search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'maint-0.4.5' into release-0.4.5
[tor.git] / src / test / test_policy.c
blob0a0548d1614627f293f1d5c7abefa69736d5f126
1 /* Copyright (c) 2013-2020, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3
4 #define CONFIG_PRIVATE
5 #define POLICIES_PRIVATE
6
7 #include "core/or/or.h"
8 #include "app/config/config.h"
9 #include "core/or/circuitbuild.h"
10 #include "core/or/policies.h"
11 #include "core/or/extendinfo.h"
12 #include "feature/dirparse/policy_parse.h"
13 #include "feature/hs/hs_common.h"
14 #include "feature/hs/hs_descriptor.h"
15 #include "feature/relay/router.h"
16 #include "lib/encoding/confline.h"
17 #include "test/test.h"
18 #include "test/log_test_helpers.h"
19
20 #include "core/or/addr_policy_st.h"
21 #include "core/or/extend_info_st.h"
22 #include "core/or/port_cfg_st.h"
23 #include "feature/nodelist/node_st.h"
24 #include "feature/nodelist/routerinfo_st.h"
25 #include "feature/nodelist/routerstatus_st.h"
26
27 /* Helper: assert that short_policy parses and writes back out as itself,
28 or as <b>expected</b> if that's provided. */
29 static void
30 test_short_policy_parse(const char *input,
31 const char *expected)
32 {
33 short_policy_t *short_policy = NULL;
34 char *out = NULL;
35
36 if (expected == NULL)
37 expected = input;
38
39 short_policy = parse_short_policy(input);
40 tt_assert(short_policy);
41 out = write_short_policy(short_policy);
42 tt_str_op(out, OP_EQ, expected);
43
44 done:
45 tor_free(out);
46 short_policy_free(short_policy);
47 }
48
49 /** Helper: Parse the exit policy string in <b>policy_str</b> with
50 * <b>options</b>, and make sure that policies_summarize() produces the string
51 * <b>expected_summary</b> from it when called with family. */
52 static void
53 test_policy_summary_helper_family_flags(const char *policy_str,
54 const char *expected_summary,
55 sa_family_t family,
56 exit_policy_parser_cfg_t options)
57 {
58 config_line_t line;
59 smartlist_t *policy = smartlist_new();
60 char *summary = NULL;
61 char *summary_after = NULL;
62 int r;
63 short_policy_t *short_policy = NULL;
64 int success = 0;
65
66 line.key = (char *) "foo";
67 line.value = (char *) policy_str;
68 line.next = NULL;
69
70 r = policies_parse_exit_policy(&line, &policy,
71 options, NULL);
72 tt_int_op(r,OP_EQ, 0);
73
74 summary = policy_summarize(policy, family);
75
76 tt_ptr_op(summary, OP_NE, NULL);
77 tt_str_op(summary,OP_EQ, expected_summary);
78
79 short_policy = parse_short_policy(summary);
80 tt_assert(short_policy);
81 summary_after = write_short_policy(short_policy);
82 tt_str_op(summary,OP_EQ, summary_after);
83
84 success = 1;
85 done:
86 /* If we don't print the flags on failure, it's very hard to diagnose bugs */
87 if (!success)
88 TT_DECLARE("CTXT", ("\n IPv%d\n Options: %x\n Policy: %s",
89 family == AF_INET ? 4 : 6, options, policy_str));
90 tor_free(summary_after);
91 tor_free(summary);
92 if (policy)
93 addr_policy_list_free(policy);
94 short_policy_free(short_policy);
95 }
96
97 /** Like test_policy_summary_helper_family_flags, but tries all the different
98 * flag combinations */
99 static void
100 test_policy_summary_helper_family(const char *policy_str,
101 const char *expected_summary,
102 sa_family_t family)
103 {
104 for (exit_policy_parser_cfg_t opt = 0;
105 opt <= EXIT_POLICY_OPTION_ALL;
106 opt++) {
107 if (family == AF_INET6 && !(opt & EXIT_POLICY_IPV6_ENABLED))
108 /* Skip the test: IPv6 addresses need IPv6 enabled */
109 continue;
110
111 if (opt & EXIT_POLICY_REJECT_LOCAL_INTERFACES)
112 /* Skip the test: local interfaces are machine-specific */
113 continue;
114
115 test_policy_summary_helper_family_flags(policy_str, expected_summary,
116 family, opt);
117 }
118 }
119
120 /** Like test_policy_summary_helper_family, but uses expected_summary for
121 * both IPv4 and IPv6. */
122 static void
123 test_policy_summary_helper(const char *policy_str,
124 const char *expected_summary)
125 {
126 test_policy_summary_helper_family(policy_str, expected_summary, AF_INET);
127 test_policy_summary_helper_family(policy_str, expected_summary, AF_INET6);
128 }
129
130 /** Like test_policy_summary_helper_family, but uses expected_summary4 for
131 * IPv4 and expected_summary6 for IPv6. */
132 static void
133 test_policy_summary_helper6(const char *policy_str,
134 const char *expected_summary4,
135 const char *expected_summary6)
136 {
137 test_policy_summary_helper_family(policy_str, expected_summary4, AF_INET);
138 test_policy_summary_helper_family(policy_str, expected_summary6, AF_INET6);
139 }
140
141 /** Run unit tests for generating summary lines of exit policies */
142 static void
143 test_policies_general(void *arg)
144 {
145 int i;
146 smartlist_t *policy = NULL, *policy2 = NULL, *policy3 = NULL,
147 *policy4 = NULL, *policy5 = NULL, *policy6 = NULL,
148 *policy7 = NULL, *policy8 = NULL, *policy9 = NULL,
149 *policy10 = NULL, *policy11 = NULL, *policy12 = NULL;
150 addr_policy_t *p;
151 tor_addr_t tar, tar2;
152 smartlist_t *addr_list = NULL;
153 config_line_t line;
154 smartlist_t *sm = NULL;
155 char *policy_str = NULL;
156 short_policy_t *short_parsed = NULL;
157 int malformed_list = -1;
158 (void)arg;
159
160 policy = smartlist_new();
161
162 p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*", -1,
163 &malformed_list);
164 tt_ptr_op(p, OP_NE, NULL);
165 tt_int_op(ADDR_POLICY_REJECT,OP_EQ, p->policy_type);
166 tor_addr_from_ipv4h(&tar, 0xc0a80000u);
167 tt_int_op(0,OP_EQ, tor_addr_compare(&p->addr, &tar, CMP_EXACT));
168 tt_int_op(16,OP_EQ, p->maskbits);
169 tt_int_op(1,OP_EQ, p->prt_min);
170 tt_int_op(65535,OP_EQ, p->prt_max);
171
172 smartlist_add(policy, p);
173
174 tor_addr_from_ipv4h(&tar, 0x01020304u);
175 tt_assert(ADDR_POLICY_ACCEPTED ==
176 compare_tor_addr_to_addr_policy(&tar, 2, policy));
177 tor_addr_make_unspec(&tar);
178 tt_assert(ADDR_POLICY_PROBABLY_ACCEPTED ==
179 compare_tor_addr_to_addr_policy(&tar, 2, policy));
180 tor_addr_from_ipv4h(&tar, 0xc0a80102);
181 tt_assert(ADDR_POLICY_REJECTED ==
182 compare_tor_addr_to_addr_policy(&tar, 2, policy));
183
184 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy2,
185 EXIT_POLICY_IPV6_ENABLED |
186 EXIT_POLICY_REJECT_PRIVATE |
187 EXIT_POLICY_ADD_DEFAULT, NULL));
188
189 tt_assert(policy2);
190
191 tor_addr_from_ipv4h(&tar, 0x0306090cu);
192 tor_addr_parse(&tar2, "[2000::1234]");
193 addr_list = smartlist_new();
194 smartlist_add(addr_list, &tar);
195 smartlist_add(addr_list, &tar2);
196 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy12,
197 EXIT_POLICY_IPV6_ENABLED |
198 EXIT_POLICY_REJECT_PRIVATE |
199 EXIT_POLICY_ADD_DEFAULT,
200 addr_list));
201 smartlist_free(addr_list);
202 addr_list = NULL;
203
204 tt_assert(policy12);
205
206 policy3 = smartlist_new();
207 p = router_parse_addr_policy_item_from_string("reject *:*", -1,
208 &malformed_list);
209 tt_ptr_op(p, OP_NE, NULL);
210 smartlist_add(policy3, p);
211 p = router_parse_addr_policy_item_from_string("accept *:*", -1,
212 &malformed_list);
213 tt_ptr_op(p, OP_NE, NULL);
214 smartlist_add(policy3, p);
215
216 policy4 = smartlist_new();
217 p = router_parse_addr_policy_item_from_string("accept *:443", -1,
218 &malformed_list);
219 tt_ptr_op(p, OP_NE, NULL);
220 smartlist_add(policy4, p);
221 p = router_parse_addr_policy_item_from_string("accept *:443", -1,
222 &malformed_list);
223 tt_ptr_op(p, OP_NE, NULL);
224 smartlist_add(policy4, p);
225
226 policy5 = smartlist_new();
227 p = router_parse_addr_policy_item_from_string("reject 0.0.0.0/8:*", -1,
228 &malformed_list);
229 tt_ptr_op(p, OP_NE, NULL);
230 smartlist_add(policy5, p);
231 p = router_parse_addr_policy_item_from_string("reject 169.254.0.0/16:*", -1,
232 &malformed_list);
233 tt_ptr_op(p, OP_NE, NULL);
234 smartlist_add(policy5, p);
235 p = router_parse_addr_policy_item_from_string("reject 127.0.0.0/8:*", -1,
236 &malformed_list);
237 tt_ptr_op(p, OP_NE, NULL);
238 smartlist_add(policy5, p);
239 p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*",
240 -1, &malformed_list);
241 tt_ptr_op(p, OP_NE, NULL);
242 smartlist_add(policy5, p);
243 p = router_parse_addr_policy_item_from_string("reject 10.0.0.0/8:*", -1,
244 &malformed_list);
245 tt_ptr_op(p, OP_NE, NULL);
246 smartlist_add(policy5, p);
247 p = router_parse_addr_policy_item_from_string("reject 172.16.0.0/12:*", -1,
248 &malformed_list);
249 tt_ptr_op(p, OP_NE, NULL);
250 smartlist_add(policy5, p);
251 p = router_parse_addr_policy_item_from_string("reject 80.190.250.90:*", -1,
252 &malformed_list);
253 tt_ptr_op(p, OP_NE, NULL);
254 smartlist_add(policy5, p);
255 p = router_parse_addr_policy_item_from_string("reject *:1-65534", -1,
256 &malformed_list);
257 tt_ptr_op(p, OP_NE, NULL);
258 smartlist_add(policy5, p);
259 p = router_parse_addr_policy_item_from_string("reject *:65535", -1,
260 &malformed_list);
261 tt_ptr_op(p, OP_NE, NULL);
262 smartlist_add(policy5, p);
263 p = router_parse_addr_policy_item_from_string("accept *:1-65535", -1,
264 &malformed_list);
265 tt_ptr_op(p, OP_NE, NULL);
266 smartlist_add(policy5, p);
267
268 policy6 = smartlist_new();
269 p = router_parse_addr_policy_item_from_string("accept 43.3.0.0/9:*", -1,
270 &malformed_list);
271 tt_ptr_op(p, OP_NE, NULL);
272 smartlist_add(policy6, p);
273
274 policy7 = smartlist_new();
275 p = router_parse_addr_policy_item_from_string("accept 0.0.0.0/8:*", -1,
276 &malformed_list);
277 tt_ptr_op(p, OP_NE, NULL);
278 smartlist_add(policy7, p);
279
280 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy8,
281 EXIT_POLICY_IPV6_ENABLED |
282 EXIT_POLICY_REJECT_PRIVATE |
283 EXIT_POLICY_ADD_DEFAULT,
284 NULL));
285
286 tt_assert(policy8);
287
288 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy9,
289 EXIT_POLICY_REJECT_PRIVATE |
290 EXIT_POLICY_ADD_DEFAULT,
291 NULL));
292
293 tt_assert(policy9);
294
295 /* accept6 * and reject6 * produce IPv6 wildcards only */
296 policy10 = smartlist_new();
297 p = router_parse_addr_policy_item_from_string("accept6 *:*", -1,
298 &malformed_list);
299 tt_ptr_op(p, OP_NE, NULL);
300 smartlist_add(policy10, p);
301
302 policy11 = smartlist_new();
303 p = router_parse_addr_policy_item_from_string("reject6 *:*", -1,
304 &malformed_list);
305 tt_ptr_op(p, OP_NE, NULL);
306 smartlist_add(policy11, p);
307
308 tt_assert(!exit_policy_is_general_exit(policy));
309 tt_assert(exit_policy_is_general_exit(policy2));
310 tt_assert(!exit_policy_is_general_exit(NULL));
311 tt_assert(!exit_policy_is_general_exit(policy3));
312 tt_assert(!exit_policy_is_general_exit(policy4));
313 tt_assert(!exit_policy_is_general_exit(policy5));
314 tt_assert(!exit_policy_is_general_exit(policy6));
315 tt_assert(!exit_policy_is_general_exit(policy7));
316 tt_assert(exit_policy_is_general_exit(policy8));
317 tt_assert(exit_policy_is_general_exit(policy9));
318 tt_assert(!exit_policy_is_general_exit(policy10));
319 tt_assert(!exit_policy_is_general_exit(policy11));
320
321 tt_assert(!addr_policies_eq(policy, policy2));
322 tt_assert(!addr_policies_eq(policy, NULL));
323 tt_assert(addr_policies_eq(policy2, policy2));
324 tt_assert(addr_policies_eq(NULL, NULL));
325
326 tt_assert(!policy_is_reject_star(policy2, AF_INET, 1));
327 tt_assert(policy_is_reject_star(policy, AF_INET, 1));
328 tt_assert(policy_is_reject_star(policy10, AF_INET, 1));
