Line data Source code
1 : /* Copyright (c) 2013-2021, The Tor Project, Inc. */
2 : /* See LICENSE for licensing information */
3 :
4 : #define CONFIG_PRIVATE
5 : #define POLICIES_PRIVATE
6 :
7 : #include "core/or/or.h"
8 : #include "app/config/config.h"
9 : #include "core/or/circuitbuild.h"
10 : #include "core/or/policies.h"
11 : #include "core/or/extendinfo.h"
12 : #include "feature/dirparse/policy_parse.h"
13 : #include "feature/hs/hs_common.h"
14 : #include "feature/hs/hs_descriptor.h"
15 : #include "feature/relay/router.h"
16 : #include "lib/encoding/confline.h"
17 : #include "test/test.h"
18 : #include "test/log_test_helpers.h"
19 :
20 : #include "core/or/addr_policy_st.h"
21 : #include "core/or/extend_info_st.h"
22 : #include "core/or/port_cfg_st.h"
23 : #include "feature/nodelist/node_st.h"
24 : #include "feature/nodelist/routerinfo_st.h"
25 : #include "feature/nodelist/routerstatus_st.h"
26 :
27 : /* Helper: assert that short_policy parses and writes back out as itself,
28 : or as <b>expected</b> if that's provided. */
29 : static void
30 7 : test_short_policy_parse(const char *input,
31 : const char *expected)
32 : {
33 7 : short_policy_t *short_policy = NULL;
34 7 : char *out = NULL;
35 :
36 7 : if (expected == NULL)
37 0 : expected = input;
38 :
39 7 : short_policy = parse_short_policy(input);
40 7 : tt_assert(short_policy);
41 7 : out = write_short_policy(short_policy);
42 7 : tt_str_op(out, OP_EQ, expected);
43 :
44 7 : done:
45 7 : tor_free(out);
46 7 : short_policy_free(short_policy);
47 7 : }
48 :
49 : /** Helper: Parse the exit policy string in <b>policy_str</b> with
50 : * <b>options</b>, and make sure that policies_summarize() produces the string
51 : * <b>expected_summary</b> from it when called with family. */
52 : static void
53 480 : test_policy_summary_helper_family_flags(const char *policy_str,
54 : const char *expected_summary,
55 : sa_family_t family,
56 : exit_policy_parser_cfg_t options)
57 : {
58 480 : config_line_t line;
59 480 : smartlist_t *policy = smartlist_new();
60 480 : char *summary = NULL;
61 480 : char *summary_after = NULL;
62 480 : int r;
63 480 : short_policy_t *short_policy = NULL;
64 480 : int success = 0;
65 :
66 480 : line.key = (char *) "foo";
67 480 : line.value = (char *) policy_str;
68 480 : line.next = NULL;
69 :
70 480 : r = policies_parse_exit_policy(&line, &policy,
71 : options, NULL);
72 480 : tt_int_op(r,OP_EQ, 0);
73 :
74 480 : summary = policy_summarize(policy, family);
75 :
76 480 : tt_ptr_op(summary, OP_NE, NULL);
77 480 : tt_str_op(summary,OP_EQ, expected_summary);
78 :
79 480 : short_policy = parse_short_policy(summary);
80 480 : tt_assert(short_policy);
81 480 : summary_after = write_short_policy(short_policy);
82 480 : tt_str_op(summary,OP_EQ, summary_after);
83 :
84 : success = 1;
85 480 : done:
86 : /* If we don't print the flags on failure, it's very hard to diagnose bugs */
87 480 : if (!success)
88 0 : TT_DECLARE("CTXT", ("\n IPv%d\n Options: %x\n Policy: %s",
89 : family == AF_INET ? 4 : 6, options, policy_str));
90 480 : tor_free(summary_after);
91 480 : tor_free(summary);
92 480 : if (policy)
93 480 : addr_policy_list_free(policy);
94 480 : short_policy_free(short_policy);
95 480 : }
96 :
97 : /** Like test_policy_summary_helper_family_flags, but tries all the different
98 : * flag combinations */
99 : static void
100 40 : test_policy_summary_helper_family(const char *policy_str,
101 : const char *expected_summary,
102 : sa_family_t family)
103 : {
104 40 : for (exit_policy_parser_cfg_t opt = 0;
105 1320 : opt <= EXIT_POLICY_OPTION_ALL;
106 1280 : opt++) {
107 1280 : if (family == AF_INET6 && !(opt & EXIT_POLICY_IPV6_ENABLED))
108 : /* Skip the test: IPv6 addresses need IPv6 enabled */
109 320 : continue;
110 :
111 960 : if (opt & EXIT_POLICY_REJECT_LOCAL_INTERFACES)
112 : /* Skip the test: local interfaces are machine-specific */
113 480 : continue;
114 :
115 480 : test_policy_summary_helper_family_flags(policy_str, expected_summary,
116 : family, opt);
117 : }
118 40 : }
119 :
120 : /** Like test_policy_summary_helper_family, but uses expected_summary for
121 : * both IPv4 and IPv6. */
122 : static void
123 19 : test_policy_summary_helper(const char *policy_str,
124 : const char *expected_summary)
125 : {
126 19 : test_policy_summary_helper_family(policy_str, expected_summary, AF_INET);
127 19 : test_policy_summary_helper_family(policy_str, expected_summary, AF_INET6);
128 19 : }
129 :
130 : /** Like test_policy_summary_helper_family, but uses expected_summary4 for
131 : * IPv4 and expected_summary6 for IPv6. */
132 : static void
133 1 : test_policy_summary_helper6(const char *policy_str,
134 : const char *expected_summary4,
135 : const char *expected_summary6)
136 : {
137 1 : test_policy_summary_helper_family(policy_str, expected_summary4, AF_INET);
138 1 : test_policy_summary_helper_family(policy_str, expected_summary6, AF_INET6);
139 1 : }
140 :
141 : /** Run unit tests for generating summary lines of exit policies */
142 : static void
143 1 : test_policies_general(void *arg)
144 : {
145 1 : int i;
146 1 : smartlist_t *policy = NULL, *policy2 = NULL, *policy3 = NULL,
147 1 : *policy4 = NULL, *policy5 = NULL, *policy6 = NULL,
148 1 : *policy7 = NULL, *policy8 = NULL, *policy9 = NULL,
149 1 : *policy10 = NULL, *policy11 = NULL, *policy12 = NULL;
150 1 : addr_policy_t *p;
151 1 : tor_addr_t tar, tar2;
152 1 : smartlist_t *addr_list = NULL;
153 1 : config_line_t line;
154 1 : smartlist_t *sm = NULL;
155 1 : char *policy_str = NULL;
156 1 : short_policy_t *short_parsed = NULL;
157 1 : int malformed_list = -1;
158 1 : (void)arg;
159 :
160 1 : policy = smartlist_new();
161 :
162 1 : p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*", -1,
163 : &malformed_list);
164 1 : tt_ptr_op(p, OP_NE, NULL);
165 1 : tt_int_op(ADDR_POLICY_REJECT,OP_EQ, p->policy_type);
166 1 : tor_addr_from_ipv4h(&tar, 0xc0a80000u);
167 1 : tt_int_op(0,OP_EQ, tor_addr_compare(&p->addr, &tar, CMP_EXACT));
168 1 : tt_int_op(16,OP_EQ, p->maskbits);
169 1 : tt_int_op(1,OP_EQ, p->prt_min);
170 1 : tt_int_op(65535,OP_EQ, p->prt_max);
171 :
172 1 : smartlist_add(policy, p);
173 :
174 1 : tor_addr_from_ipv4h(&tar, 0x01020304u);
175 1 : tt_assert(ADDR_POLICY_ACCEPTED ==
176 : compare_tor_addr_to_addr_policy(&tar, 2, policy));
177 1 : tor_addr_make_unspec(&tar);
178 1 : tt_assert(ADDR_POLICY_PROBABLY_ACCEPTED ==
179 : compare_tor_addr_to_addr_policy(&tar, 2, policy));
180 1 : tor_addr_from_ipv4h(&tar, 0xc0a80102);
181 1 : tt_assert(ADDR_POLICY_REJECTED ==
182 : compare_tor_addr_to_addr_policy(&tar, 2, policy));
183 :
184 1 : tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy2,
185 : EXIT_POLICY_IPV6_ENABLED |
186 : EXIT_POLICY_REJECT_PRIVATE |
187 : EXIT_POLICY_ADD_DEFAULT, NULL));
188 :
189 1 : tt_assert(policy2);
190 :
191 1 : tor_addr_from_ipv4h(&tar, 0x0306090cu);
192 1 : tor_addr_parse(&tar2, "[2000::1234]");
193 1 : addr_list = smartlist_new();
194 1 : smartlist_add(addr_list, &tar);
195 1 : smartlist_add(addr_list, &tar2);
196 1 : tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy12,
197 : EXIT_POLICY_IPV6_ENABLED |
198 : EXIT_POLICY_REJECT_PRIVATE |
199 : EXIT_POLICY_ADD_DEFAULT,
200 : addr_list));
201 1 : smartlist_free(addr_list);
202 1 : addr_list = NULL;
203 :
204 1 : tt_assert(policy12);
205 :
206 1 : policy3 = smartlist_new();
207 1 : p = router_parse_addr_policy_item_from_string("reject *:*", -1,
208 : &malformed_list);
209 1 : tt_ptr_op(p, OP_NE, NULL);
210 1 : smartlist_add(policy3, p);
211 1 : p = router_parse_addr_policy_item_from_string("accept *:*", -1,
212 : &malformed_list);
213 1 : tt_ptr_op(p, OP_NE, NULL);
214 1 : smartlist_add(policy3, p);
215 :
216 1 : policy4 = smartlist_new();
217 1 : p = router_parse_addr_policy_item_from_string("accept *:443", -1,
218 : &malformed_list);
219 1 : tt_ptr_op(p, OP_NE, NULL);
220 1 : smartlist_add(policy4, p);
221 1 : p = router_parse_addr_policy_item_from_string("accept *:443", -1,
222 : &malformed_list);
223 1 : tt_ptr_op(p, OP_NE, NULL);
224 1 : smartlist_add(policy4, p);
225 :
226 1 : policy5 = smartlist_new();
227 1 : p = router_parse_addr_policy_item_from_string("reject 0.0.0.0/8:*", -1,
228 : &malformed_list);
229 1 : tt_ptr_op(p, OP_NE, NULL);
230 1 : smartlist_add(policy5, p);
231 1 : p = router_parse_addr_policy_item_from_string("reject 169.254.0.0/16:*", -1,
