search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'bug27849_redux'
[tor.git] / src / test / test_policy.c
blobafe608f5f77fadcd92d6c59ead6d62e2f0053e5c
1 /* Copyright (c) 2013-2018, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3
4 #define CONFIG_PRIVATE
5 #define POLICIES_PRIVATE
6
7 #include "core/or/or.h"
8 #include "app/config/config.h"
9 #include "core/or/policies.h"
10 #include "feature/dirparse/policy_parse.h"
11 #include "feature/relay/router.h"
12 #include "lib/encoding/confline.h"
13 #include "test/test.h"
14
15 #include "core/or/addr_policy_st.h"
16 #include "core/or/port_cfg_st.h"
17 #include "feature/nodelist/node_st.h"
18 #include "feature/nodelist/routerinfo_st.h"
19 #include "feature/nodelist/routerstatus_st.h"
20
21 /* Helper: assert that short_policy parses and writes back out as itself,
22 or as <b>expected</b> if that's provided. */
23 static void
24 test_short_policy_parse(const char *input,
25 const char *expected)
26 {
27 short_policy_t *short_policy = NULL;
28 char *out = NULL;
29
30 if (expected == NULL)
31 expected = input;
32
33 short_policy = parse_short_policy(input);
34 tt_assert(short_policy);
35 out = write_short_policy(short_policy);
36 tt_str_op(out, OP_EQ, expected);
37
38 done:
39 tor_free(out);
40 short_policy_free(short_policy);
41 }
42
43 /** Helper: Parse the exit policy string in <b>policy_str</b> with
44 * <b>options</b>, and make sure that policies_summarize() produces the string
45 * <b>expected_summary</b> from it when called with family. */
46 static void
47 test_policy_summary_helper_family_flags(const char *policy_str,
48 const char *expected_summary,
49 sa_family_t family,
50 exit_policy_parser_cfg_t options)
51 {
52 config_line_t line;
53 smartlist_t *policy = smartlist_new();
54 char *summary = NULL;
55 char *summary_after = NULL;
56 int r;
57 short_policy_t *short_policy = NULL;
58 int success = 0;
59
60 line.key = (char*)"foo";
61 line.value = (char *)policy_str;
62 line.next = NULL;
63
64 r = policies_parse_exit_policy(&line, &policy,
65 options, NULL);
66 tt_int_op(r,OP_EQ, 0);
67
68 summary = policy_summarize(policy, family);
69
70 tt_ptr_op(summary, OP_NE, NULL);
71 tt_str_op(summary,OP_EQ, expected_summary);
72
73 short_policy = parse_short_policy(summary);
74 tt_assert(short_policy);
75 summary_after = write_short_policy(short_policy);
76 tt_str_op(summary,OP_EQ, summary_after);
77
78 success = 1;
79 done:
80 /* If we don't print the flags on failure, it's very hard to diagnose bugs */
81 if (!success)
82 TT_DECLARE("CTXT", ("\n IPv%d\n Options: %x\n Policy: %s",
83 family == AF_INET ? 4 : 6, options, policy_str));
84 tor_free(summary_after);
85 tor_free(summary);
86 if (policy)
87 addr_policy_list_free(policy);
88 short_policy_free(short_policy);
89 }
90
91 /** Like test_policy_summary_helper_family_flags, but tries all the different
92 * flag combinations */
93 static void
94 test_policy_summary_helper_family(const char *policy_str,
95 const char *expected_summary,
96 sa_family_t family)
97 {
98 for (exit_policy_parser_cfg_t opt = 0;
99 opt <= EXIT_POLICY_OPTION_ALL;
100 opt++) {
101 if (family == AF_INET6 && !(opt & EXIT_POLICY_IPV6_ENABLED))
102 /* Skip the test: IPv6 addresses need IPv6 enabled */
103 continue;
104
105 if (opt & EXIT_POLICY_REJECT_LOCAL_INTERFACES)
106 /* Skip the test: local interfaces are machine-specific */
107 continue;
108
109 test_policy_summary_helper_family_flags(policy_str, expected_summary,
110 family, opt);
111 }
112 }
113
114 /** Like test_policy_summary_helper_family, but uses expected_summary for
115 * both IPv4 and IPv6. */
116 static void
117 test_policy_summary_helper(const char *policy_str,
118 const char *expected_summary)
119 {
120 test_policy_summary_helper_family(policy_str, expected_summary, AF_INET);
121 test_policy_summary_helper_family(policy_str, expected_summary, AF_INET6);
122 }
123
124 /** Like test_policy_summary_helper_family, but uses expected_summary4 for
125 * IPv4 and expected_summary6 for IPv6. */
126 static void
127 test_policy_summary_helper6(const char *policy_str,
128 const char *expected_summary4,
129 const char *expected_summary6)
130 {
131 test_policy_summary_helper_family(policy_str, expected_summary4, AF_INET);
132 test_policy_summary_helper_family(policy_str, expected_summary6, AF_INET6);
133 }
134
135 /** Run unit tests for generating summary lines of exit policies */
136 static void
137 test_policies_general(void *arg)
138 {
139 int i;
140 smartlist_t *policy = NULL, *policy2 = NULL, *policy3 = NULL,
141 *policy4 = NULL, *policy5 = NULL, *policy6 = NULL,
142 *policy7 = NULL, *policy8 = NULL, *policy9 = NULL,
143 *policy10 = NULL, *policy11 = NULL, *policy12 = NULL;
144 addr_policy_t *p;
145 tor_addr_t tar, tar2;
146 smartlist_t *addr_list = NULL;
147 config_line_t line;
148 smartlist_t *sm = NULL;
149 char *policy_str = NULL;
150 short_policy_t *short_parsed = NULL;
151 int malformed_list = -1;
152 (void)arg;
153
154 policy = smartlist_new();
155
156 p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*", -1,
157 &malformed_list);
158 tt_ptr_op(p, OP_NE, NULL);
159 tt_int_op(ADDR_POLICY_REJECT,OP_EQ, p->policy_type);
160 tor_addr_from_ipv4h(&tar, 0xc0a80000u);
161 tt_int_op(0,OP_EQ, tor_addr_compare(&p->addr, &tar, CMP_EXACT));
162 tt_int_op(16,OP_EQ, p->maskbits);
163 tt_int_op(1,OP_EQ, p->prt_min);
164 tt_int_op(65535,OP_EQ, p->prt_max);
165
166 smartlist_add(policy, p);
167
168 tor_addr_from_ipv4h(&tar, 0x01020304u);
169 tt_assert(ADDR_POLICY_ACCEPTED ==
170 compare_tor_addr_to_addr_policy(&tar, 2, policy));
171 tor_addr_make_unspec(&tar);
172 tt_assert(ADDR_POLICY_PROBABLY_ACCEPTED ==
173 compare_tor_addr_to_addr_policy(&tar, 2, policy));
174 tor_addr_from_ipv4h(&tar, 0xc0a80102);
175 tt_assert(ADDR_POLICY_REJECTED ==
176 compare_tor_addr_to_addr_policy(&tar, 2, policy));
177
178 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy2,
179 EXIT_POLICY_IPV6_ENABLED |
180 EXIT_POLICY_REJECT_PRIVATE |
181 EXIT_POLICY_ADD_DEFAULT, NULL));
182
183 tt_assert(policy2);
184
185 tor_addr_from_ipv4h(&tar, 0x0306090cu);
186 tor_addr_parse(&tar2, "[2000::1234]");
187 addr_list = smartlist_new();
188 smartlist_add(addr_list, &tar);
189 smartlist_add(addr_list, &tar2);
190 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy12,
191 EXIT_POLICY_IPV6_ENABLED |
192 EXIT_POLICY_REJECT_PRIVATE |
193 EXIT_POLICY_ADD_DEFAULT,
194 addr_list));
195 smartlist_free(addr_list);
196 addr_list = NULL;
197
198 tt_assert(policy12);
199
200 policy3 = smartlist_new();
201 p = router_parse_addr_policy_item_from_string("reject *:*", -1,
202 &malformed_list);
203 tt_ptr_op(p, OP_NE, NULL);
204 smartlist_add(policy3, p);
205 p = router_parse_addr_policy_item_from_string("accept *:*", -1,
206 &malformed_list);
207 tt_ptr_op(p, OP_NE, NULL);
208 smartlist_add(policy3, p);
209
210 policy4 = smartlist_new();
211 p = router_parse_addr_policy_item_from_string("accept *:443", -1,
212 &malformed_list);
213 tt_ptr_op(p, OP_NE, NULL);
214 smartlist_add(policy4, p);
215 p = router_parse_addr_policy_item_from_string("accept *:443", -1,
216 &malformed_list);
217 tt_ptr_op(p, OP_NE, NULL);
218 smartlist_add(policy4, p);
219
220 policy5 = smartlist_new();
221 p = router_parse_addr_policy_item_from_string("reject 0.0.0.0/8:*", -1,
222 &malformed_list);
223 tt_ptr_op(p, OP_NE, NULL);
224 smartlist_add(policy5, p);
225 p = router_parse_addr_policy_item_from_string("reject 169.254.0.0/16:*", -1,
226 &malformed_list);
227 tt_ptr_op(p, OP_NE, NULL);
228 smartlist_add(policy5, p);
229 p = router_parse_addr_policy_item_from_string("reject 127.0.0.0/8:*", -1,
230 &malformed_list);
231 tt_ptr_op(p, OP_NE, NULL);
232 smartlist_add(policy5, p);
233 p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*",
234 -1, &malformed_list);
235 tt_ptr_op(p, OP_NE, NULL);
236 smartlist_add(policy5, p);
237 p = router_parse_addr_policy_item_from_string("reject 10.0.0.0/8:*", -1,
238 &malformed_list);
239 tt_ptr_op(p, OP_NE, NULL);
240 smartlist_add(policy5, p);
241 p = router_parse_addr_policy_item_from_string("reject 172.16.0.0/12:*", -1,
242 &malformed_list);
243 tt_ptr_op(p, OP_NE, NULL);
244 smartlist_add(policy5, p);
245 p = router_parse_addr_policy_item_from_string("reject 80.190.250.90:*", -1,
246 &malformed_list);
247 tt_ptr_op(p, OP_NE, NULL);
248 smartlist_add(policy5, p);
249 p = router_parse_addr_policy_item_from_string("reject *:1-65534", -1,
250 &malformed_list);
251 tt_ptr_op(p, OP_NE, NULL);
252 smartlist_add(policy5, p);
253 p = router_parse_addr_policy_item_from_string("reject *:65535", -1,
254 &malformed_list);
255 tt_ptr_op(p, OP_NE, NULL);
256 smartlist_add(policy5, p);
257 p = router_parse_addr_policy_item_from_string("accept *:1-65535", -1,
258 &malformed_list);
259 tt_ptr_op(p, OP_NE, NULL);
260 smartlist_add(policy5, p);
261
262 policy6 = smartlist_new();
263 p = router_parse_addr_policy_item_from_string("accept 43.3.0.0/9:*", -1,
264 &malformed_list);
265 tt_ptr_op(p, OP_NE, NULL);
266 smartlist_add(policy6, p);
267
268 policy7 = smartlist_new();
269 p = router_parse_addr_policy_item_from_string("accept 0.0.0.0/8:*", -1,
270 &malformed_list);
271 tt_ptr_op(p, OP_NE, NULL);
272 smartlist_add(policy7, p);
273
274 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy8,
275 EXIT_POLICY_IPV6_ENABLED |
276 EXIT_POLICY_REJECT_PRIVATE |
277 EXIT_POLICY_ADD_DEFAULT,
278 NULL));
279
280 tt_assert(policy8);
281
282 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy9,
283 EXIT_POLICY_REJECT_PRIVATE |
284 EXIT_POLICY_ADD_DEFAULT,
285 NULL));
286
287 tt_assert(policy9);
288
289 /* accept6 * and reject6 * produce IPv6 wildcards only */
290 policy10 = smartlist_new();
291 p = router_parse_addr_policy_item_from_string("accept6 *:*", -1,
292 &malformed_list);
293 tt_ptr_op(p, OP_NE, NULL);
294 smartlist_add(policy10, p);
295
296 policy11 = smartlist_new();
297 p = router_parse_addr_policy_item_from_string("reject6 *:*", -1,
298 &malformed_list);
299 tt_ptr_op(p, OP_NE, NULL);
300 smartlist_add(policy11, p);
301
302 tt_assert(!exit_policy_is_general_exit(policy));
303 tt_assert(exit_policy_is_general_exit(policy2));
304 tt_assert(!exit_policy_is_general_exit(NULL));
305 tt_assert(!exit_policy_is_general_exit(policy3));
306 tt_assert(!exit_policy_is_general_exit(policy4));
