1 /* Copyright (c) 2013-2019, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
5 #define POLICIES_PRIVATE
7 #include "core/or/or.h"
8 #include "app/config/config.h"
9 #include "core/or/policies.h"
10 #include "feature/dirparse/policy_parse.h"
11 #include "feature/relay/router.h"
12 #include "lib/encoding/confline.h"
13 #include "test/test.h"
15 #include "core/or/addr_policy_st.h"
16 #include "core/or/port_cfg_st.h"
17 #include "feature/nodelist/node_st.h"
18 #include "feature/nodelist/routerinfo_st.h"
19 #include "feature/nodelist/routerstatus_st.h"
21 /* Helper: assert that short_policy parses and writes back out as itself,
22 or as <b>expected</b> if that's provided. */
24 test_short_policy_parse(const char *input
,
27 short_policy_t
*short_policy
= NULL
;
33 short_policy
= parse_short_policy(input
);
34 tt_assert(short_policy
);
35 out
= write_short_policy(short_policy
);
36 tt_str_op(out
, OP_EQ
, expected
);
40 short_policy_free(short_policy
);
43 /** Helper: Parse the exit policy string in <b>policy_str</b> with
44 * <b>options</b>, and make sure that policies_summarize() produces the string
45 * <b>expected_summary</b> from it when called with family. */
47 test_policy_summary_helper_family_flags(const char *policy_str
,
48 const char *expected_summary
,
50 exit_policy_parser_cfg_t options
)
53 smartlist_t
*policy
= smartlist_new();
55 char *summary_after
= NULL
;
57 short_policy_t
*short_policy
= NULL
;
60 line
.key
= (char*)"foo";
61 line
.value
= (char *)policy_str
;
64 r
= policies_parse_exit_policy(&line
, &policy
,
66 tt_int_op(r
,OP_EQ
, 0);
68 summary
= policy_summarize(policy
, family
);
70 tt_ptr_op(summary
, OP_NE
, NULL
);
71 tt_str_op(summary
,OP_EQ
, expected_summary
);
73 short_policy
= parse_short_policy(summary
);
74 tt_assert(short_policy
);
75 summary_after
= write_short_policy(short_policy
);
76 tt_str_op(summary
,OP_EQ
, summary_after
);
80 /* If we don't print the flags on failure, it's very hard to diagnose bugs */
82 TT_DECLARE("CTXT", ("\n IPv%d\n Options: %x\n Policy: %s",
83 family
== AF_INET
? 4 : 6, options
, policy_str
));
84 tor_free(summary_after
);
87 addr_policy_list_free(policy
);
88 short_policy_free(short_policy
);
91 /** Like test_policy_summary_helper_family_flags, but tries all the different
92 * flag combinations */
94 test_policy_summary_helper_family(const char *policy_str
,
95 const char *expected_summary
,
98 for (exit_policy_parser_cfg_t opt
= 0;
99 opt
<= EXIT_POLICY_OPTION_ALL
;
101 if (family
== AF_INET6
&& !(opt
& EXIT_POLICY_IPV6_ENABLED
))
102 /* Skip the test: IPv6 addresses need IPv6 enabled */
105 if (opt
& EXIT_POLICY_REJECT_LOCAL_INTERFACES
)
106 /* Skip the test: local interfaces are machine-specific */
109 test_policy_summary_helper_family_flags(policy_str
, expected_summary
,
114 /** Like test_policy_summary_helper_family, but uses expected_summary for
115 * both IPv4 and IPv6. */
117 test_policy_summary_helper(const char *policy_str
,
118 const char *expected_summary
)
120 test_policy_summary_helper_family(policy_str
, expected_summary
, AF_INET
);
121 test_policy_summary_helper_family(policy_str
, expected_summary
, AF_INET6
);
124 /** Like test_policy_summary_helper_family, but uses expected_summary4 for
125 * IPv4 and expected_summary6 for IPv6. */
127 test_policy_summary_helper6(const char *policy_str
,
128 const char *expected_summary4
,
129 const char *expected_summary6
)
131 test_policy_summary_helper_family(policy_str
, expected_summary4
, AF_INET
);
132 test_policy_summary_helper_family(policy_str
, expected_summary6
, AF_INET6
);
135 /** Run unit tests for generating summary lines of exit policies */
137 test_policies_general(void *arg
)
140 smartlist_t
*policy
= NULL
, *policy2
= NULL
, *policy3
= NULL
,
141 *policy4
= NULL
, *policy5
= NULL
, *policy6
= NULL
,
142 *policy7
= NULL
, *policy8
= NULL
, *policy9
= NULL
,
143 *policy10
= NULL
, *policy11
= NULL
, *policy12
= NULL
;
145 tor_addr_t tar
, tar2
;
146 smartlist_t
*addr_list
= NULL
;
148 smartlist_t
*sm
= NULL
;
149 char *policy_str
= NULL
;
150 short_policy_t
*short_parsed
= NULL
;
151 int malformed_list
= -1;
154 policy
= smartlist_new();
156 p
= router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*", -1,
158 tt_ptr_op(p
, OP_NE
, NULL
);
159 tt_int_op(ADDR_POLICY_REJECT
,OP_EQ
, p
->policy_type
);
160 tor_addr_from_ipv4h(&tar
, 0xc0a80000u
);
161 tt_int_op(0,OP_EQ
, tor_addr_compare(&p
->addr
, &tar
, CMP_EXACT
));
162 tt_int_op(16,OP_EQ
, p
->maskbits
);
163 tt_int_op(1,OP_EQ
, p
->prt_min
);
164 tt_int_op(65535,OP_EQ
, p
->prt_max
);
166 smartlist_add(policy
, p
);
168 tor_addr_from_ipv4h(&tar
, 0x01020304u
);
169 tt_assert(ADDR_POLICY_ACCEPTED
==
170 compare_tor_addr_to_addr_policy(&tar
, 2, policy
));
171 tor_addr_make_unspec(&tar
);
172 tt_assert(ADDR_POLICY_PROBABLY_ACCEPTED
==
173 compare_tor_addr_to_addr_policy(&tar
, 2, policy
));
174 tor_addr_from_ipv4h(&tar
, 0xc0a80102);
175 tt_assert(ADDR_POLICY_REJECTED
==
176 compare_tor_addr_to_addr_policy(&tar
, 2, policy
));
178 tt_int_op(0, OP_EQ
, policies_parse_exit_policy(NULL
, &policy2
,
179 EXIT_POLICY_IPV6_ENABLED
|
180 EXIT_POLICY_REJECT_PRIVATE
|
181 EXIT_POLICY_ADD_DEFAULT
, NULL
));
185 tor_addr_from_ipv4h(&tar
, 0x0306090cu
);
186 tor_addr_parse(&tar2
, "[2000::1234]");
187 addr_list
= smartlist_new();
188 smartlist_add(addr_list
, &tar
);
189 smartlist_add(addr_list
, &tar2
);
190 tt_int_op(0, OP_EQ
, policies_parse_exit_policy(NULL
, &policy12
,
191 EXIT_POLICY_IPV6_ENABLED
|
192 EXIT_POLICY_REJECT_PRIVATE
|
193 EXIT_POLICY_ADD_DEFAULT
,
195 smartlist_free(addr_list
);
200 policy3
= smartlist_new();
201 p
= router_parse_addr_policy_item_from_string("reject *:*", -1,
203 tt_ptr_op(p
, OP_NE
, NULL
);
204 smartlist_add(policy3
, p
);
205 p
= router_parse_addr_policy_item_from_string("accept *:*", -1,
207 tt_ptr_op(p
, OP_NE
, NULL
);
208 smartlist_add(policy3
, p
);
210 policy4
= smartlist_new();
211 p
= router_parse_addr_policy_item_from_string("accept *:443", -1,
213 tt_ptr_op(p
, OP_NE
, NULL
);
214 smartlist_add(policy4
, p
);
215 p
= router_parse_addr_policy_item_from_string("accept *:443", -1,
217 tt_ptr_op(p
, OP_NE
, NULL
);
218 smartlist_add(policy4
, p
);
220 policy5
= smartlist_new();
221 p
= router_parse_addr_policy_item_from_string("reject 0.0.0.0/8:*", -1,
223 tt_ptr_op(p
, OP_NE
, NULL
);
224 smartlist_add(policy5
, p
);
225 p
= router_parse_addr_policy_item_from_string("reject 169.254.0.0/16:*", -1,
227 tt_ptr_op(p
, OP_NE
, NULL
);
228 smartlist_add(policy5
, p
);
229 p
= router_parse_addr_policy_item_from_string("reject 127.0.0.0/8:*", -1,
231 tt_ptr_op(p
, OP_NE
, NULL
);
232 smartlist_add(policy5
, p
);
233 p
= router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*",
234 -1, &malformed_list
);
235 tt_ptr_op(p
, OP_NE
, NULL
);
236 smartlist_add(policy5
, p
);
237 p
= router_parse_addr_policy_item_from_string("reject 10.0.0.0/8:*", -1,
239 tt_ptr_op(p
, OP_NE
, NULL
);
240 smartlist_add(policy5
, p
);
241 p
= router_parse_addr_policy_item_from_string("reject 172.16.0.0/12:*", -1,
243 tt_ptr_op(p
, OP_NE
, NULL
);
244 smartlist_add(policy5
, p
);
245 p
= router_parse_addr_policy_item_from_string("reject 80.190.250.90:*", -1,
247 tt_ptr_op(p
, OP_NE
, NULL
);
248 smartlist_add(policy5
, p
);
249 p
= router_parse_addr_policy_item_from_string("reject *:1-65534", -1,
251 tt_ptr_op(p
, OP_NE
, NULL
);
252 smartlist_add(policy5
, p
);
253 p
= router_parse_addr_policy_item_from_string("reject *:65535", -1,
255 tt_ptr_op(p
, OP_NE
, NULL
);
256 smartlist_add(policy5
, p
);
257 p
= router_parse_addr_policy_item_from_string("accept *:1-65535", -1,
259 tt_ptr_op(p
, OP_NE
, NULL
);
260 smartlist_add(policy5
, p
);
262 policy6
= smartlist_new();
263 p
= router_parse_addr_policy_item_from_string("accept 43.3.0.0/9:*", -1,
265 tt_ptr_op(p
, OP_NE
, NULL
);
266 smartlist_add(policy6
, p
);
268 policy7
= smartlist_new();
269 p
= router_parse_addr_policy_item_from_string("accept 0.0.0.0/8:*", -1,
