search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bump copyright date to 2019
[tor.git] / src / test / test_policy.c
blob46d4a1b94af01507231875cbaf10d01ee3b7224b
1 /* Copyright (c) 2013-2019, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3
4 #define CONFIG_PRIVATE
5 #define POLICIES_PRIVATE
6
7 #include "core/or/or.h"
8 #include "app/config/config.h"
9 #include "core/or/policies.h"
10 #include "feature/dirparse/policy_parse.h"
11 #include "feature/relay/router.h"
12 #include "lib/encoding/confline.h"
13 #include "test/test.h"
14
15 #include "core/or/addr_policy_st.h"
16 #include "core/or/port_cfg_st.h"
17 #include "feature/nodelist/node_st.h"
18 #include "feature/nodelist/routerinfo_st.h"
19 #include "feature/nodelist/routerstatus_st.h"
20
21 /* Helper: assert that short_policy parses and writes back out as itself,
22 or as <b>expected</b> if that's provided. */
23 static void
24 test_short_policy_parse(const char *input,
25 const char *expected)
26 {
27 short_policy_t *short_policy = NULL;
28 char *out = NULL;
29
30 if (expected == NULL)
31 expected = input;
32
33 short_policy = parse_short_policy(input);
34 tt_assert(short_policy);
35 out = write_short_policy(short_policy);
36 tt_str_op(out, OP_EQ, expected);
37
38 done:
39 tor_free(out);
40 short_policy_free(short_policy);
41 }
42
43 /** Helper: Parse the exit policy string in <b>policy_str</b> with
44 * <b>options</b>, and make sure that policies_summarize() produces the string
45 * <b>expected_summary</b> from it when called with family. */
46 static void
47 test_policy_summary_helper_family_flags(const char *policy_str,
48 const char *expected_summary,
49 sa_family_t family,
50 exit_policy_parser_cfg_t options)
51 {
52 config_line_t line;
53 smartlist_t *policy = smartlist_new();
54 char *summary = NULL;
55 char *summary_after = NULL;
56 int r;
57 short_policy_t *short_policy = NULL;
58 int success = 0;
59
60 line.key = (char*)"foo";
61 line.value = (char *)policy_str;
62 line.next = NULL;
63
64 r = policies_parse_exit_policy(&line, &policy,
65 options, NULL);
66 tt_int_op(r,OP_EQ, 0);
67
68 summary = policy_summarize(policy, family);
69
70 tt_ptr_op(summary, OP_NE, NULL);
71 tt_str_op(summary,OP_EQ, expected_summary);
72
73 short_policy = parse_short_policy(summary);
74 tt_assert(short_policy);
75 summary_after = write_short_policy(short_policy);
76 tt_str_op(summary,OP_EQ, summary_after);
77
78 success = 1;
79 done:
80 /* If we don't print the flags on failure, it's very hard to diagnose bugs */
81 if (!success)
82 TT_DECLARE("CTXT", ("\n IPv%d\n Options: %x\n Policy: %s",
83 family == AF_INET ? 4 : 6, options, policy_str));
84 tor_free(summary_after);
85 tor_free(summary);
86 if (policy)
87 addr_policy_list_free(policy);
88 short_policy_free(short_policy);
89 }
90
91 /** Like test_policy_summary_helper_family_flags, but tries all the different
92 * flag combinations */
93 static void
94 test_policy_summary_helper_family(const char *policy_str,
95 const char *expected_summary,
96 sa_family_t family)
97 {
98 for (exit_policy_parser_cfg_t opt = 0;
99 opt <= EXIT_POLICY_OPTION_ALL;
100 opt++) {
101 if (family == AF_INET6 && !(opt & EXIT_POLICY_IPV6_ENABLED))
102 /* Skip the test: IPv6 addresses need IPv6 enabled */
103 continue;
104
105 if (opt & EXIT_POLICY_REJECT_LOCAL_INTERFACES)
106 /* Skip the test: local interfaces are machine-specific */
107 continue;
108
109 test_policy_summary_helper_family_flags(policy_str, expected_summary,
110 family, opt);
111 }
112 }
113
114 /** Like test_policy_summary_helper_family, but uses expected_summary for
115 * both IPv4 and IPv6. */
116 static void
117 test_policy_summary_helper(const char *policy_str,
118 const char *expected_summary)
119 {
120 test_policy_summary_helper_family(policy_str, expected_summary, AF_INET);
121 test_policy_summary_helper_family(policy_str, expected_summary, AF_INET6);
122 }
123
124 /** Like test_policy_summary_helper_family, but uses expected_summary4 for
125 * IPv4 and expected_summary6 for IPv6. */
126 static void
127 test_policy_summary_helper6(const char *policy_str,
128 const char *expected_summary4,
129 const char *expected_summary6)
130 {
131 test_policy_summary_helper_family(policy_str, expected_summary4, AF_INET);
132 test_policy_summary_helper_family(policy_str, expected_summary6, AF_INET6);
133 }
134
135 /** Run unit tests for generating summary lines of exit policies */
136 static void
137 test_policies_general(void *arg)
138 {
139 int i;
140 smartlist_t *policy = NULL, *policy2 = NULL, *policy3 = NULL,
141 *policy4 = NULL, *policy5 = NULL, *policy6 = NULL,
142 *policy7 = NULL, *policy8 = NULL, *policy9 = NULL,
143 *policy10 = NULL, *policy11 = NULL, *policy12 = NULL;
144 addr_policy_t *p;
145 tor_addr_t tar, tar2;
146 smartlist_t *addr_list = NULL;
147 config_line_t line;
148 smartlist_t *sm = NULL;
149 char *policy_str = NULL;
150 short_policy_t *short_parsed = NULL;
151 int malformed_list = -1;
152 (void)arg;
153
154 policy = smartlist_new();
155
156 p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*", -1,
157 &malformed_list);
158 tt_ptr_op(p, OP_NE, NULL);
159 tt_int_op(ADDR_POLICY_REJECT,OP_EQ, p->policy_type);
160 tor_addr_from_ipv4h(&tar, 0xc0a80000u);
161 tt_int_op(0,OP_EQ, tor_addr_compare(&p->addr, &tar, CMP_EXACT));
162 tt_int_op(16,OP_EQ, p->maskbits);
163 tt_int_op(1,OP_EQ, p->prt_min);
164 tt_int_op(65535,OP_EQ, p->prt_max);
165
166 smartlist_add(policy, p);
167
168 tor_addr_from_ipv4h(&tar, 0x01020304u);
169 tt_assert(ADDR_POLICY_ACCEPTED ==
170 compare_tor_addr_to_addr_policy(&tar, 2, policy));
171 tor_addr_make_unspec(&tar);
172 tt_assert(ADDR_POLICY_PROBABLY_ACCEPTED ==
173 compare_tor_addr_to_addr_policy(&tar, 2, policy));
174 tor_addr_from_ipv4h(&tar, 0xc0a80102);
175 tt_assert(ADDR_POLICY_REJECTED ==
176 compare_tor_addr_to_addr_policy(&tar, 2, policy));
177
178 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy2,
179 EXIT_POLICY_IPV6_ENABLED |
180 EXIT_POLICY_REJECT_PRIVATE |
181 EXIT_POLICY_ADD_DEFAULT, NULL));
182
183 tt_assert(policy2);
184
185 tor_addr_from_ipv4h(&tar, 0x0306090cu);
186 tor_addr_parse(&tar2, "[2000::1234]");
187 addr_list = smartlist_new();
188 smartlist_add(addr_list, &tar);
189 smartlist_add(addr_list, &tar2);
190 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy12,
191 EXIT_POLICY_IPV6_ENABLED |
192 EXIT_POLICY_REJECT_PRIVATE |
193 EXIT_POLICY_ADD_DEFAULT,
194 addr_list));
195 smartlist_free(addr_list);
196 addr_list = NULL;
197
198 tt_assert(policy12);
199
200 policy3 = smartlist_new();
201 p = router_parse_addr_policy_item_from_string("reject *:*", -1,
202 &malformed_list);
203 tt_ptr_op(p, OP_NE, NULL);
204 smartlist_add(policy3, p);
205 p = router_parse_addr_policy_item_from_string("accept *:*", -1,
206 &malformed_list);
207 tt_ptr_op(p, OP_NE, NULL);
208 smartlist_add(policy3, p);
209
210 policy4 = smartlist_new();
211 p = router_parse_addr_policy_item_from_string("accept *:443", -1,
212 &malformed_list);
213 tt_ptr_op(p, OP_NE, NULL);
214 smartlist_add(policy4, p);
215 p = router_parse_addr_policy_item_from_string("accept *:443", -1,
216 &malformed_list);
217 tt_ptr_op(p, OP_NE, NULL);
218 smartlist_add(policy4, p);
219
220 policy5 = smartlist_new();
221 p = router_parse_addr_policy_item_from_string("reject 0.0.0.0/8:*", -1,
222 &malformed_list);
223 tt_ptr_op(p, OP_NE, NULL);
224 smartlist_add(policy5, p);
225 p = router_parse_addr_policy_item_from_string("reject 169.254.0.0/16:*", -1,
226 &malformed_list);
227 tt_ptr_op(p, OP_NE, NULL);
228 smartlist_add(policy5, p);
229 p = router_parse_addr_policy_item_from_string("reject 127.0.0.0/8:*", -1,
230 &malformed_list);
231 tt_ptr_op(p, OP_NE, NULL);
232 smartlist_add(policy5, p);
233 p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*",
234 -1, &malformed_list);
235 tt_ptr_op(p, OP_NE, NULL);
236 smartlist_add(policy5, p);
237 p = router_parse_addr_policy_item_from_string("reject 10.0.0.0/8:*", -1,
238 &malformed_list);
239 tt_ptr_op(p, OP_NE, NULL);
240 smartlist_add(policy5, p);
241 p = router_parse_addr_policy_item_from_string("reject 172.16.0.0/12:*", -1,
242 &malformed_list);
243 tt_ptr_op(p, OP_NE, NULL);
244 smartlist_add(policy5, p);
245 p = router_parse_addr_policy_item_from_string("reject 80.190.250.90:*", -1,
246 &malformed_list);
247 tt_ptr_op(p, OP_NE, NULL);
248 smartlist_add(policy5, p);
249 p = router_parse_addr_policy_item_from_string("reject *:1-65534", -1,
250 &malformed_list);
251 tt_ptr_op(p, OP_NE, NULL);
252 smartlist_add(policy5, p);
253 p = router_parse_addr_policy_item_from_string("reject *:65535", -1,
254 &malformed_list);
255 tt_ptr_op(p, OP_NE, NULL);
256 smartlist_add(policy5, p);
257 p = router_parse_addr_policy_item_from_string("accept *:1-65535", -1,
258 &malformed_list);
259 tt_ptr_op(p, OP_NE, NULL);
260 smartlist_add(policy5, p);
261
262 policy6 = smartlist_new();
263 p = router_parse_addr_policy_item_from_string("accept 43.3.0.0/9:*", -1,
264 &malformed_list);
265 tt_ptr_op(p, OP_NE, NULL);
266 smartlist_add(policy6, p);
267
268 policy7 = smartlist_new();
269 p = router_parse_addr_policy_item_from_string("accept 0.0.0.0/8:*", -1,
270 &malformed_list);
271 tt_ptr_op(p, OP_NE, NULL);
272 smartlist_add(policy7, p);
273
274 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy8,
275 EXIT_POLICY_IPV6_ENABLED |
276 EXIT_POLICY_REJECT_PRIVATE |
277 EXIT_POLICY_ADD_DEFAULT,
278 NULL));
279
280 tt_assert(policy8);
281
282 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy9,
283 EXIT_POLICY_REJECT_PRIVATE |
284 EXIT_POLICY_ADD_DEFAULT,
285 NULL));
286
287 tt_assert(policy9);
288
289 /* accept6 * and reject6 * produce IPv6 wildcards only */
290 policy10 = smartlist_new();
291 p = router_parse_addr_policy_item_from_string("accept6 *:*", -1,
292 &malformed_list);
293 tt_ptr_op(p, OP_NE, NULL);
294 smartlist_add(policy10, p);
295
296 policy11 = smartlist_new();
297 p = router_parse_addr_policy_item_from_string("reject6 *:*", -1,
298 &malformed_list);
299 tt_ptr_op(p, OP_NE, NULL);
300 smartlist_add(policy11, p);
301
302 tt_assert(!exit_policy_is_general_exit(policy));
303 tt_assert(exit_policy_is_general_exit(policy2));
304 tt_assert(!exit_policy_is_general_exit(NULL));
305 tt_assert(!exit_policy_is_general_exit(policy3));
306 tt_assert(!exit_policy_is_general_exit(policy4));