307 tt_assert(!exit_policy_is_general_exit(policy5));
308 tt_assert(!exit_policy_is_general_exit(policy6));
309 tt_assert(!exit_policy_is_general_exit(policy7));
310 tt_assert(exit_policy_is_general_exit(policy8));
311 tt_assert(exit_policy_is_general_exit(policy9));
312 tt_assert(!exit_policy_is_general_exit(policy10));
313 tt_assert(!exit_policy_is_general_exit(policy11));
314
315 tt_assert(!addr_policies_eq(policy, policy2));
316 tt_assert(!addr_policies_eq(policy, NULL));
317 tt_assert(addr_policies_eq(policy2, policy2));
318 tt_assert(addr_policies_eq(NULL, NULL));
319
320 tt_assert(!policy_is_reject_star(policy2, AF_INET, 1));
321 tt_assert(policy_is_reject_star(policy, AF_INET, 1));
322 tt_assert(policy_is_reject_star(policy10, AF_INET, 1));
323 tt_assert(!policy_is_reject_star(policy10, AF_INET6, 1));
324 tt_assert(policy_is_reject_star(policy11, AF_INET, 1));
325 tt_assert(policy_is_reject_star(policy11, AF_INET6, 1));
326 tt_assert(policy_is_reject_star(NULL, AF_INET, 1));
327 tt_assert(policy_is_reject_star(NULL, AF_INET6, 1));
328 tt_assert(!policy_is_reject_star(NULL, AF_INET, 0));
329 tt_assert(!policy_is_reject_star(NULL, AF_INET6, 0));
330
331 addr_policy_list_free(policy);
332 policy = NULL;
333
334 /* make sure assume_action works */
335 malformed_list = 0;
336 p = router_parse_addr_policy_item_from_string("127.0.0.1",
337 ADDR_POLICY_ACCEPT,
338 &malformed_list);
339 tt_assert(p);
340 addr_policy_free(p);
341 tt_assert(!malformed_list);
342
343 p = router_parse_addr_policy_item_from_string("127.0.0.1:*",
344 ADDR_POLICY_ACCEPT,
345 &malformed_list);
346 tt_assert(p);
347 addr_policy_free(p);
348 tt_assert(!malformed_list);
349
350 p = router_parse_addr_policy_item_from_string("[::]",
351 ADDR_POLICY_ACCEPT,
352 &malformed_list);
353 tt_assert(p);
354 addr_policy_free(p);
355 tt_assert(!malformed_list);
356
357 p = router_parse_addr_policy_item_from_string("[::]:*",
358 ADDR_POLICY_ACCEPT,
359 &malformed_list);
360 tt_assert(p);
361 addr_policy_free(p);
362 tt_assert(!malformed_list);
363
364 p = router_parse_addr_policy_item_from_string("[face::b]",
365 ADDR_POLICY_ACCEPT,
366 &malformed_list);
367 tt_assert(p);
368 addr_policy_free(p);
369 tt_assert(!malformed_list);
370
371 p = router_parse_addr_policy_item_from_string("[b::aaaa]",
372 ADDR_POLICY_ACCEPT,
373 &malformed_list);
374 tt_assert(p);
375 addr_policy_free(p);
376 tt_assert(!malformed_list);
377
378 p = router_parse_addr_policy_item_from_string("*",
379 ADDR_POLICY_ACCEPT,
380 &malformed_list);
381 tt_assert(p);
382 addr_policy_free(p);
383 tt_assert(!malformed_list);
384
385 p = router_parse_addr_policy_item_from_string("*4",
386 ADDR_POLICY_ACCEPT,
387 &malformed_list);
388 tt_assert(p);
389 addr_policy_free(p);
390 tt_assert(!malformed_list);
391
392 p = router_parse_addr_policy_item_from_string("*6",
393 ADDR_POLICY_ACCEPT,
394 &malformed_list);
395 tt_assert(p);
396 addr_policy_free(p);
397 tt_assert(!malformed_list);
398
399 /* These are all ambiguous IPv6 addresses, it's good that we reject them */
400 p = router_parse_addr_policy_item_from_string("acce::abcd",
401 ADDR_POLICY_ACCEPT,
402 &malformed_list);
403 tt_ptr_op(p, OP_EQ, NULL);
404 tt_assert(malformed_list);
405 malformed_list = 0;
406
407 p = router_parse_addr_policy_item_from_string("7:1234",
408 ADDR_POLICY_ACCEPT,
409 &malformed_list);
410 tt_ptr_op(p, OP_EQ, NULL);
411 tt_assert(malformed_list);
412 malformed_list = 0;
413
414 p = router_parse_addr_policy_item_from_string("::",
415 ADDR_POLICY_ACCEPT,
416 &malformed_list);
417 tt_ptr_op(p, OP_EQ, NULL);
418 tt_assert(malformed_list);
419 malformed_list = 0;
420
421 /* make sure compacting logic works. */
422 policy = NULL;
423 line.key = (char*)"foo";
424 line.value = (char*)"accept *:80,reject private:*,reject *:*";
425 line.next = NULL;
426 tt_int_op(0, OP_EQ, policies_parse_exit_policy(&line,&policy,
427 EXIT_POLICY_IPV6_ENABLED |
428 EXIT_POLICY_ADD_DEFAULT, NULL));
429 tt_assert(policy);
430
431 //test_streq(policy->string, "accept *:80");
432 //test_streq(policy->next->string, "reject *:*");
433 tt_int_op(smartlist_len(policy),OP_EQ, 4);
434
435 /* test policy summaries */
436 /* check if we properly ignore private IP addresses */
437 test_policy_summary_helper("reject 192.168.0.0/16:*,"
438 "reject 0.0.0.0/8:*,"
439 "reject 10.0.0.0/8:*,"
440 "accept *:10-30,"
441 "accept *:90,"
442 "reject *:*",
443 "accept 10-30,90");
444 /* check all accept policies, and proper counting of rejects */
445 test_policy_summary_helper("reject 11.0.0.0/9:80,"
446 "reject 12.0.0.0/9:80,"
447 "reject 13.0.0.0/9:80,"
448 "reject 14.0.0.0/9:80,"
449 "accept *:*", "accept 1-65535");
450 test_policy_summary_helper("reject 11.0.0.0/9:80,"
451 "reject 12.0.0.0/9:80,"
452 "reject 13.0.0.0/9:80,"
453 "reject 14.0.0.0/9:80,"
454 "reject 15.0.0.0:81,"
455 "accept *:*", "accept 1-65535");
456 test_policy_summary_helper6("reject 11.0.0.0/9:80,"
457 "reject 12.0.0.0/9:80,"
458 "reject 13.0.0.0/9:80,"
459 "reject 14.0.0.0/9:80,"
460 "reject 15.0.0.0:80,"
461 "accept *:*",
462 "reject 80",
463 "accept 1-65535");
464 /* no exits */
465 test_policy_summary_helper("accept 11.0.0.0/9:80,"
466 "reject *:*",
467 "reject 1-65535");
468 /* port merging */
469 test_policy_summary_helper("accept *:80,"
470 "accept *:81,"
471 "accept *:100-110,"
472 "accept *:111,"
473 "reject *:*",
474 "accept 80-81,100-111");
475 /* border ports */
476 test_policy_summary_helper("accept *:1,"
477 "accept *:3,"
478 "accept *:65535,"
479 "reject *:*",
480 "accept 1,3,65535");
481 /* holes */
482 test_policy_summary_helper("accept *:1,"
483 "accept *:3,"
484 "accept *:5,"
485 "accept *:7,"
486 "reject *:*",
487 "accept 1,3,5,7");
488 test_policy_summary_helper("reject *:1,"
489 "reject *:3,"
490 "reject *:5,"
491 "reject *:7,"
492 "accept *:*",
493 "reject 1,3,5,7");
494 /* long policies */
495 /* standard long policy on many exits */
496 test_policy_summary_helper("accept *:20-23,"
497 "accept *:43,"
498 "accept *:53,"
499 "accept *:79-81,"
500 "accept *:88,"
501 "accept *:110,"
502 "accept *:143,"
503 "accept *:194,"
504 "accept *:220,"
505 "accept *:389,"
506 "accept *:443,"
507 "accept *:464,"
508 "accept *:531,"
509 "accept *:543-544,"
510 "accept *:554,"
511 "accept *:563,"
512 "accept *:636,"
513 "accept *:706,"
514 "accept *:749,"
515 "accept *:873,"
516 "accept *:902-904,"
517 "accept *:981,"
518 "accept *:989-995,"
519 "accept *:1194,"
520 "accept *:1220,"
521 "accept *:1293,"
522 "accept *:1500,"
523 "accept *:1533,"
524 "accept *:1677,"
525 "accept *:1723,"
526 "accept *:1755,"
527 "accept *:1863,"
528 "accept *:2082,"
529 "accept *:2083,"
530 "accept *:2086-2087,"
531 "accept *:2095-2096,"
532 "accept *:2102-2104,"
533 "accept *:3128,"
534 "accept *:3389,"
535 "accept *:3690,"
536 "accept *:4321,"
537 "accept *:4643,"
538 "accept *:5050,"
539 "accept *:5190,"
540 "accept *:5222-5223,"
541 "accept *:5228,"
542 "accept *:5900,"
543 "accept *:6660-6669,"
544 "accept *:6679,"
545 "accept *:6697,"
546 "accept *:8000,"
547 "accept *:8008,"
548 "accept *:8074,"
549 "accept *:8080,"
550 "accept *:8087-8088,"
551 "accept *:8332-8333,"
552 "accept *:8443,"
553 "accept *:8888,"
554 "accept *:9418,"
555 "accept *:9999,"
556 "accept *:10000,"
557 "accept *:11371,"
558 "accept *:12350,"
559 "accept *:19294,"
560 "accept *:19638,"
561 "accept *:23456,"
562 "accept *:33033,"
563 "accept *:64738,"
564 "reject *:*",
565 "accept 20-23,43,53,79-81,88,110,143,194,220,389,"
566 "443,464,531,543-544,554,563,636,706,749,873,"
567 "902-904,981,989-995,1194,1220,1293,1500,1533,"
568 "1677,1723,1755,1863,2082-2083,2086-2087,"
569 "2095-2096,2102-2104,3128,3389,3690,4321,4643,"
570 "5050,5190,5222-5223,5228,5900,6660-6669,6679,"
571 "6697,8000,8008,8074,8080,8087-8088,8332-8333,"
572 "8443,8888,9418,9999-10000,11371,12350,19294,"
573 "19638,23456,33033,64738");
574 /* short policy with configured addresses */
575 test_policy_summary_helper("reject 149.56.1.1:*,"
576 "reject [2607:5300:1:1::1:0]:*,"
577 "accept *:80,"
578 "accept *:443,"
579 "reject *:*",
580 "accept 80,443");
581 /* short policy with configured and local interface addresses */
582 test_policy_summary_helper("reject 149.56.1.0:*,"
583 "reject 149.56.1.1:*,"
584 "reject 149.56.1.2:*,"
585 "reject 149.56.1.3:*,"
586 "reject 149.56.1.4:*,"
587 "reject 149.56.1.5:*,"
588 "reject 149.56.1.6:*,"
589 "reject 149.56.1.7:*,"
590 "reject [2607:5300:1:1::1:0]:*,"
591 "reject [2607:5300:1:1::1:1]:*,"
592 "reject [2607:5300:1:1::1:2]:*,"
593 "reject [2607:5300:1:1::1:3]:*,"
594 "reject [2607:5300:1:1::2:0]:*,"
595 "reject [2607:5300:1:1::2:1]:*,"
596 "reject [2607:5300:1:1::2:2]:*,"
597 "reject [2607:5300:1:1::2:3]:*,"
598 "accept *:80,"
599 "accept *:443,"
600 "reject *:*",
601 "accept 80,443");
602 /* short policy with configured netblocks */
603 test_policy_summary_helper("reject 149.56.0.0/16,"
604 "reject6 2607:5300::/32,"
605 "reject6 2608:5300::/64,"
606 "reject6 2609:5300::/96,"
607 "accept *:80,"
608 "accept *:443,"
609 "reject *:*",
610 "accept 80,443");
611 /* short policy with large netblocks that do not count as a rejection */
612 test_policy_summary_helper("reject 148.0.0.0/7,"
613 "reject6 2600::/16,"
614 "accept *:80,"
615 "accept *:443,"
616 "reject *:*",
617 "accept 80,443");
618 /* short policy with large netblocks that count as a rejection */
619 test_policy_summary_helper("reject 148.0.0.0/6,"
620 "reject6 2600::/15,"
621 "accept *:80,"
622 "accept *:443,"
623 "reject *:*",
624 "reject 1-65535");
625 /* short policy with huge netblocks that count as a rejection */
626 test_policy_summary_helper("reject 128.0.0.0/1,"
627 "reject6 8000::/1,"
628 "accept *:80,"
629 "accept *:443,"
630 "reject *:*",
631 "reject 1-65535");
632 /* short policy which blocks everything using netblocks */
633 test_policy_summary_helper("reject 0.0.0.0/0,"
634 "reject6 ::/0,"
635 "accept *:80,"
636 "accept *:443,"
637 "reject *:*",
638 "reject 1-65535");
639 /* short policy which has repeated redundant netblocks */
640 test_policy_summary_helper("reject 0.0.0.0/0,"
641 "reject 0.0.0.0/0,"
642 "reject 0.0.0.0/0,"
643 "reject 0.0.0.0/0,"
644 "reject 0.0.0.0/0,"
645 "reject6 ::/0,"
646 "reject6 ::/0,"
647 "reject6 ::/0,"
648 "reject6 ::/0,"
649 "reject6 ::/0,"
650 "accept *:80,"