271 tt_ptr_op(p
, OP_NE
, NULL
);
272 smartlist_add(policy7
, p
);
274 tt_int_op(0, OP_EQ
, policies_parse_exit_policy(NULL
, &policy8
,
275 EXIT_POLICY_IPV6_ENABLED
|
276 EXIT_POLICY_REJECT_PRIVATE
|
277 EXIT_POLICY_ADD_DEFAULT
,
282 tt_int_op(0, OP_EQ
, policies_parse_exit_policy(NULL
, &policy9
,
283 EXIT_POLICY_REJECT_PRIVATE
|
284 EXIT_POLICY_ADD_DEFAULT
,
289 /* accept6 * and reject6 * produce IPv6 wildcards only */
290 policy10
= smartlist_new();
291 p
= router_parse_addr_policy_item_from_string("accept6 *:*", -1,
293 tt_ptr_op(p
, OP_NE
, NULL
);
294 smartlist_add(policy10
, p
);
296 policy11
= smartlist_new();
297 p
= router_parse_addr_policy_item_from_string("reject6 *:*", -1,
299 tt_ptr_op(p
, OP_NE
, NULL
);
300 smartlist_add(policy11
, p
);
302 tt_assert(!exit_policy_is_general_exit(policy
));
303 tt_assert(exit_policy_is_general_exit(policy2
));
304 tt_assert(!exit_policy_is_general_exit(NULL
));
305 tt_assert(!exit_policy_is_general_exit(policy3
));
306 tt_assert(!exit_policy_is_general_exit(policy4
));
307 tt_assert(!exit_policy_is_general_exit(policy5
));
308 tt_assert(!exit_policy_is_general_exit(policy6
));
309 tt_assert(!exit_policy_is_general_exit(policy7
));
310 tt_assert(exit_policy_is_general_exit(policy8
));
311 tt_assert(exit_policy_is_general_exit(policy9
));
312 tt_assert(!exit_policy_is_general_exit(policy10
));
313 tt_assert(!exit_policy_is_general_exit(policy11
));
315 tt_assert(!addr_policies_eq(policy
, policy2
));
316 tt_assert(!addr_policies_eq(policy
, NULL
));
317 tt_assert(addr_policies_eq(policy2
, policy2
));
318 tt_assert(addr_policies_eq(NULL
, NULL
));
320 tt_assert(!policy_is_reject_star(policy2
, AF_INET
, 1));
321 tt_assert(policy_is_reject_star(policy
, AF_INET
, 1));
322 tt_assert(policy_is_reject_star(policy10
, AF_INET
, 1));
323 tt_assert(!policy_is_reject_star(policy10
, AF_INET6
, 1));
324 tt_assert(policy_is_reject_star(policy11
, AF_INET
, 1));
325 tt_assert(policy_is_reject_star(policy11
, AF_INET6
, 1));
326 tt_assert(policy_is_reject_star(NULL
, AF_INET
, 1));
327 tt_assert(policy_is_reject_star(NULL
, AF_INET6
, 1));
328 tt_assert(!policy_is_reject_star(NULL
, AF_INET
, 0));
329 tt_assert(!policy_is_reject_star(NULL
, AF_INET6
, 0));
331 addr_policy_list_free(policy
);
334 /* make sure assume_action works */
336 p
= router_parse_addr_policy_item_from_string("127.0.0.1",
341 tt_assert(!malformed_list
);
343 p
= router_parse_addr_policy_item_from_string("127.0.0.1:*",
348 tt_assert(!malformed_list
);
350 p
= router_parse_addr_policy_item_from_string("[::]",
355 tt_assert(!malformed_list
);
357 p
= router_parse_addr_policy_item_from_string("[::]:*",
362 tt_assert(!malformed_list
);
364 p
= router_parse_addr_policy_item_from_string("[face::b]",
369 tt_assert(!malformed_list
);
371 p
= router_parse_addr_policy_item_from_string("[b::aaaa]",
376 tt_assert(!malformed_list
);
378 p
= router_parse_addr_policy_item_from_string("*",
383 tt_assert(!malformed_list
);
385 p
= router_parse_addr_policy_item_from_string("*4",
390 tt_assert(!malformed_list
);
392 p
= router_parse_addr_policy_item_from_string("*6",
397 tt_assert(!malformed_list
);
399 /* These are all ambiguous IPv6 addresses, it's good that we reject them */
400 p
= router_parse_addr_policy_item_from_string("acce::abcd",
403 tt_ptr_op(p
, OP_EQ
, NULL
);
404 tt_assert(malformed_list
);
407 p
= router_parse_addr_policy_item_from_string("7:1234",
410 tt_ptr_op(p
, OP_EQ
, NULL
);
411 tt_assert(malformed_list
);
414 p
= router_parse_addr_policy_item_from_string("::",
417 tt_ptr_op(p
, OP_EQ
, NULL
);
418 tt_assert(malformed_list
);
421 /* make sure compacting logic works. */
423 line
.key
= (char*)"foo";
424 line
.value
= (char*)"accept *:80,reject private:*,reject *:*";
426 tt_int_op(0, OP_EQ
, policies_parse_exit_policy(&line
,&policy
,
427 EXIT_POLICY_IPV6_ENABLED
|
428 EXIT_POLICY_ADD_DEFAULT
, NULL
));
431 //test_streq(policy->string, "accept *:80");
432 //test_streq(policy->next->string, "reject *:*");
433 tt_int_op(smartlist_len(policy
),OP_EQ
, 4);
435 /* test policy summaries */
436 /* check if we properly ignore private IP addresses */
437 test_policy_summary_helper("reject 192.168.0.0/16:*,"
438 "reject 0.0.0.0/8:*,"
439 "reject 10.0.0.0/8:*,"
444 /* check all accept policies, and proper counting of rejects */
445 test_policy_summary_helper("reject 11.0.0.0/9:80,"
446 "reject 12.0.0.0/9:80,"
447 "reject 13.0.0.0/9:80,"
448 "reject 14.0.0.0/9:80,"
449 "accept *:*", "accept 1-65535");
450 test_policy_summary_helper("reject 11.0.0.0/9:80,"
451 "reject 12.0.0.0/9:80,"
452 "reject 13.0.0.0/9:80,"
453 "reject 14.0.0.0/9:80,"
454 "reject 15.0.0.0:81,"
455 "accept *:*", "accept 1-65535");
456 test_policy_summary_helper6("reject 11.0.0.0/9:80,"
457 "reject 12.0.0.0/9:80,"
458 "reject 13.0.0.0/9:80,"
459 "reject 14.0.0.0/9:80,"
460 "reject 15.0.0.0:80,"
465 test_policy_summary_helper("accept 11.0.0.0/9:80,"
469 test_policy_summary_helper("accept *:80,"
474 "accept 80-81,100-111");
476 test_policy_summary_helper("accept *:1,"
482 test_policy_summary_helper("accept *:1,"
488 test_policy_summary_helper("reject *:1,"
495 /* standard long policy on many exits */
496 test_policy_summary_helper("accept *:20-23,"
530 "accept *:2086-2087,"
531 "accept *:2095-2096,"
532 "accept *:2102-2104,"
540 "accept *:5222-5223,"
543 "accept *:6660-6669,"
550 "accept *:8087-8088,"
551 "accept *:8332-8333,"
565 "accept 20-23,43,53,79-81,88,110,143,194,220,389,"
566 "443,464,531,543-544,554,563,636,706,749,873,"
567 "902-904,981,989-995,1194,1220,1293,1500,1533,"
568 "1677,1723,1755,1863,2082-2083,2086-2087,"
569 "2095-2096,2102-2104,3128,3389,3690,4321,4643,"
570 "5050,5190,5222-5223,5228,5900,6660-6669,6679,"
571 "6697,8000,8008,8074,8080,8087-8088,8332-8333,"
572 "8443,8888,9418,9999-10000,11371,12350,19294,"
573 "19638,23456,33033,64738");
574 /* short policy with configured addresses */
575 test_policy_summary_helper("reject 149.56.1.1:*,"
576 "reject [2607:5300:1:1::1:0]:*,"
581 /* short policy with configured and local interface addresses */
582 test_policy_summary_helper("reject 149.56.1.0:*,"
583 "reject 149.56.1.1:*,"
584 "reject 149.56.1.2:*,"
585 "reject 149.56.1.3:*,"
586 "reject 149.56.1.4:*,"
587 "reject 149.56.1.5:*,"
588 "reject 149.56.1.6:*,"
589 "reject 149.56.1.7:*,"
590 "reject [2607:5300:1:1::1:0]:*,"
591 "reject [2607:5300:1:1::1:1]:*,"
592 "reject [2607:5300:1:1::1:2]:*,"
593 "reject [2607:5300:1:1::1:3]:*,"
594 "reject [2607:5300:1:1::2:0]:*,"
595 "reject [2607:5300:1:1::2:1]:*,"
596 "reject [2607:5300:1:1::2:2]:*,"
597 "reject [2607:5300:1:1::2:3]:*,"
602 /* short policy with configured netblocks */
603 test_policy_summary_helper("reject 149.56.0.0/16,"
604 "reject6 2607:5300::/32,"
605 "reject6 2608:5300::/64,"
606 "reject6 2609:5300::/96,"
611 /* short policy with large netblocks that do not count as a rejection */
612 test_policy_summary_helper("reject 148.0.0.0/7,"
618 /* short policy with large netblocks that count as a rejection */
619 test_policy_summary_helper("reject 148.0.0.0/6,"
625 /* short policy with huge netblocks that count as a rejection */
626 test_policy_summary_helper("reject 128.0.0.0/1,"
632 /* short policy which blocks everything using netblocks */
633 test_policy_summary_helper("reject 0.0.0.0/0,"
639 /* short policy which has repeated redundant netblocks */
640 test_policy_summary_helper("reject 0.0.0.0/0,"
655 /* longest possible policy
656 * (1-2,4-5,... is longer, but gets reduced to 3,6,... )
657 * Going all the way to 65535 is incredibly slow, so we just go slightly
658 * more than the expected length */
659 test_policy_summary_helper("accept *:1,"
925 "accept 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,"
926 "31,33,35,37,39,41,43,45,47,49,51,53,55,57,59,61,"
927 "63,65,67,69,71,73,75,77,79,81,83,85,87,89,91,93,"
928 "95,97,99,101,103,105,107,109,111,113,115,117,"
929 "119,121,123,125,127,129,131,133,135,137,139,141,"