307 tt_assert(!exit_policy_is_general_exit(policy5));
308 tt_assert(!exit_policy_is_general_exit(policy6));
309 tt_assert(!exit_policy_is_general_exit(policy7));
310 tt_assert(exit_policy_is_general_exit(policy8));
311 tt_assert(exit_policy_is_general_exit(policy9));
312 tt_assert(!exit_policy_is_general_exit(policy10));
313 tt_assert(!exit_policy_is_general_exit(policy11));
314
315 tt_assert(!addr_policies_eq(policy, policy2));
316 tt_assert(!addr_policies_eq(policy, NULL));
317 tt_assert(addr_policies_eq(policy2, policy2));
318 tt_assert(addr_policies_eq(NULL, NULL));
319
320 tt_assert(!policy_is_reject_star(policy2, AF_INET, 1));
321 tt_assert(policy_is_reject_star(policy, AF_INET, 1));
322 tt_assert(policy_is_reject_star(policy10, AF_INET, 1));
323 tt_assert(!policy_is_reject_star(policy10, AF_INET6, 1));
324 tt_assert(policy_is_reject_star(policy11, AF_INET, 1));
325 tt_assert(policy_is_reject_star(policy11, AF_INET6, 1));
326 tt_assert(policy_is_reject_star(NULL, AF_INET, 1));
327 tt_assert(policy_is_reject_star(NULL, AF_INET6, 1));
328 tt_assert(!policy_is_reject_star(NULL, AF_INET, 0));
329 tt_assert(!policy_is_reject_star(NULL, AF_INET6, 0));
330
331 addr_policy_list_free(policy);
332 policy = NULL;
333
334 /* make sure assume_action works */
335 malformed_list = 0;
336 p = router_parse_addr_policy_item_from_string("127.0.0.1",
337 ADDR_POLICY_ACCEPT,
338 &malformed_list);
339 tt_assert(p);
340 addr_policy_free(p);
341 tt_assert(!malformed_list);
342
343 p = router_parse_addr_policy_item_from_string("127.0.0.1:*",
344 ADDR_POLICY_ACCEPT,
345 &malformed_list);
346 tt_assert(p);
347 addr_policy_free(p);
348 tt_assert(!malformed_list);
349
350 p = router_parse_addr_policy_item_from_string("[::]",
351 ADDR_POLICY_ACCEPT,
352 &malformed_list);
353 tt_assert(p);
354 addr_policy_free(p);
355 tt_assert(!malformed_list);
356
357 p = router_parse_addr_policy_item_from_string("[::]:*",
358 ADDR_POLICY_ACCEPT,
359 &malformed_list);
360 tt_assert(p);
361 addr_policy_free(p);
362 tt_assert(!malformed_list);
363
364 p = router_parse_addr_policy_item_from_string("[face::b]",
365 ADDR_POLICY_ACCEPT,
366 &malformed_list);
367 tt_assert(p);
368 addr_policy_free(p);
369 tt_assert(!malformed_list);
370
371 p = router_parse_addr_policy_item_from_string("[b::aaaa]",
372 ADDR_POLICY_ACCEPT,
373 &malformed_list);
374 tt_assert(p);
375 addr_policy_free(p);
376 tt_assert(!malformed_list);
377
378 p = router_parse_addr_policy_item_from_string("*",
379 ADDR_POLICY_ACCEPT,
380 &malformed_list);
381 tt_assert(p);
382 addr_policy_free(p);
383 tt_assert(!malformed_list);
384
385 p = router_parse_addr_policy_item_from_string("*4",
386 ADDR_POLICY_ACCEPT,
387 &malformed_list);
388 tt_assert(p);
389 addr_policy_free(p);
390 tt_assert(!malformed_list);
391
392 p = router_parse_addr_policy_item_from_string("*6",
393 ADDR_POLICY_ACCEPT,
394 &malformed_list);
395 tt_assert(p);
396 addr_policy_free(p);
397 tt_assert(!malformed_list);
398
399 /* These are all ambiguous IPv6 addresses, it's good that we reject them */
400 p = router_parse_addr_policy_item_from_string("acce::abcd",
401 ADDR_POLICY_ACCEPT,
402 &malformed_list);
403 tt_ptr_op(p, OP_EQ, NULL);
404 tt_assert(malformed_list);
405 malformed_list = 0;
406
407 p = router_parse_addr_policy_item_from_string("7:1234",
408 ADDR_POLICY_ACCEPT,
409 &malformed_list);
410 tt_ptr_op(p, OP_EQ, NULL);
411 tt_assert(malformed_list);
412 malformed_list = 0;
413
414 p = router_parse_addr_policy_item_from_string("::",
415 ADDR_POLICY_ACCEPT,
416 &malformed_list);
417 tt_ptr_op(p, OP_EQ, NULL);
418 tt_assert(malformed_list);
419 malformed_list = 0;
420
421 /* make sure compacting logic works. */
422 policy = NULL;
423 line.key = (char*)"foo";
424 line.value = (char*)"accept *:80,reject private:*,reject *:*";
425 line.next = NULL;
426 tt_int_op(0, OP_EQ, policies_parse_exit_policy(&line,&policy,
427 EXIT_POLICY_IPV6_ENABLED |
428 EXIT_POLICY_ADD_DEFAULT, NULL));
429 tt_assert(policy);
430
431 //test_streq(policy->string, "accept *:80");
432 //test_streq(policy->next->string, "reject *:*");
433 tt_int_op(smartlist_len(policy),OP_EQ, 4);
434
435 /* test policy summaries */
436 /* check if we properly ignore private IP addresses */
437 test_policy_summary_helper("reject 192.168.0.0/16:*,"
438 "reject 0.0.0.0/8:*,"
439 "reject 10.0.0.0/8:*,"
440 "accept *:10-30,"
441 "accept *:90,"
442 "reject *:*",
443 "accept 10-30,90");
444 /* check all accept policies, and proper counting of rejects */
445 test_policy_summary_helper("reject 11.0.0.0/9:80,"
446 "reject 12.0.0.0/9:80,"
447 "reject 13.0.0.0/9:80,"
448 "reject 14.0.0.0/9:80,"
449 "accept *:*", "accept 1-65535");
450 test_policy_summary_helper("reject 11.0.0.0/9:80,"
451 "reject 12.0.0.0/9:80,"
452 "reject 13.0.0.0/9:80,"
453 "reject 14.0.0.0/9:80,"
454 "reject 15.0.0.0:81,"
455 "accept *:*", "accept 1-65535");
456 test_policy_summary_helper6("reject 11.0.0.0/9:80,"
457 "reject 12.0.0.0/9:80,"
458 "reject 13.0.0.0/9:80,"
459 "reject 14.0.0.0/9:80,"
460 "reject 15.0.0.0:80,"
461 "accept *:*",
462 "reject 80",
463 "accept 1-65535");
464 /* no exits */
465 test_policy_summary_helper("accept 11.0.0.0/9:80,"
466 "reject *:*",
467 "reject 1-65535");
468 /* port merging */
469 test_policy_summary_helper("accept *:80,"
470 "accept *:81,"
471 "accept *:100-110,"
472 "accept *:111,"
473 "reject *:*",
474 "accept 80-81,100-111");
475 /* border ports */
476 test_policy_summary_helper("accept *:1,"
477 "accept *:3,"
478 "accept *:65535,"
479 "reject *:*",
480 "accept 1,3,65535");
481 /* holes */
482 test_policy_summary_helper("accept *:1,"
483 "accept *:3,"
484 "accept *:5,"
485 "accept *:7,"
486 "reject *:*",
487 "accept 1,3,5,7");
488 test_policy_summary_helper("reject *:1,"
489 "reject *:3,"
490 "reject *:5,"
491 "reject *:7,"
492 "accept *:*",
493 "reject 1,3,5,7");
494 /* long policies */
495 /* standard long policy on many exits */
496 test_policy_summary_helper("accept *:20-23,"
497 "accept *:43,"
498 "accept *:53,"
499 "accept *:79-81,"
500 "accept *:88,"
501 "accept *:110,"
502 "accept *:143,"
503 "accept *:194,"
504 "accept *:220,"
505 "accept *:389,"
506 "accept *:443,"
507 "accept *:464,"
508 "accept *:531,"
509 "accept *:543-544,"
510 "accept *:554,"
511 "accept *:563,"
512 "accept *:636,"
513 "accept *:706,"
514 "accept *:749,"
515 "accept *:873,"
516 "accept *:902-904,"
517 "accept *:981,"
518 "accept *:989-995,"
519 "accept *:1194,"
520 "accept *:1220,"
521 "accept *:1293,"
522 "accept *:1500,"
523 "accept *:1533,"
524 "accept *:1677,"
525 "accept *:1723,"
526 "accept *:1755,"
527 "accept *:1863,"
528 "accept *:2082,"
529 "accept *:2083,"
530 "accept *:2086-2087,"
531 "accept *:2095-2096,"
532 "accept *:2102-2104,"
533 "accept *:3128,"
534 "accept *:3389,"
535 "accept *:3690,"
536 "accept *:4321,"
537 "accept *:4643,"
538 "accept *:5050,"
539 "accept *:5190,"
540 "accept *:5222-5223,"
541 "accept *:5228,"
542 "accept *:5900,"
543 "accept *:6660-6669,"
544 "accept *:6679,"
545 "accept *:6697,"
546 "accept *:8000,"
547 "accept *:8008,"
548 "accept *:8074,"
549 "accept *:8080,"
550 "accept *:8087-8088,"
551 "accept *:8332-8333,"
552 "accept *:8443,"
553 "accept *:8888,"
554 "accept *:9418,"
555 "accept *:9999,"
556 "accept *:10000,"
557 "accept *:11371,"
558 "accept *:12350,"
559 "accept *:19294,"
560 "accept *:19638,"
561 "accept *:23456,"
562 "accept *:33033,"
563 "accept *:64738,"
564 "reject *:*",
565 "accept 20-23,43,53,79-81,88,110,143,194,220,389,"
566 "443,464,531,543-544,554,563,636,706,749,873,"
567 "902-904,981,989-995,1194,1220,1293,1500,1533,"
568 "1677,1723,1755,1863,2082-2083,2086-2087,"
569 "2095-2096,2102-2104,3128,3389,3690,4321,4643,"
570 "5050,5190,5222-5223,5228,5900,6660-6669,6679,"
571 "6697,8000,8008,8074,8080,8087-8088,8332-8333,"
572 "8443,8888,9418,9999-10000,11371,12350,19294,"
573 "19638,23456,33033,64738");
574 /* short policy with configured addresses */
575 test_policy_summary_helper("reject 149.56.1.1:*,"
576 "reject [2607:5300:1:1::1:0]:*,"
577 "accept *:80,"
578 "accept *:443,"
579 "reject *:*",
580 "accept 80,443");
581 /* short policy with configured and local interface addresses */
582 test_policy_summary_helper("reject 149.56.1.0:*,"
583 "reject 149.56.1.1:*,"
584 "reject 149.56.1.2:*,"
585 "reject 149.56.1.3:*,"
586 "reject 149.56.1.4:*,"
587 "reject 149.56.1.5:*,"
588 "reject 149.56.1.6:*,"
589 "reject 149.56.1.7:*,"
590 "reject [2607:5300:1:1::1:0]:*,"
591 "reject [2607:5300:1:1::1:1]:*,"
592 "reject [2607:5300:1:1::1:2]:*,"
593 "reject [2607:5300:1:1::1:3]:*,"
594 "reject [2607:5300:1:1::2:0]:*,"
595 "reject [2607:5300:1:1::2:1]:*,"
596 "reject [2607:5300:1:1::2:2]:*,"
597 "reject [2607:5300:1:1::2:3]:*,"
598 "accept *:80,"
599 "accept *:443,"
600 "reject *:*",
601 "accept 80,443");
602 /* short policy with configured netblocks */
603 test_policy_summary_helper("reject 149.56.0.0/16,"
604 "reject6 2607:5300::/32,"
605 "reject6 2608:5300::/64,"
606 "reject6 2609:5300::/96,"
607 "accept *:80,"
608 "accept *:443,"
609 "reject *:*",
610 "accept 80,443");
611 /* short policy with large netblocks that do not count as a rejection */
612 test_policy_summary_helper("reject 148.0.0.0/7,"
613 "reject6 2600::/16,"
614 "accept *:80,"
615 "accept *:443,"
616 "reject *:*",
617 "accept 80,443");
618 /* short policy with large netblocks that count as a rejection */
619 test_policy_summary_helper("reject 148.0.0.0/6,"
620 "reject6 2600::/15,"
621 "accept *:80,"
622 "accept *:443,"
623 "reject *:*",
624 "reject 1-65535");
625 /* short policy with huge netblocks that count as a rejection */
626 test_policy_summary_helper("reject 128.0.0.0/1,"
627 "reject6 8000::/1,"
628 "accept *:80,"
629 "accept *:443,"
630 "reject *:*",
631 "reject 1-65535");
632 /* short policy which blocks everything using netblocks */
633 test_policy_summary_helper("reject 0.0.0.0/0,"
634 "reject6 ::/0,"
635 "accept *:80,"
636 "accept *:443,"
637 "reject *:*",
638 "reject 1-65535");
639 /* short policy which has repeated redundant netblocks */
640 test_policy_summary_helper("reject 0.0.0.0/0,"
641 "reject 0.0.0.0/0,"
642 "reject 0.0.0.0/0,"
643 "reject 0.0.0.0/0,"
644 "reject 0.0.0.0/0,"
645 "reject6 ::/0,"
646 "reject6 ::/0,"
647 "reject6 ::/0,"
648 "reject6 ::/0,"
649 "reject6 ::/0,"
650 "accept *:80,"
