|
@@ -2,6 +2,8 @@
|
|
|
/* See LICENSE for licensing information */
|
|
|
|
|
|
#include "or.h"
|
|
|
+#define CONFIG_PRIVATE
|
|
|
+#include "config.h"
|
|
|
#include "router.h"
|
|
|
#include "routerparse.h"
|
|
|
#include "policies.h"
|
|
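Review bot: `#define CONFIG_PRIVATE` is placed after `#include "or.h"`, so it only takes effect if nothing included earlier has already pulled in config.h. The contents of or.h are not visible here, so this is a robustness point rather than a confirmed bug. Defining the macro before the first include keeps the private declarations visible regardless of include order. A one-line comment such as `/* CONFIG_PRIVATE: tests below use config.c internals (port_cfg_new, port_cfg_free) */` would also record why the test needs it; that those two are the guarded symbols is inferred from the new test code, not shown in this diff.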
@@ -49,7 +51,7 @@ test_policy_summary_helper(const char *policy_str,
|
|
|
|
|
|
r = policies_parse_exit_policy(&line, &policy,
|
|
|
EXIT_POLICY_IPV6_ENABLED |
|
|
|
- EXIT_POLICY_ADD_DEFAULT, 0, NULL, 0);
|
|
|
+ EXIT_POLICY_ADD_DEFAULT, 0, NULL, NULL, NULL);
|
|
|
tt_int_op(r,OP_EQ, 0);
|
|
|
|
|
|
summary = policy_summarize(policy, AF_INET);
|
|
@@ -116,7 +118,7 @@ test_policies_general(void *arg)
|
|
|
EXIT_POLICY_IPV6_ENABLED |
|
|
|
EXIT_POLICY_REJECT_PRIVATE |
|
|
|
EXIT_POLICY_ADD_DEFAULT, 0,
|
|
|
- NULL, 0));
|
|
|
+ NULL, NULL, NULL));
|
|
|
|
|
|
tt_assert(policy2);
|
|
|
|
|
@@ -125,7 +127,8 @@ test_policies_general(void *arg)
|
|
|
EXIT_POLICY_IPV6_ENABLED |
|
|
|
EXIT_POLICY_REJECT_PRIVATE |
|
|
|
EXIT_POLICY_ADD_DEFAULT,
|
|
|
- 0x0306090cu, &tar, 1));
|
|
|
+ 0x0306090cu, &tar, NULL,
|
|
|
+ NULL));
|
|
|
|
|
|
tt_assert(policy12);
|
|
|
|
|
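Review bot: The policy12 call used to pass `1` as its final argument while every other updated call passed `0`, and the new argument list `0x0306090cu, &tar, NULL, NULL` has no visible counterpart for it. If that argument enabled rejection of interface addresses (the new signature is not shown here), this was the only call in test_policies_general exercising it through policies_parse_exit_policy, and that coverage may have been dropped silently. A comment above the call saying where the behaviour is now tested, e.g. `/* interface-address rejection is covered by test_policies_reject_interface_address */`, would make the change easier to audit. test_policies_general starts and ends outside the hunk.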
@@ -207,14 +210,14 @@ test_policies_general(void *arg)
|
|
|
EXIT_POLICY_IPV6_ENABLED |
|
|
|
EXIT_POLICY_REJECT_PRIVATE |
|
|
|
EXIT_POLICY_ADD_DEFAULT, 0,
|
|
|
- NULL, 0));
|
|
|
+ NULL, NULL, NULL));
|
|
|
|
|
|
tt_assert(policy8);
|
|
|
|
|
|
tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy9,
|
|
|
EXIT_POLICY_REJECT_PRIVATE |
|
|
|
EXIT_POLICY_ADD_DEFAULT, 0,
|
|
|
- NULL, 0));
|
|
|
+ NULL, NULL, NULL));
|
|
|
|
|
|
tt_assert(policy9);
|
|
|
|
|
@@ -269,7 +272,7 @@ test_policies_general(void *arg)
|
|
|
tt_int_op(0, OP_EQ, policies_parse_exit_policy(&line,&policy,
|
|
|
EXIT_POLICY_IPV6_ENABLED |
|
|
|
EXIT_POLICY_ADD_DEFAULT, 0,
|
|
|
- NULL, 0));
|
|
|
+ NULL, NULL, NULL));
|
|
|
tt_assert(policy);
|
|
|
|
|
|
//test_streq(policy->string, "accept *:80");
|
|
@@ -530,7 +533,7 @@ test_policies_reject_exit_address(void *arg)
|
|
|
/* test that local_address is interpreted as an IPv4 host-order address and
|
|
|
* rejected on an IPv4-only exit */
|
|
|
policies_parse_exit_policy_reject_private(&policy, 0, TEST_IPV4_ADDR, NULL,
|
|
|
- 0);
|
|
|
+ NULL, NULL, 0, 0);
|
|
|
tt_assert(policy);
|
|
|
tt_assert(smartlist_len(policy) == 1);
|
|
|
tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
|
|
@@ -540,7 +543,7 @@ test_policies_reject_exit_address(void *arg)
|
|
|
/* test that local_address is interpreted as an IPv4 host-order address and
|
|
|
* rejected on an IPv4/IPv6 exit */
|
|
|
policies_parse_exit_policy_reject_private(&policy, 1, TEST_IPV4_ADDR, NULL,
|
|
|
- 0);
|
|
|
+ NULL, NULL, 0, 0);
|
|
|
tt_assert(policy);
|
|
|
tt_assert(smartlist_len(policy) == 1);
|
|
|
tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
|
|
@@ -548,7 +551,8 @@ test_policies_reject_exit_address(void *arg)
|
|
|
policy = NULL;
|
|
|
|
|
|
/* test that ipv6_local_address is rejected on an IPv4/IPv6 exit */
|
|
|
- policies_parse_exit_policy_reject_private(&policy, 1, 0, &ipv6_addr, 0);
|
|
|
+ policies_parse_exit_policy_reject_private(&policy, 1, 0, &ipv6_addr, NULL,
|
|
|
+ NULL, 0, 0);
|
|
|
tt_assert(policy);
|
|
|
tt_assert(smartlist_len(policy) == 1);
|
|
|
tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
|
|
@@ -559,13 +563,155 @@ test_policies_reject_exit_address(void *arg)
|
|
|
* (all IPv6 addresses are rejected by policies_parse_exit_policy_internal
|
|
|
* on IPv4-only exits, so policies_parse_exit_policy_reject_private doesn't
|
|
|
* need to do anything) */
|
|
|
- policies_parse_exit_policy_reject_private(&policy, 0, 0, &ipv6_addr, 0);
|
|
|
+ policies_parse_exit_policy_reject_private(&policy, 0, 0, &ipv6_addr, NULL,
|
|
|
+ NULL, 0, 0);
|
|
|
tt_assert(policy == NULL);
|
|
|
|
|
|
done:
|
|
|
addr_policy_list_free(policy);
|
|
|
}
|
|
|
|
|
|
+/** Run unit tests for rejecting outbound connection addresses on this
|
|
|
+ * exit relay using policies_parse_exit_policy_reject_private */
|
|
|
+static void
|
|
|
+test_policies_reject_outbound_address(void *arg)
|
|
|
+{
|
|
|
+ smartlist_t *policy = NULL;
|
|
|
+ tor_addr_t ipv4_addr, ipv6_addr;
|
|
|
+ (void)arg;
|
|
|
+
|
|
|
+ tor_addr_from_ipv4h(&ipv4_addr, TEST_IPV4_ADDR);
|
|
|
+ tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR);
|
|
|
+
|
|
|
+ /* test that OutboundBindAddressIPv4_ is rejected on an IPv4-only exit */
|
|
|
+ policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, &ipv4_addr,
|
|
|
+ NULL, 0, 0);
|
|
|
+ tt_assert(policy);
|
|
|
+ tt_assert(smartlist_len(policy) == 1);
|
|
|
+ tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
|
|
|
+ addr_policy_list_free(policy);
|
|
|
+ policy = NULL;
|
|
|
+
|
|
|
+ /* test that OutboundBindAddressIPv4_ is rejected on an IPv4/IPv6 exit */
|
|
|
+ policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, &ipv4_addr,
|
|
|
+ NULL, 0, 0);
|
|
|
+ tt_assert(policy);
|
|
|
+ tt_assert(smartlist_len(policy) == 1);
|
|
|
+ tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
|
|
|
+ addr_policy_list_free(policy);
|
|
|
+ policy = NULL;
|
|
|
+
|
|
|
+ /* test that OutboundBindAddressIPv6_ is rejected on an IPv4/IPv6 exit */
|
|
|
+ policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, NULL,
|
|
|
+ &ipv6_addr, 0, 0);
|
|
|
+ tt_assert(policy);
|
|
|
+ tt_assert(smartlist_len(policy) == 1);
|
|
|
+ tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
|
|
|
+ addr_policy_list_free(policy);
|
|
|
+ policy = NULL;
|
|
|
+
|
|
|
+ /* test that OutboundBindAddressIPv6_ is NOT rejected on an IPv4-only exit
|
|
|
+ * (all IPv6 addresses are rejected by policies_parse_exit_policy_internal
|
|
|
+ * on IPv4-only exits, so policies_parse_exit_policy_reject_private doesn't
|
|
|
+ * need to do anything with IPv6 addresses on IPv4-only exits) */
|
|
|
+ policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL,
|
|
|
+ &ipv6_addr, 0, 0);
|
|
|
+ tt_assert(policy == NULL);
|
|
|
+
|
|
|
+ /* test that OutboundBindAddressIPv4_ is rejected on an IPv4-only exit,
|
|
|
+ * but OutboundBindAddressIPv6_ is NOT rejected (all IPv6 addresses are
|
|
|
+ * rejected by policies_parse_exit_policy_internal on IPv4-only exits, so
|
|
|
+ * policies_parse_exit_policy_reject_private doesn't need to do anything
|
|
|
+ * with IPv6 addresses on IPv4-only exits) */
|
|
|
+ policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, &ipv4_addr,
|
|
|
+ &ipv6_addr, 0, 0);
|
|
|
+ tt_assert(policy);
|
|
|
+ tt_assert(smartlist_len(policy) == 1);
|
|
|
+ tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
|
|
|
+ addr_policy_list_free(policy);
|
|
|
+ policy = NULL;
|
|
|
+
|
|
|
+ /* test that OutboundBindAddressIPv4_ and OutboundBindAddressIPv6_ are
|
|
|
+ * rejected on an IPv4/IPv6 exit */
|
|
|
+ policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, &ipv4_addr,
|
|
|
+ &ipv6_addr, 0, 0);
|
|
|
+ tt_assert(policy);
|
|
|
+ tt_assert(smartlist_len(policy) == 2);
|
|
|
+ tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
|
|
|
+ tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
|
|
|
+ addr_policy_list_free(policy);
|
|
|
+ policy = NULL;
|
|
|
+
|
|
|
+done:
|
|
|
+ addr_policy_list_free(policy);
|
|
|
+}
|
|
|
+
|
|
|
+static smartlist_t *test_configured_ports = NULL;
|
|
|
+const smartlist_t *mock_get_configured_ports(void);
|
|
|
+
|
|
|
+/** Returns test_configured_ports */
|
|
|
+const smartlist_t *
|
|
|
+mock_get_configured_ports(void)
|
|
|
+{
|
|
|
+ return test_configured_ports;
|
|
|
+}
|
|
|
+
|
|
|
+/** Run unit tests for rejecting publicly routable configured port addresses
|
|
|
+ * on this exit relay using policies_parse_exit_policy_reject_private */
|
|
|
+static void
|
|
|
+test_policies_reject_port_address(void *arg)
|
|
|
+{
|
|
|
+ smartlist_t *policy = NULL;
|
|
|
+ port_cfg_t *ipv4_port = NULL;
|
|
|
+ port_cfg_t *ipv6_port = NULL;
|
|
|
+ (void)arg;
|
|
|
+
|
|
|
+ test_configured_ports = smartlist_new();
|
|
|
+
|
|
|
+ ipv4_port = port_cfg_new(0);
|
|
|
+ tor_addr_from_ipv4h(&ipv4_port->addr, TEST_IPV4_ADDR);
|
|
|
+ smartlist_add(test_configured_ports, ipv4_port);
|
|
|
+
|
|
|
+ ipv6_port = port_cfg_new(0);
|
|
|
+ tor_addr_parse(&ipv6_port->addr, TEST_IPV6_ADDR);
|
|
|
+ smartlist_add(test_configured_ports, ipv6_port);
|
|
|
+
|
|
|
+ MOCK(get_configured_ports, mock_get_configured_ports);
|
|
|
+
|
|
|
+ /* test that an IPv4 port is rejected on an IPv4-only exit, but an IPv6 port
|
|
|
+ * is NOT rejected (all IPv6 addresses are rejected by
|
|
|
+ * policies_parse_exit_policy_internal on IPv4-only exits, so
|
|
|
+ * policies_parse_exit_policy_reject_private doesn't need to do anything
|
|
|
+ * with IPv6 addresses on IPv4-only exits) */
|
|
|
+ policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL, NULL,
|
|
|
+ 0, 1);
|
|
|
+ tt_assert(policy);
|
|
|
+ tt_assert(smartlist_len(policy) == 1);
|
|
|
+ tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr));
|
|
|
+ addr_policy_list_free(policy);
|
|
|
+ policy = NULL;
|
|
|
+
|
|
|
+ /* test that IPv4 and IPv6 ports are rejected on an IPv4/IPv6 exit */
|
|
|
+ policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, NULL, NULL,
|
|
|
+ 0, 1);
|
|
|
+ tt_assert(policy);
|
|
|
+ tt_assert(smartlist_len(policy) == 2);
|
|
|
+ tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr));
|
|
|
+ tt_assert(test_policy_has_address_helper(policy, &ipv6_port->addr));
|
|
|
+ addr_policy_list_free(policy);
|
|
|
+ policy = NULL;
|
|
|
+
|
|
|
+done:
|
|
|
+ addr_policy_list_free(policy);
|
|
|
+ if (test_configured_ports) {
|
|
|
+ SMARTLIST_FOREACH(test_configured_ports,
|
|
|
+ port_cfg_t *, p, port_cfg_free(p));
|
|
|
+ smartlist_free(test_configured_ports);
|
|
|
+ test_configured_ports = NULL;
|
|
|
+ }
|
|
|
+ UNMOCK(get_configured_ports);
|
|
|
+}
|
|
|
+
|
|
|
#undef TEST_IPV4_ADDR
|
|
|
#undef TEST_IPV6_ADDR
|
|
|
|
|
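Review bot: test_policies_reject_port_address only calls the function with the final flag set to `1` while the mock is installed, so nothing pins that the flag actually gates the behaviour; a regression that always adds configured port addresses to the reject list would still pass. Adding `policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, NULL, NULL, 0, 0);` followed by `tt_assert(policy == NULL);` after the `MOCK(...)` line would cover the disabled case. The doc comment says "publicly routable" port addresses, but both fixtures appear to be public (TEST_IPV4_ADDR and TEST_IPV6_ADDR are defined outside the hunk), so the filtering of private or loopback listener addresses is not exercised either. Both new tests also ignore the return value of `tor_addr_parse(...)`; checking it with `tt_int_op(tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR), OP_NE, -1);` would make a bad fixture fail loudly instead of being compared as an unset address.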
@@ -582,12 +728,14 @@ test_policies_reject_interface_address(void *arg)
|
|
|
(void)arg;
|
|
|
|
|
|
/* test that no addresses are rejected when none are supplied/requested */
|
|
|
- policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, 0);
|
|
|
+ policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL, NULL,
|
|
|
+ 0, 0);
|
|
|
tt_assert(policy == NULL);
|
|
|
|
|
|
/* test that only IPv4 interface addresses are rejected on an IPv4-only exit
|
|
|
*/
|
|
|
- policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, 1);
|
|
|
+ policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL, NULL,
|
|
|
+ 1, 0);
|
|
|
if (policy) {
|
|
|
tt_assert(smartlist_len(policy) == smartlist_len(public_ipv4_addrs));
|
|
|
addr_policy_list_free(policy);
|
|
@@ -596,7 +744,8 @@ test_policies_reject_interface_address(void *arg)
|
|
|
|
|
|
/* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
|
|
|
* exit */
|
|
|
- policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, 1);
|
|
|
+ policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL, NULL,
|
|
|
+ 1, 0);
|
|
|
if (policy) {
|
|
|
tt_assert(smartlist_len(policy) == (smartlist_len(public_ipv4_addrs)
|
|
|
+ smartlist_len(public_ipv6_addrs)));
|
|
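Review bot: The call under the "IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6 exit" comment still passes `0` as its second argument, the same as the IPv4-only case in the previous hunk, so the dual-stack path does not appear to be exercised. In the other tests in this diff that argument is `1` whenever the comment says IPv4/IPv6 exit, which suggests the first line should read `policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, NULL, NULL,`. Because the assertion sits inside `if (policy)`, a host with no public interface addresses passes without checking anything, which helps hide the mismatch. test_policies_reject_interface_address starts and ends outside the hunk.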
@@ -705,6 +854,8 @@ struct testcase_t policy_tests[] = {
|
|
|
{ "general", test_policies_general, 0, NULL, NULL },
|
|
|
{ "reject_exit_address", test_policies_reject_exit_address, 0, NULL, NULL },
|
|
|
{ "reject_interface_address", test_policies_reject_interface_address, 0, NULL, NULL },
|
|
|
+ { "reject_outbound_address", test_policies_reject_outbound_address, 0, NULL, NULL },
|
|
|
+ { "reject_port_address", test_policies_reject_port_address, 0, NULL, NULL },
|
|
|
END_OF_TESTCASES
|
|
|
};
|
|
|
|