930 "143,145,147,149,151,153,155,157,159,161,163,165,"
931 "167,169,171,173,175,177,179,181,183,185,187,189,"
932 "191,193,195,197,199,201,203,205,207,209,211,213,"
933 "215,217,219,221,223,225,227,229,231,233,235,237,"
934 "239,241,243,245,247,249,251,253,255,257,259,261,"
935 "263,265,267,269,271,273,275,277,279,281,283,285,"
936 "287,289,291,293,295,297,299,301,303,305,307,309,"
937 "311,313,315,317,319,321,323,325,327,329,331,333,"
938 "335,337,339,341,343,345,347,349,351,353,355,357,"
939 "359,361,363,365,367,369,371,373,375,377,379,381,"
940 "383,385,387,389,391,393,395,397,399,401,403,405,"
941 "407,409,411,413,415,417,419,421,423,425,427,429,"
942 "431,433,435,437,439,441,443,445,447,449,451,453,"
943 "455,457,459,461,463,465,467,469,471,473,475,477,"
944 "479,481,483,485,487,489,491,493,495,497,499,501,"
945 "503,505,507,509,511,513,515,517,519,521,523");
947 /* Short policies with unrecognized formats should get accepted. */
948 test_short_policy_parse("accept fred,2,3-5", "accept 2,3-5");
949 test_short_policy_parse("accept 2,fred,3", "accept 2,3");
950 test_short_policy_parse("accept 2,fred,3,bob", "accept 2,3");
951 test_short_policy_parse("accept 2,-3,500-600", "accept 2,500-600");
952 /* Short policies with nil entries are accepted too. */
953 test_short_policy_parse("accept 1,,3", "accept 1,3");
954 test_short_policy_parse("accept 100-200,,", "accept 100-200");
955 test_short_policy_parse("reject ,1-10,,,,30-40", "reject 1-10,30-40");
957 /* Try parsing various broken short policies */
958 #define TT_BAD_SHORT_POLICY(s) \
960 tt_ptr_op(NULL, OP_EQ, (short_parsed = parse_short_policy((s)))); \
962 TT_BAD_SHORT_POLICY("accept 200-199");
963 TT_BAD_SHORT_POLICY("");
964 TT_BAD_SHORT_POLICY("rejekt 1,2,3");
965 TT_BAD_SHORT_POLICY("reject ");
966 TT_BAD_SHORT_POLICY("reject");
967 TT_BAD_SHORT_POLICY("rej");
968 TT_BAD_SHORT_POLICY("accept 2,3,100000");
969 TT_BAD_SHORT_POLICY("accept 2,3x,4");
970 TT_BAD_SHORT_POLICY("accept 2,3x,4");
971 TT_BAD_SHORT_POLICY("accept 2-");
972 TT_BAD_SHORT_POLICY("accept 2-x");
973 TT_BAD_SHORT_POLICY("accept 1-,3");
974 TT_BAD_SHORT_POLICY("accept 1-,3");
976 /* Make sure that IPv4 addresses are ignored in accept6/reject6 lines. */
977 p
= router_parse_addr_policy_item_from_string("accept6 1.2.3.4:*", -1,
979 tt_ptr_op(p
, OP_EQ
, NULL
);
980 tt_assert(!malformed_list
);
982 p
= router_parse_addr_policy_item_from_string("reject6 2.4.6.0/24:*", -1,
984 tt_ptr_op(p
, OP_EQ
, NULL
);
985 tt_assert(!malformed_list
);
987 p
= router_parse_addr_policy_item_from_string("accept6 *4:*", -1,
989 tt_ptr_op(p
, OP_EQ
, NULL
);
990 tt_assert(!malformed_list
);
992 /* Make sure malformed policies are detected as such. */
993 p
= router_parse_addr_policy_item_from_string("bad_token *4:*", -1,
995 tt_ptr_op(p
, OP_EQ
, NULL
);
996 tt_assert(malformed_list
);
998 p
= router_parse_addr_policy_item_from_string("accept6 **:*", -1,
1000 tt_ptr_op(p
, OP_EQ
, NULL
);
1001 tt_assert(malformed_list
);
1003 p
= router_parse_addr_policy_item_from_string("accept */15:*", -1,
1005 tt_ptr_op(p
, OP_EQ
, NULL
);
1006 tt_assert(malformed_list
);
1008 p
= router_parse_addr_policy_item_from_string("reject6 */:*", -1,
1010 tt_ptr_op(p
, OP_EQ
, NULL
);
1011 tt_assert(malformed_list
);
1013 p
= router_parse_addr_policy_item_from_string("accept 127.0.0.1/33:*", -1,
1015 tt_ptr_op(p
, OP_EQ
, NULL
);
1016 tt_assert(malformed_list
);
1018 p
= router_parse_addr_policy_item_from_string("accept6 [::1]/129:*", -1,
1020 tt_ptr_op(p
, OP_EQ
, NULL
);
1021 tt_assert(malformed_list
);
1023 p
= router_parse_addr_policy_item_from_string("reject 8.8.8.8/-1:*", -1,
1025 tt_ptr_op(p
, OP_EQ
, NULL
);
1026 tt_assert(malformed_list
);
1028 p
= router_parse_addr_policy_item_from_string("reject 8.8.4.4:10-5", -1,
1030 tt_ptr_op(p
, OP_EQ
, NULL
);
1031 tt_assert(malformed_list
);
1033 p
= router_parse_addr_policy_item_from_string("reject 1.2.3.4:-1", -1,
1035 tt_ptr_op(p
, OP_EQ
, NULL
);
1036 tt_assert(malformed_list
);
1038 /* Test a too-long policy. */
1040 char *policy_strng
= NULL
;
1041 smartlist_t
*chunks
= smartlist_new();
1042 smartlist_add_strdup(chunks
, "accept ");
1043 for (i
=1; i
<10000; ++i
)
1044 smartlist_add_asprintf(chunks
, "%d,", i
);
1045 smartlist_add_strdup(chunks
, "20000");
1046 policy_strng
= smartlist_join_strings(chunks
, "", 0, NULL
);
1047 SMARTLIST_FOREACH(chunks
, char *, ch
, tor_free(ch
));
1048 smartlist_free(chunks
);
1049 short_parsed
= parse_short_policy(policy_strng
);/* shouldn't be accepted */
1050 tor_free(policy_strng
);
1051 tt_ptr_op(NULL
, OP_EQ
, short_parsed
);
1054 /* truncation ports */
1055 sm
= smartlist_new();
1056 for (i
=1; i
<2000; i
+=2) {
1057 char buf
[POLICY_BUF_LEN
];
1058 tor_snprintf(buf
, sizeof(buf
), "reject *:%d", i
);
1059 smartlist_add_strdup(sm
, buf
);
1061 smartlist_add_strdup(sm
, "accept *:*");
1062 policy_str
= smartlist_join_strings(sm
, ",", 0, NULL
);
1063 test_policy_summary_helper( policy_str
,
1064 "accept 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,"
1065 "46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78,80,82,84,86,88,90,"
1066 "92,94,96,98,100,102,104,106,108,110,112,114,116,118,120,122,124,126,128,"
1067 "130,132,134,136,138,140,142,144,146,148,150,152,154,156,158,160,162,164,"
1068 "166,168,170,172,174,176,178,180,182,184,186,188,190,192,194,196,198,200,"
1069 "202,204,206,208,210,212,214,216,218,220,222,224,226,228,230,232,234,236,"
1070 "238,240,242,244,246,248,250,252,254,256,258,260,262,264,266,268,270,272,"
1071 "274,276,278,280,282,284,286,288,290,292,294,296,298,300,302,304,306,308,"
1072 "310,312,314,316,318,320,322,324,326,328,330,332,334,336,338,340,342,344,"
1073 "346,348,350,352,354,356,358,360,362,364,366,368,370,372,374,376,378,380,"
1074 "382,384,386,388,390,392,394,396,398,400,402,404,406,408,410,412,414,416,"
1075 "418,420,422,424,426,428,430,432,434,436,438,440,442,444,446,448,450,452,"
1076 "454,456,458,460,462,464,466,468,470,472,474,476,478,480,482,484,486,488,"
1077 "490,492,494,496,498,500,502,504,506,508,510,512,514,516,518,520,522");
1080 addr_policy_list_free(policy
);
1081 addr_policy_list_free(policy2
);
1082 addr_policy_list_free(policy3
);
1083 addr_policy_list_free(policy4
);
1084 addr_policy_list_free(policy5
);
1085 addr_policy_list_free(policy6
);
1086 addr_policy_list_free(policy7
);
1087 addr_policy_list_free(policy8
);
1088 addr_policy_list_free(policy9
);
1089 addr_policy_list_free(policy10
);
1090 addr_policy_list_free(policy11
);
1091 addr_policy_list_free(policy12
);
1092 tor_free(policy_str
);
1094 SMARTLIST_FOREACH(sm
, char *, s
, tor_free(s
));
1097 short_policy_free(short_parsed
);
1100 /** Helper: Check that policy_list contains address */
1102 test_policy_has_address_helper(const smartlist_t
*policy_list
,
1103 const tor_addr_t
*addr
)
1107 tt_assert(policy_list
);
1110 SMARTLIST_FOREACH_BEGIN(policy_list
, addr_policy_t
*, p
) {
1111 if (tor_addr_eq(&p
->addr
, addr
)) {
1114 } SMARTLIST_FOREACH_END(p
);
1122 #define TEST_IPV4_ADDR (0x01020304)
1123 #define TEST_IPV6_ADDR ("2002::abcd")
1125 /** Run unit tests for rejecting the configured addresses on this exit relay
1126 * using policies_parse_exit_policy_reject_private */
1128 test_policies_reject_exit_address(void *arg
)
1130 smartlist_t
*policy
= NULL
;
1131 tor_addr_t ipv4_addr
, ipv6_addr
;
1132 smartlist_t
*ipv4_list
, *ipv6_list
, *both_list
, *dupl_list
;
1135 tor_addr_from_ipv4h(&ipv4_addr
, TEST_IPV4_ADDR
);
1136 tor_addr_parse(&ipv6_addr
, TEST_IPV6_ADDR
);
1138 ipv4_list
= smartlist_new();
1139 ipv6_list
= smartlist_new();
1140 both_list
= smartlist_new();
1141 dupl_list
= smartlist_new();
1143 smartlist_add(ipv4_list
, &ipv4_addr
);
1144 smartlist_add(both_list
, &ipv4_addr
);
1145 smartlist_add(dupl_list
, &ipv4_addr
);
1146 smartlist_add(dupl_list
, &ipv4_addr
);
1147 smartlist_add(dupl_list
, &ipv4_addr
);
1149 smartlist_add(ipv6_list
, &ipv6_addr
);
1150 smartlist_add(both_list