651 "accept *:443,"
652 "reject *:*",
653 "reject 1-65535");
654
655 /* longest possible policy
656 * (1-2,4-5,... is longer, but gets reduced to 3,6,... )
657 * Going all the way to 65535 is incredibly slow, so we just go slightly
658 * more than the expected length */
659 test_policy_summary_helper("accept *:1,"
660 "accept *:3,"
661 "accept *:5,"
662 "accept *:7,"
663 "accept *:9,"
664 "accept *:11,"
665 "accept *:13,"
666 "accept *:15,"
667 "accept *:17,"
668 "accept *:19,"
669 "accept *:21,"
670 "accept *:23,"
671 "accept *:25,"
672 "accept *:27,"
673 "accept *:29,"
674 "accept *:31,"
675 "accept *:33,"
676 "accept *:35,"
677 "accept *:37,"
678 "accept *:39,"
679 "accept *:41,"
680 "accept *:43,"
681 "accept *:45,"
682 "accept *:47,"
683 "accept *:49,"
684 "accept *:51,"
685 "accept *:53,"
686 "accept *:55,"
687 "accept *:57,"
688 "accept *:59,"
689 "accept *:61,"
690 "accept *:63,"
691 "accept *:65,"
692 "accept *:67,"
693 "accept *:69,"
694 "accept *:71,"
695 "accept *:73,"
696 "accept *:75,"
697 "accept *:77,"
698 "accept *:79,"
699 "accept *:81,"
700 "accept *:83,"
701 "accept *:85,"
702 "accept *:87,"
703 "accept *:89,"
704 "accept *:91,"
705 "accept *:93,"
706 "accept *:95,"
707 "accept *:97,"
708 "accept *:99,"
709 "accept *:101,"
710 "accept *:103,"
711 "accept *:105,"
712 "accept *:107,"
713 "accept *:109,"
714 "accept *:111,"
715 "accept *:113,"
716 "accept *:115,"
717 "accept *:117,"
718 "accept *:119,"
719 "accept *:121,"
720 "accept *:123,"
721 "accept *:125,"
722 "accept *:127,"
723 "accept *:129,"
724 "accept *:131,"
725 "accept *:133,"
726 "accept *:135,"
727 "accept *:137,"
728 "accept *:139,"
729 "accept *:141,"
730 "accept *:143,"
731 "accept *:145,"
732 "accept *:147,"
733 "accept *:149,"
734 "accept *:151,"
735 "accept *:153,"
736 "accept *:155,"
737 "accept *:157,"
738 "accept *:159,"
739 "accept *:161,"
740 "accept *:163,"
741 "accept *:165,"
742 "accept *:167,"
743 "accept *:169,"
744 "accept *:171,"
745 "accept *:173,"
746 "accept *:175,"
747 "accept *:177,"
748 "accept *:179,"
749 "accept *:181,"
750 "accept *:183,"
751 "accept *:185,"
752 "accept *:187,"
753 "accept *:189,"
754 "accept *:191,"
755 "accept *:193,"
756 "accept *:195,"
757 "accept *:197,"
758 "accept *:199,"
759 "accept *:201,"
760 "accept *:203,"
761 "accept *:205,"
762 "accept *:207,"
763 "accept *:209,"
764 "accept *:211,"
765 "accept *:213,"
766 "accept *:215,"
767 "accept *:217,"
768 "accept *:219,"
769 "accept *:221,"
770 "accept *:223,"
771 "accept *:225,"
772 "accept *:227,"
773 "accept *:229,"
774 "accept *:231,"
775 "accept *:233,"
776 "accept *:235,"
777 "accept *:237,"
778 "accept *:239,"
779 "accept *:241,"
780 "accept *:243,"
781 "accept *:245,"
782 "accept *:247,"
783 "accept *:249,"
784 "accept *:251,"
785 "accept *:253,"
786 "accept *:255,"
787 "accept *:257,"
788 "accept *:259,"
789 "accept *:261,"
790 "accept *:263,"
791 "accept *:265,"
792 "accept *:267,"
793 "accept *:269,"
794 "accept *:271,"
795 "accept *:273,"
796 "accept *:275,"
797 "accept *:277,"
798 "accept *:279,"
799 "accept *:281,"
800 "accept *:283,"
801 "accept *:285,"
802 "accept *:287,"
803 "accept *:289,"
804 "accept *:291,"
805 "accept *:293,"
806 "accept *:295,"
807 "accept *:297,"
808 "accept *:299,"
809 "accept *:301,"
810 "accept *:303,"
811 "accept *:305,"
812 "accept *:307,"
813 "accept *:309,"
814 "accept *:311,"
815 "accept *:313,"
816 "accept *:315,"
817 "accept *:317,"
818 "accept *:319,"
819 "accept *:321,"
820 "accept *:323,"
821 "accept *:325,"
822 "accept *:327,"
823 "accept *:329,"
824 "accept *:331,"
825 "accept *:333,"
826 "accept *:335,"
827 "accept *:337,"
828 "accept *:339,"
829 "accept *:341,"
830 "accept *:343,"
831 "accept *:345,"
832 "accept *:347,"
833 "accept *:349,"
834 "accept *:351,"
835 "accept *:353,"
836 "accept *:355,"
837 "accept *:357,"
838 "accept *:359,"
839 "accept *:361,"
840 "accept *:363,"
841 "accept *:365,"
842 "accept *:367,"
843 "accept *:369,"
844 "accept *:371,"
845 "accept *:373,"
846 "accept *:375,"
847 "accept *:377,"
848 "accept *:379,"
849 "accept *:381,"
850 "accept *:383,"
851 "accept *:385,"
852 "accept *:387,"
853 "accept *:389,"
854 "accept *:391,"
855 "accept *:393,"
856 "accept *:395,"
857 "accept *:397,"
858 "accept *:399,"
859 "accept *:401,"
860 "accept *:403,"
861 "accept *:405,"
862 "accept *:407,"
863 "accept *:409,"
864 "accept *:411,"
865 "accept *:413,"
866 "accept *:415,"
867 "accept *:417,"
868 "accept *:419,"
869 "accept *:421,"
870 "accept *:423,"
871 "accept *:425,"
872 "accept *:427,"
873 "accept *:429,"
874 "accept *:431,"
875 "accept *:433,"
876 "accept *:435,"
877 "accept *:437,"
878 "accept *:439,"
879 "accept *:441,"
880 "accept *:443,"
881 "accept *:445,"
882 "accept *:447,"
883 "accept *:449,"
884 "accept *:451,"
885 "accept *:453,"
886 "accept *:455,"
887 "accept *:457,"
888 "accept *:459,"
889 "accept *:461,"
890 "accept *:463,"
891 "accept *:465,"
892 "accept *:467,"
893 "accept *:469,"
894 "accept *:471,"
895 "accept *:473,"
896 "accept *:475,"
897 "accept *:477,"
898 "accept *:479,"
899 "accept *:481,"
900 "accept *:483,"
901 "accept *:485,"
902 "accept *:487,"
903 "accept *:489,"
904 "accept *:491,"
905 "accept *:493,"
906 "accept *:495,"
907 "accept *:497,"
908 "accept *:499,"
909 "accept *:501,"
910 "accept *:503,"
911 "accept *:505,"
912 "accept *:507,"
913 "accept *:509,"
914 "accept *:511,"
915 "accept *:513,"
916 "accept *:515,"
917 "accept *:517,"
918 "accept *:519,"
919 "accept *:521,"
920 "accept *:523,"
921 "accept *:525,"
922 "accept *:527,"
923 "accept *:529,"
924 "reject *:*",
925 "accept 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,"
926 "31,33,35,37,39,41,43,45,47,49,51,53,55,57,59,61,"
927 "63,65,67,69,71,73,75,77,79,81,83,85,87,89,91,93,"
928 "95,97,99,101,103,105,107,109,111,113,115,117,"
929 "119,121,123,125,127,129,131,133,135,137,139,141,"
930 "143,145,147,149,151,153,155,157,159,161,163,165,"
931 "167,169,171,173,175,177,179,181,183,185,187,189,"
932 "191,193,195,197,199,201,203,205,207,209,211,213,"
933 "215,217,219,221,223,225,227,229,231,233,235,237,"
934 "239,241,243,245,247,249,251,253,255,257,259,261,"
935 "263,265,267,269,271,273,275,277,279,281,283,285,"
936 "287,289,291,293,295,297,299,301,303,305,307,309,"
937 "311,313,315,317,319,321,323,325,327,329,331,333,"
938 "335,337,339,341,343,345,347,349,351,353,355,357,"
939 "359,361,363,365,367,369,371,373,375,377,379,381,"
940 "383,385,387,389,391,393,395,397,399,401,403,405,"
941 "407,409,411,413,415,417,419,421,423,425,427,429,"
942 "431,433,435,437,439,441,443,445,447,449,451,453,"
943 "455,457,459,461,463,465,467,469,471,473,475,477,"
944 "479,481,483,485,487,489,491,493,495,497,499,501,"
945 "503,505,507,509,511,513,515,517,519,521,523");
946
947 /* Short policies with unrecognized formats should get accepted. */
948 test_short_policy_parse("accept fred,2,3-5", "accept 2,3-5");
949 test_short_policy_parse("accept 2,fred,3", "accept 2,3");
950 test_short_policy_parse("accept 2,fred,3,bob", "accept 2,3");
951 test_short_policy_parse("accept 2,-3,500-600", "accept 2,500-600");
952 /* Short policies with nil entries are accepted too. */
953 test_short_policy_parse("accept 1,,3", "accept 1,3");
954 test_short_policy_parse("accept 100-200,,", "accept 100-200");
955 test_short_policy_parse("reject ,1-10,,,,30-40", "reject 1-10,30-40");
956
957 /* Try parsing various broken short policies */
958 #define TT_BAD_SHORT_POLICY(s) \
959 do { \
960 tt_ptr_op(NULL, OP_EQ, (short_parsed = parse_short_policy((s)))); \
961 } while (0)
962 TT_BAD_SHORT_POLICY("accept 200-199");
963 TT_BAD_SHORT_POLICY("");
964 TT_BAD_SHORT_POLICY("rejekt 1,2,3");
965 TT_BAD_SHORT_POLICY("reject ");
966 TT_BAD_SHORT_POLICY("reject");
967 TT_BAD_SHORT_POLICY("rej");
968 TT_BAD_SHORT_POLICY("accept 2,3,100000");
969 TT_BAD_SHORT_POLICY("accept 2,3x,4");
970 TT_BAD_SHORT_POLICY("accept 2,3x,4");
971 TT_BAD_SHORT_POLICY("accept 2-");
972 TT_BAD_SHORT_POLICY("accept 2-x");
973 TT_BAD_SHORT_POLICY("accept 1-,3");
974 TT_BAD_SHORT_POLICY("accept 1-,3");
975
976 /* Make sure that IPv4 addresses are ignored in accept6/reject6 lines. */
977 p = router_parse_addr_policy_item_from_string("accept6 1.2.3.4:*", -1,
978 &malformed_list);
979 tt_ptr_op(p, OP_EQ, NULL);
980 tt_assert(!malformed_list);
981
982 p = router_parse_addr_policy_item_from_string("reject6 2.4.6.0/24:*", -1,
983 &malformed_list);
984 tt_ptr_op(p, OP_EQ, NULL);
985 tt_assert(!malformed_list);
986
987 p = router_parse_addr_policy_item_from_string("accept6 *4:*", -1,
988 &malformed_list);
989 tt_ptr_op(p, OP_EQ, NULL);
990 tt_assert(!malformed_list);
991
992 /* Make sure malformed policies are detected as such. */
993 p = router_parse_addr_policy_item_from_string("bad_token *4:*", -1,
994 &malformed_list);
995 tt_ptr_op(p, OP_EQ, NULL);
996 tt_assert(malformed_list);
997
998 p = router_parse_addr_policy_item_from_string("accept6 **:*", -1,
999 &malformed_list);
1000 tt_ptr_op(p, OP_EQ, NULL);
1001 tt_assert(malformed_list);
1002
1003 p = router_parse_addr_policy_item_from_string("accept */15:*", -1,
1004 &malformed_list);
1005 tt_ptr_op(p, OP_EQ, NULL);
1006 tt_assert(malformed_list);
1007
1008 p = router_parse_addr_policy_item_from_string("reject6 */:*", -1,
1009 &malformed_list);
1010 tt_ptr_op(p, OP_EQ, NULL);
1011 tt_assert(malformed_list);
1012
1013 p = router_parse_addr_policy_item_from_string("accept 127.0.0.1/33:*", -1,
1014 &malformed_list);
1015 tt_ptr_op(p, OP_EQ, NULL);
1016 tt_assert(malformed_list);
1017
1018 p = router_parse_addr_policy_item_from_string("accept6 [::1]/129:*", -1,
1019 &malformed_list);
1020 tt_ptr_op(p, OP_EQ, NULL);
1021 tt_assert(malformed_list);
1022
1023 p = router_parse_addr_policy_item_from_string("reject 8.8.8.8/-1:*", -1,
1024 &malformed_list);
1025 tt_ptr_op(p, OP_EQ, NULL);
1026 tt_assert(malformed_list);
1027
1028 p = router_parse_addr_policy_item_from_string("reject 8.8.4.4:10-5", -1,
1029 &malformed_list);
1030 tt_ptr_op(p, OP_EQ, NULL);
1031 tt_assert(malformed_list);
1032
1033 p = router_parse_addr_policy_item_from_string("reject 1.2.3.4:-1", -1,
1034 &malformed_list);
1035 tt_ptr_op(p, OP_EQ, NULL);
1036 tt_assert(malformed_list);
1037
1038 /* Test a too-long policy. */
1039 {
1040 char *policy_strng = NULL;
1041 smartlist_t *chunks = smartlist_new();
