1 = pk_generate(2); 390 pk2 = pk_generate(0); 391 392 int r = tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER, 393 pk1, pk2, 86400); 394 tt_int_op(r, OP_EQ, 0); 395 396 tls = tor_tls_new(-1, 0); 397 tls->state = TOR_TLS_ST_OPEN; 398 tor_tls_set_logged_address(tls, "zombo.com"); 399 400 /* This write should fail, since the fd is -1. */ 401 setup_capture_of_logs(LOG_INFO); 402 int n = tor_tls_write(tls, "welcome", 7); 403 tt_int_op(n, OP_LT, 0); 404 expect_log_msg_containing("with zombo.com"); 405 406 done: 407 teardown_capture_of_logs(); 408 tor_tls_free(tls); 409 crypto_pk_free(pk1); 410 crypto_pk_free(pk2); 411 } 412 413 static void 414 test_tortls_is_server(void *arg) 415 { 416 (void)arg; 417 crypto_pk_t *pk1=NULL, *pk2=NULL; 418 tor_tls_t *tls1=NULL, *tls2=NULL; 419 pk1 = pk_generate(2); 420 pk2 = pk_generate(0); 421 422 int r = tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER, 423 pk1, pk2, 86400); 424 tt_int_op(r, OP_EQ, 0); 425 tls1 = tor_tls_new(-1, 0); 426 tls2 = tor_tls_new(-1, 1); 427 428 tt_assert(! tor_tls_is_server(tls1)); 429 tt_assert(tor_tls_is_server(tls2)); 430 431 done: 432 tor_tls_free(tls1); 433 tor_tls_free(tls2); 434 crypto_pk_free(pk1); 435 crypto_pk_free(pk2); 436 } 437 438 static void 439 test_tortls_cert_matches_key(void *ignored) 440 { 441 (void)ignored; 442 443 tor_x509_cert_impl_t *cert1 = NULL, 444 *cert2 = NULL, 445 *cert3 = NULL, 446 *cert4 = NULL; 447 tor_x509_cert_t *c1 = NULL, *c2 = NULL, *c3 = NULL, *c4 = NULL; 448 crypto_pk_t *k1 = NULL, *k2 = NULL, *k3 = NULL; 449 450 k1 = pk_generate(1); 451 k2 = pk_generate(2); 452 k3 = pk_generate(3); 453 454 cert1 = tor_tls_create_certificate(k1, k2, "A", "B", 1000); 455 cert2 = tor_tls_create_certificate(k1, k3, "C", "D", 1000); 456 cert3 = tor_tls_create_certificate(k2, k3, "C", "D", 1000); 457 cert4 = tor_tls_create_certificate(k3, k2, "E", "F", 1000); 458 459 tt_assert(cert1 && cert2 && cert3 && cert4); 460 461 c1 = tor_x509_cert_new(cert1); cert1 = NULL; 462 c2 = tor_x509_cert_new(cert2); cert2 = NULL; 463 c3 = tor_x509_cert_new(cert3); cert3 = NULL; 464 c4 = tor_x509_cert_new(cert4); cert4 = NULL; 465 466 tt_assert(c1 && c2 && c3 && c4); 467 468 MOCK(tor_tls_get_peer_cert, get_peer_cert_mock_return_fixed); 469 470 fixed_x509_cert = NULL; 471 /* If the peer has no certificate, it shouldn't match anything. */ 472 tt_assert(! tor_tls_cert_matches_key(NULL, c1)); 473 tt_assert(! tor_tls_cert_matches_key(NULL, c2)); 474 tt_assert(! tor_tls_cert_matches_key(NULL, c3)); 475 tt_assert(! tor_tls_cert_matches_key(NULL, c4)); 476 fixed_x509_cert = c1; 477 /* If the peer has a certificate, it should match every cert with the same 478 * subject key. */ 479 tt_assert(tor_tls_cert_matches_key(NULL, c1)); 480 tt_assert(tor_tls_cert_matches_key(NULL, c2)); 481 tt_assert(! tor_tls_cert_matches_key(NULL, c3)); 482 tt_assert(! tor_tls_cert_matches_key(NULL, c4)); 483 484 done: 485 tor_x509_cert_free(c1); 486 tor_x509_cert_free(c2); 487 tor_x509_cert_free(c3); 488 tor_x509_cert_free(c4); 489 if (cert1) tor_x509_cert_impl_free(cert1); 490 if (cert2) tor_x509_cert_impl_free(cert2); 491 if (cert3) tor_x509_cert_impl_free(cert3); 492 if (cert4) tor_x509_cert_impl_free(cert4); 493 crypto_pk_free(k1); 494 crypto_pk_free(k2); 495 crypto_pk_free(k3); 496 UNMOCK(tor_tls_get_peer_cert); 497 } 498 499 #define LOCAL_TEST_CASE(name, flags) \ 500 { #name, test_tortls_##name, (flags|TT_FORK), NULL, NULL } 501 502 struct testcase_t tortls_tests[] = { 503 LOCAL_TEST_CASE(errno_to_tls_error, 0), 504 LOCAL_TEST_CASE(err_to_string, 0), 505 LOCAL_TEST_CASE(x509_cert_get_id_digests, 0), 506 LOCAL_TEST_CASE(get_my_certs, TT_FORK), 507 #ifdef ENABLE_OPENSSL 508 LOCAL_TEST_CASE(tor_tls_get_error, 0), 509 LOCAL_TEST_CASE(get_forced_write_size, 0), 510 #endif /* defined(ENABLE_OPENSSL) */ 511 LOCAL_TEST_CASE(evaluate_ecgroup_for_tls, 0), 512 LOCAL_TEST_CASE(double_init, TT_FORK), 513 LOCAL_TEST_CASE(address, TT_FORK), 514 LOCAL_TEST_CASE(is_server, 0), 515 LOCAL_TEST_CASE(bridge_init, TT_FORK), 516 LOCAL_TEST_CASE(cert_matches_key, 0), 517 END_OF_TESTCASES 518 };