329 tt_assert(!policy_is_reject_star(policy10, AF_INET6, 1));
330 tt_assert(policy_is_reject_star(policy11, AF_INET, 1));
331 tt_assert(policy_is_reject_star(policy11, AF_INET6, 1));
332 tt_assert(policy_is_reject_star(NULL, AF_INET, 1));
333 tt_assert(policy_is_reject_star(NULL, AF_INET6, 1));
334 tt_assert(!policy_is_reject_star(NULL, AF_INET, 0));
335 tt_assert(!policy_is_reject_star(NULL, AF_INET6, 0));
336
337 addr_policy_list_free(policy);
338 policy = NULL;
339
340 /* make sure assume_action works */
341 malformed_list = 0;
342 p = router_parse_addr_policy_item_from_string("127.0.0.1",
343 ADDR_POLICY_ACCEPT,
344 &malformed_list);
345 tt_assert(p);
346 addr_policy_free(p);
347 tt_assert(!malformed_list);
348
349 p = router_parse_addr_policy_item_from_string("127.0.0.1:*",
350 ADDR_POLICY_ACCEPT,
351 &malformed_list);
352 tt_assert(p);
353 addr_policy_free(p);
354 tt_assert(!malformed_list);
355
356 p = router_parse_addr_policy_item_from_string("[::]",
357 ADDR_POLICY_ACCEPT,
358 &malformed_list);
359 tt_assert(p);
360 addr_policy_free(p);
361 tt_assert(!malformed_list);
362
363 p = router_parse_addr_policy_item_from_string("[::]:*",
364 ADDR_POLICY_ACCEPT,
365 &malformed_list);
366 tt_assert(p);
367 addr_policy_free(p);
368 tt_assert(!malformed_list);
369
370 p = router_parse_addr_policy_item_from_string("[face::b]",
371 ADDR_POLICY_ACCEPT,
372 &malformed_list);
373 tt_assert(p);
374 addr_policy_free(p);
375 tt_assert(!malformed_list);
376
377 p = router_parse_addr_policy_item_from_string("[b::aaaa]",
378 ADDR_POLICY_ACCEPT,
379 &malformed_list);
380 tt_assert(p);
381 addr_policy_free(p);
382 tt_assert(!malformed_list);
383
384 p = router_parse_addr_policy_item_from_string("*",
385 ADDR_POLICY_ACCEPT,
386 &malformed_list);
387 tt_assert(p);
388 addr_policy_free(p);
389 tt_assert(!malformed_list);
390
391 p = router_parse_addr_policy_item_from_string("*4",
392 ADDR_POLICY_ACCEPT,
393 &malformed_list);
394 tt_assert(p);
395 addr_policy_free(p);
396 tt_assert(!malformed_list);
397
398 p = router_parse_addr_policy_item_from_string("*6",
399 ADDR_POLICY_ACCEPT,
400 &malformed_list);
401 tt_assert(p);
402 addr_policy_free(p);
403 tt_assert(!malformed_list);
404
405 /* These are all ambiguous IPv6 addresses, it's good that we reject them */
406 p = router_parse_addr_policy_item_from_string("acce::abcd",
407 ADDR_POLICY_ACCEPT,
408 &malformed_list);
409 tt_ptr_op(p, OP_EQ, NULL);
410 tt_assert(malformed_list);
411 malformed_list = 0;
412
413 p = router_parse_addr_policy_item_from_string("7:1234",
414 ADDR_POLICY_ACCEPT,
415 &malformed_list);
416 tt_ptr_op(p, OP_EQ, NULL);
417 tt_assert(malformed_list);
418 malformed_list = 0;
419
420 p = router_parse_addr_policy_item_from_string("::",
421 ADDR_POLICY_ACCEPT,
422 &malformed_list);
423 tt_ptr_op(p, OP_EQ, NULL);
424 tt_assert(malformed_list);
425 malformed_list = 0;
426
427 /* make sure compacting logic works. */
428 policy = NULL;
429 line.key = (char*)"foo";
430 line.value = (char*)"accept *:80,reject private:*,reject *:*";
431 line.next = NULL;
432 tt_int_op(0, OP_EQ, policies_parse_exit_policy(&line,&policy,
433 EXIT_POLICY_IPV6_ENABLED |
434 EXIT_POLICY_ADD_DEFAULT, NULL));
435 tt_assert(policy);
436
437 //test_streq(policy->string, "accept *:80");
438 //test_streq(policy->next->string, "reject *:*");
439 tt_int_op(smartlist_len(policy),OP_EQ, 4);
440
441 /* test policy summaries */
442 /* check if we properly ignore private IP addresses */
443 test_policy_summary_helper("reject 192.168.0.0/16:*,"
444 "reject 0.0.0.0/8:*,"
445 "reject 10.0.0.0/8:*,"
446 "accept *:10-30,"
447 "accept *:90,"
448 "reject *:*",
449 "accept 10-30,90");
450 /* check all accept policies, and proper counting of rejects */
451 test_policy_summary_helper("reject 11.0.0.0/9:80,"
452 "reject 12.0.0.0/9:80,"
453 "reject 13.0.0.0/9:80,"
454 "reject 14.0.0.0/9:80,"
455 "accept *:*", "accept 1-65535");
456 test_policy_summary_helper("reject 11.0.0.0/9:80,"
457 "reject 12.0.0.0/9:80,"
458 "reject 13.0.0.0/9:80,"
459 "reject 14.0.0.0/9:80,"
460 "reject 15.0.0.0:81,"
461 "accept *:*", "accept 1-65535");
462 test_policy_summary_helper6("reject 11.0.0.0/9:80,"
463 "reject 12.0.0.0/9:80,"
464 "reject 13.0.0.0/9:80,"
465 "reject 14.0.0.0/9:80,"
466 "reject 15.0.0.0:80,"
467 "accept *:*",
468 "reject 80",
469 "accept 1-65535");
470 /* no exits */
471 test_policy_summary_helper("accept 11.0.0.0/9:80,"
472 "reject *:*",
473 "reject 1-65535");
474 /* port merging */
475 test_policy_summary_helper("accept *:80,"
476 "accept *:81,"
477 "accept *:100-110,"
478 "accept *:111,"
479 "reject *:*",
480 "accept 80-81,100-111");
481 /* border ports */
482 test_policy_summary_helper("accept *:1,"
483 "accept *:3,"
484 "accept *:65535,"
485 "reject *:*",
486 "accept 1,3,65535");
487 /* holes */
488 test_policy_summary_helper("accept *:1,"
489 "accept *:3,"
490 "accept *:5,"
491 "accept *:7,"
492 "reject *:*",
493 "accept 1,3,5,7");
494 test_policy_summary_helper("reject *:1,"
495 "reject *:3,"
496 "reject *:5,"
497 "reject *:7,"
498 "accept *:*",
499 "reject 1,3,5,7");
500 /* long policies */
501 /* standard long policy on many exits */
502 test_policy_summary_helper("accept *:20-23,"
503 "accept *:43,"
504 "accept *:53,"
505 "accept *:79-81,"
506 "accept *:88,"
507 "accept *:110,"
508 "accept *:143,"
509 "accept *:194,"
510 "accept *:220,"
511 "accept *:389,"
512 "accept *:443,"
513 "accept *:464,"
514 "accept *:531,"
515 "accept *:543-544,"
516 "accept *:554,"
517 "accept *:563,"
518 "accept *:636,"
519 "accept *:706,"
520 "accept *:749,"
521 "accept *:873,"
522 "accept *:902-904,"
523 "accept *:981,"
524 "accept *:989-995,"
525 "accept *:1194,"
526 "accept *:1220,"
527 "accept *:1293,"
528 "accept *:1500,"
529 "accept *:1533,"
530 "accept *:1677,"
531 "accept *:1723,"
532 "accept *:1755,"
533 "accept *:1863,"
534 "accept *:2082,"
535 "accept *:2083,"
536 "accept *:2086-2087,"
537 "accept *:2095-2096,"
538 "accept *:2102-2104,"
539 "accept *:3128,"
540 "accept *:3389,"
541 "accept *:3690,"
542 "accept *:4321,"
543 "accept *:4643,"
544 "accept *:5050,"
545 "accept *:5190,"
546 "accept *:5222-5223,"
547 "accept *:5228,"
548 "accept *:5900,"
549 "accept *:6660-6669,"
550 "accept *:6679,"
551 "accept *:6697,"
552 "accept *:8000,"
553 "accept *:8008,"
554 "accept *:8074,"
555 "accept *:8080,"
556 "accept *:8087-8088,"
557 "accept *:8332-8333,"
558 "accept *:8443,"
559 "accept *:8888,"
560 "accept *:9418,"
561 "accept *:9999,"
562 "accept *:10000,"
563 "accept *:11371,"
564 "accept *:12350,"
565 "accept *:19294,"
566 "accept *:19638,"
567 "accept *:23456,"
568 "accept *:33033,"
569 "accept *:64738,"
570 "reject *:*",
571 "accept 20-23,43,53,79-81,88,110,143,194,220,389,"
572 "443,464,531,543-544,554,563,636,706,749,873,"
573 "902-904,981,989-995,1194,1220,1293,1500,1533,"
574 "1677,1723,1755,1863,2082-2083,2086-2087,"
575 "2095-2096,2102-2104,3128,3389,3690,4321,4643,"
576 "5050,5190,5222-5223,5228,5900,6660-6669,6679,"
577 "6697,8000,8008,8074,8080,8087-8088,8332-8333,"
578 "8443,8888,9418,9999-10000,11371,12350,19294,"
579 "19638,23456,33033,64738");
580 /* short policy with configured addresses */
581 test_policy_summary_helper("reject 149.56.1.1:*,"
582 "reject [2607:5300:1:1::1:0]:*,"
583 "accept *:80,"
584 "accept *:443,"
585 "reject *:*",
586 "accept 80,443");
587 /* short policy with configured and local interface addresses */
588 test_policy_summary_helper("reject 149.56.1.0:*,"
589 "reject 149.56.1.1:*,"
590 "reject 149.56.1.2:*,"
591 "reject 149.56.1.3:*,"
592 "reject 149.56.1.4:*,"
593 "reject 149.56.1.5:*,"
594 "reject 149.56.1.6:*,"
595 "reject 149.56.1.7:*,"
596 "reject [2607:5300:1:1::1:0]:*,"
597 "reject [2607:5300:1:1::1:1]:*,"
598 "reject [2607:5300:1:1::1:2]:*,"
599 "reject [2607:5300:1:1::1:3]:*,"
600 "reject [2607:5300:1:1::2:0]:*,"
601 "reject [2607:5300:1:1::2:1]:*,"
602 "reject [2607:5300:1:1::2:2]:*,"
603 "reject [2607:5300:1:1::2:3]:*,"
604 "accept *:80,"
605 "accept *:443,"
606 "reject *:*",
607 "accept 80,443");
608 /* short policy with configured netblocks */
609 test_policy_summary_helper("reject 149.56.0.0/16,"
610 "reject6 2607:5300::/32,"
611 "reject6 2608:5300::/64,"
612 "reject6 2609:5300::/96,"
613 "accept *:80,"
614 "accept *:443,"
615 "reject *:*",
616 "accept 80,443");
617 /* short policy with large netblocks that do not count as a rejection */
618 test_policy_summary_helper("reject 148.0.0.0/7,"
619 "reject6 2600::/16,"
620 "accept *:80,"
621 "accept *:443,"
622 "reject *:*",
623 "accept 80,443");
624 /* short policy with large netblocks that count as a rejection */
625 test_policy_summary_helper("reject 148.0.0.0/6,"
626 "reject6 2600::/15,"
627 "accept *:80,"
628 "accept *:443,"
629 "reject *:*",
630 "reject 1-65535");
631 /* short policy with huge netblocks that count as a rejection */
632 test_policy_summary_helper("reject 128.0.0.0/1,"
633 "reject6 8000::/1,"
634 "accept *:80,"
635 "accept *:443,"
636 "reject *:*",
637 "reject 1-65535");
638 /* short policy which blocks everything using netblocks */
639 test_policy_summary_helper("reject 0.0.0.0/0,"
640 "reject6 ::/0,"
641 "accept *:80,"
642 "accept *:443,"
643 "reject *:*",
644 "reject 1-65535");
645 /* short policy which has repeated redundant netblocks */
646 test_policy_summary_helper("reject 0.0.0.0/0,"
647 "reject 0.0.0.0/0,"
648 "reject 0.0.0.0/0,"
649 "reject 0.0.0.0/0,"
650 "reject 0.0.0.0/0,"
651 "reject6 ::/0,"
652 "reject6 ::/0,"
653 "reject6 ::/0,"
654 "reject6 ::/0,"
655 "reject6 ::/0,"
656 "accept *:80,"
657 "accept *:443,"
658 "reject *:*",
659 "reject 1-65535");
660
661 /* longest possible policy
662 * (1-2,4-5,... is longer, but gets reduced to 3,6,... )
663 * Going all the way to 65535 is incredibly slow, so we just go slightly
664 * more than the expected length */
665 test_policy_summary_helper("accept *:1,"
666 "accept *:3,"
667 "accept *:5,"
668 "accept *:7,"
669 "accept *:9,"
670 "accept *:11,"
671 "accept *:13,"
672 "accept *:15,"
673 "accept *:17,"
674 "accept *:19,"
675 "accept *:21,"
676 "accept *:23,"
677 "accept *:25,"
678 "accept *:27,"
679 "accept *:29,"
680 "accept *:31,"
681 "accept *:33,"
682 "accept *:35,"
683 "accept *:37,"
684 "accept *:39,"
685 "accept *:41,"
686 "accept *:43,"
687 "accept *:45,"
688 "accept *:47,"
689 "accept *:49,"
690 "accept *:51,"
691 "accept *:53,"
692 "accept *:55,"
693 "accept *:57,"
694 "accept *:59,"
695 "accept *:61,"
696 "accept *:63,"
697 "accept *:65,"
698 "accept *:67,"
699 "accept *:69,"
700 "accept *:71,"
701 "accept *:73,"
702 "accept *:75,"
703 "accept *:77,"
704 "accept *:79,"
705 "accept *:81,"
706 "accept *:83,"
707 "accept *:85,"
708 "accept *:87,"
709 "accept *:89,"
710 "accept *:91,"
711 "accept *:93,"
712 "accept *:95,"
713 "accept *:97,"
714 "accept *:99,"
715 "accept *:101,"
716 "accept *:103,"
717 "accept *:105,"
718 "accept *:107,"
719 "accept *:109,"
720 "accept *:111,"
721 "accept *:113,"
722 "accept *:115,"
723 "accept *:117,"
724 "accept *:119,"
725 "accept *:121,"
726 "accept *:123,"
727 "accept *:125,"
728 "accept *:127,"
729 "accept *:129,"
730 "accept *:131,"
731 "accept *:133,"
732 "accept *:135,"
733 "accept *:137,"
734 "accept *:139,"
735 "accept *:141,"
736 "accept *:143,"
737 "accept *:145,"
738 "accept *:147,"
739 "accept *:149,"
740 "accept *:151,"
741 "accept *:153,"