1042 smartlist_add_strdup(chunks, "accept ");
1043 for (i=1; i<10000; ++i)
1044 smartlist_add_asprintf(chunks, "%d,", i);
1045 smartlist_add_strdup(chunks, "20000");
1046 policy_strng = smartlist_join_strings(chunks, "", 0, NULL);
1047 SMARTLIST_FOREACH(chunks, char *, ch, tor_free(ch));
1048 smartlist_free(chunks);
1049 short_parsed = parse_short_policy(policy_strng);/* shouldn't be accepted */
1050 tor_free(policy_strng);
1051 tt_ptr_op(NULL, OP_EQ, short_parsed);
1052 }
1053
1054 /* truncation ports */
1055 sm = smartlist_new();
1056 for (i=1; i<2000; i+=2) {
1057 char buf[POLICY_BUF_LEN];
1058 tor_snprintf(buf, sizeof(buf), "reject *:%d", i);
1059 smartlist_add_strdup(sm, buf);
1060 }
1061 smartlist_add_strdup(sm, "accept *:*");
1062 policy_str = smartlist_join_strings(sm, ",", 0, NULL);
1063 test_policy_summary_helper( policy_str,
1064 "accept 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,"
1065 "46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78,80,82,84,86,88,90,"
1066 "92,94,96,98,100,102,104,106,108,110,112,114,116,118,120,122,124,126,128,"
1067 "130,132,134,136,138,140,142,144,146,148,150,152,154,156,158,160,162,164,"
1068 "166,168,170,172,174,176,178,180,182,184,186,188,190,192,194,196,198,200,"
1069 "202,204,206,208,210,212,214,216,218,220,222,224,226,228,230,232,234,236,"
1070 "238,240,242,244,246,248,250,252,254,256,258,260,262,264,266,268,270,272,"
1071 "274,276,278,280,282,284,286,288,290,292,294,296,298,300,302,304,306,308,"
1072 "310,312,314,316,318,320,322,324,326,328,330,332,334,336,338,340,342,344,"
1073 "346,348,350,352,354,356,358,360,362,364,366,368,370,372,374,376,378,380,"
1074 "382,384,386,388,390,392,394,396,398,400,402,404,406,408,410,412,414,416,"
1075 "418,420,422,424,426,428,430,432,434,436,438,440,442,444,446,448,450,452,"
1076 "454,456,458,460,462,464,466,468,470,472,474,476,478,480,482,484,486,488,"
1077 "490,492,494,496,498,500,502,504,506,508,510,512,514,516,518,520,522");
1078
1079 done:
1080 addr_policy_list_free(policy);
1081 addr_policy_list_free(policy2);
1082 addr_policy_list_free(policy3);
1083 addr_policy_list_free(policy4);
1084 addr_policy_list_free(policy5);
1085 addr_policy_list_free(policy6);
1086 addr_policy_list_free(policy7);
1087 addr_policy_list_free(policy8);
1088 addr_policy_list_free(policy9);
1089 addr_policy_list_free(policy10);
1090 addr_policy_list_free(policy11);
1091 addr_policy_list_free(policy12);
1092 tor_free(policy_str);
1093 if (sm) {
1094 SMARTLIST_FOREACH(sm, char *, s, tor_free(s));
1095 smartlist_free(sm);
1096 }
1097 short_policy_free(short_parsed);
1098 }
1099
1100 /** Helper: Check that policy_list contains address */
1101 static int
1102 test_policy_has_address_helper(const smartlist_t *policy_list,
1103 const tor_addr_t *addr)
1104 {
1105 int found = 0;
1106
1107 tt_assert(policy_list);
1108 tt_assert(addr);
1109
1110 SMARTLIST_FOREACH_BEGIN(policy_list, addr_policy_t*, p) {
1111 if (tor_addr_eq(&p->addr, addr)) {
1112 found = 1;
1113 }
1114 } SMARTLIST_FOREACH_END(p);
1115
1116 return found;
1117
1118 done:
1119 return 0;
1120 }
1121
1122 #define TEST_IPV4_ADDR (0x01020304)
1123 #define TEST_IPV6_ADDR ("2002::abcd")
1124
1125 /** Run unit tests for rejecting the configured addresses on this exit relay
1126 * using policies_parse_exit_policy_reject_private */
1127 static void
1128 test_policies_reject_exit_address(void *arg)
1129 {
1130 smartlist_t *policy = NULL;
1131 tor_addr_t ipv4_addr, ipv6_addr;
1132 smartlist_t *ipv4_list, *ipv6_list, *both_list, *dupl_list;
1133 (void)arg;
1134
1135 tor_addr_from_ipv4h(&ipv4_addr, TEST_IPV4_ADDR);
1136 tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR);
1137
1138 ipv4_list = smartlist_new();
1139 ipv6_list = smartlist_new();
1140 both_list = smartlist_new();
1141 dupl_list = smartlist_new();
1142
1143 smartlist_add(ipv4_list, &ipv4_addr);
1144 smartlist_add(both_list, &ipv4_addr);
1145 smartlist_add(dupl_list, &ipv4_addr);
1146 smartlist_add(dupl_list, &ipv4_addr);
1147 smartlist_add(dupl_list, &ipv4_addr);
1148
1149 smartlist_add(ipv6_list, &ipv6_addr);
1150 smartlist_add(both_list, &ipv6_addr);
1151 smartlist_add(dupl_list, &ipv6_addr);
1152 smartlist_add(dupl_list, &ipv6_addr);
1153
1154 /* IPv4-Only Exits */
1155
1156 /* test that IPv4 addresses are rejected on an IPv4-only exit */
1157 policies_parse_exit_policy_reject_private(&policy, 0, ipv4_list, 0, 0);
1158 tt_assert(policy);
1159 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1160 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1161 addr_policy_list_free(policy);
1162 policy = NULL;
1163
1164 /* test that IPv6 addresses are NOT rejected on an IPv4-only exit
1165 * (all IPv6 addresses are rejected by policies_parse_exit_policy_internal
1166 * on IPv4-only exits, so policies_parse_exit_policy_reject_private doesn't
1167 * need to do anything) */
1168 policies_parse_exit_policy_reject_private(&policy, 0, ipv6_list, 0, 0);
1169 tt_ptr_op(policy, OP_EQ, NULL);
1170
1171 /* test that only IPv4 addresses are rejected on an IPv4-only exit */
1172 policies_parse_exit_policy_reject_private(&policy, 0, both_list, 0, 0);
1173 tt_assert(policy);
1174 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1175 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1176 addr_policy_list_free(policy);
1177 policy = NULL;
1178
1179 /* Test that lists with duplicate entries produce the same results */
1180 policies_parse_exit_policy_reject_private(&policy, 0, dupl_list, 0, 0);
1181 tt_assert(policy);
1182 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1183 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1184 addr_policy_list_free(policy);
1185 policy = NULL;
1186
1187 /* IPv4/IPv6 Exits */
1188
1189 /* test that IPv4 addresses are rejected on an IPv4/IPv6 exit */
1190 policies_parse_exit_policy_reject_private(&policy, 1, ipv4_list, 0, 0);
1191 tt_assert(policy);
1192 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1193 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1194 addr_policy_list_free(policy);
1195 policy = NULL;
1196
1197 /* test that IPv6 addresses are rejected on an IPv4/IPv6 exit */
1198 policies_parse_exit_policy_reject_private(&policy, 1, ipv6_list, 0, 0);
1199 tt_assert(policy);
1200 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1201 tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
1202 addr_policy_list_free(policy);
1203 policy = NULL;
1204
1205 /* test that IPv4 and IPv6 addresses are rejected on an IPv4/IPv6 exit */
1206 policies_parse_exit_policy_reject_private(&policy, 1, both_list, 0, 0);
1207 tt_assert(policy);
1208 tt_int_op(smartlist_len(policy), OP_EQ, 2);
1209 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1210 tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
1211 addr_policy_list_free(policy);
1212 policy = NULL;
1213
1214 /* Test that lists with duplicate entries produce the same results */
1215 policies_parse_exit_policy_reject_private(&policy, 1, dupl_list, 0, 0);
1216 tt_assert(policy);
1217 tt_int_op(smartlist_len(policy), OP_EQ, 2);
1218 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1219 tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
1220 addr_policy_list_free(policy);
1221 policy = NULL;
1222
1223 done:
1224 addr_policy_list_free(policy);
1225 smartlist_free(ipv4_list);
1226 smartlist_free(ipv6_list);
1227 smartlist_free(both_list);
1228 smartlist_free(dupl_list);
1229 }
1230
1231 static smartlist_t *test_configured_ports = NULL;
1232
1233 /** Returns test_configured_ports */
1234 static const smartlist_t *
1235 mock_get_configured_ports(void)
1236 {
1237 return test_configured_ports;
1238 }
1239
1240 /** Run unit tests for rejecting publicly routable configured port addresses
1241 * on this exit relay using policies_parse_exit_policy_reject_private */
1242 static void
1243 test_policies_reject_port_address(void *arg)
1244 {
1245 smartlist_t *policy = NULL;
1246 port_cfg_t *ipv4_port = NULL;
1247 port_cfg_t *ipv6_port = NULL;
1248 (void)arg;
1249
1250 test_configured_ports = smartlist_new();
1251
1252 ipv4_port = port_cfg_new(0);
1253 tor_addr_from_ipv4h(&ipv4_port->addr, TEST_IPV4_ADDR);
1254 smartlist_add(test_configured_ports, ipv4_port);
1255
1256 ipv6_port = port_cfg_new(0);
1257 tor_addr_parse(&ipv6_port->addr, TEST_IPV6_ADDR);
1258 smartlist_add(test_configured_ports, ipv6_port);
1259
1260 MOCK(get_configured_ports, mock_get_configured_ports);
1261
1262 /* test that an IPv4 port is rejected on an IPv4-only exit, but an IPv6 port
1263 * is NOT rejected (all IPv6 addresses are rejected by
1264 * policies_parse_exit_policy_internal on IPv4-only exits, so
1265 * policies_parse_exit_policy_reject_private doesn't need to do anything
1266 * with IPv6 addresses on IPv4-only exits) */
1267 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 1);
1268 tt_assert(policy);
1269 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1270 tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr));
1271 addr_policy_list_free(policy);
1272 policy = NULL;
1273
1274 /* test that IPv4 and IPv6 ports are rejected on an IPv4/IPv6 exit */
1275 policies_parse_exit_policy_reject_private(&policy, 1, NULL, 0, 1);
1276 tt_assert(policy);
1277 tt_int_op(smartlist_len(policy), OP_EQ, 2);
1278 tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr));
1279 tt_assert(test_policy_has_address_helper(policy, &ipv6_port->addr));
1280 addr_policy_list_free(policy);
1281 policy = NULL;
1282
1283 done:
1284 addr_policy_list_free(policy);
1285 if (test_configured_ports) {
1286 SMARTLIST_FOREACH(test_configured_ports,
1287 port_cfg_t *, p, port_cfg_free(p));
1288 smartlist_free(test_configured_ports);
1289 test_configured_ports = NULL;
1290 }
1291 UNMOCK(get_configured_ports);
1292 }
1293
1294 static smartlist_t *mock_ipv4_addrs = NULL;
1295 static smartlist_t *mock_ipv6_addrs = NULL;
1296
1297 /* mock get_interface_address6_list, returning a deep copy of the template
1298 * address list ipv4_interface_address_list or ipv6_interface_address_list */
1299 static smartlist_t *
1300 mock_get_interface_address6_list(int severity,
1301 sa_family_t family,
1302 int include_internal)
1303 {
1304 (void)severity;
1305 (void)include_internal;
1306 smartlist_t *clone_list = smartlist_new();
1307 smartlist_t *template_list = NULL;