651 "accept *:443,"
652 "reject *:*",
653 "reject 1-65535");
654
655 /* longest possible policy
656 * (1-2,4-5,... is longer, but gets reduced to 3,6,... )
657 * Going all the way to 65535 is incredibly slow, so we just go slightly
658 * more than the expected length */
659 test_policy_summary_helper("accept *:1,"
660 "accept *:3,"
661 "accept *:5,"
662 "accept *:7,"
663 "accept *:9,"
664 "accept *:11,"
665 "accept *:13,"
666 "accept *:15,"
667 "accept *:17,"
668 "accept *:19,"
669 "accept *:21,"
670 "accept *:23,"
671 "accept *:25,"
672 "accept *:27,"
673 "accept *:29,"
674 "accept *:31,"
675 "accept *:33,"
676 "accept *:35,"
677 "accept *:37,"
678 "accept *:39,"
679 "accept *:41,"
680 "accept *:43,"
681 "accept *:45,"
682 "accept *:47,"
683 "accept *:49,"
684 "accept *:51,"
685 "accept *:53,"
686 "accept *:55,"
687 "accept *:57,"
688 "accept *:59,"
689 "accept *:61,"
690 "accept *:63,"
691 "accept *:65,"
692 "accept *:67,"
693 "accept *:69,"
694 "accept *:71,"
695 "accept *:73,"
696 "accept *:75,"
697 "accept *:77,"
698 "accept *:79,"
699 "accept *:81,"
700 "accept *:83,"
701 "accept *:85,"
702 "accept *:87,"
703 "accept *:89,"
704 "accept *:91,"
705 "accept *:93,"
706 "accept *:95,"
707 "accept *:97,"
708 "accept *:99,"
709 "accept *:101,"
710 "accept *:103,"
711 "accept *:105,"
712 "accept *:107,"
713 "accept *:109,"
714 "accept *:111,"
715 "accept *:113,"
716 "accept *:115,"
717 "accept *:117,"
718 "accept *:119,"
719 "accept *:121,"
720 "accept *:123,"
721 "accept *:125,"
722 "accept *:127,"
723 "accept *:129,"
724 "accept *:131,"
725 "accept *:133,"
726 "accept *:135,"
727 "accept *:137,"
728 "accept *:139,"
729 "accept *:141,"
730 "accept *:143,"
731 "accept *:145,"
732 "accept *:147,"
733 "accept *:149,"
734 "accept *:151,"
735 "accept *:153,"
736 "accept *:155,"
737 "accept *:157,"
738 "accept *:159,"
739 "accept *:161,"
740 "accept *:163,"
741 "accept *:165,"
742 "accept *:167,"
743 "accept *:169,"
744 "accept *:171,"
745 "accept *:173,"
746 "accept *:175,"
747 "accept *:177,"
748 "accept *:179,"
749 "accept *:181,"
750 "accept *:183,"
751 "accept *:185,"
752 "accept *:187,"
753 "accept *:189,"
754 "accept *:191,"
755 "accept *:193,"
756 "accept *:195,"
757 "accept *:197,"
758 "accept *:199,"
759 "accept *:201,"
760 "accept *:203,"
761 "accept *:205,"
762 "accept *:207,"
763 "accept *:209,"
764 "accept *:211,"
765 "accept *:213,"
766 "accept *:215,"
767 "accept *:217,"
768 "accept *:219,"
769 "accept *:221,"
770 "accept *:223,"
771 "accept *:225,"
772 "accept *:227,"
773 "accept *:229,"
774 "accept *:231,"
775 "accept *:233,"
776 "accept *:235,"
777 "accept *:237,"
778 "accept *:239,"
779 "accept *:241,"
780 "accept *:243,"
781 "accept *:245,"
782 "accept *:247,"
783 "accept *:249,"
784 "accept *:251,"
785 "accept *:253,"
786 "accept *:255,"
787 "accept *:257,"
788 "accept *:259,"
789 "accept *:261,"
790 "accept *:263,"
791 "accept *:265,"
792 "accept *:267,"
793 "accept *:269,"
794 "accept *:271,"
795 "accept *:273,"
796 "accept *:275,"
797 "accept *:277,"
798 "accept *:279,"
799 "accept *:281,"
800 "accept *:283,"
801 "accept *:285,"
802 "accept *:287,"
803 "accept *:289,"
804 "accept *:291,"
805 "accept *:293,"
806 "accept *:295,"
807 "accept *:297,"
808 "accept *:299,"
809 "accept *:301,"
810 "accept *:303,"
811 "accept *:305,"
812 "accept *:307,"
813 "accept *:309,"
814 "accept *:311,"
815 "accept *:313,"
816 "accept *:315,"
817 "accept *:317,"
818 "accept *:319,"
819 "accept *:321,"
820 "accept *:323,"
821 "accept *:325,"
822 "accept *:327,"
823 "accept *:329,"
824 "accept *:331,"
825 "accept *:333,"
826 "accept *:335,"
827 "accept *:337,"
828 "accept *:339,"
829 "accept *:341,"
830 "accept *:343,"
831 "accept *:345,"
832 "accept *:347,"
833 "accept *:349,"
834 "accept *:351,"
835 "accept *:353,"
836 "accept *:355,"
837 "accept *:357,"
838 "accept *:359,"
839 "accept *:361,"
840 "accept *:363,"
841 "accept *:365,"
842 "accept *:367,"
843 "accept *:369,"
844 "accept *:371,"
845 "accept *:373,"
846 "accept *:375,"
847 "accept *:377,"
848 "accept *:379,"
849 "accept *:381,"
850 "accept *:383,"
851 "accept *:385,"
852 "accept *:387,"
853 "accept *:389,"
854 "accept *:391,"
855 "accept *:393,"
856 "accept *:395,"
857 "accept *:397,"
858 "accept *:399,"
859 "accept *:401,"
860 "accept *:403,"
861 "accept *:405,"
862 "accept *:407,"
863 "accept *:409,"
864 "accept *:411,"
865 "accept *:413,"
866 "accept *:415,"
867 "accept *:417,"
868 "accept *:419,"
869 "accept *:421,"
870 "accept *:423,"
871 "accept *:425,"
872 "accept *:427,"
873 "accept *:429,"
874 "accept *:431,"
875 "accept *:433,"
876 "accept *:435,"
877 "accept *:437,"
878 "accept *:439,"
879 "accept *:441,"
880 "accept *:443,"
881 "accept *:445,"
882 "accept *:447,"
883 "accept *:449,"
884 "accept *:451,"
885 "accept *:453,"
886 "accept *:455,"
887 "accept *:457,"
888 "accept *:459,"
889 "accept *:461,"
890 "accept *:463,"
891 "accept *:465,"
892 "accept *:467,"
893 "accept *:469,"
894 "accept *:471,"
895 "accept *:473,"
896 "accept *:475,"
897 "accept *:477,"
898 "accept *:479,"
899 "accept *:481,"
900 "accept *:483,"
901 "accept *:485,"
902 "accept *:487,"
903 "accept *:489,"
904 "accept *:491,"
905 "accept *:493,"
906 "accept *:495,"
907 "accept *:497,"
908 "accept *:499,"
909 "accept *:501,"
910 "accept *:503,"
911 "accept *:505,"
912 "accept *:507,"
913 "accept *:509,"
914 "accept *:511,"
915 "accept *:513,"
916 "accept *:515,"
917 "accept *:517,"
918 "accept *:519,"
919 "accept *:521,"
920 "accept *:523,"
921 "accept *:525,"
922 "accept *:527,"
923 "accept *:529,"
924 "reject *:*",
925 "accept 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,"
926 "31,33,35,37,39,41,43,45,47,49,51,53,55,57,59,61,"
927 "63,65,67,69,71,73,75,77,79,81,83,85,87,89,91,93,"
928 "95,97,99,101,103,105,107,109,111,113,115,117,"
929 "119,121,123,125,127,129,131,133,135,137,139,141,"
930 "143,145,147,149,151,153,155,157,159,161,163,165,"
931 "167,169,171,173,175,177,179,181,183,185,187,189,"
932 "191,193,195,197,199,201,203,205,207,209,211,213,"
933 "215,217,219,221,223,225,227,229,231,233,235,237,"
934 "239,241,243,245,247,249,251,253,255,257,259,261,"
935 "263,265,267,269,271,273,275,277,279,281,283,285,"
936 "287,289,291,293,295,297,299,301,303,305,307,309,"
937 "311,313,315,317,319,321,323,325,327,329,331,333,"
938 "335,337,339,341,343,345,347,349,351,353,355,357,"
939 "359,361,363,365,367,369,371,373,375,377,379,381,"
940 "383,385,387,389,391,393,395,397,399,401,403,405,"
941 "407,409,411,413,415,417,419,421,423,425,427,429,"
942 "431,433,435,437,439,441,443,445,447,449,451,453,"
943 "455,457,459,461,463,465,467,469,471,473,475,477,"
944 "479,481,483,485,487,489,491,493,495,497,499,501,"
945 "503,505,507,509,511,513,515,517,519,521,523");
946
947 /* Short policies with unrecognized formats should get accepted. */
948 test_short_policy_parse("accept fred,2,3-5", "accept 2,3-5");
949 test_short_policy_parse("accept 2,fred,3", "accept 2,3");
950 test_short_policy_parse("accept 2,fred,3,bob", "accept 2,3");
951 test_short_policy_parse("accept 2,-3,500-600", "accept 2,500-600");
952 /* Short policies with nil entries are accepted too. */
953 test_short_policy_parse("accept 1,,3", "accept 1,3");
954 test_short_policy_parse("accept 100-200,,", "accept 100-200");
955 test_short_policy_parse("reject ,1-10,,,,30-40", "reject 1-10,30-40");
956
957 /* Try parsing various broken short policies */
958 #define TT_BAD_SHORT_POLICY(s) \
959 do { \
960 tt_ptr_op(NULL, OP_EQ, (short_parsed = parse_short_policy((s)))); \
961 } while (0)
962 TT_BAD_SHORT_POLICY("accept 200-199");
963 TT_BAD_SHORT_POLICY("");
964 TT_BAD_SHORT_POLICY("rejekt 1,2,3");
965 TT_BAD_SHORT_POLICY("reject ");
966 TT_BAD_SHORT_POLICY("reject");
967 TT_BAD_SHORT_POLICY("rej");
968 TT_BAD_SHORT_POLICY("accept 2,3,100000");
969 TT_BAD_SHORT_POLICY("accept 2,3x,4");
970 TT_BAD_SHORT_POLICY("accept 2,3x,4");
971 TT_BAD_SHORT_POLICY("accept 2-");
972 TT_BAD_SHORT_POLICY("accept 2-x");
973 TT_BAD_SHORT_POLICY("accept 1-,3");
974 TT_BAD_SHORT_POLICY("accept 1-,3");
975
976 /* Make sure that IPv4 addresses are ignored in accept6/reject6 lines. */
977 p = router_parse_addr_policy_item_from_string("accept6 1.2.3.4:*", -1,
978 &malformed_list);
979 tt_ptr_op(p, OP_EQ, NULL);
980 tt_assert(!malformed_list);
981
982 p = router_parse_addr_policy_item_from_string("reject6 2.4.6.0/24:*", -1,
983 &malformed_list);
984 tt_ptr_op(p, OP_EQ, NULL);
985 tt_assert(!malformed_list);
986
987 p = router_parse_addr_policy_item_from_string("accept6 *4:*", -1,
988 &malformed_list);
989 tt_ptr_op(p, OP_EQ, NULL);
990 tt_assert(!malformed_list);
991
992 /* Make sure malformed policies are detected as such. */
993 p = router_parse_addr_policy_item_from_string("bad_token *4:*", -1,
994 &malformed_list);
995 tt_ptr_op(p, OP_EQ, NULL);
996 tt_assert(malformed_list);
997
998 p = router_parse_addr_policy_item_from_string("accept6 **:*", -1,
999 &malformed_list);
1000 tt_ptr_op(p, OP_EQ, NULL);
1001 tt_assert(malformed_list);
1002
1003 p = router_parse_addr_policy_item_from_string("accept */15:*", -1,
1004 &malformed_list);
1005 tt_ptr_op(p, OP_EQ, NULL);
1006 tt_assert(malformed_list);
1007
1008 p = router_parse_addr_policy_item_from_string("reject6 */:*", -1,
1009 &malformed_list);
1010 tt_ptr_op(p, OP_EQ, NULL);
1011 tt_assert(malformed_list);
1012
1013 p = router_parse_addr_policy_item_from_string("accept 127.0.0.1/33:*", -1,
1014 &malformed_list);
1015 tt_ptr_op(p, OP_EQ, NULL);
1016 tt_assert(malformed_list);
1017
1018 p = router_parse_addr_policy_item_from_string("accept6 [::1]/129:*", -1,
1019 &malformed_list);
1020 tt_ptr_op(p, OP_EQ, NULL);
1021 tt_assert(malformed_list);
1022
1023 p = router_parse_addr_policy_item_from_string("reject 8.8.8.8/-1:*", -1,
1024 &malformed_list);
1025 tt_ptr_op(p, OP_EQ, NULL);
1026 tt_assert(malformed_list);
1027
1028 p = router_parse_addr_policy_item_from_string("reject 8.8.4.4:10-5", -1,
1029 &malformed_list);
1030 tt_ptr_op(p, OP_EQ, NULL);
1031 tt_assert(malformed_list);
1032
1033 p = router_parse_addr_policy_item_from_string("reject 1.2.3.4:-1", -1,
1034 &malformed_list);
1035 tt_ptr_op(p, OP_EQ, NULL);
1036 tt_assert(malformed_list);
1037
1038 /* Test a too-long policy. */
1039 {
1040 char *policy_strng = NULL;
1041 smartlist_t *chunks = smartlist_new();