232 : &malformed_list);
233 1 : tt_ptr_op(p, OP_NE, NULL);
234 1 : smartlist_add(policy5, p);
235 1 : p = router_parse_addr_policy_item_from_string("reject 127.0.0.0/8:*", -1,
236 : &malformed_list);
237 1 : tt_ptr_op(p, OP_NE, NULL);
238 1 : smartlist_add(policy5, p);
239 1 : p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*",
240 : -1, &malformed_list);
241 1 : tt_ptr_op(p, OP_NE, NULL);
242 1 : smartlist_add(policy5, p);
243 1 : p = router_parse_addr_policy_item_from_string("reject 10.0.0.0/8:*", -1,
244 : &malformed_list);
245 1 : tt_ptr_op(p, OP_NE, NULL);
246 1 : smartlist_add(policy5, p);
247 1 : p = router_parse_addr_policy_item_from_string("reject 172.16.0.0/12:*", -1,
248 : &malformed_list);
249 1 : tt_ptr_op(p, OP_NE, NULL);
250 1 : smartlist_add(policy5, p);
251 1 : p = router_parse_addr_policy_item_from_string("reject 80.190.250.90:*", -1,
252 : &malformed_list);
253 1 : tt_ptr_op(p, OP_NE, NULL);
254 1 : smartlist_add(policy5, p);
255 1 : p = router_parse_addr_policy_item_from_string("reject *:1-65534", -1,
256 : &malformed_list);
257 1 : tt_ptr_op(p, OP_NE, NULL);
258 1 : smartlist_add(policy5, p);
259 1 : p = router_parse_addr_policy_item_from_string("reject *:65535", -1,
260 : &malformed_list);
261 1 : tt_ptr_op(p, OP_NE, NULL);
262 1 : smartlist_add(policy5, p);
263 1 : p = router_parse_addr_policy_item_from_string("accept *:1-65535", -1,
264 : &malformed_list);
265 1 : tt_ptr_op(p, OP_NE, NULL);
266 1 : smartlist_add(policy5, p);
267 :
268 1 : policy6 = smartlist_new();
269 1 : p = router_parse_addr_policy_item_from_string("accept 43.3.0.0/9:*", -1,
270 : &malformed_list);
271 1 : tt_ptr_op(p, OP_NE, NULL);
272 1 : smartlist_add(policy6, p);
273 :
274 1 : policy7 = smartlist_new();
275 1 : p = router_parse_addr_policy_item_from_string("accept 0.0.0.0/8:*", -1,
276 : &malformed_list);
277 1 : tt_ptr_op(p, OP_NE, NULL);
278 1 : smartlist_add(policy7, p);
279 :
280 1 : tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy8,
281 : EXIT_POLICY_IPV6_ENABLED |
282 : EXIT_POLICY_REJECT_PRIVATE |
283 : EXIT_POLICY_ADD_DEFAULT,
284 : NULL));
285 :
286 1 : tt_assert(policy8);
287 :
288 1 : tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy9,
289 : EXIT_POLICY_REJECT_PRIVATE |
290 : EXIT_POLICY_ADD_DEFAULT,
291 : NULL));
292 :
293 1 : tt_assert(policy9);
294 :
295 : /* accept6 * and reject6 * produce IPv6 wildcards only */
296 1 : policy10 = smartlist_new();
297 1 : p = router_parse_addr_policy_item_from_string("accept6 *:*", -1,
298 : &malformed_list);
299 1 : tt_ptr_op(p, OP_NE, NULL);
300 1 : smartlist_add(policy10, p);
301 :
302 1 : policy11 = smartlist_new();
303 1 : p = router_parse_addr_policy_item_from_string("reject6 *:*", -1,
304 : &malformed_list);
305 1 : tt_ptr_op(p, OP_NE, NULL);
306 1 : smartlist_add(policy11, p);
307 :
308 1 : tt_assert(!exit_policy_is_general_exit(policy));
309 1 : tt_assert(exit_policy_is_general_exit(policy2));
310 1 : tt_assert(!exit_policy_is_general_exit(NULL));
311 1 : tt_assert(!exit_policy_is_general_exit(policy3));
312 1 : tt_assert(!exit_policy_is_general_exit(policy4));
313 1 : tt_assert(!exit_policy_is_general_exit(policy5));
314 1 : tt_assert(!exit_policy_is_general_exit(policy6));
315 1 : tt_assert(!exit_policy_is_general_exit(policy7));
316 1 : tt_assert(exit_policy_is_general_exit(policy8));
317 1 : tt_assert(exit_policy_is_general_exit(policy9));
318 1 : tt_assert(!exit_policy_is_general_exit(policy10));
319 1 : tt_assert(!exit_policy_is_general_exit(policy11));
320 :
321 1 : tt_assert(!addr_policies_eq(policy, policy2));
322 1 : tt_assert(!addr_policies_eq(policy, NULL));
323 1 : tt_assert(addr_policies_eq(policy2, policy2));
324 1 : tt_assert(addr_policies_eq(NULL, NULL));
325 :
326 1 : tt_assert(!policy_is_reject_star(policy2, AF_INET, 1));
327 1 : tt_assert(policy_is_reject_star(policy, AF_INET, 1));
328 1 : tt_assert(policy_is_reject_star(policy10, AF_INET, 1));
329 1 : tt_assert(!policy_is_reject_star(policy10, AF_INET6, 1));
330 1 : tt_assert(policy_is_reject_star(policy11, AF_INET, 1));
331 1 : tt_assert(policy_is_reject_star(policy11, AF_INET6, 1));
332 1 : tt_assert(policy_is_reject_star(NULL, AF_INET, 1));
333 1 : tt_assert(policy_is_reject_star(NULL, AF_INET6, 1));
334 1 : tt_assert(!policy_is_reject_star(NULL, AF_INET, 0));
335 1 : tt_assert(!policy_is_reject_star(NULL, AF_INET6, 0));
336 :
337 1 : addr_policy_list_free(policy);
338 1 : policy = NULL;
339 :
340 : /* make sure assume_action works */
341 1 : malformed_list = 0;
342 1 : p = router_parse_addr_policy_item_from_string("127.0.0.1",
343 : ADDR_POLICY_ACCEPT,
344 : &malformed_list);
345 1 : tt_assert(p);
346 1 : addr_policy_free(p);
347 1 : tt_assert(!malformed_list);
348 :
349 1 : p = router_parse_addr_policy_item_from_string("127.0.0.1:*",
350 : ADDR_POLICY_ACCEPT,
351 : &malformed_list);
352 1 : tt_assert(p);
353 1 : addr_policy_free(p);
354 1 : tt_assert(!malformed_list);
355 :
356 1 : p = router_parse_addr_policy_item_from_string("[::]",
357 : ADDR_POLICY_ACCEPT,
358 : &malformed_list);
359 1 : tt_assert(p);
360 1 : addr_policy_free(p);
361 1 : tt_assert(!malformed_list);
362 :
363 1 : p = router_parse_addr_policy_item_from_string("[::]:*",
364 : ADDR_POLICY_ACCEPT,
365 : &malformed_list);
366 1 : tt_assert(p);
367 1 : addr_policy_free(p);
368 1 : tt_assert(!malformed_list);
369 :
370 1 : p = router_parse_addr_policy_item_from_string("[face::b]",
371 : ADDR_POLICY_ACCEPT,
372 : &malformed_list);
373 1 : tt_assert(p);
374 1 : addr_policy_free(p);
375 1 : tt_assert(!malformed_list);
376 :
377 1 : p = router_parse_addr_policy_item_from_string("[b::aaaa]",
378 : ADDR_POLICY_ACCEPT,
379 : &malformed_list);
380 1 : tt_assert(p);
381 1 : addr_policy_free(p);
382 1 : tt_assert(!malformed_list);
383 :
384 1 : p = router_parse_addr_policy_item_from_string("*",
385 : ADDR_POLICY_ACCEPT,
386 : &malformed_list);
387 1 : tt_assert(p);
388 1 : addr_policy_free(p);
389 1 : tt_assert(!malformed_list);
390 :
391 1 : p = router_parse_addr_policy_item_from_string("*4",
392 : ADDR_POLICY_ACCEPT,
393 : &malformed_list);
394 1 : tt_assert(p);
395 1 : addr_policy_free(p);
396 1 : tt_assert(!malformed_list);
397 :
398 1 : p = router_parse_addr_policy_item_from_string("*6",
399 : ADDR_POLICY_ACCEPT,
400 : &malformed_list);
401 1 : tt_assert(p);
402 1 : addr_policy_free(p);
403 1 : tt_assert(!malformed_list);
404 :
405 : /* These are all ambiguous IPv6 addresses, it's good that we reject them */
406 1 : p = router_parse_addr_policy_item_from_string("acce::abcd",
407 : ADDR_POLICY_ACCEPT,
408 : &malformed_list);
409 1 : tt_ptr_op(p, OP_EQ, NULL);
410 1 : tt_assert(malformed_list);
411 1 : malformed_list = 0;
412 :
413 1 : p = router_parse_addr_policy_item_from_string("7:1234",
414 : ADDR_POLICY_ACCEPT,
415 : &malformed_list);
416 1 : tt_ptr_op(p, OP_EQ, NULL);
417 1 : tt_assert(malformed_list);
418 1 : malformed_list = 0;
419 :
420 1 : p = router_parse_addr_policy_item_from_string("::",
421 : ADDR_POLICY_ACCEPT,
422 : &malformed_list);
423 1 : tt_ptr_op(p, OP_EQ, NULL);
424 1 : tt_assert(malformed_list);
425 1 : malformed_list = 0;
426 :
427 : /* make sure compacting logic works. */
428 1 : policy = NULL;
429 1 : line.key = (char*)"foo";
430 1 : line.value = (char*)"accept *:80,reject private:*,reject *:*";
431 1 : line.next = NULL;
432 1 : tt_int_op(0, OP_EQ, policies_parse_exit_policy(&line,&policy,
433 : EXIT_POLICY_IPV6_ENABLED |
434 : EXIT_POLICY_ADD_DEFAULT, NULL));
435 1 : tt_assert(policy);
436 :
437 : //test_streq(policy->string, "accept *:80");
438 : //test_streq(policy->next->string, "reject *:*");
439 1 : tt_int_op(smartlist_len(policy),OP_EQ, 4);
440 :
441 : /* test policy summaries */
442 : /* check if we properly ignore private IP addresses */
443 1 : test_policy_summary_helper("reject 192.168.0.0/16:*,"
444 : "reject 0.0.0.0/8:*,"
445 : "reject 10.0.0.0/8:*,"
446 : "accept *:10-30,"
447 : "accept *:90,"
448 : "reject *:*",
449 : "accept 10-30,90");
450 : /* check all accept policies, and proper counting of rejects */
451 1 : test_policy_summary_helper("reject 11.0.0.0/9:80,"
452 : "reject 12.0.0.0/9:80,"
453 : "reject 13.0.0.0/9:80,"
454 : "reject 14.0.0.0/9:80,"
455 : "accept *:*", "accept 1-65535");
456 1 : test_policy_summary_helper("reject 11.0.0.0/9:80,"