1308
1309 if (family == AF_INET) {
1310 template_list = mock_ipv4_addrs;
1311 } else if (family == AF_INET6) {
1312 template_list = mock_ipv6_addrs;
1313 } else {
1314 return NULL;
1315 }
1316
1317 tt_assert(template_list);
1318
1319 SMARTLIST_FOREACH_BEGIN(template_list, tor_addr_t *, src_addr) {
1320 tor_addr_t *dest_addr = tor_malloc(sizeof(tor_addr_t));
1321 memset(dest_addr, 0, sizeof(*dest_addr));
1322 tor_addr_copy_tight(dest_addr, src_addr);
1323 smartlist_add(clone_list, dest_addr);
1324 } SMARTLIST_FOREACH_END(src_addr);
1325
1326 return clone_list;
1327
1328 done:
1329 interface_address6_list_free(clone_list);
1330 return NULL;
1331 }
1332
1333 /** Run unit tests for rejecting publicly routable interface addresses on this
1334 * exit relay using policies_parse_exit_policy_reject_private */
1335 static void
1336 test_policies_reject_interface_address(void *arg)
1337 {
1338 smartlist_t *policy = NULL;
1339 smartlist_t *public_ipv4_addrs =
1340 get_interface_address6_list(LOG_INFO, AF_INET, 0);
1341 smartlist_t *public_ipv6_addrs =
1342 get_interface_address6_list(LOG_INFO, AF_INET6, 0);
1343 tor_addr_t ipv4_addr, ipv6_addr;
1344 (void)arg;
1345
1346 /* test that no addresses are rejected when none are supplied/requested */
1347 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 0);
1348 tt_ptr_op(policy, OP_EQ, NULL);
1349
1350 /* test that only IPv4 interface addresses are rejected on an IPv4-only exit
1351 * (and allow for duplicates)
1352 */
1353 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 1, 0);
1354 if (policy) {
1355 tt_assert(smartlist_len(policy) <= smartlist_len(public_ipv4_addrs));
1356 addr_policy_list_free(policy);
1357 policy = NULL;
1358 }
1359
1360 /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
1361 * exit (and allow for duplicates) */
1362 policies_parse_exit_policy_reject_private(&policy, 1, NULL, 1, 0);
1363 if (policy) {
1364 tt_assert(smartlist_len(policy) <= (smartlist_len(public_ipv4_addrs)
1365 + smartlist_len(public_ipv6_addrs)));
1366 addr_policy_list_free(policy);
1367 policy = NULL;
1368 }
1369
1370 /* Now do it all again, but mocked */
1371 tor_addr_from_ipv4h(&ipv4_addr, TEST_IPV4_ADDR);
1372 mock_ipv4_addrs = smartlist_new();
1373 smartlist_add(mock_ipv4_addrs, (void *)&ipv4_addr);
1374
1375 tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR);
1376 mock_ipv6_addrs = smartlist_new();
1377 smartlist_add(mock_ipv6_addrs, (void *)&ipv6_addr);
1378
1379 MOCK(get_interface_address6_list, mock_get_interface_address6_list);
1380
1381 /* test that no addresses are rejected when none are supplied/requested */
1382 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 0);
1383 tt_ptr_op(policy, OP_EQ, NULL);
1384
1385 /* test that only IPv4 interface addresses are rejected on an IPv4-only exit
1386 */
1387 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 1, 0);
1388 tt_assert(policy);
1389 tt_assert(smartlist_len(policy) == smartlist_len(mock_ipv4_addrs));
1390 addr_policy_list_free(policy);
1391 policy = NULL;
1392
1393 /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
1394 * exit */
1395 policies_parse_exit_policy_reject_private(&policy, 1, NULL, 1, 0);
1396 tt_assert(policy);
1397 tt_assert(smartlist_len(policy) == (smartlist_len(mock_ipv4_addrs)
1398 + smartlist_len(mock_ipv6_addrs)));
1399 addr_policy_list_free(policy);
1400 policy = NULL;
1401
1402 done:
1403 addr_policy_list_free(policy);
1404 interface_address6_list_free(public_ipv4_addrs);
1405 interface_address6_list_free(public_ipv6_addrs);
1406
1407 UNMOCK(get_interface_address6_list);
1408 /* we don't use interface_address6_list_free on these lists because their
1409 * address pointers are stack-based */
1410 smartlist_free(mock_ipv4_addrs);
1411 smartlist_free(mock_ipv6_addrs);
1412 }
1413
1414 #undef TEST_IPV4_ADDR
1415 #undef TEST_IPV6_ADDR
1416
1417 static void
1418 test_dump_exit_policy_to_string(void *arg)
1419 {
1420 char *ep;
1421 addr_policy_t *policy_entry;
1422 int malformed_list = -1;
1423
1424 routerinfo_t *ri = tor_malloc_zero(sizeof(routerinfo_t));
1425
1426 (void)arg;
1427
1428 ri->policy_is_reject_star = 1;
1429 ri->exit_policy = NULL; // expecting "reject *:*"
1430 ep = router_dump_exit_policy_to_string(ri,1,1);
1431
1432 tt_str_op("reject *:*",OP_EQ, ep);
1433
1434 tor_free(ep);
1435
1436 ri->exit_policy = smartlist_new();
1437 ri->policy_is_reject_star = 0;
1438
1439 policy_entry = router_parse_addr_policy_item_from_string("accept *:*", -1,
1440 &malformed_list);
1441
1442 smartlist_add(ri->exit_policy,policy_entry);
1443
1444 ep = router_dump_exit_policy_to_string(ri,1,1);
1445
1446 tt_str_op("accept *:*",OP_EQ, ep);
1447
1448 tor_free(ep);
1449
1450 policy_entry = router_parse_addr_policy_item_from_string("reject *:25", -1,
1451 &malformed_list);
1452
1453 smartlist_add(ri->exit_policy,policy_entry);
1454
1455 ep = router_dump_exit_policy_to_string(ri,1,1);
1456
1457 tt_str_op("accept *:*\nreject *:25",OP_EQ, ep);
1458
1459 tor_free(ep);
1460
1461 policy_entry =
1462 router_parse_addr_policy_item_from_string("reject 8.8.8.8:*", -1,
1463 &malformed_list);
1464
1465 smartlist_add(ri->exit_policy,policy_entry);
1466
1467 ep = router_dump_exit_policy_to_string(ri,1,1);
1468
1469 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*",OP_EQ, ep);
1470 tor_free(ep);
1471
1472 policy_entry =
1473 router_parse_addr_policy_item_from_string("reject6 [FC00::]/7:*", -1,
1474 &malformed_list);
1475
1476 smartlist_add(ri->exit_policy,policy_entry);
1477
1478 ep = router_dump_exit_policy_to_string(ri,1,1);
1479
1480 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
1481 "reject6 [fc00::]/7:*",OP_EQ, ep);
1482 tor_free(ep);
1483
1484 policy_entry =
1485 router_parse_addr_policy_item_from_string("accept6 [c000::]/3:*", -1,
1486 &malformed_list);
1487
1488 smartlist_add(ri->exit_policy,policy_entry);
1489
1490 ep = router_dump_exit_policy_to_string(ri,1,1);
1491
1492 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
1493 "reject6 [fc00::]/7:*\naccept6 [c000::]/3:*",OP_EQ, ep);
1494
1495 done:
1496
1497 if (ri->exit_policy) {
1498 SMARTLIST_FOREACH(ri->exit_policy, addr_policy_t *,
1499 entry, addr_policy_free(entry));
1500 smartlist_free(ri->exit_policy);
1501 }
1502 tor_free(ri);
1503 tor_free(ep);
1504 }
1505
1506 static routerinfo_t *mock_desc_routerinfo = NULL;
1507 static int routerinfo_err;
1508
1509 static const routerinfo_t *
1510 mock_router_get_my_routerinfo_with_err(int *err)
1511 {
1512 if (routerinfo_err) {
1513 if (err)
1514 *err = routerinfo_err;
1515
1516 return NULL;
1517 }
1518
1519 if (err)
1520 *err = 0;
1521
1522 return mock_desc_routerinfo;
1523 }
1524
1525 #define DEFAULT_POLICY_STRING "reject *:*"
1526 #define TEST_IPV4_ADDR (0x02040608)
1527 #define TEST_IPV6_ADDR ("2003::ef01")
1528
1529 static or_options_t mock_options;
1530
1531 static const or_options_t *
1532 mock_get_options(void)
1533 {
1534 return &mock_options;
1535 }
1536
1537 /** Run unit tests for generating summary lines of exit policies */
1538 static void
1539 test_policies_getinfo_helper_policies(void *arg)
1540 {
1541 (void)arg;
1542 int rv = 0;
1543 size_t ipv4_len = 0, ipv6_len = 0;
1544 char *answer = NULL;
1545 const char *errmsg = NULL;
1546 routerinfo_t mock_my_routerinfo;
1547
1548 memset(&mock_my_routerinfo, 0, sizeof(mock_my_routerinfo));
1549
1550 rv = getinfo_helper_policies(NULL, "exit-policy/default", &answer, &errmsg);
1551 tt_int_op(rv, OP_EQ, 0);
1552 tt_ptr_op(answer, OP_NE, NULL);
1553 tt_assert(strlen(answer) > 0);
1554 tor_free(answer);
1555
1556 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/default",
1557 &answer, &errmsg);
1558 tt_int_op(rv, OP_EQ, 0);
1559 tt_ptr_op(answer, OP_NE, NULL);
1560 tt_assert(strlen(answer) > 0);
1561 tor_free(answer);
1562
1563 memset(&mock_my_routerinfo, 0, sizeof(routerinfo_t));
1564 MOCK(router_get_my_routerinfo_with_err,
1565 mock_router_get_my_routerinfo_with_err);
1566 mock_my_routerinfo.exit_policy = smartlist_new();
1567 mock_desc_routerinfo = &mock_my_routerinfo;
1568
1569 memset(&mock_options, 0, sizeof(or_options_t));
1570 MOCK(get_options, mock_get_options);
1571
1572 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1573 &answer, &errmsg);
1574 tt_int_op(rv, OP_EQ, 0);
1575 tt_ptr_op(answer, OP_NE, NULL);
1576 tt_assert(strlen(answer) == 0);
1577 tor_free(answer);
1578
1579 rv = getinfo_helper_policies(NULL, "exit-policy/ipv4", &answer,
1580 &errmsg);
1581 tt_int_op(rv, OP_EQ, 0);
1582 tt_ptr_op(answer, OP_NE, NULL);
1583 ipv4_len = strlen(answer);
1584 tt_assert(ipv4_len == 0 || ipv4_len == strlen(DEFAULT_POLICY_STRING));
1585 tt_assert(ipv4_len == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
1586 tor_free(answer);
1587
1588 rv = getinfo_helper_policies(NULL, "exit-policy/ipv6", &answer,
1589 &errmsg);
1590 tt_int_op(rv, OP_EQ, 0);
1591 tt_ptr_op(answer, OP_NE, NULL);
1592 ipv6_len = strlen(answer);
1593 tt_assert(ipv6_len == 0 || ipv6_len == strlen(DEFAULT_POLICY_STRING));
1594 tt_assert(ipv6_len == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
1595 tor_free(answer);
1596
1597 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1598 &errmsg);
1599 tt_int_op(rv, OP_EQ, 0);
1600 tt_ptr_op(answer, OP_NE, NULL);
1601 /* It's either empty or it's the default */
1602 tt_assert(strlen(answer) == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
1603 tor_free(answer);
1604
1605 mock_my_routerinfo.addr = TEST_IPV4_ADDR;
1606 tor_addr_parse(&mock_my_routerinfo.ipv6_addr, TEST_IPV6_ADDR);
1607 append_exit_policy_string(&mock_my_routerinfo.exit_policy, "accept *4:*");
1608 append_exit_policy_string(&mock_my_routerinfo.exit_policy, "reject *6:*");
1609
1610 mock_options.IPv6Exit = 1;
1611 tor_addr_from_ipv4h(
1612 &mock_options.OutboundBindAddresses[OUTBOUND_ADDR_EXIT][0],
1613 TEST_IPV4_ADDR);
1614 tor_addr_parse(
1615 &mock_options.OutboundBindAddresses[OUTBOUND_ADDR_EXIT][1],
1616 TEST_IPV6_ADDR);
1617
1618 mock_options.ExitPolicyRejectPrivate = 1;
1619 mock_options.ExitPolicyRejectLocalInterfaces = 1;
1620
1621 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1622 &answer, &errmsg);
1623 tt_int_op(rv, OP_EQ, 0);
1624 tt_ptr_op(answer, OP_NE, NULL);
1625 tt_assert(strlen(answer) > 0);
1626 tor_free(answer);
1627