742 "accept *:155,"
743 "accept *:157,"
744 "accept *:159,"
745 "accept *:161,"
746 "accept *:163,"
747 "accept *:165,"
748 "accept *:167,"
749 "accept *:169,"
750 "accept *:171,"
751 "accept *:173,"
752 "accept *:175,"
753 "accept *:177,"
754 "accept *:179,"
755 "accept *:181,"
756 "accept *:183,"
757 "accept *:185,"
758 "accept *:187,"
759 "accept *:189,"
760 "accept *:191,"
761 "accept *:193,"
762 "accept *:195,"
763 "accept *:197,"
764 "accept *:199,"
765 "accept *:201,"
766 "accept *:203,"
767 "accept *:205,"
768 "accept *:207,"
769 "accept *:209,"
770 "accept *:211,"
771 "accept *:213,"
772 "accept *:215,"
773 "accept *:217,"
774 "accept *:219,"
775 "accept *:221,"
776 "accept *:223,"
777 "accept *:225,"
778 "accept *:227,"
779 "accept *:229,"
780 "accept *:231,"
781 "accept *:233,"
782 "accept *:235,"
783 "accept *:237,"
784 "accept *:239,"
785 "accept *:241,"
786 "accept *:243,"
787 "accept *:245,"
788 "accept *:247,"
789 "accept *:249,"
790 "accept *:251,"
791 "accept *:253,"
792 "accept *:255,"
793 "accept *:257,"
794 "accept *:259,"
795 "accept *:261,"
796 "accept *:263,"
797 "accept *:265,"
798 "accept *:267,"
799 "accept *:269,"
800 "accept *:271,"
801 "accept *:273,"
802 "accept *:275,"
803 "accept *:277,"
804 "accept *:279,"
805 "accept *:281,"
806 "accept *:283,"
807 "accept *:285,"
808 "accept *:287,"
809 "accept *:289,"
810 "accept *:291,"
811 "accept *:293,"
812 "accept *:295,"
813 "accept *:297,"
814 "accept *:299,"
815 "accept *:301,"
816 "accept *:303,"
817 "accept *:305,"
818 "accept *:307,"
819 "accept *:309,"
820 "accept *:311,"
821 "accept *:313,"
822 "accept *:315,"
823 "accept *:317,"
824 "accept *:319,"
825 "accept *:321,"
826 "accept *:323,"
827 "accept *:325,"
828 "accept *:327,"
829 "accept *:329,"
830 "accept *:331,"
831 "accept *:333,"
832 "accept *:335,"
833 "accept *:337,"
834 "accept *:339,"
835 "accept *:341,"
836 "accept *:343,"
837 "accept *:345,"
838 "accept *:347,"
839 "accept *:349,"
840 "accept *:351,"
841 "accept *:353,"
842 "accept *:355,"
843 "accept *:357,"
844 "accept *:359,"
845 "accept *:361,"
846 "accept *:363,"
847 "accept *:365,"
848 "accept *:367,"
849 "accept *:369,"
850 "accept *:371,"
851 "accept *:373,"
852 "accept *:375,"
853 "accept *:377,"
854 "accept *:379,"
855 "accept *:381,"
856 "accept *:383,"
857 "accept *:385,"
858 "accept *:387,"
859 "accept *:389,"
860 "accept *:391,"
861 "accept *:393,"
862 "accept *:395,"
863 "accept *:397,"
864 "accept *:399,"
865 "accept *:401,"
866 "accept *:403,"
867 "accept *:405,"
868 "accept *:407,"
869 "accept *:409,"
870 "accept *:411,"
871 "accept *:413,"
872 "accept *:415,"
873 "accept *:417,"
874 "accept *:419,"
875 "accept *:421,"
876 "accept *:423,"
877 "accept *:425,"
878 "accept *:427,"
879 "accept *:429,"
880 "accept *:431,"
881 "accept *:433,"
882 "accept *:435,"
883 "accept *:437,"
884 "accept *:439,"
885 "accept *:441,"
886 "accept *:443,"
887 "accept *:445,"
888 "accept *:447,"
889 "accept *:449,"
890 "accept *:451,"
891 "accept *:453,"
892 "accept *:455,"
893 "accept *:457,"
894 "accept *:459,"
895 "accept *:461,"
896 "accept *:463,"
897 "accept *:465,"
898 "accept *:467,"
899 "accept *:469,"
900 "accept *:471,"
901 "accept *:473,"
902 "accept *:475,"
903 "accept *:477,"
904 "accept *:479,"
905 "accept *:481,"
906 "accept *:483,"
907 "accept *:485,"
908 "accept *:487,"
909 "accept *:489,"
910 "accept *:491,"
911 "accept *:493,"
912 "accept *:495,"
913 "accept *:497,"
914 "accept *:499,"
915 "accept *:501,"
916 "accept *:503,"
917 "accept *:505,"
918 "accept *:507,"
919 "accept *:509,"
920 "accept *:511,"
921 "accept *:513,"
922 "accept *:515,"
923 "accept *:517,"
924 "accept *:519,"
925 "accept *:521,"
926 "accept *:523,"
927 "accept *:525,"
928 "accept *:527,"
929 "accept *:529,"
930 "reject *:*",
931 "accept 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,"
932 "31,33,35,37,39,41,43,45,47,49,51,53,55,57,59,61,"
933 "63,65,67,69,71,73,75,77,79,81,83,85,87,89,91,93,"
934 "95,97,99,101,103,105,107,109,111,113,115,117,"
935 "119,121,123,125,127,129,131,133,135,137,139,141,"
936 "143,145,147,149,151,153,155,157,159,161,163,165,"
937 "167,169,171,173,175,177,179,181,183,185,187,189,"
938 "191,193,195,197,199,201,203,205,207,209,211,213,"
939 "215,217,219,221,223,225,227,229,231,233,235,237,"
940 "239,241,243,245,247,249,251,253,255,257,259,261,"
941 "263,265,267,269,271,273,275,277,279,281,283,285,"
942 "287,289,291,293,295,297,299,301,303,305,307,309,"
943 "311,313,315,317,319,321,323,325,327,329,331,333,"
944 "335,337,339,341,343,345,347,349,351,353,355,357,"
945 "359,361,363,365,367,369,371,373,375,377,379,381,"
946 "383,385,387,389,391,393,395,397,399,401,403,405,"
947 "407,409,411,413,415,417,419,421,423,425,427,429,"
948 "431,433,435,437,439,441,443,445,447,449,451,453,"
949 "455,457,459,461,463,465,467,469,471,473,475,477,"
950 "479,481,483,485,487,489,491,493,495,497,499,501,"
951 "503,505,507,509,511,513,515,517,519,521,523");
952
953 /* Short policies with unrecognized formats should get accepted. */
954 test_short_policy_parse("accept fred,2,3-5", "accept 2,3-5");
955 test_short_policy_parse("accept 2,fred,3", "accept 2,3");
956 test_short_policy_parse("accept 2,fred,3,bob", "accept 2,3");
957 test_short_policy_parse("accept 2,-3,500-600", "accept 2,500-600");
958 /* Short policies with nil entries are accepted too. */
959 test_short_policy_parse("accept 1,,3", "accept 1,3");
960 test_short_policy_parse("accept 100-200,,", "accept 100-200");
961 test_short_policy_parse("reject ,1-10,,,,30-40", "reject 1-10,30-40");
962
963 /* Try parsing various broken short policies */
964 #define TT_BAD_SHORT_POLICY(s) \
965 do { \
966 tt_ptr_op(NULL, OP_EQ, (short_parsed = parse_short_policy((s)))); \
967 } while (0)
968 TT_BAD_SHORT_POLICY("accept 200-199");
969 TT_BAD_SHORT_POLICY("");
970 TT_BAD_SHORT_POLICY("rejekt 1,2,3");
971 TT_BAD_SHORT_POLICY("reject ");
972 TT_BAD_SHORT_POLICY("reject");
973 TT_BAD_SHORT_POLICY("rej");
974 TT_BAD_SHORT_POLICY("accept 2,3,100000");
975 TT_BAD_SHORT_POLICY("accept 2,3x,4");
976 TT_BAD_SHORT_POLICY("accept 2,3x,4");
977 TT_BAD_SHORT_POLICY("accept 2-");
978 TT_BAD_SHORT_POLICY("accept 2-x");
979 TT_BAD_SHORT_POLICY("accept 1-,3");
980 TT_BAD_SHORT_POLICY("accept 1-,3");
981
982 /* Make sure that IPv4 addresses are ignored in accept6/reject6 lines. */
983 p = router_parse_addr_policy_item_from_string("accept6 1.2.3.4:*", -1,
984 &malformed_list);
985 tt_ptr_op(p, OP_EQ, NULL);
986 tt_assert(!malformed_list);
987
988 p = router_parse_addr_policy_item_from_string("reject6 2.4.6.0/24:*", -1,
989 &malformed_list);
990 tt_ptr_op(p, OP_EQ, NULL);
991 tt_assert(!malformed_list);
992
993 p = router_parse_addr_policy_item_from_string("accept6 *4:*", -1,
994 &malformed_list);
995 tt_ptr_op(p, OP_EQ, NULL);
996 tt_assert(!malformed_list);
997
998 /* Make sure malformed policies are detected as such. */
999 p = router_parse_addr_policy_item_from_string("bad_token *4:*", -1,
1000 &malformed_list);
1001 tt_ptr_op(p, OP_EQ, NULL);
1002 tt_assert(malformed_list);
1003
1004 p = router_parse_addr_policy_item_from_string("accept6 **:*", -1,
1005 &malformed_list);
1006 tt_ptr_op(p, OP_EQ, NULL);
1007 tt_assert(malformed_list);
1008
1009 p = router_parse_addr_policy_item_from_string("accept */15:*", -1,
1010 &malformed_list);
1011 tt_ptr_op(p, OP_EQ, NULL);
1012 tt_assert(malformed_list);
1013
1014 p = router_parse_addr_policy_item_from_string("reject6 */:*", -1,
1015 &malformed_list);
1016 tt_ptr_op(p, OP_EQ, NULL);
1017 tt_assert(malformed_list);
1018
1019 p = router_parse_addr_policy_item_from_string("accept 127.0.0.1/33:*", -1,
1020 &malformed_list);
1021 tt_ptr_op(p, OP_EQ, NULL);
1022 tt_assert(malformed_list);
1023
1024 p = router_parse_addr_policy_item_from_string("accept6 [::1]/129:*", -1,
1025 &malformed_list);
1026 tt_ptr_op(p, OP_EQ, NULL);
1027 tt_assert(malformed_list);
1028
1029 p = router_parse_addr_policy_item_from_string("reject 8.8.8.8/-1:*", -1,
1030 &malformed_list);
1031 tt_ptr_op(p, OP_EQ, NULL);
1032 tt_assert(malformed_list);
1033
1034 p = router_parse_addr_policy_item_from_string("reject 8.8.4.4:10-5", -1,
1035 &malformed_list);
1036 tt_ptr_op(p, OP_EQ, NULL);
1037 tt_assert(malformed_list);
1038
1039 p = router_parse_addr_policy_item_from_string("reject 1.2.3.4:-1", -1,
1040 &malformed_list);
1041 tt_ptr_op(p, OP_EQ, NULL);
1042 tt_assert(malformed_list);
1043
1044 /* Test a too-long policy. */
1045 {
1046 char *policy_strng = NULL;
1047 smartlist_t *chunks = smartlist_new();
1048 smartlist_add_strdup(chunks, "accept ");
1049 for (i=1; i<10000; ++i)
1050 smartlist_add_asprintf(chunks, "%d,", i);
1051 smartlist_add_strdup(chunks, "20000");
1052 policy_strng = smartlist_join_strings(chunks, "", 0, NULL);
1053 SMARTLIST_FOREACH(chunks, char *, ch, tor_free(ch));
1054 smartlist_free(chunks);
1055 short_parsed = parse_short_policy(policy_strng);/* shouldn't be accepted */
1056 tor_free(policy_strng);
1057 tt_ptr_op(NULL, OP_EQ, short_parsed);
1058 }
1059
1060 /* truncation ports */
1061 sm = smartlist_new();
1062 for (i=1; i<2000; i+=2) {
1063 char buf[POLICY_BUF_LEN];
1064 tor_snprintf(buf, sizeof(buf), "reject *:%d", i);
1065 smartlist_add_strdup(sm, buf);
1066 }
1067 smartlist_add_strdup(sm, "accept *:*");
1068 policy_str = smartlist_join_strings(sm, ",", 0, NULL);
1069 test_policy_summary_helper( policy_str,
1070 "accept 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,"
1071 "46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78,80,82,84,86,88,90,"
1072 "92,94,96,98,100,102,104,106,108,110,112,114,116,118,120,122,124,126,128,"
1073 "130,132,134,136,138,140,142,144,146,148,150,152,154,156,158,160,162,164,"
1074 "166,168,170,172,174,176,178,180,182,184,186,188,190,192,194,196,198,200,"
1075 "202,204,206,208,210,212,214,216,218,220,222,224,226,228,230,232,234,236,"
1076 "238,240,242,244,246,248,250,252,254,256,258,260,262,264,266,268,270,272,"
1077 "274,276,278,280,282,284,286,288,290,292,294,296,298,300,302,304,306,308,"
1078 "310,312,314,316,318,320,322,324,326,328,330,332,334,336,338,340,342,344,"
1079 "346,348,350,352,354,356,358,360,362,364,366,368,370,372,374,376,378,380,"
1080 "382,384,386,388,390,392,394,396,398,400,402,404,406,408,410,412,414,416,"
1081 "418,420,422,424,426,428,430,432,434,436,438,440,442,444,446,448,450,452,"
1082 "454,456,458,460,462,464,466,468,470,472,474,476,478,480,482,484,486,488,"
1083 "490,492,494,496,498,500,502,504,506,508,510,512,514,516,518,520,522");
1084
1085 done:
1086 addr_policy_list_free(policy);
1087 addr_policy_list_free(policy2);
1088 addr_policy_list_free(policy3);
1089 addr_policy_list_free(policy4);
1090 addr_policy_list_free(policy5);
1091 addr_policy_list_free(policy6);
1092 addr_policy_list_free(policy7);
1093 addr_policy_list_free(policy8);
1094 addr_policy_list_free(policy9);
1095 addr_policy_list_free(policy10);
1096 addr_policy_list_free(policy11);
1097 addr_policy_list_free(policy12);
1098 tor_free(policy_str);
1099 if (sm) {
1100 SMARTLIST_FOREACH(sm, char *, s, tor_free(s));
1101 smartlist_free(sm);
1102 }
1103 short_policy_free(short_parsed);
1104 }
1105
1106 /** Helper: Check that policy_list contains address */
1107 static int
1108 test_policy_has_address_helper(const smartlist_t *policy_list,
1109 const tor_addr_t *addr)