457 : "reject 12.0.0.0/9:80,"
458 : "reject 13.0.0.0/9:80,"
459 : "reject 14.0.0.0/9:80,"
460 : "reject 15.0.0.0:81,"
461 : "accept *:*", "accept 1-65535");
462 1 : test_policy_summary_helper6("reject 11.0.0.0/9:80,"
463 : "reject 12.0.0.0/9:80,"
464 : "reject 13.0.0.0/9:80,"
465 : "reject 14.0.0.0/9:80,"
466 : "reject 15.0.0.0:80,"
467 : "accept *:*",
468 : "reject 80",
469 : "accept 1-65535");
470 : /* no exits */
471 1 : test_policy_summary_helper("accept 11.0.0.0/9:80,"
472 : "reject *:*",
473 : "reject 1-65535");
474 : /* port merging */
475 1 : test_policy_summary_helper("accept *:80,"
476 : "accept *:81,"
477 : "accept *:100-110,"
478 : "accept *:111,"
479 : "reject *:*",
480 : "accept 80-81,100-111");
481 : /* border ports */
482 1 : test_policy_summary_helper("accept *:1,"
483 : "accept *:3,"
484 : "accept *:65535,"
485 : "reject *:*",
486 : "accept 1,3,65535");
487 : /* holes */
488 1 : test_policy_summary_helper("accept *:1,"
489 : "accept *:3,"
490 : "accept *:5,"
491 : "accept *:7,"
492 : "reject *:*",
493 : "accept 1,3,5,7");
494 1 : test_policy_summary_helper("reject *:1,"
495 : "reject *:3,"
496 : "reject *:5,"
497 : "reject *:7,"
498 : "accept *:*",
499 : "reject 1,3,5,7");
500 : /* long policies */
501 : /* standard long policy on many exits */
502 1 : test_policy_summary_helper("accept *:20-23,"
503 : "accept *:43,"
504 : "accept *:53,"
505 : "accept *:79-81,"
506 : "accept *:88,"
507 : "accept *:110,"
508 : "accept *:143,"
509 : "accept *:194,"
510 : "accept *:220,"
511 : "accept *:389,"
512 : "accept *:443,"
513 : "accept *:464,"
514 : "accept *:531,"
515 : "accept *:543-544,"
516 : "accept *:554,"
517 : "accept *:563,"
518 : "accept *:636,"
519 : "accept *:706,"
520 : "accept *:749,"
521 : "accept *:873,"
522 : "accept *:902-904,"
523 : "accept *:981,"
524 : "accept *:989-995,"
525 : "accept *:1194,"
526 : "accept *:1220,"
527 : "accept *:1293,"
528 : "accept *:1500,"
529 : "accept *:1533,"
530 : "accept *:1677,"
531 : "accept *:1723,"
532 : "accept *:1755,"
533 : "accept *:1863,"
534 : "accept *:2082,"
535 : "accept *:2083,"
536 : "accept *:2086-2087,"
537 : "accept *:2095-2096,"
538 : "accept *:2102-2104,"
539 : "accept *:3128,"
540 : "accept *:3389,"
541 : "accept *:3690,"
542 : "accept *:4321,"
543 : "accept *:4643,"
544 : "accept *:5050,"
545 : "accept *:5190,"
546 : "accept *:5222-5223,"
547 : "accept *:5228,"
548 : "accept *:5900,"
549 : "accept *:6660-6669,"
550 : "accept *:6679,"
551 : "accept *:6697,"
552 : "accept *:8000,"
553 : "accept *:8008,"
554 : "accept *:8074,"
555 : "accept *:8080,"
556 : "accept *:8087-8088,"
557 : "accept *:8332-8333,"
558 : "accept *:8443,"
559 : "accept *:8888,"
560 : "accept *:9418,"
561 : "accept *:9999,"
562 : "accept *:10000,"
563 : "accept *:11371,"
564 : "accept *:12350,"
565 : "accept *:19294,"
566 : "accept *:19638,"
567 : "accept *:23456,"
568 : "accept *:33033,"
569 : "accept *:64738,"
570 : "reject *:*",
571 : "accept 20-23,43,53,79-81,88,110,143,194,220,389,"
572 : "443,464,531,543-544,554,563,636,706,749,873,"
573 : "902-904,981,989-995,1194,1220,1293,1500,1533,"
574 : "1677,1723,1755,1863,2082-2083,2086-2087,"
575 : "2095-2096,2102-2104,3128,3389,3690,4321,4643,"
576 : "5050,5190,5222-5223,5228,5900,6660-6669,6679,"
577 : "6697,8000,8008,8074,8080,8087-8088,8332-8333,"
578 : "8443,8888,9418,9999-10000,11371,12350,19294,"
579 : "19638,23456,33033,64738");
580 : /* short policy with configured addresses */
581 1 : test_policy_summary_helper("reject 149.56.1.1:*,"
582 : "reject [2607:5300:1:1::1:0]:*,"
583 : "accept *:80,"
584 : "accept *:443,"
585 : "reject *:*",
586 : "accept 80,443");
587 : /* short policy with configured and local interface addresses */
588 1 : test_policy_summary_helper("reject 149.56.1.0:*,"
589 : "reject 149.56.1.1:*,"
590 : "reject 149.56.1.2:*,"
591 : "reject 149.56.1.3:*,"
592 : "reject 149.56.1.4:*,"
593 : "reject 149.56.1.5:*,"
594 : "reject 149.56.1.6:*,"
595 : "reject 149.56.1.7:*,"
596 : "reject [2607:5300:1:1::1:0]:*,"
597 : "reject [2607:5300:1:1::1:1]:*,"
598 : "reject [2607:5300:1:1::1:2]:*,"
599 : "reject [2607:5300:1:1::1:3]:*,"
600 : "reject [2607:5300:1:1::2:0]:*,"
601 : "reject [2607:5300:1:1::2:1]:*,"
602 : "reject [2607:5300:1:1::2:2]:*,"
603 : "reject [2607:5300:1:1::2:3]:*,"
604 : "accept *:80,"
605 : "accept *:443,"
606 : "reject *:*",
607 : "accept 80,443");
608 : /* short policy with configured netblocks */
609 1 : test_policy_summary_helper("reject 149.56.0.0/16,"
610 : "reject6 2607:5300::/32,"
611 : "reject6 2608:5300::/64,"
612 : "reject6 2609:5300::/96,"
613 : "accept *:80,"
614 : "accept *:443,"
615 : "reject *:*",
616 : "accept 80,443");
617 : /* short policy with large netblocks that do not count as a rejection */
618 1 : test_policy_summary_helper("reject 148.0.0.0/7,"
619 : "reject6 2600::/16,"
620 : "accept *:80,"
621 : "accept *:443,"
622 : "reject *:*",
623 : "accept 80,443");
624 : /* short policy with large netblocks that count as a rejection */
625 1 : test_policy_summary_helper("reject 148.0.0.0/6,"
626 : "reject6 2600::/15,"
627 : "accept *:80,"
628 : "accept *:443,"
629 : "reject *:*",
630 : "reject 1-65535");
631 : /* short policy with huge netblocks that count as a rejection */
632 1 : test_policy_summary_helper("reject 128.0.0.0/1,"
633 : "reject6 8000::/1,"
634 : "accept *:80,"
635 : "accept *:443,"
636 : "reject *:*",
637 : "reject 1-65535");
638 : /* short policy which blocks everything using netblocks */
639 1 : test_policy_summary_helper("reject 0.0.0.0/0,"
640 : "reject6 ::/0,"
641 : "accept *:80,"
642 : "accept *:443,"
643 : "reject *:*",
644 : "reject 1-65535");
645 : /* short policy which has repeated redundant netblocks */
646 1 : test_policy_summary_helper("reject 0.0.0.0/0,"
647 : "reject 0.0.0.0/0,"
648 : "reject 0.0.0.0/0,"
649 : "reject 0.0.0.0/0,"
650 : "reject 0.0.0.0/0,"
651 : "reject6 ::/0,"
652 : "reject6 ::/0,"
653 : "reject6 ::/0,"
654 : "reject6 ::/0,"
655 : "reject6 ::/0,"
656 : "accept *:80,"
657 : "accept *:443,"
658 : "reject *:*",
659 : "reject 1-65535");
660 :
661 : /* longest possible policy
662 : * (1-2,4-5,... is longer, but gets reduced to 3,6,... )
663 : * Going all the way to 65535 is incredibly slow, so we just go slightly
664 : * more than the expected length */
665 1 : test_policy_summary_helper("accept *:1,"
666 : "accept *:3,"
667 : "accept *:5,"
668 : "accept *:7,"
669 : "accept *:9,"
670 : "accept *:11,"
671 : "accept *:13,"
672 : "accept *:15,"
673 : "accept *:17,"
674 : "accept *:19,"
675 : "accept *:21,"
676 : "accept *:23,"
677 : "accept *:25,"
678 : "accept *:27,"
679 : "accept *:29,"
680 : "accept *:31,"
681 : "accept *:33,"
682 : "accept *:35,"
683 : "accept *:37,"
684 : "accept *:39,"
685 : "accept *:41,"
686 : "accept *:43,"
687 : "accept *:45,"
688 : "accept *:47,"
689 : "accept *:49,"
690 : "accept *:51,"
691 : "accept *:53,"
692 : "accept *:55,"
693 : "accept *:57,"
694 : "accept *:59,"
695 : "accept *:61,"
696 : "accept *:63,"
697 : "accept *:65,"
698 : "accept *:67,"
699 : "accept *:69,"
700 : "accept *:71,"
701 : "accept *:73,"
702 : "accept *:75,"
703 : "accept *:77,"
704 : "accept *:79,"
705 : "accept *:81,"
706 : "accept *:83,"
707 : "accept *:85,"
708 : "accept *:87,"
709 : "accept *:89,"
710 : "accept *:91,"
711 : "accept *:93,"
712 : "accept *:95,"
713 : "accept *:97,"
714 : "accept *:99,"
715 : "accept *:101,"
716 : "accept *:103,"
717 : "accept *:105,"
718 : "accept *:107,"
719 : "accept *:109,"
720 : "accept *:111,"
721 : "accept *:113,"
722 : "accept *:115,"
723 : "accept *:117,"
724 : "accept *:119,"
725 : "accept *:121,"
726 : "accept *:123,"
727 : "accept *:125,"
728 : "accept *:127,"
729 : "accept *:129,"
730 : "accept *:131,"
731 : "accept *:133,"
732 : "accept *:135,"
733 : "accept *:137,"
734 : "accept *:139,"
735 : "accept *:141,"
736 : "accept *:143,"
737 : "accept *:145,"
738 : "accept *:147,"
739 : "accept *:149,"
740 : "accept *:151,"
741 : "accept *:153,"
742 : "accept *:155,"
743 : "accept *:157,"
744 : "accept *:159,"
745 : "accept *:161,"
746 : "accept *:163,"
747 : "accept *:165,"
748 : "accept *:167,"
749 : "accept *:169,"
750 : "accept *:171,"
751 : "accept *:173,"
752 : "accept *:175,"
753 : "accept *:177,"
754 : "accept *:179,"
755 : "accept *:181,"
756 : "accept *:183,"
757 : "accept *:185,"
758 : "accept *:187,"