1628 mock_options.ExitPolicyRejectPrivate = 1;
1629 mock_options.ExitPolicyRejectLocalInterfaces = 0;
1630
1631 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1632 &answer, &errmsg);
1633 tt_int_op(rv, OP_EQ, 0);
1634 tt_ptr_op(answer, OP_NE, NULL);
1635 tt_assert(strlen(answer) > 0);
1636 tor_free(answer);
1637
1638 mock_options.ExitPolicyRejectPrivate = 0;
1639 mock_options.ExitPolicyRejectLocalInterfaces = 1;
1640
1641 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1642 &answer, &errmsg);
1643 tt_int_op(rv, OP_EQ, 0);
1644 tt_ptr_op(answer, OP_NE, NULL);
1645 tt_assert(strlen(answer) > 0);
1646 tor_free(answer);
1647
1648 mock_options.ExitPolicyRejectPrivate = 0;
1649 mock_options.ExitPolicyRejectLocalInterfaces = 0;
1650
1651 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1652 &answer, &errmsg);
1653 tt_int_op(rv, OP_EQ, 0);
1654 tt_ptr_op(answer, OP_NE, NULL);
1655 tt_assert(strlen(answer) == 0);
1656 tor_free(answer);
1657
1658 rv = getinfo_helper_policies(NULL, "exit-policy/ipv4", &answer,
1659 &errmsg);
1660 tt_int_op(rv, OP_EQ, 0);
1661 tt_ptr_op(answer, OP_NE, NULL);
1662 ipv4_len = strlen(answer);
1663 tt_assert(ipv4_len > 0);
1664 tor_free(answer);
1665
1666 rv = getinfo_helper_policies(NULL, "exit-policy/ipv6", &answer,
1667 &errmsg);
1668 tt_int_op(rv, OP_EQ, 0);
1669 tt_ptr_op(answer, OP_NE, NULL);
1670 ipv6_len = strlen(answer);
1671 tt_assert(ipv6_len > 0);
1672 tor_free(answer);
1673
1674 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1675 &errmsg);
1676 tt_int_op(rv, OP_EQ, 0);
1677 tt_ptr_op(answer, OP_NE, NULL);
1678 tt_assert(strlen(answer) > 0);
1679 tt_assert(strlen(answer) == ipv4_len + ipv6_len + 1);
1680 tor_free(answer);
1681
1682 routerinfo_err = TOR_ROUTERINFO_ERROR_NO_EXT_ADDR;
1683 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1684 &errmsg);
1685 tt_int_op(rv, OP_EQ, -1);
1686 tt_ptr_op(answer, OP_EQ, NULL);
1687 tt_ptr_op(errmsg, OP_NE, NULL);
1688 tt_str_op(errmsg, OP_EQ, "No known exit address yet");
1689
1690 routerinfo_err = TOR_ROUTERINFO_ERROR_CANNOT_PARSE;
1691 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1692 &errmsg);
1693 tt_int_op(rv, OP_EQ, -1);
1694 tt_ptr_op(answer, OP_EQ, NULL);
1695 tt_ptr_op(errmsg, OP_NE, NULL);
1696 tt_str_op(errmsg, OP_EQ, "Cannot parse descriptor");
1697
1698 routerinfo_err = TOR_ROUTERINFO_ERROR_NOT_A_SERVER;
1699 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1700 &errmsg);
1701 tt_int_op(rv, OP_EQ, 0);
1702 tt_ptr_op(answer, OP_EQ, NULL);
1703 tt_ptr_op(errmsg, OP_NE, NULL);
1704 tt_str_op(errmsg, OP_EQ, "Not running in server mode");
1705
1706 routerinfo_err = TOR_ROUTERINFO_ERROR_DIGEST_FAILED;
1707 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1708 &errmsg);
1709
1710 tt_int_op(rv, OP_EQ, -1);
1711 tt_ptr_op(answer, OP_EQ, NULL);
1712 tt_ptr_op(errmsg, OP_NE, NULL);
1713 tt_str_op(errmsg, OP_EQ, "Key digest failed");
1714
1715 routerinfo_err = TOR_ROUTERINFO_ERROR_CANNOT_GENERATE;
1716 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1717 &errmsg);
1718 tt_int_op(rv, OP_EQ, -1);
1719 tt_ptr_op(answer, OP_EQ, NULL);
1720 tt_ptr_op(errmsg, OP_NE, NULL);
1721 tt_str_op(errmsg, OP_EQ, "Cannot generate descriptor");
1722
1723 routerinfo_err = TOR_ROUTERINFO_ERROR_DESC_REBUILDING;
1724 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1725 &errmsg);
1726 tt_int_op(rv, OP_EQ, -1);
1727 tt_ptr_op(answer, OP_EQ, NULL);
1728 tt_ptr_op(errmsg, OP_NE, NULL);
1729 tt_str_op(errmsg, OP_EQ, "Descriptor still rebuilding - not ready yet");
1730
1731 done:
1732 tor_free(answer);
1733 UNMOCK(get_options);
1734 UNMOCK(router_get_my_routerinfo);
1735 addr_policy_list_free(mock_my_routerinfo.exit_policy);
1736 }
1737
1738 #undef DEFAULT_POLICY_STRING
1739 #undef TEST_IPV4_ADDR
1740 #undef TEST_IPV6_ADDR
1741
1742 #define TEST_IPV4_ADDR_STR "1.2.3.4"
1743 #define TEST_IPV6_ADDR_STR "[1002::4567]"
1744 #define REJECT_IPv4_FINAL_STR "reject 0.0.0.0/0:*"
1745 #define REJECT_IPv6_FINAL_STR "reject [::]/0:*"
1746
1747 #define OTHER_IPV4_ADDR_STR "6.7.8.9"
1748 #define OTHER_IPV6_ADDR_STR "[afff::]"
1749
1750 /** Run unit tests for fascist_firewall_allows_address */
1751 static void
1752 test_policies_fascist_firewall_allows_address(void *arg)
1753 {
1754 (void)arg;
1755 tor_addr_t ipv4_addr, ipv6_addr, r_ipv4_addr, r_ipv6_addr;
1756 tor_addr_t n_ipv4_addr, n_ipv6_addr;
1757 const uint16_t port = 1234;
1758 smartlist_t *policy = NULL;
1759 smartlist_t *e_policy = NULL;
1760 addr_policy_t *item = NULL;
1761 int malformed_list = 0;
1762
1763 /* Setup the options and the items in the policies */
1764 memset(&mock_options, 0, sizeof(or_options_t));
1765 MOCK(get_options, mock_get_options);
1766
1767 policy = smartlist_new();
1768 item = router_parse_addr_policy_item_from_string("accept "
1769 TEST_IPV4_ADDR_STR ":*",
1770 ADDR_POLICY_ACCEPT,
1771 &malformed_list);
1772 tt_assert(item);
1773 tt_assert(!malformed_list);
1774 smartlist_add(policy, item);
1775 item = router_parse_addr_policy_item_from_string("accept "
1776 TEST_IPV6_ADDR_STR,
1777 ADDR_POLICY_ACCEPT,
1778 &malformed_list);
1779 tt_assert(item);
1780 tt_assert(!malformed_list);
1781 smartlist_add(policy, item);
1782 /* Normally, policy_expand_unspec would do this for us */
1783 item = router_parse_addr_policy_item_from_string(REJECT_IPv4_FINAL_STR,
1784 ADDR_POLICY_ACCEPT,
1785 &malformed_list);
1786 tt_assert(item);
1787 tt_assert(!malformed_list);
1788 smartlist_add(policy, item);
1789 item = router_parse_addr_policy_item_from_string(REJECT_IPv6_FINAL_STR,
1790 ADDR_POLICY_ACCEPT,
1791 &malformed_list);
1792 tt_assert(item);
1793 tt_assert(!malformed_list);
1794 smartlist_add(policy, item);
1795 item = NULL;
1796
1797 e_policy = smartlist_new();
1798
1799 /*
1800 char *polstr = policy_dump_to_string(policy, 1, 1);
1801 printf("%s\n", polstr);
1802 tor_free(polstr);
1803 */
1804
1805 /* Parse the addresses */
1806 tor_addr_parse(&ipv4_addr, TEST_IPV4_ADDR_STR);
1807 tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR_STR);
1808 tor_addr_parse(&r_ipv4_addr, OTHER_IPV4_ADDR_STR);
1809 tor_addr_parse(&r_ipv6_addr, OTHER_IPV6_ADDR_STR);
1810 tor_addr_make_null(&n_ipv4_addr, AF_INET);
1811 tor_addr_make_null(&n_ipv6_addr, AF_INET6);
1812
1813 /* Test the function's address matching with IPv4 and IPv6 on */
1814 memset(&mock_options, 0, sizeof(or_options_t));
1815 mock_options.ClientUseIPv4 = 1;
1816 mock_options.ClientUseIPv6 = 1;
1817 mock_options.UseBridges = 0;
1818
1819 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
1820 OP_EQ, 1);
1821 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
1822 OP_EQ, 1);
1823 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
1824 OP_EQ, 0);
1825 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
1826 OP_EQ, 0);
1827
1828 /* Preferring IPv4 */
1829 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 0),
1830 OP_EQ, 1);
1831 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 0),
1832 OP_EQ, 0);
1833 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 0),
1834 OP_EQ, 0);
1835 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 0),
1836 OP_EQ, 0);
1837
1838 /* Preferring IPv6 */
1839 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 1),
1840 OP_EQ, 0);
1841 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 1),
1842 OP_EQ, 1);
1843 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 1),
1844 OP_EQ, 0);
1845 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 1),
1846 OP_EQ, 0);
1847
1848 /* Test the function's address matching with UseBridges on */
1849 memset(&mock_options, 0, sizeof(or_options_t));
1850 mock_options.ClientUseIPv4 = 1;
1851 mock_options.ClientUseIPv6 = 1;
1852 mock_options.UseBridges = 1;
1853
1854 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
1855 OP_EQ, 1);
1856 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
1857 OP_EQ, 1);
1858 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
1859 OP_EQ, 0);
1860 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
1861 OP_EQ, 0);
1862
1863 /* Preferring IPv4 */
1864 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 0),
1865 OP_EQ, 1);
1866 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 0),
1867 OP_EQ, 0);
1868 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 0),
1869 OP_EQ, 0);
1870 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 0),
1871 OP_EQ, 0);
1872
1873 /* Preferring IPv6 */
1874 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 1),
1875 OP_EQ, 0);
1876 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 1),
1877 OP_EQ, 1);
1878 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 1),
1879 OP_EQ, 0);
1880 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 1),
1881 OP_EQ, 0);
1882
1883 /* bridge clients always use IPv6, regardless of ClientUseIPv6 */
1884 mock_options.ClientUseIPv4 = 1;
1885 mock_options.ClientUseIPv6 = 0;
1886 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
1887 OP_EQ, 1);
1888 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
1889 OP_EQ, 1);
1890 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
1891 OP_EQ, 0);
1892 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
1893 OP_EQ, 0);
1894
1895 /* Test the function's address matching with IPv4 on */
1896 memset(&mock_options, 0, sizeof(or_options_t));
1897 mock_options.ClientUseIPv4 = 1;
1898 mock_options.ClientUseIPv6 = 0;
1899 mock_options.UseBridges = 0;
1900
1901 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
1902 OP_EQ, 1);
1903 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
1904 OP_EQ, 0);
1905 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
1906 OP_EQ, 0);
1907 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
1908 OP_EQ, 0);
1909
1910 /* Test the function's address matching with IPv6 on */
1911 memset(&mock_options, 0, sizeof(or_options_t));
1912 mock_options.ClientUseIPv4 = 0;
1913 mock_options.ClientUseIPv6 = 1;
1914 mock_options.UseBridges = 0;
1915
1916 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
1917 OP_EQ, 0);
1918 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
1919 OP_EQ, 1);
1920 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
1921 OP_EQ, 0);
1922 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
1923 OP_EQ, 0);
1924
1925 /* Test the function's address matching with ClientUseIPv4 0.