1110 {
1111 int found = 0;
1112
1113 tt_assert(policy_list);
1114 tt_assert(addr);
1115
1116 SMARTLIST_FOREACH_BEGIN(policy_list, addr_policy_t*, p) {
1117 if (tor_addr_eq(&p->addr, addr)) {
1118 found = 1;
1119 }
1120 } SMARTLIST_FOREACH_END(p);
1121
1122 return found;
1123
1124 done:
1125 return 0;
1126 }
1127
1128 #define TEST_IPV4_ADDR ("1.2.3.4")
1129 #define TEST_IPV6_ADDR ("2002::abcd")
1130
1131 /** Run unit tests for rejecting the configured addresses on this exit relay
1132 * using policies_parse_exit_policy_reject_private */
1133 static void
1134 test_policies_reject_exit_address(void *arg)
1135 {
1136 smartlist_t *policy = NULL;
1137 tor_addr_t ipv4_addr, ipv6_addr;
1138 smartlist_t *ipv4_list, *ipv6_list, *both_list, *dupl_list;
1139 (void)arg;
1140
1141 tor_addr_parse(&ipv4_addr, TEST_IPV4_ADDR);
1142 tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR);
1143
1144 ipv4_list = smartlist_new();
1145 ipv6_list = smartlist_new();
1146 both_list = smartlist_new();
1147 dupl_list = smartlist_new();
1148
1149 smartlist_add(ipv4_list, &ipv4_addr);
1150 smartlist_add(both_list, &ipv4_addr);
1151 smartlist_add(dupl_list, &ipv4_addr);
1152 smartlist_add(dupl_list, &ipv4_addr);
1153 smartlist_add(dupl_list, &ipv4_addr);
1154
1155 smartlist_add(ipv6_list, &ipv6_addr);
1156 smartlist_add(both_list, &ipv6_addr);
1157 smartlist_add(dupl_list, &ipv6_addr);
1158 smartlist_add(dupl_list, &ipv6_addr);
1159
1160 /* IPv4-Only Exits */
1161
1162 /* test that IPv4 addresses are rejected on an IPv4-only exit */
1163 policies_parse_exit_policy_reject_private(&policy, 0, ipv4_list, 0, 0);
1164 tt_assert(policy);
1165 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1166 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1167 addr_policy_list_free(policy);
1168 policy = NULL;
1169
1170 /* test that IPv6 addresses are NOT rejected on an IPv4-only exit
1171 * (all IPv6 addresses are rejected by policies_parse_exit_policy_internal
1172 * on IPv4-only exits, so policies_parse_exit_policy_reject_private doesn't
1173 * need to do anything) */
1174 policies_parse_exit_policy_reject_private(&policy, 0, ipv6_list, 0, 0);
1175 tt_ptr_op(policy, OP_EQ, NULL);
1176
1177 /* test that only IPv4 addresses are rejected on an IPv4-only exit */
1178 policies_parse_exit_policy_reject_private(&policy, 0, both_list, 0, 0);
1179 tt_assert(policy);
1180 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1181 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1182 addr_policy_list_free(policy);
1183 policy = NULL;
1184
1185 /* Test that lists with duplicate entries produce the same results */
1186 policies_parse_exit_policy_reject_private(&policy, 0, dupl_list, 0, 0);
1187 tt_assert(policy);
1188 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1189 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1190 addr_policy_list_free(policy);
1191 policy = NULL;
1192
1193 /* IPv4/IPv6 Exits */
1194
1195 /* test that IPv4 addresses are rejected on an IPv4/IPv6 exit */
1196 policies_parse_exit_policy_reject_private(&policy, 1, ipv4_list, 0, 0);
1197 tt_assert(policy);
1198 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1199 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1200 addr_policy_list_free(policy);
1201 policy = NULL;
1202
1203 /* test that IPv6 addresses are rejected on an IPv4/IPv6 exit */
1204 policies_parse_exit_policy_reject_private(&policy, 1, ipv6_list, 0, 0);
1205 tt_assert(policy);
1206 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1207 tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
1208 addr_policy_list_free(policy);
1209 policy = NULL;
1210
1211 /* test that IPv4 and IPv6 addresses are rejected on an IPv4/IPv6 exit */
1212 policies_parse_exit_policy_reject_private(&policy, 1, both_list, 0, 0);
1213 tt_assert(policy);
1214 tt_int_op(smartlist_len(policy), OP_EQ, 2);
1215 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1216 tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
1217 addr_policy_list_free(policy);
1218 policy = NULL;
1219
1220 /* Test that lists with duplicate entries produce the same results */
1221 policies_parse_exit_policy_reject_private(&policy, 1, dupl_list, 0, 0);
1222 tt_assert(policy);
1223 tt_int_op(smartlist_len(policy), OP_EQ, 2);
1224 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1225 tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
1226 addr_policy_list_free(policy);
1227 policy = NULL;
1228
1229 done:
1230 addr_policy_list_free(policy);
1231 smartlist_free(ipv4_list);
1232 smartlist_free(ipv6_list);
1233 smartlist_free(both_list);
1234 smartlist_free(dupl_list);
1235 }
1236
1237 static smartlist_t *test_configured_ports = NULL;
1238
1239 /** Returns test_configured_ports */
1240 static const smartlist_t *
1241 mock_get_configured_ports(void)
1242 {
1243 return test_configured_ports;
1244 }
1245
1246 /** Run unit tests for rejecting publicly routable configured port addresses
1247 * on this exit relay using policies_parse_exit_policy_reject_private */
1248 static void
1249 test_policies_reject_port_address(void *arg)
1250 {
1251 smartlist_t *policy = NULL;
1252 port_cfg_t *ipv4_port = NULL;
1253 port_cfg_t *ipv6_port = NULL;
1254 (void)arg;
1255
1256 test_configured_ports = smartlist_new();
1257
1258 ipv4_port = port_cfg_new(0);
1259 tor_addr_parse(&ipv4_port->addr, TEST_IPV4_ADDR);
1260 smartlist_add(test_configured_ports, ipv4_port);
1261
1262 ipv6_port = port_cfg_new(0);
1263 tor_addr_parse(&ipv6_port->addr, TEST_IPV6_ADDR);
1264 smartlist_add(test_configured_ports, ipv6_port);
1265
1266 MOCK(get_configured_ports, mock_get_configured_ports);
1267
1268 /* test that an IPv4 port is rejected on an IPv4-only exit, but an IPv6 port
1269 * is NOT rejected (all IPv6 addresses are rejected by
1270 * policies_parse_exit_policy_internal on IPv4-only exits, so
1271 * policies_parse_exit_policy_reject_private doesn't need to do anything
1272 * with IPv6 addresses on IPv4-only exits) */
1273 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 1);
1274 tt_assert(policy);
1275 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1276 tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr));
1277 addr_policy_list_free(policy);
1278 policy = NULL;
1279
1280 /* test that IPv4 and IPv6 ports are rejected on an IPv4/IPv6 exit */
1281 policies_parse_exit_policy_reject_private(&policy, 1, NULL, 0, 1);
1282 tt_assert(policy);
1283 tt_int_op(smartlist_len(policy), OP_EQ, 2);
1284 tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr));
1285 tt_assert(test_policy_has_address_helper(policy, &ipv6_port->addr));
1286 addr_policy_list_free(policy);
1287 policy = NULL;
1288
1289 done:
1290 addr_policy_list_free(policy);
1291 if (test_configured_ports) {
1292 SMARTLIST_FOREACH(test_configured_ports,
1293 port_cfg_t *, p, port_cfg_free(p));
1294 smartlist_free(test_configured_ports);
1295 test_configured_ports = NULL;
1296 }
1297 UNMOCK(get_configured_ports);
1298 }
1299
1300 static smartlist_t *mock_ipv4_addrs = NULL;
1301 static smartlist_t *mock_ipv6_addrs = NULL;
1302
1303 /* mock get_interface_address6_list, returning a deep copy of the template
1304 * address list ipv4_interface_address_list or ipv6_interface_address_list */
1305 static smartlist_t *
1306 mock_get_interface_address6_list(int severity,
1307 sa_family_t family,
1308 int include_internal)
1309 {
1310 (void)severity;
1311 (void)include_internal;
1312 smartlist_t *clone_list = smartlist_new();
1313 smartlist_t *template_list = NULL;
1314
1315 if (family == AF_INET) {
1316 template_list = mock_ipv4_addrs;
1317 } else if (family == AF_INET6) {
1318 template_list = mock_ipv6_addrs;
1319 } else {
1320 return NULL;
1321 }
1322
1323 tt_assert(template_list);
1324
1325 SMARTLIST_FOREACH_BEGIN(template_list, tor_addr_t *, src_addr) {
1326 tor_addr_t *dest_addr = tor_malloc(sizeof(tor_addr_t));
1327 memset(dest_addr, 0, sizeof(*dest_addr));
1328 tor_addr_copy_tight(dest_addr, src_addr);
1329 smartlist_add(clone_list, dest_addr);
1330 } SMARTLIST_FOREACH_END(src_addr);
1331
1332 return clone_list;
1333
1334 done:
1335 interface_address6_list_free(clone_list);
1336 return NULL;
1337 }
1338
1339 /** Run unit tests for rejecting publicly routable interface addresses on this
1340 * exit relay using policies_parse_exit_policy_reject_private */
1341 static void
1342 test_policies_reject_interface_address(void *arg)
1343 {
1344 smartlist_t *policy = NULL;
1345 smartlist_t *public_ipv4_addrs =
1346 get_interface_address6_list(LOG_INFO, AF_INET, 0);
1347 smartlist_t *public_ipv6_addrs =
1348 get_interface_address6_list(LOG_INFO, AF_INET6, 0);
1349 tor_addr_t ipv4_addr, ipv6_addr;
1350 (void)arg;
1351
1352 /* test that no addresses are rejected when none are supplied/requested */
1353 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 0);
1354 tt_ptr_op(policy, OP_EQ, NULL);
1355
1356 /* test that only IPv4 interface addresses are rejected on an IPv4-only exit
1357 * (and allow for duplicates)
1358 */
1359 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 1, 0);
1360 if (policy) {
1361 tt_assert(smartlist_len(policy) <= smartlist_len(public_ipv4_addrs));
1362 addr_policy_list_free(policy);
1363 policy = NULL;
1364 }
1365
1366 /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
1367 * exit (and allow for duplicates) */
1368 policies_parse_exit_policy_reject_private(&policy, 1, NULL, 1, 0);
1369 if (policy) {
1370 tt_assert(smartlist_len(policy) <= (smartlist_len(public_ipv4_addrs)
1371 + smartlist_len(public_ipv6_addrs)));
1372 addr_policy_list_free(policy);
1373 policy = NULL;
1374 }
1375
1376 /* Now do it all again, but mocked */
1377 tor_addr_parse(&ipv4_addr, TEST_IPV4_ADDR);
1378 mock_ipv4_addrs = smartlist_new();
1379 smartlist_add(mock_ipv4_addrs, (void *)&ipv4_addr);
1380
1381 tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR);
1382 mock_ipv6_addrs = smartlist_new();
1383 smartlist_add(mock_ipv6_addrs, (void *)&ipv6_addr);
1384
1385 MOCK(get_interface_address6_list, mock_get_interface_address6_list);
1386
1387 /* test that no addresses are rejected when none are supplied/requested */
1388 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 0);
1389 tt_ptr_op(policy, OP_EQ, NULL);
1390
1391 /* test that only IPv4 interface addresses are rejected on an IPv4-only exit
1392 */
1393 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 1, 0);
1394 tt_assert(policy);
1395 tt_assert(smartlist_len(policy) == smartlist_len(mock_ipv4_addrs));
1396 addr_policy_list_free(policy);
1397 policy = NULL;
1398
1399 /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
1400 * exit */
1401 policies_parse_exit_policy_reject_private(&policy, 1, NULL, 1, 0);
1402 tt_assert(policy);
1403 tt_assert(smartlist_len(policy) == (smartlist_len(mock_ipv4_addrs)
1404 + smartlist_len(mock_ipv6_addrs)));
1405 addr_policy_list_free(policy);
1406 policy = NULL;
1407
1408 done:
1409 addr_policy_list_free(policy);
1410 interface_address6_list_free(public_ipv4_addrs);
1411 interface_address6_list_free(public_ipv6_addrs);
1412
1413 UNMOCK(get_interface_address6_list);
1414 /* we don't use interface_address6_list_free on these lists because their
1415 * address pointers are stack-based */
1416 smartlist_free(mock_ipv4_addrs);
1417 smartlist_free(mock_ipv6_addrs);
1418 }
1419
