test_policy.c 99 KB

  1. /* Copyright (c) 2013-2019, The Tor Project, Inc. */
  2. /* See LICENSE for licensing information */
  3. #define CONFIG_PRIVATE
  4. #define POLICIES_PRIVATE
  5. #include "core/or/or.h"
  6. #include "app/config/config.h"
  7. #include "core/or/policies.h"
  8. #include "feature/dirparse/policy_parse.h"
  9. #include "feature/relay/router.h"
  10. #include "lib/encoding/confline.h"
  11. #include "test/test.h"
  12. #include "core/or/addr_policy_st.h"
  13. #include "core/or/port_cfg_st.h"
  14. #include "feature/nodelist/node_st.h"
  15. #include "feature/nodelist/routerinfo_st.h"
  16. #include "feature/nodelist/routerstatus_st.h"
  /** Helper: check that <b>input</b> parses as a short policy and that
   * writing the parsed policy back out produces <b>expected</b>. If
   * <b>expected</b> is NULL, the output has to match <b>input</b> itself. */
  static void
  test_short_policy_parse(const char *input,
                          const char *expected)
  {
    short_policy_t *short_policy = parse_short_policy(input);
    char *out = NULL;

    /* No separate expectation given: require an unchanged round trip. */
    if (!expected) {
      expected = input;
    }

    tt_assert(short_policy);

    out = write_short_policy(short_policy);
    tt_str_op(out, OP_EQ, expected);

   done:
    /* Cleanup label; there is no explicit goto, so the tt_* checks above
     * are presumably what transfer control here on failure. */
    tor_free(out);
    short_policy_free(short_policy);
  }
  /** Helper: parse the exit policy string <b>policy_str</b> with the parser
   * flags in <b>options</b>, and check that policy_summarize() for
   * <b>family</b> returns <b>expected_summary</b>. The summary is then fed
   * through parse_short_policy() and write_short_policy() and must come back
   * unchanged. On any failure the family, flags and policy are printed. */
  static void
  test_policy_summary_helper_family_flags(const char *policy_str,
                                          const char *expected_summary,
                                          sa_family_t family,
                                          exit_policy_parser_cfg_t options)
  {
    smartlist_t *policy = smartlist_new();
    short_policy_t *short_policy = NULL;
    char *summary = NULL;
    char *summary_after = NULL;
    int success = 0;
    int r;
    config_line_t line;

    /* Present the policy string as a single config line.
     * NOTE(review): only key, value and next are assigned; any other
     * config_line_t members stay uninitialized -- confirm the parser reads
     * nothing else. */
    line.next = NULL;
    line.key = (char*)"foo";
    line.value = (char *)policy_str;

    r = policies_parse_exit_policy(&line, &policy, options, NULL);
    tt_int_op(r, OP_EQ, 0);

    /* The summary must exist and match the expected text exactly. */
    summary = policy_summarize(policy, family);
    tt_ptr_op(summary, OP_NE, NULL);
    tt_str_op(summary, OP_EQ, expected_summary);

    /* The summary must itself be a short policy that round-trips. */
    short_policy = parse_short_policy(summary);
    tt_assert(short_policy);
    summary_after = write_short_policy(short_policy);
    tt_str_op(summary, OP_EQ, summary_after);

    success = 1;

   done:
    /* If we don't print the flags on failure, it's very hard to diagnose
     * bugs: this helper is run once per flag combination. */
    if (success == 0) {
      TT_DECLARE("CTXT", ("\n IPv%d\n Options: %x\n Policy: %s",
                          family == AF_INET ? 4 : 6, options, policy_str));
    }

    tor_free(summary_after);
    tor_free(summary);
    if (policy) {
      addr_policy_list_free(policy);
    }
    short_policy_free(short_policy);
  }
  /** Like test_policy_summary_helper_family_flags(), but repeats the check
   * for every parser flag value from 0 through EXIT_POLICY_OPTION_ALL,
   * leaving out the combinations that cannot be tested meaningfully. */
  static void
  test_policy_summary_helper_family(const char *policy_str,
                                    const char *expected_summary,
                                    sa_family_t family)
  {
    exit_policy_parser_cfg_t opt = 0;

    while (opt <= EXIT_POLICY_OPTION_ALL) {
      /* IPv6 addresses need IPv6 enabled. */
      const int ipv6_ok =
        (family != AF_INET6) || (opt & EXIT_POLICY_IPV6_ENABLED);
      /* Local interfaces are machine-specific, so results would vary. */
      const int uses_local_ifaces =
        (opt & EXIT_POLICY_REJECT_LOCAL_INTERFACES) != 0;

      if (ipv6_ok && !uses_local_ifaces) {
        test_policy_summary_helper_family_flags(policy_str, expected_summary,
                                                family, opt);
      }
      opt++;
    }
  }
  /** Like test_policy_summary_helper_family(), but checks the same
   * <b>expected_summary</b> for IPv4 first and then for IPv6. */
  static void
  test_policy_summary_helper(const char *policy_str,
                             const char *expected_summary)
  {
    const sa_family_t families[2] = { AF_INET, AF_INET6 };

    for (int idx = 0; idx < 2; idx++) {
      test_policy_summary_helper_family(policy_str, expected_summary,
                                        families[idx]);
    }
  }
  /** Like test_policy_summary_helper_family(), but with a separate expected
   * summary per address family: <b>expected_summary4</b> is checked for IPv4
   * first, then <b>expected_summary6</b> for IPv6. */
  static void
  test_policy_summary_helper6(const char *policy_str,
                              const char *expected_summary4,
                              const char *expected_summary6)
  {
    const sa_family_t families[2] = { AF_INET, AF_INET6 };
    const char *summaries[2] = { expected_summary4, expected_summary6 };

    for (int idx = 0; idx < 2; idx++) {
      test_policy_summary_helper_family(policy_str, summaries[idx],
                                        families[idx]);
    }
  }
  115. /** Run unit tests for generating summary lines of exit policies */
  116. static void
  117. test_policies_general(void *arg)
  118. {
  119. int i;
  120. smartlist_t *policy = NULL, *policy2 = NULL, *policy3 = NULL,
  121. *policy4 = NULL, *policy5 = NULL, *policy6 = NULL,
  122. *policy7 = NULL, *policy8 = NULL, *policy9 = NULL,
  123. *policy10 = NULL, *policy11 = NULL, *policy12 = NULL;
  124. addr_policy_t *p;
  125. tor_addr_t tar, tar2;
  126. smartlist_t *addr_list = NULL;
  127. config_line_t line;
  128. smartlist_t *sm = NULL;
  129. char *policy_str = NULL;
  130. short_policy_t *short_parsed = NULL;
  131. int malformed_list = -1;
  132. (void)arg;
  133. policy = smartlist_new();
  134. p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*", -1,
  135. &malformed_list);
  136. tt_ptr_op(p, OP_NE, NULL);
  137. tt_int_op(ADDR_POLICY_REJECT,OP_EQ, p->policy_type);
  138. tor_addr_from_ipv4h(&tar, 0xc0a80000u);
  139. tt_int_op(0,OP_EQ, tor_addr_compare(&p->addr, &tar, CMP_EXACT));
  140. tt_int_op(16,OP_EQ, p->maskbits);
  141. tt_int_op(1,OP_EQ, p->prt_min);
  142. tt_int_op(65535,OP_EQ, p->prt_max);
  143. smartlist_add(policy, p);
  144. tor_addr_from_ipv4h(&tar, 0x01020304u);
  145. tt_assert(ADDR_POLICY_ACCEPTED ==
  146. compare_tor_addr_to_addr_policy(&tar, 2, policy));
  147. tor_addr_make_unspec(&tar);
  148. tt_assert(ADDR_POLICY_PROBABLY_ACCEPTED ==
  149. compare_tor_addr_to_addr_policy(&tar, 2, policy));
  150. tor_addr_from_ipv4h(&tar, 0xc0a80102);
  151. tt_assert(ADDR_POLICY_REJECTED ==
  152. compare_tor_addr_to_addr_policy(&tar, 2, policy));
  153. tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy2,
  154. EXIT_POLICY_IPV6_ENABLED |
  155. EXIT_POLICY_REJECT_PRIVATE |
  156. EXIT_POLICY_ADD_DEFAULT, NULL));
  157. tt_assert(policy2);
  158. tor_addr_from_ipv4h(&tar, 0x0306090cu);
  159. tor_addr_parse(&tar2, "[2000::1234]");
  160. addr_list = smartlist_new();
  161. smartlist_add(addr_list, &tar);
  162. smartlist_add(addr_list, &tar2);
  163. tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy12,
  164. EXIT_POLICY_IPV6_ENABLED |
  165. EXIT_POLICY_REJECT_PRIVATE |
  166. EXIT_POLICY_ADD_DEFAULT,
  167. addr_list));
  168. smartlist_free(addr_list);
  169. addr_list = NULL;
  170. tt_assert(policy12);
  171. policy3 = smartlist_new();
  172. p = router_parse_addr_policy_item_from_string("reject *:*", -1,
  173. &malformed_list);
  174. tt_ptr_op(p, OP_NE, NULL);
  175. smartlist_add(policy3, p);
  176. p = router_parse_addr_policy_item_from_string("accept *:*", -1,
  177. &malformed_list);
  178. tt_ptr_op(p, OP_NE, NULL);
  179. smartlist_add(policy3, p);
  180. policy4 = smartlist_new();
  181. p = router_parse_addr_policy_item_from_string("accept *:443", -1,
  182. &malformed_list);
  183. tt_ptr_op(p, OP_NE, NULL);
  184. smartlist_add(policy4, p);
  185. p = router_parse_addr_policy_item_from_string("accept *:443", -1,
  186. &malformed_list);
  187. tt_ptr_op(p, OP_NE, NULL);
  188. smartlist_add(policy4, p);
  189. policy5 = smartlist_new();
  190. p = router_parse_addr_policy_item_from_string("reject 0.0.0.0/8:*", -1,
  191. &malformed_list);
  192. tt_ptr_op(p, OP_NE, NULL);
  193. smartlist_add(policy5, p);
  194. p = router_parse_addr_policy_item_from_string("reject 169.254.0.0/16:*", -1,
  195. &malformed_list);
  196. tt_ptr_op(p, OP_NE, NULL);
  197. smartlist_add(policy5, p);
  198. p = router_parse_addr_policy_item_from_string("reject 127.0.0.0/8:*", -1,
  199. &malformed_list);
  200. tt_ptr_op(p, OP_NE, NULL);
  201. smartlist_add(policy5, p);
  202. p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*",
  203. -1, &malformed_list);
  204. tt_ptr_op(p, OP_NE, NULL);
  205. smartlist_add(policy5, p);
  206. p = router_parse_addr_policy_item_from_string("reject 10.0.0.0/8:*", -1,
  207. &malformed_list);
  208. tt_ptr_op(p, OP_NE, NULL);
  209. smartlist_add(policy5, p);
  210. p = router_parse_addr_policy_item_from_string("reject 172.16.0.0/12:*", -1,
  211. &malformed_list);
  212. tt_ptr_op(p, OP_NE, NULL);
  213. smartlist_add(policy5, p);
  214. p = router_parse_addr_policy_item_from_string("reject 80.190.250.90:*", -1,
  215. &malformed_list);
  216. tt_ptr_op(p, OP_NE, NULL);
  217. smartlist_add(policy5, p);
  218. p = router_parse_addr_policy_item_from_string("reject *:1-65534", -1,
  219. &malformed_list);
  220. tt_ptr_op(p, OP_NE, NULL);
  221. smartlist_add(policy5, p);
  222. p = router_parse_addr_policy_item_from_string("reject *:65535", -1,
  223. &malformed_list);
  224. tt_ptr_op(p, OP_NE, NULL);
  225. smartlist_add(policy5, p);
  226. p = router_parse_addr_policy_item_from_string("accept *:1-65535", -1,
  227. &malformed_list);
  228. tt_ptr_op(p, OP_NE, NULL);
  229. smartlist_add(policy5, p);
  230. policy6 = smartlist_new();
  231. p = router_parse_addr_policy_item_from_string("accept 43.3.0.0/9:*", -1,
  232. &malformed_list);
  233. tt_ptr_op(p, OP_NE, NULL);
  234. smartlist_add(policy6, p);
  235. policy7 = smartlist_new();
  236. p = router_parse_addr_policy_item_from_string("accept 0.0.0.0/8:*", -1,
  237. &malformed_list);
  238. tt_ptr_op(p, OP_NE, NULL);
  239. smartlist_add(policy7, p);
  240. tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy8,
  241. EXIT_POLICY_IPV6_ENABLED |
  242. EXIT_POLICY_REJECT_PRIVATE |
  243. EXIT_POLICY_ADD_DEFAULT,
  244. NULL));
  245. tt_assert(policy8);
  246. tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy9,
  247. EXIT_POLICY_REJECT_PRIVATE |
  248. EXIT_POLICY_ADD_DEFAULT,
  249. NULL));
  250. tt_assert(policy9);
  251. /* accept6 * and reject6 * produce IPv6 wildcards only */
  252. policy10 = smartlist_new();
  253. p = router_parse_addr_policy_item_from_string("accept6 *:*", -1,
  254. &malformed_list);
  255. tt_ptr_op(p, OP_NE, NULL);
  256. smartlist_add(policy10, p);
  257. policy11 = smartlist_new();
  258. p = router_parse_addr_policy_item_from_string("reject6 *:*", -1,
  259. &malformed_list);
  260. tt_ptr_op(p, OP_NE, NULL);
  261. smartlist_add(policy11, p);
  262. tt_assert(!exit_policy_is_general_exit(policy));
  263. tt_assert(exit_policy_is_general_exit(policy2));
  264. tt_assert(!exit_policy_is_general_exit(NULL));
  265. tt_assert(!exit_policy_is_general_exit(policy3));
  266. tt_assert(!exit_policy_is_general_exit(policy4));
  267. tt_assert(!exit_policy_is_general_exit(policy5));
  268. tt_assert(!exit_policy_is_general_exit(policy6));
  269. tt_assert(!exit_policy_is_general_exit(policy7));
  270. tt_assert(exit_policy_is_general_exit(policy8));
  271. tt_assert(exit_policy_is_general_exit(policy9));
  272. tt_assert(!exit_policy_is_general_exit(policy10));
  273. tt_assert(!exit_policy_is_general_exit(policy11));
  274. tt_assert(!addr_policies_eq(policy, policy2));
  275. tt_assert(!addr_policies_eq(policy, NULL));
  276. tt_assert(addr_policies_eq(policy2, policy2));
  277. tt_assert(addr_policies_eq(NULL, NULL));
  278. tt_assert(!policy_is_reject_star(policy2, AF_INET, 1));
  279. tt_assert(policy_is_reject_star(policy, AF_INET, 1));
  280. tt_assert(policy_is_reject_star(policy10, AF_INET, 1));
  281. tt_assert(!policy_is_reject_star(policy10, AF_INET6, 1));
  282. tt_assert(policy_is_reject_star(policy11, AF_INET, 1));
  283. tt_assert(policy_is_reject_star(policy11, AF_INET6, 1));
  284. tt_assert(policy_is_reject_star(NULL, AF_INET, 1));
  285. tt_assert(policy_is_reject_star(NULL, AF_INET6, 1));
  286. tt_assert(!policy_is_reject_star(NULL, AF_INET, 0));
  287. tt_assert(!policy_is_reject_star(NULL, AF_INET6, 0));
  288. addr_policy_list_free(policy);
  289. policy = NULL;
  290. /* make sure assume_action works */
  291. malformed_list = 0;
  292. p = router_parse_addr_policy_item_from_string("127.0.0.1",
  293. ADDR_POLICY_ACCEPT,
  294. &malformed_list);
  295. tt_assert(p);
  296. addr_policy_free(p);
  297. tt_assert(!malformed_list);
  298. p = router_parse_addr_policy_item_from_string("127.0.0.1:*",
  299. ADDR_POLICY_ACCEPT,
  300. &malformed_list);
  301. tt_assert(p);
  302. addr_policy_free(p);
  303. tt_assert(!malformed_list);
  304. p = router_parse_addr_policy_item_from_string("[::]",
  305. ADDR_POLICY_ACCEPT,
  306. &malformed_list);
  307. tt_assert(p);
  308. addr_policy_free(p);
  309. tt_assert(!malformed_list);
  310. p = router_parse_addr_policy_item_from_string("[::]:*",
  311. ADDR_POLICY_ACCEPT,
  312. &malformed_list);
  313. tt_assert(p);
  314. addr_policy_free(p);
  315. tt_assert(!malformed_list);
  316. p = router_parse_addr_policy_item_from_string("[face::b]",
  317. ADDR_POLICY_ACCEPT,
  318. &malformed_list);
  319. tt_assert(p);
  320. addr_policy_free(p);
  321. tt_assert(!malformed_list);
  322. p = router_parse_addr_policy_item_from_string("[b::aaaa]",
  323. ADDR_POLICY_ACCEPT,
  324. &malformed_list);
  325. tt_assert(p);
  326. addr_policy_free(p);
  327. tt_assert(!malformed_list);
  328. p = router_parse_addr_policy_item_from_string("*",
  329. ADDR_POLICY_ACCEPT,
  330. &malformed_list);
  331. tt_assert(p);
  332. addr_policy_free(p);
  333. tt_assert(!malformed_list);
  334. p = router_parse_addr_policy_item_from_string("*4",
  335. ADDR_POLICY_ACCEPT,
  336. &malformed_list);
  337. tt_assert(p);
  338. addr_policy_free(p);
  339. tt_assert(!malformed_list);
  340. p = router_parse_addr_policy_item_from_string("*6",
  341. ADDR_POLICY_ACCEPT,
  342. &malformed_list);
  343. tt_assert(p);
  344. addr_policy_free(p);
  345. tt_assert(!malformed_list);
  346. /* These are all ambiguous IPv6 addresses, it's good that we reject them */
  347. p = router_parse_addr_policy_item_from_string("acce::abcd",
  348. ADDR_POLICY_ACCEPT,
  349. &malformed_list);
  350. tt_ptr_op(p, OP_EQ, NULL);
  351. tt_assert(malformed_list);
  352. malformed_list = 0;
  353. p = router_parse_addr_policy_item_from_string("7:1234",
  354. ADDR_POLICY_ACCEPT,
  355. &malformed_list);
  356. tt_ptr_op(p, OP_EQ, NULL);
  357. tt_assert(malformed_list);
  358. malformed_list = 0;
  359. p = router_parse_addr_policy_item_from_string("::",
  360. ADDR_POLICY_ACCEPT,
  361. &malformed_list);
  362. tt_ptr_op(p, OP_EQ, NULL);
  363. tt_assert(malformed_list);
  364. malformed_list = 0;
  365. /* make sure compacting logic works. */
  366. policy = NULL;
  367. line.key = (char*)"foo";
  368. line.value = (char*)"accept *:80,reject private:*,reject *:*";
  369. line.next = NULL;
  370. tt_int_op(0, OP_EQ, policies_parse_exit_policy(&line,&policy,
  371. EXIT_POLICY_IPV6_ENABLED |
  372. EXIT_POLICY_ADD_DEFAULT, NULL));
  373. tt_assert(policy);
  374. //test_streq(policy->string, "accept *:80");
  375. //test_streq(policy->next->string, "reject *:*");
  376. tt_int_op(smartlist_len(policy),OP_EQ, 4);
  377. /* test policy summaries */
  378. /* check if we properly ignore private IP addresses */
  379. test_policy_summary_helper("reject 192.168.0.0/16:*,"
  380. "reject 0.0.0.0/8:*,"
  381. "reject 10.0.0.0/8:*,"
  382. "accept *:10-30,"
  383. "accept *:90,"
  384. "reject *:*",
  385. "accept 10-30,90");
  386. /* check all accept policies, and proper counting of rejects */
  387. test_policy_summary_helper("reject 11.0.0.0/9:80,"
  388. "reject 12.0.0.0/9:80,"
  389. "reject 13.0.0.0/9:80,"
  390. "reject 14.0.0.0/9:80,"
  391. "accept *:*", "accept 1-65535");
  392. test_policy_summary_helper("reject 11.0.0.0/9:80,"
  393. "reject 12.0.0.0/9:80,"
  394. "reject 13.0.0.0/9:80,"
  395. "reject 14.0.0.0/9:80,"
  396. "reject 15.0.0.0:81,"
  397. "accept *:*", "accept 1-65535");
  398. test_policy_summary_helper6("reject 11.0.0.0/9:80,"
  399. "reject 12.0.0.0/9:80,"
  400. "reject 13.0.0.0/9:80,"
  401. "reject 14.0.0.0/9:80,"
  402. "reject 15.0.0.0:80,"
  403. "accept *:*",
  404. "reject 80",
  405. "accept 1-65535");
  406. /* no exits */
  407. test_policy_summary_helper("accept 11.0.0.0/9:80,"
  408. "reject *:*",
  409. "reject 1-65535");
  410. /* port merging */
  411. test_policy_summary_helper("accept *:80,"
  412. "accept *:81,"
  413. "accept *:100-110,"
  414. "accept *:111,"
  415. "reject *:*",
  416. "accept 80-81,100-111");
  417. /* border ports */
  418. test_policy_summary_helper("accept *:1,"
  419. "accept *:3,"
  420. "accept *:65535,"
  421. "reject *:*",
  422. "accept 1,3,65535");
  423. /* holes */
  424. test_policy_summary_helper("accept *:1,"
  425. "accept *:3,"
  426. "accept *:5,"
  427. "accept *:7,"
  428. "reject *:*",
  429. "accept 1,3,5,7");
  430. test_policy_summary_helper("reject *:1,"
  431. "reject *:3,"
  432. "reject *:5,"
  433. "reject *:7,"
  434. "accept *:*",
  435. "reject 1,3,5,7");
  436. /* long policies */
  437. /* standard long policy on many exits */
  438. test_policy_summary_helper("accept *:20-23,"
  439. "accept *:43,"
  440. "accept *:53,"
  441. "accept *:79-81,"
  442. "accept *:88,"
  443. "accept *:110,"
  444. "accept *:143,"
  445. "accept *:194,"
  446. "accept *:220,"
  447. "accept *:389,"
  448. "accept *:443,"
  449. "accept *:464,"
  450. "accept *:531,"
  451. "accept *:543-544,"
  452. "accept *:554,"
  453. "accept *:563,"
  454. "accept *:636,"
  455. "accept *:706,"
  456. "accept *:749,"
  457. "accept *:873,"
  458. "accept *:902-904,"
  459. "accept *:981,"
  460. "accept *:989-995,"
  461. "accept *:1194,"
  462. "accept *:1220,"
  463. "accept *:1293,"
  464. "accept *:1500,"
  465. "accept *:1533,"
  466. "accept *:1677,"
  467. "accept *:1723,"
  468. "accept *:1755,"
  469. "accept *:1863,"
  470. "accept *:2082,"
  471. "accept *:2083,"
  472. "accept *:2086-2087,"
  473. "accept *:2095-2096,"
  474. "accept *:2102-2104,"
  475. "accept *:3128,"
  476. "accept *:3389,"
  477. "accept *:3690,"
  478. "accept *:4321,"
  479. "accept *:4643,"
  480. "accept *:5050,"
  481. "accept *:5190,"
  482. "accept *:5222-5223,"
  483. "accept *:5228,"
  484. "accept *:5900,"
  485. "accept *:6660-6669,"
  486. "accept *:6679,"
  487. "accept *:6697,"
  488. "accept *:8000,"
  489. "accept *:8008,"
  490. "accept *:8074,"
  491. "accept *:8080,"
  492. "accept *:8087-8088,"
  493. "accept *:8332-8333,"
  494. "accept *:8443,"
  495. "accept *:8888,"
  496. "accept *:9418,"
  497. "accept *:9999,"
  498. "accept *:10000,"
  499. "accept *:11371,"
  500. "accept *:12350,"
  501. "accept *:19294,"
  502. "accept *:19638,"
  503. "accept *:23456,"
  504. "accept *:33033,"
  505. "accept *:64738,"
  506. "reject *:*",
  507. "accept 20-23,43,53,79-81,88,110,143,194,220,389,"
  508. "443,464,531,543-544,554,563,636,706,749,873,"
  509. "902-904,981,989-995,1194,1220,1293,1500,1533,"
  510. "1677,1723,1755,1863,2082-2083,2086-2087,"
  511. "2095-2096,2102-2104,3128,3389,3690,4321,4643,"
  512. "5050,5190,5222-5223,5228,5900,6660-6669,6679,"
  513. "6697,8000,8008,8074,8080,8087-8088,8332-8333,"
  514. "8443,8888,9418,9999-10000,11371,12350,19294,"
  515. "19638,23456,33033,64738");
  516. /* short policy with configured addresses */
  517. test_policy_summary_helper("reject 149.56.1.1:*,"
  518. "reject [2607:5300:1:1::1:0]:*,"
  519. "accept *:80,"
  520. "accept *:443,"
  521. "reject *:*",
  522. "accept 80,443");
  523. /* short policy with configured and local interface addresses */
  524. test_policy_summary_helper("reject 149.56.1.0:*,"
  525. "reject 149.56.1.1:*,"
  526. "reject 149.56.1.2:*,"
  527. "reject 149.56.1.3:*,"
  528. "reject 149.56.1.4:*,"
  529. "reject 149.56.1.5:*,"
  530. "reject 149.56.1.6:*,"
  531. "reject 149.56.1.7:*,"
  532. "reject [2607:5300:1:1::1:0]:*,"
  533. "reject [2607:5300:1:1::1:1]:*,"
  534. "reject [2607:5300:1:1::1:2]:*,"
  535. "reject [2607:5300:1:1::1:3]:*,"
  536. "reject [2607:5300:1:1::2:0]:*,"
  537. "reject [2607:5300:1:1::2:1]:*,"
  538. "reject [2607:5300:1:1::2:2]:*,"
  539. "reject [2607:5300:1:1::2:3]:*,"
  540. "accept *:80,"
  541. "accept *:443,"
  542. "reject *:*",
  543. "accept 80,443");
  544. /* short policy with configured netblocks */
  545. test_policy_summary_helper("reject 149.56.0.0/16,"
  546. "reject6 2607:5300::/32,"
  547. "reject6 2608:5300::/64,"
  548. "reject6 2609:5300::/96,"
  549. "accept *:80,"
  550. "accept *:443,"
  551. "reject *:*",
  552. "accept 80,443");
  553. /* short policy with large netblocks that do not count as a rejection */
  554. test_policy_summary_helper("reject 148.0.0.0/7,"
  555. "reject6 2600::/16,"
  556. "accept *:80,"
  557. "accept *:443,"
  558. "reject *:*",
  559. "accept 80,443");
  560. /* short policy with large netblocks that count as a rejection */
  561. test_policy_summary_helper("reject 148.0.0.0/6,"
  562. "reject6 2600::/15,"
  563. "accept *:80,"
  564. "accept *:443,"
  565. "reject *:*",
  566. "reject 1-65535");
  567. /* short policy with huge netblocks that count as a rejection */
  568. test_policy_summary_helper("reject 128.0.0.0/1,"
  569. "reject6 8000::/1,"
  570. "accept *:80,"
  571. "accept *:443,"
  572. "reject *:*",
  573. "reject 1-65535");
  574. /* short policy which blocks everything using netblocks */
  575. test_policy_summary_helper("reject 0.0.0.0/0,"
  576. "reject6 ::/0,"
  577. "accept *:80,"
  578. "accept *:443,"
  579. "reject *:*",
  580. "reject 1-65535");
  581. /* short policy which has repeated redundant netblocks */
  582. test_policy_summary_helper("reject 0.0.0.0/0,"
  583. "reject 0.0.0.0/0,"
  584. "reject 0.0.0.0/0,"
  585. "reject 0.0.0.0/0,"
  586. "reject 0.0.0.0/0,"
  587. "reject6 ::/0,"
  588. "reject6 ::/0,"
  589. "reject6 ::/0,"
  590. "reject6 ::/0,"
  591. "reject6 ::/0,"
  592. "accept *:80,"
  593. "accept *:443,"
  594. "reject *:*",
  595. "reject 1-65535");
  596. /* longest possible policy
  597. * (1-2,4-5,... is longer, but gets reduced to 3,6,... )
  598. * Going all the way to 65535 is incredibly slow, so we just go slightly
  599. * more than the expected length */
  600. test_policy_summary_helper("accept *:1,"
  601. "accept *:3,"
  602. "accept *:5,"
  603. "accept *:7,"
  604. "accept *:9,"
  605. "accept *:11,"
  606. "accept *:13,"
  607. "accept *:15,"
  608. "accept *:17,"
  609. "accept *:19,"
  610. "accept *:21,"
  611. "accept *:23,"
  612. "accept *:25,"
  613. "accept *:27,"
  614. "accept *:29,"
  615. "accept *:31,"
  616. "accept *:33,"
  617. "accept *:35,"
  618. "accept *:37,"
  619. "accept *:39,"
  620. "accept *:41,"
  621. "accept *:43,"
  622. "accept *:45,"
  623. "accept *:47,"
  624. "accept *:49,"
  625. "accept *:51,"
  626. "accept *:53,"
  627. "accept *:55,"
  628. "accept *:57,"
  629. "accept *:59,"
  630. "accept *:61,"
  631. "accept *:63,"
  632. "accept *:65,"
  633. "accept *:67,"
  634. "accept *:69,"
  635. "accept *:71,"
  636. "accept *:73,"
  637. "accept *:75,"
  638. "accept *:77,"
  639. "accept *:79,"
  640. "accept *:81,"
  641. "accept *:83,"
  642. "accept *:85,"
  643. "accept *:87,"
  644. "accept *:89,"
  645. "accept *:91,"
  646. "accept *:93,"
  647. "accept *:95,"
  648. "accept *:97,"
  649. "accept *:99,"
  650. "accept *:101,"
  651. "accept *:103,"
  652. "accept *:105,"
  653. "accept *:107,"
  654. "accept *:109,"
  655. "accept *:111,"
  656. "accept *:113,"
  657. "accept *:115,"
  658. "accept *:117,"
  659. "accept *:119,"
  660. "accept *:121,"
  661. "accept *:123,"
  662. "accept *:125,"
  663. "accept *:127,"
  664. "accept *:129,"
  665. "accept *:131,"
  666. "accept *:133,"
  667. "accept *:135,"
  668. "accept *:137,"
  669. "accept *:139,"
  670. "accept *:141,"
  671. "accept *:143,"
  672. "accept *:145,"
  673. "accept *:147,"
  674. "accept *:149,"
  675. "accept *:151,"
  676. "accept *:153,"
  677. "accept *:155,"
  678. "accept *:157,"
  679. "accept *:159,"
  680. "accept *:161,"
  681. "accept *:163,"
  682. "accept *:165,"
  683. "accept *:167,"
  684. "accept *:169,"
  685. "accept *:171,"
  686. "accept *:173,"
  687. "accept *:175,"
  688. "accept *:177,"
  689. "accept *:179,"
  690. "accept *:181,"
  691. "accept *:183,"
  692. "accept *:185,"
  693. "accept *:187,"
  694. "accept *:189,"
  695. "accept *:191,"
  696. "accept *:193,"
  697. "accept *:195,"
  698. "accept *:197,"
  699. "accept *:199,"
  700. "accept *:201,"
  701. "accept *:203,"
  702. "accept *:205,"
  703. "accept *:207,"
  704. "accept *:209,"
  705. "accept *:211,"
  706. "accept *:213,"
  707. "accept *:215,"
  708. "accept *:217,"
  709. "accept *:219,"
  710. "accept *:221,"
  711. "accept *:223,"
  712. "accept *:225,"
  713. "accept *:227,"
  714. "accept *:229,"
  715. "accept *:231,"
  716. "accept *:233,"
  717. "accept *:235,"
  718. "accept *:237,"
  719. "accept *:239,"
  720. "accept *:241,"
  721. "accept *:243,"
  722. "accept *:245,"
  723. "accept *:247,"
  724. "accept *:249,"
  725. "accept *:251,"
  726. "accept *:253,"
  727. "accept *:255,"
  728. "accept *:257,"
  729. "accept *:259,"
  730. "accept *:261,"
  731. "accept *:263,"
  732. "accept *:265,"
  733. "accept *:267,"
  734. "accept *:269,"
  735. "accept *:271,"
  736. "accept *:273,"
  737. "accept *:275,"
  738. "accept *:277,"
  739. "accept *:279,"
  740. "accept *:281,"
  741. "accept *:283,"
  742. "accept *:285,"
  743. "accept *:287,"
  744. "accept *:289,"
  745. "accept *:291,"
  746. "accept *:293,"
  747. "accept *:295,"
  748. "accept *:297,"
  749. "accept *:299,"
  750. "accept *:301,"
  751. "accept *:303,"
  752. "accept *:305,"
  753. "accept *:307,"
  754. "accept *:309,"
  755. "accept *:311,"
  756. "accept *:313,"
  757. "accept *:315,"
  758. "accept *:317,"
  759. "accept *:319,"
  760. "accept *:321,"
  761. "accept *:323,"
  762. "accept *:325,"
  763. "accept *:327,"
  764. "accept *:329,"
  765. "accept *:331,"
  766. "accept *:333,"
  767. "accept *:335,"
  768. "accept *:337,"
  769. "accept *:339,"
  770. "accept *:341,"
  771. "accept *:343,"
  772. "accept *:345,"
  773. "accept *:347,"
  774. "accept *:349,"
  775. "accept *:351,"
  776. "accept *:353,"
  777. "accept *:355,"
  778. "accept *:357,"
  779. "accept *:359,"
  780. "accept *:361,"
  781. "accept *:363,"
  782. "accept *:365,"
  783. "accept *:367,"
  784. "accept *:369,"
  785. "accept *:371,"
  786. "accept *:373,"
  787. "accept *:375,"
  788. "accept *:377,"
  789. "accept *:379,"
  790. "accept *:381,"
  791. "accept *:383,"
  792. "accept *:385,"
  793. "accept *:387,"
  794. "accept *:389,"
  795. "accept *:391,"
  796. "accept *:393,"
  797. "accept *:395,"
  798. "accept *:397,"
  799. "accept *:399,"
  800. "accept *:401,"
  801. "accept *:403,"
  802. "accept *:405,"
  803. "accept *:407,"
  804. "accept *:409,"
  805. "accept *:411,"
  806. "accept *:413,"
  807. "accept *:415,"
  808. "accept *:417,"
  809. "accept *:419,"
  810. "accept *:421,"
  811. "accept *:423,"
  812. "accept *:425,"
  813. "accept *:427,"
  814. "accept *:429,"
  815. "accept *:431,"
  816. "accept *:433,"
  817. "accept *:435,"
  818. "accept *:437,"
  819. "accept *:439,"
  820. "accept *:441,"
  821. "accept *:443,"
  822. "accept *:445,"
  823. "accept *:447,"
  824. "accept *:449,"
  825. "accept *:451,"
  826. "accept *:453,"
  827. "accept *:455,"
  828. "accept *:457,"
  829. "accept *:459,"
  830. "accept *:461,"
  831. "accept *:463,"
  832. "accept *:465,"
  833. "accept *:467,"
  834. "accept *:469,"
  835. "accept *:471,"
  836. "accept *:473,"
  837. "accept *:475,"
  838. "accept *:477,"
  839. "accept *:479,"
  840. "accept *:481,"
  841. "accept *:483,"
  842. "accept *:485,"
  843. "accept *:487,"
  844. "accept *:489,"
  845. "accept *:491,"
  846. "accept *:493,"
  847. "accept *:495,"
  848. "accept *:497,"
  849. "accept *:499,"
  850. "accept *:501,"
  851. "accept *:503,"
  852. "accept *:505,"
  853. "accept *:507,"
  854. "accept *:509,"
  855. "accept *:511,"
  856. "accept *:513,"
  857. "accept *:515,"
  858. "accept *:517,"
  859. "accept *:519,"
  860. "accept *:521,"
  861. "accept *:523,"
  862. "accept *:525,"
  863. "accept *:527,"
  864. "accept *:529,"
  865. "reject *:*",
  866. "accept 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,"
  867. "31,33,35,37,39,41,43,45,47,49,51,53,55,57,59,61,"
  868. "63,65,67,69,71,73,75,77,79,81,83,85,87,89,91,93,"
  869. "95,97,99,101,103,105,107,109,111,113,115,117,"
  870. "119,121,123,125,127,129,131,133,135,137,139,141,"
  871. "143,145,147,149,151,153,155,157,159,161,163,165,"
  872. "167,169,171,173,175,177,179,181,183,185,187,189,"
  873. "191,193,195,197,199,201,203,205,207,209,211,213,"
  874. "215,217,219,221,223,225,227,229,231,233,235,237,"
  875. "239,241,243,245,247,249,251,253,255,257,259,261,"
  876. "263,265,267,269,271,273,275,277,279,281,283,285,"
  877. "287,289,291,293,295,297,299,301,303,305,307,309,"
  878. "311,313,315,317,319,321,323,325,327,329,331,333,"
  879. "335,337,339,341,343,345,347,349,351,353,355,357,"
  880. "359,361,363,365,367,369,371,373,375,377,379,381,"
  881. "383,385,387,389,391,393,395,397,399,401,403,405,"
  882. "407,409,411,413,415,417,419,421,423,425,427,429,"
  883. "431,433,435,437,439,441,443,445,447,449,451,453,"
  884. "455,457,459,461,463,465,467,469,471,473,475,477,"
  885. "479,481,483,485,487,489,491,493,495,497,499,501,"
  886. "503,505,507,509,511,513,515,517,519,521,523");
  887. /* Short policies with unrecognized formats should get accepted. */
  888. test_short_policy_parse("accept fred,2,3-5", "accept 2,3-5");
  889. test_short_policy_parse("accept 2,fred,3", "accept 2,3");
  890. test_short_policy_parse("accept 2,fred,3,bob", "accept 2,3");
  891. test_short_policy_parse("accept 2,-3,500-600", "accept 2,500-600");
  892. /* Short policies with nil entries are accepted too. */
  893. test_short_policy_parse("accept 1,,3", "accept 1,3");
  894. test_short_policy_parse("accept 100-200,,", "accept 100-200");
  895. test_short_policy_parse("reject ,1-10,,,,30-40", "reject 1-10,30-40");
  896. /* Try parsing various broken short policies */
  897. #define TT_BAD_SHORT_POLICY(s) \
  898. do { \
  899. tt_ptr_op(NULL, OP_EQ, (short_parsed = parse_short_policy((s)))); \
  900. } while (0)
  901. TT_BAD_SHORT_POLICY("accept 200-199");
  902. TT_BAD_SHORT_POLICY("");
  903. TT_BAD_SHORT_POLICY("rejekt 1,2,3");
  904. TT_BAD_SHORT_POLICY("reject ");
  905. TT_BAD_SHORT_POLICY("reject");
  906. TT_BAD_SHORT_POLICY("rej");
  907. TT_BAD_SHORT_POLICY("accept 2,3,100000");
  908. TT_BAD_SHORT_POLICY("accept 2,3x,4");
  909. TT_BAD_SHORT_POLICY("accept 2,3x,4");
  910. TT_BAD_SHORT_POLICY("accept 2-");
  911. TT_BAD_SHORT_POLICY("accept 2-x");
  912. TT_BAD_SHORT_POLICY("accept 1-,3");
  913. TT_BAD_SHORT_POLICY("accept 1-,3");
  914. /* Make sure that IPv4 addresses are ignored in accept6/reject6 lines. */
  915. p = router_parse_addr_policy_item_from_string("accept6 1.2.3.4:*", -1,
  916. &malformed_list);
  917. tt_ptr_op(p, OP_EQ, NULL);
  918. tt_assert(!malformed_list);
  919. p = router_parse_addr_policy_item_from_string("reject6 2.4.6.0/24:*", -1,
  920. &malformed_list);
  921. tt_ptr_op(p, OP_EQ, NULL);
  922. tt_assert(!malformed_list);
  923. p = router_parse_addr_policy_item_from_string("accept6 *4:*", -1,
  924. &malformed_list);
  925. tt_ptr_op(p, OP_EQ, NULL);
  926. tt_assert(!malformed_list);
  927. /* Make sure malformed policies are detected as such. */
  928. p = router_parse_addr_policy_item_from_string("bad_token *4:*", -1,
  929. &malformed_list);
  930. tt_ptr_op(p, OP_EQ, NULL);
  931. tt_assert(malformed_list);
  932. p = router_parse_addr_policy_item_from_string("accept6 **:*", -1,
  933. &malformed_list);
  934. tt_ptr_op(p, OP_EQ, NULL);
  935. tt_assert(malformed_list);
  936. p = router_parse_addr_policy_item_from_string("accept */15:*", -1,
  937. &malformed_list);
  938. tt_ptr_op(p, OP_EQ, NULL);
  939. tt_assert(malformed_list);
  940. p = router_parse_addr_policy_item_from_string("reject6 */:*", -1,
  941. &malformed_list);
  942. tt_ptr_op(p, OP_EQ, NULL);
  943. tt_assert(malformed_list);
  944. p = router_parse_addr_policy_item_from_string("accept 127.0.0.1/33:*", -1,
  945. &malformed_list);
  946. tt_ptr_op(p, OP_EQ, NULL);
  947. tt_assert(malformed_list);
  948. p = router_parse_addr_policy_item_from_string("accept6 [::1]/129:*", -1,
  949. &malformed_list);
  950. tt_ptr_op(p, OP_EQ, NULL);
  951. tt_assert(malformed_list);
  952. p = router_parse_addr_policy_item_from_string("reject 8.8.8.8/-1:*", -1,
  953. &malformed_list);
  954. tt_ptr_op(p, OP_EQ, NULL);
  955. tt_assert(malformed_list);
  956. p = router_parse_addr_policy_item_from_string("reject 8.8.4.4:10-5", -1,
  957. &malformed_list);
  958. tt_ptr_op(p, OP_EQ, NULL);
  959. tt_assert(malformed_list);
  960. p = router_parse_addr_policy_item_from_string("reject 1.2.3.4:-1", -1,
  961. &malformed_list);
  962. tt_ptr_op(p, OP_EQ, NULL);
  963. tt_assert(malformed_list);
  964. /* Test a too-long policy. */
  965. {
  966. char *policy_strng = NULL;
  967. smartlist_t *chunks = smartlist_new();
  968. smartlist_add_strdup(chunks, "accept ");
  969. for (i=1; i<10000; ++i)
  970. smartlist_add_asprintf(chunks, "%d,", i);
  971. smartlist_add_strdup(chunks, "20000");
  972. policy_strng = smartlist_join_strings(chunks, "", 0, NULL);
  973. SMARTLIST_FOREACH(chunks, char *, ch, tor_free(ch));
  974. smartlist_free(chunks);
  975. short_parsed = parse_short_policy(policy_strng);/* shouldn't be accepted */
  976. tor_free(policy_strng);
  977. tt_ptr_op(NULL, OP_EQ, short_parsed);
  978. }
  979. /* truncation ports */
  980. sm = smartlist_new();
  981. for (i=1; i<2000; i+=2) {
  982. char buf[POLICY_BUF_LEN];
  983. tor_snprintf(buf, sizeof(buf), "reject *:%d", i);
  984. smartlist_add_strdup(sm, buf);
  985. }
  986. smartlist_add_strdup(sm, "accept *:*");
  987. policy_str = smartlist_join_strings(sm, ",", 0, NULL);
  988. test_policy_summary_helper( policy_str,
  989. "accept 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,"
  990. "46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78,80,82,84,86,88,90,"
  991. "92,94,96,98,100,102,104,106,108,110,112,114,116,118,120,122,124,126,128,"
  992. "130,132,134,136,138,140,142,144,146,148,150,152,154,156,158,160,162,164,"
  993. "166,168,170,172,174,176,178,180,182,184,186,188,190,192,194,196,198,200,"
  994. "202,204,206,208,210,212,214,216,218,220,222,224,226,228,230,232,234,236,"
  995. "238,240,242,244,246,248,250,252,254,256,258,260,262,264,266,268,270,272,"
  996. "274,276,278,280,282,284,286,288,290,292,294,296,298,300,302,304,306,308,"
  997. "310,312,314,316,318,320,322,324,326,328,330,332,334,336,338,340,342,344,"
  998. "346,348,350,352,354,356,358,360,362,364,366,368,370,372,374,376,378,380,"
  999. "382,384,386,388,390,392,394,396,398,400,402,404,406,408,410,412,414,416,"
  1000. "418,420,422,424,426,428,430,432,434,436,438,440,442,444,446,448,450,452,"
  1001. "454,456,458,460,462,464,466,468,470,472,474,476,478,480,482,484,486,488,"
  1002. "490,492,494,496,498,500,502,504,506,508,510,512,514,516,518,520,522");
  1003. done:
  1004. addr_policy_list_free(policy);
  1005. addr_policy_list_free(policy2);
  1006. addr_policy_list_free(policy3);
  1007. addr_policy_list_free(policy4);
  1008. addr_policy_list_free(policy5);
  1009. addr_policy_list_free(policy6);
  1010. addr_policy_list_free(policy7);
  1011. addr_policy_list_free(policy8);
  1012. addr_policy_list_free(policy9);
  1013. addr_policy_list_free(policy10);
  1014. addr_policy_list_free(policy11);
  1015. addr_policy_list_free(policy12);
  1016. tor_free(policy_str);
  1017. if (sm) {
  1018. SMARTLIST_FOREACH(sm, char *, s, tor_free(s));
  1019. smartlist_free(sm);
  1020. }
  1021. short_policy_free(short_parsed);
  1022. }
  /** Helper: report whether any entry of <b>policy_list</b> has an address
   * equal to <b>addr</b>.
   *
   * Returns 1 when at least one entry matches and 0 otherwise. A NULL
   * argument fails the enclosing test through tt_assert() and also yields 0.
   *
   * Only the entry's addr field is compared. Nothing else about the entry is
   * inspected, so a match does not by itself show that the entry is a reject
   * rule; callers that need that guarantee must check it separately. */
  static int
  test_policy_has_address_helper(const smartlist_t *policy_list,
                                 const tor_addr_t *addr)
  {
    int matched = 0;

    tt_assert(policy_list);
    tt_assert(addr);

    /* Scan the whole list; there is deliberately no early exit. */
    SMARTLIST_FOREACH_BEGIN(policy_list, addr_policy_t *, entry) {
      if (tor_addr_eq(&entry->addr, addr))
        matched = 1;
    } SMARTLIST_FOREACH_END(entry);

    return matched;

   done:
    /* Reached only when one of the tt_assert() checks above failed. */
    return 0;
  }
  /* Sample addresses for the reject-private tests that follow (fixed test
   * values). */
  #define TEST_IPV4_ADDR (0x01020304)
  #define TEST_IPV6_ADDR ("2002::abcd")

  /** Unit test: policies_parse_exit_policy_reject_private() applied to an
   * explicit list of this exit relay's configured addresses.
   *
   * Per the case comments, the second argument selects an IPv4-only exit (0)
   * or an IPv4/IPv6 exit (1); the third is the list of configured addresses.
   * The last two arguments stay 0 throughout this test.
   *
   * Every case checks the number of generated entries and that the expected
   * address is present. Lists with repeated addresses must yield the same
   * count as lists without repeats. */
  static void
  test_policies_reject_exit_address(void *arg)
  {
    smartlist_t *rejects = NULL;
    tor_addr_t ipv4_addr, ipv6_addr;
    /* The lists hold pointers to the stack addresses above, so only the list
     * containers are freed at the end, never the elements. */
    smartlist_t *ipv4_list = smartlist_new();
    smartlist_t *ipv6_list = smartlist_new();
    smartlist_t *both_list = smartlist_new();
    smartlist_t *dupl_list = smartlist_new();

    (void)arg;

    tor_addr_from_ipv4h(&ipv4_addr, TEST_IPV4_ADDR);
    tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR);

    /* One address family per list. */
    smartlist_add(ipv4_list, &ipv4_addr);
    smartlist_add(ipv6_list, &ipv6_addr);

    /* Both families, each exactly once. */
    smartlist_add(both_list, &ipv4_addr);
    smartlist_add(both_list, &ipv6_addr);

    /* Both families with repeats: IPv4 three times, then IPv6 twice. */
    smartlist_add(dupl_list, &ipv4_addr);
    smartlist_add(dupl_list, &ipv4_addr);
    smartlist_add(dupl_list, &ipv4_addr);
    smartlist_add(dupl_list, &ipv6_addr);
    smartlist_add(dupl_list, &ipv6_addr);

    /* ---- IPv4-only exits ---- */

    /* An IPv4 address is rejected on an IPv4-only exit. */
    policies_parse_exit_policy_reject_private(&rejects, 0, ipv4_list, 0, 0);
    tt_assert(rejects);
    tt_int_op(smartlist_len(rejects), OP_EQ, 1);
    tt_assert(test_policy_has_address_helper(rejects, &ipv4_addr));
    addr_policy_list_free(rejects);
    rejects = NULL;

    /* An IPv6 address produces no entry on an IPv4-only exit: all IPv6
     * addresses are rejected by policies_parse_exit_policy_internal on
     * IPv4-only exits, so policies_parse_exit_policy_reject_private has
     * nothing to add. */
    policies_parse_exit_policy_reject_private(&rejects, 0, ipv6_list, 0, 0);
    tt_ptr_op(rejects, OP_EQ, NULL);

    /* With both families supplied, only the IPv4 address is rejected. */
    policies_parse_exit_policy_reject_private(&rejects, 0, both_list, 0, 0);
    tt_assert(rejects);
    tt_int_op(smartlist_len(rejects), OP_EQ, 1);
    tt_assert(test_policy_has_address_helper(rejects, &ipv4_addr));
    addr_policy_list_free(rejects);
    rejects = NULL;

    /* Repeated entries in the input give the same result. */
    policies_parse_exit_policy_reject_private(&rejects, 0, dupl_list, 0, 0);
    tt_assert(rejects);
    tt_int_op(smartlist_len(rejects), OP_EQ, 1);
    tt_assert(test_policy_has_address_helper(rejects, &ipv4_addr));
    addr_policy_list_free(rejects);
    rejects = NULL;

    /* ---- IPv4/IPv6 exits ---- */

    /* An IPv4 address is rejected on an IPv4/IPv6 exit. */
    policies_parse_exit_policy_reject_private(&rejects, 1, ipv4_list, 0, 0);
    tt_assert(rejects);
    tt_int_op(smartlist_len(rejects), OP_EQ, 1);
    tt_assert(test_policy_has_address_helper(rejects, &ipv4_addr));
    addr_policy_list_free(rejects);
    rejects = NULL;

    /* An IPv6 address is rejected on an IPv4/IPv6 exit. */
    policies_parse_exit_policy_reject_private(&rejects, 1, ipv6_list, 0, 0);
    tt_assert(rejects);
    tt_int_op(smartlist_len(rejects), OP_EQ, 1);
    tt_assert(test_policy_has_address_helper(rejects, &ipv6_addr));
    addr_policy_list_free(rejects);
    rejects = NULL;

    /* Both addresses are rejected when both are supplied. */
    policies_parse_exit_policy_reject_private(&rejects, 1, both_list, 0, 0);
    tt_assert(rejects);
    tt_int_op(smartlist_len(rejects), OP_EQ, 2);
    tt_assert(test_policy_has_address_helper(rejects, &ipv4_addr));
    tt_assert(test_policy_has_address_helper(rejects, &ipv6_addr));
    addr_policy_list_free(rejects);
    rejects = NULL;

    /* Repeated entries in the input give the same result. */
    policies_parse_exit_policy_reject_private(&rejects, 1, dupl_list, 0, 0);
    tt_assert(rejects);
    tt_int_op(smartlist_len(rejects), OP_EQ, 2);
    tt_assert(test_policy_has_address_helper(rejects, &ipv4_addr));
    tt_assert(test_policy_has_address_helper(rejects, &ipv6_addr));
    addr_policy_list_free(rejects);
    rejects = NULL;

   done:
    /* A failed check jumps here with the current result still allocated. */
    addr_policy_list_free(rejects);
    smartlist_free(ipv4_list);
    smartlist_free(ipv6_list);
    smartlist_free(both_list);
    smartlist_free(dupl_list);
  }
  /* Port list served by mock_get_configured_ports(). The test that installs
   * the mock fills this list and frees it again. */
  static smartlist_t *test_configured_ports = NULL;

  /** Mock for get_configured_ports(): hand back test_configured_ports as it
   * currently stands. The list is not copied, and the result is NULL while no
   * test has populated it. */
  static const smartlist_t *
  mock_get_configured_ports(void)
  {
    const smartlist_t *ports = test_configured_ports;
    return ports;
  }
  /** Unit test: policies_parse_exit_policy_reject_private() applied to the
   * addresses of this exit relay's configured ports.
   *
   * get_configured_ports() is mocked to return one IPv4 and one IPv6 port.
   * The explicit address list is NULL and the last argument is 1 in every
   * call, so any generated entry can only come from the mocked port list.
   * Each case checks the entry count and that the expected port address is
   * present. */
  static void
  test_policies_reject_port_address(void *arg)
  {
    smartlist_t *rejects = NULL;
    port_cfg_t *ipv4_port = NULL;
    port_cfg_t *ipv6_port = NULL;

    (void)arg;

    /* Build the port list first, then install the mock that serves it. */
    test_configured_ports = smartlist_new();

    ipv4_port = port_cfg_new(0);
    tor_addr_from_ipv4h(&ipv4_port->addr, TEST_IPV4_ADDR);
    smartlist_add(test_configured_ports, ipv4_port);

    ipv6_port = port_cfg_new(0);
    tor_addr_parse(&ipv6_port->addr, TEST_IPV6_ADDR);
    smartlist_add(test_configured_ports, ipv6_port);

    MOCK(get_configured_ports, mock_get_configured_ports);

    /* IPv4-only exit: the IPv4 port is rejected and the IPv6 port is not.
     * All IPv6 addresses are rejected by policies_parse_exit_policy_internal
     * on IPv4-only exits, so policies_parse_exit_policy_reject_private does
     * not need to do anything with IPv6 addresses there. */
    policies_parse_exit_policy_reject_private(&rejects, 0, NULL, 0, 1);
    tt_assert(rejects);
    tt_int_op(smartlist_len(rejects), OP_EQ, 1);
    tt_assert(test_policy_has_address_helper(rejects, &ipv4_port->addr));
    addr_policy_list_free(rejects);
    rejects = NULL;

    /* IPv4/IPv6 exit: both port addresses are rejected. */
    policies_parse_exit_policy_reject_private(&rejects, 1, NULL, 0, 1);
    tt_assert(rejects);
    tt_int_op(smartlist_len(rejects), OP_EQ, 2);
    tt_assert(test_policy_has_address_helper(rejects, &ipv4_port->addr));
    tt_assert(test_policy_has_address_helper(rejects, &ipv6_port->addr));
    addr_policy_list_free(rejects);
    rejects = NULL;

   done:
    addr_policy_list_free(rejects);
    if (test_configured_ports) {
      /* The list owns its port_cfg_t elements, so free them with it. */
      SMARTLIST_FOREACH(test_configured_ports,
                        port_cfg_t *, cfg, port_cfg_free(cfg));
      smartlist_free(test_configured_ports);
      /* Reset the global so later tests never see a stale pointer. */
      test_configured_ports = NULL;
    }
    UNMOCK(get_configured_ports);
  }
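  /* Template address lists served by mock_get_interface_address6_list().
   * The test that installs the mock creates and frees these lists; the mock
   * only reads them. */
  static smartlist_t *mock_ipv4_addrs = NULL;
  static smartlist_t *mock_ipv6_addrs = NULL;

  /** Mock for get_interface_address6_list(): return a newly allocated deep
   * copy of the template list for <b>family</b> (mock_ipv4_addrs for AF_INET,
   * mock_ipv6_addrs for AF_INET6).
   *
   * <b>severity</b> and <b>include_internal</b> are ignored. Returns NULL for
   * any other family. If the selected template list has not been set up, the
   * enclosing test is failed through tt_assert() and NULL is returned.
   *
   * The caller owns the returned list and its elements; the done: path below
   * frees them with interface_address6_list_free(). */
  static smartlist_t *
  mock_get_interface_address6_list(int severity,
                                   sa_family_t family,
                                   int include_internal)
  {
    smartlist_t *clone_list = NULL;
    smartlist_t *template_list = NULL;

    (void)severity;
    (void)include_internal;

    /* Pick the template before allocating anything. The earlier version
     * allocated clone_list first and leaked it on the unsupported-family
     * return. */
    if (family == AF_INET) {
      template_list = mock_ipv4_addrs;
    } else if (family == AF_INET6) {
      template_list = mock_ipv6_addrs;
    } else {
      return NULL;
    }

    tt_assert(template_list);

    clone_list = smartlist_new();
    SMARTLIST_FOREACH_BEGIN(template_list, tor_addr_t *, src_addr) {
      /* Zeroed allocation, so bytes the tight copy leaves untouched are
       * still well defined. */
      tor_addr_t *dest_addr = tor_malloc_zero(sizeof(*dest_addr));
      tor_addr_copy_tight(dest_addr, src_addr);
      smartlist_add(clone_list, dest_addr);
    } SMARTLIST_FOREACH_END(src_addr);

    return clone_list;

   done:
    /* Reached only from the tt_assert() above, before clone_list exists.
     * The guard keeps this path correct if a later check is added after the
     * allocation. */
    if (clone_list)
      interface_address6_list_free(clone_list);
    return NULL;
  }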
  /** Unit test: policies_parse_exit_policy_reject_private() applied to this
   * exit relay's interface addresses (fourth argument set to 1).
   *
   * The test runs in two passes. The first uses the real
   * get_interface_address6_list(), so the result depends on the host running
   * the tests and only an upper bound on the entry count is checked. The
   * second installs mock_get_interface_address6_list() with one IPv4 and one
   * IPv6 address and checks exact entry counts. */
  static void
  test_policies_reject_interface_address(void *arg)
  {
    smartlist_t *rejects = NULL;
    /* Queried before the mock is installed: whatever the test host reports. */
    smartlist_t *host_ipv4_addrs =
      get_interface_address6_list(LOG_INFO, AF_INET, 0);
    smartlist_t *host_ipv6_addrs =
      get_interface_address6_list(LOG_INFO, AF_INET6, 0);
    tor_addr_t ipv4_addr, ipv6_addr;

    (void)arg;

    /* ---- Pass 1: real interface list ---- */

    /* Nothing supplied and nothing requested: nothing is rejected. */
    policies_parse_exit_policy_reject_private(&rejects, 0, NULL, 0, 0);
    tt_ptr_op(rejects, OP_EQ, NULL);

    /* IPv4-only exit: only IPv4 interface addresses may be rejected. The
     * bound is "<=" to allow for duplicates in the interface list. */
    policies_parse_exit_policy_reject_private(&rejects, 0, NULL, 1, 0);
    if (rejects) {
      tt_assert(smartlist_len(rejects) <= smartlist_len(host_ipv4_addrs));
      addr_policy_list_free(rejects);
      rejects = NULL;
    }

    /* IPv4/IPv6 exit: IPv4 and IPv6 interface addresses may be rejected
     * (again allowing for duplicates). */
    policies_parse_exit_policy_reject_private(&rejects, 1, NULL, 1, 0);
    if (rejects) {
      tt_assert(smartlist_len(rejects) <= (smartlist_len(host_ipv4_addrs)
                                           + smartlist_len(host_ipv6_addrs)));
      addr_policy_list_free(rejects);
      rejects = NULL;
    }

    /* ---- Pass 2: same checks against a mocked interface list ---- */

    tor_addr_from_ipv4h(&ipv4_addr, TEST_IPV4_ADDR);
    mock_ipv4_addrs = smartlist_new();
    smartlist_add(mock_ipv4_addrs, (void *)&ipv4_addr);

    tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR);
    mock_ipv6_addrs = smartlist_new();
    smartlist_add(mock_ipv6_addrs, (void *)&ipv6_addr);

    MOCK(get_interface_address6_list, mock_get_interface_address6_list);

    /* Nothing supplied and nothing requested: nothing is rejected. */
    policies_parse_exit_policy_reject_private(&rejects, 0, NULL, 0, 0);
    tt_ptr_op(rejects, OP_EQ, NULL);

    /* IPv4-only exit: exactly the mocked IPv4 interface addresses. */
    policies_parse_exit_policy_reject_private(&rejects, 0, NULL, 1, 0);
    tt_assert(rejects);
    tt_assert(smartlist_len(rejects) == smartlist_len(mock_ipv4_addrs));
    addr_policy_list_free(rejects);
    rejects = NULL;

    /* IPv4/IPv6 exit: the mocked IPv4 and IPv6 interface addresses. */
    policies_parse_exit_policy_reject_private(&rejects, 1, NULL, 1, 0);
    tt_assert(rejects);
    tt_assert(smartlist_len(rejects) == (smartlist_len(mock_ipv4_addrs)
                                         + smartlist_len(mock_ipv6_addrs)));
    addr_policy_list_free(rejects);
    rejects = NULL;

   done:
    addr_policy_list_free(rejects);
    interface_address6_list_free(host_ipv4_addrs);
    interface_address6_list_free(host_ipv6_addrs);

    UNMOCK(get_interface_address6_list);
    /* interface_address6_list_free is not used on the mock lists because
     * their address pointers refer to stack variables; free only the list
     * containers. */
    smartlist_free(mock_ipv4_addrs);
    smartlist_free(mock_ipv6_addrs);
  }

  #undef TEST_IPV4_ADDR
  #undef TEST_IPV6_ADDR
  /** Unit test: router_dump_exit_policy_to_string() on a routerinfo whose
   * exit policy grows one entry at a time.
   *
   * The first check covers a reject-star routerinfo with no policy list,
   * which must dump as "reject *:*". After that, each step appends one parsed
   * policy item and compares the full dump with the expected text. Entries
   * are separated by a newline and appear in insertion order. The IPv6
   * address is given in upper case and expected back in lower case. */
  static void
  test_dump_exit_policy_to_string(void *arg)
  {
    /* One row per appended policy item, with the dump expected afterwards. */
    static const struct {
      const char *item;
      const char *expected;
    } steps[] = {
      { "accept *:*",
        "accept *:*" },
      { "reject *:25",
        "accept *:*\nreject *:25" },
      { "reject 8.8.8.8:*",
        "accept *:*\nreject *:25\nreject 8.8.8.8:*" },
      { "reject6 [FC00::]/7:*",
        "accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
        "reject6 [fc00::]/7:*" },
      { "accept6 [c000::]/3:*",
        "accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
        "reject6 [fc00::]/7:*\naccept6 [c000::]/3:*" },
    };
    const size_t n_steps = sizeof(steps) / sizeof(steps[0]);
    size_t idx;
    char *ep = NULL;
    addr_policy_t *policy_entry;
    int malformed_list = -1;
    routerinfo_t *ri = tor_malloc_zero(sizeof(routerinfo_t));

    (void)arg;

    /* No policy list, reject-star flag set: expecting "reject *:*". */
    ri->policy_is_reject_star = 1;
    ri->exit_policy = NULL;
    ep = router_dump_exit_policy_to_string(ri,1,1);
    tt_str_op("reject *:*",OP_EQ, ep);
    tor_free(ep);

    ri->exit_policy = smartlist_new();
    ri->policy_is_reject_star = 0;

    for (idx = 0; idx < n_steps; ++idx) {
      /* tor_free() runs after the comparison, so a failed check leaves the
       * dump for the done: path to release. */
      policy_entry =
        router_parse_addr_policy_item_from_string(steps[idx].item, -1,
                                                  &malformed_list);
      smartlist_add(ri->exit_policy,policy_entry);
      ep = router_dump_exit_policy_to_string(ri,1,1);
      tt_str_op(steps[idx].expected,OP_EQ, ep);
      tor_free(ep);
    }

   done:
    if (ri->exit_policy) {
      /* The routerinfo's list owns the parsed entries. */
      SMARTLIST_FOREACH(ri->exit_policy, addr_policy_t *,
                        entry, addr_policy_free(entry));
      smartlist_free(ri->exit_policy);
    }
    tor_free(ri);
    tor_free(ep);
  }
  /* State behind mock_router_get_my_routerinfo_with_err(): the routerinfo to
   * hand out, and the error code to report instead when it is nonzero. */
  static routerinfo_t *mock_desc_routerinfo = NULL;
  static int routerinfo_err;

  /** Mock for router_get_my_routerinfo_with_err().
   *
   * When routerinfo_err is nonzero, return NULL and store that code in
   * *<b>err</b>. Otherwise return mock_desc_routerinfo and store 0.
   * <b>err</b> may be NULL, in which case nothing is stored. */
  static const routerinfo_t *
  mock_router_get_my_routerinfo_with_err(int *err)
  {
    const int failing = (routerinfo_err != 0);

    if (err)
      *err = failing ? routerinfo_err : 0;

    return failing ? NULL : mock_desc_routerinfo;
  }
  /* Constants for the getinfo_helper_policies test below: the policy text
   * that test compares against, and sample relay addresses (fixed test
   * values). */
  #define DEFAULT_POLICY_STRING "reject *:*"
  #define TEST_IPV4_ADDR (0x02040608)
  #define TEST_IPV6_ADDR ("2003::ef01")

  /* Options object handed out by mock_get_options(). The test that installs
   * the mock fills this in. */
  static or_options_t mock_options;

  /** Mock for get_options(): always return the address of mock_options. */
  static const or_options_t *
  mock_get_options(void)
  {
    const or_options_t *opts = &mock_options;
    return opts;
  }
  1369. /** Run unit tests for generating summary lines of exit policies */
  1370. static void
  1371. test_policies_getinfo_helper_policies(void *arg)
  1372. {
  1373. (void)arg;
  1374. int rv = 0;
  1375. size_t ipv4_len = 0, ipv6_len = 0;
  1376. char *answer = NULL;
  1377. const char *errmsg = NULL;
  1378. routerinfo_t mock_my_routerinfo;
  1379. memset(&mock_my_routerinfo, 0, sizeof(mock_my_routerinfo));
  1380. rv = getinfo_helper_policies(NULL, "exit-policy/default", &answer, &errmsg);
  1381. tt_int_op(rv, OP_EQ, 0);
  1382. tt_ptr_op(answer, OP_NE, NULL);
  1383. tt_assert(strlen(answer) > 0);
  1384. tor_free(answer);
  1385. rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/default",
  1386. &answer, &errmsg);
  1387. tt_int_op(rv, OP_EQ, 0);
  1388. tt_ptr_op(answer, OP_NE, NULL);
  1389. tt_assert(strlen(answer) > 0);
  1390. tor_free(answer);
  1391. memset(&mock_my_routerinfo, 0, sizeof(routerinfo_t));
  1392. MOCK(router_get_my_routerinfo_with_err,
  1393. mock_router_get_my_routerinfo_with_err);
  1394. mock_my_routerinfo.exit_policy = smartlist_new();
  1395. mock_desc_routerinfo = &mock_my_routerinfo;
  1396. memset(&mock_options, 0, sizeof(or_options_t));
  1397. MOCK(get_options, mock_get_options);
  1398. rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
  1399. &answer, &errmsg);
  1400. tt_int_op(rv, OP_EQ, 0);
  1401. tt_ptr_op(answer, OP_NE, NULL);
  1402. tt_assert(strlen(answer) == 0);
  1403. tor_free(answer);
  1404. rv = getinfo_helper_policies(NULL, "exit-policy/ipv4", &answer,
  1405. &errmsg);
  1406. tt_int_op(rv, OP_EQ, 0);
  1407. tt_ptr_op(answer, OP_NE, NULL);
  1408. ipv4_len = strlen(answer);
  1409. tt_assert(ipv4_len == 0 || ipv4_len == strlen(DEFAULT_POLICY_STRING));
  1410. tt_assert(ipv4_len == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
  1411. tor_free(answer);
  1412. rv = getinfo_helper_policies(NULL, "exit-policy/ipv6", &answer,
  1413. &errmsg);
  1414. tt_int_op(rv, OP_EQ, 0);
  1415. tt_ptr_op(answer, OP_NE, NULL);
  1416. ipv6_len = strlen(answer);
  1417. tt_assert(ipv6_len == 0 || ipv6_len == strlen(DEFAULT_POLICY_STRING));
  1418. tt_assert(ipv6_len == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
  1419. tor_free(answer);
  1420. rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
  1421. &errmsg);
  1422. tt_int_op(rv, OP_EQ, 0);
  1423. tt_ptr_op(answer, OP_NE, NULL);
  1424. /* It's either empty or it's the default */
  1425. tt_assert(strlen(answer) == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
  1426. tor_free(answer);
  1427. mock_my_routerinfo.addr = TEST_IPV4_ADDR;
  1428. tor_addr_parse(&mock_my_routerinfo.ipv6_addr, TEST_IPV6_ADDR);
  1429. append_exit_policy_string(&mock_my_routerinfo.exit_policy, "accept *4:*");
  1430. append_exit_policy_string(&mock_my_routerinfo.exit_policy, "reject *6:*");
  1431. mock_options.IPv6Exit = 1;
  1432. tor_addr_from_ipv4h(
  1433. &mock_options.OutboundBindAddresses[OUTBOUND_ADDR_EXIT][0],
  1434. TEST_IPV4_ADDR);
  1435. tor_addr_parse(
  1436. &mock_options.OutboundBindAddresses[OUTBOUND_ADDR_EXIT][1],
  1437. TEST_IPV6_ADDR);
  1438. mock_options.ExitPolicyRejectPrivate = 1;
  1439. mock_options.ExitPolicyRejectLocalInterfaces = 1;
  1440. rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
  1441. &answer, &errmsg);
  1442. tt_int_op(rv, OP_EQ, 0);
  1443. tt_ptr_op(answer, OP_NE, NULL);
  1444. tt_assert(strlen(answer) > 0);
  1445. tor_free(answer);
  1446. mock_options.ExitPolicyRejectPrivate = 1;
  1447. mock_options.ExitPolicyRejectLocalInterfaces = 0;
  1448. rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
  1449. &answer, &errmsg);
  1450. tt_int_op(rv, OP_EQ, 0);
  1451. tt_ptr_op(answer, OP_NE, NULL);
  1452. tt_assert(strlen(answer) > 0);
  1453. tor_free(answer);
  1454. mock_options.ExitPolicyRejectPrivate = 0;
  1455. mock_options.ExitPolicyRejectLocalInterfaces = 1;
  1456. rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
  1457. &answer, &errmsg);
  1458. tt_int_op(rv, OP_EQ, 0);
  1459. tt_ptr_op(answer, OP_NE, NULL);
  1460. tt_assert(strlen(answer) > 0);
  1461. tor_free(answer);
  1462. mock_options.ExitPolicyRejectPrivate = 0;
  1463. mock_options.ExitPolicyRejectLocalInterfaces = 0;
  1464. rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
  1465. &answer, &errmsg);
  1466. tt_int_op(rv, OP_EQ, 0);
  1467. tt_ptr_op(answer, OP_NE, NULL);
  1468. tt_assert(strlen(answer) == 0);
  1469. tor_free(answer);
  1470. rv = getinfo_helper_policies(NULL, "exit-policy/ipv4", &answer,
  1471. &errmsg);
  1472. tt_int_op(rv, OP_EQ, 0);
  1473. tt_ptr_op(answer, OP_NE, NULL);
  1474. ipv4_len = strlen(answer);
  1475. tt_assert(ipv4_len > 0);
  1476. tor_free(answer);
  1477. rv = getinfo_helper_policies(NULL, "exit-policy/ipv6", &answer,
  1478. &errmsg);
  1479. tt_int_op(rv, OP_EQ, 0);
  1480. tt_ptr_op(answer, OP_NE, NULL);
  1481. ipv6_len = strlen(answer);
  1482. tt_assert(ipv6_len > 0);
  1483. tor_free(answer);
  1484. rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
  1485. &errmsg);
  1486. tt_int_op(rv, OP_EQ, 0);
  1487. tt_ptr_op(answer, OP_NE, NULL);
  1488. tt_assert(strlen(answer) > 0);
  1489. tt_assert(strlen(answer) == ipv4_len + ipv6_len + 1);
  1490. tor_free(answer);
  1491. routerinfo_err = TOR_ROUTERINFO_ERROR_NO_EXT_ADDR;
  1492. rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
  1493. &errmsg);
  1494. tt_int_op(rv, OP_EQ, -1);
  1495. tt_ptr_op(answer, OP_EQ, NULL);
  1496. tt_ptr_op(errmsg, OP_NE, NULL);
  1497. tt_str_op(errmsg, OP_EQ, "No known exit address yet");
  1498. routerinfo_err = TOR_ROUTERINFO_ERROR_CANNOT_PARSE;
  1499. rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
  1500. &errmsg);
  1501. tt_int_op(rv, OP_EQ, -1);
  1502. tt_ptr_op(answer, OP_EQ, NULL);
  1503. tt_ptr_op(errmsg, OP_NE, NULL);
  1504. tt_str_op(errmsg, OP_EQ, "Cannot parse descriptor");
  1505. routerinfo_err = TOR_ROUTERINFO_ERROR_NOT_A_SERVER;
  1506. rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
  1507. &errmsg);
  1508. tt_int_op(rv, OP_EQ, 0);
  1509. tt_ptr_op(answer, OP_EQ, NULL);
  1510. tt_ptr_op(errmsg, OP_NE, NULL);
  1511. tt_str_op(errmsg, OP_EQ, "Not running in server mode");
  1512. routerinfo_err = TOR_ROUTERINFO_ERROR_DIGEST_FAILED;
  1513. rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
  1514. &errmsg);
  1515. tt_int_op(rv, OP_EQ, -1);
  1516. tt_ptr_op(answer, OP_EQ, NULL);
  1517. tt_ptr_op(errmsg, OP_NE, NULL);
  1518. tt_str_op(errmsg, OP_EQ, "Key digest failed");
  1519. routerinfo_err = TOR_ROUTERINFO_ERROR_CANNOT_GENERATE;
  1520. rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
  1521. &errmsg);
  1522. tt_int_op(rv, OP_EQ, -1);
  1523. tt_ptr_op(answer, OP_EQ, NULL);
  1524. tt_ptr_op(errmsg, OP_NE, NULL);
  1525. tt_str_op(errmsg, OP_EQ, "Cannot generate descriptor");
  1526. routerinfo_err = TOR_ROUTERINFO_ERROR_DESC_REBUILDING;
  1527. rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
  1528. &errmsg);
  1529. tt_int_op(rv, OP_EQ, -1);
  1530. tt_ptr_op(answer, OP_EQ, NULL);
  1531. tt_ptr_op(errmsg, OP_NE, NULL);
  1532. tt_str_op(errmsg, OP_EQ, "Descriptor still rebuilding - not ready yet");
  1533. done:
  1534. tor_free(answer);
  1535. UNMOCK(get_options);
  1536. UNMOCK(router_get_my_routerinfo);
  1537. addr_policy_list_free(mock_my_routerinfo.exit_policy);
  1538. }
  /* The fixtures of the preceding test are no longer needed. */
  #undef TEST_IPV6_ADDR
  #undef TEST_IPV4_ADDR
  #undef DEFAULT_POLICY_STRING

  /* Addresses that the firewall-policy tests below list in accept entries. */
  #define TEST_IPV4_ADDR_STR "1.2.3.4"
  #define TEST_IPV6_ADDR_STR "[1002::4567]"

  /* Addresses that no accept entry names; only a catch-all entry can match
   * them. */
  #define OTHER_IPV4_ADDR_STR "6.7.8.9"
  #define OTHER_IPV6_ADDR_STR "[afff::]"

  /* Explicit catch-all reject entries, one per address family. */
  #define REJECT_IPv4_FINAL_STR "reject 0.0.0.0/0:*"
  #define REJECT_IPv6_FINAL_STR "reject [::]/0:*"
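  /** Run unit tests for fascist_firewall_allows_address().
   *
   * The fixture policy accepts TEST_IPV4_ADDR_STR and TEST_IPV6_ADDR_STR and
   * ends with explicit reject-all entries for both address families. Each
   * section resets mock_options, sets ClientUseIPv4 / ClientUseIPv6 /
   * UseBridges, and checks the verdict for the two accepted addresses and for
   * two addresses that only the final reject entries cover.
   *
   * get_options is mocked with mock_get_options for the duration of the test
   * and unmocked at the done label.
   */
  static void
  test_policies_fascist_firewall_allows_address(void *arg)
  {
    (void)arg;
    /* Addresses named by the accept entries. */
    tor_addr_t ipv4_addr, ipv6_addr;
    /* Addresses that only the final reject entries match. */
    tor_addr_t r_ipv4_addr, r_ipv6_addr;
    /* Null addresses of each family. */
    tor_addr_t n_ipv4_addr, n_ipv6_addr;
    const uint16_t port = 1234;
    smartlist_t *policy = NULL;
    smartlist_t *e_policy = NULL;
    addr_policy_t *item = NULL;
    int malformed_list = 0;

    /* Setup the options and the items in the policies */
    memset(&mock_options, 0, sizeof(or_options_t));
    MOCK(get_options, mock_get_options);

    policy = smartlist_new();
    item = router_parse_addr_policy_item_from_string("accept "
                                                     TEST_IPV4_ADDR_STR ":*",
                                                     ADDR_POLICY_ACCEPT,
                                                     &malformed_list);
    tt_assert(item);
    tt_assert(!malformed_list);
    smartlist_add(policy, item);
    item = router_parse_addr_policy_item_from_string("accept "
                                                     TEST_IPV6_ADDR_STR,
                                                     ADDR_POLICY_ACCEPT,
                                                     &malformed_list);
    tt_assert(item);
    tt_assert(!malformed_list);
    smartlist_add(policy, item);
    /* Normally, policy_expand_unspec would do this for us.
     * NOTE(review): the assumed action passed for these two "reject" strings
     * is ADDR_POLICY_ACCEPT; presumably it only applies when the string has
     * no explicit action -- confirm against the parser. */
    item = router_parse_addr_policy_item_from_string(REJECT_IPv4_FINAL_STR,
                                                     ADDR_POLICY_ACCEPT,
                                                     &malformed_list);
    tt_assert(item);
    tt_assert(!malformed_list);
    smartlist_add(policy, item);
    item = router_parse_addr_policy_item_from_string(REJECT_IPv6_FINAL_STR,
                                                     ADDR_POLICY_ACCEPT,
                                                     &malformed_list);
    tt_assert(item);
    tt_assert(!malformed_list);
    smartlist_add(policy, item);
    /* Every parsed item now belongs to the list; clear the local so the
     * cleanup at done does not free a list member a second time. */
    item = NULL;

    e_policy = smartlist_new();

    /* Debugging aid, disabled:
    char *polstr = policy_dump_to_string(policy, 1, 1);
    printf("%s\n", polstr);
    tor_free(polstr);
    */

    /* Parse the addresses. tor_addr_parse() returns the address family on
     * success and -1 on failure; check it so that a broken fixture fails here
     * instead of showing up as a confusing policy verdict further down. */
    tt_int_op(tor_addr_parse(&ipv4_addr, TEST_IPV4_ADDR_STR), OP_EQ, AF_INET);
    tt_int_op(tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR_STR), OP_EQ, AF_INET6);
    tt_int_op(tor_addr_parse(&r_ipv4_addr, OTHER_IPV4_ADDR_STR), OP_EQ,
              AF_INET);
    tt_int_op(tor_addr_parse(&r_ipv6_addr, OTHER_IPV6_ADDR_STR), OP_EQ,
              AF_INET6);
    tor_addr_make_null(&n_ipv4_addr, AF_INET);
    tor_addr_make_null(&n_ipv6_addr, AF_INET6);

    /* Test the function's address matching with IPv4 and IPv6 on */
    memset(&mock_options, 0, sizeof(or_options_t));
    mock_options.ClientUseIPv4 = 1;
    mock_options.ClientUseIPv6 = 1;
    mock_options.UseBridges = 0;

    tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
              OP_EQ, 1);
    tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
              OP_EQ, 1);
    tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
              OP_EQ, 0);
    tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
              OP_EQ, 0);

    /* Preferring IPv4 */
    tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 0),
              OP_EQ, 1);
    tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 0),
              OP_EQ, 0);
    tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 0),
              OP_EQ, 0);
    tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 0),
              OP_EQ, 0);

    /* Preferring IPv6 */
    tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 1),
              OP_EQ, 0);
    tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 1),
              OP_EQ, 1);
    tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 1),
              OP_EQ, 0);
    tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 1),
              OP_EQ, 0);

    /* Test the function's address matching with UseBridges on */
    memset(&mock_options, 0, sizeof(or_options_t));
    mock_options.ClientUseIPv4 = 1;
    mock_options.ClientUseIPv6 = 1;
    mock_options.UseBridges = 1;

    tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
              OP_EQ, 1);
    tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
              OP_EQ, 1);
    tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
              OP_EQ, 0);
    tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
              OP_EQ, 0);

    /* Preferring IPv4 */
    tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 0),
              OP_EQ, 1);
    tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 0),
              OP_EQ, 0);
    tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 0),
              OP_EQ, 0);
    tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 0),
              OP_EQ, 0);

    /* Preferring IPv6 */
    tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 1),
              OP_EQ, 0);
    tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 1),
              OP_EQ, 1);
    tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 1),
              OP_EQ, 0);
    tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 1),
              OP_EQ, 0);

    /* bridge clients always use IPv6, regardless of ClientUseIPv6.
     * UseBridges is still 1 here: the options are not reset before this
     * group. */
    mock_options.ClientUseIPv4 = 1;
    mock_options.ClientUseIPv6 = 0;

    tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
              OP_EQ, 1);
    tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
              OP_EQ, 1);
    tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
              OP_EQ, 0);
    tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
              OP_EQ, 0);

    /* Test the function's address matching with IPv4 on */
    memset(&mock_options, 0, sizeof(or_options_t));
    mock_options.ClientUseIPv4 = 1;
    mock_options.ClientUseIPv6 = 0;
    mock_options.UseBridges = 0;

    tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
              OP_EQ, 1);
    tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
              OP_EQ, 0);
    tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
              OP_EQ, 0);
    tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
              OP_EQ, 0);

    /* Test the function's address matching with IPv6 on */
    memset(&mock_options, 0, sizeof(or_options_t));
    mock_options.ClientUseIPv4 = 0;
    mock_options.ClientUseIPv6 = 1;
    mock_options.UseBridges = 0;

    tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
              OP_EQ, 0);
    tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
              OP_EQ, 1);
    tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
              OP_EQ, 0);
    tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
              OP_EQ, 0);

    /* Test the function's address matching with ClientUseIPv4 0.
     * This means "use IPv6" regardless of the other settings. */
    memset(&mock_options, 0, sizeof(or_options_t));
    mock_options.ClientUseIPv4 = 0;
    mock_options.ClientUseIPv6 = 0;
    mock_options.UseBridges = 0;

    tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0),
              OP_EQ, 0);
    tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0),
              OP_EQ, 1);
    tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0),
              OP_EQ, 0);
    tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0),
              OP_EQ, 0);

    /* Test the function's address matching for unusual inputs */
    memset(&mock_options, 0, sizeof(or_options_t));
    mock_options.ClientUseIPv4 = 1;
    mock_options.ClientUseIPv6 = 1;
    mock_options.UseBridges = 1;

    /* NULL and tor_addr_is_null addresses are rejected */
    tt_int_op(fascist_firewall_allows_address(NULL, port, policy, 0, 0), OP_EQ,
              0);
    tt_int_op(fascist_firewall_allows_address(&n_ipv4_addr, port, policy, 0, 0),
              OP_EQ, 0);
    tt_int_op(fascist_firewall_allows_address(&n_ipv6_addr, port, policy, 0, 0),
              OP_EQ, 0);

    /* zero ports are rejected */
    tt_int_op(fascist_firewall_allows_address(&ipv4_addr, 0, policy, 0, 0),
              OP_EQ, 0);
    tt_int_op(fascist_firewall_allows_address(&ipv6_addr, 0, policy, 0, 0),
              OP_EQ, 0);

    /* NULL and empty policies accept everything. This pins fail-open
     * behaviour: a missing or empty policy is not a deny, so a caller that
     * wants default-deny has to supply explicit reject entries, as the fixture
     * policy above does. */
    tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, NULL, 0, 0),
              OP_EQ, 1);
    tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, NULL, 0, 0),
              OP_EQ, 1);
    tt_int_op(fascist_firewall_allows_address(&ipv4_addr, port, e_policy, 0, 0),
              OP_EQ, 1);
    tt_int_op(fascist_firewall_allows_address(&ipv6_addr, port, e_policy, 0, 0),
              OP_EQ, 1);

   done:
    /* item is non-NULL only if a failure happened between parsing an entry
     * and adding it to the list. */
    addr_policy_free(item);
    addr_policy_list_free(policy);
    addr_policy_list_free(e_policy);
    UNMOCK(get_options);
  }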
  /* Retire the macros used only by the allows_address test.
   * TEST_IPV4_ADDR_STR and TEST_IPV6_ADDR_STR stay defined because the
   * choose_address test below parses them. */
  #undef OTHER_IPV6_ADDR_STR
  #undef OTHER_IPV4_ADDR_STR
  #undef REJECT_IPv6_FINAL_STR
  #undef REJECT_IPv4_FINAL_STR

  /* OR and Dir ports paired with the IPv4 test address. */
  #define TEST_IPV4_OR_PORT 1234
  #define TEST_IPV4_DIR_PORT 2345

  /* OR and Dir ports paired with the IPv6 test address. */
  #define TEST_IPV6_OR_PORT 61234
  #define TEST_IPV6_DIR_PORT 62345
  /* Call fascist_firewall_choose_address_rs() for fake_rs and require the
   * address/port it writes to equal expect_ap. The output slot starts out as
   * a null IPv4 address with port 0, so an untouched slot only matches a null
   * expectation.
   * NOTE(review): expect_rv is accepted but never referenced in this body, so
   * the values callers pass for it are not checked -- confirm this is
   * intended. */
  #define CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \
                               expect_ap) \
    STMT_BEGIN \
      tor_addr_port_t picked_rs_ap; \
      picked_rs_ap.port = 0; \
      tor_addr_make_null(&picked_rs_ap.addr, AF_INET); \
      fascist_firewall_choose_address_rs(&(fake_rs), (fw_connection), \
                                         (pref_only), &picked_rs_ap); \
      tt_assert(tor_addr_eq(&(expect_ap).addr, &picked_rs_ap.addr)); \
      tt_int_op((expect_ap).port, OP_EQ, picked_rs_ap.port); \
    STMT_END
  /* Call fascist_firewall_choose_address_node() for fake_node and require the
   * address/port it writes to equal expect_ap. The output slot starts out as
   * a null IPv4 address with port 0, so an untouched slot only matches a null
   * expectation.
   * NOTE(review): expect_rv is accepted but never referenced in this body, so
   * the values callers pass for it are not checked -- confirm this is
   * intended. */
  #define CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, \
                                 expect_rv, expect_ap) \
    STMT_BEGIN \
      tor_addr_port_t picked_node_ap; \
      picked_node_ap.port = 0; \
      tor_addr_make_null(&picked_node_ap.addr, AF_INET); \
      fascist_firewall_choose_address_node(&(fake_node),(fw_connection), \
                                           (pref_only), &picked_node_ap); \
      tt_assert(tor_addr_eq(&(expect_ap).addr, &picked_node_ap.addr)); \
      tt_int_op((expect_ap).port, OP_EQ, picked_node_ap.port); \
    STMT_END
  /* Apply one expectation to both lookup paths: the routerstatus check
   * (CHECK_CHOSEN_ADDR_RS) runs first, then the node check
   * (CHECK_CHOSEN_ADDR_NODE). fw_connection, pref_only, expect_rv and
   * expect_ap are forwarded unchanged to each. */
  #define CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, fw_connection, pref_only, \
                               expect_rv, expect_ap) \
    STMT_BEGIN \
      CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, \
                           expect_rv, expect_ap); \
      CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, \
                             expect_rv, expect_ap); \
    STMT_END
  /** Test double for the preferred-address function: takes no input and
   * always answers 0, which the tests read as "prefer IPv4". */
  static int
  mock_fascist_firewall_rand_prefer_ipv6_addr_use_ipv4(void)
  {
    const int prefer_ipv6 = 0;

    return prefer_ipv6;
  }
  /** Test double for the preferred-address function: takes no input and
   * always answers 1, which the tests read as "prefer IPv6". */
  static int
  mock_fascist_firewall_rand_prefer_ipv6_addr_use_ipv6(void)
  {
    const int prefer_ipv6 = 1;

    return prefer_ipv6;
  }
  1806. /** Run unit tests for fascist_firewall_choose_address */
  1807. static void
  1808. test_policies_fascist_firewall_choose_address(void *arg)
  1809. {
  1810. (void)arg;
  1811. tor_addr_port_t ipv4_or_ap, ipv4_dir_ap, ipv6_or_ap, ipv6_dir_ap;
  1812. tor_addr_port_t n_ipv4_ap, n_ipv6_ap;
  1813. /* Setup the options */
  1814. memset(&mock_options, 0, sizeof(or_options_t));
  1815. MOCK(get_options, mock_get_options);
  1816. /* Parse the addresses */
  1817. tor_addr_parse(&ipv4_or_ap.addr, TEST_IPV4_ADDR_STR);
  1818. ipv4_or_ap.port = TEST_IPV4_OR_PORT;
  1819. tor_addr_parse(&ipv4_dir_ap.addr, TEST_IPV4_ADDR_STR);
  1820. ipv4_dir_ap.port = TEST_IPV4_DIR_PORT;
  1821. tor_addr_parse(&ipv6_or_ap.addr, TEST_IPV6_ADDR_STR);
  1822. ipv6_or_ap.port = TEST_IPV6_OR_PORT;
  1823. tor_addr_parse(&ipv6_dir_ap.addr, TEST_IPV6_ADDR_STR);
  1824. ipv6_dir_ap.port = TEST_IPV6_DIR_PORT;
  1825. tor_addr_make_null(&n_ipv4_ap.addr, AF_INET);
  1826. n_ipv4_ap.port = 0;
  1827. tor_addr_make_null(&n_ipv6_ap.addr, AF_INET6);
  1828. n_ipv6_ap.port = 0;
  1829. /* Sanity check fascist_firewall_choose_address with IPv4 and IPv6 on */
  1830. memset(&mock_options, 0, sizeof(or_options_t));
  1831. mock_options.ClientUseIPv4 = 1;
  1832. mock_options.ClientUseIPv6 = 1;
  1833. mock_options.UseBridges = 0;
  1834. /* Prefer IPv4 */
  1835. tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
  1836. FIREWALL_OR_CONNECTION, 0, 0)
  1837. == &ipv4_or_ap);
  1838. tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
  1839. FIREWALL_OR_CONNECTION, 1, 0)
  1840. == &ipv4_or_ap);
  1841. tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 1,
  1842. FIREWALL_DIR_CONNECTION, 0, 0)
  1843. == &ipv4_dir_ap);
  1844. tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 1,
  1845. FIREWALL_DIR_CONNECTION, 1, 0)
  1846. == &ipv4_dir_ap);
  1847. /* Prefer IPv6 */
  1848. tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
  1849. FIREWALL_OR_CONNECTION, 0, 1)
  1850. == &ipv6_or_ap);
  1851. tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
  1852. FIREWALL_OR_CONNECTION, 1, 1)
  1853. == &ipv6_or_ap);
  1854. tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 0,
  1855. FIREWALL_DIR_CONNECTION, 0, 1)
  1856. == &ipv6_dir_ap);
  1857. tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 0,
  1858. FIREWALL_DIR_CONNECTION, 1, 1)
  1859. == &ipv6_dir_ap);
  1860. /* Unusual inputs */
  1861. /* null preferred OR addresses */
  1862. tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &n_ipv6_ap, 0,
  1863. FIREWALL_OR_CONNECTION, 0, 1)
  1864. == &ipv4_or_ap);
  1865. tt_assert(fascist_firewall_choose_address(&n_ipv4_ap, &ipv6_or_ap, 1,
  1866. FIREWALL_OR_CONNECTION, 0, 0)
  1867. == &ipv6_or_ap);
  1868. /* null both OR addresses */
  1869. tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 0,
  1870. FIREWALL_OR_CONNECTION, 0, 1),
  1871. OP_EQ, NULL);
  1872. tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 1,
  1873. FIREWALL_OR_CONNECTION, 0, 0),
  1874. OP_EQ, NULL);
  1875. /* null preferred Dir addresses */
  1876. tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &n_ipv6_ap, 0,
  1877. FIREWALL_DIR_CONNECTION, 0, 1)
  1878. == &ipv4_dir_ap);
  1879. tt_assert(fascist_firewall_choose_address(&n_ipv4_ap, &ipv6_dir_ap, 1,
  1880. FIREWALL_DIR_CONNECTION, 0, 0)
  1881. == &ipv6_dir_ap);
  1882. /* null both Dir addresses */
  1883. tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 0,
  1884. FIREWALL_DIR_CONNECTION, 0, 1),
  1885. OP_EQ, NULL);
  1886. tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 1,
  1887. FIREWALL_DIR_CONNECTION, 0, 0),
  1888. OP_EQ, NULL);
  1889. /* Prefer IPv4 but want IPv6 (contradictory) */
  1890. tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
  1891. FIREWALL_OR_CONNECTION, 0, 0)
  1892. == &ipv4_or_ap);
  1893. tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
  1894. FIREWALL_OR_CONNECTION, 1, 0)
  1895. == &ipv4_or_ap);
  1896. /* Prefer IPv6 but want IPv4 (contradictory) */
  1897. tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
  1898. FIREWALL_OR_CONNECTION, 0, 1)
  1899. == &ipv6_or_ap);
  1900. tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
  1901. FIREWALL_OR_CONNECTION, 1, 1)
  1902. == &ipv6_or_ap);
  1903. /* Make a fake rs. There will be no corresponding node.
  1904. * This is what happens when there's no consensus and we're bootstrapping
  1905. * from authorities / fallbacks. */
  1906. routerstatus_t fake_rs;
  1907. memset(&fake_rs, 0, sizeof(routerstatus_t));
  1908. /* In a routerstatus, the OR and Dir addresses are the same */
  1909. fake_rs.addr = tor_addr_to_ipv4h(&ipv4_or_ap.addr);
  1910. fake_rs.or_port = ipv4_or_ap.port;
  1911. fake_rs.dir_port = ipv4_dir_ap.port;
  1912. tor_addr_copy(&fake_rs.ipv6_addr, &ipv6_or_ap.addr);
  1913. fake_rs.ipv6_orport = ipv6_or_ap.port;
  1914. /* In a routerstatus, the IPv4 and IPv6 DirPorts are the same.*/
  1915. ipv6_dir_ap.port = TEST_IPV4_DIR_PORT;
  1916. /* Make a fake node. Even though it contains the fake_rs, a lookup won't
  1917. * find the node from the rs, because they're not in the hash table. */
  1918. node_t fake_node;
  1919. memset(&fake_node, 0, sizeof(node_t));
  1920. fake_node.rs = &fake_rs;
  1921. /* Choose an address with IPv4 and IPv6 on */
  1922. memset(&mock_options, 0, sizeof(or_options_t));
  1923. mock_options.ClientUseIPv4 = 1;
  1924. mock_options.ClientUseIPv6 = 1;
  1925. mock_options.UseBridges = 0;
  1926. /* Preferring IPv4 */
  1927. mock_options.ClientPreferIPv6ORPort = 0;
  1928. mock_options.ClientPreferIPv6DirPort = 0;
  1929. /* Simulate the initialisation of fake_node.ipv6_preferred */
  1930. fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
  1931. &mock_options);
  1932. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
  1933. ipv4_or_ap);
  1934. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
  1935. ipv4_or_ap);
  1936. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
  1937. ipv4_dir_ap);
  1938. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
  1939. ipv4_dir_ap);
  1940. /* Auto (Preferring IPv4) */
  1941. mock_options.ClientPreferIPv6ORPort = -1;
  1942. mock_options.ClientPreferIPv6DirPort = -1;
  1943. /* Simulate the initialisation of fake_node.ipv6_preferred */
  1944. fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
  1945. &mock_options);
  1946. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
  1947. ipv4_or_ap);
  1948. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
  1949. ipv4_or_ap);
  1950. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
  1951. ipv4_dir_ap);
  1952. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
  1953. ipv4_dir_ap);
  1954. /* Preferring IPv6 */
  1955. mock_options.ClientPreferIPv6ORPort = 1;
  1956. mock_options.ClientPreferIPv6DirPort = 1;
  1957. /* Simulate the initialisation of fake_node.ipv6_preferred */
  1958. fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
  1959. &mock_options);
  1960. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
  1961. ipv6_or_ap);
  1962. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
  1963. ipv6_or_ap);
  1964. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
  1965. ipv6_dir_ap);
  1966. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
  1967. ipv6_dir_ap);
  1968. /* Preferring IPv4 OR / IPv6 Dir */
  1969. mock_options.ClientPreferIPv6ORPort = 0;
  1970. mock_options.ClientPreferIPv6DirPort = 1;
  1971. /* Simulate the initialisation of fake_node.ipv6_preferred */
  1972. fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
  1973. &mock_options);
  1974. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
  1975. ipv4_or_ap);
  1976. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
  1977. ipv4_or_ap);
  1978. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
  1979. ipv6_dir_ap);
  1980. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
  1981. ipv6_dir_ap);
  1982. /* Preferring IPv6 OR / IPv4 Dir */
  1983. mock_options.ClientPreferIPv6ORPort = 1;
  1984. mock_options.ClientPreferIPv6DirPort = 0;
  1985. /* Simulate the initialisation of fake_node.ipv6_preferred */
  1986. fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
  1987. &mock_options);
  1988. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
  1989. ipv6_or_ap);
  1990. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
  1991. ipv6_or_ap);
  1992. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
  1993. ipv4_dir_ap);
  1994. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
  1995. ipv4_dir_ap);
  1996. /* Choose an address with UseBridges on */
  1997. memset(&mock_options, 0, sizeof(or_options_t));
  1998. mock_options.UseBridges = 1;
  1999. mock_options.ClientUseIPv4 = 1;
  2000. mock_options.ClientUseIPv6 = 1;
  2001. /* Preferring IPv4 */
  2002. mock_options.ClientPreferIPv6ORPort = 0;
  2003. mock_options.ClientPreferIPv6DirPort = 0;
  2004. /* Simulate the initialisation of fake_node.ipv6_preferred */
  2005. fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
  2006. &mock_options);
  2007. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
  2008. ipv4_or_ap);
  2009. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
  2010. ipv4_or_ap);
  2011. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
  2012. ipv4_dir_ap);
  2013. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
  2014. ipv4_dir_ap);
  2015. /* Auto:
  2016. * - bridge clients prefer the configured bridge OR address from the node,
  2017. * (the configured address family sets node.ipv6_preferred)
  2018. * - other clients prefer IPv4 OR by default (see above),
  2019. * - all clients, including bridge clients, prefer IPv4 Dir by default.
  2020. */
  2021. mock_options.ClientPreferIPv6ORPort = -1;
  2022. mock_options.ClientPreferIPv6DirPort = -1;
  2023. /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
  2024. * configured with an IPv4 address */
  2025. fake_node.ipv6_preferred = 0;
  2026. CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
  2027. CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
  2028. CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
  2029. ipv4_dir_ap);
  2030. CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
  2031. ipv4_dir_ap);
  2032. /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
  2033. * configured with an IPv6 address */
  2034. fake_node.ipv6_preferred = 1;
  2035. CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv6_or_ap);
  2036. CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv6_or_ap);
  2037. CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
  2038. ipv4_dir_ap);
  2039. CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
  2040. ipv4_dir_ap);
  2041. /* When a rs has no node, it defaults to IPv4 under auto. */
  2042. CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
  2043. CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
  2044. CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 0, 1, ipv4_dir_ap);
  2045. CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 1, 1, ipv4_dir_ap);
  2046. /* Preferring IPv6 */
  2047. mock_options.ClientPreferIPv6ORPort = 1;
  2048. mock_options.ClientPreferIPv6DirPort = 1;
  2049. /* Simulate the initialisation of fake_node.ipv6_preferred */
  2050. fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
  2051. &mock_options);
  2052. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
  2053. ipv6_or_ap);
  2054. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
  2055. ipv6_or_ap);
  2056. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
  2057. ipv6_dir_ap);
  2058. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
  2059. ipv6_dir_ap);
  2060. /* In the default configuration (Auto / IPv6 off), bridge clients should
  2061. * use both IPv4 and IPv6, but only prefer IPv6 for bridges configured with
  2062. * an IPv6 address, regardless of ClientUseIPv6. (See above.) */
  2063. mock_options.ClientUseIPv6 = 0;
  2064. mock_options.ClientPreferIPv6ORPort = -1;
  2065. mock_options.ClientPreferIPv6DirPort = -1;
  2066. /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
  2067. * configured with an IPv4 address */
  2068. fake_node.ipv6_preferred = 0;
  2069. CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
  2070. CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
  2071. CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
  2072. ipv4_dir_ap);
  2073. CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
  2074. ipv4_dir_ap);
  2075. /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
  2076. * configured with an IPv6 address */
  2077. fake_node.ipv6_preferred = 1;
  2078. CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv6_or_ap);
  2079. CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv6_or_ap);
  2080. CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
  2081. ipv4_dir_ap);
  2082. CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
  2083. ipv4_dir_ap);
  2084. /* When a rs has no node, it defaults to IPv4 under auto. */
  2085. CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
  2086. CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
  2087. CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 0, 1, ipv4_dir_ap);
  2088. CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 1, 1, ipv4_dir_ap);
  2089. /* Choose an address with IPv4 on */
  2090. memset(&mock_options, 0, sizeof(or_options_t));
  2091. mock_options.ClientUseIPv4 = 1;
  2092. mock_options.ClientUseIPv6 = 0;
  2093. /* Simulate the initialisation of fake_node.ipv6_preferred */
  2094. fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
  2095. &mock_options);
  2096. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
  2097. ipv4_or_ap);
  2098. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
  2099. ipv4_or_ap);
  2100. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
  2101. ipv4_dir_ap);
  2102. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
  2103. ipv4_dir_ap);
  2104. /* Choose an address with IPv6 on */
  2105. memset(&mock_options, 0, sizeof(or_options_t));
  2106. mock_options.ClientUseIPv4 = 0;
  2107. mock_options.ClientUseIPv6 = 1;
  2108. /* Simulate the initialisation of fake_node.ipv6_preferred */
  2109. fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
  2110. &mock_options);
  2111. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
  2112. ipv6_or_ap);
  2113. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
  2114. ipv6_or_ap);
  2115. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
  2116. ipv6_dir_ap);
  2117. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
  2118. ipv6_dir_ap);
  2119. /* Choose an address with ClientUseIPv4 0.
  2120. * This means "use IPv6" regardless of the other settings. */
  2121. memset(&mock_options, 0, sizeof(or_options_t));
  2122. mock_options.ClientUseIPv4 = 0;
  2123. mock_options.ClientUseIPv6 = 0;
  2124. /* Simulate the initialisation of fake_node.ipv6_preferred */
  2125. fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
  2126. &mock_options);
  2127. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
  2128. ipv6_or_ap);
  2129. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
  2130. ipv6_or_ap);
  2131. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
  2132. ipv6_dir_ap);
  2133. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
  2134. ipv6_dir_ap);
  2135. /* Choose an address with ORPort_set 1 (server mode).
  2136. * This means "use IPv4" regardless of the other settings. */
  2137. memset(&mock_options, 0, sizeof(or_options_t));
  2138. mock_options.ORPort_set = 1;
  2139. mock_options.ClientUseIPv4 = 0;
  2140. mock_options.ClientUseIPv6 = 1;
  2141. mock_options.ClientPreferIPv6ORPort = 1;
  2142. mock_options.ClientPreferIPv6DirPort = 1;
  2143. /* Simulate the initialisation of fake_node.ipv6_preferred */
  2144. fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
  2145. &mock_options);
  2146. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
  2147. ipv4_or_ap);
  2148. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
  2149. ipv4_or_ap);
  2150. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
  2151. ipv4_dir_ap);
  2152. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
  2153. ipv4_dir_ap);
  2154. /* Test ClientAutoIPv6ORPort and pretend we prefer IPv4. */
  2155. memset(&mock_options, 0, sizeof(or_options_t));
  2156. mock_options.ClientAutoIPv6ORPort = 1;
  2157. mock_options.ClientUseIPv4 = 1;
  2158. mock_options.ClientUseIPv6 = 1;
  2159. MOCK(fascist_firewall_rand_prefer_ipv6_addr,
  2160. mock_fascist_firewall_rand_prefer_ipv6_addr_use_ipv4);
  2161. /* Simulate the initialisation of fake_node.ipv6_preferred */
  2162. fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
  2163. &mock_options);
  2164. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
  2165. ipv4_or_ap);
  2166. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
  2167. ipv4_or_ap);
  2168. UNMOCK(fascist_firewall_rand_prefer_ipv6_addr);
  2169. /* Test ClientAutoIPv6ORPort and pretend we prefer IPv6. */
  2170. memset(&mock_options, 0, sizeof(or_options_t));
  2171. mock_options.ClientAutoIPv6ORPort = 1;
  2172. mock_options.ClientUseIPv4 = 1;
  2173. mock_options.ClientUseIPv6 = 1;
  2174. MOCK(fascist_firewall_rand_prefer_ipv6_addr,
  2175. mock_fascist_firewall_rand_prefer_ipv6_addr_use_ipv6);
  2176. /* Simulate the initialisation of fake_node.ipv6_preferred */
  2177. fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
  2178. &mock_options);
  2179. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
  2180. ipv6_or_ap);
  2181. CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
  2182. ipv6_or_ap);
  2183. UNMOCK(fascist_firewall_rand_prefer_ipv6_addr);
  2184. done:
  2185. UNMOCK(get_options);
  2186. }
  /* Drop the test-local macros so that none of them stays defined for code
   * further down this translation unit. */

  /* Address and port constants (presumably defined earlier in this file). */
  #undef TEST_IPV4_ADDR_STR
  #undef TEST_IPV6_ADDR_STR
  #undef TEST_IPV4_OR_PORT
  #undef TEST_IPV4_DIR_PORT
  #undef TEST_IPV6_OR_PORT
  #undef TEST_IPV6_DIR_PORT

  /* Assertion helpers used by the address-selection test that ends just
   * above. */
  #undef CHECK_CHOSEN_ADDR_RS
  #undef CHECK_CHOSEN_ADDR_NODE
  #undef CHECK_CHOSEN_ADDR_RN
  /**
   * Table of the policy unit tests defined in this file.
   *
   * Each row pairs the name a test is registered under with the function
   * that implements it; the remaining three fields are 0, NULL, NULL for
   * every row (in tinytest's struct testcase_t these would be the flags, the
   * setup hooks and the setup data -- confirm against tinytest.h).
   * END_OF_TESTCASES closes the table.
   *
   * The rows cover exit-policy dumping, the reject_* checks on exit,
   * interface and port addresses, and the fascist_firewall_* address checks.
   * NOTE(review): presumably a test function that is not listed here is
   * never run, so a new policy test needs a row of its own.
   */
  struct testcase_t policy_tests[] = {
    { "router_dump_exit_policy_to_string",
      test_dump_exit_policy_to_string,
      0, NULL, NULL },
    { "general",
      test_policies_general,
      0, NULL, NULL },
    { "getinfo_helper_policies",
      test_policies_getinfo_helper_policies,
      0, NULL, NULL },
    { "reject_exit_address",
      test_policies_reject_exit_address,
      0, NULL, NULL },
    { "reject_interface_address",
      test_policies_reject_interface_address,
      0, NULL, NULL },
    { "reject_port_address",
      test_policies_reject_port_address,
      0, NULL, NULL },
    { "fascist_firewall_allows_address",
      test_policies_fascist_firewall_allows_address,
      0, NULL, NULL },
    { "fascist_firewall_choose_address",
      test_policies_fascist_firewall_choose_address,
      0, NULL, NULL },
    END_OF_TESTCASES
  };