, &ipv6_addr
);
1151 smartlist_add(dupl_list
, &ipv6_addr
);
1152 smartlist_add(dupl_list
, &ipv6_addr
);
1154 /* IPv4-Only Exits */
1156 /* test that IPv4 addresses are rejected on an IPv4-only exit */
1157 policies_parse_exit_policy_reject_private(&policy
, 0, ipv4_list
, 0, 0);
1159 tt_int_op(smartlist_len(policy
), OP_EQ
, 1);
1160 tt_assert(test_policy_has_address_helper(policy
, &ipv4_addr
));
1161 addr_policy_list_free(policy
);
1164 /* test that IPv6 addresses are NOT rejected on an IPv4-only exit
1165 * (all IPv6 addresses are rejected by policies_parse_exit_policy_internal
1166 * on IPv4-only exits, so policies_parse_exit_policy_reject_private doesn't
1167 * need to do anything) */
1168 policies_parse_exit_policy_reject_private(&policy
, 0, ipv6_list
, 0, 0);
1169 tt_ptr_op(policy
, OP_EQ
, NULL
);
1171 /* test that only IPv4 addresses are rejected on an IPv4-only exit */
1172 policies_parse_exit_policy_reject_private(&policy
, 0, both_list
, 0, 0);
1174 tt_int_op(smartlist_len(policy
), OP_EQ
, 1);
1175 tt_assert(test_policy_has_address_helper(policy
, &ipv4_addr
));
1176 addr_policy_list_free(policy
);
1179 /* Test that lists with duplicate entries produce the same results */
1180 policies_parse_exit_policy_reject_private(&policy
, 0, dupl_list
, 0, 0);
1182 tt_int_op(smartlist_len(policy
), OP_EQ
, 1);
1183 tt_assert(test_policy_has_address_helper(policy
, &ipv4_addr
));
1184 addr_policy_list_free(policy
);
1187 /* IPv4/IPv6 Exits */
1189 /* test that IPv4 addresses are rejected on an IPv4/IPv6 exit */
1190 policies_parse_exit_policy_reject_private(&policy
, 1, ipv4_list
, 0, 0);
1192 tt_int_op(smartlist_len(policy
), OP_EQ
, 1);
1193 tt_assert(test_policy_has_address_helper(policy
, &ipv4_addr
));
1194 addr_policy_list_free(policy
);
1197 /* test that IPv6 addresses are rejected on an IPv4/IPv6 exit */
1198 policies_parse_exit_policy_reject_private(&policy
, 1, ipv6_list
, 0, 0);
1200 tt_int_op(smartlist_len(policy
), OP_EQ
, 1);
1201 tt_assert(test_policy_has_address_helper(policy
, &ipv6_addr
));
1202 addr_policy_list_free(policy
);
1205 /* test that IPv4 and IPv6 addresses are rejected on an IPv4/IPv6 exit */
1206 policies_parse_exit_policy_reject_private(&policy
, 1, both_list
, 0, 0);
1208 tt_int_op(smartlist_len(policy
), OP_EQ
, 2);
1209 tt_assert(test_policy_has_address_helper(policy
, &ipv4_addr
));
1210 tt_assert(test_policy_has_address_helper(policy
, &ipv6_addr
));
1211 addr_policy_list_free(policy
);
1214 /* Test that lists with duplicate entries produce the same results */
1215 policies_parse_exit_policy_reject_private(&policy
, 1, dupl_list
, 0, 0);
1217 tt_int_op(smartlist_len(policy
), OP_EQ
, 2);
1218 tt_assert(test_policy_has_address_helper(policy
, &ipv4_addr
));
1219 tt_assert(test_policy_has_address_helper(policy
, &ipv6_addr
));
1220 addr_policy_list_free(policy
);
1224 addr_policy_list_free(policy
);
1225 smartlist_free(ipv4_list
);
1226 smartlist_free(ipv6_list
);
1227 smartlist_free(both_list
);
1228 smartlist_free(dupl_list
);
1231 static smartlist_t
*test_configured_ports
= NULL
;
1233 /** Returns test_configured_ports */
1234 static const smartlist_t
*
1235 mock_get_configured_ports(void)
1237 return test_configured_ports
;
1240 /** Run unit tests for rejecting publicly routable configured port addresses
1241 * on this exit relay using policies_parse_exit_policy_reject_private */
1243 test_policies_reject_port_address(void *arg
)
1245 smartlist_t
*policy
= NULL
;
1246 port_cfg_t
*ipv4_port
= NULL
;
1247 port_cfg_t
*ipv6_port
= NULL
;
1250 test_configured_ports
= smartlist_new();
1252 ipv4_port
= port_cfg_new(0);
1253 tor_addr_from_ipv4h(&ipv4_port
->addr
, TEST_IPV4_ADDR
);
1254 smartlist_add(test_configured_ports
, ipv4_port
);
1256 ipv6_port
= port_cfg_new(0);
1257 tor_addr_parse(&ipv6_port
->addr
, TEST_IPV6_ADDR
);
1258 smartlist_add(test_configured_ports
, ipv6_port
);
1260 MOCK(get_configured_ports
, mock_get_configured_ports
);
1262 /* test that an IPv4 port is rejected on an IPv4-only exit, but an IPv6 port
1263 * is NOT rejected (all IPv6 addresses are rejected by
1264 * policies_parse_exit_policy_internal on IPv4-only exits, so
1265 * policies_parse_exit_policy_reject_private doesn't need to do anything
1266 * with IPv6 addresses on IPv4-only exits) */
1267 policies_parse_exit_policy_reject_private(&policy
, 0, NULL
, 0, 1);
1269 tt_int_op(smartlist_len(policy
), OP_EQ
, 1);
1270 tt_assert(test_policy_has_address_helper(policy
, &ipv4_port
->addr
));
1271 addr_policy_list_free(policy
);
1274 /* test that IPv4 and IPv6 ports are rejected on an IPv4/IPv6 exit */
1275 policies_parse_exit_policy_reject_private(&policy
, 1, NULL
, 0, 1);
1277 tt_int_op(smartlist_len(policy
), OP_EQ
, 2);
1278 tt_assert(test_policy_has_address_helper(policy
, &ipv4_port
->addr
));
1279 tt_assert(test_policy_has_address_helper(policy
, &ipv6_port
->addr
));
1280 addr_policy_list_free(policy
);
1284 addr_policy_list_free(policy
);
1285 if (test_configured_ports
) {
1286 SMARTLIST_FOREACH(test_configured_ports
,
1287 port_cfg_t
*, p
, port_cfg_free(p
));
1288 smartlist_free(test_configured_ports
);
1289 test_configured_ports
= NULL
;
1291 UNMOCK(get_configured_ports
);
1294 static smartlist_t
*mock_ipv4_addrs
= NULL
;
1295 static smartlist_t
*mock_ipv6_addrs
= NULL
;
1297 /* mock get_interface_address6_list, returning a deep copy of the template
1298 * address list ipv4_interface_address_list or ipv6_interface_address_list */
1299 static smartlist_t
*
1300 mock_get_interface_address6_list(int severity
,
1302 int include_internal
)
1305 (void)include_internal
;
1306 smartlist_t
*clone_list
= smartlist_new();
1307 smartlist_t
*template_list
= NULL
;
1309 if (family
== AF_INET
) {
1310 template_list
= mock_ipv4_addrs
;
1311 } else if (family
== AF_INET6
) {
1312 template_list
= mock_ipv6_addrs
;
1317 tt_assert(template_list
);
1319 SMARTLIST_FOREACH_BEGIN(template_list
, tor_addr_t
*, src_addr
) {
1320 tor_addr_t
*dest_addr
= tor_malloc(sizeof(tor_addr_t
));
1321 memset(dest_addr
, 0, sizeof(*dest_addr
));
1322 tor_addr_copy_tight(dest_addr
, src_addr
);
1323 smartlist_add(clone_list
, dest_addr
);
1324 } SMARTLIST_FOREACH_END(src_addr
);
1329 interface_address6_list_free(clone_list
);
1333 /** Run unit tests for rejecting publicly routable interface addresses on this
1334 * exit relay using policies_parse_exit_policy_reject_private */
1336 test_policies_reject_interface_address(void *arg
)
1338 smartlist_t
*policy
= NULL
;
1339 smartlist_t
*public_ipv4_addrs
=
1340 get_interface_address6_list(LOG_INFO
, AF_INET
, 0);
1341 smartlist_t
*public_ipv6_addrs
=
1342 get_interface_address6_list(LOG_INFO
, AF_INET6
, 0);
1343 tor_addr_t ipv4_addr
, ipv6_addr
;
1346 /* test that no addresses are rejected when none are supplied/requested */
1347 policies_parse_exit_policy_reject_private(&policy
, 0, NULL
, 0, 0);
1348 tt_ptr_op(policy
, OP_EQ
, NULL
);
1350 /* test that only IPv4 interface addresses are rejected on an IPv4-only exit
1351 * (and allow for duplicates)
1353 policies_parse_exit_policy_reject_private(&policy
, 0, NULL
, 1, 0);
1355 tt_assert(smartlist_len(policy
) <= smartlist_len(public_ipv4_addrs
));
1356 addr_policy_list_free(policy
);
1360 /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
1361 * exit (and allow for duplicates) */
1362 policies_parse_exit_policy_reject_private(&policy
, 1, NULL
, 1, 0);
1364 tt_assert(smartlist_len(policy
) <= (smartlist_len(public_ipv4_addrs
)
1365 + smartlist_len(public_ipv6_addrs
)));
1366 addr_policy_list_free(policy
);
1370 /* Now do it all again, but mocked */
1371 tor_addr_from_ipv4h(&ipv4_addr
, TEST_IPV4_ADDR
);
1372 mock_ipv4_addrs
= smartlist_new();
1373 smartlist_add(mock_ipv4_addrs
, (void *)&ipv4_addr
);
1375 tor_addr_parse(&ipv6_addr
, TEST_IPV6_ADDR
);
1376 mock_ipv6_addrs
= smartlist_new();
1377 smartlist_add(mock_ipv6_addrs
, (void *)&ipv6_addr
);
1379 MOCK(get_interface_address6_list