1420 #undef TEST_IPV4_ADDR
1421 #undef TEST_IPV6_ADDR
1422
1423 static void
1424 test_dump_exit_policy_to_string(void *arg)
1425 {
1426 char *ep;
1427 addr_policy_t *policy_entry;
1428 int malformed_list = -1;
1429
1430 routerinfo_t *ri = tor_malloc_zero(sizeof(routerinfo_t));
1431
1432 (void)arg;
1433
1434 ri->policy_is_reject_star = 1;
1435 ri->exit_policy = NULL; // expecting "reject *:*"
1436 ep = router_dump_exit_policy_to_string(ri,1,1);
1437
1438 tt_str_op("reject *:*",OP_EQ, ep);
1439
1440 tor_free(ep);
1441
1442 ri->exit_policy = smartlist_new();
1443 ri->policy_is_reject_star = 0;
1444
1445 policy_entry = router_parse_addr_policy_item_from_string("accept *:*", -1,
1446 &malformed_list);
1447
1448 smartlist_add(ri->exit_policy,policy_entry);
1449
1450 ep = router_dump_exit_policy_to_string(ri,1,1);
1451
1452 tt_str_op("accept *:*",OP_EQ, ep);
1453
1454 tor_free(ep);
1455
1456 policy_entry = router_parse_addr_policy_item_from_string("reject *:25", -1,
1457 &malformed_list);
1458
1459 smartlist_add(ri->exit_policy,policy_entry);
1460
1461 ep = router_dump_exit_policy_to_string(ri,1,1);
1462
1463 tt_str_op("accept *:*\nreject *:25",OP_EQ, ep);
1464
1465 tor_free(ep);
1466
1467 policy_entry =
1468 router_parse_addr_policy_item_from_string("reject 8.8.8.8:*", -1,
1469 &malformed_list);
1470
1471 smartlist_add(ri->exit_policy,policy_entry);
1472
1473 ep = router_dump_exit_policy_to_string(ri,1,1);
1474
1475 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*",OP_EQ, ep);
1476 tor_free(ep);
1477
1478 policy_entry =
1479 router_parse_addr_policy_item_from_string("reject6 [FC00::]/7:*", -1,
1480 &malformed_list);
1481
1482 smartlist_add(ri->exit_policy,policy_entry);
1483
1484 ep = router_dump_exit_policy_to_string(ri,1,1);
1485
1486 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
1487 "reject6 [fc00::]/7:*",OP_EQ, ep);
1488 tor_free(ep);
1489
1490 policy_entry =
1491 router_parse_addr_policy_item_from_string("accept6 [c000::]/3:*", -1,
1492 &malformed_list);
1493
1494 smartlist_add(ri->exit_policy,policy_entry);
1495
1496 ep = router_dump_exit_policy_to_string(ri,1,1);
1497
1498 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
1499 "reject6 [fc00::]/7:*\naccept6 [c000::]/3:*",OP_EQ, ep);
1500
1501 done:
1502
1503 if (ri->exit_policy) {
1504 SMARTLIST_FOREACH(ri->exit_policy, addr_policy_t *,
1505 entry, addr_policy_free(entry));
1506 smartlist_free(ri->exit_policy);
1507 }
1508 tor_free(ri);
1509 tor_free(ep);
1510 }
1511
1512 static routerinfo_t *mock_desc_routerinfo = NULL;
1513 static int routerinfo_err;
1514
1515 static const routerinfo_t *
1516 mock_router_get_my_routerinfo_with_err(int *err)
1517 {
1518 if (routerinfo_err) {
1519 if (err)
1520 *err = routerinfo_err;
1521
1522 return NULL;
1523 }
1524
1525 if (err)
1526 *err = 0;
1527
1528 return mock_desc_routerinfo;
1529 }
1530
1531 #define DEFAULT_POLICY_STRING "reject *:*"
1532 #define TEST_IPV4_ADDR ("2.4.6.8")
1533 #define TEST_IPV6_ADDR ("2003::ef01")
1534
1535 static or_options_t mock_options;
1536
1537 static const or_options_t *
1538 mock_get_options(void)
1539 {
1540 return &mock_options;
1541 }
1542
1543 /** Run unit tests for generating summary lines of exit policies */
1544 static void
1545 test_policies_getinfo_helper_policies(void *arg)
1546 {
1547 (void)arg;
1548 int rv = 0;
1549 size_t ipv4_len = 0, ipv6_len = 0;
1550 char *answer = NULL;
1551 const char *errmsg = NULL;
1552 routerinfo_t mock_my_routerinfo;
1553
1554 memset(&mock_my_routerinfo, 0, sizeof(mock_my_routerinfo));
1555
1556 rv = getinfo_helper_policies(NULL, "exit-policy/default", &answer, &errmsg);
1557 tt_int_op(rv, OP_EQ, 0);
1558 tt_ptr_op(answer, OP_NE, NULL);
1559 tt_assert(strlen(answer) > 0);
1560 tor_free(answer);
1561
1562 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/default",
1563 &answer, &errmsg);
1564 tt_int_op(rv, OP_EQ, 0);
1565 tt_ptr_op(answer, OP_NE, NULL);
1566 tt_assert(strlen(answer) > 0);
1567 tor_free(answer);
1568
1569 memset(&mock_my_routerinfo, 0, sizeof(routerinfo_t));
1570 MOCK(router_get_my_routerinfo_with_err,
1571 mock_router_get_my_routerinfo_with_err);
1572 mock_my_routerinfo.exit_policy = smartlist_new();
1573 mock_desc_routerinfo = &mock_my_routerinfo;
1574
1575 memset(&mock_options, 0, sizeof(or_options_t));
1576 MOCK(get_options, mock_get_options);
1577
1578 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1579 &answer, &errmsg);
1580 tt_int_op(rv, OP_EQ, 0);
1581 tt_ptr_op(answer, OP_NE, NULL);
1582 tt_assert(strlen(answer) == 0);
1583 tor_free(answer);
1584
1585 rv = getinfo_helper_policies(NULL, "exit-policy/ipv4", &answer,
1586 &errmsg);
1587 tt_int_op(rv, OP_EQ, 0);
1588 tt_ptr_op(answer, OP_NE, NULL);
1589 ipv4_len = strlen(answer);
1590 tt_assert(ipv4_len == 0 || ipv4_len == strlen(DEFAULT_POLICY_STRING));
1591 tt_assert(ipv4_len == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
1592 tor_free(answer);
1593
1594 rv = getinfo_helper_policies(NULL, "exit-policy/ipv6", &answer,
1595 &errmsg);
1596 tt_int_op(rv, OP_EQ, 0);
1597 tt_ptr_op(answer, OP_NE, NULL);
1598 ipv6_len = strlen(answer);
1599 tt_assert(ipv6_len == 0 || ipv6_len == strlen(DEFAULT_POLICY_STRING));
1600 tt_assert(ipv6_len == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
1601 tor_free(answer);
1602
1603 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1604 &errmsg);
1605 tt_int_op(rv, OP_EQ, 0);
1606 tt_ptr_op(answer, OP_NE, NULL);
1607 /* It's either empty or it's the default */
1608 tt_assert(strlen(answer) == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
1609 tor_free(answer);
1610
1611 tor_addr_parse(&mock_my_routerinfo.ipv4_addr, TEST_IPV4_ADDR);
1612 tor_addr_parse(&mock_my_routerinfo.ipv6_addr, TEST_IPV6_ADDR);
1613 append_exit_policy_string(&mock_my_routerinfo.exit_policy, "accept *4:*");
1614 append_exit_policy_string(&mock_my_routerinfo.exit_policy, "reject *6:*");
1615
1616 mock_options.IPv6Exit = 1;
1617 tor_addr_parse(
1618 &mock_options.OutboundBindAddresses[OUTBOUND_ADDR_EXIT][0],
1619 TEST_IPV4_ADDR);
1620 tor_addr_parse(
1621 &mock_options.OutboundBindAddresses[OUTBOUND_ADDR_EXIT][1],
1622 TEST_IPV6_ADDR);
1623
1624 mock_options.ExitPolicyRejectPrivate = 1;
1625 mock_options.ExitPolicyRejectLocalInterfaces = 1;
1626
1627 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1628 &answer, &errmsg);
1629 tt_int_op(rv, OP_EQ, 0);
1630 tt_ptr_op(answer, OP_NE, NULL);
1631 tt_assert(strlen(answer) > 0);
1632 tor_free(answer);
1633
1634 mock_options.ExitPolicyRejectPrivate = 1;
1635 mock_options.ExitPolicyRejectLocalInterfaces = 0;
1636
1637 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1638 &answer, &errmsg);
1639 tt_int_op(rv, OP_EQ, 0);
1640 tt_ptr_op(answer, OP_NE, NULL);
1641 tt_assert(strlen(answer) > 0);
1642 tor_free(answer);
1643
1644 mock_options.ExitPolicyRejectPrivate = 0;
1645 mock_options.ExitPolicyRejectLocalInterfaces = 1;
1646
1647 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1648 &answer, &errmsg);
1649 tt_int_op(rv, OP_EQ, 0);
1650 tt_ptr_op(answer, OP_NE, NULL);
1651 tt_assert(strlen(answer) > 0);
1652 tor_free(answer);
1653
1654 mock_options.ExitPolicyRejectPrivate = 0;
1655 mock_options.ExitPolicyRejectLocalInterfaces = 0;
1656
1657 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1658 &answer, &errmsg);
1659 tt_int_op(rv, OP_EQ, 0);
1660 tt_ptr_op(answer, OP_NE, NULL);
1661 tt_assert(strlen(answer) == 0);
1662 tor_free(answer);
1663
1664 rv = getinfo_helper_policies(NULL, "exit-policy/ipv4", &answer,
1665 &errmsg);
1666 tt_int_op(rv, OP_EQ, 0);
1667 tt_ptr_op(answer, OP_NE, NULL);
1668 ipv4_len = strlen(answer);
1669 tt_assert(ipv4_len > 0);
1670 tor_free(answer);
1671
1672 rv = getinfo_helper_policies(NULL, "exit-policy/ipv6", &answer,
1673 &errmsg);
1674 tt_int_op(rv, OP_EQ, 0);
1675 tt_ptr_op(answer, OP_NE, NULL);
1676 ipv6_len = strlen(answer);
1677 tt_assert(ipv6_len > 0);
1678 tor_free(answer);
1679
1680 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1681 &errmsg);
1682 tt_int_op(rv, OP_EQ, 0);
1683 tt_ptr_op(answer, OP_NE, NULL);
1684 tt_assert(strlen(answer) > 0);
1685 tt_assert(strlen(answer) == ipv4_len + ipv6_len + 1);
1686 tor_free(answer);
1687
1688 routerinfo_err = TOR_ROUTERINFO_ERROR_NO_EXT_ADDR;
1689 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1690 &errmsg);
1691 tt_int_op(rv, OP_EQ, -1);
1692 tt_ptr_op(answer, OP_EQ, NULL);
1693 tt_ptr_op(errmsg, OP_NE, NULL);
1694 tt_str_op(errmsg, OP_EQ, "No known exit address yet");
1695
1696 routerinfo_err = TOR_ROUTERINFO_ERROR_CANNOT_PARSE;
1697 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1698 &errmsg);
1699 tt_int_op(rv, OP_EQ, -1);
1700 tt_ptr_op(answer, OP_EQ, NULL);
1701 tt_ptr_op(errmsg, OP_NE, NULL);
1702 tt_str_op(errmsg, OP_EQ, "Cannot parse descriptor");
1703
1704 routerinfo_err = TOR_ROUTERINFO_ERROR_NOT_A_SERVER;
1705 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1706 &errmsg);
1707 tt_int_op(rv, OP_EQ, 0);
1708 tt_ptr_op(answer, OP_EQ, NULL);
1709 tt_ptr_op(errmsg, OP_NE, NULL);
1710 tt_str_op(errmsg, OP_EQ, "Not running in server mode");
1711
1712 routerinfo_err = TOR_ROUTERINFO_ERROR_DIGEST_FAILED;
1713 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1714 &errmsg);
1715
1716 tt_int_op(rv, OP_EQ, -1);
1717 tt_ptr_op(answer, OP_EQ, NULL);
1718 tt_ptr_op(errmsg, OP_NE, NULL);
1719 tt_str_op(errmsg, OP_EQ, "Key digest failed");
1720
1721 routerinfo_err = TOR_ROUTERINFO_ERROR_CANNOT_GENERATE;
1722 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1723 &errmsg);
1724 tt_int_op(rv, OP_EQ, -1);
1725 tt_ptr_op(answer, OP_EQ, NULL);
1726 tt_ptr_op(errmsg, OP_NE, NULL);
1727 tt_str_op(errmsg, OP_EQ, "Cannot generate descriptor");
1728
1729 routerinfo_err = TOR_ROUTERINFO_ERROR_DESC_REBUILDING;
1730 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1731 &errmsg);
1732 tt_int_op(rv, OP_EQ, -1);
1733 tt_ptr_op(answer, OP_EQ, NULL);
1734 tt_ptr_op(errmsg, OP_NE, NULL);
1735 tt_str_op(errmsg, OP_EQ, "Descriptor still rebuilding - not ready yet");
1736
1737 done:
1738 tor_free(answer);
1739 UNMOCK(get_options);
1740 UNMOCK(router_get_my_routerinfo);
1741 addr_policy_list_free(mock_my_routerinfo.exit_policy);
1742 }
1743
1744 #undef DEFAULT_POLICY_STRING
1745 #undef TEST_IPV4_ADDR
1746 #undef TEST_IPV6_ADDR
1747
1748 #define TEST_IPV4_ADDR_STR "1.2.3.4"
1749 #define TEST_IPV6_ADDR_STR "[1002::4567]"
1750 #define REJECT_IPv4_FINAL_STR "reject 0.0.0.0/0:*"
1751 #define REJECT_IPv6_FINAL_STR "reject [::]/0:*"
1752
1753 #define OTHER_IPV4_ADDR_STR "6.7.8.9"
1754 #define OTHER_IPV6_ADDR_STR "[afff::]"
1755
1756 /** Run unit tests for reachable_addr_allows */
1757 static void
1758 test_policies_fascist_firewall_allows_address(void *arg)
1759 {
1760 (void)arg;
1761 tor_addr_t ipv4_addr, ipv6_addr, r_ipv4_addr, r_ipv6_addr;
1762 tor_addr_t n_ipv4_addr, n_ipv6_addr;
1763 const uint16_t port = 1234;
1764 smartlist_t *policy = NULL;
1765 smartlist_t *e_policy = NULL;
1766 addr_policy_t *item = NULL;
1767 int malformed_list = 0;
1768
1769 /* Setup the options and the items in the policies */
1770 memset(&mock_options, 0, sizeof(or_options_t));
1771 MOCK(get_options, mock_get_options);
1772
1773 policy = smartlist_new();
1774 item = router_parse_addr_policy_item_from_string("accept "
1775 TEST_IPV4_ADDR_STR ":*",