759 : "accept *:189,"
760 : "accept *:191,"
761 : "accept *:193,"
762 : "accept *:195,"
763 : "accept *:197,"
764 : "accept *:199,"
765 : "accept *:201,"
766 : "accept *:203,"
767 : "accept *:205,"
768 : "accept *:207,"
769 : "accept *:209,"
770 : "accept *:211,"
771 : "accept *:213,"
772 : "accept *:215,"
773 : "accept *:217,"
774 : "accept *:219,"
775 : "accept *:221,"
776 : "accept *:223,"
777 : "accept *:225,"
778 : "accept *:227,"
779 : "accept *:229,"
780 : "accept *:231,"
781 : "accept *:233,"
782 : "accept *:235,"
783 : "accept *:237,"
784 : "accept *:239,"
785 : "accept *:241,"
786 : "accept *:243,"
787 : "accept *:245,"
788 : "accept *:247,"
789 : "accept *:249,"
790 : "accept *:251,"
791 : "accept *:253,"
792 : "accept *:255,"
793 : "accept *:257,"
794 : "accept *:259,"
795 : "accept *:261,"
796 : "accept *:263,"
797 : "accept *:265,"
798 : "accept *:267,"
799 : "accept *:269,"
800 : "accept *:271,"
801 : "accept *:273,"
802 : "accept *:275,"
803 : "accept *:277,"
804 : "accept *:279,"
805 : "accept *:281,"
806 : "accept *:283,"
807 : "accept *:285,"
808 : "accept *:287,"
809 : "accept *:289,"
810 : "accept *:291,"
811 : "accept *:293,"
812 : "accept *:295,"
813 : "accept *:297,"
814 : "accept *:299,"
815 : "accept *:301,"
816 : "accept *:303,"
817 : "accept *:305,"
818 : "accept *:307,"
819 : "accept *:309,"
820 : "accept *:311,"
821 : "accept *:313,"
822 : "accept *:315,"
823 : "accept *:317,"
824 : "accept *:319,"
825 : "accept *:321,"
826 : "accept *:323,"
827 : "accept *:325,"
828 : "accept *:327,"
829 : "accept *:329,"
830 : "accept *:331,"
831 : "accept *:333,"
832 : "accept *:335,"
833 : "accept *:337,"
834 : "accept *:339,"
835 : "accept *:341,"
836 : "accept *:343,"
837 : "accept *:345,"
838 : "accept *:347,"
839 : "accept *:349,"
840 : "accept *:351,"
841 : "accept *:353,"
842 : "accept *:355,"
843 : "accept *:357,"
844 : "accept *:359,"
845 : "accept *:361,"
846 : "accept *:363,"
847 : "accept *:365,"
848 : "accept *:367,"
849 : "accept *:369,"
850 : "accept *:371,"
851 : "accept *:373,"
852 : "accept *:375,"
853 : "accept *:377,"
854 : "accept *:379,"
855 : "accept *:381,"
856 : "accept *:383,"
857 : "accept *:385,"
858 : "accept *:387,"
859 : "accept *:389,"
860 : "accept *:391,"
861 : "accept *:393,"
862 : "accept *:395,"
863 : "accept *:397,"
864 : "accept *:399,"
865 : "accept *:401,"
866 : "accept *:403,"
867 : "accept *:405,"
868 : "accept *:407,"
869 : "accept *:409,"
870 : "accept *:411,"
871 : "accept *:413,"
872 : "accept *:415,"
873 : "accept *:417,"
874 : "accept *:419,"
875 : "accept *:421,"
876 : "accept *:423,"
877 : "accept *:425,"
878 : "accept *:427,"
879 : "accept *:429,"
880 : "accept *:431,"
881 : "accept *:433,"
882 : "accept *:435,"
883 : "accept *:437,"
884 : "accept *:439,"
885 : "accept *:441,"
886 : "accept *:443,"
887 : "accept *:445,"
888 : "accept *:447,"
889 : "accept *:449,"
890 : "accept *:451,"
891 : "accept *:453,"
892 : "accept *:455,"
893 : "accept *:457,"
894 : "accept *:459,"
895 : "accept *:461,"
896 : "accept *:463,"
897 : "accept *:465,"
898 : "accept *:467,"
899 : "accept *:469,"
900 : "accept *:471,"
901 : "accept *:473,"
902 : "accept *:475,"
903 : "accept *:477,"
904 : "accept *:479,"
905 : "accept *:481,"
906 : "accept *:483,"
907 : "accept *:485,"
908 : "accept *:487,"
909 : "accept *:489,"
910 : "accept *:491,"
911 : "accept *:493,"
912 : "accept *:495,"
913 : "accept *:497,"
914 : "accept *:499,"
915 : "accept *:501,"
916 : "accept *:503,"
917 : "accept *:505,"
918 : "accept *:507,"
919 : "accept *:509,"
920 : "accept *:511,"
921 : "accept *:513,"
922 : "accept *:515,"
923 : "accept *:517,"
924 : "accept *:519,"
925 : "accept *:521,"
926 : "accept *:523,"
927 : "accept *:525,"
928 : "accept *:527,"
929 : "accept *:529,"
930 : "reject *:*",
931 : "accept 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,"
932 : "31,33,35,37,39,41,43,45,47,49,51,53,55,57,59,61,"
933 : "63,65,67,69,71,73,75,77,79,81,83,85,87,89,91,93,"
934 : "95,97,99,101,103,105,107,109,111,113,115,117,"
935 : "119,121,123,125,127,129,131,133,135,137,139,141,"
936 : "143,145,147,149,151,153,155,157,159,161,163,165,"
937 : "167,169,171,173,175,177,179,181,183,185,187,189,"
938 : "191,193,195,197,199,201,203,205,207,209,211,213,"
939 : "215,217,219,221,223,225,227,229,231,233,235,237,"
940 : "239,241,243,245,247,249,251,253,255,257,259,261,"
941 : "263,265,267,269,271,273,275,277,279,281,283,285,"
942 : "287,289,291,293,295,297,299,301,303,305,307,309,"
943 : "311,313,315,317,319,321,323,325,327,329,331,333,"
944 : "335,337,339,341,343,345,347,349,351,353,355,357,"
945 : "359,361,363,365,367,369,371,373,375,377,379,381,"
946 : "383,385,387,389,391,393,395,397,399,401,403,405,"
947 : "407,409,411,413,415,417,419,421,423,425,427,429,"
948 : "431,433,435,437,439,441,443,445,447,449,451,453,"
949 : "455,457,459,461,463,465,467,469,471,473,475,477,"
950 : "479,481,483,485,487,489,491,493,495,497,499,501,"
951 : "503,505,507,509,511,513,515,517,519,521,523");
952 :
953 : /* Short policies with unrecognized formats should get accepted. */
954 1 : test_short_policy_parse("accept fred,2,3-5", "accept 2,3-5");
955 1 : test_short_policy_parse("accept 2,fred,3", "accept 2,3");
956 1 : test_short_policy_parse("accept 2,fred,3,bob", "accept 2,3");
957 1 : test_short_policy_parse("accept 2,-3,500-600", "accept 2,500-600");
958 : /* Short policies with nil entries are accepted too. */
959 1 : test_short_policy_parse("accept 1,,3", "accept 1,3");
960 1 : test_short_policy_parse("accept 100-200,,", "accept 100-200");
961 1 : test_short_policy_parse("reject ,1-10,,,,30-40", "reject 1-10,30-40");
962 :
963 : /* Try parsing various broken short policies */
964 : #define TT_BAD_SHORT_POLICY(s) \
965 : do { \
966 : tt_ptr_op(NULL, OP_EQ, (short_parsed = parse_short_policy((s)))); \
967 : } while (0)
968 1 : TT_BAD_SHORT_POLICY("accept 200-199");
969 1 : TT_BAD_SHORT_POLICY("");
970 1 : TT_BAD_SHORT_POLICY("rejekt 1,2,3");
971 1 : TT_BAD_SHORT_POLICY("reject ");
972 1 : TT_BAD_SHORT_POLICY("reject");
973 1 : TT_BAD_SHORT_POLICY("rej");
974 1 : TT_BAD_SHORT_POLICY("accept 2,3,100000");
975 1 : TT_BAD_SHORT_POLICY("accept 2,3x,4");
976 1 : TT_BAD_SHORT_POLICY("accept 2,3x,4");
977 1 : TT_BAD_SHORT_POLICY("accept 2-");
978 1 : TT_BAD_SHORT_POLICY("accept 2-x");
979 1 : TT_BAD_SHORT_POLICY("accept 1-,3");
980 1 : TT_BAD_SHORT_POLICY("accept 1-,3");
981 :
982 : /* Make sure that IPv4 addresses are ignored in accept6/reject6 lines. */
983 1 : p = router_parse_addr_policy_item_from_string("accept6 1.2.3.4:*", -1,
984 : &malformed_list);
985 1 : tt_ptr_op(p, OP_EQ, NULL);
986 1 : tt_assert(!malformed_list);
987 :
988 1 : p = router_parse_addr_policy_item_from_string("reject6 2.4.6.0/24:*", -1,
989 : &malformed_list);
990 1 : tt_ptr_op(p, OP_EQ, NULL);
991 1 : tt_assert(!malformed_list);
992 :
993 1 : p = router_parse_addr_policy_item_from_string("accept6 *4:*", -1,
994 : &malformed_list);
995 1 : tt_ptr_op(p, OP_EQ, NULL);
996 1 : tt_assert(!malformed_list);
997 :
998 : /* Make sure malformed policies are detected as such. */
999 1 : p = router_parse_addr_policy_item_from_string("bad_token *4:*", -1,
1000 : &malformed_list);
1001 1 : tt_ptr_op(p, OP_EQ, NULL);
1002 1 : tt_assert(malformed_list);
1003 :
1004 1 : p = router_parse_addr_policy_item_from_string("accept6 **:*", -1,
1005 : &malformed_list);
1006 1 : tt_ptr_op(p, OP_EQ, NULL);
1007 1 : tt_assert(malformed_list);
1008 :
1009 1 : p = router_parse_addr_policy_item_from_string("accept */15:*", -1,
1010 : &malformed_list);
1011 1 : tt_ptr_op(p, OP_EQ, NULL);
1012 1 : tt_assert(malformed_list);
1013 :
1014 1 : p = router_parse_addr_policy_item_from_string("reject6 */:*", -1,
1015 : &malformed_list);
1016 1 : tt_ptr_op(p, OP_EQ, NULL);
1017 1 : tt_assert(malformed_list);
1018 :
1019 1 : p = router_parse_addr_policy_item_from_string("accept 127.0.0.1/33:*", -1,
1020 : &malformed_list);
1021 1 : tt_ptr_op(p, OP_EQ, NULL);
1022 1 : tt_assert(malformed_list);
1023 :
1024 1 : p = router_parse_addr_policy_item_from_string("accept6 [::1]/129:*", -1,
1025 : &malformed_list);
1026 1 : tt_ptr_op(p, OP_EQ, NULL);
1027 1 : tt_assert(malformed_list);
1028 :
1029 1 : p = router_parse_addr_policy_item_from_string("reject 8.8.8.8/-1:*", -1,
1030 : &malformed_list);
1031 1 : tt_ptr_op(p, OP_EQ, NULL);
