mirrors/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2025-02-24 22:58:50 +01:00
Code Issues Projects Releases Wiki Activity

Run tor_tls_cert_matches_key() Test Suite with both OpenSSL and NSS.

Browse source 
This patch lifts the `tor_tls_cert_matches_key()` tests out of the
OpenSSL specific TLS test suite and moves it into the generic TLS test
suite that is executed for both OpenSSL and NSS.

This patch is largely a code movement, but we had to rewrite parts of
the test to avoid using OpenSSL specific data-types (such as `X509 *`)
and replace it with the generic Tor abstraction type
(`tor_x509_cert_impl_t *`).

This patch is part of the fix for TROVE-2020-001.

See: https://bugs.torproject.org/33119
This commit is contained in:
Alexander Færøy 2020-03-31 02:28:12 +00:00 committed by Nick Mathewson
parent 39830b6408
commit 33e1c2e6fd
2 changed files with 73 additions and 70 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

73
src/test/test_tortls.c
View file

@ -105,6 +105,17 @@ const char* caCertString = "-----BEGIN CERTIFICATE-----\n"
"Yy1RT69d0rwYc5u/vnqODz1IjvT90smsrkBumGt791FAFeg=\n" "Yy1RT69d0rwYc5u/vnqODz1IjvT90smsrkBumGt791FAFeg=\n"
"-----END CERTIFICATE-----\n"; "-----END CERTIFICATE-----\n";
static tor_x509_cert_t *fixed_x509_cert = NULL;
static tor_x509_cert_t *
get_peer_cert_mock_return_fixed(tor_tls_t *tls)
{
(void)tls;
if (fixed_x509_cert)
return tor_x509_cert_dup(fixed_x509_cert);
else
return NULL;
}
tor_x509_cert_impl_t * tor_x509_cert_impl_t *
read_cert_from(const char *str) read_cert_from(const char *str)
{ {
@ -513,6 +524,67 @@ test_tortls_verify(void *ignored)
crypto_pk_free(k); crypto_pk_free(k);
} }
static void
test_tortls_cert_matches_key(void *ignored)
{
(void)ignored;
tor_x509_cert_impl_t *cert1 = NULL,
*cert2 = NULL,
*cert3 = NULL,
*cert4 = NULL;
tor_x509_cert_t *c1 = NULL, *c2 = NULL, *c3 = NULL, *c4 = NULL;
crypto_pk_t *k1 = NULL, *k2 = NULL, *k3 = NULL;
k1 = pk_generate(1);
k2 = pk_generate(2);
k3 = pk_generate(3);
cert1 = tor_tls_create_certificate(k1, k2, "A", "B", 1000);
cert2 = tor_tls_create_certificate(k1, k3, "C", "D", 1000);
cert3 = tor_tls_create_certificate(k2, k3, "C", "D", 1000);
cert4 = tor_tls_create_certificate(k3, k2, "E", "F", 1000);
tt_assert(cert1 && cert2 && cert3 && cert4);
c1 = tor_x509_cert_new(cert1); cert1 = NULL;
c2 = tor_x509_cert_new(cert2); cert2 = NULL;
c3 = tor_x509_cert_new(cert3); cert3 = NULL;
c4 = tor_x509_cert_new(cert4); cert4 = NULL;
tt_assert(c1 && c2 && c3 && c4);
MOCK(tor_tls_get_peer_cert, get_peer_cert_mock_return_fixed);
fixed_x509_cert = NULL;
/* If the peer has no certificate, it shouldn't match anything. */
tt_assert(! tor_tls_cert_matches_key(NULL, c1));
tt_assert(! tor_tls_cert_matches_key(NULL, c2));
tt_assert(! tor_tls_cert_matches_key(NULL, c3));
tt_assert(! tor_tls_cert_matches_key(NULL, c4));
fixed_x509_cert = c1;
/* If the peer has a certificate, it should match every cert with the same
* subject key. */
tt_assert(tor_tls_cert_matches_key(NULL, c1));
tt_assert(tor_tls_cert_matches_key(NULL, c2));
tt_assert(! tor_tls_cert_matches_key(NULL, c3));
tt_assert(! tor_tls_cert_matches_key(NULL, c4));
done:
tor_x509_cert_free(c1);
tor_x509_cert_free(c2);
tor_x509_cert_free(c3);
tor_x509_cert_free(c4);
if (cert1) tor_x509_cert_impl_free(cert1);
if (cert2) tor_x509_cert_impl_free(cert2);
if (cert3) tor_x509_cert_impl_free(cert3);
if (cert4) tor_x509_cert_impl_free(cert4);
crypto_pk_free(k1);
crypto_pk_free(k2);
crypto_pk_free(k3);
UNMOCK(tor_tls_get_peer_cert);
}
#define LOCAL_TEST_CASE(name, flags) \ #define LOCAL_TEST_CASE(name, flags) \
{ #name, test_tortls_##name, (flags|TT_FORK), NULL, NULL } { #name, test_tortls_##name, (flags|TT_FORK), NULL, NULL }
@ -533,5 +605,6 @@ struct testcase_t tortls_tests[] = {
LOCAL_TEST_CASE(is_server, 0), LOCAL_TEST_CASE(is_server, 0),
LOCAL_TEST_CASE(bridge_init, TT_FORK), LOCAL_TEST_CASE(bridge_init, TT_FORK),
LOCAL_TEST_CASE(verify, TT_FORK), LOCAL_TEST_CASE(verify, TT_FORK),
LOCAL_TEST_CASE(cert_matches_key, 0),
END_OF_TESTCASES END_OF_TESTCASES
}; };