1776 ADDR_POLICY_ACCEPT,
1777 &malformed_list);
1778 tt_assert(item);
1779 tt_assert(!malformed_list);
1780 smartlist_add(policy, item);
1781 item = router_parse_addr_policy_item_from_string("accept "
1782 TEST_IPV6_ADDR_STR,
1783 ADDR_POLICY_ACCEPT,
1784 &malformed_list);
1785 tt_assert(item);
1786 tt_assert(!malformed_list);
1787 smartlist_add(policy, item);
1788 /* Normally, policy_expand_unspec would do this for us */
1789 item = router_parse_addr_policy_item_from_string(REJECT_IPv4_FINAL_STR,
1790 ADDR_POLICY_ACCEPT,
1791 &malformed_list);
1792 tt_assert(item);
1793 tt_assert(!malformed_list);
1794 smartlist_add(policy, item);
1795 item = router_parse_addr_policy_item_from_string(REJECT_IPv6_FINAL_STR,
1796 ADDR_POLICY_ACCEPT,
1797 &malformed_list);
1798 tt_assert(item);
1799 tt_assert(!malformed_list);
1800 smartlist_add(policy, item);
1801 item = NULL;
1802
1803 e_policy = smartlist_new();
1804
1805 /*
1806 char *polstr = policy_dump_to_string(policy, 1, 1);
1807 printf("%s\n", polstr);
1808 tor_free(polstr);
1809 */
1810
1811 /* Parse the addresses */
1812 tor_addr_parse(&ipv4_addr, TEST_IPV4_ADDR_STR);
1813 tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR_STR);
1814 tor_addr_parse(&r_ipv4_addr, OTHER_IPV4_ADDR_STR);
1815 tor_addr_parse(&r_ipv6_addr, OTHER_IPV6_ADDR_STR);
1816 tor_addr_make_null(&n_ipv4_addr, AF_INET);
1817 tor_addr_make_null(&n_ipv6_addr, AF_INET6);
1818
1819 /* Test the function's address matching with IPv4 and IPv6 on */
1820 memset(&mock_options, 0, sizeof(or_options_t));
1821 mock_options.ClientUseIPv4 = 1;
1822 mock_options.ClientUseIPv6 = 1;
1823 mock_options.UseBridges = 0;
1824
1825 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 0, 0),
1826 OP_EQ, 1);
1827 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 0, 0),
1828 OP_EQ, 1);
1829 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 0, 0),
1830 OP_EQ, 0);
1831 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 0, 0),
1832 OP_EQ, 0);
1833
1834 /* Preferring IPv4 */
1835 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 1, 0),
1836 OP_EQ, 1);
1837 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 1, 0),
1838 OP_EQ, 0);
1839 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 1, 0),
1840 OP_EQ, 0);
1841 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 1, 0),
1842 OP_EQ, 0);
1843
1844 /* Preferring IPv6 */
1845 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 1, 1),
1846 OP_EQ, 0);
1847 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 1, 1),
1848 OP_EQ, 1);
1849 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 1, 1),
1850 OP_EQ, 0);
1851 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 1, 1),
1852 OP_EQ, 0);
1853
1854 /* Test the function's address matching with UseBridges on */
1855 memset(&mock_options, 0, sizeof(or_options_t));
1856 mock_options.ClientUseIPv4 = 1;
1857 mock_options.ClientUseIPv6 = 1;
1858 mock_options.UseBridges = 1;
1859
1860 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 0, 0),
1861 OP_EQ, 1);
1862 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 0, 0),
1863 OP_EQ, 1);
1864 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 0, 0),
1865 OP_EQ, 0);
1866 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 0, 0),
1867 OP_EQ, 0);
1868
1869 /* Preferring IPv4 */
1870 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 1, 0),
1871 OP_EQ, 1);
1872 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 1, 0),
1873 OP_EQ, 0);
1874 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 1, 0),
1875 OP_EQ, 0);
1876 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 1, 0),
1877 OP_EQ, 0);
1878
1879 /* Preferring IPv6 */
1880 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 1, 1),
1881 OP_EQ, 0);
1882 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 1, 1),
1883 OP_EQ, 1);
1884 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 1, 1),
1885 OP_EQ, 0);
1886 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 1, 1),
1887 OP_EQ, 0);
1888
1889 /* bridge clients always use IPv6, regardless of ClientUseIPv6 */
1890 mock_options.ClientUseIPv4 = 1;
1891 mock_options.ClientUseIPv6 = 0;
1892 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 0, 0),
1893 OP_EQ, 1);
1894 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 0, 0),
1895 OP_EQ, 1);
1896 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 0, 0),
1897 OP_EQ, 0);
1898 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 0, 0),
1899 OP_EQ, 0);
1900
1901 /* Test the function's address matching with IPv4 on */
1902 memset(&mock_options, 0, sizeof(or_options_t));
1903 mock_options.ClientUseIPv4 = 1;
1904 mock_options.ClientUseIPv6 = 0;
1905 mock_options.UseBridges = 0;
1906
1907 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 0, 0),
1908 OP_EQ, 1);
1909 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 0, 0),
1910 OP_EQ, 0);
1911 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 0, 0),
1912 OP_EQ, 0);
1913 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 0, 0),
1914 OP_EQ, 0);
1915
1916 /* Test the function's address matching with IPv6 on */
1917 memset(&mock_options, 0, sizeof(or_options_t));
1918 mock_options.ClientUseIPv4 = 0;
1919 mock_options.ClientUseIPv6 = 1;
1920 mock_options.UseBridges = 0;
1921
1922 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 0, 0),
1923 OP_EQ, 0);
1924 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 0, 0),
1925 OP_EQ, 1);
1926 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 0, 0),
1927 OP_EQ, 0);
1928 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 0, 0),
1929 OP_EQ, 0);
1930
1931 /* Test the function's address matching with ClientUseIPv4 0.
1932 * This means "use IPv6" regardless of the other settings. */
1933 memset(&mock_options, 0, sizeof(or_options_t));
1934 mock_options.ClientUseIPv4 = 0;
1935 mock_options.ClientUseIPv6 = 0;
1936 mock_options.UseBridges = 0;
1937
1938 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 0, 0),
1939 OP_EQ, 0);
1940 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 0, 0),
1941 OP_EQ, 1);
1942 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 0, 0),
1943 OP_EQ, 0);
1944 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 0, 0),
1945 OP_EQ, 0);
1946
1947 /* Test the function's address matching for unusual inputs */
1948 memset(&mock_options, 0, sizeof(or_options_t));
1949 mock_options.ClientUseIPv4 = 1;
1950 mock_options.ClientUseIPv6 = 1;
1951 mock_options.UseBridges = 1;
1952
1953 /* NULL and tor_addr_is_null addresses are rejected */
1954 tt_int_op(reachable_addr_allows(NULL, port, policy, 0, 0), OP_EQ,
1955 0);
1956 tt_int_op(reachable_addr_allows(&n_ipv4_addr, port, policy, 0, 0),
1957 OP_EQ, 0);
1958 tt_int_op(reachable_addr_allows(&n_ipv6_addr, port, policy, 0, 0),
1959 OP_EQ, 0);
1960
1961 /* zero ports are rejected */
1962 tt_int_op(reachable_addr_allows(&ipv4_addr, 0, policy, 0, 0),
1963 OP_EQ, 0);
1964 tt_int_op(reachable_addr_allows(&ipv6_addr, 0, policy, 0, 0),
1965 OP_EQ, 0);
1966
1967 /* NULL and empty policies accept everything */
1968 tt_int_op(reachable_addr_allows(&ipv4_addr, port, NULL, 0, 0),
1969 OP_EQ, 1);
1970 tt_int_op(reachable_addr_allows(&ipv6_addr, port, NULL, 0, 0),
1971 OP_EQ, 1);
1972 tt_int_op(reachable_addr_allows(&ipv4_addr, port, e_policy, 0, 0),
1973 OP_EQ, 1);
1974 tt_int_op(reachable_addr_allows(&ipv6_addr, port, e_policy, 0, 0),
1975 OP_EQ, 1);
1976
1977 done:
1978 addr_policy_free(item);
1979 addr_policy_list_free(policy);
1980 addr_policy_list_free(e_policy);
1981 UNMOCK(get_options);
1982 }
1983
1984 #undef REJECT_IPv4_FINAL_STR
1985 #undef REJECT_IPv6_FINAL_STR
1986 #undef OTHER_IPV4_ADDR_STR
1987 #undef OTHER_IPV6_ADDR_STR
1988
1989 #define TEST_IPV4_OR_PORT 1234
1990 #define TEST_IPV4_DIR_PORT 2345
1991 #define TEST_IPV6_OR_PORT 61234
1992 #define TEST_IPV6_DIR_PORT 62345
1993
1994 /* Check that reachable_addr_choose_from_rs() returns the expected
1995 * results. */
1996 #define CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \
1997 expect_ap) \
1998 STMT_BEGIN \
1999 tor_addr_port_t chosen_rs_ap; \
2000 tor_addr_make_null(&chosen_rs_ap.addr, AF_INET); \
2001 chosen_rs_ap.port = 0; \
2002 reachable_addr_choose_from_rs(&(fake_rs), (fw_connection), \
2003 (pref_only), &chosen_rs_ap); \
2004 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_rs_ap.addr)); \
2005 tt_int_op((expect_ap).port, OP_EQ, chosen_rs_ap.port); \
2006 STMT_END
2007
2008 /* Check that reachable_addr_choose_from_node() returns the expected
2009 * results. */
2010 #define CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, \
2011 expect_rv, expect_ap) \
2012 STMT_BEGIN \
2013 tor_addr_port_t chosen_node_ap; \
2014 tor_addr_make_null(&chosen_node_ap.addr, AF_INET); \
2015 chosen_node_ap.port = 0; \
2016 reachable_addr_choose_from_node(&(fake_node),(fw_connection), \
2017 (pref_only), &chosen_node_ap); \
2018 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_node_ap.addr)); \
2019 tt_int_op((expect_ap).port, OP_EQ, chosen_node_ap.port); \
2020 STMT_END
2021
2022 /* Check that reachable_addr_choose_from_rs and
2023 * reachable_addr_choose_from_node() both return the expected results. */
2024 #define CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, fw_connection, pref_only, \
2025 expect_rv, expect_ap) \
2026 STMT_BEGIN \
2027 CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \
2028 expect_ap); \
2029 CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, expect_rv, \
2030 expect_ap); \
2031 STMT_END
2032
2033 /* Check that reachable_addr_choose_from_ls() returns the expected
2034 * results. */
2035 #define CHECK_CHOSEN_ADDR_NULL_LS() \
2036 STMT_BEGIN \
2037 tor_addr_port_t chosen_ls_ap; \
2038 tor_addr_make_null(&chosen_ls_ap.addr, AF_UNSPEC); \
2039 chosen_ls_ap.port = 0; \
2040 setup_full_capture_of_logs(LOG_WARN); \
2041 reachable_addr_choose_from_ls(NULL, 1, &chosen_ls_ap); \
2042 expect_single_log_msg("Unknown or missing link specifiers"); \
2043 teardown_capture_of_logs(); \
2044 STMT_END
2045
2046 #define CHECK_CHOSEN_ADDR_LS(fake_ls, pref_only, expect_rv, expect_ap) \
2047 STMT_BEGIN \
2048 tor_addr_port_t chosen_ls_ap; \
2049 tor_addr_make_null(&chosen_ls_ap.addr, AF_UNSPEC); \
2050 chosen_ls_ap.port = 0; \
2051 setup_full_capture_of_logs(LOG_WARN); \
2052 reachable_addr_choose_from_ls(fake_ls, pref_only, &chosen_ls_ap); \
2053 if (smartlist_len(fake_ls) == 0) { \
2054 expect_single_log_msg("Link specifiers are empty"); \
2055 } else { \
2056 expect_no_log_entry(); \
2057 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_ls_ap.addr)); \
2058 tt_int_op((expect_ap).port, OP_EQ, chosen_ls_ap.port); \
2059 } \
2060 teardown_capture_of_logs(); \
2061 STMT_END
2062
2063 #define CHECK_LS_LEGACY_ONLY(fake_ls) \
2064 STMT_BEGIN \
2065 tor_addr_port_t chosen_ls_ap; \
2066 tor_addr_make_null(&chosen_ls_ap.addr, AF_UNSPEC); \
2067 chosen_ls_ap.port = 0; \
2068 setup_full_capture_of_logs(LOG_WARN); \
2069 reachable_addr_choose_from_ls(fake_ls, 0, &chosen_ls_ap); \
2070 expect_single_log_msg("None of our link specifiers have IPv4 or IPv6"); \
2071 teardown_capture_of_logs(); \
2072 STMT_END
2073
2074 #define CHECK_HS_EXTEND_INFO_ADDR_LS(fake_ls, direct_conn, expect_ap) \
2075 STMT_BEGIN \
2076 curve25519_secret_key_t seckey; \
2077 curve25519_secret_key_generate(&seckey, 0); \
