diff options
| author | Nick Mathewson <nickm@torproject.org> | 2018-08-21 19:16:40 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2018-08-21 19:16:40 -0400 |
| commit | 245025a3dff5ffb893c0cc079a8e5d59df553529 (patch) | |
| tree | 466e3d8421cc62d027a8c3d7ed9d2159f5d6419a /src | |
| parent | 4c0c4d4ade2f5e87202055d44a1226c4af8397dc (diff) | |
| parent | d52f406001082474c3decf04747bf6f742b82c96 (diff) | |
| download | tor-245025a3dff5ffb893c0cc079a8e5d59df553529.tar.gz tor-245025a3dff5ffb893c0cc079a8e5d59df553529.zip | |
Merge branch 'maint-0.3.2' into maint-0.3.3
Diffstat (limited to 'src')
| -rw-r--r-- | src/common/tortls.c | 10 | ||||
| -rw-r--r-- | src/test/test_tortls.c | 119 |
2 files changed, 66 insertions, 63 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c index 50609b8ac7..388c97e3a3 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -896,18 +896,20 @@ tor_tls_cert_get_key(tor_x509_cert_t *cert) MOCK_IMPL(int, tor_tls_cert_matches_key,(const tor_tls_t *tls, const tor_x509_cert_t *cert)) { - X509 *peercert = SSL_get_peer_certificate(tls->ssl); + tor_x509_cert_t *peer = tor_tls_get_peer_cert((tor_tls_t *)tls); + if (!peer) + return 0; + + X509 *peercert = peer->cert; EVP_PKEY *link_key = NULL, *cert_key = NULL; int result; - if (!peercert) - return 0; link_key = X509_get_pubkey(peercert); cert_key = X509_get_pubkey(cert->cert); result = link_key && cert_key && EVP_PKEY_cmp(cert_key, link_key) == 1; - X509_free(peercert); + tor_x509_cert_free(peer); if (link_key) EVP_PKEY_free(link_key); if (cert_key) diff --git a/src/test/test_tortls.c b/src/test/test_tortls.c index ef038c661e..bb899a9577 100644 --- a/src/test/test_tortls.c +++ b/src/test/test_tortls.c @@ -547,13 +547,6 @@ test_tortls_x509_cert_get_id_digests(void *ignored) } #ifndef OPENSSL_OPAQUE -static int -fixed_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) -{ - (void) a; (void) b; - return 1; -} - static void fake_x509_free(X509 *cert) { @@ -570,70 +563,78 @@ fake_x509_free(X509 *cert) tor_free(cert); } } +#endif + +static tor_x509_cert_t *fixed_x509_cert = NULL; +static tor_x509_cert_t * +get_peer_cert_mock_return_fixed(tor_tls_t *tls) +{ + (void)tls; + if (fixed_x509_cert) + return tor_x509_cert_dup(fixed_x509_cert); + else + return NULL; +} static void test_tortls_cert_matches_key(void *ignored) { (void)ignored; - int res; - tor_tls_t *tls; - tor_x509_cert_t *cert; - X509 *one = NULL, *two = NULL; - EVP_PKEY_ASN1_METHOD *meth = EVP_PKEY_asn1_new(999, 0, NULL, NULL); - EVP_PKEY_asn1_set_public(meth, NULL, NULL, fixed_pub_cmp, NULL, NULL, NULL); - tls = tor_malloc_zero(sizeof(tor_tls_t)); - cert = tor_malloc_zero(sizeof(tor_x509_cert_t)); - one = tor_malloc_zero(sizeof(X509)); - one->references = 1; - two = tor_malloc_zero(sizeof(X509)); - two->references = 1; + X509 *cert1 = NULL, *cert2 = NULL, *cert3 = NULL, *cert4 = NULL; + tor_x509_cert_t *c1 = NULL, *c2 = NULL, *c3 = NULL, *c4 = NULL; + crypto_pk_t *k1 = NULL, *k2 = NULL, *k3 = NULL; - res = tor_tls_cert_matches_key(tls, cert); - tt_int_op(res, OP_EQ, 