search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'maint-0.2.9' into maint-0.3.3
[tor.git] / src / test / test_policy.c
blobf8aa8ac40bd86ca30a3b661a547f7f0c28e1f839
1 /* Copyright (c) 2013-2017, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3
4 #include "or.h"
5 #define CONFIG_PRIVATE
6 #include "config.h"
7 #include "router.h"
8 #include "routerparse.h"
9 #define POLICIES_PRIVATE
10 #include "policies.h"
11 #include "test.h"
12
13 /* Helper: assert that short_policy parses and writes back out as itself,
14 or as <b>expected</b> if that's provided. */
15 static void
16 test_short_policy_parse(const char *input,
17 const char *expected)
18 {
19 short_policy_t *short_policy = NULL;
20 char *out = NULL;
21
22 if (expected == NULL)
23 expected = input;
24
25 short_policy = parse_short_policy(input);
26 tt_assert(short_policy);
27 out = write_short_policy(short_policy);
28 tt_str_op(out, OP_EQ, expected);
29
30 done:
31 tor_free(out);
32 short_policy_free(short_policy);
33 }
34
35 /** Helper: Parse the exit policy string in <b>policy_str</b> with
36 * <b>options</b>, and make sure that policies_summarize() produces the string
37 * <b>expected_summary</b> from it when called with family. */
38 static void
39 test_policy_summary_helper_family_flags(const char *policy_str,
40 const char *expected_summary,
41 sa_family_t family,
42 exit_policy_parser_cfg_t options)
43 {
44 config_line_t line;
45 smartlist_t *policy = smartlist_new();
46 char *summary = NULL;
47 char *summary_after = NULL;
48 int r;
49 short_policy_t *short_policy = NULL;
50 int success = 0;
51
52 line.key = (char*)"foo";
53 line.value = (char *)policy_str;
54 line.next = NULL;
55
56 r = policies_parse_exit_policy(&line, &policy,
57 options, NULL);
58 tt_int_op(r,OP_EQ, 0);
59
60 summary = policy_summarize(policy, family);
61
62 tt_ptr_op(summary, OP_NE, NULL);
63 tt_str_op(summary,OP_EQ, expected_summary);
64
65 short_policy = parse_short_policy(summary);
66 tt_assert(short_policy);
67 summary_after = write_short_policy(short_policy);
68 tt_str_op(summary,OP_EQ, summary_after);
69
70 success = 1;
71 done:
72 /* If we don't print the flags on failure, it's very hard to diagnose bugs */
73 if (!success)
74 TT_DECLARE("CTXT", ("\n IPv%d\n Options: %x\n Policy: %s",
75 family == AF_INET ? 4 : 6, options, policy_str));
76 tor_free(summary_after);
77 tor_free(summary);
78 if (policy)
79 addr_policy_list_free(policy);
80 short_policy_free(short_policy);
81 }
82
83 /** Like test_policy_summary_helper_family_flags, but tries all the different
84 * flag combinations */
85 static void
86 test_policy_summary_helper_family(const char *policy_str,
87 const char *expected_summary,
88 sa_family_t family)
89 {
90 for (exit_policy_parser_cfg_t opt = 0;
91 opt <= EXIT_POLICY_OPTION_ALL;
92 opt++) {
93 if (family == AF_INET6 && !(opt & EXIT_POLICY_IPV6_ENABLED))
94 /* Skip the test: IPv6 addresses need IPv6 enabled */
95 continue;
96
97 if (opt & EXIT_POLICY_REJECT_LOCAL_INTERFACES)
98 /* Skip the test: local interfaces are machine-specific */
99 continue;
100
101 test_policy_summary_helper_family_flags(policy_str, expected_summary,
102 family, opt);
103 }
104 }
105
106 /** Like test_policy_summary_helper_family, but uses expected_summary for
107 * both IPv4 and IPv6. */
108 static void
109 test_policy_summary_helper(const char *policy_str,
110 const char *expected_summary)
111 {
112 test_policy_summary_helper_family(policy_str, expected_summary, AF_INET);
113 test_policy_summary_helper_family(policy_str, expected_summary, AF_INET6);
114 }
115
116 /** Like test_policy_summary_helper_family, but uses expected_summary4 for
117 * IPv4 and expected_summary6 for IPv6. */
118 static void
119 test_policy_summary_helper6(const char *policy_str,
120 const char *expected_summary4,
121 const char *expected_summary6)
122 {
123 test_policy_summary_helper_family(policy_str, expected_summary4, AF_INET);
124 test_policy_summary_helper_family(policy_str, expected_summary6, AF_INET6);
125 }
126
127 /** Run unit tests for generating summary lines of exit policies */
128 static void
129 test_policies_general(void *arg)
130 {
131 int i;
132 smartlist_t *policy = NULL, *policy2 = NULL, *policy3 = NULL,
133 *policy4 = NULL, *policy5 = NULL, *policy6 = NULL,
134 *policy7 = NULL, *policy8 = NULL, *policy9 = NULL,
135 *policy10 = NULL, *policy11 = NULL, *policy12 = NULL;
136 addr_policy_t *p;
137 tor_addr_t tar, tar2;
138 smartlist_t *addr_list = NULL;
139 config_line_t line;
140 smartlist_t *sm = NULL;
141 char *policy_str = NULL;
142 short_policy_t *short_parsed = NULL;
143 int malformed_list = -1;
144 (void)arg;
145
146 policy = smartlist_new();
147
148 p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*", -1,
149 &malformed_list);
150 tt_ptr_op(p, OP_NE, NULL);
151 tt_int_op(ADDR_POLICY_REJECT,OP_EQ, p->policy_type);
152 tor_addr_from_ipv4h(&tar, 0xc0a80000u);
153 tt_int_op(0,OP_EQ, tor_addr_compare(&p->addr, &tar, CMP_EXACT));
154 tt_int_op(16,OP_EQ, p->maskbits);
155 tt_int_op(1,OP_EQ, p->prt_min);
156 tt_int_op(65535,OP_EQ, p->prt_max);
157
158 smartlist_add(policy, p);
159
160 tor_addr_from_ipv4h(&tar, 0x01020304u);
161 tt_assert(ADDR_POLICY_ACCEPTED ==
162 compare_tor_addr_to_addr_policy(&tar, 2, policy));
163 tor_addr_make_unspec(&tar);
164 tt_assert(ADDR_POLICY_PROBABLY_ACCEPTED ==
165 compare_tor_addr_to_addr_policy(&tar, 2, policy));
166 tor_addr_from_ipv4h(&tar, 0xc0a80102);
167 tt_assert(ADDR_POLICY_REJECTED ==
168 compare_tor_addr_to_addr_policy(&tar, 2, policy));
169
170 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy2,
171 EXIT_POLICY_IPV6_ENABLED |
172 EXIT_POLICY_REJECT_PRIVATE |
173 EXIT_POLICY_ADD_DEFAULT, NULL));
174
175 tt_assert(policy2);
176
177 tor_addr_from_ipv4h(&tar, 0x0306090cu);
178 tor_addr_parse(&tar2, "[2000::1234]");
179 addr_list = smartlist_new();
180 smartlist_add(addr_list, &tar);
181 smartlist_add(addr_list, &tar2);
182 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy12,
183 EXIT_POLICY_IPV6_ENABLED |
184 EXIT_POLICY_REJECT_PRIVATE |
185 EXIT_POLICY_ADD_DEFAULT,
186 addr_list));
187 smartlist_free(addr_list);
188 addr_list = NULL;
189
190 tt_assert(policy12);
191
192 policy3 = smartlist_new();
193 p = router_parse_addr_policy_item_from_string("reject *:*", -1,
194 &malformed_list);
195 tt_ptr_op(p, OP_NE, NULL);
196 smartlist_add(policy3, p);
197 p = router_parse_addr_policy_item_from_string("accept *:*", -1,
198 &malformed_list);
199 tt_ptr_op(p, OP_NE, NULL);
200 smartlist_add(policy3, p);
201
202 policy4 = smartlist_new();
203 p = router_parse_addr_policy_item_from_string("accept *:443", -1,
204 &malformed_list);
205 tt_ptr_op(p, OP_NE, NULL);
206 smartlist_add(policy4, p);
207 p = router_parse_addr_policy_item_from_string("accept *:443", -1,
208 &malformed_list);
209 tt_ptr_op(p, OP_NE, NULL);
210 smartlist_add(policy4, p);
211
212 policy5 = smartlist_new();
213 p = router_parse_addr_policy_item_from_string("reject 0.0.0.0/8:*", -1,
214 &malformed_list);
215 tt_ptr_op(p, OP_NE, NULL);
216 smartlist_add(policy5, p);
217 p = router_parse_addr_policy_item_from_string("reject 169.254.0.0/16:*", -1,
218 &malformed_list);
219 tt_ptr_op(p, OP_NE, NULL);
220 smartlist_add(policy5, p);
221 p = router_parse_addr_policy_item_from_string("reject 127.0.0.0/8:*", -1,
222 &malformed_list);
223 tt_ptr_op(p, OP_NE, NULL);
224 smartlist_add(policy5, p);
225 p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*",
226 -1, &malformed_list);
227 tt_ptr_op(p, OP_NE, NULL);
228 smartlist_add(policy5, p);
229 p = router_parse_addr_policy_item_from_string("reject 10.0.0.0/8:*", -1,
230 &malformed_list);
231 tt_ptr_op(p, OP_NE, NULL);
232 smartlist_add(policy5, p);
233 p = router_parse_addr_policy_item_from_string("reject 172.16.0.0/12:*", -1,
234 &malformed_list);
235 tt_ptr_op(p, OP_NE, NULL);
236 smartlist_add(policy5, p);
237 p = router_parse_addr_policy_item_from_string("reject 80.190.250.90:*", -1,
238 &malformed_list);
239 tt_ptr_op(p, OP_NE, NULL);
240 smartlist_add(policy5, p);
241 p = router_parse_addr_policy_item_from_string("reject *:1-65534", -1,
242 &malformed_list);
243 tt_ptr_op(p, OP_NE, NULL);
244 smartlist_add(policy5, p);
245 p = router_parse_addr_policy_item_from_string("reject *:65535", -1,
246 &malformed_list);
247 tt_ptr_op(p, OP_NE, NULL);
248 smartlist_add(policy5, p);
249 p = router_parse_addr_policy_item_from_string("accept *:1-65535", -1,
250 &malformed_list);
251 tt_ptr_op(p, OP_NE, NULL);
252 smartlist_add(policy5, p);
253
254 policy6 = smartlist_new();
255 p = router_parse_addr_policy_item_from_string("accept 43.3.0.0/9:*", -1,
256 &malformed_list);
257 tt_ptr_op(p, OP_NE, NULL);
258 smartlist_add(policy6, p);
259
260 policy7 = smartlist_new();
261 p = router_parse_addr_policy_item_from_string("accept 0.0.0.0/8:*", -1,
262 &malformed_list);
263 tt_ptr_op(p, OP_NE, NULL);
264 smartlist_add(policy7, p);
265
266 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy8,
267 EXIT_POLICY_IPV6_ENABLED |
268 EXIT_POLICY_REJECT_PRIVATE |
269 EXIT_POLICY_ADD_DEFAULT,
270 NULL));
271
272 tt_assert(policy8);
273
274 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy9,
275 EXIT_POLICY_REJECT_PRIVATE |
276 EXIT_POLICY_ADD_DEFAULT,
277 NULL));
278
279 tt_assert(policy9);
280
281 /* accept6 * and reject6 * produce IPv6 wildcards only */
282 policy10 = smartlist_new();
283 p = router_parse_addr_policy_item_from_string("accept6 *:*", -1,
284 &malformed_list);
285 tt_ptr_op(p, OP_NE, NULL);
286 smartlist_add(policy10, p);
287
288 policy11 = smartlist_new();
289 p = router_parse_addr_policy_item_from_string("reject6 *:*", -1,
290 &malformed_list);
291 tt_ptr_op(p, OP_NE, NULL);
292 smartlist_add(policy11, p);
293
294 tt_assert(!exit_policy_is_general_exit(policy));
295 tt_assert(exit_policy_is_general_exit(policy2));
296 tt_assert(!exit_policy_is_general_exit(NULL));
297 tt_assert(!exit_policy_is_general_exit(policy3));