, mock_get_interface_address6_list
);
1381 /* test that no addresses are rejected when none are supplied/requested */
1382 policies_parse_exit_policy_reject_private(&policy
, 0, NULL
, 0, 0);
1383 tt_ptr_op(policy
, OP_EQ
, NULL
);
1385 /* test that only IPv4 interface addresses are rejected on an IPv4-only exit
1387 policies_parse_exit_policy_reject_private(&policy
, 0, NULL
, 1, 0);
1389 tt_assert(smartlist_len(policy
) == smartlist_len(mock_ipv4_addrs
));
1390 addr_policy_list_free(policy
);
1393 /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
1395 policies_parse_exit_policy_reject_private(&policy
, 1, NULL
, 1, 0);
1397 tt_assert(smartlist_len(policy
) == (smartlist_len(mock_ipv4_addrs
)
1398 + smartlist_len(mock_ipv6_addrs
)));
1399 addr_policy_list_free(policy
);
1403 addr_policy_list_free(policy
);
1404 interface_address6_list_free(public_ipv4_addrs
);
1405 interface_address6_list_free(public_ipv6_addrs
);
1407 UNMOCK(get_interface_address6_list
);
1408 /* we don't use interface_address6_list_free on these lists because their
1409 * address pointers are stack-based */
1410 smartlist_free(mock_ipv4_addrs
);
1411 smartlist_free(mock_ipv6_addrs
);
1414 #undef TEST_IPV4_ADDR
1415 #undef TEST_IPV6_ADDR
1418 test_dump_exit_policy_to_string(void *arg
)
1421 addr_policy_t
*policy_entry
;
1422 int malformed_list
= -1;
1424 routerinfo_t
*ri
= tor_malloc_zero(sizeof(routerinfo_t
));
1428 ri
->policy_is_reject_star
= 1;
1429 ri
->exit_policy
= NULL
; // expecting "reject *:*"
1430 ep
= router_dump_exit_policy_to_string(ri
,1,1);
1432 tt_str_op("reject *:*",OP_EQ
, ep
);
1436 ri
->exit_policy
= smartlist_new();
1437 ri
->policy_is_reject_star
= 0;
1439 policy_entry
= router_parse_addr_policy_item_from_string("accept *:*", -1,
1442 smartlist_add(ri
->exit_policy
,policy_entry
);
1444 ep
= router_dump_exit_policy_to_string(ri
,1,1);
1446 tt_str_op("accept *:*",OP_EQ
, ep
);
1450 policy_entry
= router_parse_addr_policy_item_from_string("reject *:25", -1,
1453 smartlist_add(ri
->exit_policy
,policy_entry
);
1455 ep
= router_dump_exit_policy_to_string(ri
,1,1);
1457 tt_str_op("accept *:*\nreject *:25",OP_EQ
, ep
);
1462 router_parse_addr_policy_item_from_string("reject 8.8.8.8:*", -1,
1465 smartlist_add(ri
->exit_policy
,policy_entry
);
1467 ep
= router_dump_exit_policy_to_string(ri
,1,1);
1469 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*",OP_EQ
, ep
);
1473 router_parse_addr_policy_item_from_string("reject6 [FC00::]/7:*", -1,
1476 smartlist_add(ri
->exit_policy
,policy_entry
);
1478 ep
= router_dump_exit_policy_to_string(ri
,1,1);
1480 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
1481 "reject6 [fc00::]/7:*",OP_EQ
, ep
);
1485 router_parse_addr_policy_item_from_string("accept6 [c000::]/3:*", -1,
1488 smartlist_add(ri
->exit_policy
,policy_entry
);
1490 ep
= router_dump_exit_policy_to_string(ri
,1,1);
1492 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
1493 "reject6 [fc00::]/7:*\naccept6 [c000::]/3:*",OP_EQ
, ep
);
1497 if (ri
->exit_policy
) {
1498 SMARTLIST_FOREACH(ri
->exit_policy
, addr_policy_t
*,
1499 entry
, addr_policy_free(entry
));
1500 smartlist_free(ri
->exit_policy
);
1506 static routerinfo_t
*mock_desc_routerinfo
= NULL
;
1507 static int routerinfo_err
;
1509 static const routerinfo_t
*
1510 mock_router_get_my_routerinfo_with_err(int *err
)
1512 if (routerinfo_err
) {
1514 *err
= routerinfo_err
;
1522 return mock_desc_routerinfo
;
1525 #define DEFAULT_POLICY_STRING "reject *:*"
1526 #define TEST_IPV4_ADDR (0x02040608)
1527 #define TEST_IPV6_ADDR ("2003::ef01")
1529 static or_options_t mock_options
;
1531 static const or_options_t
*
1532 mock_get_options(void)
1534 return &mock_options
;
1537 /** Run unit tests for generating summary lines of exit policies */
1539 test_policies_getinfo_helper_policies(void *arg
)
1543 size_t ipv4_len
= 0, ipv6_len
= 0;
1544 char *answer
= NULL
;
1545 const char *errmsg
= NULL
;
1546 routerinfo_t mock_my_routerinfo
;
1548 memset(&mock_my_routerinfo
, 0, sizeof(mock_my_routerinfo
));
1550 rv
= getinfo_helper_policies(NULL
, "exit-policy/default", &answer
, &errmsg
);
1551 tt_int_op(rv
, OP_EQ
, 0);
1552 tt_ptr_op(answer
, OP_NE
, NULL
);
1553 tt_assert(strlen(answer
) > 0);
1556 rv
= getinfo_helper_policies(NULL
, "exit-policy/reject-private/default",
1558 tt_int_op(rv
, OP_EQ
, 0);
1559 tt_ptr_op(answer
, OP_NE
, NULL
);
1560 tt_assert(strlen(answer
) > 0);
1563 memset(&mock_my_routerinfo
, 0, sizeof(routerinfo_t
));
1564 MOCK(router_get_my_routerinfo_with_err
,
1565 mock_router_get_my_routerinfo_with_err
);
1566 mock_my_routerinfo
.exit_policy
= smartlist_new();
1567 mock_desc_routerinfo
= &mock_my_routerinfo
;
1569 memset(&mock_options
, 0, sizeof(or_options_t
));
1570 MOCK(get_options
, mock_get_options
);
1572 rv
= getinfo_helper_policies(NULL
, "exit-policy/reject-private/relay",
1574 tt_int_op(rv
, OP_EQ
, 0);
1575 tt_ptr_op(answer
, OP_NE
, NULL
);
1576 tt_assert(strlen(answer
) == 0);
1579 rv
= getinfo_helper_policies(NULL
, "exit-policy/ipv4", &answer
,
1581 tt_int_op(rv
, OP_EQ
, 0);
1582 tt_ptr_op(answer
, OP_NE
, NULL
);
1583 ipv4_len
= strlen(answer
);
1584 tt_assert(ipv4_len
== 0 || ipv4_len
== strlen(DEFAULT_POLICY_STRING
));
1585 tt_assert(ipv4_len
== 0 || !strcasecmp(answer
, DEFAULT_POLICY_STRING
));
1588 rv
= getinfo_helper_policies(NULL
, "exit-policy/ipv6", &answer
,
1590 tt_int_op(rv
, OP_EQ
, 0);
1591 tt_ptr_op(answer
, OP_NE
, NULL
);
1592 ipv6_len
= strlen(answer
);
1593 tt_assert(ipv6_len
== 0 || ipv6_len
== strlen(DEFAULT_POLICY_STRING
));
1594 tt_assert(ipv6_len
== 0 || !strcasecmp(answer
, DEFAULT_POLICY_STRING
));
1597 rv
= getinfo_helper_policies(NULL
, "exit-policy/full", &answer
,
1599 tt_int_op(rv
, OP_EQ
, 0);
1600 tt_ptr_op(answer
, OP_NE
, NULL
);
1601 /* It's either empty or it's the default */
1602 tt_assert(strlen(answer
) == 0 || !strcasecmp(answer
, DEFAULT_POLICY_STRING
));
1605 mock_my_routerinfo
.addr
= TEST_IPV4_ADDR
;
1606 tor_addr_parse(&mock_my_routerinfo
.ipv6_addr
, TEST_IPV6_ADDR
);
1607 append_exit_policy_string(&mock_my_routerinfo
.exit_policy
, "accept *4:*");
1608 append_exit_policy_string(&mock_my_routerinfo
.exit_policy
, "reject *6:*");
1610 mock_options
.IPv6Exit
= 1;
1611 tor_addr_from_ipv4h(
1612 &mock_options
.OutboundBindAddresses
[OUTBOUND_ADDR_EXIT
][0],
1615 &mock_options
.OutboundBindAddresses
[OUTBOUND_ADDR_EXIT
][1],
1618 mock_options
.ExitPolicyRejectPrivate
= 1;
1619 mock_options
.ExitPolicyRejectLocalInterfaces
= 1;
1621 rv
= getinfo_helper_policies(NULL
, "exit-policy/reject-private/relay",
1623 tt_int_op(rv
, OP_EQ
, 0);
1624 tt_ptr_op(answer
, OP_NE
, NULL
);
1625 tt_assert(strlen(answer
) > 0);
1628 mock_options
.ExitPolicyRejectPrivate
= 1;
1629 mock_options
.ExitPolicyRejectLocalInterfaces
= 0;
1631 rv
= getinfo_helper_policies(NULL
, "exit-policy/reject-private/relay",
1633 tt_int_op(rv
, OP_EQ
, 0);
1634 tt_ptr_op(answer
, OP_NE
, NULL
);
1635 tt_assert(strlen(answer
) > 0);
1638 mock_options
.ExitPolicyRejectPrivate
= 0;
1639 mock_options
.ExitPolicyRejectLocalInterfaces
= 1;
1641 rv
= getinfo_helper_policies(NULL
, "exit-policy/reject-private/relay",
1643 tt_int_op(rv
, OP_EQ
, 0);
1644 tt_ptr_op(answer
, OP_NE
, NULL
);
1645 tt_assert(strlen(answer
) > 0);
1648 mock_options
.ExitPolicyRejectPrivate
= 0;
1649 mock_options
.ExitPolicyRejectLocalInterfaces
= 0;
1651 rv
= getinfo_helper_policies(NULL
, "exit-policy/reject-private/relay",
1653 tt_int_op(rv
, OP_EQ
, 0);
1654 tt_ptr_op(answer
, OP_NE
, NULL
);
1655 tt_assert(strlen(answer
) == 0);
1658 rv
= getinfo_helper_policies(NULL
, "exit-policy/ipv4", &answer
,
1660 tt_int_op(rv
, OP_EQ
, 0);
1661 tt_ptr_op(answer
, OP_NE
, NULL
);
1662 ipv4_len
= strlen(answer
);
1663 tt_assert(ipv4_len
> 0);
1666 rv
= getinfo_helper_policies(NULL
, "exit-policy/ipv6", &answer
,
1668 tt_int_op(rv
, OP_EQ
, 0);
1669 tt_ptr_op(answer
, OP_NE
, NULL
);
1670 ipv6_len
= strlen(answer
);
1671 tt_assert(ipv6_len