1032 1 : tt_assert(malformed_list);
1033 :
1034 1 : p = router_parse_addr_policy_item_from_string("reject 8.8.4.4:10-5", -1,
1035 : &malformed_list);
1036 1 : tt_ptr_op(p, OP_EQ, NULL);
1037 1 : tt_assert(malformed_list);
1038 :
1039 1 : p = router_parse_addr_policy_item_from_string("reject 1.2.3.4:-1", -1,
1040 : &malformed_list);
1041 1 : tt_ptr_op(p, OP_EQ, NULL);
1042 1 : tt_assert(malformed_list);
1043 :
1044 : /* Test a too-long policy. */
1045 : {
1046 1 : char *policy_strng = NULL;
1047 1 : smartlist_t *chunks = smartlist_new();
1048 1 : smartlist_add_strdup(chunks, "accept ");
1049 10001 : for (i=1; i<10000; ++i)
1050 9999 : smartlist_add_asprintf(chunks, "%d,", i);
1051 1 : smartlist_add_strdup(chunks, "20000");
1052 1 : policy_strng = smartlist_join_strings(chunks, "", 0, NULL);
1053 10002 : SMARTLIST_FOREACH(chunks, char *, ch, tor_free(ch));
1054 1 : smartlist_free(chunks);
1055 1 : short_parsed = parse_short_policy(policy_strng);/* shouldn't be accepted */
1056 1 : tor_free(policy_strng);
1057 1 : tt_ptr_op(NULL, OP_EQ, short_parsed);
1058 : }
1059 :
1060 : /* truncation ports */
1061 1 : sm = smartlist_new();
1062 1002 : for (i=1; i<2000; i+=2) {
1063 1000 : char buf[POLICY_BUF_LEN];
1064 1000 : tor_snprintf(buf, sizeof(buf), "reject *:%d", i);
1065 1000 : smartlist_add_strdup(sm, buf);
1066 : }
1067 1 : smartlist_add_strdup(sm, "accept *:*");
1068 1 : policy_str = smartlist_join_strings(sm, ",", 0, NULL);
1069 1 : test_policy_summary_helper( policy_str,
1070 : "accept 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,"
1071 : "46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78,80,82,84,86,88,90,"
1072 : "92,94,96,98,100,102,104,106,108,110,112,114,116,118,120,122,124,126,128,"
1073 : "130,132,134,136,138,140,142,144,146,148,150,152,154,156,158,160,162,164,"
1074 : "166,168,170,172,174,176,178,180,182,184,186,188,190,192,194,196,198,200,"
1075 : "202,204,206,208,210,212,214,216,218,220,222,224,226,228,230,232,234,236,"
1076 : "238,240,242,244,246,248,250,252,254,256,258,260,262,264,266,268,270,272,"
1077 : "274,276,278,280,282,284,286,288,290,292,294,296,298,300,302,304,306,308,"
1078 : "310,312,314,316,318,320,322,324,326,328,330,332,334,336,338,340,342,344,"
1079 : "346,348,350,352,354,356,358,360,362,364,366,368,370,372,374,376,378,380,"
1080 : "382,384,386,388,390,392,394,396,398,400,402,404,406,408,410,412,414,416,"
1081 : "418,420,422,424,426,428,430,432,434,436,438,440,442,444,446,448,450,452,"
1082 : "454,456,458,460,462,464,466,468,470,472,474,476,478,480,482,484,486,488,"
1083 : "490,492,494,496,498,500,502,504,506,508,510,512,514,516,518,520,522");
1084 :
1085 1 : done:
1086 1 : addr_policy_list_free(policy);
1087 1 : addr_policy_list_free(policy2);
1088 1 : addr_policy_list_free(policy3);
1089 1 : addr_policy_list_free(policy4);
1090 1 : addr_policy_list_free(policy5);
1091 1 : addr_policy_list_free(policy6);
1092 1 : addr_policy_list_free(policy7);
1093 1 : addr_policy_list_free(policy8);
1094 1 : addr_policy_list_free(policy9);
1095 1 : addr_policy_list_free(policy10);
1096 1 : addr_policy_list_free(policy11);
1097 1 : addr_policy_list_free(policy12);
1098 1 : tor_free(policy_str);
1099 1 : if (sm) {
1100 1002 : SMARTLIST_FOREACH(sm, char *, s, tor_free(s));
1101 1 : smartlist_free(sm);
1102 : }
1103 1 : short_policy_free(short_parsed);
1104 1 : }
1105 :
1106 : /** Helper: Check that policy_list contains address */
1107 : static int
1108 12 : test_policy_has_address_helper(const smartlist_t *policy_list,
1109 : const tor_addr_t *addr)
1110 : {
1111 12 : int found = 0;
1112 :
1113 12 : tt_assert(policy_list);
1114 12 : tt_assert(addr);
1115 :
1116 30 : SMARTLIST_FOREACH_BEGIN(policy_list, addr_policy_t*, p) {
1117 18 : if (tor_addr_eq(&p->addr, addr)) {
1118 12 : found = 1;
1119 : }
1120 18 : } SMARTLIST_FOREACH_END(p);
1121 :
1122 : return found;
1123 :
1124 : done:
1125 : return 0;
1126 : }
1127 :
1128 : #define TEST_IPV4_ADDR ("1.2.3.4")
1129 : #define TEST_IPV6_ADDR ("2002::abcd")
1130 :
1131 : /** Run unit tests for rejecting the configured addresses on this exit relay
1132 : * using policies_parse_exit_policy_reject_private */
1133 : static void
1134 1 : test_policies_reject_exit_address(void *arg)
1135 : {
1136 1 : smartlist_t *policy = NULL;
1137 1 : tor_addr_t ipv4_addr, ipv6_addr;
1138 1 : smartlist_t *ipv4_list, *ipv6_list, *both_list, *dupl_list;
1139 1 : (void)arg;
1140 :
1141 1 : tor_addr_parse(&ipv4_addr, TEST_IPV4_ADDR);
1142 1 : tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR);
1143 :
1144 1 : ipv4_list = smartlist_new();
1145 1 : ipv6_list = smartlist_new();
1146 1 : both_list = smartlist_new();
1147 1 : dupl_list = smartlist_new();
1148 :
1149 1 : smartlist_add(ipv4_list, &ipv4_addr);
1150 1 : smartlist_add(both_list, &ipv4_addr);
1151 1 : smartlist_add(dupl_list, &ipv4_addr);
1152 1 : smartlist_add(dupl_list, &ipv4_addr);
1153 1 : smartlist_add(dupl_list, &ipv4_addr);
1154 :
1155 1 : smartlist_add(ipv6_list, &ipv6_addr);
1156 1 : smartlist_add(both_list, &ipv6_addr);
1157 1 : smartlist_add(dupl_list, &ipv6_addr);
1158 1 : smartlist_add(dupl_list, &ipv6_addr);
1159 :
1160 : /* IPv4-Only Exits */
1161 :
1162 : /* test that IPv4 addresses are rejected on an IPv4-only exit */
1163 1 : policies_parse_exit_policy_reject_private(&policy, 0, ipv4_list, 0, 0);
1164 1 : tt_assert(policy);
1165 1 : tt_int_op(smartlist_len(policy), OP_EQ, 1);
1166 1 : tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1167 1 : addr_policy_list_free(policy);
1168 1 : policy = NULL;
1169 :
1170 : /* test that IPv6 addresses are NOT rejected on an IPv4-only exit
1171 : * (all IPv6 addresses are rejected by policies_parse_exit_policy_internal
1172 : * on IPv4-only exits, so policies_parse_exit_policy_reject_private doesn't
1173 : * need to do anything) */
1174 1 : policies_parse_exit_policy_reject_private(&policy, 0, ipv6_list, 0, 0);
1175 1 : tt_ptr_op(policy, OP_EQ, NULL);
1176 :
1177 : /* test that only IPv4 addresses are rejected on an IPv4-only exit */
1178 1 : policies_parse_exit_policy_reject_private(&policy, 0, both_list, 0, 0);
1179 1 : tt_assert(policy);
1180 1 : tt_int_op(smartlist_len(policy), OP_EQ, 1);
1181 1 : tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1182 1 : addr_policy_list_free(policy);
1183 1 : policy = NULL;
1184 :
1185 : /* Test that lists with duplicate entries produce the same results */
1186 1 : policies_parse_exit_policy_reject_private(&policy, 0, dupl_list, 0, 0);
1187 1 : tt_assert(policy);
1188 1 : tt_int_op(smartlist_len(policy), OP_EQ, 1);
1189 1 : tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1190 1 : addr_policy_list_free(policy);
1191 1 : policy = NULL;
1192 :
1193 : /* IPv4/IPv6 Exits */
1194 :
1195 : /* test that IPv4 addresses are rejected on an IPv4/IPv6 exit */
1196 1 : policies_parse_exit_policy_reject_private(&policy, 1, ipv4_list, 0, 0);
1197 1 : tt_assert(policy);
1198 1 : tt_int_op(smartlist_len(policy), OP_EQ, 1);
1199 1 : tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1200 1 : addr_policy_list_free(policy);
1201 1 : policy = NULL;
1202 :
1203 : /* test that IPv6 addresses are rejected on an IPv4/IPv6 exit */
1204 1 : policies_parse_exit_policy_reject_private(&policy, 1, ipv6_list, 0, 0);
1205 1 : tt_assert(policy);
1206 1 : tt_int_op(smartlist_len(policy), OP_EQ, 1);
1207 1 : tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
1208 1 : addr_policy_list_free(policy);
1209 1 : policy = NULL;
1210 :
1211 : /* test that IPv4 and IPv6 addresses are rejected on an IPv4/IPv6 exit */
1212 1 : policies_parse_exit_policy_reject_private(&policy, 1, both_list, 0, 0);
1213 1 : tt_assert(policy);
1214 1 : tt_int_op(smartlist_len(policy), OP_EQ, 2);
1215 1 : tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1216 1 : tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
1217 1 : addr_policy_list_free(policy);
1218 1 : policy = NULL;
1219 :
1220 : /* Test that lists with duplicate entries produce the same results */
1221 1 : policies_parse_exit_policy_reject_private(&policy, 1, dupl_list, 0, 0);
1222 1 : tt_assert(policy);
1223 1 : tt_int_op(smartlist_len(policy), OP_EQ, 2);
1224 1 : tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1225 1 : tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
1226 1 : addr_policy_list_free(policy);