298 tt_assert(!exit_policy_is_general_exit(policy4));
299 tt_assert(!exit_policy_is_general_exit(policy5));
300 tt_assert(!exit_policy_is_general_exit(policy6));
301 tt_assert(!exit_policy_is_general_exit(policy7));
302 tt_assert(exit_policy_is_general_exit(policy8));
303 tt_assert(exit_policy_is_general_exit(policy9));
304 tt_assert(!exit_policy_is_general_exit(policy10));
305 tt_assert(!exit_policy_is_general_exit(policy11));
306
307 tt_assert(!addr_policies_eq(policy, policy2));
308 tt_assert(!addr_policies_eq(policy, NULL));
309 tt_assert(addr_policies_eq(policy2, policy2));
310 tt_assert(addr_policies_eq(NULL, NULL));
311
312 tt_assert(!policy_is_reject_star(policy2, AF_INET, 1));
313 tt_assert(policy_is_reject_star(policy, AF_INET, 1));
314 tt_assert(policy_is_reject_star(policy10, AF_INET, 1));
315 tt_assert(!policy_is_reject_star(policy10, AF_INET6, 1));
316 tt_assert(policy_is_reject_star(policy11, AF_INET, 1));
317 tt_assert(policy_is_reject_star(policy11, AF_INET6, 1));
318 tt_assert(policy_is_reject_star(NULL, AF_INET, 1));
319 tt_assert(policy_is_reject_star(NULL, AF_INET6, 1));
320 tt_assert(!policy_is_reject_star(NULL, AF_INET, 0));
321 tt_assert(!policy_is_reject_star(NULL, AF_INET6, 0));
322
323 addr_policy_list_free(policy);
324 policy = NULL;
325
326 /* make sure assume_action works */
327 malformed_list = 0;
328 p = router_parse_addr_policy_item_from_string("127.0.0.1",
329 ADDR_POLICY_ACCEPT,
330 &malformed_list);
331 tt_assert(p);
332 addr_policy_free(p);
333 tt_assert(!malformed_list);
334
335 p = router_parse_addr_policy_item_from_string("127.0.0.1:*",
336 ADDR_POLICY_ACCEPT,
337 &malformed_list);
338 tt_assert(p);
339 addr_policy_free(p);
340 tt_assert(!malformed_list);
341
342 p = router_parse_addr_policy_item_from_string("[::]",
343 ADDR_POLICY_ACCEPT,
344 &malformed_list);
345 tt_assert(p);
346 addr_policy_free(p);
347 tt_assert(!malformed_list);
348
349 p = router_parse_addr_policy_item_from_string("[::]:*",
350 ADDR_POLICY_ACCEPT,
351 &malformed_list);
352 tt_assert(p);
353 addr_policy_free(p);
354 tt_assert(!malformed_list);
355
356 p = router_parse_addr_policy_item_from_string("[face::b]",
357 ADDR_POLICY_ACCEPT,
358 &malformed_list);
359 tt_assert(p);
360 addr_policy_free(p);
361 tt_assert(!malformed_list);
362
363 p = router_parse_addr_policy_item_from_string("[b::aaaa]",
364 ADDR_POLICY_ACCEPT,
365 &malformed_list);
366 tt_assert(p);
367 addr_policy_free(p);
368 tt_assert(!malformed_list);
369
370 p = router_parse_addr_policy_item_from_string("*",
371 ADDR_POLICY_ACCEPT,
372 &malformed_list);
373 tt_assert(p);
374 addr_policy_free(p);
375 tt_assert(!malformed_list);
376
377 p = router_parse_addr_policy_item_from_string("*4",
378 ADDR_POLICY_ACCEPT,
379 &malformed_list);
380 tt_assert(p);
381 addr_policy_free(p);
382 tt_assert(!malformed_list);
383
384 p = router_parse_addr_policy_item_from_string("*6",
385 ADDR_POLICY_ACCEPT,
386 &malformed_list);
387 tt_assert(p);
388 addr_policy_free(p);
389 tt_assert(!malformed_list);
390
391 /* These are all ambiguous IPv6 addresses, it's good that we reject them */
392 p = router_parse_addr_policy_item_from_string("acce::abcd",
393 ADDR_POLICY_ACCEPT,
394 &malformed_list);
395 tt_ptr_op(p, OP_EQ, NULL);
396 tt_assert(malformed_list);
397 malformed_list = 0;
398
399 p = router_parse_addr_policy_item_from_string("7:1234",
400 ADDR_POLICY_ACCEPT,
401 &malformed_list);
402 tt_ptr_op(p, OP_EQ, NULL);
403 tt_assert(malformed_list);
404 malformed_list = 0;
405
406 p = router_parse_addr_policy_item_from_string("::",
407 ADDR_POLICY_ACCEPT,
408 &malformed_list);
409 tt_ptr_op(p, OP_EQ, NULL);
410 tt_assert(malformed_list);
411 malformed_list = 0;
412
413 /* make sure compacting logic works. */
414 policy = NULL;
415 line.key = (char*)"foo";
416 line.value = (char*)"accept *:80,reject private:*,reject *:*";
417 line.next = NULL;
418 tt_int_op(0, OP_EQ, policies_parse_exit_policy(&line,&policy,
419 EXIT_POLICY_IPV6_ENABLED |
420 EXIT_POLICY_ADD_DEFAULT, NULL));
421 tt_assert(policy);
422
423 //test_streq(policy->string, "accept *:80");
424 //test_streq(policy->next->string, "reject *:*");
425 tt_int_op(smartlist_len(policy),OP_EQ, 4);
426
427 /* test policy summaries */
428 /* check if we properly ignore private IP addresses */
429 test_policy_summary_helper("reject 192.168.0.0/16:*,"
430 "reject 0.0.0.0/8:*,"
431 "reject 10.0.0.0/8:*,"
432 "accept *:10-30,"
433 "accept *:90,"
434 "reject *:*",
435 "accept 10-30,90");
436 /* check all accept policies, and proper counting of rejects */
437 test_policy_summary_helper("reject 11.0.0.0/9:80,"
438 "reject 12.0.0.0/9:80,"
439 "reject 13.0.0.0/9:80,"
440 "reject 14.0.0.0/9:80,"
441 "accept *:*", "accept 1-65535");
442 test_policy_summary_helper("reject 11.0.0.0/9:80,"
443 "reject 12.0.0.0/9:80,"
444 "reject 13.0.0.0/9:80,"
445 "reject 14.0.0.0/9:80,"
446 "reject 15.0.0.0:81,"
447 "accept *:*", "accept 1-65535");
448 test_policy_summary_helper6("reject 11.0.0.0/9:80,"
449 "reject 12.0.0.0/9:80,"
450 "reject 13.0.0.0/9:80,"
451 "reject 14.0.0.0/9:80,"
452 "reject 15.0.0.0:80,"
453 "accept *:*",
454 "reject 80",
455 "accept 1-65535");
456 /* no exits */
457 test_policy_summary_helper("accept 11.0.0.0/9:80,"
458 "reject *:*",
459 "reject 1-65535");
460 /* port merging */
461 test_policy_summary_helper("accept *:80,"
462 "accept *:81,"
463 "accept *:100-110,"
464 "accept *:111,"
465 "reject *:*",
466 "accept 80-81,100-111");
467 /* border ports */
468 test_policy_summary_helper("accept *:1,"
469 "accept *:3,"
470 "accept *:65535,"
471 "reject *:*",
472 "accept 1,3,65535");
473 /* holes */
474 test_policy_summary_helper("accept *:1,"
475 "accept *:3,"
476 "accept *:5,"
477 "accept *:7,"
478 "reject *:*",
479 "accept 1,3,5,7");
480 test_policy_summary_helper("reject *:1,"
481 "reject *:3,"
482 "reject *:5,"
483 "reject *:7,"
484 "accept *:*",
485 "reject 1,3,5,7");
486 /* long policies */
487 /* standard long policy on many exits */
488 test_policy_summary_helper("accept *:20-23,"
489 "accept *:43,"
490 "accept *:53,"
491 "accept *:79-81,"
492 "accept *:88,"
493 "accept *:110,"
494 "accept *:143,"
495 "accept *:194,"
496 "accept *:220,"
497 "accept *:389,"
498 "accept *:443,"
499 "accept *:464,"
500 "accept *:531,"
501 "accept *:543-544,"
502 "accept *:554,"
503 "accept *:563,"
504 "accept *:636,"
505 "accept *:706,"
506 "accept *:749,"
507 "accept *:873,"
508 "accept *:902-904,"
509 "accept *:981,"
510 "accept *:989-995,"
511 "accept *:1194,"
512 "accept *:1220,"
513 "accept *:1293,"
514 "accept *:1500,"
515 "accept *:1533,"
516 "accept *:1677,"
517 "accept *:1723,"
518 "accept *:1755,"
519 "accept *:1863,"
520 "accept *:2082,"
521 "accept *:2083,"
522 "accept *:2086-2087,"
523 "accept *:2095-2096,"
524 "accept *:2102-2104,"
525 "accept *:3128,"
526 "accept *:3389,"
527 "accept *:3690,"
528 "accept *:4321,"
529 "accept *:4643,"
530 "accept *:5050,"
531 "accept *:5190,"
532 "accept *:5222-5223,"
533 "accept *:5228,"
534 "accept *:5900,"
535 "accept *:6660-6669,"
536 "accept *:6679,"
537 "accept *:6697,"
538 "accept *:8000,"
539 "accept *:8008,"
540 "accept *:8074,"
541 "accept *:8080,"
542 "accept *:8087-8088,"
543 "accept *:8332-8333,"
544 "accept *:8443,"
545 "accept *:8888,"
546 "accept *:9418,"
547 "accept *:9999,"
548 "accept *:10000,"
549 "accept *:11371,"
550 "accept *:12350,"
551 "accept *:19294,"
552 "accept *:19638,"
553 "accept *:23456,"
554 "accept *:33033,"
555 "accept *:64738,"
556 "reject *:*",
557 "accept 20-23,43,53,79-81,88,110,143,194,220,389,"
558 "443,464,531,543-544,554,563,636,706,749,873,"
559 "902-904,981,989-995,1194,1220,1293,1500,1533,"
560 "1677,1723,1755,1863,2082-2083,2086-2087,"
561 "2095-2096,2102-2104,3128,3389,3690,4321,4643,"
562 "5050,5190,5222-5223,5228,5900,6660-6669,6679,"
563 "6697,8000,8008,8074,8080,8087-8088,8332-8333,"
564 "8443,8888,9418,9999-10000,11371,12350,19294,"
565 "19638,23456,33033,64738");
566 /* short policy with configured addresses */
567 test_policy_summary_helper("reject 149.56.1.1:*,"
568 "reject [2607:5300:1:1::1:0]:*,"
569 "accept *:80,"
570 "accept *:443,"
571 "reject *:*",
572 "accept 80,443");
573 /* short policy with configured and local interface addresses */
574 test_policy_summary_helper("reject 149.56.1.0:*,"
575 "reject 149.56.1.1:*,"
576 "reject 149.56.1.2:*,"
577 "reject 149.56.1.3:*,"
578 "reject 149.56.1.4:*,"
579 "reject 149.56.1.5:*,"
580 "reject 149.56.1.6:*,"
581 "reject 149.56.1.7:*,"
582 "reject [2607:5300:1:1::1:0]:*,"
583 "reject [2607:5300:1:1::1:1]:*,"
584 "reject [2607:5300:1:1::1:2]:*,"
585 "reject [2607:5300:1:1::1:3]:*,"
586 "reject [2607:5300:1:1::2:0]:*,"
587 "reject [2607:5300:1:1::2:1]:*,"
588 "reject [2607:5300:1:1::2:2]:*,"
589 "reject [2607:5300:1:1::2:3]:*,"
590 "accept *:80,"
591 "accept *:443,"
592 "reject *:*",
593 "accept 80,443");
594 /* short policy with configured netblocks */
595 test_policy_summary_helper("reject 149.56.0.0/16,"
596 "reject6 2607:5300::/32,"
597 "reject6 2608:5300::/64,"
598 "reject6 2609:5300::/96,"
599 "accept *:80,"
600 "accept *:443,"
601 "reject *:*",
602 "accept 80,443");
603 /* short policy with large netblocks that do not count as a rejection */
604 test_policy_summary_helper("reject 148.0.0.0/7,"
605 "reject6 2600::/16,"
606 "accept *:80,"
607 "accept *:443,"
608 "reject *:*",
609 "accept 80,443");
610 /* short policy with large netblocks that count as a rejection */
611 test_policy_summary_helper("reject 148.0.0.0/6,"
612 "reject6 2600::/15,"
613 "accept *:80,"
614 "accept *:443,"
615 "reject *:*",
616 "reject 1-65535");
617 /* short policy with huge netblocks that count as a rejection */
618 test_policy_summary_helper("reject 128.0.0.0/1,"
619 "reject6 8000::/1,"
620 "accept *:80,"
621 "accept *:443,"
622 "reject *:*",
623 "reject 1-65535");
624 /* short policy which blocks everything using netblocks */