0); + k1 = pk_generate(1); + k2 = pk_generate(2); + k3 = pk_generate(3); - tls->ssl = tor_malloc_zero(sizeof(SSL)); - tls->ssl->session = tor_malloc_zero(sizeof(SSL_SESSION)); - tls->ssl->session->peer = one; - res = tor_tls_cert_matches_key(tls, cert); - tt_int_op(res, OP_EQ, 0); - - cert->cert = two; - res = tor_tls_cert_matches_key(tls, cert); - tt_int_op(res, OP_EQ, 0); - - one->cert_info = tor_malloc_zero(sizeof(X509_CINF)); - one->cert_info->key = tor_malloc_zero(sizeof(X509_PUBKEY)); - one->cert_info->key->pkey = tor_malloc_zero(sizeof(EVP_PKEY)); - one->cert_info->key->pkey->references = 1; - one->cert_info->key->pkey->ameth = meth; - one->cert_info->key->pkey->type = 1; - - two->cert_info = tor_malloc_zero(sizeof(X509_CINF)); - two->cert_info->key = tor_malloc_zero(sizeof(X509_PUBKEY)); - two->cert_info->key->pkey = tor_malloc_zero(sizeof(EVP_PKEY)); - two->cert_info->key->pkey->references = 1; - two->cert_info->key->pkey->ameth = meth; - two->cert_info->key->pkey->type = 2; - - res = tor_tls_cert_matches_key(tls, cert); - tt_int_op(res, OP_EQ, 0); - - one->cert_info->key->pkey->type = 1; - two->cert_info->key->pkey->type = 1; - res = tor_tls_cert_matches_key(tls, cert); - tt_int_op(res, OP_EQ, 1); + cert1 = tor_tls_create_certificate(k1, k2, "A", "B", 1000); + cert2 = tor_tls_create_certificate(k1, k3, "C", "D", 1000); + cert3 = tor_tls_create_certificate(k2, k3, "C", "D", 1000); + cert4 = tor_tls_create_certificate(k3, k2, "E", "F", 1000); + + tt_assert(cert1 && cert2 && cert3 && cert4); + + c1 = tor_x509_cert_new(cert1); cert1 = NULL; + c2 = tor_x509_cert_new(cert2); cert2 = NULL; + c3 = tor_x509_cert_new(cert3); cert3 = NULL; + c4 = tor_x509_cert_new(cert4); cert4 = NULL; + + tt_assert(c1 && c2 && c3 && c4); + + MOCK(tor_tls_get_peer_cert, get_peer_cert_mock_return_fixed); + + fixed_x509_cert = NULL; + /* If the peer has no certificate, it shouldn't match anything. */ + tt_assert(! tor_tls_cert_matches_key(NULL, c1)); + tt_assert(! tor_tls_cert_matches_key(NULL, c2)); + tt_assert(! tor_tls_cert_matches_key(NULL, c3)); + tt_assert(! tor_tls_cert_matches_key(NULL, c4)); + fixed_x509_cert = c1; + /* If the peer has a certificate, it should match every cert with the same + * subject key. */ + tt_assert(tor_tls_cert_matches_key(NULL, c1)); + tt_assert(tor_tls_cert_matches_key(NULL, c2)); + tt_assert(! tor_tls_cert_matches_key(NULL, c3)); + tt_assert(! tor_tls_cert_matches_key(NULL, c4)); done: - EVP_PKEY_asn1_free(meth); - tor_free(tls->ssl->session); - tor_free(tls->ssl); - tor_free(tls); - tor_free(cert); - fake_x509_free(one); - fake_x509_free(two); + tor_x509_cert_free(c1); + tor_x509_cert_free(c2); + tor_x509_cert_free(c3); + tor_x509_cert_free(c4); + if (cert1) X509_free(cert1); + if (cert2) X509_free(cert2); + if (cert3) X509_free(cert3); + if (cert4) X509_free(cert4); + crypto_pk_free(k1); + crypto_pk_free(k2); + crypto_pk_free(k3); + UNMOCK(tor_tls_get_peer_cert); } +#ifndef OPENSSL_OPAQUE static void test_tortls_cert_get_key(void *ignored) { |