1926 * This means "use IPv6" regardless of the other settings. */
1927 memset(&mock_options, 0, sizeof(or_options_t));
1928 mock_options.ClientUseIPv4 = 0;
1929 mock_options.ClientUseIPv6 = 0;
1930 mock_options.UseBridges = 0;
1931
1932 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
1933 OP_EQ, 0);
1934 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
1935 OP_EQ, 1);
1936 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
1937 OP_EQ, 0);
1938 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
1939 OP_EQ, 0);
1940
1941 /* Test the function's address matching for unusual inputs */
1942 memset(&mock_options, 0, sizeof(or_options_t));
1943 mock_options.ClientUseIPv4 = 1;
1944 mock_options.ClientUseIPv6 = 1;
1945 mock_options.UseBridges = 1;
1946
1947 /* NULL and tor_addr_is_null addresses are rejected */
1948 tt_int_op(fascist_firewall_allows_address(NULL, port, policy, 0, 0), OP_EQ,
1949 0);
1950 tt_int_op(fascist_firewall_allows_address(&n_ipv4_addr, port, policy, 0, 0),
1951 OP_EQ, 0);
1952 tt_int_op(fascist_firewall_allows_address(&n_ipv6_addr, port, policy, 0, 0),
1953 OP_EQ, 0);
1954
1955 /* zero ports are rejected */
1956 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, 0, policy, 0, 0),
1957 OP_EQ, 0);
1958 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, 0, policy, 0, 0),
1959 OP_EQ, 0);
1960
1961 /* NULL and empty policies accept everything */
1962 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, NULL, 0, 0),
1963 OP_EQ, 1);
1964 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, NULL, 0, 0),
1965 OP_EQ, 1);
1966 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, e_policy, 0, 0),
1967 OP_EQ, 1);
1968 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, e_policy, 0, 0),
1969 OP_EQ, 1);
1970
1971 done:
1972 addr_policy_free(item);
1973 addr_policy_list_free(policy);
1974 addr_policy_list_free(e_policy);
1975 UNMOCK(get_options);
1976 }
1977
1978 #undef REJECT_IPv4_FINAL_STR
1979 #undef REJECT_IPv6_FINAL_STR
1980 #undef OTHER_IPV4_ADDR_STR
1981 #undef OTHER_IPV6_ADDR_STR
1982
1983 #define TEST_IPV4_OR_PORT 1234
1984 #define TEST_IPV4_DIR_PORT 2345
1985 #define TEST_IPV6_OR_PORT 61234
1986 #define TEST_IPV6_DIR_PORT 62345
1987
1988 /* Check that fascist_firewall_choose_address_rs() returns the expected
1989 * results. */
1990 #define CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \
1991 expect_ap) \
1992 STMT_BEGIN \
1993 tor_addr_port_t chosen_rs_ap; \
1994 tor_addr_make_null(&chosen_rs_ap.addr, AF_INET); \
1995 chosen_rs_ap.port = 0; \
1996 fascist_firewall_choose_address_rs(&(fake_rs), (fw_connection), \
1997 (pref_only), &chosen_rs_ap); \
1998 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_rs_ap.addr)); \
1999 tt_int_op((expect_ap).port, OP_EQ, chosen_rs_ap.port); \
2000 STMT_END
2001
2002 /* Check that fascist_firewall_choose_address_node() returns the expected
2003 * results. */
2004 #define CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, \
2005 expect_rv, expect_ap) \
2006 STMT_BEGIN \
2007 tor_addr_port_t chosen_node_ap; \
2008 tor_addr_make_null(&chosen_node_ap.addr, AF_INET); \
2009 chosen_node_ap.port = 0; \
2010 fascist_firewall_choose_address_node(&(fake_node),(fw_connection), \
2011 (pref_only), &chosen_node_ap); \
2012 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_node_ap.addr)); \
2013 tt_int_op((expect_ap).port, OP_EQ, chosen_node_ap.port); \
2014 STMT_END
2015
2016 /* Check that fascist_firewall_choose_address_rs and
2017 * fascist_firewall_choose_address_node() both return the expected results. */
2018 #define CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, fw_connection, pref_only, \
2019 expect_rv, expect_ap) \
2020 STMT_BEGIN \
2021 CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \
2022 expect_ap); \
2023 CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, expect_rv, \
2024 expect_ap); \
2025 STMT_END
2026
2027 /** Mock the preferred address function to return zero (prefer IPv4). */
2028 static int
2029 mock_fascist_firewall_rand_prefer_ipv6_addr_use_ipv4(void)
2030 {
2031 return 0;
2032 }
2033
2034 /** Mock the preferred address function to return one (prefer IPv6). */
2035 static int
2036 mock_fascist_firewall_rand_prefer_ipv6_addr_use_ipv6(void)
2037 {
2038 return 1;
2039 }
2040
2041 /** Run unit tests for fascist_firewall_choose_address */
2042 static void
2043 test_policies_fascist_firewall_choose_address(void *arg)
2044 {
2045 (void)arg;
2046 tor_addr_port_t ipv4_or_ap, ipv4_dir_ap, ipv6_or_ap, ipv6_dir_ap;
2047 tor_addr_port_t n_ipv4_ap, n_ipv6_ap;
2048
2049 /* Setup the options */
2050 memset(&mock_options, 0, sizeof(or_options_t));
2051 MOCK(get_options, mock_get_options);
2052
2053 /* Parse the addresses */
2054 tor_addr_parse(&ipv4_or_ap.addr, TEST_IPV4_ADDR_STR);
2055 ipv4_or_ap.port = TEST_IPV4_OR_PORT;
2056 tor_addr_parse(&ipv4_dir_ap.addr, TEST_IPV4_ADDR_STR);
2057 ipv4_dir_ap.port = TEST_IPV4_DIR_PORT;
2058
2059 tor_addr_parse(&ipv6_or_ap.addr, TEST_IPV6_ADDR_STR);
2060 ipv6_or_ap.port = TEST_IPV6_OR_PORT;
2061 tor_addr_parse(&ipv6_dir_ap.addr, TEST_IPV6_ADDR_STR);
2062 ipv6_dir_ap.port = TEST_IPV6_DIR_PORT;
2063
2064 tor_addr_make_null(&n_ipv4_ap.addr, AF_INET);
2065 n_ipv4_ap.port = 0;
2066 tor_addr_make_null(&n_ipv6_ap.addr, AF_INET6);
2067 n_ipv6_ap.port = 0;
2068
2069 /* Sanity check fascist_firewall_choose_address with IPv4 and IPv6 on */
2070 memset(&mock_options, 0, sizeof(or_options_t));
2071 mock_options.ClientUseIPv4 = 1;
2072 mock_options.ClientUseIPv6 = 1;
2073 mock_options.UseBridges = 0;
2074
2075 /* Prefer IPv4 */
2076 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
2077 FIREWALL_OR_CONNECTION, 0, 0)
2078 == &ipv4_or_ap);
2079 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
2080 FIREWALL_OR_CONNECTION, 1, 0)
2081 == &ipv4_or_ap);
2082 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 1,
2083 FIREWALL_DIR_CONNECTION, 0, 0)
2084 == &ipv4_dir_ap);
2085 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 1,
2086 FIREWALL_DIR_CONNECTION, 1, 0)
2087 == &ipv4_dir_ap);
2088
2089 /* Prefer IPv6 */
2090 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
2091 FIREWALL_OR_CONNECTION, 0, 1)
2092 == &ipv6_or_ap);
2093 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
2094 FIREWALL_OR_CONNECTION, 1, 1)
2095 == &ipv6_or_ap);
2096 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 0,
2097 FIREWALL_DIR_CONNECTION, 0, 1)
2098 == &ipv6_dir_ap);
2099 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 0,
2100 FIREWALL_DIR_CONNECTION, 1, 1)
2101 == &ipv6_dir_ap);
2102
2103 /* Unusual inputs */
2104
2105 /* null preferred OR addresses */
2106 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &n_ipv6_ap, 0,
2107 FIREWALL_OR_CONNECTION, 0, 1)
2108 == &ipv4_or_ap);
2109 tt_assert(fascist_firewall_choose_address(&n_ipv4_ap, &ipv6_or_ap, 1,
2110 FIREWALL_OR_CONNECTION, 0, 0)
2111 == &ipv6_or_ap);
2112
2113 /* null both OR addresses */
2114 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 0,
2115 FIREWALL_OR_CONNECTION, 0, 1),
2116 OP_EQ, NULL);
2117 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 1,
2118 FIREWALL_OR_CONNECTION, 0, 0),
2119 OP_EQ, NULL);
2120
2121 /* null preferred Dir addresses */
2122 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &n_ipv6_ap, 0,
2123 FIREWALL_DIR_CONNECTION, 0, 1)
2124 == &ipv4_dir_ap);
2125 tt_assert(fascist_firewall_choose_address(&n_ipv4_ap, &ipv6_dir_ap, 1,
2126 FIREWALL_DIR_CONNECTION, 0, 0)
2127 == &ipv6_dir_ap);
2128
2129 /* null both Dir addresses */
2130 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 0,
2131 FIREWALL_DIR_CONNECTION, 0, 1),
2132 OP_EQ, NULL);
2133 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 1,
2134 FIREWALL_DIR_CONNECTION, 0, 0),
2135 OP_EQ, NULL);
2136
2137 /* Prefer IPv4 but want IPv6 (contradictory) */
2138 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
2139 FIREWALL_OR_CONNECTION, 0, 0)
2140 == &ipv4_or_ap);
2141 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
2142 FIREWALL_OR_CONNECTION, 1, 0)
2143 == &ipv4_or_ap);
2144
2145 /* Prefer IPv6 but want IPv4 (contradictory) */
2146 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
2147 FIREWALL_OR_CONNECTION, 0, 1)
2148 == &ipv6_or_ap);
2149 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
2150 FIREWALL_OR_CONNECTION, 1, 1)
2151 == &ipv6_or_ap);
2152
2153 /* Make a fake rs. There will be no corresponding node.