625 test_policy_summary_helper("reject 0.0.0.0/0,"
626 "reject6 ::/0,"
627 "accept *:80,"
628 "accept *:443,"
629 "reject *:*",
630 "reject 1-65535");
631 /* short policy which has repeated redundant netblocks */
632 test_policy_summary_helper("reject 0.0.0.0/0,"
633 "reject 0.0.0.0/0,"
634 "reject 0.0.0.0/0,"
635 "reject 0.0.0.0/0,"
636 "reject 0.0.0.0/0,"
637 "reject6 ::/0,"
638 "reject6 ::/0,"
639 "reject6 ::/0,"
640 "reject6 ::/0,"
641 "reject6 ::/0,"
642 "accept *:80,"
643 "accept *:443,"
644 "reject *:*",
645 "reject 1-65535");
646
647 /* longest possible policy
648 * (1-2,4-5,... is longer, but gets reduced to 3,6,... )
649 * Going all the way to 65535 is incredibly slow, so we just go slightly
650 * more than the expected length */
651 test_policy_summary_helper("accept *:1,"
652 "accept *:3,"
653 "accept *:5,"
654 "accept *:7,"
655 "accept *:9,"
656 "accept *:11,"
657 "accept *:13,"
658 "accept *:15,"
659 "accept *:17,"
660 "accept *:19,"
661 "accept *:21,"
662 "accept *:23,"
663 "accept *:25,"
664 "accept *:27,"
665 "accept *:29,"
666 "accept *:31,"
667 "accept *:33,"
668 "accept *:35,"
669 "accept *:37,"
670 "accept *:39,"
671 "accept *:41,"
672 "accept *:43,"
673 "accept *:45,"
674 "accept *:47,"
675 "accept *:49,"
676 "accept *:51,"
677 "accept *:53,"
678 "accept *:55,"
679 "accept *:57,"
680 "accept *:59,"
681 "accept *:61,"
682 "accept *:63,"
683 "accept *:65,"
684 "accept *:67,"
685 "accept *:69,"
686 "accept *:71,"
687 "accept *:73,"
688 "accept *:75,"
689 "accept *:77,"
690 "accept *:79,"
691 "accept *:81,"
692 "accept *:83,"
693 "accept *:85,"
694 "accept *:87,"
695 "accept *:89,"
696 "accept *:91,"
697 "accept *:93,"
698 "accept *:95,"
699 "accept *:97,"
700 "accept *:99,"
701 "accept *:101,"
702 "accept *:103,"
703 "accept *:105,"
704 "accept *:107,"
705 "accept *:109,"
706 "accept *:111,"
707 "accept *:113,"
708 "accept *:115,"
709 "accept *:117,"
710 "accept *:119,"
711 "accept *:121,"
712 "accept *:123,"
713 "accept *:125,"
714 "accept *:127,"
715 "accept *:129,"
716 "accept *:131,"
717 "accept *:133,"
718 "accept *:135,"
719 "accept *:137,"
720 "accept *:139,"
721 "accept *:141,"
722 "accept *:143,"
723 "accept *:145,"
724 "accept *:147,"
725 "accept *:149,"
726 "accept *:151,"
727 "accept *:153,"
728 "accept *:155,"
729 "accept *:157,"
730 "accept *:159,"
731 "accept *:161,"
732 "accept *:163,"
733 "accept *:165,"
734 "accept *:167,"
735 "accept *:169,"
736 "accept *:171,"
737 "accept *:173,"
738 "accept *:175,"
739 "accept *:177,"
740 "accept *:179,"
741 "accept *:181,"
742 "accept *:183,"
743 "accept *:185,"
744 "accept *:187,"
745 "accept *:189,"
746 "accept *:191,"
747 "accept *:193,"
748 "accept *:195,"
749 "accept *:197,"
750 "accept *:199,"
751 "accept *:201,"
752 "accept *:203,"
753 "accept *:205,"
754 "accept *:207,"
755 "accept *:209,"
756 "accept *:211,"
757 "accept *:213,"
758 "accept *:215,"
759 "accept *:217,"
760 "accept *:219,"
761 "accept *:221,"
762 "accept *:223,"
763 "accept *:225,"
764 "accept *:227,"
765 "accept *:229,"
766 "accept *:231,"
767 "accept *:233,"
768 "accept *:235,"
769 "accept *:237,"
770 "accept *:239,"
771 "accept *:241,"
772 "accept *:243,"
773 "accept *:245,"
774 "accept *:247,"
775 "accept *:249,"
776 "accept *:251,"
777 "accept *:253,"
778 "accept *:255,"
779 "accept *:257,"
780 "accept *:259,"
781 "accept *:261,"
782 "accept *:263,"
783 "accept *:265,"
784 "accept *:267,"
785 "accept *:269,"
786 "accept *:271,"
787 "accept *:273,"
788 "accept *:275,"
789 "accept *:277,"
790 "accept *:279,"
791 "accept *:281,"
792 "accept *:283,"
793 "accept *:285,"
794 "accept *:287,"
795 "accept *:289,"
796 "accept *:291,"
797 "accept *:293,"
798 "accept *:295,"
799 "accept *:297,"
800 "accept *:299,"
801 "accept *:301,"
802 "accept *:303,"
803 "accept *:305,"
804 "accept *:307,"
805 "accept *:309,"
806 "accept *:311,"
807 "accept *:313,"
808 "accept *:315,"
809 "accept *:317,"
810 "accept *:319,"
811 "accept *:321,"
812 "accept *:323,"
813 "accept *:325,"
814 "accept *:327,"
815 "accept *:329,"
816 "accept *:331,"
817 "accept *:333,"
818 "accept *:335,"
819 "accept *:337,"
820 "accept *:339,"
821 "accept *:341,"
822 "accept *:343,"
823 "accept *:345,"
824 "accept *:347,"
825 "accept *:349,"
826 "accept *:351,"
827 "accept *:353,"
828 "accept *:355,"
829 "accept *:357,"
830 "accept *:359,"
831 "accept *:361,"
832 "accept *:363,"
833 "accept *:365,"
834 "accept *:367,"
835 "accept *:369,"
836 "accept *:371,"
837 "accept *:373,"
838 "accept *:375,"
839 "accept *:377,"
840 "accept *:379,"
841 "accept *:381,"
842 "accept *:383,"
843 "accept *:385,"
844 "accept *:387,"
845 "accept *:389,"
846 "accept *:391,"
847 "accept *:393,"
848 "accept *:395,"
849 "accept *:397,"
850 "accept *:399,"
851 "accept *:401,"
852 "accept *:403,"
853 "accept *:405,"
854 "accept *:407,"
855 "accept *:409,"
856 "accept *:411,"
857 "accept *:413,"
858 "accept *:415,"
859 "accept *:417,"
860 "accept *:419,"
861 "accept *:421,"
862 "accept *:423,"
863 "accept *:425,"
864 "accept *:427,"
865 "accept *:429,"
866 "accept *:431,"
867 "accept *:433,"
868 "accept *:435,"
869 "accept *:437,"
870 "accept *:439,"
871 "accept *:441,"
872 "accept *:443,"
873 "accept *:445,"
874 "accept *:447,"
875 "accept *:449,"
876 "accept *:451,"
877 "accept *:453,"
878 "accept *:455,"
879 "accept *:457,"
880 "accept *:459,"
881 "accept *:461,"
882 "accept *:463,"
883 "accept *:465,"
884 "accept *:467,"
885 "accept *:469,"
886 "accept *:471,"
887 "accept *:473,"
888 "accept *:475,"
889 "accept *:477,"
890 "accept *:479,"
891 "accept *:481,"
892 "accept *:483,"
893 "accept *:485,"
894 "accept *:487,"
895 "accept *:489,"
896 "accept *:491,"
897 "accept *:493,"
898 "accept *:495,"
899 "accept *:497,"
900 "accept *:499,"
901 "accept *:501,"
902 "accept *:503,"
903 "accept *:505,"
904 "accept *:507,"
905 "accept *:509,"
906 "accept *:511,"
907 "accept *:513,"
908 "accept *:515,"
909 "accept *:517,"
910 "accept *:519,"
911 "accept *:521,"
912 "accept *:523,"
913 "accept *:525,"
914 "accept *:527,"
915 "accept *:529,"
916 "reject *:*",
917 "accept 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,"
918 "31,33,35,37,39,41,43,45,47,49,51,53,55,57,59,61,"
919 "63,65,67,69,71,73,75,77,79,81,83,85,87,89,91,93,"
920 "95,97,99,101,103,105,107,109,111,113,115,117,"
921 "119,121,123,125,127,129,131,133,135,137,139,141,"
922 "143,145,147,149,151,153,155,157,159,161,163,165,"
923 "167,169,171,173,175,177,179,181,183,185,187,189,"
924 "191,193,195,197,199,201,203,205,207,209,211,213,"
925 "215,217,219,221,223,225,227,229,231,233,235,237,"
926 "239,241,243,245,247,249,251,253,255,257,259,261,"
927 "263,265,267,269,271,273,275,277,279,281,283,285,"
928 "287,289,291,293,295,297,299,301,303,305,307,309,"
929 "311,313,315,317,319,321,323,325,327,329,331,333,"
930 "335,337,339,341,343,345,347,349,351,353,355,357,"
931 "359,361,363,365,367,369,371,373,375,377,379,381,"
932 "383,385,387,389,391,393,395,397,399,401,403,405,"
933 "407,409,411,413,415,417,419,421,423,425,427,429,"
934 "431,433,435,437,439,441,443,445,447,449,451,453,"
935 "455,457,459,461,463,465,467,469,471,473,475,477,"
936 "479,481,483,485,487,489,491,493,495,497,499,501,"
937 "503,505,507,509,511,513,515,517,519,521,523");
938
939 /* Short policies with unrecognized formats should get accepted. */
940 test_short_policy_parse("accept fred,2,3-5", "accept 2,3-5");
941 test_short_policy_parse("accept 2,fred,3", "accept 2,3");
942 test_short_policy_parse("accept 2,fred,3,bob", "accept 2,3");
943 test_short_policy_parse("accept 2,-3,500-600", "accept 2,500-600");
944 /* Short policies with nil entries are accepted too. */
945 test_short_policy_parse("accept 1,,3", "accept 1,3");
946 test_short_policy_parse("accept 100-200,,", "accept 100-200");
947 test_short_policy_parse("reject ,1-10,,,,30-40", "reject 1-10,30-40");
948
949 /* Try parsing various broken short policies */
950 #define TT_BAD_SHORT_POLICY(s) \
951 do { \
952 tt_ptr_op(NULL, OP_EQ, (short_parsed = parse_short_policy((s)))); \
953 } while (0)
954 TT_BAD_SHORT_POLICY("accept 200-199");
955 TT_BAD_SHORT_POLICY("");
956 TT_BAD_SHORT_POLICY("rejekt 1,2,3");
957 TT_BAD_SHORT_POLICY("reject ");
958 TT_BAD_SHORT_POLICY("reject");
959 TT_BAD_SHORT_POLICY("rej");
960 TT_BAD_SHORT_POLICY("accept 2,3,100000");
961 TT_BAD_SHORT_POLICY("accept 2,3x,4");
962 TT_BAD_SHORT_POLICY("accept 2,3x,4");
963 TT_BAD_SHORT_POLICY("accept 2-");
964 TT_BAD_SHORT_POLICY("accept 2-x");
965 TT_BAD_SHORT_POLICY("accept 1-,3");
966 TT_BAD_SHORT_POLICY("accept 1-,3");
967
968 /* Make sure that IPv4 addresses are ignored in accept6/reject6 lines. */
969 p = router_parse_addr_policy_item_from_string("accept6 1.2.3.4:*", -1,
970 &malformed_list);
971 tt_ptr_op(p, OP_EQ, NULL);
972 tt_assert(!malformed_list);
973
974 p = router_parse_addr_policy_item_from_string("reject6 2.4.6.0/24:*", -1,
975 &malformed_list);
976 tt_ptr_op(p, OP_EQ, NULL);
977 tt_assert(!malformed_list);
978
979 p = router_parse_addr_policy_item_from_string("accept6 *4:*", -1,
980 &malformed_list);
981 tt_ptr_op(p, OP_EQ, NULL);
982 tt_assert(!malformed_list);
983
984 /* Make sure malformed policies are detected as such. */
985 p = router_parse_addr_policy_item_from_string("bad_token *4:*", -1,
986 &malformed_list);
987 tt_ptr_op(p, OP_EQ, NULL);
988 tt_assert(malformed_list);
989
990 p = router_parse_addr_policy_item_from_string("accept6 **:*", -1,
991 &malformed_list);
992 tt_ptr_op(p, OP_EQ, NULL);
993 tt_assert(malformed_list);
994
995 p = router_parse_addr_policy_item_from_string("accept */15:*", -1,
996 &malformed_list);
997 tt_ptr_op(p, OP_EQ, NULL);
998 tt_assert(malformed_list);
999
1000 p = router_parse_addr_policy_item_from_string("reject6 */:*", -1,
1001 &malformed_list);
1002 tt_ptr_op(p, OP_EQ, NULL);
1003 tt_assert(malformed_list);
1004
1005 p = router_parse_addr_policy_item_from_string("accept 127.0.0.1/33:*", -1,
1006 &malformed_list);