2078 curve25519_public_key_t pubkey; \
2079 curve25519_public_key_generate(&pubkey, &seckey); \
2080 setup_full_capture_of_logs(LOG_WARN); \
2081 extend_info_t *ei = hs_get_extend_info_from_lspecs(fake_ls, &pubkey, \
2082 direct_conn); \
2083 if (fake_ls == NULL) { \
2084 tt_ptr_op(ei, OP_EQ, NULL); \
2085 expect_single_log_msg("Specified link specifiers is null"); \
2086 } else { \
2087 expect_no_log_entry(); \
2088 tt_assert(tor_addr_eq(&(expect_ap).addr, &ei->orports[0].addr)); \
2089 tt_int_op((expect_ap).port, OP_EQ, ei->orports[0].port); \
2090 extend_info_free(ei); \
2091 } \
2092 teardown_capture_of_logs(); \
2093 STMT_END
2094
2095 #define CHECK_HS_EXTEND_INFO_ADDR_LS_NULL_KEY(fake_ls) \
2096 STMT_BEGIN \
2097 setup_full_capture_of_logs(LOG_WARN); \
2098 extend_info_t *ei = hs_get_extend_info_from_lspecs(fake_ls, NULL, 0); \
2099 tt_ptr_op(ei, OP_EQ, NULL); \
2100 expect_single_log_msg("Specified onion key is null"); \
2101 teardown_capture_of_logs(); \
2102 STMT_END
2103
2104 #define CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(fake_ls, direct_conn) \
2105 STMT_BEGIN \
2106 curve25519_secret_key_t seckey; \
2107 curve25519_secret_key_generate(&seckey, 0); \
2108 curve25519_public_key_t pubkey; \
2109 curve25519_public_key_generate(&pubkey, &seckey); \
2110 extend_info_t *ei = hs_get_extend_info_from_lspecs(fake_ls, &pubkey, \
2111 direct_conn); \
2112 tt_ptr_op(ei, OP_EQ, NULL); \
2113 STMT_END
2114
2115 #define CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_MSG(fake_ls, msg_level, msg) \
2116 STMT_BEGIN \
2117 curve25519_secret_key_t seckey; \
2118 curve25519_secret_key_generate(&seckey, 0); \
2119 curve25519_public_key_t pubkey; \
2120 curve25519_public_key_generate(&pubkey, &seckey); \
2121 setup_full_capture_of_logs(msg_level); \
2122 extend_info_t *ei = hs_get_extend_info_from_lspecs(fake_ls, &pubkey, 0); \
2123 tt_ptr_op(ei, OP_EQ, NULL); \
2124 expect_single_log_msg(msg); \
2125 teardown_capture_of_logs(); \
2126 STMT_END
2127
2128 /** Run unit tests for reachable_addr_choose */
2129 static void
2130 test_policies_fascist_firewall_choose_address(void *arg)
2131 {
2132 (void)arg;
2133 tor_addr_port_t ipv4_or_ap, ipv4_dir_ap, ipv6_or_ap, ipv6_dir_ap;
2134 tor_addr_port_t n_ipv4_ap, n_ipv6_ap;
2135
2136 /* Setup the options */
2137 memset(&mock_options, 0, sizeof(or_options_t));
2138 MOCK(get_options, mock_get_options);
2139
2140 /* Parse the addresses */
2141 tor_addr_parse(&ipv4_or_ap.addr, TEST_IPV4_ADDR_STR);
2142 ipv4_or_ap.port = TEST_IPV4_OR_PORT;
2143 tor_addr_parse(&ipv4_dir_ap.addr, TEST_IPV4_ADDR_STR);
2144 ipv4_dir_ap.port = TEST_IPV4_DIR_PORT;
2145
2146 tor_addr_parse(&ipv6_or_ap.addr, TEST_IPV6_ADDR_STR);
2147 ipv6_or_ap.port = TEST_IPV6_OR_PORT;
2148 tor_addr_parse(&ipv6_dir_ap.addr, TEST_IPV6_ADDR_STR);
2149 ipv6_dir_ap.port = TEST_IPV6_DIR_PORT;
2150
2151 tor_addr_make_null(&n_ipv4_ap.addr, AF_INET);
2152 n_ipv4_ap.port = 0;
2153 tor_addr_make_null(&n_ipv6_ap.addr, AF_INET6);
2154 n_ipv6_ap.port = 0;
2155
2156 /* Sanity check reachable_addr_choose with IPv4 and IPv6 on */
2157 memset(&mock_options, 0, sizeof(or_options_t));
2158 mock_options.ClientUseIPv4 = 1;
2159 mock_options.ClientUseIPv6 = 1;
2160 mock_options.UseBridges = 0;
2161
2162 /* Prefer IPv4 */
2163 tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 1,
2164 FIREWALL_OR_CONNECTION, 0, 0)
2165 == &ipv4_or_ap);
2166 tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 1,
2167 FIREWALL_OR_CONNECTION, 1, 0)
2168 == &ipv4_or_ap);
2169 tt_assert(reachable_addr_choose(&ipv4_dir_ap, &ipv6_dir_ap, 1,
2170 FIREWALL_DIR_CONNECTION, 0, 0)
2171 == &ipv4_dir_ap);
2172 tt_assert(reachable_addr_choose(&ipv4_dir_ap, &ipv6_dir_ap, 1,
2173 FIREWALL_DIR_CONNECTION, 1, 0)
2174 == &ipv4_dir_ap);
2175
2176 /* Prefer IPv6 */
2177 tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 0,
2178 FIREWALL_OR_CONNECTION, 0, 1)
2179 == &ipv6_or_ap);
2180 tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 0,
2181 FIREWALL_OR_CONNECTION, 1, 1)
2182 == &ipv6_or_ap);
2183 tt_assert(reachable_addr_choose(&ipv4_dir_ap, &ipv6_dir_ap, 0,
2184 FIREWALL_DIR_CONNECTION, 0, 1)
2185 == &ipv6_dir_ap);
2186 tt_assert(reachable_addr_choose(&ipv4_dir_ap, &ipv6_dir_ap, 0,
2187 FIREWALL_DIR_CONNECTION, 1, 1)
2188 == &ipv6_dir_ap);
2189
2190 /* Unusual inputs */
2191
2192 /* null preferred OR addresses */
2193 tt_assert(reachable_addr_choose(&ipv4_or_ap, &n_ipv6_ap, 0,
2194 FIREWALL_OR_CONNECTION, 0, 1)
2195 == &ipv4_or_ap);
2196 tt_assert(reachable_addr_choose(&n_ipv4_ap, &ipv6_or_ap, 1,
2197 FIREWALL_OR_CONNECTION, 0, 0)
2198 == &ipv6_or_ap);
2199
2200 /* null both OR addresses */
2201 tt_ptr_op(reachable_addr_choose(&n_ipv4_ap, &n_ipv6_ap, 0,
2202 FIREWALL_OR_CONNECTION, 0, 1),
2203 OP_EQ, NULL);
2204 tt_ptr_op(reachable_addr_choose(&n_ipv4_ap, &n_ipv6_ap, 1,
2205 FIREWALL_OR_CONNECTION, 0, 0),
2206 OP_EQ, NULL);
2207
2208 /* null preferred Dir addresses */
2209 tt_assert(reachable_addr_choose(&ipv4_dir_ap, &n_ipv6_ap, 0,
2210 FIREWALL_DIR_CONNECTION, 0, 1)
2211 == &ipv4_dir_ap);
2212 tt_assert(reachable_addr_choose(&n_ipv4_ap, &ipv6_dir_ap, 1,
2213 FIREWALL_DIR_CONNECTION, 0, 0)
2214 == &ipv6_dir_ap);
2215
2216 /* null both Dir addresses */
2217 tt_ptr_op(reachable_addr_choose(&n_ipv4_ap, &n_ipv6_ap, 0,
2218 FIREWALL_DIR_CONNECTION, 0, 1),
2219 OP_EQ, NULL);
2220 tt_ptr_op(reachable_addr_choose(&n_ipv4_ap, &n_ipv6_ap, 1,
2221 FIREWALL_DIR_CONNECTION, 0, 0),
2222 OP_EQ, NULL);
2223
2224 /* Prefer IPv4 but want IPv6 (contradictory) */
2225 tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 0,
2226 FIREWALL_OR_CONNECTION, 0, 0)
2227 == &ipv4_or_ap);
2228 tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 0,
2229 FIREWALL_OR_CONNECTION, 1, 0)
2230 == &ipv4_or_ap);
2231
2232 /* Prefer IPv6 but want IPv4 (contradictory) */
2233 tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 1,
2234 FIREWALL_OR_CONNECTION, 0, 1)
2235 == &ipv6_or_ap);
2236 tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 1,
2237 FIREWALL_OR_CONNECTION, 1, 1)
2238 == &ipv6_or_ap);
2239
2240 /* Make a fake rs. There will be no corresponding node.
2241 * This is what happens when there's no consensus and we're bootstrapping
2242 * from authorities / fallbacks. */
2243 routerstatus_t fake_rs;
2244 memset(&fake_rs, 0, sizeof(routerstatus_t));
2245 /* In a routerstatus, the OR and Dir addresses are the same */
2246 tor_addr_copy(&fake_rs.ipv4_addr, &ipv4_or_ap.addr);
2247 fake_rs.ipv4_orport = ipv4_or_ap.port;
2248 fake_rs.ipv4_dirport = ipv4_dir_ap.port;
2249
2250 tor_addr_copy(&fake_rs.ipv6_addr, &ipv6_or_ap.addr);
2251 fake_rs.ipv6_orport = ipv6_or_ap.port;
2252 /* In a routerstatus, the IPv4 and IPv6 DirPorts are the same.*/
2253 ipv6_dir_ap.port = TEST_IPV4_DIR_PORT;
2254
2255 /* Make a fake node. Even though it contains the fake_rs, a lookup won't
2256 * find the node from the rs, because they're not in the hash table. */
2257 node_t fake_node;
2258 memset(&fake_node, 0, sizeof(node_t));
2259 fake_node.rs = &fake_rs;
2260
2261 /* Choose an address with IPv4 and IPv6 on */
2262 memset(&mock_options, 0, sizeof(or_options_t));
2263 mock_options.ClientUseIPv4 = 1;
2264 mock_options.ClientUseIPv6 = 1;
2265 mock_options.UseBridges = 0;
2266
2267 /* Preferring IPv4 */
2268 mock_options.ClientPreferIPv6ORPort = 0;
2269 mock_options.ClientPreferIPv6DirPort = 0;
2270 /* Simulate the initialisation of fake_node.ipv6_preferred */
2271 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2272 &mock_options);
2273
2274 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2275 ipv4_or_ap);
2276 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2277 ipv4_or_ap);
2278 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2279 ipv4_dir_ap);
2280 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2281 ipv4_dir_ap);
2282
2283 /* Auto (Preferring IPv4) */
2284 mock_options.ClientPreferIPv6ORPort = -1;
2285 mock_options.ClientPreferIPv6DirPort = -1;
2286 /* Simulate the initialisation of fake_node.ipv6_preferred */
2287 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2288 &mock_options);
2289
2290 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2291 ipv4_or_ap);
2292 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2293 ipv4_or_ap);
2294 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2295 ipv4_dir_ap);
2296 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2297 ipv4_dir_ap);
2298
2299 /* Preferring IPv6 */
2300 mock_options.ClientPreferIPv6ORPort = 1;
2301 mock_options.ClientPreferIPv6DirPort = 1;
2302 /* Simulate the initialisation of fake_node.ipv6_preferred */
2303 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2304 &mock_options);
2305
2306 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2307 ipv6_or_ap);
2308 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2309 ipv6_or_ap);
2310 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2311 ipv6_dir_ap);
2312 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2313 ipv6_dir_ap);
2314
2315 /* Preferring IPv4 OR / IPv6 Dir */
2316 mock_options.ClientPreferIPv6ORPort = 0;
2317 mock_options.ClientPreferIPv6DirPort = 1;
2318 /* Simulate the initialisation of fake_node.ipv6_preferred */
2319 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2320 &mock_options);
2321
2322 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2323 ipv4_or_ap);
2324 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2325 ipv4_or_ap);
2326 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2327 ipv6_dir_ap);
2328 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2329 ipv6_dir_ap);
2330
2331 /* Preferring IPv6 OR / IPv4 Dir */
2332 mock_options.ClientPreferIPv6ORPort = 1;
2333 mock_options.ClientPreferIPv6DirPort = 0;
2334 /* Simulate the initialisation of fake_node.ipv6_preferred */
2335 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2336 &mock_options);
2337
2338 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2339 ipv6_or_ap);
2340 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2341 ipv6_or_ap);
2342 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2343 ipv4_dir_ap);
2344 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2345 ipv4_dir_ap);
2346
2347 /* Choose an address with UseBridges on */
2348 memset(&mock_options, 0, sizeof(or_options_t));
2349 mock_options.UseBridges = 1;
2350 mock_options.ClientUseIPv4 = 1;
2351 mock_options.ClientUseIPv6 = 1;
2352
2353 /* Preferring IPv4 */
2354 mock_options.ClientPreferIPv6ORPort = 0;
2355 mock_options.ClientPreferIPv6DirPort = 0;
2356 /* Simulate the initialisation of fake_node.ipv6_preferred */
2357 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2358 &mock_options);
2359
2360 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2361 ipv4_or_ap);
2362 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2363 ipv4_or_ap);
2364 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2365 ipv4_dir_ap);
2366 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2367 ipv4_dir_ap);
2368
2369 /* Auto:
2370 * - bridge clients prefer the configured bridge OR address from the node,
2371 * (the configured address family sets node.ipv6_preferred)
2372 * - other clients prefer IPv4 OR by default (see above),
2373 * - all clients, including bridge clients, prefer IPv4 Dir by default.