1042 smartlist_add_strdup(chunks, "accept ");
1043 for (i=1; i<10000; ++i)
1044 smartlist_add_asprintf(chunks, "%d,", i);
1045 smartlist_add_strdup(chunks, "20000");
1046 policy_strng = smartlist_join_strings(chunks, "", 0, NULL);
1047 SMARTLIST_FOREACH(chunks, char *, ch, tor_free(ch));
1048 smartlist_free(chunks);
1049 short_parsed = parse_short_policy(policy_strng);/* shouldn't be accepted */
1050 tor_free(policy_strng);
1051 tt_ptr_op(NULL, OP_EQ, short_parsed);
1052 }
1053
1054 /* truncation ports */
1055 sm = smartlist_new();
1056 for (i=1; i<2000; i+=2) {
1057 char buf[POLICY_BUF_LEN];
1058 tor_snprintf(buf, sizeof(buf), "reject *:%d", i);
1059 smartlist_add_strdup(sm, buf);
1060 }
1061 smartlist_add_strdup(sm, "accept *:*");
1062 policy_str = smartlist_join_strings(sm, ",", 0, NULL);
1063 test_policy_summary_helper( policy_str,
1064 "accept 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,"
1065 "46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78,80,82,84,86,88,90,"
1066 "92,94,96,98,100,102,104,106,108,110,112,114,116,118,120,122,124,126,128,"
1067 "130,132,134,136,138,140,142,144,146,148,150,152,154,156,158,160,162,164,"
1068 "166,168,170,172,174,176,178,180,182,184,186,188,190,192,194,196,198,200,"
1069 "202,204,206,208,210,212,214,216,218,220,222,224,226,228,230,232,234,236,"
1070 "238,240,242,244,246,248,250,252,254,256,258,260,262,264,266,268,270,272,"
1071 "274,276,278,280,282,284,286,288,290,292,294,296,298,300,302,304,306,308,"
1072 "310,312,314,316,318,320,322,324,326,328,330,332,334,336,338,340,342,344,"
1073 "346,348,350,352,354,356,358,360,362,364,366,368,370,372,374,376,378,380,"
1074 "382,384,386,388,390,392,394,396,398,400,402,404,406,408,410,412,414,416,"
1075 "418,420,422,424,426,428,430,432,434,436,438,440,442,444,446,448,450,452,"
1076 "454,456,458,460,462,464,466,468,470,472,474,476,478,480,482,484,486,488,"
1077 "490,492,494,496,498,500,502,504,506,508,510,512,514,516,518,520,522");
1078
1079 done:
1080 addr_policy_list_free(policy);
1081 addr_policy_list_free(policy2);
1082 addr_policy_list_free(policy3);
1083 addr_policy_list_free(policy4);
1084 addr_policy_list_free(policy5);
1085 addr_policy_list_free(policy6);
1086 addr_policy_list_free(policy7);
1087 addr_policy_list_free(policy8);
1088 addr_policy_list_free(policy9);
1089 addr_policy_list_free(policy10);
1090 addr_policy_list_free(policy11);
1091 addr_policy_list_free(policy12);
1092 tor_free(policy_str);
1093 if (sm) {
1094 SMARTLIST_FOREACH(sm, char *, s, tor_free(s));
1095 smartlist_free(sm);
1096 }
1097 short_policy_free(short_parsed);
1098 }
1099
1100 /** Helper: Check that policy_list contains address */
1101 static int
1102 test_policy_has_address_helper(const smartlist_t *policy_list,
1103 const tor_addr_t *addr)
1104 {
1105 int found = 0;
1106
1107 tt_assert(policy_list);
1108 tt_assert(addr);
1109
1110 SMARTLIST_FOREACH_BEGIN(policy_list, addr_policy_t*, p) {
1111 if (tor_addr_eq(&p->addr, addr)) {
1112 found = 1;
1113 }
1114 } SMARTLIST_FOREACH_END(p);
1115
1116 return found;
1117
1118 done:
1119 return 0;
1120 }
1121
1122 #define TEST_IPV4_ADDR (0x01020304)
1123 #define TEST_IPV6_ADDR ("2002::abcd")
1124
1125 /** Run unit tests for rejecting the configured addresses on this exit relay
1126 * using policies_parse_exit_policy_reject_private */
1127 static void
1128 test_policies_reject_exit_address(void *arg)
1129 {
1130 smartlist_t *policy = NULL;
1131 tor_addr_t ipv4_addr, ipv6_addr;
1132 smartlist_t *ipv4_list, *ipv6_list, *both_list, *dupl_list;
1133 (void)arg;
1134
1135 tor_addr_from_ipv4h(&ipv4_addr, TEST_IPV4_ADDR);
1136 tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR);
1137
1138 ipv4_list = smartlist_new();
1139 ipv6_list = smartlist_new();
1140 both_list = smartlist_new();
1141 dupl_list = smartlist_new();
1142
1143 smartlist_add(ipv4_list, &ipv4_addr);
1144 smartlist_add(both_list, &ipv4_addr);
1145 smartlist_add(dupl_list, &ipv4_addr);
1146 smartlist_add(dupl_list, &ipv4_addr);
1147 smartlist_add(dupl_list, &ipv4_addr);
1148
1149 smartlist_add(ipv6_list, &ipv6_addr);
1150 smartlist_add(both_list, &ipv6_addr);
1151 smartlist_add(dupl_list, &ipv6_addr);
1152 smartlist_add(dupl_list, &ipv6_addr);
1153
1154 /* IPv4-Only Exits */
1155
1156 /* test that IPv4 addresses are rejected on an IPv4-only exit */
1157 policies_parse_exit_policy_reject_private(&policy, 0, ipv4_list, 0, 0);
1158 tt_assert(policy);
1159 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1160 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1161 addr_policy_list_free(policy);
1162 policy = NULL;
1163
1164 /* test that IPv6 addresses are NOT rejected on an IPv4-only exit
1165 * (all IPv6 addresses are rejected by policies_parse_exit_policy_internal
1166 * on IPv4-only exits, so policies_parse_exit_policy_reject_private doesn't
1167 * need to do anything) */
1168 policies_parse_exit_policy_reject_private(&policy, 0, ipv6_list, 0, 0);
1169 tt_ptr_op(policy, OP_EQ, NULL);
1170
1171 /* test that only IPv4 addresses are rejected on an IPv4-only exit */
1172 policies_parse_exit_policy_reject_private(&policy, 0, both_list, 0, 0);
1173 tt_assert(policy);
1174 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1175 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1176 addr_policy_list_free(policy);
1177 policy = NULL;
1178
1179 /* Test that lists with duplicate entries produce the same results */
1180 policies_parse_exit_policy_reject_private(&policy, 0, dupl_list, 0, 0);
1181 tt_assert(policy);
1182 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1183 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1184 addr_policy_list_free(policy);
1185 policy = NULL;
1186
1187 /* IPv4/IPv6 Exits */
1188
1189 /* test that IPv4 addresses are rejected on an IPv4/IPv6 exit */
1190 policies_parse_exit_policy_reject_private(&policy, 1, ipv4_list, 0, 0);
1191 tt_assert(policy);
1192 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1193 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1194 addr_policy_list_free(policy);
1195 policy = NULL;
1196
1197 /* test that IPv6 addresses are rejected on an IPv4/IPv6 exit */
1198 policies_parse_exit_policy_reject_private(&policy, 1, ipv6_list, 0, 0);
1199 tt_assert(policy);
1200 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1201 tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
1202 addr_policy_list_free(policy);
1203 policy = NULL;
1204
1205 /* test that IPv4 and IPv6 addresses are rejected on an IPv4/IPv6 exit */
1206 policies_parse_exit_policy_reject_private(&policy, 1, both_list, 0, 0);
1207 tt_assert(policy);
1208 tt_int_op(smartlist_len(policy), OP_EQ, 2);
1209 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1210 tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
1211 addr_policy_list_free(policy);
1212 policy = NULL;
1213
1214 /* Test that lists with duplicate entries produce the same results */
1215 policies_parse_exit_policy_reject_private(&policy, 1, dupl_list, 0, 0);
1216 tt_assert(policy);
1217 tt_int_op(smartlist_len(policy), OP_EQ, 2);
1218 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1219 tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
1220 addr_policy_list_free(policy);
1221 policy = NULL;
1222
1223 done:
1224 addr_policy_list_free(policy);
1225 smartlist_free(ipv4_list);
1226 smartlist_free(ipv6_list);
1227 smartlist_free(both_list);
1228 smartlist_free(dupl_list);
1229 }
1230
1231 static smartlist_t *test_configured_ports = NULL;
1232
1233 /** Returns test_configured_ports */
1234 static const smartlist_t *
1235 mock_get_configured_ports(void)
1236 {
1237 return test_configured_ports;
1238 }
1239
1240 /** Run unit tests for rejecting publicly routable configured port addresses
1241 * on this exit relay using policies_parse_exit_policy_reject_private */
1242 static void
1243 test_policies_reject_port_address(void *arg)
1244 {
1245 smartlist_t *policy = NULL;
1246 port_cfg_t *ipv4_port = NULL;
1247 port_cfg_t *ipv6_port = NULL;
1248 (void)arg;
1249
1250 test_configured_ports = smartlist_new();
1251
1252 ipv4_port = port_cfg_new(0);
1253 tor_addr_from_ipv4h(&ipv4_port->addr, TEST_IPV4_ADDR);
1254 smartlist_add(test_configured_ports, ipv4_port);
1255
1256 ipv6_port = port_cfg_new(0);
1257 tor_addr_parse(&ipv6_port->addr, TEST_IPV6_ADDR);
1258 smartlist_add(test_configured_ports, ipv6_port);
1259
1260 MOCK(get_configured_ports, mock_get_configured_ports);
1261
1262 /* test that an IPv4 port is rejected on an IPv4-only exit, but an IPv6 port
1263 * is NOT rejected (all IPv6 addresses are rejected by
1264 * policies_parse_exit_policy_internal on IPv4-only exits, so
1265 * policies_parse_exit_policy_reject_private doesn't need to do anything
1266 * with IPv6 addresses on IPv4-only exits) */
1267 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 1);
1268 tt_assert(policy);
1269 tt_int_op(smartlist_len(policy), OP_EQ, 1);
1270 tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr));
1271 addr_policy_list_free(policy);
1272 policy = NULL;
1273
1274 /* test that IPv4 and IPv6 ports are rejected on an IPv4/IPv6 exit */
1275 policies_parse_exit_policy_reject_private(&policy, 1, NULL, 0, 1);
1276 tt_assert(policy);
1277 tt_int_op(smartlist_len(policy), OP_EQ, 2);
1278 tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr));
1279 tt_assert(test_policy_has_address_helper(policy, &ipv6_port->addr));
1280 addr_policy_list_free(policy);
1281 policy = NULL;
1282
1283 done:
1284 addr_policy_list_free(policy);
1285 if (test_configured_ports) {
1286 SMARTLIST_FOREACH(test_configured_ports,
1287 port_cfg_t *, p, port_cfg_free(p));
1288 smartlist_free(test_configured_ports);
1289 test_configured_ports = NULL;
1290 }
1291 UNMOCK(get_configured_ports);
1292 }
1293
1294 static smartlist_t *mock_ipv4_addrs = NULL;
1295 static smartlist_t *mock_ipv6_addrs = NULL;
1296
1297 /* mock get_interface_address6_list, returning a deep copy of the template
1298 * address list ipv4_interface_address_list or ipv6_interface_address_list */
1299 static smartlist_t *
1300 mock_get_interface_address6_list(int severity,
1301 sa_family_t family,
1302 int include_internal)
1303 {
1304 (void)severity;
1305 (void)include_internal;
1306 smartlist_t *clone_list = smartlist_new();
1307 smartlist_t *template_list = NULL;