1007 tt_ptr_op(p, OP_EQ, NULL);
1008 tt_assert(malformed_list);
1009
1010 p = router_parse_addr_policy_item_from_string("accept6 [::1]/129:*", -1,
1011 &malformed_list);
1012 tt_ptr_op(p, OP_EQ, NULL);
1013 tt_assert(malformed_list);
1014
1015 p = router_parse_addr_policy_item_from_string("reject 8.8.8.8/-1:*", -1,
1016 &malformed_list);
1017 tt_ptr_op(p, OP_EQ, NULL);
1018 tt_assert(malformed_list);
1019
1020 p = router_parse_addr_policy_item_from_string("reject 8.8.4.4:10-5", -1,
1021 &malformed_list);
1022 tt_ptr_op(p, OP_EQ, NULL);
1023 tt_assert(malformed_list);
1024
1025 p = router_parse_addr_policy_item_from_string("reject 1.2.3.4:-1", -1,
1026 &malformed_list);
1027 tt_ptr_op(p, OP_EQ, NULL);
1028 tt_assert(malformed_list);
1029
1030 /* Test a too-long policy. */
1031 {
1032 char *policy_strng = NULL;
1033 smartlist_t *chunks = smartlist_new();
1034 smartlist_add_strdup(chunks, "accept ");
1035 for (i=1; i<10000; ++i)
1036 smartlist_add_asprintf(chunks, "%d,", i);
1037 smartlist_add_strdup(chunks, "20000");
1038 policy_strng = smartlist_join_strings(chunks, "", 0, NULL);
1039 SMARTLIST_FOREACH(chunks, char *, ch, tor_free(ch));
1040 smartlist_free(chunks);
1041 short_parsed = parse_short_policy(policy_strng);/* shouldn't be accepted */
1042 tor_free(policy_strng);
1043 tt_ptr_op(NULL, OP_EQ, short_parsed);
1044 }
1045
1046 /* truncation ports */
1047 sm = smartlist_new();
1048 for (i=1; i<2000; i+=2) {
1049 char buf[POLICY_BUF_LEN];
1050 tor_snprintf(buf, sizeof(buf), "reject *:%d", i);
1051 smartlist_add_strdup(sm, buf);
1052 }
1053 smartlist_add_strdup(sm, "accept *:*");
1054 policy_str = smartlist_join_strings(sm, ",", 0, NULL);
1055 test_policy_summary_helper( policy_str,
1056 "accept 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,"
1057 "46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78,80,82,84,86,88,90,"
1058 "92,94,96,98,100,102,104,106,108,110,112,114,116,118,120,122,124,126,128,"
1059 "130,132,134,136,138,140,142,144,146,148,150,152,154,156,158,160,162,164,"
1060 "166,168,170,172,174,176,178,180,182,184,186,188,190,192,194,196,198,200,"
1061 "202,204,206,208,210,212,214,216,218,220,222,224,226,228,230,232,234,236,"
1062 "238,240,242,244,246,248,250,252,254,256,258,260,262,264,266,268,270,272,"
1063 "274,276,278,280,282,284,286,288,290,292,294,296,298,300,302,304,306,308,"
1064 "310,312,314,316,318,320,322,324,326,328,330,332,334,336,338,340,342,344,"
1065 "346,348,350,352,354,356,358,360,362,364,366,368,370,372,374,376,378,380,"
1066 "382,384,386,388,390,392,394,396,398,400,402,404,406,408,410,412,414,416,"
1067 "418,420,422,424,426,428,430,432,434,436,438,440,442,444,446,448,450,452,"
1068 "454,456,458,460,462,464,466,468,470,472,474,476,478,480,482,484,486,488,"
1069 "490,492,494,496,498,500,502,504,506,508,510,512,514,516,518,520,522");
1070
1071 done:
1072 addr_policy_list_free(policy);
1073 addr_policy_list_free(policy2);
1074 addr_policy_list_free(policy3);
1075 addr_policy_list_free(policy4);
1076 addr_policy_list_free(policy5);
1077 addr_policy_list_free(policy6);
1078 addr_policy_list_free(policy7);
1079 addr_policy_list_free(policy8);
1080 addr_policy_list_free(policy9);
1081 addr_policy_list_free(policy10);
1082 addr_policy_list_free(policy11);
1083 addr_policy_list_free(policy12);
1084 tor_free(policy_str);
1085 if (sm) {
1086 SMARTLIST_FOREACH(sm, char *, s, tor_free(s));
1087 smartlist_free(sm);
1088 }
1089 short_policy_free(short_parsed);
1090 }
1091
1092 /** Helper: Check that policy_list contains address */
1093 static int
1094 test_policy_has_address_helper(const smartlist_t *policy_list,
1095 const tor_addr_t *addr)
1096 {
1097 int found = 0;
1098
1099 tt_assert(policy_list);
1100 tt_assert(addr);
1101
1102 SMARTLIST_FOREACH_BEGIN(policy_list, addr_policy_t*, p) {
1103 if (tor_addr_eq(&p->addr, addr)) {
1104 found = 1;
1105 }
1106 } SMARTLIST_FOREACH_END(p);
1107
1108 return found;
1109
1110 done:
1111 return 0;
1112 }
1113
1114 #define TEST_IPV4_ADDR (0x01020304)
1115 #define TEST_IPV6_ADDR ("2002::abcd")
1116
1117 /** Run unit tests for rejecting the configured addresses on this exit relay
1118 * using policies_parse_exit_policy_reject_private */
1119 static void
1120 test_policies_reject_exit_address(void *arg)
1121 {
1122 smartlist_t *policy = NULL;
1123 tor_addr_t ipv4_addr, ipv6_addr;
1124 smartlist_t *ipv4_list, *ipv6_list, *both_list, *dupl_list;
1125 (void)arg;
1126
1127 tor_addr_from_ipv4h(&ipv4_addr, TEST_IPV4_ADDR);
1128 tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR);
1129
1130 ipv4_list = smartlist_new();
1131 ipv6_list = smartlist_new();
1132 both_list = smartlist_new();
1133 dupl_list = smartlist_new();
1134
1135 smartlist_add(ipv4_list, &ipv4_addr);
1136 smartlist_add(both_list, &ipv4_addr);
1137 smartlist_add(dupl_list, &ipv4_addr);
1138 smartlist_add(dupl_list, &ipv4_addr);
1139 smartlist_add(dupl_list, &ipv4_addr);
1140
1141 smartlist_add(ipv6_list, &ipv6_addr);
1142 smartlist_add(both_list, &ipv6_addr);
1143 smartlist_add(dupl_list, &ipv6_addr);
1144 smartlist_add(dupl_list, &ipv6_addr);
1145
1146 /* IPv4-Only Exits */
1147
1148 /* test that IPv4 addresses are rejected on an IPv4-only exit */
1149 policies_parse_exit_policy_reject_private(&policy, 0, ipv4_list, 0, 0);
1150 tt_assert(policy);
1151 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1152 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1153 addr_policy_list_free(policy);
1154 policy = NULL;
1155
1156 /* test that IPv6 addresses are NOT rejected on an IPv4-only exit
1157 * (all IPv6 addresses are rejected by policies_parse_exit_policy_internal
1158 * on IPv4-only exits, so policies_parse_exit_policy_reject_private doesn't
1159 * need to do anything) */
1160 policies_parse_exit_policy_reject_private(&policy, 0, ipv6_list, 0, 0);
1161 tt_ptr_op(policy, OP_EQ, NULL);
1162
1163 /* test that only IPv4 addresses are rejected on an IPv4-only exit */
1164 policies_parse_exit_policy_reject_private(&policy, 0, both_list, 0, 0);
1165 tt_assert(policy);
1166 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1167 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1168 addr_policy_list_free(policy);
1169 policy = NULL;
1170
1171 /* Test that lists with duplicate entries produce the same results */
1172 policies_parse_exit_policy_reject_private(&policy, 0, dupl_list, 0, 0);
1173 tt_assert(policy);
1174 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1175 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1176 addr_policy_list_free(policy);
1177 policy = NULL;
1178
1179 /* IPv4/IPv6 Exits */
1180
1181 /* test that IPv4 addresses are rejected on an IPv4/IPv6 exit */
1182 policies_parse_exit_policy_reject_private(&policy, 1, ipv4_list, 0, 0);
1183 tt_assert(policy);
1184 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1185 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1186 addr_policy_list_free(policy);
1187 policy = NULL;
1188
1189 /* test that IPv6 addresses are rejected on an IPv4/IPv6 exit */
1190 policies_parse_exit_policy_reject_private(&policy, 1, ipv6_list, 0, 0);
1191 tt_assert(policy);
1192 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1193 tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
1194 addr_policy_list_free(policy);
1195 policy = NULL;
1196
1197 /* test that IPv4 and IPv6 addresses are rejected on an IPv4/IPv6 exit */
1198 policies_parse_exit_policy_reject_private(&policy, 1, both_list, 0, 0);
1199 tt_assert(policy);
1200 tt_int_op(smartlist_len(policy), OP_EQ, 2);
1201 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1202 tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
1203 addr_policy_list_free(policy);
1204 policy = NULL;
1205
1206 /* Test that lists with duplicate entries produce the same results */
1207 policies_parse_exit_policy_reject_private(&policy, 1, dupl_list, 0, 0);
1208 tt_assert(policy);
1209 tt_int_op(smartlist_len(policy), OP_EQ, 2);
1210 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1211 tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
1212 addr_policy_list_free(policy);
1213 policy = NULL;
1214
1215 done:
1216 addr_policy_list_free(policy);
1217 smartlist_free(ipv4_list);
1218 smartlist_free(ipv6_list);
1219 smartlist_free(both_list);
1220 smartlist_free(dupl_list);
1221 }
1222
1223 static smartlist_t *test_configured_ports = NULL;
1224
1225 /** Returns test_configured_ports */
1226 static const smartlist_t *
1227 mock_get_configured_ports(void)
1228 {
1229 return test_configured_ports;
1230 }
1231
1232 /** Run unit tests for rejecting publicly routable configured port addresses
1233 * on this exit relay using policies_parse_exit_policy_reject_private */
1234 static void
1235 test_policies_reject_port_address(void *arg)
1236 {
1237 smartlist_t *policy = NULL;
1238 port_cfg_t *ipv4_port = NULL;
1239 port_cfg_t *ipv6_port = NULL;
1240 (void)arg;
1241
1242 test_configured_ports = smartlist_new();
1243
1244 ipv4_port = port_cfg_new(0);
1245 tor_addr_from_ipv4h(&ipv4_port->addr, TEST_IPV4_ADDR);
1246 smartlist_add(test_configured_ports, ipv4_port);
1247
1248 ipv6_port = port_cfg_new(0);
1249 tor_addr_parse(&ipv6_port->addr, TEST_IPV6_ADDR);
1250 smartlist_add(test_configured_ports, ipv6_port);
1251
1252 MOCK(get_configured_ports, mock_get_configured_ports);
1253
1254 /* test that an IPv4 port is rejected on an IPv4-only exit, but an IPv6 port
1255 * is NOT rejected (all IPv6 addresses are rejected by
1256 * policies_parse_exit_policy_internal on IPv4-only exits, so
1257 * policies_parse_exit_policy_reject_private doesn't need to do anything
1258 * with IPv6 addresses on IPv4-only exits) */
1259 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 1);
1260 tt_assert(policy);
1261 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1262 tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr));
1263 addr_policy_list_free(policy);
1264 policy = NULL;
1265