> 0);
1674 rv
= getinfo_helper_policies(NULL
, "exit-policy/full", &answer
,
1676 tt_int_op(rv
, OP_EQ
, 0);
1677 tt_ptr_op(answer
, OP_NE
, NULL
);
1678 tt_assert(strlen(answer
) > 0);
1679 tt_assert(strlen(answer
) == ipv4_len
+ ipv6_len
+ 1);
1682 routerinfo_err
= TOR_ROUTERINFO_ERROR_NO_EXT_ADDR
;
1683 rv
= getinfo_helper_policies(NULL
, "exit-policy/full", &answer
,
1685 tt_int_op(rv
, OP_EQ
, -1);
1686 tt_ptr_op(answer
, OP_EQ
, NULL
);
1687 tt_ptr_op(errmsg
, OP_NE
, NULL
);
1688 tt_str_op(errmsg
, OP_EQ
, "No known exit address yet");
1690 routerinfo_err
= TOR_ROUTERINFO_ERROR_CANNOT_PARSE
;
1691 rv
= getinfo_helper_policies(NULL
, "exit-policy/full", &answer
,
1693 tt_int_op(rv
, OP_EQ
, -1);
1694 tt_ptr_op(answer
, OP_EQ
, NULL
);
1695 tt_ptr_op(errmsg
, OP_NE
, NULL
);
1696 tt_str_op(errmsg
, OP_EQ
, "Cannot parse descriptor");
1698 routerinfo_err
= TOR_ROUTERINFO_ERROR_NOT_A_SERVER
;
1699 rv
= getinfo_helper_policies(NULL
, "exit-policy/full", &answer
,
1701 tt_int_op(rv
, OP_EQ
, 0);
1702 tt_ptr_op(answer
, OP_EQ
, NULL
);
1703 tt_ptr_op(errmsg
, OP_NE
, NULL
);
1704 tt_str_op(errmsg
, OP_EQ
, "Not running in server mode");
1706 routerinfo_err
= TOR_ROUTERINFO_ERROR_DIGEST_FAILED
;
1707 rv
= getinfo_helper_policies(NULL
, "exit-policy/full", &answer
,
1710 tt_int_op(rv
, OP_EQ
, -1);
1711 tt_ptr_op(answer
, OP_EQ
, NULL
);
1712 tt_ptr_op(errmsg
, OP_NE
, NULL
);
1713 tt_str_op(errmsg
, OP_EQ
, "Key digest failed");
1715 routerinfo_err
= TOR_ROUTERINFO_ERROR_CANNOT_GENERATE
;
1716 rv
= getinfo_helper_policies(NULL
, "exit-policy/full", &answer
,
1718 tt_int_op(rv
, OP_EQ
, -1);
1719 tt_ptr_op(answer
, OP_EQ
, NULL
);
1720 tt_ptr_op(errmsg
, OP_NE
, NULL
);
1721 tt_str_op(errmsg
, OP_EQ
, "Cannot generate descriptor");
1723 routerinfo_err
= TOR_ROUTERINFO_ERROR_DESC_REBUILDING
;
1724 rv
= getinfo_helper_policies(NULL
, "exit-policy/full", &answer
,
1726 tt_int_op(rv
, OP_EQ
, -1);
1727 tt_ptr_op(answer
, OP_EQ
, NULL
);
1728 tt_ptr_op(errmsg
, OP_NE
, NULL
);
1729 tt_str_op(errmsg
, OP_EQ
, "Descriptor still rebuilding - not ready yet");
1733 UNMOCK(get_options
);
1734 UNMOCK(router_get_my_routerinfo
);
1735 addr_policy_list_free(mock_my_routerinfo
.exit_policy
);
1738 #undef DEFAULT_POLICY_STRING
1739 #undef TEST_IPV4_ADDR
1740 #undef TEST_IPV6_ADDR
1742 #define TEST_IPV4_ADDR_STR "1.2.3.4"
1743 #define TEST_IPV6_ADDR_STR "[1002::4567]"
1744 #define REJECT_IPv4_FINAL_STR "reject 0.0.0.0/0:*"
1745 #define REJECT_IPv6_FINAL_STR "reject [::]/0:*"
1747 #define OTHER_IPV4_ADDR_STR "6.7.8.9"
1748 #define OTHER_IPV6_ADDR_STR "[afff::]"
1750 /** Run unit tests for fascist_firewall_allows_address */
1752 test_policies_fascist_firewall_allows_address(void *arg
)
1755 tor_addr_t ipv4_addr
, ipv6_addr
, r_ipv4_addr
, r_ipv6_addr
;
1756 tor_addr_t n_ipv4_addr
, n_ipv6_addr
;
1757 const uint16_t port
= 1234;
1758 smartlist_t
*policy
= NULL
;
1759 smartlist_t
*e_policy
= NULL
;
1760 addr_policy_t
*item
= NULL
;
1761 int malformed_list
= 0;
1763 /* Setup the options and the items in the policies */
1764 memset(&mock_options
, 0, sizeof(or_options_t
));
1765 MOCK(get_options
, mock_get_options
);
1767 policy
= smartlist_new();
1768 item
= router_parse_addr_policy_item_from_string("accept "
1769 TEST_IPV4_ADDR_STR
":*",
1773 tt_assert(!malformed_list
);
1774 smartlist_add(policy
, item
);
1775 item
= router_parse_addr_policy_item_from_string("accept "
1780 tt_assert(!malformed_list
);
1781 smartlist_add(policy
, item
);
1782 /* Normally, policy_expand_unspec would do this for us */
1783 item
= router_parse_addr_policy_item_from_string(REJECT_IPv4_FINAL_STR
,
1787 tt_assert(!malformed_list
);
1788 smartlist_add(policy
, item
);
1789 item
= router_parse_addr_policy_item_from_string(REJECT_IPv6_FINAL_STR
,
1793 tt_assert(!malformed_list
);
1794 smartlist_add(policy
, item
);
1797 e_policy
= smartlist_new();
1800 char *polstr = policy_dump_to_string(policy, 1, 1);
1801 printf("%s\n", polstr);
1805 /* Parse the addresses */
1806 tor_addr_parse(&ipv4_addr
, TEST_IPV4_ADDR_STR
);
1807 tor_addr_parse(&ipv6_addr
, TEST_IPV6_ADDR_STR
);
1808 tor_addr_parse(&r_ipv4_addr
, OTHER_IPV4_ADDR_STR
);
1809 tor_addr_parse(&r_ipv6_addr
, OTHER_IPV6_ADDR_STR
);
1810 tor_addr_make_null(&n_ipv4_addr
, AF_INET
);
1811 tor_addr_make_null(&n_ipv6_addr
, AF_INET6
);
1813 /* Test the function's address matching with IPv4 and IPv6 on */
1814 memset(&mock_options
, 0, sizeof(or_options_t
));
1815 mock_options
.ClientUseIPv4
= 1;
1816 mock_options
.ClientUseIPv6
= 1;
1817 mock_options
.UseBridges
= 0;
1819 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 0, 0),
1821 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 0, 0),
1823 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 0, 0),
1825 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 0, 0),
1828 /* Preferring IPv4 */
1829 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 1, 0),
1831 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 1, 0),
1833 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 1, 0),
1835 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 1, 0),
1838 /* Preferring IPv6 */
1839 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 1, 1),
1841 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 1, 1),
1843 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 1, 1),
1845 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 1, 1),
1848 /* Test the function's address matching with UseBridges on */
1849 memset(&mock_options
, 0, sizeof(or_options_t
));
1850 mock_options
.ClientUseIPv4
= 1;
1851 mock_options
.ClientUseIPv6
= 1;
1852 mock_options
.UseBridges
= 1;
1854 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 0, 0),
1856 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 0, 0),
1858 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 0, 0),
1860 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 0, 0),
1863 /* Preferring IPv4 */
1864 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 1, 0),
1866 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 1, 0),
1868 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 1, 0),
1870 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 1, 0),
1873 /* Preferring IPv6 */
1874 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 1, 1),
1876 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 1, 1),
1878 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 1, 1),
1880 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 1, 1),
1883 /* bridge clients always use IPv6, regardless of ClientUseIPv6 */
1884 mock_options
.ClientUseIPv4
= 1;
1885 mock_options
.ClientUseIPv6
= 0;
1886 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 0, 0),
1888 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 0, 0),
1890 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 0, 0),
1892 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 0, 0),
1895 /* Test the function's address matching with IPv4 on */
1896 memset(&mock_options
, 0, sizeof(or_options_t
));
1897 mock_options
.ClientUseIPv4
= 1;
1898 mock_options
.ClientUseIPv6
= 0;
1899 mock_options
.UseBridges
= 0;
1901 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 0, 0),
1903 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 0, 0),
1905 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 0, 0),
1907 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 0, 0),
1910 /* Test the function's address matching with IPv6 on */
1911 memset(&mock_options
, 0, sizeof(or_options_t
));
1912 mock_options
.ClientUseIPv4
= 0;
1913 mock_options
.ClientUseIPv6
= 1;
1914 mock_options
.UseBridges
= 0;
1916 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 0, 0),
1918 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 0, 0),
1920 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 0, 0),
1922 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 0, 0),
1925 /* Test the function's address matching with ClientUseIPv4 0.
