Several unit tests to improve test coverage of x509*.c

5 files changed, 14 insertions, 8 deletions

diff --git a/src/lib/crypt_ops/crypto_digest.c b/src/lib/crypt_ops/crypto_digest.c
index 2bc5f08342..77cf18dca9 100644
--- a/src/lib/crypt_ops/crypto_digest.c
+++ b/src/lib/crypt_ops/crypto_digest.c
@@ -116,8 +116,8 @@ library_supports_digest(digest_algorithm_t alg)
  * <b>m</b>.  Write the DIGEST_LEN byte result into <b>digest</b>.
  * Return 0 on success, -1 on failure.
  */
-int
-crypto_digest(char *digest, const char *m, size_t len)
+MOCK_IMPL(int,
+crypto_digest,(char *digest, const char *m, size_t len))
 {
   tor_assert(m);
   tor_assert(digest);
diff --git a/src/lib/crypt_ops/crypto_digest.h b/src/lib/crypt_ops/crypto_digest.h
index 59713d2b9f..204f1aaff3 100644
--- a/src/lib/crypt_ops/crypto_digest.h
+++ b/src/lib/crypt_ops/crypto_digest.h
@@ -16,6 +16,7 @@
 #include "lib/cc/torint.h"
 #include "lib/defs/digest_sizes.h"
 #include "lib/malloc/malloc.h"
+#include "lib/testsupport/testsupport.h"
 
 /** Length of a sha1 message digest when encoded in base32 with trailing =
  * signs removed. */
@@ -75,7 +76,7 @@ typedef struct crypto_xof_t crypto_xof_t;
 struct smartlist_t;
 
 /* SHA-1 and other digests */
-int crypto_digest(char *digest, const char *m, size_t len);
+MOCK_DECL(int, crypto_digest,(char *digest, const char *m, size_t len));
 int crypto_digest256(char *digest, const char *m, size_t len,
                      digest_algorithm_t algorithm);
 int crypto_digest512(char *digest, const char *m, size_t len,
diff --git a/src/lib/tls/x509.c b/src/lib/tls/x509.c
index cff1c1302c..c88298b6cf 100644
--- a/src/lib/tls/x509.c
+++ b/src/lib/tls/x509.c
@@ -118,6 +118,7 @@ tor_x509_cert_new,(tor_x509_cert_impl_t *x509_cert))
     crypto_pk_t *pk = tor_tls_cert_get_key(cert);
     if (pk) {
       if (crypto_pk_get_common_digests(pk, &cert->pkey_digests) < 0) {
+        log_warn(LD_CRYPTO, "unable to compute digests of certificate key");
         crypto_pk_free(pk);
         goto err;
       }
@@ -128,10 +129,8 @@ tor_x509_cert_new,(tor_x509_cert_impl_t *x509_cert))
 
   return cert;
  err:
-  /* LCOV_EXCL_START for the same reason as the exclusion above */
   tor_free(cert);
   log_err(LD_CRYPTO, "Couldn't wrap encoded X509 certificate.");
   tor_x509_cert_impl_free_(x509_cert);
   return NULL;
-  /* LCOV_EXCL_STOP */
 }
diff --git a/src/lib/tls/x509_nss.c b/src/lib/tls/x509_nss.c
index 35b3d2542b..68aebbb69a 100644
--- a/src/lib/tls/x509_nss.c
+++ b/src/lib/tls/x509_nss.c
@@ -62,9 +62,11 @@ tor_tls_create_certificate_internal(crypto_pk_t *rsa,
 
   validity = CERT_CreateValidity(((PRTime)start_time) * PRTIME_PER_SEC,
                                  ((PRTime)end_time) * PRTIME_PER_SEC);
-  if (! validity) {
+  if (BUG(! validity)) {
+    /* LCOV_EXCL_START */
     crypto_nss_log_errors(LOG_WARN, "creating a validity object");
     goto err;
+    /* LCOV_EXCL_STOP */
   }
 
   unsigned long serial_number;
diff --git a/src/lib/tls/x509_openssl.c b/src/lib/tls/x509_openssl.c
index 28a30b66e1..f315b88f36 100644
--- a/src/lib/tls/x509_openssl.c
+++ b/src/lib/tls/x509_openssl.c
@@ -327,11 +327,15 @@ tor_tls_cert_is_valid(int severity,
   if (check_rsa_1024 && cert_key) {
     RSA *rsa = EVP_PKEY_get1_RSA(cert_key);
 #ifdef OPENSSL_1_1_API
-    if (rsa && RSA_bits(rsa) == 1024)
+    if (rsa && RSA_bits(rsa) == 1024) {
 #else
-    if (rsa && BN_num_bits(rsa->n) == 1024)
+    if (rsa && BN_num_bits(rsa->n) == 1024) {
 #endif
       key_ok = 1;
+    } else {
+      log_fn(severity, LD_CRYPTO, "Invalid certificate: Key is not RSA1024.");
+    }
+
     if (rsa)
       RSA_free(rsa);
   } else if (cert_key) {