1266 /* test that IPv4 and IPv6 ports are rejected on an IPv4/IPv6 exit */
1267 policies_parse_exit_policy_reject_private(&policy, 1, NULL, 0, 1);
1268 tt_assert(policy);
1269 tt_int_op(smartlist_len(policy), OP_EQ, 2);
1270 tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr));
1271 tt_assert(test_policy_has_address_helper(policy, &ipv6_port->addr));
1272 addr_policy_list_free(policy);
1273 policy = NULL;
1274
1275 done:
1276 addr_policy_list_free(policy);
1277 if (test_configured_ports) {
1278 SMARTLIST_FOREACH(test_configured_ports,
1279 port_cfg_t *, p, port_cfg_free(p));
1280 smartlist_free(test_configured_ports);
1281 test_configured_ports = NULL;
1282 }
1283 UNMOCK(get_configured_ports);
1284 }
1285
1286 static smartlist_t *mock_ipv4_addrs = NULL;
1287 static smartlist_t *mock_ipv6_addrs = NULL;
1288
1289 /* mock get_interface_address6_list, returning a deep copy of the template
1290 * address list ipv4_interface_address_list or ipv6_interface_address_list */
1291 static smartlist_t *
1292 mock_get_interface_address6_list(int severity,
1293 sa_family_t family,
1294 int include_internal)
1295 {
1296 (void)severity;
1297 (void)include_internal;
1298 smartlist_t *clone_list = smartlist_new();
1299 smartlist_t *template_list = NULL;
1300
1301 if (family == AF_INET) {
1302 template_list = mock_ipv4_addrs;
1303 } else if (family == AF_INET6) {
1304 template_list = mock_ipv6_addrs;
1305 } else {
1306 return NULL;
1307 }
1308
1309 tt_assert(template_list);
1310
1311 SMARTLIST_FOREACH_BEGIN(template_list, tor_addr_t *, src_addr) {
1312 tor_addr_t *dest_addr = tor_malloc(sizeof(tor_addr_t));
1313 memset(dest_addr, 0, sizeof(*dest_addr));
1314 tor_addr_copy_tight(dest_addr, src_addr);
1315 smartlist_add(clone_list, dest_addr);
1316 } SMARTLIST_FOREACH_END(src_addr);
1317
1318 return clone_list;
1319
1320 done:
1321 interface_address6_list_free(clone_list);
1322 return NULL;
1323 }
1324
1325 /** Run unit tests for rejecting publicly routable interface addresses on this
1326 * exit relay using policies_parse_exit_policy_reject_private */
1327 static void
1328 test_policies_reject_interface_address(void *arg)
1329 {
1330 smartlist_t *policy = NULL;
1331 smartlist_t *public_ipv4_addrs =
1332 get_interface_address6_list(LOG_INFO, AF_INET, 0);
1333 smartlist_t *public_ipv6_addrs =
1334 get_interface_address6_list(LOG_INFO, AF_INET6, 0);
1335 tor_addr_t ipv4_addr, ipv6_addr;
1336 (void)arg;
1337
1338 /* test that no addresses are rejected when none are supplied/requested */
1339 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 0);
1340 tt_ptr_op(policy, OP_EQ, NULL);
1341
1342 /* test that only IPv4 interface addresses are rejected on an IPv4-only exit
1343 * (and allow for duplicates)
1344 */
1345 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 1, 0);
1346 if (policy) {
1347 tt_assert(smartlist_len(policy) <= smartlist_len(public_ipv4_addrs));
1348 addr_policy_list_free(policy);
1349 policy = NULL;
1350 }
1351
1352 /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
1353 * exit (and allow for duplicates) */
1354 policies_parse_exit_policy_reject_private(&policy, 1, NULL, 1, 0);
1355 if (policy) {
1356 tt_assert(smartlist_len(policy) <= (smartlist_len(public_ipv4_addrs)
1357 + smartlist_len(public_ipv6_addrs)));
1358 addr_policy_list_free(policy);
1359 policy = NULL;
1360 }
1361
1362 /* Now do it all again, but mocked */
1363 tor_addr_from_ipv4h(&ipv4_addr, TEST_IPV4_ADDR);
1364 mock_ipv4_addrs = smartlist_new();
1365 smartlist_add(mock_ipv4_addrs, (void *)&ipv4_addr);
1366
1367 tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR);
1368 mock_ipv6_addrs = smartlist_new();
1369 smartlist_add(mock_ipv6_addrs, (void *)&ipv6_addr);
1370
1371 MOCK(get_interface_address6_list, mock_get_interface_address6_list);
1372
1373 /* test that no addresses are rejected when none are supplied/requested */
1374 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 0);
1375 tt_ptr_op(policy, OP_EQ, NULL);
1376
1377 /* test that only IPv4 interface addresses are rejected on an IPv4-only exit
1378 */
1379 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 1, 0);
1380 tt_assert(policy);
1381 tt_assert(smartlist_len(policy) == smartlist_len(mock_ipv4_addrs));
1382 addr_policy_list_free(policy);
1383 policy = NULL;
1384
1385 /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
1386 * exit */
1387 policies_parse_exit_policy_reject_private(&policy, 1, NULL, 1, 0);
1388 tt_assert(policy);
1389 tt_assert(smartlist_len(policy) == (smartlist_len(mock_ipv4_addrs)
1390 + smartlist_len(mock_ipv6_addrs)));
1391 addr_policy_list_free(policy);
1392 policy = NULL;
1393
1394 done:
1395 addr_policy_list_free(policy);
1396 interface_address6_list_free(public_ipv4_addrs);
1397 interface_address6_list_free(public_ipv6_addrs);
1398
1399 UNMOCK(get_interface_address6_list);
1400 /* we don't use interface_address6_list_free on these lists because their
1401 * address pointers are stack-based */
1402 smartlist_free(mock_ipv4_addrs);
1403 smartlist_free(mock_ipv6_addrs);
1404 }
1405
1406 #undef TEST_IPV4_ADDR
1407 #undef TEST_IPV6_ADDR
1408
1409 static void
1410 test_dump_exit_policy_to_string(void *arg)
1411 {
1412 char *ep;
1413 addr_policy_t *policy_entry;
1414 int malformed_list = -1;
1415
1416 routerinfo_t *ri = tor_malloc_zero(sizeof(routerinfo_t));
1417
1418 (void)arg;
1419
1420 ri->policy_is_reject_star = 1;
1421 ri->exit_policy = NULL; // expecting "reject *:*"
1422 ep = router_dump_exit_policy_to_string(ri,1,1);
1423
1424 tt_str_op("reject *:*",OP_EQ, ep);
1425
1426 tor_free(ep);
1427
1428 ri->exit_policy = smartlist_new();
1429 ri->policy_is_reject_star = 0;
1430
1431 policy_entry = router_parse_addr_policy_item_from_string("accept *:*", -1,
1432 &malformed_list);
1433
1434 smartlist_add(ri->exit_policy,policy_entry);
1435
1436 ep = router_dump_exit_policy_to_string(ri,1,1);
1437
1438 tt_str_op("accept *:*",OP_EQ, ep);
1439
1440 tor_free(ep);
1441
1442 policy_entry = router_parse_addr_policy_item_from_string("reject *:25", -1,
1443 &malformed_list);
1444
1445 smartlist_add(ri->exit_policy,policy_entry);
1446
1447 ep = router_dump_exit_policy_to_string(ri,1,1);
1448
1449 tt_str_op("accept *:*\nreject *:25",OP_EQ, ep);
1450
1451 tor_free(ep);
1452
1453 policy_entry =
1454 router_parse_addr_policy_item_from_string("reject 8.8.8.8:*", -1,
1455 &malformed_list);
1456
1457 smartlist_add(ri->exit_policy,policy_entry);
1458
1459 ep = router_dump_exit_policy_to_string(ri,1,1);
1460
1461 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*",OP_EQ, ep);
1462 tor_free(ep);
1463
1464 policy_entry =
1465 router_parse_addr_policy_item_from_string("reject6 [FC00::]/7:*", -1,
1466 &malformed_list);
1467
1468 smartlist_add(ri->exit_policy,policy_entry);
1469
1470 ep = router_dump_exit_policy_to_string(ri,1,1);
1471
1472 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
1473 "reject6 [fc00::]/7:*",OP_EQ, ep);
1474 tor_free(ep);
1475
1476 policy_entry =
1477 router_parse_addr_policy_item_from_string("accept6 [c000::]/3:*", -1,
1478 &malformed_list);
1479
1480 smartlist_add(ri->exit_policy,policy_entry);
1481
1482 ep = router_dump_exit_policy_to_string(ri,1,1);
1483
1484 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
1485 "reject6 [fc00::]/7:*\naccept6 [c000::]/3:*",OP_EQ, ep);
1486
1487 done:
1488
1489 if (ri->exit_policy) {
1490 SMARTLIST_FOREACH(ri->exit_policy, addr_policy_t *,
1491 entry, addr_policy_free(entry));
1492 smartlist_free(ri->exit_policy);
1493 }
1494 tor_free(ri);
1495 tor_free(ep);
1496 }
1497
1498 static routerinfo_t *mock_desc_routerinfo = NULL;
1499 static const routerinfo_t *
1500 mock_router_get_my_routerinfo(void)
1501 {
1502 return mock_desc_routerinfo;
1503 }
1504
1505 #define DEFAULT_POLICY_STRING "reject *:*"
1506 #define TEST_IPV4_ADDR (0x02040608)
1507 #define TEST_IPV6_ADDR ("2003::ef01")
1508
1509 static or_options_t mock_options;
1510
1511 static const or_options_t *
1512 mock_get_options(void)
1513 {
1514 return &mock_options;
1515 }
1516
1517 /** Run unit tests for generating summary lines of exit policies */
1518 static void
1519 test_policies_getinfo_helper_policies(void *arg)
1520 {
1521 (void)arg;
1522 int rv = 0;
1523 size_t ipv4_len = 0, ipv6_len = 0;
1524 char *answer = NULL;
1525 const char *errmsg = NULL;
1526 routerinfo_t mock_my_routerinfo;
1527
1528 memset(&mock_my_routerinfo, 0, sizeof(mock_my_routerinfo));
1529
1530 rv = getinfo_helper_policies(NULL, "exit-policy/default", &answer, &errmsg);
1531 tt_int_op(rv, OP_EQ, 0);
1532 tt_ptr_op(answer, OP_NE, NULL);
1533 tt_assert(strlen(answer) > 0);
1534 tor_free(answer);
1535
1536 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/default",
1537 &answer, &errmsg);
1538 tt_int_op(rv, OP_EQ, 0);
1539 tt_ptr_op(answer, OP_NE, NULL);
1540 tt_assert(strlen(answer) > 0);
1541 tor_free(answer);
1542
1543 memset(&mock_my_routerinfo, 0, sizeof(routerinfo_t));
1544 MOCK(router_get_my_routerinfo, mock_router_get_my_routerinfo);
1545 mock_my_routerinfo.exit_policy = smartlist_new();
1546 mock_desc_routerinfo = &mock_my_routerinfo;
1547
1548 memset(&mock_options, 0, sizeof(or_options_t));
1549 MOCK(get_options, mock_get_options);
1550
1551 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1552 &answer, &errmsg);
1553 tt_int_op(rv, OP_EQ, 0);
1554 tt_ptr_op(answer, OP_NE, NULL);
1555 tt_assert(strlen(answer) == 0);
1556 tor_free(answer);
1557
1558 rv = getinfo_helper_policies(NULL, "exit-policy/ipv4", &answer,
1559 &errmsg);
1560 tt_int_op(rv, OP_EQ, 0);
1561 tt_ptr_op(answer, OP_NE, NULL);
1562 ipv4_len = strlen(answer);
1563 tt_assert(ipv4_len == 0 || ipv4_len == strlen(DEFAULT_POLICY_STRING));
1564 tt_assert(ipv4_len == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
1565 tor_free(answer);
1566
1567 rv = getinfo_helper_policies(NULL, "exit-policy/ipv6", &answer,
1568 &errmsg);
1569 tt_int_op(rv, OP_EQ, 0);