2374 */
2375 mock_options.ClientPreferIPv6ORPort = -1;
2376 mock_options.ClientPreferIPv6DirPort = -1;
2377
2378 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2379 * configured with an IPv4 address */
2380 fake_node.ipv6_preferred = 0;
2381 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2382 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2383 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2384 ipv4_dir_ap);
2385 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2386 ipv4_dir_ap);
2387
2388 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2389 * configured with an IPv6 address */
2390 fake_node.ipv6_preferred = 1;
2391 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv6_or_ap);
2392 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv6_or_ap);
2393 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2394 ipv4_dir_ap);
2395 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2396 ipv4_dir_ap);
2397
2398 /* When a rs has no node, it defaults to IPv4 under auto. */
2399 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2400 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2401 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 0, 1, ipv4_dir_ap);
2402 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 1, 1, ipv4_dir_ap);
2403
2404 /* Preferring IPv6 */
2405 mock_options.ClientPreferIPv6ORPort = 1;
2406 mock_options.ClientPreferIPv6DirPort = 1;
2407 /* Simulate the initialisation of fake_node.ipv6_preferred */
2408 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2409 &mock_options);
2410
2411 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2412 ipv6_or_ap);
2413 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2414 ipv6_or_ap);
2415 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2416 ipv6_dir_ap);
2417 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2418 ipv6_dir_ap);
2419
2420 /* In the default configuration (Auto / IPv6 off), bridge clients should
2421 * use both IPv4 and IPv6, but only prefer IPv6 for bridges configured with
2422 * an IPv6 address, regardless of ClientUseIPv6. (See above.) */
2423 mock_options.ClientUseIPv6 = 0;
2424 mock_options.ClientPreferIPv6ORPort = -1;
2425 mock_options.ClientPreferIPv6DirPort = -1;
2426 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2427 * configured with an IPv4 address */
2428 fake_node.ipv6_preferred = 0;
2429 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2430 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2431 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2432 ipv4_dir_ap);
2433 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2434 ipv4_dir_ap);
2435
2436 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2437 * configured with an IPv6 address */
2438 fake_node.ipv6_preferred = 1;
2439 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv6_or_ap);
2440 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv6_or_ap);
2441 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2442 ipv4_dir_ap);
2443 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2444 ipv4_dir_ap);
2445
2446 /* When a rs has no node, it defaults to IPv4 under auto. */
2447 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2448 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2449 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 0, 1, ipv4_dir_ap);
2450 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 1, 1, ipv4_dir_ap);
2451
2452 /* Choose an address with IPv4 on */
2453 memset(&mock_options, 0, sizeof(or_options_t));
2454 mock_options.ClientUseIPv4 = 1;
2455 mock_options.ClientUseIPv6 = 0;
2456 /* Simulate the initialisation of fake_node.ipv6_preferred */
2457 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2458 &mock_options);
2459
2460 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2461 ipv4_or_ap);
2462 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2463 ipv4_or_ap);
2464 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2465 ipv4_dir_ap);
2466 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2467 ipv4_dir_ap);
2468
2469 /* Choose an address with IPv6 on */
2470 memset(&mock_options, 0, sizeof(or_options_t));
2471 mock_options.ClientUseIPv4 = 0;
2472 mock_options.ClientUseIPv6 = 1;
2473 /* Simulate the initialisation of fake_node.ipv6_preferred */
2474 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2475 &mock_options);
2476
2477 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2478 ipv6_or_ap);
2479 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2480 ipv6_or_ap);
2481 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2482 ipv6_dir_ap);
2483 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2484 ipv6_dir_ap);
2485
2486 /* Choose an address with ClientUseIPv4 0.
2487 * This means "use IPv6" regardless of the other settings. */
2488 memset(&mock_options, 0, sizeof(or_options_t));
2489 mock_options.ClientUseIPv4 = 0;
2490 mock_options.ClientUseIPv6 = 0;
2491 /* Simulate the initialisation of fake_node.ipv6_preferred */
2492 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2493 &mock_options);
2494
2495 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2496 ipv6_or_ap);
2497 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2498 ipv6_or_ap);
2499 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2500 ipv6_dir_ap);
2501 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2502 ipv6_dir_ap);
2503
2504 /* Choose an address with ORPort_set 1 (server mode).
2505 * This means "use IPv4" regardless of the other settings. */
2506 memset(&mock_options, 0, sizeof(or_options_t));
2507 mock_options.ORPort_set = 1;
2508 mock_options.ClientUseIPv4 = 0;
2509 mock_options.ClientUseIPv6 = 1;
2510 mock_options.ClientPreferIPv6ORPort = 1;
2511 mock_options.ClientPreferIPv6DirPort = 1;
2512
2513 /* Simulate the initialisation of fake_node.ipv6_preferred */
2514 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2515 &mock_options);
2516
2517 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2518 ipv4_or_ap);
2519 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2520 ipv4_or_ap);
2521 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2522 ipv4_dir_ap);
2523 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2524 ipv4_dir_ap);
2525
2526 /* Test firewall_choose_address_ls(). To do this, we make a fake link
2527 * specifier. */
2528 smartlist_t *lspecs = smartlist_new(),
2529 *lspecs_blank = smartlist_new(),
2530 *lspecs_v4 = smartlist_new(),
2531 *lspecs_v6 = smartlist_new(),
2532 *lspecs_no_legacy = smartlist_new(),
2533 *lspecs_legacy_only = smartlist_new();
2534 link_specifier_t *fake_ls;
2535
2536 /* IPv4 link specifier */
2537 fake_ls = link_specifier_new();
2538 link_specifier_set_ls_type(fake_ls, LS_IPV4);
2539 link_specifier_set_un_ipv4_addr(fake_ls,
2540 tor_addr_to_ipv4h(&ipv4_or_ap.addr));
2541 link_specifier_set_un_ipv4_port(fake_ls, ipv4_or_ap.port);
2542 link_specifier_set_ls_len(fake_ls, sizeof(ipv4_or_ap.addr.addr.in_addr) +
2543 sizeof(ipv4_or_ap.port));
2544 smartlist_add(lspecs, fake_ls);
2545 smartlist_add(lspecs_v4, fake_ls);
2546 smartlist_add(lspecs_no_legacy, fake_ls);
2547
2548 /* IPv6 link specifier */
2549 fake_ls = link_specifier_new();
2550 link_specifier_set_ls_type(fake_ls, LS_IPV6);
2551 size_t addr_len = link_specifier_getlen_un_ipv6_addr(fake_ls);
2552 const uint8_t *in6_addr = tor_addr_to_in6_addr8(&ipv6_or_ap.addr);
2553 uint8_t *ipv6_array = link_specifier_getarray_un_ipv6_addr(fake_ls);
2554 memcpy(ipv6_array, in6_addr, addr_len);
2555 link_specifier_set_un_ipv6_port(fake_ls, ipv6_or_ap.port);
2556 link_specifier_set_ls_len(fake_ls, addr_len + sizeof(ipv6_or_ap.port));
2557 smartlist_add(lspecs, fake_ls);
2558 smartlist_add(lspecs_v6, fake_ls);
2559
2560 /* Legacy ID link specifier */
2561 fake_ls = link_specifier_new();
2562 link_specifier_set_ls_type(fake_ls, LS_LEGACY_ID);
2563 uint8_t *legacy_id = link_specifier_getarray_un_legacy_id(fake_ls);
2564 memset(legacy_id, 'A', sizeof(*legacy_id));
2565 link_specifier_set_ls_len(fake_ls,
2566 link_specifier_getlen_un_legacy_id(fake_ls));
2567 smartlist_add(lspecs, fake_ls);
2568 smartlist_add(lspecs_legacy_only, fake_ls);
2569 smartlist_add(lspecs_v4, fake_ls);
2570 smartlist_add(lspecs_v6, fake_ls);
2571
2572 /* Check with bogus requests. */
2573 tor_addr_port_t null_ap; \
2574 tor_addr_make_null(&null_ap.addr, AF_UNSPEC); \
2575 null_ap.port = 0; \
2576
2577 /* Check for a null link state. */
2578 CHECK_CHOSEN_ADDR_NULL_LS();
2579 CHECK_HS_EXTEND_INFO_ADDR_LS(NULL, 1, null_ap);
2580
2581 /* Check for a blank link state. */
2582 CHECK_CHOSEN_ADDR_LS(lspecs_blank, 0, 0, null_ap);
2583 CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(lspecs_blank, 0);
2584
2585 /* Check for a link state with only a Legacy ID. */
2586 CHECK_LS_LEGACY_ONLY(lspecs_legacy_only);
2587 CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(lspecs_legacy_only, 0);
2588 smartlist_free(lspecs_legacy_only);
2589
2590 /* Check with a null onion_key. */
2591 CHECK_HS_EXTEND_INFO_ADDR_LS_NULL_KEY(lspecs_blank);
2592 smartlist_free(lspecs_blank);
2593
2594 /* Check with a null onion_key. */
2595 CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_MSG(lspecs_no_legacy, LOG_WARN,
2596 "Missing Legacy ID in link state");
2597 smartlist_free(lspecs_no_legacy);
2598
2599 /* Enable both IPv4 and IPv6. */
2600 memset(&mock_options, 0, sizeof(or_options_t));
2601 mock_options.ClientUseIPv4 = 1;
2602 mock_options.ClientUseIPv6 = 1;
2603
2604 /* Prefer IPv4, enable both IPv4 and IPv6. */
2605 mock_options.ClientPreferIPv6ORPort = 0;
2606
2607 CHECK_CHOSEN_ADDR_LS(lspecs, 0, 1, ipv4_or_ap);
2608 CHECK_CHOSEN_ADDR_LS(lspecs, 1, 1, ipv4_or_ap);
2609
2610 CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 1, ipv4_or_ap);
2611 CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 0, ipv4_or_ap);
2612
2613 /* Prefer IPv6, enable both IPv4 and IPv6. */
2614 mock_options.ClientPreferIPv6ORPort = 1;
2615
2616 CHECK_CHOSEN_ADDR_LS(lspecs, 0, 1, ipv6_or_ap);
2617 CHECK_CHOSEN_ADDR_LS(lspecs, 1, 1, ipv6_or_ap);
2618
2619 CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 1, ipv6_or_ap);
2620 CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 0, ipv4_or_ap);
2621
2622 /* IPv4-only. */
2623 memset(&mock_options, 0, sizeof(or_options_t));
2624 mock_options.ClientUseIPv4 = 1;
2625 mock_options.ClientUseIPv6 = 0;
2626
2627 CHECK_CHOSEN_ADDR_LS(lspecs, 0, 1, ipv4_or_ap);
2628 CHECK_CHOSEN_ADDR_LS(lspecs, 1, 1, ipv4_or_ap);
2629
2630 CHECK_CHOSEN_ADDR_LS(lspecs_v6, 0, 0, null_ap);
2631
2632 CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 1, ipv4_or_ap);
2633 CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 0, ipv4_or_ap);
2634
2635 CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(lspecs_v6, 0);
2636 CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(lspecs_v6, 1);
2637
2638 /* IPv6-only. */
2639 memset(&mock_options, 0, sizeof(or_options_t));
2640 mock_options.ClientUseIPv4 = 0;
2641 mock_options.ClientUseIPv6 = 1;
2642
2643 CHECK_CHOSEN_ADDR_LS(lspecs, 0, 1, ipv6_or_ap);
2644 CHECK_CHOSEN_ADDR_LS(lspecs, 1, 1, ipv6_or_ap);
2645
2646 CHECK_CHOSEN_ADDR_LS(lspecs_v4, 0, 0, null_ap);
2647
2648 CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 1, ipv6_or_ap);
2649 CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 0, ipv4_or_ap);
2650
2651 CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(lspecs_v4, 1);
2652 CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(lspecs_v6, 0);
2653
2654 smartlist_free(lspecs_v4);
2655 smartlist_free(lspecs_v6);
2656
2657 SMARTLIST_FOREACH(lspecs, link_specifier_t *, lspec, \
2658 link_specifier_free(lspec)); \
2659 smartlist_free(lspecs);
2660
2661 done:
2662 UNMOCK(get_options);
2663 }
2664
2665 #undef TEST_IPV4_ADDR_STR
2666 #undef TEST_IPV6_ADDR_STR
2667 #undef TEST_IPV4_OR_PORT
2668 #undef TEST_IPV4_DIR_PORT
2669 #undef TEST_IPV6_OR_PORT
2670 #undef TEST_IPV6_DIR_PORT
2671
2672 #undef CHECK_CHOSEN_ADDR_RS
2673 #undef CHECK_CHOSEN_ADDR_NODE
2674 #undef CHECK_CHOSEN_ADDR_RN
2675
2676 struct testcase_t policy_tests[] = {
2677 { "router_dump_exit_policy_to_string", test_dump_exit_policy_to_string, 0,
2678 NULL, NULL },
2679 { "general", test_policies_general, 0, NULL, NULL },
2680 { "getinfo_helper_policies", test_policies_getinfo_helper_policies, 0, NULL,
2681 NULL },
2682 { "reject_exit_address", test_policies_reject_exit_address, 0, NULL, NULL },
2683 { "reject_interface_address", test_policies_reject_interface_address, 0,
2684 NULL, NULL },
2685 { "reject_port_address", test_policies_reject_port_address, 0, NULL, NULL },
2686 { "reachable_addr_allows",
2687 test_policies_fascist_firewall_allows_address, 0, NULL, NULL },
2688 { "reachable_addr_choose",
2689 test_policies_fascist_firewall_choose_address, 0, NULL, NULL },
2690 END_OF_TESTCASES
2691 };
The Onion Router