1308
1309 if (family == AF_INET) {
1310 template_list = mock_ipv4_addrs;
1311 } else if (family == AF_INET6) {
1312 template_list = mock_ipv6_addrs;
1313 } else {
1314 return NULL;
1315 }
1316
1317 tt_assert(template_list);
1318
1319 SMARTLIST_FOREACH_BEGIN(template_list, tor_addr_t *, src_addr) {
1320 tor_addr_t *dest_addr = tor_malloc(sizeof(tor_addr_t));
1321 memset(dest_addr, 0, sizeof(*dest_addr));
1322 tor_addr_copy_tight(dest_addr, src_addr);
1323 smartlist_add(clone_list, dest_addr);
1324 } SMARTLIST_FOREACH_END(src_addr);
1325
1326 return clone_list;
1327
1328 done:
1329 interface_address6_list_free(clone_list);
1330 return NULL;
1331 }
1332
1333 /** Run unit tests for rejecting publicly routable interface addresses on this
1334 * exit relay using policies_parse_exit_policy_reject_private */
1335 static void
1336 test_policies_reject_interface_address(void *arg)
1337 {
1338 smartlist_t *policy = NULL;
1339 smartlist_t *public_ipv4_addrs =
1340 get_interface_address6_list(LOG_INFO, AF_INET, 0);
1341 smartlist_t *public_ipv6_addrs =
1342 get_interface_address6_list(LOG_INFO, AF_INET6, 0);
1343 tor_addr_t ipv4_addr, ipv6_addr;
1344 (void)arg;
1345
1346 /* test that no addresses are rejected when none are supplied/requested */
1347 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 0);
1348 tt_ptr_op(policy, OP_EQ, NULL);
1349
1350 /* test that only IPv4 interface addresses are rejected on an IPv4-only exit
1351 * (and allow for duplicates)
1352 */
1353 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 1, 0);
1354 if (policy) {
1355 tt_assert(smartlist_len(policy) <= smartlist_len(public_ipv4_addrs));
1356 addr_policy_list_free(policy);
1357 policy = NULL;
1358 }
1359
1360 /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
1361 * exit (and allow for duplicates) */
1362 policies_parse_exit_policy_reject_private(&policy, 1, NULL, 1, 0);
1363 if (policy) {
1364 tt_assert(smartlist_len(policy) <= (smartlist_len(public_ipv4_addrs)
1365 + smartlist_len(public_ipv6_addrs)));
1366 addr_policy_list_free(policy);
1367 policy = NULL;
1368 }
1369
1370 /* Now do it all again, but mocked */
1371 tor_addr_from_ipv4h(&ipv4_addr, TEST_IPV4_ADDR);
1372 mock_ipv4_addrs = smartlist_new();
1373 smartlist_add(mock_ipv4_addrs, (void *)&ipv4_addr);
1374
1375 tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR);
1376 mock_ipv6_addrs = smartlist_new();
1377 smartlist_add(mock_ipv6_addrs, (void *)&ipv6_addr);
1378
1379 MOCK(get_interface_address6_list, mock_get_interface_address6_list);
1380
1381 /* test that no addresses are rejected when none are supplied/requested */
1382 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 0);
1383 tt_ptr_op(policy, OP_EQ, NULL);
1384
1385 /* test that only IPv4 interface addresses are rejected on an IPv4-only exit
1386 */
1387 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 1, 0);
1388 tt_assert(policy);
1389 tt_assert(smartlist_len(policy) == smartlist_len(mock_ipv4_addrs));
1390 addr_policy_list_free(policy);
1391 policy = NULL;
1392
1393 /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
1394 * exit */
1395 policies_parse_exit_policy_reject_private(&policy, 1, NULL, 1, 0);
1396 tt_assert(policy);
1397 tt_assert(smartlist_len(policy) == (smartlist_len(mock_ipv4_addrs)
1398 + smartlist_len(mock_ipv6_addrs)));
1399 addr_policy_list_free(policy);
1400 policy = NULL;
1401
1402 done:
1403 addr_policy_list_free(policy);
1404 interface_address6_list_free(public_ipv4_addrs);
1405 interface_address6_list_free(public_ipv6_addrs);
1406
1407 UNMOCK(get_interface_address6_list);
1408 /* we don't use interface_address6_list_free on these lists because their
1409 * address pointers are stack-based */
1410 smartlist_free(mock_ipv4_addrs);
1411 smartlist_free(mock_ipv6_addrs);
1412 }
1413
1414 #undef TEST_IPV4_ADDR
1415 #undef TEST_IPV6_ADDR
1416
1417 static void
1418 test_dump_exit_policy_to_string(void *arg)
1419 {
1420 char *ep;
1421 addr_policy_t *policy_entry;
1422 int malformed_list = -1;
1423
1424 routerinfo_t *ri = tor_malloc_zero(sizeof(routerinfo_t));
1425
1426 (void)arg;
1427
1428 ri->policy_is_reject_star = 1;
1429 ri->exit_policy = NULL; // expecting "reject *:*"
1430 ep = router_dump_exit_policy_to_string(ri,1,1);
1431
1432 tt_str_op("reject *:*",OP_EQ, ep);
1433
1434 tor_free(ep);
1435
1436 ri->exit_policy = smartlist_new();
1437 ri->policy_is_reject_star = 0;
1438
1439 policy_entry = router_parse_addr_policy_item_from_string("accept *:*", -1,
1440 &malformed_list);
1441
1442 smartlist_add(ri->exit_policy,policy_entry);
1443
1444 ep = router_dump_exit_policy_to_string(ri,1,1);
1445
1446 tt_str_op("accept *:*",OP_EQ, ep);
1447
1448 tor_free(ep);
1449
1450 policy_entry = router_parse_addr_policy_item_from_string("reject *:25", -1,
1451 &malformed_list);
1452
1453 smartlist_add(ri->exit_policy,policy_entry);
1454
1455 ep = router_dump_exit_policy_to_string(ri,1,1);
1456
1457 tt_str_op("accept *:*\nreject *:25",OP_EQ, ep);
1458
1459 tor_free(ep);
1460
1461 policy_entry =
1462 router_parse_addr_policy_item_from_string("reject 8.8.8.8:*", -1,
1463 &malformed_list);
1464
1465 smartlist_add(ri->exit_policy,policy_entry);
1466
1467 ep = router_dump_exit_policy_to_string(ri,1,1);
1468
1469 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*",OP_EQ, ep);
1470 tor_free(ep);
1471
1472 policy_entry =
1473 router_parse_addr_policy_item_from_string("reject6 [FC00::]/7:*", -1,
1474 &malformed_list);
1475
1476 smartlist_add(ri->exit_policy,policy_entry);
1477
1478 ep = router_dump_exit_policy_to_string(ri,1,1);
1479
1480 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
1481 "reject6 [fc00::]/7:*",OP_EQ, ep);
1482 tor_free(ep);
1483
1484 policy_entry =
1485 router_parse_addr_policy_item_from_string("accept6 [c000::]/3:*", -1,
1486 &malformed_list);
1487
1488 smartlist_add(ri->exit_policy,policy_entry);
1489
1490 ep = router_dump_exit_policy_to_string(ri,1,1);
1491
1492 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
1493 "reject6 [fc00::]/7:*\naccept6 [c000::]/3:*",OP_EQ, ep);
1494
1495 done:
1496
1497 if (ri->exit_policy) {
1498 SMARTLIST_FOREACH(ri->exit_policy, addr_policy_t *,
1499 entry, addr_policy_free(entry));
1500 smartlist_free(ri->exit_policy);
1501 }
1502 tor_free(ri);
1503 tor_free(ep);
1504 }
1505
1506 static routerinfo_t *mock_desc_routerinfo = NULL;
1507 static int routerinfo_err;
1508
1509 static const routerinfo_t *
1510 mock_router_get_my_routerinfo_with_err(int *err)
1511 {
1512 if (routerinfo_err) {
1513 if (err)
1514 *err = routerinfo_err;
1515
1516 return NULL;
1517 }
1518
1519 if (err)
1520 *err = 0;
1521
1522 return mock_desc_routerinfo;
1523 }
1524
1525 #define DEFAULT_POLICY_STRING "reject *:*"
1526 #define TEST_IPV4_ADDR (0x02040608)
1527 #define TEST_IPV6_ADDR ("2003::ef01")
1528
1529 static or_options_t mock_options;
1530
1531 static const or_options_t *
1532 mock_get_options(void)
1533 {
1534 return &mock_options;
1535 }
1536
1537 /** Run unit tests for generating summary lines of exit policies */
1538 static void
1539 test_policies_getinfo_helper_policies(void *arg)
1540 {
1541 (void)arg;
1542 int rv = 0;
1543 size_t ipv4_len = 0, ipv6_len = 0;
1544 char *answer = NULL;
1545 const char *errmsg = NULL;
1546 routerinfo_t mock_my_routerinfo;
1547
1548 memset(&mock_my_routerinfo, 0, sizeof(mock_my_routerinfo));
1549
1550 rv = getinfo_helper_policies(NULL, "exit-policy/default", &answer, &errmsg);
1551 tt_int_op(rv, OP_EQ, 0);
1552 tt_ptr_op(answer, OP_NE, NULL);
1553 tt_assert(strlen(answer) > 0);
1554 tor_free(answer);
1555
1556 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/default",
1557 &answer, &errmsg);
1558 tt_int_op(rv, OP_EQ, 0);
1559 tt_ptr_op(answer, OP_NE, NULL);
1560 tt_assert(strlen(answer) > 0);
1561 tor_free(answer);
1562
1563 memset(&mock_my_routerinfo, 0, sizeof(routerinfo_t));
1564 MOCK(router_get_my_routerinfo_with_err,
1565 mock_router_get_my_routerinfo_with_err);
1566 mock_my_routerinfo.exit_policy = smartlist_new();
1567 mock_desc_routerinfo = &mock_my_routerinfo;
1568
1569 memset(&mock_options, 0, sizeof(or_options_t));
1570 MOCK(get_options, mock_get_options);
1571
1572 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1573 &answer, &errmsg);
1574 tt_int_op(rv, OP_EQ, 0);
1575 tt_ptr_op(answer, OP_NE, NULL);
1576 tt_assert(strlen(answer) == 0);
1577 tor_free(answer);
1578
1579 rv = getinfo_helper_policies(NULL, "exit-policy/ipv4", &answer,
1580 &errmsg);
1581 tt_int_op(rv, OP_EQ, 0);
1582 tt_ptr_op(answer, OP_NE, NULL);
1583 ipv4_len = strlen(answer);
1584 tt_assert(ipv4_len == 0 || ipv4_len == strlen(DEFAULT_POLICY_STRING));
1585 tt_assert(ipv4_len == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
1586 tor_free(answer);
1587
1588 rv = getinfo_helper_policies(NULL, "exit-policy/ipv6", &answer,
1589 &errmsg);
1590 tt_int_op(rv, OP_EQ, 0);
1591 tt_ptr_op(answer, OP_NE, NULL);
1592 ipv6_len = strlen(answer);
1593 tt_assert(ipv6_len == 0 || ipv6_len == strlen(DEFAULT_POLICY_STRING));
1594 tt_assert(ipv6_len == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
1595 tor_free(answer);
1596
1597 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1598 &errmsg);
1599 tt_int_op(rv, OP_EQ, 0);
1600 tt_ptr_op(answer, OP_NE, NULL);
1601 /* It's either empty or it's the default */
1602 tt_assert(strlen(answer) == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
1603 tor_free(answer);
1604
1605 mock_my_routerinfo.addr = TEST_IPV4_ADDR;
1606 tor_addr_parse(&mock_my_routerinfo.ipv6_addr, TEST_IPV6_ADDR);
1607 append_exit_policy_string(&mock_my_routerinfo.exit_policy, "accept *4:*");
1608 append_exit_policy_string(&mock_my_routerinfo.exit_policy, "reject *6:*");
1609
1610 mock_options.IPv6Exit = 1;
1611 tor_addr_from_ipv4h(
1612 &mock_options.OutboundBindAddresses[OUTBOUND_ADDR_EXIT][0],
1613 TEST_IPV4_ADDR);
1614 tor_addr_parse(
1615 &mock_options.OutboundBindAddresses[OUTBOUND_ADDR_EXIT][1],
1616 TEST_IPV6_ADDR);
1617
1618 mock_options.ExitPolicyRejectPrivate = 1;
1619 mock_options.ExitPolicyRejectLocalInterfaces = 1;
1620
1621 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1622 &answer, &errmsg);
1623 tt_int_op(rv, OP_EQ, 0);
1624 tt_ptr_op(answer, OP_NE, NULL);
1625 tt_assert(strlen(answer) > 0);
1626 tor_free(answer);
1627