1570 tt_ptr_op(answer, OP_NE, NULL);
1571 ipv6_len = strlen(answer);
1572 tt_assert(ipv6_len == 0 || ipv6_len == strlen(DEFAULT_POLICY_STRING));
1573 tt_assert(ipv6_len == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
1574 tor_free(answer);
1575
1576 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1577 &errmsg);
1578 tt_int_op(rv, OP_EQ, 0);
1579 tt_ptr_op(answer, OP_NE, NULL);
1580 /* It's either empty or it's the default */
1581 tt_assert(strlen(answer) == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
1582 tor_free(answer);
1583
1584 mock_my_routerinfo.addr = TEST_IPV4_ADDR;
1585 tor_addr_parse(&mock_my_routerinfo.ipv6_addr, TEST_IPV6_ADDR);
1586 append_exit_policy_string(&mock_my_routerinfo.exit_policy, "accept *4:*");
1587 append_exit_policy_string(&mock_my_routerinfo.exit_policy, "reject *6:*");
1588
1589 mock_options.IPv6Exit = 1;
1590 tor_addr_from_ipv4h(
1591 &mock_options.OutboundBindAddresses[OUTBOUND_ADDR_EXIT][0],
1592 TEST_IPV4_ADDR);
1593 tor_addr_parse(
1594 &mock_options.OutboundBindAddresses[OUTBOUND_ADDR_EXIT][1],
1595 TEST_IPV6_ADDR);
1596
1597 mock_options.ExitPolicyRejectPrivate = 1;
1598 mock_options.ExitPolicyRejectLocalInterfaces = 1;
1599
1600 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1601 &answer, &errmsg);
1602 tt_int_op(rv, OP_EQ, 0);
1603 tt_ptr_op(answer, OP_NE, NULL);
1604 tt_assert(strlen(answer) > 0);
1605 tor_free(answer);
1606
1607 mock_options.ExitPolicyRejectPrivate = 1;
1608 mock_options.ExitPolicyRejectLocalInterfaces = 0;
1609
1610 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1611 &answer, &errmsg);
1612 tt_int_op(rv, OP_EQ, 0);
1613 tt_ptr_op(answer, OP_NE, NULL);
1614 tt_assert(strlen(answer) > 0);
1615 tor_free(answer);
1616
1617 mock_options.ExitPolicyRejectPrivate = 0;
1618 mock_options.ExitPolicyRejectLocalInterfaces = 1;
1619
1620 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1621 &answer, &errmsg);
1622 tt_int_op(rv, OP_EQ, 0);
1623 tt_ptr_op(answer, OP_NE, NULL);
1624 tt_assert(strlen(answer) > 0);
1625 tor_free(answer);
1626
1627 mock_options.ExitPolicyRejectPrivate = 0;
1628 mock_options.ExitPolicyRejectLocalInterfaces = 0;
1629
1630 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1631 &answer, &errmsg);
1632 tt_int_op(rv, OP_EQ, 0);
1633 tt_ptr_op(answer, OP_NE, NULL);
1634 tt_assert(strlen(answer) == 0);
1635 tor_free(answer);
1636
1637 rv = getinfo_helper_policies(NULL, "exit-policy/ipv4", &answer,
1638 &errmsg);
1639 tt_int_op(rv, OP_EQ, 0);
1640 tt_ptr_op(answer, OP_NE, NULL);
1641 ipv4_len = strlen(answer);
1642 tt_assert(ipv4_len > 0);
1643 tor_free(answer);
1644
1645 rv = getinfo_helper_policies(NULL, "exit-policy/ipv6", &answer,
1646 &errmsg);
1647 tt_int_op(rv, OP_EQ, 0);
1648 tt_ptr_op(answer, OP_NE, NULL);
1649 ipv6_len = strlen(answer);
1650 tt_assert(ipv6_len > 0);
1651 tor_free(answer);
1652
1653 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1654 &errmsg);
1655 tt_int_op(rv, OP_EQ, 0);
1656 tt_ptr_op(answer, OP_NE, NULL);
1657 tt_assert(strlen(answer) > 0);
1658 tt_assert(strlen(answer) == ipv4_len + ipv6_len + 1);
1659 tor_free(answer);
1660
1661 done:
1662 tor_free(answer);
1663 UNMOCK(get_options);
1664 UNMOCK(router_get_my_routerinfo);
1665 addr_policy_list_free(mock_my_routerinfo.exit_policy);
1666 }
1667
1668 #undef DEFAULT_POLICY_STRING
1669 #undef TEST_IPV4_ADDR
1670 #undef TEST_IPV6_ADDR
1671
1672 #define TEST_IPV4_ADDR_STR "1.2.3.4"
1673 #define TEST_IPV6_ADDR_STR "[1002::4567]"
1674 #define REJECT_IPv4_FINAL_STR "reject 0.0.0.0/0:*"
1675 #define REJECT_IPv6_FINAL_STR "reject [::]/0:*"
1676
1677 #define OTHER_IPV4_ADDR_STR "6.7.8.9"
1678 #define OTHER_IPV6_ADDR_STR "[afff::]"
1679
1680 /** Run unit tests for fascist_firewall_allows_address */
1681 static void
1682 test_policies_fascist_firewall_allows_address(void *arg)
1683 {
1684 (void)arg;
1685 tor_addr_t ipv4_addr, ipv6_addr, r_ipv4_addr, r_ipv6_addr;
1686 tor_addr_t n_ipv4_addr, n_ipv6_addr;
1687 const uint16_t port = 1234;
1688 smartlist_t *policy = NULL;
1689 smartlist_t *e_policy = NULL;
1690 addr_policy_t *item = NULL;
1691 int malformed_list = 0;
1692
1693 /* Setup the options and the items in the policies */
1694 memset(&mock_options, 0, sizeof(or_options_t));
1695 MOCK(get_options, mock_get_options);
1696
1697 policy = smartlist_new();
1698 item = router_parse_addr_policy_item_from_string("accept "
1699 TEST_IPV4_ADDR_STR ":*",
1700 ADDR_POLICY_ACCEPT,
1701 &malformed_list);
1702 tt_assert(item);
1703 tt_assert(!malformed_list);
1704 smartlist_add(policy, item);
1705 item = router_parse_addr_policy_item_from_string("accept "
1706 TEST_IPV6_ADDR_STR,
1707 ADDR_POLICY_ACCEPT,
1708 &malformed_list);
1709 tt_assert(item);
1710 tt_assert(!malformed_list);
1711 smartlist_add(policy, item);
1712 /* Normally, policy_expand_unspec would do this for us */
1713 item = router_parse_addr_policy_item_from_string(REJECT_IPv4_FINAL_STR,
1714 ADDR_POLICY_ACCEPT,
1715 &malformed_list);
1716 tt_assert(item);
1717 tt_assert(!malformed_list);
1718 smartlist_add(policy, item);
1719 item = router_parse_addr_policy_item_from_string(REJECT_IPv6_FINAL_STR,
1720 ADDR_POLICY_ACCEPT,
1721 &malformed_list);
1722 tt_assert(item);
1723 tt_assert(!malformed_list);
1724 smartlist_add(policy, item);
1725 item = NULL;
1726
1727 e_policy = smartlist_new();
1728
1729 /*
1730 char *polstr = policy_dump_to_string(policy, 1, 1);
1731 printf("%s\n", polstr);
1732 tor_free(polstr);
1733 */
1734
1735 /* Parse the addresses */
1736 tor_addr_parse(&ipv4_addr, TEST_IPV4_ADDR_STR);
1737 tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR_STR);
1738 tor_addr_parse(&r_ipv4_addr, OTHER_IPV4_ADDR_STR);
1739 tor_addr_parse(&r_ipv6_addr, OTHER_IPV6_ADDR_STR);
1740 tor_addr_make_null(&n_ipv4_addr, AF_INET);
1741 tor_addr_make_null(&n_ipv6_addr, AF_INET6);
1742
1743 /* Test the function's address matching with IPv4 and IPv6 on */
1744 memset(&mock_options, 0, sizeof(or_options_t));
1745 mock_options.ClientUseIPv4 = 1;
1746 mock_options.ClientUseIPv6 = 1;
1747 mock_options.UseBridges = 0;
1748
1749 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
1750 OP_EQ, 1);
1751 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
1752 OP_EQ, 1);
1753 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
1754 OP_EQ, 0);
1755 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
1756 OP_EQ, 0);
1757
1758 /* Preferring IPv4 */
1759 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 0),
1760 OP_EQ, 1);
1761 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 0),
1762 OP_EQ, 0);
1763 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 0),
1764 OP_EQ, 0);
1765 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 0),
1766 OP_EQ, 0);
1767
1768 /* Preferring IPv6 */
1769 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 1),
1770 OP_EQ, 0);
1771 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 1),
1772 OP_EQ, 1);
1773 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 1),
1774 OP_EQ, 0);
1775 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 1),
1776 OP_EQ, 0);
1777
1778 /* Test the function's address matching with UseBridges on */
1779 memset(&mock_options, 0, sizeof(or_options_t));
1780 mock_options.ClientUseIPv4 = 1;
1781 mock_options.ClientUseIPv6 = 1;
1782 mock_options.UseBridges = 1;
1783
1784 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
1785 OP_EQ, 1);
1786 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
1787 OP_EQ, 1);
1788 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
1789 OP_EQ, 0);
1790 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
1791 OP_EQ, 0);
1792
1793 /* Preferring IPv4 */
1794 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 0),
1795 OP_EQ, 1);
1796 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 0),
1797 OP_EQ, 0);
1798 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 0),
1799 OP_EQ, 0);
1800 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 0),
1801 OP_EQ, 0);
1802
1803 /* Preferring IPv6 */
1804 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 1),
1805 OP_EQ, 0);
1806 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 1),
1807 OP_EQ, 1);
1808 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 1),
1809 OP_EQ, 0);
1810 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 1),
1811 OP_EQ, 0);
1812
1813 /* bridge clients always use IPv6, regardless of ClientUseIPv6 */
1814 mock_options.ClientUseIPv4 = 1;
1815 mock_options.ClientUseIPv6 = 0;
1816 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
1817 OP_EQ, 1);
1818 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
1819 OP_EQ, 1);
1820 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
1821 OP_EQ, 0);
1822 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
1823 OP_EQ, 0);
1824
1825 /* Test the function's address matching with IPv4 on */
1826 memset(&mock_options, 0, sizeof(or_options_t));
1827 mock_options.ClientUseIPv4 = 1;
1828 mock_options.ClientUseIPv6 = 0;
1829 mock_options.UseBridges = 0;
1830
1831 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
1832 OP_EQ, 1);
1833 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
1834 OP_EQ, 0);
1835 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
1836 OP_EQ, 0);
1837 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
1838 OP_EQ, 0);
1839
1840 /* Test the function's address matching with IPv6 on */
1841 memset(&mock_options, 0, sizeof(or_options_t));
1842 mock_options.ClientUseIPv4 = 0;
1843 mock_options.ClientUseIPv6 = 1;
1844 mock_options.UseBridges = 0;
1845
1846 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
1847 OP_EQ, 0);
1848 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
1849 OP_EQ, 1);
1850 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
1851 OP_EQ, 0);
1852 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
1853 OP_EQ, 0);
1854
1855 /* Test the function's address matching with ClientUseIPv4 0.