1227 1 : policy = NULL;
1228 :
1229 1 : done:
1230 1 : addr_policy_list_free(policy);
1231 1 : smartlist_free(ipv4_list);
1232 1 : smartlist_free(ipv6_list);
1233 1 : smartlist_free(both_list);
1234 1 : smartlist_free(dupl_list);
1235 1 : }
1236 :
1237 : static smartlist_t *test_configured_ports = NULL;
1238 :
1239 : /** Returns test_configured_ports */
1240 : static const smartlist_t *
1241 2 : mock_get_configured_ports(void)
1242 : {
1243 2 : return test_configured_ports;
1244 : }
1245 :
1246 : /** Run unit tests for rejecting publicly routable configured port addresses
1247 : * on this exit relay using policies_parse_exit_policy_reject_private */
1248 : static void
1249 1 : test_policies_reject_port_address(void *arg)
1250 : {
1251 1 : smartlist_t *policy = NULL;
1252 1 : port_cfg_t *ipv4_port = NULL;
1253 1 : port_cfg_t *ipv6_port = NULL;
1254 1 : (void)arg;
1255 :
1256 1 : test_configured_ports = smartlist_new();
1257 :
1258 1 : ipv4_port = port_cfg_new(0);
1259 1 : tor_addr_parse(&ipv4_port->addr, TEST_IPV4_ADDR);
1260 1 : smartlist_add(test_configured_ports, ipv4_port);
1261 :
1262 1 : ipv6_port = port_cfg_new(0);
1263 1 : tor_addr_parse(&ipv6_port->addr, TEST_IPV6_ADDR);
1264 1 : smartlist_add(test_configured_ports, ipv6_port);
1265 :
1266 1 : MOCK(get_configured_ports, mock_get_configured_ports);
1267 :
1268 : /* test that an IPv4 port is rejected on an IPv4-only exit, but an IPv6 port
1269 : * is NOT rejected (all IPv6 addresses are rejected by
1270 : * policies_parse_exit_policy_internal on IPv4-only exits, so
1271 : * policies_parse_exit_policy_reject_private doesn't need to do anything
1272 : * with IPv6 addresses on IPv4-only exits) */
1273 1 : policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 1);
1274 1 : tt_assert(policy);
1275 1 : tt_int_op(smartlist_len(policy), OP_EQ, 1);
1276 1 : tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr));
1277 1 : addr_policy_list_free(policy);
1278 1 : policy = NULL;
1279 :
1280 : /* test that IPv4 and IPv6 ports are rejected on an IPv4/IPv6 exit */
1281 1 : policies_parse_exit_policy_reject_private(&policy, 1, NULL, 0, 1);
1282 1 : tt_assert(policy);
1283 1 : tt_int_op(smartlist_len(policy), OP_EQ, 2);
1284 1 : tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr));
1285 1 : tt_assert(test_policy_has_address_helper(policy, &ipv6_port->addr));
1286 1 : addr_policy_list_free(policy);
1287 1 : policy = NULL;
1288 :
1289 1 : done:
1290 1 : addr_policy_list_free(policy);
1291 1 : if (test_configured_ports) {
1292 3 : SMARTLIST_FOREACH(test_configured_ports,
1293 : port_cfg_t *, p, port_cfg_free(p));
1294 1 : smartlist_free(test_configured_ports);
1295 1 : test_configured_ports = NULL;
1296 : }
1297 1 : UNMOCK(get_configured_ports);
1298 1 : }
1299 :
1300 : static smartlist_t *mock_ipv4_addrs = NULL;
1301 : static smartlist_t *mock_ipv6_addrs = NULL;
1302 :
1303 : /* mock get_interface_address6_list, returning a deep copy of the template
1304 : * address list ipv4_interface_address_list or ipv6_interface_address_list */
1305 : static smartlist_t *
1306 3 : mock_get_interface_address6_list(int severity,
1307 : sa_family_t family,
1308 : int include_internal)
1309 : {
1310 3 : (void)severity;
1311 3 : (void)include_internal;
1312 3 : smartlist_t *clone_list = smartlist_new();
1313 3 : smartlist_t *template_list = NULL;
1314 :
1315 3 : if (family == AF_INET) {
1316 2 : template_list = mock_ipv4_addrs;
1317 1 : } else if (family == AF_INET6) {
1318 1 : template_list = mock_ipv6_addrs;
1319 : } else {
1320 : return NULL;
1321 : }
1322 :
1323 3 : tt_assert(template_list);
1324 :
1325 6 : SMARTLIST_FOREACH_BEGIN(template_list, tor_addr_t *, src_addr) {
1326 3 : tor_addr_t *dest_addr = tor_malloc(sizeof(tor_addr_t));
1327 3 : memset(dest_addr, 0, sizeof(*dest_addr));
1328 3 : tor_addr_copy_tight(dest_addr, src_addr);
1329 3 : smartlist_add(clone_list, dest_addr);
1330 3 : } SMARTLIST_FOREACH_END(src_addr);
1331 :
1332 : return clone_list;
1333 :
1334 0 : done:
1335 0 : interface_address6_list_free(clone_list);
1336 0 : return NULL;
1337 : }
1338 :
1339 : /** Run unit tests for rejecting publicly routable interface addresses on this
1340 : * exit relay using policies_parse_exit_policy_reject_private */
1341 : static void
1342 1 : test_policies_reject_interface_address(void *arg)
1343 : {
1344 1 : smartlist_t *policy = NULL;
1345 2 : smartlist_t *public_ipv4_addrs =
1346 1 : get_interface_address6_list(LOG_INFO, AF_INET, 0);
1347 2 : smartlist_t *public_ipv6_addrs =
1348 1 : get_interface_address6_list(LOG_INFO, AF_INET6, 0);
1349 1 : tor_addr_t ipv4_addr, ipv6_addr;
1350 1 : (void)arg;
1351 :
1352 : /* test that no addresses are rejected when none are supplied/requested */
1353 1 : policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 0);
1354 1 : tt_ptr_op(policy, OP_EQ, NULL);
1355 :
1356 : /* test that only IPv4 interface addresses are rejected on an IPv4-only exit
1357 : * (and allow for duplicates)
1358 : */
1359 1 : policies_parse_exit_policy_reject_private(&policy, 0, NULL, 1, 0);
1360 1 : if (policy) {
1361 0 : tt_assert(smartlist_len(policy) <= smartlist_len(public_ipv4_addrs));
1362 0 : addr_policy_list_free(policy);
1363 0 : policy = NULL;
1364 : }
1365 :
1366 : /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
1367 : * exit (and allow for duplicates) */
1368 1 : policies_parse_exit_policy_reject_private(&policy, 1, NULL, 1, 0);
1369 1 : if (policy) {
1370 0 : tt_assert(smartlist_len(policy) <= (smartlist_len(public_ipv4_addrs)
1371 : + smartlist_len(public_ipv6_addrs)));
1372 0 : addr_policy_list_free(policy);
1373 0 : policy = NULL;
1374 : }
1375 :
1376 : /* Now do it all again, but mocked */
1377 1 : tor_addr_parse(&ipv4_addr, TEST_IPV4_ADDR);
1378 1 : mock_ipv4_addrs = smartlist_new();
1379 1 : smartlist_add(mock_ipv4_addrs, (void *)&ipv4_addr);
1380 :
1381 1 : tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR);
1382 1 : mock_ipv6_addrs = smartlist_new();
1383 1 : smartlist_add(mock_ipv6_addrs, (void *)&ipv6_addr);
1384 :
1385 1 : MOCK(get_interface_address6_list, mock_get_interface_address6_list);
1386 :
1387 : /* test that no addresses are rejected when none are supplied/requested */
1388 1 : policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 0);
1389 1 : tt_ptr_op(policy, OP_EQ, NULL);
1390 :
1391 : /* test that only IPv4 interface addresses are rejected on an IPv4-only exit
1392 : */
1393 1 : policies_parse_exit_policy_reject_private(&policy, 0, NULL, 1, 0);
1394 1 : tt_assert(policy);
1395 1 : tt_assert(smartlist_len(policy) == smartlist_len(mock_ipv4_addrs));
1396 1 : addr_policy_list_free(policy);
1397 1 : policy = NULL;
1398 :
1399 : /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
1400 : * exit */
1401 1 : policies_parse_exit_policy_reject_private(&policy, 1, NULL, 1, 0);
1402 1 : tt_assert(policy);
1403 1 : tt_assert(smartlist_len(policy) == (smartlist_len(mock_ipv4_addrs)
1404 : + smartlist_len(mock_ipv6_addrs)));
1405 1 : addr_policy_list_free(policy);
1406 1 : policy = NULL;
1407 :
1408 1 : done:
1409 1 : addr_policy_list_free(policy);
1410 1 : interface_address6_list_free(public_ipv4_addrs);
1411 1 : interface_address6_list_free(public_ipv6_addrs);
1412 :
1413 1 : UNMOCK(get_interface_address6_list);
1414 : /* we don't use interface_address6_list_free on these lists because their
1415 : * address pointers are stack-based */
1416 1 : smartlist_free(mock_ipv4_addrs);
1417 1 : smartlist_free(mock_ipv6_addrs);
1418 1 : }
1419 :
1420 : #undef TEST_IPV4_ADDR
1421 : #undef TEST_IPV6_ADDR
1422 :
1423 : static void
1424 1 : test_dump_exit_policy_to_string(void *arg)
1425 : {
1426 1 : char *ep;
1427 1 : addr_policy_t *policy_entry;
1428 1 : int malformed_list = -1;
1429 :
1430 1 : routerinfo_t *ri = tor_malloc_zero(sizeof(routerinfo_t));
1431 :
1432 1 : (void)arg;
1433 :
1434 1 : ri->policy_is_reject_star = 1;
1435 1 : ri->exit_policy = NULL; // expecting "reject *:*"
1436 1 : ep = router_dump_exit_policy_to_string(ri,1,1);
1437 :
1438 1 : tt_str_op("reject *:*",OP_EQ, ep);
1439 :
1440 1 : tor_free(ep);
1441 :
1442 1 : ri->exit_policy = smartlist_new();
1443 1 : ri->policy_is_reject_star = 0;
1444 :
1445 1 : policy_entry = router_parse_addr_policy_item_from_string("accept *:*", -1,
1446 : &malformed_list);
1447 :