1926 * This means "use IPv6" regardless of the other settings. */
1927 memset(&mock_options
, 0, sizeof(or_options_t
));
1928 mock_options
.ClientUseIPv4
= 0;
1929 mock_options
.ClientUseIPv6
= 0;
1930 mock_options
.UseBridges
= 0;
1932 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 0, 0),
1934 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 0, 0),
1936 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 0, 0),
1938 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 0, 0),
1941 /* Test the function's address matching for unusual inputs */
1942 memset(&mock_options
, 0, sizeof(or_options_t
));
1943 mock_options
.ClientUseIPv4
= 1;
1944 mock_options
.ClientUseIPv6
= 1;
1945 mock_options
.UseBridges
= 1;
1947 /* NULL and tor_addr_is_null addresses are rejected */
1948 tt_int_op(fascist_firewall_allows_address(NULL
, port
, policy
, 0, 0), OP_EQ
,
1950 tt_int_op(fascist_firewall_allows_address(&n_ipv4_addr
, port
, policy
, 0, 0),
1952 tt_int_op(fascist_firewall_allows_address(&n_ipv6_addr
, port
, policy
, 0, 0),
1955 /* zero ports are rejected */
1956 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, 0, policy
, 0, 0),
1958 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, 0, policy
, 0, 0),
1961 /* NULL and empty policies accept everything */
1962 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, NULL
, 0, 0),
1964 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, NULL
, 0, 0),
1966 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, e_policy
, 0, 0),
1968 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, e_policy
, 0, 0),
1972 addr_policy_free(item
);
1973 addr_policy_list_free(policy
);
1974 addr_policy_list_free(e_policy
);
1975 UNMOCK(get_options
);
1978 #undef REJECT_IPv4_FINAL_STR
1979 #undef REJECT_IPv6_FINAL_STR
1980 #undef OTHER_IPV4_ADDR_STR
1981 #undef OTHER_IPV6_ADDR_STR
1983 #define TEST_IPV4_OR_PORT 1234
1984 #define TEST_IPV4_DIR_PORT 2345
1985 #define TEST_IPV6_OR_PORT 61234
1986 #define TEST_IPV6_DIR_PORT 62345
1988 /* Check that fascist_firewall_choose_address_rs() returns the expected
1990 #define CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \
1993 tor_addr_port_t chosen_rs_ap; \
1994 tor_addr_make_null(&chosen_rs_ap.addr, AF_INET); \
1995 chosen_rs_ap.port = 0; \
1996 fascist_firewall_choose_address_rs(&(fake_rs), (fw_connection), \
1997 (pref_only), &chosen_rs_ap); \
1998 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_rs_ap.addr)); \
1999 tt_int_op((expect_ap).port, OP_EQ, chosen_rs_ap.port); \
2002 /* Check that fascist_firewall_choose_address_node() returns the expected
2004 #define CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, \
2005 expect_rv, expect_ap) \
2007 tor_addr_port_t chosen_node_ap; \
2008 tor_addr_make_null(&chosen_node_ap.addr, AF_INET); \
2009 chosen_node_ap.port = 0; \
2010 fascist_firewall_choose_address_node(&(fake_node),(fw_connection), \
2011 (pref_only), &chosen_node_ap); \
2012 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_node_ap.addr)); \
2013 tt_int_op((expect_ap).port, OP_EQ, chosen_node_ap.port); \
2016 /* Check that fascist_firewall_choose_address_rs and
2017 * fascist_firewall_choose_address_node() both return the expected results. */
2018 #define CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, fw_connection, pref_only, \
2019 expect_rv, expect_ap) \
2021 CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \
2023 CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, expect_rv, \
2027 /** Mock the preferred address function to return zero (prefer IPv4). */
2029 mock_fascist_firewall_rand_prefer_ipv6_addr_use_ipv4(void)
2034 /** Mock the preferred address function to return one (prefer IPv6). */
2036 mock_fascist_firewall_rand_prefer_ipv6_addr_use_ipv6(void)
2041 /** Run unit tests for fascist_firewall_choose_address */
2043 test_policies_fascist_firewall_choose_address(void *arg
)
2046 tor_addr_port_t ipv4_or_ap
, ipv4_dir_ap
, ipv6_or_ap
, ipv6_dir_ap
;
2047 tor_addr_port_t n_ipv4_ap
, n_ipv6_ap
;
2049 /* Setup the options */
2050 memset(&mock_options
, 0, sizeof(or_options_t
));
2051 MOCK(get_options
, mock_get_options
);
2053 /* Parse the addresses */
2054 tor_addr_parse(&ipv4_or_ap
.addr
, TEST_IPV4_ADDR_STR
);
2055 ipv4_or_ap
.port
= TEST_IPV4_OR_PORT
;
2056 tor_addr_parse(&ipv4_dir_ap
.addr
, TEST_IPV4_ADDR_STR
);
2057 ipv4_dir_ap
.port
= TEST_IPV4_DIR_PORT
;
2059 tor_addr_parse(&ipv6_or_ap
.addr
, TEST_IPV6_ADDR_STR
);
2060 ipv6_or_ap
.port
= TEST_IPV6_OR_PORT
;
2061 tor_addr_parse(&ipv6_dir_ap
.addr
, TEST_IPV6_ADDR_STR
);
2062 ipv6_dir_ap
.port
= TEST_IPV6_DIR_PORT
;
2064 tor_addr_make_null(&n_ipv4_ap
.addr
, AF_INET
);
2066 tor_addr_make_null(&n_ipv6_ap
.addr
, AF_INET6
);
2069 /* Sanity check fascist_firewall_choose_address with IPv4 and IPv6 on */
2070 memset(&mock_options
, 0, sizeof(or_options_t
));
2071 mock_options
.ClientUseIPv4
= 1;
2072 mock_options
.ClientUseIPv6
= 1;
2073 mock_options
.UseBridges
= 0;
2076 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 1,
2077 FIREWALL_OR_CONNECTION
, 0, 0)
2079 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 1,
2080 FIREWALL_OR_CONNECTION
, 1, 0)
2082 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap
, &ipv6_dir_ap
, 1,
2083 FIREWALL_DIR_CONNECTION
, 0, 0)
2085 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap
, &ipv6_dir_ap
, 1,
2086 FIREWALL_DIR_CONNECTION
, 1, 0)
2090 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 0,
2091 FIREWALL_OR_CONNECTION
, 0, 1)
2093 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 0,
2094 FIREWALL_OR_CONNECTION
, 1, 1)
2096 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap
, &ipv6_dir_ap
, 0,
2097 FIREWALL_DIR_CONNECTION
, 0, 1)
2099 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap
, &ipv6_dir_ap
, 0,
2100 FIREWALL_DIR_CONNECTION
, 1, 1)
2103 /* Unusual inputs */
2105 /* null preferred OR addresses */
2106 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &n_ipv6_ap
, 0,
2107 FIREWALL_OR_CONNECTION
, 0, 1)
2109 tt_assert(fascist_firewall_choose_address(&n_ipv4_ap
, &ipv6_or_ap
, 1,
2110 FIREWALL_OR_CONNECTION
, 0, 0)
2113 /* null both OR addresses */
2114 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap
, &n_ipv6_ap
, 0,
2115 FIREWALL_OR_CONNECTION
, 0, 1),
2117 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap
, &n_ipv6_ap
, 1,
2118 FIREWALL_OR_CONNECTION
, 0, 0),
2121 /* null preferred Dir addresses */
2122 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap
, &n_ipv6_ap
, 0,
2123 FIREWALL_DIR_CONNECTION
, 0, 1)
2125 tt_assert(fascist_firewall_choose_address(&n_ipv4_ap
, &ipv6_dir_ap
, 1,
2126 FIREWALL_DIR_CONNECTION
, 0, 0)
2129 /* null both Dir addresses */
2130 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap
, &n_ipv6_ap
, 0,
2131 FIREWALL_DIR_CONNECTION
, 0, 1),
2133 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap
, &n_ipv6_ap
, 1,
2134 FIREWALL_DIR_CONNECTION
, 0, 0),
2137 /* Prefer IPv4 but want IPv6 (contradictory) */
2138 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 0,
2139 FIREWALL_OR_CONNECTION
, 0, 0)
2141 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 0,
2142 FIREWALL_OR_CONNECTION
, 1, 0)
2145 /* Prefer IPv6 but want IPv4 (contradictory) */
2146 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 1,
2147 FIREWALL_OR_CONNECTION
, 0, 1)
2149 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 1,
2150 FIREWALL_OR_CONNECTION
, 1, 1)
2153 /* Make a fake rs. There will be no corresponding node.