1856 * This means "use IPv6" regardless of the other settings. */
1857 memset(&mock_options, 0, sizeof(or_options_t));
1858 mock_options.ClientUseIPv4 = 0;
1859 mock_options.ClientUseIPv6 = 0;
1860 mock_options.UseBridges = 0;
1861
1862 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
1863 OP_EQ, 0);
1864 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
1865 OP_EQ, 1);
1866 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
1867 OP_EQ, 0);
1868 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
1869 OP_EQ, 0);
1870
1871 /* Test the function's address matching for unusual inputs */
1872 memset(&mock_options, 0, sizeof(or_options_t));
1873 mock_options.ClientUseIPv4 = 1;
1874 mock_options.ClientUseIPv6 = 1;
1875 mock_options.UseBridges = 1;
1876
1877 /* NULL and tor_addr_is_null addresses are rejected */
1878 tt_int_op(fascist_firewall_allows_address(NULL, port, policy, 0, 0), OP_EQ,
1879 0);
1880 tt_int_op(fascist_firewall_allows_address(&n_ipv4_addr, port, policy, 0, 0),
1881 OP_EQ, 0);
1882 tt_int_op(fascist_firewall_allows_address(&n_ipv6_addr, port, policy, 0, 0),
1883 OP_EQ, 0);
1884
1885 /* zero ports are rejected */
1886 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, 0, policy, 0, 0),
1887 OP_EQ, 0);
1888 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, 0, policy, 0, 0),
1889 OP_EQ, 0);
1890
1891 /* NULL and empty policies accept everything */
1892 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, NULL, 0, 0),
1893 OP_EQ, 1);
1894 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, NULL, 0, 0),
1895 OP_EQ, 1);
1896 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, e_policy, 0, 0),
1897 OP_EQ, 1);
1898 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, e_policy, 0, 0),
1899 OP_EQ, 1);
1900
1901 done:
1902 addr_policy_free(item);
1903 addr_policy_list_free(policy);
1904 addr_policy_list_free(e_policy);
1905 UNMOCK(get_options);
1906 }
1907
1908 #undef REJECT_IPv4_FINAL_STR
1909 #undef REJECT_IPv6_FINAL_STR
1910 #undef OTHER_IPV4_ADDR_STR
1911 #undef OTHER_IPV6_ADDR_STR
1912
1913 #define TEST_IPV4_OR_PORT 1234
1914 #define TEST_IPV4_DIR_PORT 2345
1915 #define TEST_IPV6_OR_PORT 61234
1916 #define TEST_IPV6_DIR_PORT 62345
1917
1918 /* Check that fascist_firewall_choose_address_rs() returns the expected
1919 * results. */
1920 #define CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \
1921 expect_ap) \
1922 STMT_BEGIN \
1923 tor_addr_port_t chosen_rs_ap; \
1924 tor_addr_make_null(&chosen_rs_ap.addr, AF_INET); \
1925 chosen_rs_ap.port = 0; \
1926 tt_int_op(fascist_firewall_choose_address_rs(&(fake_rs), \
1927 (fw_connection), \
1928 (pref_only), \
1929 &chosen_rs_ap), \
1930 OP_EQ, (expect_rv)); \
1931 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_rs_ap.addr)); \
1932 tt_int_op((expect_ap).port, OP_EQ, chosen_rs_ap.port); \
1933 STMT_END
1934
1935 /* Check that fascist_firewall_choose_address_node() returns the expected
1936 * results. */
1937 #define CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, \
1938 expect_rv, expect_ap) \
1939 STMT_BEGIN \
1940 tor_addr_port_t chosen_node_ap; \
1941 tor_addr_make_null(&chosen_node_ap.addr, AF_INET); \
1942 chosen_node_ap.port = 0; \
1943 tt_int_op(fascist_firewall_choose_address_node(&(fake_node), \
1944 (fw_connection), \
1945 (pref_only), \
1946 &chosen_node_ap), \
1947 OP_EQ, (expect_rv)); \
1948 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_node_ap.addr)); \
1949 tt_int_op((expect_ap).port, OP_EQ, chosen_node_ap.port); \
1950 STMT_END
1951
1952 /* Check that fascist_firewall_choose_address_rs and
1953 * fascist_firewall_choose_address_node() both return the expected results. */
1954 #define CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, fw_connection, pref_only, \
1955 expect_rv, expect_ap) \
1956 STMT_BEGIN \
1957 CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \
1958 expect_ap); \
1959 CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, expect_rv, \
1960 expect_ap); \
1961 STMT_END
1962
1963 /** Run unit tests for fascist_firewall_choose_address */
1964 static void
1965 test_policies_fascist_firewall_choose_address(void *arg)
1966 {
1967 (void)arg;
1968 tor_addr_port_t ipv4_or_ap, ipv4_dir_ap, ipv6_or_ap, ipv6_dir_ap;
1969 tor_addr_port_t n_ipv4_ap, n_ipv6_ap;
1970
1971 /* Setup the options */
1972 memset(&mock_options, 0, sizeof(or_options_t));
1973 MOCK(get_options, mock_get_options);
1974
1975 /* Parse the addresses */
1976 tor_addr_parse(&ipv4_or_ap.addr, TEST_IPV4_ADDR_STR);
1977 ipv4_or_ap.port = TEST_IPV4_OR_PORT;
1978 tor_addr_parse(&ipv4_dir_ap.addr, TEST_IPV4_ADDR_STR);
1979 ipv4_dir_ap.port = TEST_IPV4_DIR_PORT;
1980
1981 tor_addr_parse(&ipv6_or_ap.addr, TEST_IPV6_ADDR_STR);
1982 ipv6_or_ap.port = TEST_IPV6_OR_PORT;
1983 tor_addr_parse(&ipv6_dir_ap.addr, TEST_IPV6_ADDR_STR);
1984 ipv6_dir_ap.port = TEST_IPV6_DIR_PORT;
1985
1986 tor_addr_make_null(&n_ipv4_ap.addr, AF_INET);
1987 n_ipv4_ap.port = 0;
1988 tor_addr_make_null(&n_ipv6_ap.addr, AF_INET6);
1989 n_ipv6_ap.port = 0;
1990
1991 /* Sanity check fascist_firewall_choose_address with IPv4 and IPv6 on */
1992 memset(&mock_options, 0, sizeof(or_options_t));
1993 mock_options.ClientUseIPv4 = 1;
1994 mock_options.ClientUseIPv6 = 1;
1995 mock_options.UseBridges = 0;
1996
1997 /* Prefer IPv4 */
1998 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
1999 FIREWALL_OR_CONNECTION, 0, 0)
2000 == &ipv4_or_ap);
2001 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
2002 FIREWALL_OR_CONNECTION, 1, 0)
2003 == &ipv4_or_ap);
2004 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 1,
2005 FIREWALL_DIR_CONNECTION, 0, 0)
2006 == &ipv4_dir_ap);
2007 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 1,
2008 FIREWALL_DIR_CONNECTION, 1, 0)
2009 == &ipv4_dir_ap);
2010
2011 /* Prefer IPv6 */
2012 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
2013 FIREWALL_OR_CONNECTION, 0, 1)
2014 == &ipv6_or_ap);
2015 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
2016 FIREWALL_OR_CONNECTION, 1, 1)
2017 == &ipv6_or_ap);
2018 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 0,
2019 FIREWALL_DIR_CONNECTION, 0, 1)
2020 == &ipv6_dir_ap);
2021 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 0,
2022 FIREWALL_DIR_CONNECTION, 1, 1)
2023 == &ipv6_dir_ap);
2024
2025 /* Unusual inputs */
2026
2027 /* null preferred OR addresses */
2028 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &n_ipv6_ap, 0,
2029 FIREWALL_OR_CONNECTION, 0, 1)
2030 == &ipv4_or_ap);
2031 tt_assert(fascist_firewall_choose_address(&n_ipv4_ap, &ipv6_or_ap, 1,
2032 FIREWALL_OR_CONNECTION, 0, 0)
2033 == &ipv6_or_ap);
2034
2035 /* null both OR addresses */
2036 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 0,
2037 FIREWALL_OR_CONNECTION, 0, 1),
2038 OP_EQ, NULL);
2039 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 1,
2040 FIREWALL_OR_CONNECTION, 0, 0),
2041 OP_EQ, NULL);
2042
2043 /* null preferred Dir addresses */
2044 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &n_ipv6_ap, 0,
2045 FIREWALL_DIR_CONNECTION, 0, 1)
2046 == &ipv4_dir_ap);
2047 tt_assert(fascist_firewall_choose_address(&n_ipv4_ap, &ipv6_dir_ap, 1,
2048 FIREWALL_DIR_CONNECTION, 0, 0)
2049 == &ipv6_dir_ap);
2050
2051 /* null both Dir addresses */
2052 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 0,
2053 FIREWALL_DIR_CONNECTION, 0, 1),
2054 OP_EQ, NULL);
2055 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 1,
2056 FIREWALL_DIR_CONNECTION, 0, 0),
2057 OP_EQ, NULL);
2058
2059 /* Prefer IPv4 but want IPv6 (contradictory) */
2060 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
2061 FIREWALL_OR_CONNECTION, 0, 0)
2062 == &ipv4_or_ap);
2063 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
2064 FIREWALL_OR_CONNECTION, 1, 0)
2065 == &ipv4_or_ap);
2066
2067 /* Prefer IPv6 but want IPv4 (contradictory) */
2068 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
2069 FIREWALL_OR_CONNECTION, 0, 1)
2070 == &ipv6_or_ap);
2071 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
2072 FIREWALL_OR_CONNECTION, 1, 1)
2073 == &ipv6_or_ap);
2074
2075 /* Make a fake rs. There will be no corresponding node.
