/** Return true iff cert1 and cert2 are the same cert, or if they are both
* NULL. */
int
tor_cert_opt_eq(const tor_cert_t *cert1, const tor_cert_t *cert2)
{
if (cert1 == NULL && cert2 == NULL)
return 1;
if (!cert1 || !cert2)
return 0;
return tor_cert_eq(cert1, cert2);
}
void
hs_helper_desc_equal(const hs_descriptor_t *desc1,
const hs_descriptor_t *desc2)
{
/* Plaintext data section. */
tt_int_op(desc1->plaintext_data.version, OP_EQ,
desc2->plaintext_data.version);
tt_uint_op(desc1->plaintext_data.lifetime_sec, OP_EQ,
desc2->plaintext_data.lifetime_sec);
tt_assert(tor_cert_eq(desc1->plaintext_data.signing_key_cert,
desc2->plaintext_data.signing_key_cert));
tt_mem_op(desc1->plaintext_data.signing_pubkey.pubkey, OP_EQ,
desc2->plaintext_data.signing_pubkey.pubkey,
ED25519_PUBKEY_LEN);
tt_mem_op(desc1->plaintext_data.blinded_pubkey.pubkey, OP_EQ,
desc2->plaintext_data.blinded_pubkey.pubkey,
ED25519_PUBKEY_LEN);
tt_u64_op(desc1->plaintext_data.revision_counter, ==,
desc2->plaintext_data.revision_counter);
/* NOTE: We can't compare the encrypted blob because when encoding the
* descriptor, the object is immutable thus we don't update it with the
* encrypted blob. As contrast to the decoding process where we populate a
* descriptor object. */
/* Superencrypted data section. */
tt_mem_op(desc1->superencrypted_data.auth_ephemeral_pubkey.public_key, OP_EQ,
desc2->superencrypted_data.auth_ephemeral_pubkey.public_key,
CURVE25519_PUBKEY_LEN);
/* Auth clients. */
{
tt_assert(desc1->superencrypted_data.clients);
tt_assert(desc2->superencrypted_data.clients);
tt_int_op(smartlist_len(desc1->superencrypted_data.clients), ==,
smartlist_len(desc2->superencrypted_data.clients));
for (int i=0;
i < smartlist_len(desc1->superencrypted_data.clients);
i++) {
hs_desc_authorized_client_t
*client1 = smartlist_get(desc1->superencrypted_data.clients, i),
*client2 = smartlist_get(desc2->superencrypted_data.clients, i);
tt_mem_op(client1->client_id, OP_EQ, client2->client_id,
sizeof(client1->client_id));
tt_mem_op(client1->iv, OP_EQ, client2->iv,
sizeof(client1->iv));
tt_mem_op(client1->encrypted_cookie, OP_EQ, client2->encrypted_cookie,
sizeof(client1->encrypted_cookie));
}
}
/* Encrypted data section. */
tt_uint_op(desc1->encrypted_data.create2_ntor, ==,
desc2->encrypted_data.create2_ntor);
/* Authentication type. */
tt_int_op(!!desc1->encrypted_data.intro_auth_types, ==,
!!desc2->encrypted_data.intro_auth_types);
if (desc1->encrypted_data.intro_auth_types &&
desc2->encrypted_data.intro_auth_types) {
tt_int_op(smartlist_len(desc1->encrypted_data.intro_auth_types), ==,
smartlist_len(desc2->encrypted_data.intro_auth_types));
for (int i = 0;
i < smartlist_len(desc1->encrypted_data.intro_auth_types);
i++) {
tt_str_op(smartlist_get(desc1->encrypted_data.intro_auth_types, i),OP_EQ,
smartlist_get(desc2->encrypted_data.intro_auth_types, i));
}
}
static void
test_routerkeys_ed_keys_init_all(void *arg)
{
(void)arg;
char *dir = tor_strdup(get_fname("test_ed_keys_init_all"));
char *keydir = tor_strdup(get_fname("test_ed_keys_init_all/KEYS"));
or_options_t *options = tor_malloc_zero(sizeof(or_options_t));
time_t now = time(NULL);
ed25519_public_key_t id;
ed25519_keypair_t sign, auth;
tor_cert_t *link_cert = NULL;
get_options_mutable()->ORPort_set = 1;
crypto_pk_t *rsa = pk_generate(0);
set_server_identity_key(rsa);
set_client_identity_key(rsa);
router_initialize_tls_context();
options->SigningKeyLifetime = 30*86400;
options->TestingAuthKeyLifetime = 2*86400;
options->TestingLinkCertLifetime = 2*86400;
options->TestingSigningKeySlop = 2*86400;
options->TestingAuthKeySlop = 2*3600;
options->TestingLinkKeySlop = 2*3600;
#ifdef _WIN32
mkdir(dir);
mkdir(keydir);
#else
mkdir(dir, 0700);
mkdir(keydir, 0700);
#endif /* defined(_WIN32) */
options->DataDirectory = dir;
options->KeyDirectory = keydir;
tt_int_op(1, OP_EQ, load_ed_keys(options, now));
tt_int_op(0, OP_EQ, generate_ed_link_cert(options, now, 0));
tt_assert(get_master_identity_key());
tt_assert(get_master_identity_key());
tt_assert(get_master_signing_keypair());