1448 1 : smartlist_add(ri->exit_policy,policy_entry);
1449 :
1450 1 : ep = router_dump_exit_policy_to_string(ri,1,1);
1451 :
1452 1 : tt_str_op("accept *:*",OP_EQ, ep);
1453 :
1454 1 : tor_free(ep);
1455 :
1456 1 : policy_entry = router_parse_addr_policy_item_from_string("reject *:25", -1,
1457 : &malformed_list);
1458 :
1459 1 : smartlist_add(ri->exit_policy,policy_entry);
1460 :
1461 1 : ep = router_dump_exit_policy_to_string(ri,1,1);
1462 :
1463 1 : tt_str_op("accept *:*\nreject *:25",OP_EQ, ep);
1464 :
1465 1 : tor_free(ep);
1466 :
1467 1 : policy_entry =
1468 1 : router_parse_addr_policy_item_from_string("reject 8.8.8.8:*", -1,
1469 : &malformed_list);
1470 :
1471 1 : smartlist_add(ri->exit_policy,policy_entry);
1472 :
1473 1 : ep = router_dump_exit_policy_to_string(ri,1,1);
1474 :
1475 1 : tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*",OP_EQ, ep);
1476 1 : tor_free(ep);
1477 :
1478 1 : policy_entry =
1479 1 : router_parse_addr_policy_item_from_string("reject6 [FC00::]/7:*", -1,
1480 : &malformed_list);
1481 :
1482 1 : smartlist_add(ri->exit_policy,policy_entry);
1483 :
1484 1 : ep = router_dump_exit_policy_to_string(ri,1,1);
1485 :
1486 1 : tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
1487 : "reject6 [fc00::]/7:*",OP_EQ, ep);
1488 1 : tor_free(ep);
1489 :
1490 1 : policy_entry =
1491 1 : router_parse_addr_policy_item_from_string("accept6 [c000::]/3:*", -1,
1492 : &malformed_list);
1493 :
1494 1 : smartlist_add(ri->exit_policy,policy_entry);
1495 :
1496 1 : ep = router_dump_exit_policy_to_string(ri,1,1);
1497 :
1498 1 : tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
1499 : "reject6 [fc00::]/7:*\naccept6 [c000::]/3:*",OP_EQ, ep);
1500 :
1501 1 : done:
1502 :
1503 1 : if (ri->exit_policy) {
1504 6 : SMARTLIST_FOREACH(ri->exit_policy, addr_policy_t *,
1505 : entry, addr_policy_free(entry));
1506 1 : smartlist_free(ri->exit_policy);
1507 : }
1508 1 : tor_free(ri);
1509 1 : tor_free(ep);
1510 1 : }
1511 :
1512 : static routerinfo_t *mock_desc_routerinfo = NULL;
1513 : static int routerinfo_err;
1514 :
1515 : static const routerinfo_t *
1516 17 : mock_router_get_my_routerinfo_with_err(int *err)
1517 : {
1518 17 : if (routerinfo_err) {
1519 6 : if (err)
1520 6 : *err = routerinfo_err;
1521 :
1522 6 : return NULL;
1523 : }
1524 :
1525 11 : if (err)
1526 11 : *err = 0;
1527 :
1528 11 : return mock_desc_routerinfo;
1529 : }
1530 :
1531 : #define DEFAULT_POLICY_STRING "reject *:*"
1532 : #define TEST_IPV4_ADDR ("2.4.6.8")
1533 : #define TEST_IPV6_ADDR ("2003::ef01")
1534 :
1535 : static or_options_t mock_options;
1536 :
1537 : static const or_options_t *
1538 530 : mock_get_options(void)
1539 : {
1540 530 : return &mock_options;
1541 : }
1542 :
1543 : /** Run unit tests for generating summary lines of exit policies */
1544 : static void
1545 1 : test_policies_getinfo_helper_policies(void *arg)
1546 : {
1547 1 : (void)arg;
1548 1 : int rv = 0;
1549 1 : size_t ipv4_len = 0, ipv6_len = 0;
1550 1 : char *answer = NULL;
1551 1 : const char *errmsg = NULL;
1552 1 : routerinfo_t mock_my_routerinfo;
1553 :
1554 1 : memset(&mock_my_routerinfo, 0, sizeof(mock_my_routerinfo));
1555 :
1556 1 : rv = getinfo_helper_policies(NULL, "exit-policy/default", &answer, &errmsg);
1557 1 : tt_int_op(rv, OP_EQ, 0);
1558 1 : tt_ptr_op(answer, OP_NE, NULL);
1559 1 : tt_assert(strlen(answer) > 0);
1560 1 : tor_free(answer);
1561 :
1562 1 : rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/default",
1563 : &answer, &errmsg);
1564 1 : tt_int_op(rv, OP_EQ, 0);
1565 1 : tt_ptr_op(answer, OP_NE, NULL);
1566 1 : tt_assert(strlen(answer) > 0);
1567 1 : tor_free(answer);
1568 :
1569 1 : memset(&mock_my_routerinfo, 0, sizeof(routerinfo_t));
1570 1 : MOCK(router_get_my_routerinfo_with_err,
1571 : mock_router_get_my_routerinfo_with_err);
1572 1 : mock_my_routerinfo.exit_policy = smartlist_new();
1573 1 : mock_desc_routerinfo = &mock_my_routerinfo;
1574 :
1575 1 : memset(&mock_options, 0, sizeof(or_options_t));
1576 1 : MOCK(get_options, mock_get_options);
1577 :
1578 1 : rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1579 : &answer, &errmsg);
1580 1 : tt_int_op(rv, OP_EQ, 0);
1581 1 : tt_ptr_op(answer, OP_NE, NULL);
1582 1 : tt_assert(strlen(answer) == 0);
1583 1 : tor_free(answer);
1584 :
1585 1 : rv = getinfo_helper_policies(NULL, "exit-policy/ipv4", &answer,
1586 : &errmsg);
1587 1 : tt_int_op(rv, OP_EQ, 0);
1588 1 : tt_ptr_op(answer, OP_NE, NULL);
1589 1 : ipv4_len = strlen(answer);
1590 1 : tt_assert(ipv4_len == 0 || ipv4_len == strlen(DEFAULT_POLICY_STRING));
1591 1 : tt_assert(ipv4_len == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
1592 1 : tor_free(answer);
1593 :
1594 1 : rv = getinfo_helper_policies(NULL, "exit-policy/ipv6", &answer,
1595 : &errmsg);
1596 1 : tt_int_op(rv, OP_EQ, 0);
1597 1 : tt_ptr_op(answer, OP_NE, NULL);
1598 1 : ipv6_len = strlen(answer);
1599 1 : tt_assert(ipv6_len == 0 || ipv6_len == strlen(DEFAULT_POLICY_STRING));
1600 1 : tt_assert(ipv6_len == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
1601 1 : tor_free(answer);
1602 :
1603 1 : rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1604 : &errmsg);
1605 1 : tt_int_op(rv, OP_EQ, 0);
1606 1 : tt_ptr_op(answer, OP_NE, NULL);
1607 : /* It's either empty or it's the default */
1608 1 : tt_assert(strlen(answer) == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
1609 1 : tor_free(answer);
1610 :
1611 1 : tor_addr_parse(&mock_my_routerinfo.ipv4_addr, TEST_IPV4_ADDR);
1612 1 : tor_addr_parse(&mock_my_routerinfo.ipv6_addr, TEST_IPV6_ADDR);
1613 1 : append_exit_policy_string(&mock_my_routerinfo.exit_policy, "accept *4:*");
1614 1 : append_exit_policy_string(&mock_my_routerinfo.exit_policy, "reject *6:*");
1615 :
1616 1 : mock_options.IPv6Exit = 1;
1617 1 : tor_addr_parse(
1618 : &mock_options.OutboundBindAddresses[OUTBOUND_ADDR_EXIT][0],
1619 : TEST_IPV4_ADDR);
1620 1 : tor_addr_parse(
1621 : &mock_options.OutboundBindAddresses[OUTBOUND_ADDR_EXIT][1],
1622 : TEST_IPV6_ADDR);
1623 :
1624 1 : mock_options.ExitPolicyRejectPrivate = 1;
1625 1 : mock_options.ExitPolicyRejectLocalInterfaces = 1;
1626 :
1627 1 : rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1628 : &answer, &errmsg);
1629 1 : tt_int_op(rv, OP_EQ, 0);
1630 1 : tt_ptr_op(answer, OP_NE, NULL);
1631 1 : tt_assert(strlen(answer) > 0);
1632 1 : tor_free(answer);
1633 :
1634 1 : mock_options.ExitPolicyRejectPrivate = 1;
1635 1 : mock_options.ExitPolicyRejectLocalInterfaces = 0;
1636 :
1637 1 : rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1638 : &answer, &errmsg);
1639 1 : tt_int_op(rv, OP_EQ, 0);
1640 1 : tt_ptr_op(answer, OP_NE, NULL);
1641 1 : tt_assert(strlen(answer) > 0);
1642 1 : tor_free(answer);
1643 :
1644 1 : mock_options.ExitPolicyRejectPrivate = 0;
1645 1 : mock_options.ExitPolicyRejectLocalInterfaces = 1;
1646 :
1647 1 : rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1648 : &answer, &errmsg);
1649 1 : tt_int_op(rv, OP_EQ, 0);
1650 1 : tt_ptr_op(answer, OP_NE, NULL);
1651 1 : tt_assert(strlen(answer) > 0);
1652 1 : tor_free(answer);
1653 :
1654 1 : mock_options.ExitPolicyRejectPrivate = 0;
1655 1 : mock_options.ExitPolicyRejectLocalInterfaces = 0;
1656 :
1657 1 : rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1658 : &answer, &errmsg);
1659 1 : tt_int_op(rv, OP_EQ, 0);
1660 1 : tt_ptr_op(answer, OP_NE, NULL);
1661 1 : tt_assert(strlen(answer) == 0);
1662 1 : tor_free(answer);
1663 :
1664 1 : rv = getinfo_helper_policies(NULL, "exit-policy/ipv4", &answer,
1665 : &errmsg);
1666 1 : tt_int_op(rv, OP_EQ, 0);
1667 1 : tt_ptr_op(answer, OP_NE, NULL);
1668 1 : ipv4_len = strlen(answer);
1669 1 : tt_assert(ipv4_len > 0);
1670 1 : tor_free(answer);
1671 :
1672 1 : rv = getinfo_helper_policies(NULL, "exit-policy/ipv6", &answer,
1673 : &errmsg);
1674 1 : tt_int_op(rv, OP_EQ, 0);
1675 1 : tt_ptr_op(answer, OP_NE, NULL);
1676 1 : ipv6_len = strlen(answer);
1677 1 : tt_assert(ipv6_len > 0);
1678 1 : tor_free(answer);
1679 :
1680 1 : rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1681 : &errmsg);
1682 1 : tt_int_op(rv, OP_EQ, 0);
1683 1 : tt_ptr_op(answer, OP_NE, NULL);
1684 1 : tt_assert(strlen(answer) > 0);
1685 1 : tt_assert(strlen(answer) == ipv4_len + ipv6_len + 1);
1686 1 : tor_free(answer);
1687 :
1688 1 : routerinfo_err = TOR_ROUTERINFO_ERROR_NO_EXT_ADDR;