2154 * This is what happens when there's no consensus and we're bootstrapping
2155 * from authorities / fallbacks. */
2156 routerstatus_t fake_rs;
2157 memset(&fake_rs, 0, sizeof(routerstatus_t));
2158 /* In a routerstatus, the OR and Dir addresses are the same */
2159 fake_rs.addr = tor_addr_to_ipv4h(&ipv4_or_ap.addr);
2160 fake_rs.or_port = ipv4_or_ap.port;
2161 fake_rs.dir_port = ipv4_dir_ap.port;
2162
2163 tor_addr_copy(&fake_rs.ipv6_addr, &ipv6_or_ap.addr);
2164 fake_rs.ipv6_orport = ipv6_or_ap.port;
2165 /* In a routerstatus, the IPv4 and IPv6 DirPorts are the same.*/
2166 ipv6_dir_ap.port = TEST_IPV4_DIR_PORT;
2167
2168 /* Make a fake node. Even though it contains the fake_rs, a lookup won't
2169 * find the node from the rs, because they're not in the hash table. */
2170 node_t fake_node;
2171 memset(&fake_node, 0, sizeof(node_t));
2172 fake_node.rs = &fake_rs;
2173
2174 /* Choose an address with IPv4 and IPv6 on */
2175 memset(&mock_options, 0, sizeof(or_options_t));
2176 mock_options.ClientUseIPv4 = 1;
2177 mock_options.ClientUseIPv6 = 1;
2178 mock_options.UseBridges = 0;
2179
2180 /* Preferring IPv4 */
2181 mock_options.ClientPreferIPv6ORPort = 0;
2182 mock_options.ClientPreferIPv6DirPort = 0;
2183 /* Simulate the initialisation of fake_node.ipv6_preferred */
2184 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2185 &mock_options);
2186
2187 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2188 ipv4_or_ap);
2189 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2190 ipv4_or_ap);
2191 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2192 ipv4_dir_ap);
2193 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2194 ipv4_dir_ap);
2195
2196 /* Auto (Preferring IPv4) */
2197 mock_options.ClientPreferIPv6ORPort = -1;
2198 mock_options.ClientPreferIPv6DirPort = -1;
2199 /* Simulate the initialisation of fake_node.ipv6_preferred */
2200 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2201 &mock_options);
2202
2203 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2204 ipv4_or_ap);
2205 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2206 ipv4_or_ap);
2207 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2208 ipv4_dir_ap);
2209 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2210 ipv4_dir_ap);
2211
2212 /* Preferring IPv6 */
2213 mock_options.ClientPreferIPv6ORPort = 1;
2214 mock_options.ClientPreferIPv6DirPort = 1;
2215 /* Simulate the initialisation of fake_node.ipv6_preferred */
2216 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2217 &mock_options);
2218
2219 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2220 ipv6_or_ap);
2221 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2222 ipv6_or_ap);
2223 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2224 ipv6_dir_ap);
2225 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2226 ipv6_dir_ap);
2227
2228 /* Preferring IPv4 OR / IPv6 Dir */
2229 mock_options.ClientPreferIPv6ORPort = 0;
2230 mock_options.ClientPreferIPv6DirPort = 1;
2231 /* Simulate the initialisation of fake_node.ipv6_preferred */
2232 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2233 &mock_options);
2234
2235 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2236 ipv4_or_ap);
2237 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2238 ipv4_or_ap);
2239 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2240 ipv6_dir_ap);
2241 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2242 ipv6_dir_ap);
2243
2244 /* Preferring IPv6 OR / IPv4 Dir */
2245 mock_options.ClientPreferIPv6ORPort = 1;
2246 mock_options.ClientPreferIPv6DirPort = 0;
2247 /* Simulate the initialisation of fake_node.ipv6_preferred */
2248 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2249 &mock_options);
2250
2251 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2252 ipv6_or_ap);
2253 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2254 ipv6_or_ap);
2255 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2256 ipv4_dir_ap);
2257 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2258 ipv4_dir_ap);
2259
2260 /* Choose an address with UseBridges on */
2261 memset(&mock_options, 0, sizeof(or_options_t));
2262 mock_options.UseBridges = 1;
2263 mock_options.ClientUseIPv4 = 1;
2264 mock_options.ClientUseIPv6 = 1;
2265
2266 /* Preferring IPv4 */
2267 mock_options.ClientPreferIPv6ORPort = 0;
2268 mock_options.ClientPreferIPv6DirPort = 0;
2269 /* Simulate the initialisation of fake_node.ipv6_preferred */
2270 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2271 &mock_options);
2272
2273 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2274 ipv4_or_ap);
2275 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2276 ipv4_or_ap);
2277 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2278 ipv4_dir_ap);
2279 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2280 ipv4_dir_ap);
2281
2282 /* Auto:
2283 * - bridge clients prefer the configured bridge OR address from the node,
2284 * (the configured address family sets node.ipv6_preferred)
2285 * - other clients prefer IPv4 OR by default (see above),
2286 * - all clients, including bridge clients, prefer IPv4 Dir by default.
2287 */
2288 mock_options.ClientPreferIPv6ORPort = -1;
2289 mock_options.ClientPreferIPv6DirPort = -1;
2290
2291 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2292 * configured with an IPv4 address */
2293 fake_node.ipv6_preferred = 0;
2294 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2295 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2296 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2297 ipv4_dir_ap);
2298 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2299 ipv4_dir_ap);
2300
2301 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2302 * configured with an IPv6 address */
2303 fake_node.ipv6_preferred = 1;
2304 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv6_or_ap);
2305 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv6_or_ap);
2306 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2307 ipv4_dir_ap);
2308 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2309 ipv4_dir_ap);
2310
2311 /* When a rs has no node, it defaults to IPv4 under auto. */
2312 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2313 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2314 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 0, 1, ipv4_dir_ap);
2315 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 1, 1, ipv4_dir_ap);
2316
2317 /* Preferring IPv6 */
2318 mock_options.ClientPreferIPv6ORPort = 1;
2319 mock_options.ClientPreferIPv6DirPort = 1;
2320 /* Simulate the initialisation of fake_node.ipv6_preferred */
2321 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2322 &mock_options);
2323
2324 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2325 ipv6_or_ap);
2326 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2327 ipv6_or_ap);
2328 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2329 ipv6_dir_ap);
2330 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2331 ipv6_dir_ap);
2332
2333 /* In the default configuration (Auto / IPv6 off), bridge clients should
2334 * use both IPv4 and IPv6, but only prefer IPv6 for bridges configured with
2335 * an IPv6 address, regardless of ClientUseIPv6. (See above.) */
2336 mock_options.ClientUseIPv6 = 0;
2337 mock_options.ClientPreferIPv6ORPort = -1;
2338 mock_options.ClientPreferIPv6DirPort = -1;
2339 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2340 * configured with an IPv4 address */
2341 fake_node.ipv6_preferred = 0;
2342 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2343 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2344 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2345 ipv4_dir_ap);
2346 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2347 ipv4_dir_ap);
2348
2349 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2350 * configured with an IPv6 address */
2351 fake_node.ipv6_preferred = 1;
2352 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv6_or_ap);
2353 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv6_or_ap);
2354 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2355 ipv4_dir_ap);
2356 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2357 ipv4_dir_ap);
2358
2359 /* When a rs has no node, it defaults to IPv4 under auto. */
2360 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2361 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2362 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 0, 1, ipv4_dir_ap);
2363 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 1, 1, ipv4_dir_ap);
2364
2365 /* Choose an address with IPv4 on */
2366 memset(&mock_options, 0, sizeof(or_options_t));
2367 mock_options.ClientUseIPv4 = 1;
2368 mock_options.ClientUseIPv6 = 0;
2369 /* Simulate the initialisation of fake_node.ipv6_preferred */
2370 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2371 &mock_options);
2372
2373 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2374 ipv4_or_ap);
2375 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2376 ipv4_or_ap);
2377 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2378 ipv4_dir_ap);
2379 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2380 ipv4_dir_ap);
2381
2382 /* Choose an address with IPv6 on */
2383 memset(&mock_options, 0, sizeof(or_options_t));
2384 mock_options.ClientUseIPv4 = 0;
2385 mock_options.ClientUseIPv6 = 1;
2386 /* Simulate the initialisation of fake_node.ipv6_preferred */
2387 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2388 &mock_options);
2389
2390 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2391 ipv6_or_ap);
2392 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2393 ipv6_or_ap);
2394 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2395 ipv6_dir_ap);
2396 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2397 ipv6_dir_ap);
2398
2399 /* Choose an address with ClientUseIPv4 0.
2400 * This means "use IPv6" regardless of the other settings. */
2401 memset(&mock_options, 0, sizeof(or_options_t));
2402 mock_options.ClientUseIPv4 = 0;
2403 mock_options.ClientUseIPv6 = 0;
2404 /* Simulate the initialisation of fake_node.ipv6_preferred */
2405 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2406 &mock_options);
2407
2408 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2409 ipv6_or_ap);
2410 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2411 ipv6_or_ap);
2412 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2413 ipv6_dir_ap);
2414 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2415 ipv6_dir_ap);
2416
2417 /* Choose an address with ORPort_set 1 (server mode).
2418 * This means "use IPv4" regardless of the other settings. */
2419 memset(&mock_options, 0, sizeof(or_options_t));
2420 mock_options.ORPort_set = 1;
2421 mock_options.ClientUseIPv4 = 0;
2422 mock_options.ClientUseIPv6 = 1;
2423 mock_options.ClientPreferIPv6ORPort = 1;
2424 mock_options.ClientPreferIPv6DirPort = 1;
2425
2426 /* Simulate the initialisation of fake_node.ipv6_preferred */
2427 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2428 &mock_options);
2429
2430 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2431 ipv4_or_ap);
2432 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2433 ipv4_or_ap);
2434 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2435 ipv4_dir_ap);
2436 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2437 ipv4_dir_ap);
2438
2439 /* Test ClientAutoIPv6ORPort and pretend we prefer IPv4. */
2440 memset(&mock_options, 0, sizeof(or_options_t));
2441 mock_options.ClientAutoIPv6ORPort = 1;
2442 mock_options.ClientUseIPv4 = 1;
2443 mock_options.ClientUseIPv6 = 1;
2444 MOCK(fascist_firewall_rand_prefer_ipv6_addr,
2445 mock_fascist_firewall_rand_prefer_ipv6_addr_use_ipv4);
2446 /* Simulate the initialisation of fake_node.ipv6_preferred */
2447 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2448 &mock_options);
2449
2450 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2451 ipv4_or_ap);
2452 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2453 ipv4_or_ap);
2454
2455 UNMOCK(fascist_firewall_rand_prefer_ipv6_addr);
2456
2457 /* Test ClientAutoIPv6ORPort and pretend we prefer IPv6. */
2458 memset(&mock_options, 0, sizeof(or_options_t));
2459 mock_options.ClientAutoIPv6ORPort = 1;
2460 mock_options.ClientUseIPv4 = 1;
2461 mock_options.ClientUseIPv6 = 1;
2462 MOCK(fascist_firewall_rand_prefer_ipv6_addr,
2463 mock_fascist_firewall_rand_prefer_ipv6_addr_use_ipv6);
2464 /* Simulate the initialisation of fake_node.ipv6_preferred */
2465 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2466 &mock_options);
2467
2468 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2469 ipv6_or_ap);
2470 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2471 ipv6_or_ap);
2472
2473 UNMOCK(fascist_firewall_rand_prefer_ipv6_addr);
2474
2475 done:
2476 UNMOCK(get_options);
2477 }
2478
2479 #undef TEST_IPV4_ADDR_STR
2480 #undef TEST_IPV6_ADDR_STR
2481 #undef TEST_IPV4_OR_PORT
2482 #undef TEST_IPV4_DIR_PORT
2483 #undef TEST_IPV6_OR_PORT
2484 #undef TEST_IPV6_DIR_PORT
2485
2486 #undef CHECK_CHOSEN_ADDR_RS
2487 #undef CHECK_CHOSEN_ADDR_NODE
2488 #undef CHECK_CHOSEN_ADDR_RN
2489
2490 struct testcase_t policy_tests[] = {
2491 { "router_dump_exit_policy_to_string", test_dump_exit_policy_to_string, 0,
2492 NULL, NULL },
2493 { "general", test_policies_general, 0, NULL, NULL },
2494 { "getinfo_helper_policies", test_policies_getinfo_helper_policies, 0, NULL,
2495 NULL },
2496 { "reject_exit_address", test_policies_reject_exit_address, 0, NULL, NULL },
2497 { "reject_interface_address", test_policies_reject_interface_address, 0,
2498 NULL, NULL },
2499 { "reject_port_address", test_policies_reject_port_address, 0, NULL, NULL },
2500 { "fascist_firewall_allows_address",
2501 test_policies_fascist_firewall_allows_address, 0, NULL, NULL },
2502 { "fascist_firewall_choose_address",
2503 test_policies_fascist_firewall_choose_address, 0, NULL, NULL },
2504 END_OF_TESTCASES
2505 };
The Onion Router