70
src/test/test_tortls_openssl.c
View file

@ -479,75 +479,6 @@ fake_x509_free(X509 *cert)
} }
#endif #endif
static tor_x509_cert_t *fixed_x509_cert = NULL;
static tor_x509_cert_t *
get_peer_cert_mock_return_fixed(tor_tls_t *tls)
{
(void)tls;
if (fixed_x509_cert)
return tor_x509_cert_dup(fixed_x509_cert);
else
return NULL;
}
static void
test_tortls_cert_matches_key(void *ignored)
{
(void)ignored;
X509 *cert1 = NULL, *cert2 = NULL, *cert3 = NULL, *cert4 = NULL;
tor_x509_cert_t *c1 = NULL, *c2 = NULL, *c3 = NULL, *c4 = NULL;
crypto_pk_t *k1 = NULL, *k2 = NULL, *k3 = NULL;
k1 = pk_generate(1);
k2 = pk_generate(2);
k3 = pk_generate(3);
cert1 = tor_tls_create_certificate(k1, k2, "A", "B", 1000);
cert2 = tor_tls_create_certificate(k1, k3, "C", "D", 1000);
cert3 = tor_tls_create_certificate(k2, k3, "C", "D", 1000);
cert4 = tor_tls_create_certificate(k3, k2, "E", "F", 1000);
tt_assert(cert1 && cert2 && cert3 && cert4);
c1 = tor_x509_cert_new(cert1); cert1 = NULL;
c2 = tor_x509_cert_new(cert2); cert2 = NULL;
c3 = tor_x509_cert_new(cert3); cert3 = NULL;
c4 = tor_x509_cert_new(cert4); cert4 = NULL;
tt_assert(c1 && c2 && c3 && c4);
MOCK(tor_tls_get_peer_cert, get_peer_cert_mock_return_fixed);
fixed_x509_cert = NULL;
/* If the peer has no certificate, it shouldn't match anything. */
tt_assert(! tor_tls_cert_matches_key(NULL, c1));
tt_assert(! tor_tls_cert_matches_key(NULL, c2));
tt_assert(! tor_tls_cert_matches_key(NULL, c3));
tt_assert(! tor_tls_cert_matches_key(NULL, c4));
fixed_x509_cert = c1;
/* If the peer has a certificate, it should match every cert with the same
* subject key. */
tt_assert(tor_tls_cert_matches_key(NULL, c1));
tt_assert(tor_tls_cert_matches_key(NULL, c2));
tt_assert(! tor_tls_cert_matches_key(NULL, c3));
tt_assert(! tor_tls_cert_matches_key(NULL, c4));
done:
tor_x509_cert_free(c1);
tor_x509_cert_free(c2);
tor_x509_cert_free(c3);
tor_x509_cert_free(c4);
if (cert1) X509_free(cert1);
if (cert2) X509_free(cert2);
if (cert3) X509_free(cert3);
if (cert4) X509_free(cert4);
crypto_pk_free(k1);
crypto_pk_free(k2);
crypto_pk_free(k3);
UNMOCK(tor_tls_get_peer_cert);
}
#ifndef OPENSSL_OPAQUE #ifndef OPENSSL_OPAQUE
static void static void
test_tortls_cert_get_key(void *ignored) test_tortls_cert_get_key(void *ignored)
@ -2279,7 +2210,6 @@ struct testcase_t tortls_openssl_tests[] = {
INTRUSIVE_TEST_CASE(get_error, TT_FORK), INTRUSIVE_TEST_CASE(get_error, TT_FORK),
LOCAL_TEST_CASE(always_accept_verify_cb, 0), LOCAL_TEST_CASE(always_accept_verify_cb, 0),
INTRUSIVE_TEST_CASE(x509_cert_free, 0), INTRUSIVE_TEST_CASE(x509_cert_free, 0),
LOCAL_TEST_CASE(cert_matches_key, 0),
INTRUSIVE_TEST_CASE(cert_get_key, 0), INTRUSIVE_TEST_CASE(cert_get_key, 0),
LOCAL_TEST_CASE(get_my_client_auth_key, TT_FORK), LOCAL_TEST_CASE(get_my_client_auth_key, TT_FORK),
INTRUSIVE_TEST_CASE(get_ciphersuite_name, 0), INTRUSIVE_TEST_CASE(get_ciphersuite_name, 0),