2076 * This is what happens when there's no consensus and we're bootstrapping
2077 * from authorities / fallbacks. */
2078 routerstatus_t fake_rs;
2079 memset(&fake_rs, 0, sizeof(routerstatus_t));
2080 /* In a routerstatus, the OR and Dir addresses are the same */
2081 fake_rs.addr = tor_addr_to_ipv4h(&ipv4_or_ap.addr);
2082 fake_rs.or_port = ipv4_or_ap.port;
2083 fake_rs.dir_port = ipv4_dir_ap.port;
2084
2085 tor_addr_copy(&fake_rs.ipv6_addr, &ipv6_or_ap.addr);
2086 fake_rs.ipv6_orport = ipv6_or_ap.port;
2087 /* In a routerstatus, the IPv4 and IPv6 DirPorts are the same.*/
2088 ipv6_dir_ap.port = TEST_IPV4_DIR_PORT;
2089
2090 /* Make a fake node. Even though it contains the fake_rs, a lookup won't
2091 * find the node from the rs, because they're not in the hash table. */
2092 node_t fake_node;
2093 memset(&fake_node, 0, sizeof(node_t));
2094 fake_node.rs = &fake_rs;
2095
2096 /* Choose an address with IPv4 and IPv6 on */
2097 memset(&mock_options, 0, sizeof(or_options_t));
2098 mock_options.ClientUseIPv4 = 1;
2099 mock_options.ClientUseIPv6 = 1;
2100 mock_options.UseBridges = 0;
2101
2102 /* Preferring IPv4 */
2103 mock_options.ClientPreferIPv6ORPort = 0;
2104 mock_options.ClientPreferIPv6DirPort = 0;
2105 /* Simulate the initialisation of fake_node.ipv6_preferred */
2106 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2107 &mock_options);
2108
2109 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2110 ipv4_or_ap);
2111 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2112 ipv4_or_ap);
2113 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2114 ipv4_dir_ap);
2115 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2116 ipv4_dir_ap);
2117
2118 /* Auto (Preferring IPv4) */
2119 mock_options.ClientPreferIPv6ORPort = -1;
2120 mock_options.ClientPreferIPv6DirPort = -1;
2121 /* Simulate the initialisation of fake_node.ipv6_preferred */
2122 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2123 &mock_options);
2124
2125 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2126 ipv4_or_ap);
2127 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2128 ipv4_or_ap);
2129 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2130 ipv4_dir_ap);
2131 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2132 ipv4_dir_ap);
2133
2134 /* Preferring IPv6 */
2135 mock_options.ClientPreferIPv6ORPort = 1;
2136 mock_options.ClientPreferIPv6DirPort = 1;
2137 /* Simulate the initialisation of fake_node.ipv6_preferred */
2138 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2139 &mock_options);
2140
2141 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2142 ipv6_or_ap);
2143 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2144 ipv6_or_ap);
2145 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2146 ipv6_dir_ap);
2147 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2148 ipv6_dir_ap);
2149
2150 /* Preferring IPv4 OR / IPv6 Dir */
2151 mock_options.ClientPreferIPv6ORPort = 0;
2152 mock_options.ClientPreferIPv6DirPort = 1;
2153 /* Simulate the initialisation of fake_node.ipv6_preferred */
2154 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2155 &mock_options);
2156
2157 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2158 ipv4_or_ap);
2159 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2160 ipv4_or_ap);
2161 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2162 ipv6_dir_ap);
2163 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2164 ipv6_dir_ap);
2165
2166 /* Preferring IPv6 OR / IPv4 Dir */
2167 mock_options.ClientPreferIPv6ORPort = 1;
2168 mock_options.ClientPreferIPv6DirPort = 0;
2169 /* Simulate the initialisation of fake_node.ipv6_preferred */
2170 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2171 &mock_options);
2172
2173 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2174 ipv6_or_ap);
2175 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2176 ipv6_or_ap);
2177 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2178 ipv4_dir_ap);
2179 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2180 ipv4_dir_ap);
2181
2182 /* Choose an address with UseBridges on */
2183 memset(&mock_options, 0, sizeof(or_options_t));
2184 mock_options.UseBridges = 1;
2185 mock_options.ClientUseIPv4 = 1;
2186 mock_options.ClientUseIPv6 = 1;
2187
2188 /* Preferring IPv4 */
2189 mock_options.ClientPreferIPv6ORPort = 0;
2190 mock_options.ClientPreferIPv6DirPort = 0;
2191 /* Simulate the initialisation of fake_node.ipv6_preferred */
2192 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2193 &mock_options);
2194
2195 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2196 ipv4_or_ap);
2197 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2198 ipv4_or_ap);
2199 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2200 ipv4_dir_ap);
2201 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2202 ipv4_dir_ap);
2203
2204 /* Auto:
2205 * - bridge clients prefer the configured bridge OR address from the node,
2206 * (the configured address family sets node.ipv6_preferred)
2207 * - other clients prefer IPv4 OR by default (see above),
2208 * - all clients, including bridge clients, prefer IPv4 Dir by default.
2209 */
2210 mock_options.ClientPreferIPv6ORPort = -1;
2211 mock_options.ClientPreferIPv6DirPort = -1;
2212
2213 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2214 * configured with an IPv4 address */
2215 fake_node.ipv6_preferred = 0;
2216 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2217 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2218 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2219 ipv4_dir_ap);
2220 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2221 ipv4_dir_ap);
2222
2223 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2224 * configured with an IPv6 address */
2225 fake_node.ipv6_preferred = 1;
2226 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv6_or_ap);
2227 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv6_or_ap);
2228 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2229 ipv4_dir_ap);
2230 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2231 ipv4_dir_ap);
2232
2233 /* When a rs has no node, it defaults to IPv4 under auto. */
2234 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2235 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2236 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 0, 1, ipv4_dir_ap);
2237 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 1, 1, ipv4_dir_ap);
2238
2239 /* Preferring IPv6 */
2240 mock_options.ClientPreferIPv6ORPort = 1;
2241 mock_options.ClientPreferIPv6DirPort = 1;
2242 /* Simulate the initialisation of fake_node.ipv6_preferred */
2243 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2244 &mock_options);
2245
2246 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2247 ipv6_or_ap);
2248 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2249 ipv6_or_ap);
2250 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2251 ipv6_dir_ap);
2252 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2253 ipv6_dir_ap);
2254
2255 /* In the default configuration (Auto / IPv6 off), bridge clients should
2256 * use both IPv4 and IPv6, but only prefer IPv6 for bridges configured with
2257 * an IPv6 address, regardless of ClientUseIPv6. (See above.) */
2258 mock_options.ClientUseIPv6 = 0;
2259 mock_options.ClientPreferIPv6ORPort = -1;
2260 mock_options.ClientPreferIPv6DirPort = -1;
2261 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2262 * configured with an IPv4 address */
2263 fake_node.ipv6_preferred = 0;
2264 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2265 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2266 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2267 ipv4_dir_ap);
2268 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2269 ipv4_dir_ap);
2270
2271 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2272 * configured with an IPv6 address */
2273 fake_node.ipv6_preferred = 1;
2274 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv6_or_ap);
2275 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv6_or_ap);
2276 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2277 ipv4_dir_ap);
2278 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2279 ipv4_dir_ap);
2280
2281 /* When a rs has no node, it defaults to IPv4 under auto. */
2282 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2283 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2284 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 0, 1, ipv4_dir_ap);
2285 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 1, 1, ipv4_dir_ap);
2286
2287 /* Choose an address with IPv4 on */
2288 memset(&mock_options, 0, sizeof(or_options_t));
2289 mock_options.ClientUseIPv4 = 1;
2290 mock_options.ClientUseIPv6 = 0;
2291 /* Simulate the initialisation of fake_node.ipv6_preferred */
2292 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2293 &mock_options);
2294
2295 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2296 ipv4_or_ap);
2297 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2298 ipv4_or_ap);
2299 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2300 ipv4_dir_ap);
2301 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2302 ipv4_dir_ap);
2303
2304 /* Choose an address with IPv6 on */
2305 memset(&mock_options, 0, sizeof(or_options_t));
2306 mock_options.ClientUseIPv4 = 0;
2307 mock_options.ClientUseIPv6 = 1;
2308 /* Simulate the initialisation of fake_node.ipv6_preferred */
2309 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2310 &mock_options);
2311
2312 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2313 ipv6_or_ap);
2314 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2315 ipv6_or_ap);
2316 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2317 ipv6_dir_ap);
2318 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2319 ipv6_dir_ap);
2320
2321 /* Choose an address with ClientUseIPv4 0.
2322 * This means "use IPv6" regardless of the other settings. */
2323 memset(&mock_options, 0, sizeof(or_options_t));
2324 mock_options.ClientUseIPv4 = 0;
2325 mock_options.ClientUseIPv6 = 0;
2326 /* Simulate the initialisation of fake_node.ipv6_preferred */
2327 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2328 &mock_options);
2329
2330 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2331 ipv6_or_ap);
2332 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2333 ipv6_or_ap);
2334 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2335 ipv6_dir_ap);
2336 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2337 ipv6_dir_ap);
2338
2339 /* Choose an address with ORPort_set 1 (server mode).
2340 * This means "use IPv4" regardless of the other settings. */
2341 memset(&mock_options, 0, sizeof(or_options_t));
2342 mock_options.ORPort_set = 1;
2343 mock_options.ClientUseIPv4 = 0;
2344 mock_options.ClientUseIPv6 = 1;
2345 mock_options.ClientPreferIPv6ORPort = 1;
2346 mock_options.ClientPreferIPv6DirPort = 1;
2347
2348 /* Simulate the initialisation of fake_node.ipv6_preferred */
2349 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2350 &mock_options);
2351
2352 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2353 ipv4_or_ap);
2354 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2355 ipv4_or_ap);
2356 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2357 ipv4_dir_ap);
2358 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2359 ipv4_dir_ap);
2360
2361 done:
2362 UNMOCK(get_options);
2363 }
2364
2365 #undef TEST_IPV4_ADDR_STR
2366 #undef TEST_IPV6_ADDR_STR
2367 #undef TEST_IPV4_OR_PORT
2368 #undef TEST_IPV4_DIR_PORT
2369 #undef TEST_IPV6_OR_PORT
2370 #undef TEST_IPV6_DIR_PORT
2371
2372 #undef CHECK_CHOSEN_ADDR_RS
2373 #undef CHECK_CHOSEN_ADDR_NODE
2374 #undef CHECK_CHOSEN_ADDR_RN
2375
2376 struct testcase_t policy_tests[] = {
2377 { "router_dump_exit_policy_to_string", test_dump_exit_policy_to_string, 0,
2378 NULL, NULL },
2379 { "general", test_policies_general, 0, NULL, NULL },
2380 { "getinfo_helper_policies", test_policies_getinfo_helper_policies, 0, NULL,
2381 NULL },
2382 { "reject_exit_address", test_policies_reject_exit_address, 0, NULL, NULL },
2383 { "reject_interface_address", test_policies_reject_interface_address, 0,
2384 NULL, NULL },
2385 { "reject_port_address", test_policies_reject_port_address, 0, NULL, NULL },
2386 { "fascist_firewall_allows_address",
2387 test_policies_fascist_firewall_allows_address, 0, NULL, NULL },
2388 { "fascist_firewall_choose_address",
2389 test_policies_fascist_firewall_choose_address, 0, NULL, NULL },
2390 END_OF_TESTCASES
2391 };
2392
The Onion Router