1628 mock_options.ExitPolicyRejectPrivate = 1;
1629 mock_options.ExitPolicyRejectLocalInterfaces = 0;
1630
1631 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1632 &answer, &errmsg);
1633 tt_int_op(rv, OP_EQ, 0);
1634 tt_ptr_op(answer, OP_NE, NULL);
1635 tt_assert(strlen(answer) > 0);
1636 tor_free(answer);
1637
1638 mock_options.ExitPolicyRejectPrivate = 0;
1639 mock_options.ExitPolicyRejectLocalInterfaces = 1;
1640
1641 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1642 &answer, &errmsg);
1643 tt_int_op(rv, OP_EQ, 0);
1644 tt_ptr_op(answer, OP_NE, NULL);
1645 tt_assert(strlen(answer) > 0);
1646 tor_free(answer);
1647
1648 mock_options.ExitPolicyRejectPrivate = 0;
1649 mock_options.ExitPolicyRejectLocalInterfaces = 0;
1650
1651 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1652 &answer, &errmsg);
1653 tt_int_op(rv, OP_EQ, 0);
1654 tt_ptr_op(answer, OP_NE, NULL);
1655 tt_assert(strlen(answer) == 0);
1656 tor_free(answer);
1657
1658 rv = getinfo_helper_policies(NULL, "exit-policy/ipv4", &answer,
1659 &errmsg);
1660 tt_int_op(rv, OP_EQ, 0);
1661 tt_ptr_op(answer, OP_NE, NULL);
1662 ipv4_len = strlen(answer);
1663 tt_assert(ipv4_len > 0);
1664 tor_free(answer);
1665
1666 rv = getinfo_helper_policies(NULL, "exit-policy/ipv6", &answer,
1667 &errmsg);
1668 tt_int_op(rv, OP_EQ, 0);
1669 tt_ptr_op(answer, OP_NE, NULL);
1670 ipv6_len = strlen(answer);
1671 tt_assert(ipv6_len > 0);
1672 tor_free(answer);
1673
1674 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1675 &errmsg);
1676 tt_int_op(rv, OP_EQ, 0);
1677 tt_ptr_op(answer, OP_NE, NULL);
1678 tt_assert(strlen(answer) > 0);
1679 tt_assert(strlen(answer) == ipv4_len + ipv6_len + 1);
1680 tor_free(answer);
1681
1682 routerinfo_err = TOR_ROUTERINFO_ERROR_NO_EXT_ADDR;
1683 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1684 &errmsg);
1685 tt_int_op(rv, OP_EQ, -1);
1686 tt_ptr_op(answer, OP_EQ, NULL);
1687 tt_ptr_op(errmsg, OP_NE, NULL);
1688 tt_str_op(errmsg, OP_EQ, "No known exit address yet");
1689
1690 routerinfo_err = TOR_ROUTERINFO_ERROR_CANNOT_PARSE;
1691 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1692 &errmsg);
1693 tt_int_op(rv, OP_EQ, -1);
1694 tt_ptr_op(answer, OP_EQ, NULL);
1695 tt_ptr_op(errmsg, OP_NE, NULL);
1696 tt_str_op(errmsg, OP_EQ, "Cannot parse descriptor");
1697
1698 routerinfo_err = TOR_ROUTERINFO_ERROR_NOT_A_SERVER;
1699 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1700 &errmsg);
1701 tt_int_op(rv, OP_EQ, 0);
1702 tt_ptr_op(answer, OP_EQ, NULL);
1703 tt_ptr_op(errmsg, OP_NE, NULL);
1704 tt_str_op(errmsg, OP_EQ, "Not running in server mode");
1705
1706 routerinfo_err = TOR_ROUTERINFO_ERROR_DIGEST_FAILED;
1707 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1708 &errmsg);
1709
1710 tt_int_op(rv, OP_EQ, -1);
1711 tt_ptr_op(answer, OP_EQ, NULL);
1712 tt_ptr_op(errmsg, OP_NE, NULL);
1713 tt_str_op(errmsg, OP_EQ, "Key digest failed");
1714
1715 routerinfo_err = TOR_ROUTERINFO_ERROR_CANNOT_GENERATE;
1716 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1717 &errmsg);
1718 tt_int_op(rv, OP_EQ, -1);
1719 tt_ptr_op(answer, OP_EQ, NULL);
1720 tt_ptr_op(errmsg, OP_NE, NULL);
1721 tt_str_op(errmsg, OP_EQ, "Cannot generate descriptor");
1722
1723 routerinfo_err = TOR_ROUTERINFO_ERROR_DESC_REBUILDING;
1724 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1725 &errmsg);
1726 tt_int_op(rv, OP_EQ, -1);
1727 tt_ptr_op(answer, OP_EQ, NULL);
1728 tt_ptr_op(errmsg, OP_NE, NULL);
1729 tt_str_op(errmsg, OP_EQ, "Descriptor still rebuilding - not ready yet");
1730
1731 done:
1732 tor_free(answer);
1733 UNMOCK(get_options);
1734 UNMOCK(router_get_my_routerinfo);
1735 addr_policy_list_free(mock_my_routerinfo.exit_policy);
1736 }
1737
1738 #undef DEFAULT_POLICY_STRING
1739 #undef TEST_IPV4_ADDR
1740 #undef TEST_IPV6_ADDR
1741
1742 #define TEST_IPV4_ADDR_STR "1.2.3.4"
1743 #define TEST_IPV6_ADDR_STR "[1002::4567]"
1744 #define REJECT_IPv4_FINAL_STR "reject 0.0.0.0/0:*"
1745 #define REJECT_IPv6_FINAL_STR "reject [::]/0:*"
1746
1747 #define OTHER_IPV4_ADDR_STR "6.7.8.9"
1748 #define OTHER_IPV6_ADDR_STR "[afff::]"
1749
1750 /** Run unit tests for fascist_firewall_allows_address */
1751 static void
1752 test_policies_fascist_firewall_allows_address(void *arg)
1753 {
1754 (void)arg;
1755 tor_addr_t ipv4_addr, ipv6_addr, r_ipv4_addr, r_ipv6_addr;
1756 tor_addr_t n_ipv4_addr, n_ipv6_addr;
1757 const uint16_t port = 1234;
1758 smartlist_t *policy = NULL;
1759 smartlist_t *e_policy = NULL;
1760 addr_policy_t *item = NULL;
1761 int malformed_list = 0;
1762
1763 /* Setup the options and the items in the policies */
1764 memset(&mock_options, 0, sizeof(or_options_t));
1765 MOCK(get_options, mock_get_options);
1766
1767 policy = smartlist_new();
1768 item = router_parse_addr_policy_item_from_string("accept "
1769 TEST_IPV4_ADDR_STR ":*",
1770 ADDR_POLICY_ACCEPT,
1771 &malformed_list);
1772 tt_assert(item);
1773 tt_assert(!malformed_list);
1774 smartlist_add(policy, item);
1775 item = router_parse_addr_policy_item_from_string("accept "
1776 TEST_IPV6_ADDR_STR,
1777 ADDR_POLICY_ACCEPT,
1778 &malformed_list);
1779 tt_assert(item);
1780 tt_assert(!malformed_list);
1781 smartlist_add(policy, item);
1782 /* Normally, policy_expand_unspec would do this for us */
1783 item = router_parse_addr_policy_item_from_string(REJECT_IPv4_FINAL_STR,
1784 ADDR_POLICY_ACCEPT,
1785 &malformed_list);
1786 tt_assert(item);
1787 tt_assert(!malformed_list);
1788 smartlist_add(policy, item);
1789 item = router_parse_addr_policy_item_from_string(REJECT_IPv6_FINAL_STR,
1790 ADDR_POLICY_ACCEPT,
1791 &malformed_list);
1792 tt_assert(item);
1793 tt_assert(!malformed_list);
1794 smartlist_add(policy, item);
1795 item = NULL;
1796
1797 e_policy = smartlist_new();
1798
1799 /*
1800 char *polstr = policy_dump_to_string(policy, 1, 1);
1801 printf("%s\n", polstr);
1802 tor_free(polstr);
1803 */
1804
1805 /* Parse the addresses */
1806 tor_addr_parse(&ipv4_addr, TEST_IPV4_ADDR_STR);
1807 tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR_STR);
1808 tor_addr_parse(&r_ipv4_addr, OTHER_IPV4_ADDR_STR);
1809 tor_addr_parse(&r_ipv6_addr, OTHER_IPV6_ADDR_STR);
1810 tor_addr_make_null(&n_ipv4_addr, AF_INET);
1811 tor_addr_make_null(&n_ipv6_addr, AF_INET6);
1812
1813 /* Test the function's address matching with IPv4 and IPv6 on */
1814 memset(&mock_options, 0, sizeof(or_options_t));
1815 mock_options.ClientUseIPv4 = 1;
1816 mock_options.ClientUseIPv6 = 1;
1817 mock_options.UseBridges = 0;
1818
1819 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
1820 OP_EQ, 1);
1821 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
1822 OP_EQ, 1);
1823 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
1824 OP_EQ, 0);
1825 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
1826 OP_EQ, 0);
1827
1828 /* Preferring IPv4 */
1829 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 0),
1830 OP_EQ, 1);
1831 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 0),
1832 OP_EQ, 0);
1833 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 0),
1834 OP_EQ, 0);
1835 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 0),
1836 OP_EQ, 0);
1837
1838 /* Preferring IPv6 */
1839 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 1),
1840 OP_EQ, 0);
1841 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 1),
1842 OP_EQ, 1);
1843 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 1),
1844 OP_EQ, 0);
1845 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 1),
1846 OP_EQ, 0);
1847
1848 /* Test the function's address matching with UseBridges on */
1849 memset(&mock_options, 0, sizeof(or_options_t));
1850 mock_options.ClientUseIPv4 = 1;
1851 mock_options.ClientUseIPv6 = 1;
1852 mock_options.UseBridges = 1;
1853
1854 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
1855 OP_EQ, 1);
1856 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
1857 OP_EQ, 1);
1858 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
1859 OP_EQ, 0);
1860 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
1861 OP_EQ, 0);
1862
1863 /* Preferring IPv4 */
1864 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 0),
1865 OP_EQ, 1);
1866 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 0),
1867 OP_EQ, 0);
1868 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 0),
1869 OP_EQ, 0);
1870 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 0),
1871 OP_EQ, 0);
1872
1873 /* Preferring IPv6 */
1874 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 1),
1875 OP_EQ, 0);
1876 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 1),
1877 OP_EQ, 1);
1878 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 1),
1879 OP_EQ, 0);
1880 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 1),
1881 OP_EQ, 0);
1882
1883 /* bridge clients always use IPv6, regardless of ClientUseIPv6 */
1884 mock_options.ClientUseIPv4 = 1;
1885 mock_options.ClientUseIPv6 = 0;
1886 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
1887 OP_EQ, 1);
1888 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
1889 OP_EQ, 1);
1890 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
1891 OP_EQ, 0);
1892 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
1893 OP_EQ, 0);
1894
1895 /* Test the function's address matching with IPv4 on */
1896 memset(&mock_options, 0, sizeof(or_options_t));
1897 mock_options.ClientUseIPv4 = 1;
1898 mock_options.ClientUseIPv6 = 0;
1899 mock_options.UseBridges = 0;
1900
1901 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
1902 OP_EQ, 1);
1903 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
1904 OP_EQ, 0);
1905 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
1906 OP_EQ, 0);
1907 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
1908 OP_EQ, 0);
1909
1910 /* Test the function's address matching with IPv6 on */
1911 memset(&mock_options, 0, sizeof(or_options_t));
1912 mock_options.ClientUseIPv4 = 0;
1913 mock_options.ClientUseIPv6 = 1;
1914 mock_options.UseBridges = 0;
1915
1916 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
1917 OP_EQ, 0);
1918 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
1919 OP_EQ, 1);
1920 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
1921 OP_EQ, 0);
1922 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
1923 OP_EQ, 0);
1924
1925 /* Test the function's address matching with ClientUseIPv4 0.