2154 * This is what happens when there's no consensus and we're bootstrapping
2155 * from authorities / fallbacks. */
2156 routerstatus_t fake_rs
;
2157 memset(&fake_rs
, 0, sizeof(routerstatus_t
));
2158 /* In a routerstatus, the OR and Dir addresses are the same */
2159 fake_rs
.addr
= tor_addr_to_ipv4h(&ipv4_or_ap
.addr
);
2160 fake_rs
.or_port
= ipv4_or_ap
.port
;
2161 fake_rs
.dir_port
= ipv4_dir_ap
.port
;
2163 tor_addr_copy(&fake_rs
.ipv6_addr
, &ipv6_or_ap
.addr
);
2164 fake_rs
.ipv6_orport
= ipv6_or_ap
.port
;
2165 /* In a routerstatus, the IPv4 and IPv6 DirPorts are the same.*/
2166 ipv6_dir_ap
.port
= TEST_IPV4_DIR_PORT
;
2168 /* Make a fake node. Even though it contains the fake_rs, a lookup won't
2169 * find the node from the rs, because they're not in the hash table. */
2171 memset(&fake_node
, 0, sizeof(node_t
));
2172 fake_node
.rs
= &fake_rs
;
2174 /* Choose an address with IPv4 and IPv6 on */
2175 memset(&mock_options
, 0, sizeof(or_options_t
));
2176 mock_options
.ClientUseIPv4
= 1;
2177 mock_options
.ClientUseIPv6
= 1;
2178 mock_options
.UseBridges
= 0;
2180 /* Preferring IPv4 */
2181 mock_options
.ClientPreferIPv6ORPort
= 0;
2182 mock_options
.ClientPreferIPv6DirPort
= 0;
2183 /* Simulate the initialisation of fake_node.ipv6_preferred */
2184 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2187 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2189 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2191 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2193 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2196 /* Auto (Preferring IPv4) */
2197 mock_options
.ClientPreferIPv6ORPort
= -1;
2198 mock_options
.ClientPreferIPv6DirPort
= -1;
2199 /* Simulate the initialisation of fake_node.ipv6_preferred */
2200 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2203 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2205 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2207 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2209 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2212 /* Preferring IPv6 */
2213 mock_options
.ClientPreferIPv6ORPort
= 1;
2214 mock_options
.ClientPreferIPv6DirPort
= 1;
2215 /* Simulate the initialisation of fake_node.ipv6_preferred */
2216 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2219 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2221 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2223 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2225 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2228 /* Preferring IPv4 OR / IPv6 Dir */
2229 mock_options
.ClientPreferIPv6ORPort
= 0;
2230 mock_options
.ClientPreferIPv6DirPort
= 1;
2231 /* Simulate the initialisation of fake_node.ipv6_preferred */
2232 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2235 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2237 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2239 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2241 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2244 /* Preferring IPv6 OR / IPv4 Dir */
2245 mock_options
.ClientPreferIPv6ORPort
= 1;
2246 mock_options
.ClientPreferIPv6DirPort
= 0;
2247 /* Simulate the initialisation of fake_node.ipv6_preferred */
2248 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2251 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2253 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2255 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2257 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2260 /* Choose an address with UseBridges on */
2261 memset(&mock_options
, 0, sizeof(or_options_t
));
2262 mock_options
.UseBridges
= 1;
2263 mock_options
.ClientUseIPv4
= 1;
2264 mock_options
.ClientUseIPv6
= 1;
2266 /* Preferring IPv4 */
2267 mock_options
.ClientPreferIPv6ORPort
= 0;
2268 mock_options
.ClientPreferIPv6DirPort
= 0;
2269 /* Simulate the initialisation of fake_node.ipv6_preferred */
2270 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2273 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2275 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2277 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2279 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2283 * - bridge clients prefer the configured bridge OR address from the node,
2284 * (the configured address family sets node.ipv6_preferred)
2285 * - other clients prefer IPv4 OR by default (see above),
2286 * - all clients, including bridge clients, prefer IPv4 Dir by default.
2288 mock_options
.ClientPreferIPv6ORPort
= -1;
2289 mock_options
.ClientPreferIPv6DirPort
= -1;
2291 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2292 * configured with an IPv4 address */
2293 fake_node
.ipv6_preferred
= 0;
2294 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 0, 1, ipv4_or_ap
);
2295 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 1, 1, ipv4_or_ap
);
2296 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2298 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2301 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2302 * configured with an IPv6 address */
2303 fake_node
.ipv6_preferred
= 1;
2304 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 0, 1, ipv6_or_ap
);
2305 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 1, 1, ipv6_or_ap
);
2306 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2308 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2311 /* When a rs has no node, it defaults to IPv4 under auto. */
2312 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_OR_CONNECTION
, 0, 1, ipv4_or_ap
);
2313 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_OR_CONNECTION
, 1, 1, ipv4_or_ap
);
2314 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_DIR_CONNECTION
, 0, 1, ipv4_dir_ap
);
2315 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_DIR_CONNECTION
, 1, 1, ipv4_dir_ap
);
2317 /* Preferring IPv6 */
2318 mock_options
.ClientPreferIPv6ORPort
= 1;
2319 mock_options
.ClientPreferIPv6DirPort
= 1;
2320 /* Simulate the initialisation of fake_node.ipv6_preferred */
2321 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2324 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2326 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2328 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2330 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2333 /* In the default configuration (Auto / IPv6 off), bridge clients should
2334 * use both IPv4 and IPv6, but only prefer IPv6 for bridges configured with
2335 * an IPv6 address, regardless of ClientUseIPv6. (See above.) */
2336 mock_options
.ClientUseIPv6
= 0;
2337 mock_options
.ClientPreferIPv6ORPort
= -1;
2338 mock_options
.ClientPreferIPv6DirPort
= -1;
2339 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2340 * configured with an IPv4 address */
2341 fake_node
.ipv6_preferred
= 0;
2342 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 0, 1, ipv4_or_ap
);
2343 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 1, 1, ipv4_or_ap
);
2344 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2346 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2349 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2350 * configured with an IPv6 address */
2351 fake_node
.ipv6_preferred
= 1;
2352 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 0, 1, ipv6_or_ap
);
2353 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 1, 1, ipv6_or_ap
);
2354 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2356 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2359 /* When a rs has no node, it defaults to IPv4 under auto. */
2360 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_OR_CONNECTION
, 0, 1, ipv4_or_ap
);
2361 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_OR_CONNECTION
, 1, 1, ipv4_or_ap
);
2362 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_DIR_CONNECTION
, 0, 1, ipv4_dir_ap
);
2363 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_DIR_CONNECTION
, 1, 1, ipv4_dir_ap
);
2365 /* Choose an address with IPv4 on */
2366 memset(&mock_options
, 0, sizeof(or_options_t
));
2367 mock_options
.ClientUseIPv4
= 1;
2368 mock_options
.ClientUseIPv6
= 0;
2369 /* Simulate the initialisation of fake_node.ipv6_preferred */
2370 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2373 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2375 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2377 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2379 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2382 /* Choose an address with IPv6 on */
2383 memset(&mock_options
, 0, sizeof(or_options_t
));
2384 mock_options
.ClientUseIPv4
= 0;
2385 mock_options
.ClientUseIPv6
= 1;
2386 /* Simulate the initialisation of fake_node.ipv6_preferred */
2387 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2390 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2392 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2394 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2396 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2399 /* Choose an address with ClientUseIPv4 0.
2400 * This means "use IPv6" regardless of the other settings. */
2401 memset(&mock_options
, 0, sizeof(or_options_t
));
2402 mock_options
.ClientUseIPv4
= 0;
2403 mock_options
.ClientUseIPv6
= 0;
2404 /* Simulate the initialisation of fake_node.ipv6_preferred */
2405 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2408 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2410 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2412 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2414 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2417 /* Choose an address with ORPort_set 1 (server mode).
2418 * This means "use IPv4" regardless of the other settings. */
2419 memset(&mock_options
, 0, sizeof(or_options_t
));
2420 mock_options
.ORPort_set
= 1;
2421 mock_options
.ClientUseIPv4
= 0;
2422 mock_options
.ClientUseIPv6
= 1;
2423 mock_options
.ClientPreferIPv6ORPort
= 1;
2424 mock_options
.ClientPreferIPv6DirPort
= 1;
2426 /* Simulate the initialisation of fake_node.ipv6_preferred */
2427 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2430 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2432 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2434 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2436 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2439 /* Test ClientAutoIPv6ORPort and pretend we prefer IPv4. */
2440 memset(&mock_options
, 0, sizeof(or_options_t
));
2441 mock_options
.ClientAutoIPv6ORPort
= 1;
2442 mock_options
.ClientUseIPv4
= 1;
2443 mock_options
.ClientUseIPv6
= 1;
2444 MOCK(fascist_firewall_rand_prefer_ipv6_addr
,
2445 mock_fascist_firewall_rand_prefer_ipv6_addr_use_ipv4
);
2446 /* Simulate the initialisation of fake_node.ipv6_preferred */
2447 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2450 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2452 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2455 UNMOCK(fascist_firewall_rand_prefer_ipv6_addr
);
2457 /* Test ClientAutoIPv6ORPort and pretend we prefer IPv6. */
2458 memset(&mock_options
, 0, sizeof(or_options_t
));
2459 mock_options
.ClientAutoIPv6ORPort
= 1;
2460 mock_options
.ClientUseIPv4
= 1;
2461 mock_options
.ClientUseIPv6
= 1;
2462 MOCK(fascist_firewall_rand_prefer_ipv6_addr
,
2463 mock_fascist_firewall_rand_prefer_ipv6_addr_use_ipv6
);
2464 /* Simulate the initialisation of fake_node.ipv6_preferred */
2465 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2468 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2470 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2473 UNMOCK(fascist_firewall_rand_prefer_ipv6_addr
);
2476 UNMOCK(get_options
);
2479 #undef TEST_IPV4_ADDR_STR
2480 #undef TEST_IPV6_ADDR_STR
2481 #undef TEST_IPV4_OR_PORT
2482 #undef TEST_IPV4_DIR_PORT
2483 #undef TEST_IPV6_OR_PORT
2484 #undef TEST_IPV6_DIR_PORT
2486 #undef CHECK_CHOSEN_ADDR_RS
2487 #undef CHECK_CHOSEN_ADDR_NODE
2488 #undef CHECK_CHOSEN_ADDR_RN
2490 struct testcase_t policy_tests
[] = {
2491 { "router_dump_exit_policy_to_string", test_dump_exit_policy_to_string
, 0,
2493 { "general", test_policies_general
, 0, NULL
, NULL
},
2494 { "getinfo_helper_policies", test_policies_getinfo_helper_policies
, 0, NULL
,
2496 { "reject_exit_address", test_policies_reject_exit_address
, 0, NULL
, NULL
},
2497 { "reject_interface_address", test_policies_reject_interface_address
, 0,
2499 { "reject_port_address", test_policies_reject_port_address
, 0, NULL
, NULL
},
2500 { "fascist_firewall_allows_address",
2501 test_policies_fascist_firewall_allows_address
, 0, NULL
, NULL
},
2502 { "fascist_firewall_choose_address",
2503 test_policies_fascist_firewall_choose_address
, 0, NULL
, NULL
},