tt_assert(get_current_auth_keypair());
tt_assert(get_master_signing_key_cert());
tt_assert(get_current_link_cert_cert());
tt_assert(get_current_auth_key_cert());
memcpy(&id, get_master_identity_key(), sizeof(id));
memcpy(&sign, get_master_signing_keypair(), sizeof(sign));
memcpy(&auth, get_current_auth_keypair(), sizeof(auth));
link_cert = tor_cert_dup(get_current_link_cert_cert());
/* Call load_ed_keys again, but nothing has changed. */
tt_int_op(0, OP_EQ, load_ed_keys(options, now));
tt_int_op(0, OP_EQ, generate_ed_link_cert(options, now, 0));
tt_mem_op(&id, OP_EQ, get_master_identity_key(), sizeof(id));
tt_mem_op(&sign, OP_EQ, get_master_signing_keypair(), sizeof(sign));
tt_mem_op(&auth, OP_EQ, get_current_auth_keypair(), sizeof(auth));
tt_assert(tor_cert_eq(link_cert, get_current_link_cert_cert()));
/* Force a reload: we make new link/auth keys. */
routerkeys_free_all();
tt_int_op(1, OP_EQ, load_ed_keys(options, now));
tt_int_op(0, OP_EQ, generate_ed_link_cert(options, now, 0));
tt_mem_op(&id, OP_EQ, get_master_identity_key(), sizeof(id));
tt_mem_op(&sign, OP_EQ, get_master_signing_keypair(), sizeof(sign));
tt_assert(tor_cert_eq(link_cert, get_current_link_cert_cert()));
tt_mem_op(&auth, OP_NE, get_current_auth_keypair(), sizeof(auth));
tt_assert(get_master_signing_key_cert());
tt_assert(get_current_link_cert_cert());
tt_assert(get_current_auth_key_cert());
tor_cert_free(link_cert);
link_cert = tor_cert_dup(get_current_link_cert_cert());
memcpy(&auth, get_current_auth_keypair(), sizeof(auth));
/* Force a link/auth-key regeneration by advancing time. */
tt_int_op(0, OP_EQ, load_ed_keys(options, now+3*86400));
tt_int_op(0, OP_EQ, generate_ed_link_cert(options, now+3*86400, 0));
tt_mem_op(&id, OP_EQ, get_master_identity_key(), sizeof(id));
tt_mem_op(&sign, OP_EQ, get_master_signing_keypair(), sizeof(sign));
tt_assert(! tor_cert_eq(link_cert, get_current_link_cert_cert()));
tt_mem_op(&auth, OP_NE, get_current_auth_keypair(), sizeof(auth));
tt_assert(get_master_signing_key_cert());
tt_assert(get_current_link_cert_cert());
tt_assert(get_current_auth_key_cert());
tor_cert_free(link_cert);
link_cert = tor_cert_dup(get_current_link_cert_cert());
memcpy(&auth, get_current_auth_keypair(), sizeof(auth));
/* Force a signing-key regeneration by advancing time. */
tt_int_op(1, OP_EQ, load_ed_keys(options, now+100*86400));
tt_int_op(0, OP_EQ, generate_ed_link_cert(options, now+100*86400, 0));
tt_mem_op(&id, OP_EQ, get_master_identity_key(), sizeof(id));
tt_mem_op(&sign, OP_NE, get_master_signing_keypair(), sizeof(sign));
tt_assert(! tor_cert_eq(link_cert, get_current_link_cert_cert()));
tt_mem_op(&auth, OP_NE, get_current_auth_keypair(), sizeof(auth));
tt_assert(get_master_signing_key_cert());
tt_assert(get_current_link_cert_cert());
tt_assert(get_current_auth_key_cert());
memcpy(&sign, get_master_signing_keypair(), sizeof(sign));
tor_cert_free(link_cert);
link_cert = tor_cert_dup(get_current_link_cert_cert());
memcpy(&auth, get_current_auth_keypair(), sizeof(auth));
/* Demonstrate that we can start up with no secret identity key */
routerkeys_free_all();
unlink(get_fname("test_ed_keys_init_all/KEYS/"
"ed25519_master_id_secret_key"));
tt_int_op(1, OP_EQ, load_ed_keys(options, now));
tt_int_op(0, OP_EQ, generate_ed_link_cert(options, now, 0));
tt_mem_op(&id, OP_EQ, get_master_identity_key(), sizeof(id));
tt_mem_op(&sign, OP_EQ, get_master_signing_keypair(), sizeof(sign));
tt_assert(! tor_cert_eq(link_cert, get_current_link_cert_cert()));
tt_mem_op(&auth, OP_NE, get_current_auth_keypair(), sizeof(auth));
tt_assert(get_master_signing_key_cert());
tt_assert(get_current_link_cert_cert());
tt_assert(get_current_auth_key_cert());
/* But we're in trouble if we have no id key and our signing key has
expired. */
log_global_min_severity_ = LOG_ERR; /* Suppress warnings.
* XXX (better way to do this)? */
routerkeys_free_all();
tt_int_op(-1, OP_EQ, load_ed_keys(options, now+200*86400));
done:
tor_free(dir);
tor_free(keydir);
tor_free(options);
tor_cert_free(link_cert);
routerkeys_free_all();
}