1926 * This means "use IPv6" regardless of the other settings. */
1927 memset(&mock_options, 0, sizeof(or_options_t));
1928 mock_options.ClientUseIPv4 = 0;
1929 mock_options.ClientUseIPv6 = 0;
1930 mock_options.UseBridges = 0;
1931
1932 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
1933 OP_EQ, 0);
1934 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
1935 OP_EQ, 1);
1936 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
1937 OP_EQ, 0);
1938 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
1939 OP_EQ, 0);
1940
1941 /* Test the function's address matching for unusual inputs */
1942 memset(&mock_options, 0, sizeof(or_options_t));
1943 mock_options.ClientUseIPv4 = 1;
1944 mock_options.ClientUseIPv6 = 1;
1945 mock_options.UseBridges = 1;
1946
1947 /* NULL and tor_addr_is_null addresses are rejected */
1948 tt_int_op(fascist_firewall_allows_address(NULL, port, policy, 0, 0), OP_EQ,
1949 0);
1950 tt_int_op(fascist_firewall_allows_address(&n_ipv4_addr, port, policy, 0, 0),
1951 OP_EQ, 0);
1952 tt_int_op(fascist_firewall_allows_address(&n_ipv6_addr, port, policy, 0, 0),
1953 OP_EQ, 0);
1954
1955 /* zero ports are rejected */
1956 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, 0, policy, 0, 0),
1957 OP_EQ, 0);
1958 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, 0, policy, 0, 0),
1959 OP_EQ, 0);
1960
1961 /* NULL and empty policies accept everything */
1962 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, NULL, 0, 0),
1963 OP_EQ, 1);
1964 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, NULL, 0, 0),
1965 OP_EQ, 1);
1966 tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, e_policy, 0, 0),
1967 OP_EQ, 1);
1968 tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, e_policy, 0, 0),
1969 OP_EQ, 1);
1970
1971 done:
1972 addr_policy_free(item);
1973 addr_policy_list_free(policy);
1974 addr_policy_list_free(e_policy);
1975 UNMOCK(get_options);
1976 }
1977
1978 #undef REJECT_IPv4_FINAL_STR
1979 #undef REJECT_IPv6_FINAL_STR
1980 #undef OTHER_IPV4_ADDR_STR
1981 #undef OTHER_IPV6_ADDR_STR
1982
1983 #define TEST_IPV4_OR_PORT 1234
1984 #define TEST_IPV4_DIR_PORT 2345
1985 #define TEST_IPV6_OR_PORT 61234
1986 #define TEST_IPV6_DIR_PORT 62345
1987
1988 /* Check that fascist_firewall_choose_address_rs() returns the expected
1989 * results. */
1990 #define CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \
1991 expect_ap) \
1992 STMT_BEGIN \
1993 tor_addr_port_t chosen_rs_ap; \
1994 tor_addr_make_null(&chosen_rs_ap.addr, AF_INET); \
1995 chosen_rs_ap.port = 0; \
1996 fascist_firewall_choose_address_rs(&(fake_rs), (fw_connection), \
1997 (pref_only), &chosen_rs_ap); \
1998 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_rs_ap.addr)); \
1999 tt_int_op((expect_ap).port, OP_EQ, chosen_rs_ap.port); \
2000 STMT_END
2001
2002 /* Check that fascist_firewall_choose_address_node() returns the expected
2003 * results. */
2004 #define CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, \
2005 expect_rv, expect_ap) \
2006 STMT_BEGIN \
2007 tor_addr_port_t chosen_node_ap; \
2008 tor_addr_make_null(&chosen_node_ap.addr, AF_INET); \
2009 chosen_node_ap.port = 0; \
2010 fascist_firewall_choose_address_node(&(fake_node),(fw_connection), \
2011 (pref_only), &chosen_node_ap); \
2012 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_node_ap.addr)); \
2013 tt_int_op((expect_ap).port, OP_EQ, chosen_node_ap.port); \
2014 STMT_END
2015
2016 /* Check that fascist_firewall_choose_address_rs and
2017 * fascist_firewall_choose_address_node() both return the expected results. */
2018 #define CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, fw_connection, pref_only, \
2019 expect_rv, expect_ap) \
2020 STMT_BEGIN \
2021 CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \
2022 expect_ap); \
2023 CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, expect_rv, \
2024 expect_ap); \
2025 STMT_END
2026
2027 /** Run unit tests for fascist_firewall_choose_address */
2028 static void
2029 test_policies_fascist_firewall_choose_address(void *arg)
2030 {
2031 (void)arg;
2032 tor_addr_port_t ipv4_or_ap, ipv4_dir_ap, ipv6_or_ap, ipv6_dir_ap;
2033 tor_addr_port_t n_ipv4_ap, n_ipv6_ap;
2034
2035 /* Setup the options */
2036 memset(&mock_options, 0, sizeof(or_options_t));
2037 MOCK(get_options, mock_get_options);
2038
2039 /* Parse the addresses */
2040 tor_addr_parse(&ipv4_or_ap.addr, TEST_IPV4_ADDR_STR);
2041 ipv4_or_ap.port = TEST_IPV4_OR_PORT;
2042 tor_addr_parse(&ipv4_dir_ap.addr, TEST_IPV4_ADDR_STR);
2043 ipv4_dir_ap.port = TEST_IPV4_DIR_PORT;
2044
2045 tor_addr_parse(&ipv6_or_ap.addr, TEST_IPV6_ADDR_STR);
2046 ipv6_or_ap.port = TEST_IPV6_OR_PORT;
2047 tor_addr_parse(&ipv6_dir_ap.addr, TEST_IPV6_ADDR_STR);
2048 ipv6_dir_ap.port = TEST_IPV6_DIR_PORT;
2049
2050 tor_addr_make_null(&n_ipv4_ap.addr, AF_INET);
2051 n_ipv4_ap.port = 0;
2052 tor_addr_make_null(&n_ipv6_ap.addr, AF_INET6);
2053 n_ipv6_ap.port = 0;
2054
2055 /* Sanity check fascist_firewall_choose_address with IPv4 and IPv6 on */
2056 memset(&mock_options, 0, sizeof(or_options_t));
2057 mock_options.ClientUseIPv4 = 1;
2058 mock_options.ClientUseIPv6 = 1;
2059 mock_options.UseBridges = 0;
2060
2061 /* Prefer IPv4 */
2062 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
2063 FIREWALL_OR_CONNECTION, 0, 0)
2064 == &ipv4_or_ap);
2065 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
2066 FIREWALL_OR_CONNECTION, 1, 0)
2067 == &ipv4_or_ap);
2068 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 1,
2069 FIREWALL_DIR_CONNECTION, 0, 0)
2070 == &ipv4_dir_ap);
2071 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 1,
2072 FIREWALL_DIR_CONNECTION, 1, 0)
2073 == &ipv4_dir_ap);
2074
2075 /* Prefer IPv6 */
2076 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
2077 FIREWALL_OR_CONNECTION, 0, 1)
2078 == &ipv6_or_ap);
2079 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
2080 FIREWALL_OR_CONNECTION, 1, 1)
2081 == &ipv6_or_ap);
2082 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 0,
2083 FIREWALL_DIR_CONNECTION, 0, 1)
2084 == &ipv6_dir_ap);
2085 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 0,
2086 FIREWALL_DIR_CONNECTION, 1, 1)
2087 == &ipv6_dir_ap);
2088
2089 /* Unusual inputs */
2090
2091 /* null preferred OR addresses */
2092 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &n_ipv6_ap, 0,
2093 FIREWALL_OR_CONNECTION, 0, 1)
2094 == &ipv4_or_ap);
2095 tt_assert(fascist_firewall_choose_address(&n_ipv4_ap, &ipv6_or_ap, 1,
2096 FIREWALL_OR_CONNECTION, 0, 0)
2097 == &ipv6_or_ap);
2098
2099 /* null both OR addresses */
2100 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 0,
2101 FIREWALL_OR_CONNECTION, 0, 1),
2102 OP_EQ, NULL);
2103 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 1,
2104 FIREWALL_OR_CONNECTION, 0, 0),
2105 OP_EQ, NULL);
2106
2107 /* null preferred Dir addresses */
2108 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &n_ipv6_ap, 0,
2109 FIREWALL_DIR_CONNECTION, 0, 1)
2110 == &ipv4_dir_ap);
2111 tt_assert(fascist_firewall_choose_address(&n_ipv4_ap, &ipv6_dir_ap, 1,
2112 FIREWALL_DIR_CONNECTION, 0, 0)
2113 == &ipv6_dir_ap);
2114
2115 /* null both Dir addresses */
2116 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 0,
2117 FIREWALL_DIR_CONNECTION, 0, 1),
2118 OP_EQ, NULL);
2119 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 1,
2120 FIREWALL_DIR_CONNECTION, 0, 0),
2121 OP_EQ, NULL);
2122
2123 /* Prefer IPv4 but want IPv6 (contradictory) */
2124 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
2125 FIREWALL_OR_CONNECTION, 0, 0)
2126 == &ipv4_or_ap);
2127 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
2128 FIREWALL_OR_CONNECTION, 1, 0)
2129 == &ipv4_or_ap);
2130
2131 /* Prefer IPv6 but want IPv4 (contradictory) */
2132 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
2133 FIREWALL_OR_CONNECTION, 0, 1)
2134 == &ipv6_or_ap);
2135 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
2136 FIREWALL_OR_CONNECTION, 1, 1)
2137 == &ipv6_or_ap);
2138
2139 /* Make a fake rs. There will be no corresponding node.
2140 * This is what happens when there's no consensus and we're bootstrapping
2141 * from authorities / fallbacks. */
2142 routerstatus_t fake_rs;
2143 memset(&fake_rs, 0, sizeof(routerstatus_t));
2144 /* In a routerstatus, the OR and Dir addresses are the same */
2145 fake_rs.addr = tor_addr_to_ipv4h(&ipv4_or_ap.addr);
2146 fake_rs.or_port = ipv4_or_ap.port;
2147 fake_rs.dir_port = ipv4_dir_ap.port;
2148
2149 tor_addr_copy(&fake_rs.ipv6_addr, &ipv6_or_ap.addr);
2150 fake_rs.ipv6_orport = ipv6_or_ap.port;
2151 /* In a routerstatus, the IPv4 and IPv6 DirPorts are the same.*/
2152 ipv6_dir_ap.port = TEST_IPV4_DIR_PORT;
2153
2154 /* Make a fake node. Even though it contains the fake_rs, a lookup won't
2155 * find the node from the rs, because they're not in the hash table. */
2156 node_t fake_node;
2157 memset(&fake_node, 0, sizeof(node_t));
2158 fake_node.rs = &fake_rs;
2159
2160 /* Choose an address with IPv4 and IPv6 on */
2161 memset(&mock_options, 0, sizeof(or_options_t));
2162 mock_options.ClientUseIPv4 = 1;
2163 mock_options.ClientUseIPv6 = 1;
2164 mock_options.UseBridges = 0;
2165
2166 /* Preferring IPv4 */
2167 mock_options.ClientPreferIPv6ORPort = 0;
2168 mock_options.ClientPreferIPv6DirPort = 0;
2169 /* Simulate the initialisation of fake_node.ipv6_preferred */
2170 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2171 &mock_options);
2172
2173 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2174 ipv4_or_ap);
2175 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2176 ipv4_or_ap);
2177 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2178 ipv4_dir_ap);
2179 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2180 ipv4_dir_ap);
2181
2182 /* Auto (Preferring IPv4) */
2183 mock_options.ClientPreferIPv6ORPort = -1;
2184 mock_options.ClientPreferIPv6DirPort = -1;
2185 /* Simulate the initialisation of fake_node.ipv6_preferred */
2186 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2187 &mock_options);
2188
2189 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2190 ipv4_or_ap);
2191 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2192 ipv4_or_ap);
2193 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2194 ipv4_dir_ap);
2195 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2196 ipv4_dir_ap);
2197
2198 /* Preferring IPv6 */
2199 mock_options.ClientPreferIPv6ORPort = 1;
2200 mock_options.ClientPreferIPv6DirPort = 1;
2201 /* Simulate the initialisation of fake_node.ipv6_preferred */
2202 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2203 &mock_options);
2204
2205 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2206 ipv6_or_ap);
2207 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2208 ipv6_or_ap);
2209 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2210 ipv6_dir_ap);
2211 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2212 ipv6_dir_ap);
2213
2214 /* Preferring IPv4 OR / IPv6 Dir */
2215 mock_options.ClientPreferIPv6ORPort = 0;
2216 mock_options.ClientPreferIPv6DirPort = 1;
2217 /* Simulate the initialisation of fake_node.ipv6_preferred */
2218 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2219 &mock_options);
2220
2221 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2222 ipv4_or_ap);
2223 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2224 ipv4_or_ap);
2225 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2226 ipv6_dir_ap);
2227 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2228 ipv6_dir_ap);
2229
2230 /* Preferring IPv6 OR / IPv4 Dir */
2231 mock_options.ClientPreferIPv6ORPort = 1;
2232 mock_options.ClientPreferIPv6DirPort = 0;
2233 /* Simulate the initialisation of fake_node.ipv6_preferred */
2234 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2235 &mock_options);
2236
2237 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2238 ipv6_or_ap);
2239 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2240 ipv6_or_ap);
2241 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2242 ipv4_dir_ap);
2243 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2244 ipv4_dir_ap);
2245
2246 /* Choose an address with UseBridges on */
2247 memset(&mock_options, 0, sizeof(or_options_t));
2248 mock_options.UseBridges = 1;
2249 mock_options.ClientUseIPv4 = 1;
2250 mock_options.ClientUseIPv6 = 1;
2251
2252 /* Preferring IPv4 */
2253 mock_options.ClientPreferIPv6ORPort = 0;
2254 mock_options.ClientPreferIPv6DirPort = 0;
2255 /* Simulate the initialisation of fake_node.ipv6_preferred */
2256 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2257 &mock_options);
2258
2259 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2260 ipv4_or_ap);
2261 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2262 ipv4_or_ap);
2263 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2264 ipv4_dir_ap);
2265 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2266 ipv4_dir_ap);
2267
2268 /* Auto:
2269 * - bridge clients prefer the configured bridge OR address from the node,
2270 * (the configured address family sets node.ipv6_preferred)
2271 * - other clients prefer IPv4 OR by default (see above),
2272 * - all clients, including bridge clients, prefer IPv4 Dir by default.
2273 */
2274 mock_options.ClientPreferIPv6ORPort = -1;
2275 mock_options.ClientPreferIPv6DirPort = -1;
2276
2277 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2278 * configured with an IPv4 address */
2279 fake_node.ipv6_preferred = 0;
2280 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2281 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2282 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2283 ipv4_dir_ap);
2284 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2285 ipv4_dir_ap);
2286
2287 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2288 * configured with an IPv6 address */
2289 fake_node.ipv6_preferred = 1;
2290 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv6_or_ap);
2291 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv6_or_ap);
2292 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2293 ipv4_dir_ap);
2294 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2295 ipv4_dir_ap);
2296
2297 /* When a rs has no node, it defaults to IPv4 under auto. */
2298 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2299 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2300 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 0, 1, ipv4_dir_ap);
2301 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 1, 1, ipv4_dir_ap);
2302
2303 /* Preferring IPv6 */
2304 mock_options.ClientPreferIPv6ORPort = 1;
2305 mock_options.ClientPreferIPv6DirPort = 1;
2306 /* Simulate the initialisation of fake_node.ipv6_preferred */
2307 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2308 &mock_options);
2309
2310 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2311 ipv6_or_ap);
2312 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2313 ipv6_or_ap);
2314 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2315 ipv6_dir_ap);
2316 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2317 ipv6_dir_ap);
2318
2319 /* In the default configuration (Auto / IPv6 off), bridge clients should
2320 * use both IPv4 and IPv6, but only prefer IPv6 for bridges configured with
2321 * an IPv6 address, regardless of ClientUseIPv6. (See above.) */
2322 mock_options.ClientUseIPv6 = 0;
2323 mock_options.ClientPreferIPv6ORPort = -1;
2324 mock_options.ClientPreferIPv6DirPort = -1;
2325 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2326 * configured with an IPv4 address */
2327 fake_node.ipv6_preferred = 0;
2328 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2329 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2330 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2331 ipv4_dir_ap);
2332 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2333 ipv4_dir_ap);
2334
2335 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2336 * configured with an IPv6 address */
2337 fake_node.ipv6_preferred = 1;
2338 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv6_or_ap);
2339 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv6_or_ap);
2340 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2341 ipv4_dir_ap);
2342 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2343 ipv4_dir_ap);
2344
2345 /* When a rs has no node, it defaults to IPv4 under auto. */
2346 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2347 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2348 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 0, 1, ipv4_dir_ap);
2349 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 1, 1, ipv4_dir_ap);
2350
2351 /* Choose an address with IPv4 on */
2352 memset(&mock_options, 0, sizeof(or_options_t));
2353 mock_options.ClientUseIPv4 = 1;
2354 mock_options.ClientUseIPv6 = 0;
2355 /* Simulate the initialisation of fake_node.ipv6_preferred */
2356 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2357 &mock_options);
2358
2359 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2360 ipv4_or_ap);
2361 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2362 ipv4_or_ap);
2363 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2364 ipv4_dir_ap);
2365 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2366 ipv4_dir_ap);
2367
2368 /* Choose an address with IPv6 on */
2369 memset(&mock_options, 0, sizeof(or_options_t));
2370 mock_options.ClientUseIPv4 = 0;
2371 mock_options.ClientUseIPv6 = 1;
2372 /* Simulate the initialisation of fake_node.ipv6_preferred */
2373 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2374 &mock_options);
2375
2376 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2377 ipv6_or_ap);
2378 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2379 ipv6_or_ap);
2380 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2381 ipv6_dir_ap);
2382 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2383 ipv6_dir_ap);
2384
2385 /* Choose an address with ClientUseIPv4 0.
2386 * This means "use IPv6" regardless of the other settings. */
2387 memset(&mock_options, 0, sizeof(or_options_t));
2388 mock_options.ClientUseIPv4 = 0;
2389 mock_options.ClientUseIPv6 = 0;
2390 /* Simulate the initialisation of fake_node.ipv6_preferred */
2391 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2392 &mock_options);
2393
2394 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2395 ipv6_or_ap);
2396 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2397 ipv6_or_ap);
2398 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2399 ipv6_dir_ap);
2400 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2401 ipv6_dir_ap);
2402
2403 /* Choose an address with ORPort_set 1 (server mode).
2404 * This means "use IPv4" regardless of the other settings. */
2405 memset(&mock_options, 0, sizeof(or_options_t));
2406 mock_options.ORPort_set = 1;
2407 mock_options.ClientUseIPv4 = 0;
2408 mock_options.ClientUseIPv6 = 1;
2409 mock_options.ClientPreferIPv6ORPort = 1;
2410 mock_options.ClientPreferIPv6DirPort = 1;
2411
2412 /* Simulate the initialisation of fake_node.ipv6_preferred */
2413 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2414 &mock_options);
2415
2416 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2417 ipv4_or_ap);
2418 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2419 ipv4_or_ap);
2420 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2421 ipv4_dir_ap);
2422 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2423 ipv4_dir_ap);
2424
2425 done:
2426 UNMOCK(get_options);
2427 }
2428
2429 #undef TEST_IPV4_ADDR_STR
2430 #undef TEST_IPV6_ADDR_STR
2431 #undef TEST_IPV4_OR_PORT
2432 #undef TEST_IPV4_DIR_PORT
2433 #undef TEST_IPV6_OR_PORT
2434 #undef TEST_IPV6_DIR_PORT
2435
2436 #undef CHECK_CHOSEN_ADDR_RS
2437 #undef CHECK_CHOSEN_ADDR_NODE
2438 #undef CHECK_CHOSEN_ADDR_RN
2439
2440 struct testcase_t policy_tests[] = {
2441 { "router_dump_exit_policy_to_string", test_dump_exit_policy_to_string, 0,
2442 NULL, NULL },
2443 { "general", test_policies_general, 0, NULL, NULL },
2444 { "getinfo_helper_policies", test_policies_getinfo_helper_policies, 0, NULL,
2445 NULL },
2446 { "reject_exit_address", test_policies_reject_exit_address, 0, NULL, NULL },
2447 { "reject_interface_address", test_policies_reject_interface_address, 0,
2448 NULL, NULL },
2449 { "reject_port_address", test_policies_reject_port_address, 0, NULL, NULL },
2450 { "fascist_firewall_allows_address",
2451 test_policies_fascist_firewall_allows_address, 0, NULL, NULL },
2452 { "fascist_firewall_choose_address",
2453 test_policies_fascist_firewall_choose_address, 0, NULL, NULL },
2454 END_OF_TESTCASES
2455 };
The Onion Router