1689 1 : rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1690 : &errmsg);
1691 1 : tt_int_op(rv, OP_EQ, -1);
1692 1 : tt_ptr_op(answer, OP_EQ, NULL);
1693 1 : tt_ptr_op(errmsg, OP_NE, NULL);
1694 1 : tt_str_op(errmsg, OP_EQ, "No known exit address yet");
1695 :
1696 1 : routerinfo_err = TOR_ROUTERINFO_ERROR_CANNOT_PARSE;
1697 1 : rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1698 : &errmsg);
1699 1 : tt_int_op(rv, OP_EQ, -1);
1700 1 : tt_ptr_op(answer, OP_EQ, NULL);
1701 1 : tt_ptr_op(errmsg, OP_NE, NULL);
1702 1 : tt_str_op(errmsg, OP_EQ, "Cannot parse descriptor");
1703 :
1704 1 : routerinfo_err = TOR_ROUTERINFO_ERROR_NOT_A_SERVER;
1705 1 : rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1706 : &errmsg);
1707 1 : tt_int_op(rv, OP_EQ, 0);
1708 1 : tt_ptr_op(answer, OP_EQ, NULL);
1709 1 : tt_ptr_op(errmsg, OP_NE, NULL);
1710 1 : tt_str_op(errmsg, OP_EQ, "Not running in server mode");
1711 :
1712 1 : routerinfo_err = TOR_ROUTERINFO_ERROR_DIGEST_FAILED;
1713 1 : rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1714 : &errmsg);
1715 :
1716 1 : tt_int_op(rv, OP_EQ, -1);
1717 1 : tt_ptr_op(answer, OP_EQ, NULL);
1718 1 : tt_ptr_op(errmsg, OP_NE, NULL);
1719 1 : tt_str_op(errmsg, OP_EQ, "Key digest failed");
1720 :
1721 1 : routerinfo_err = TOR_ROUTERINFO_ERROR_CANNOT_GENERATE;
1722 1 : rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1723 : &errmsg);
1724 1 : tt_int_op(rv, OP_EQ, -1);
1725 1 : tt_ptr_op(answer, OP_EQ, NULL);
1726 1 : tt_ptr_op(errmsg, OP_NE, NULL);
1727 1 : tt_str_op(errmsg, OP_EQ, "Cannot generate descriptor");
1728 :
1729 1 : routerinfo_err = TOR_ROUTERINFO_ERROR_DESC_REBUILDING;
1730 1 : rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1731 : &errmsg);
1732 1 : tt_int_op(rv, OP_EQ, -1);
1733 1 : tt_ptr_op(answer, OP_EQ, NULL);
1734 1 : tt_ptr_op(errmsg, OP_NE, NULL);
1735 1 : tt_str_op(errmsg, OP_EQ, "Descriptor still rebuilding - not ready yet");
1736 :
1737 1 : done:
1738 1 : tor_free(answer);
1739 1 : UNMOCK(get_options);
1740 1 : UNMOCK(router_get_my_routerinfo);
1741 1 : addr_policy_list_free(mock_my_routerinfo.exit_policy);
1742 1 : }
1743 :
1744 : #undef DEFAULT_POLICY_STRING
1745 : #undef TEST_IPV4_ADDR
1746 : #undef TEST_IPV6_ADDR
1747 :
1748 : #define TEST_IPV4_ADDR_STR "1.2.3.4"
1749 : #define TEST_IPV6_ADDR_STR "[1002::4567]"
1750 : #define REJECT_IPv4_FINAL_STR "reject 0.0.0.0/0:*"
1751 : #define REJECT_IPv6_FINAL_STR "reject [::]/0:*"
1752 :
1753 : #define OTHER_IPV4_ADDR_STR "6.7.8.9"
1754 : #define OTHER_IPV6_ADDR_STR "[afff::]"
1755 :
1756 : /** Run unit tests for reachable_addr_allows */
1757 : static void
1758 1 : test_policies_fascist_firewall_allows_address(void *arg)
1759 : {
1760 1 : (void)arg;
1761 1 : tor_addr_t ipv4_addr, ipv6_addr, r_ipv4_addr, r_ipv6_addr;
1762 1 : tor_addr_t n_ipv4_addr, n_ipv6_addr;
1763 1 : const uint16_t port = 1234;
1764 1 : smartlist_t *policy = NULL;
1765 1 : smartlist_t *e_policy = NULL;
1766 1 : addr_policy_t *item = NULL;
1767 1 : int malformed_list = 0;
1768 :
1769 : /* Setup the options and the items in the policies */
1770 1 : memset(&mock_options, 0, sizeof(or_options_t));
1771 1 : MOCK(get_options, mock_get_options);
1772 :
1773 1 : policy = smartlist_new();
1774 1 : item = router_parse_addr_policy_item_from_string("accept "
1775 : TEST_IPV4_ADDR_STR ":*",
1776 : ADDR_POLICY_ACCEPT,
1777 : &malformed_list);
1778 1 : tt_assert(item);
1779 1 : tt_assert(!malformed_list);
1780 1 : smartlist_add(policy, item);
1781 1 : item = router_parse_addr_policy_item_from_string("accept "
1782 : TEST_IPV6_ADDR_STR,
1783 : ADDR_POLICY_ACCEPT,
1784 : &malformed_list);
1785 1 : tt_assert(item);
1786 1 : tt_assert(!malformed_list);
1787 1 : smartlist_add(policy, item);
1788 : /* Normally, policy_expand_unspec would do this for us */
1789 1 : item = router_parse_addr_policy_item_from_string(REJECT_IPv4_FINAL_STR,
1790 : ADDR_POLICY_ACCEPT,
1791 : &malformed_list);
1792 1 : tt_assert(item);
1793 1 : tt_assert(!malformed_list);
1794 1 : smartlist_add(policy, item);
1795 1 : item = router_parse_addr_policy_item_from_string(REJECT_IPv6_FINAL_STR,
1796 : ADDR_POLICY_ACCEPT,
1797 : &malformed_list);
1798 1 : tt_assert(item);
1799 1 : tt_assert(!malformed_list);
1800 1 : smartlist_add(policy, item);
1801 1 : item = NULL;
1802 :
1803 1 : e_policy = smartlist_new();
1804 :
1805 : /*
1806 : char *polstr = policy_dump_to_string(policy, 1, 1);
1807 : printf("%s\n", polstr);
1808 : tor_free(polstr);
1809 : */
1810 :
1811 : /* Parse the addresses */
1812 1 : tor_addr_parse(&ipv4_addr, TEST_IPV4_ADDR_STR);
1813 1 : tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR_STR);
1814 1 : tor_addr_parse(&r_ipv4_addr, OTHER_IPV4_ADDR_STR);
1815 1 : tor_addr_parse(&r_ipv6_addr, OTHER_IPV6_ADDR_STR);
1816 1 : tor_addr_make_null(&n_ipv4_addr, AF_INET);
1817 1 : tor_addr_make_null(&n_ipv6_addr, AF_INET6);
1818 :
1819 : /* Test the function's address matching with IPv4 and IPv6 on */
1820 1 : memset(&mock_options, 0, sizeof(or_options_t));
1821 1 : mock_options.ClientUseIPv4 = 1;
1822 1 : mock_options.ClientUseIPv6 = 1;
1823 1 : mock_options.UseBridges = 0;
1824 :
1825 1 : tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 0, 0),
1826 : OP_EQ, 1);
1827 1 : tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 0, 0),
1828 : OP_EQ, 1);
1829 1 : tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 0, 0),
1830 : OP_EQ, 0);
1831 1 : tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 0, 0),
1832 : OP_EQ, 0);
1833 :
1834 : /* Preferring IPv4 */
1835 1 : tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 1, 0),
1836 : OP_EQ, 1);
1837 1 : tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 1, 0),
1838 : OP_EQ, 0);
1839 1 : tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 1, 0),
1840 : OP_EQ, 0);
1841 1 : tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 1, 0),
1842 : OP_EQ, 0);
1843 :
1844 : /* Preferring IPv6 */
1845 1 : tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 1, 1),
1846 : OP_EQ, 0);
1847 1 : tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 1, 1),
1848 : OP_EQ, 1);
1849 1 : tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 1, 1),
1850 : OP_EQ, 0);
1851 1 : tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 1, 1),
1852 : OP_EQ, 0);
1853 :
1854 : /* Test the function's address matching with UseBridges on */
1855 1 : memset(&mock_options, 0, sizeof(or_options_t));
1856 1 : mock_options.ClientUseIPv4 = 1;
1857 1 : mock_options.ClientUseIPv6 = 1;
1858 1 : mock_options.UseBridges = 1;
1859 :
1860 1 : tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 0, 0),
1861 : OP_EQ, 1);
1862 1 : tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 0, 0),
1863 : OP_EQ, 1);
1864 1 : tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 0, 0),
1865 : OP_EQ, 0);
1866 1 : tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 0, 0),
1867 : OP_EQ, 0);
1868 :
1869 : /* Preferring IPv4 */
1870 1 : tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 1, 0),
1871 : OP_EQ, 1);
1872 1 : tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 1, 0),
1873 : OP_EQ, 0);
1874 1 : tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 1, 0),
1875 : OP_EQ, 0);
1876 1 : tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 1, 0),
1877 : OP_EQ, 0);
1878 :
1879 : /* Preferring IPv6 */
1880 1 : tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 1, 1),
1881 : OP_EQ, 0);
1882 1 : tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 1, 1),
1883 : OP_EQ, 1);
1884 1 : tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 1, 1),
1885 : OP_EQ, 0);
1886 1 : tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 1, 1),
1887 : OP_EQ, 0);
1888 :
1889 : /* bridge clients always use IPv6, regardless of ClientUseIPv6 */
1890 1 : mock_options.ClientUseIPv4 = 1;
1891 1 : mock_options.ClientUseIPv6 = 0;
1892 1 : tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 0, 0),
1893 : OP_EQ, 1);
1894 1 : tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 0, 0),
1895 : OP_EQ, 1);
1896 1 : tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 0, 0),
1897 : OP_EQ, 0);
1898 1 : tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 0, 0),
1899 : OP_EQ, 0);
1900 :
1901 : /* Test the function's address matching with IPv4 on */
1902 1 : memset(&mock_options, 0, sizeof(or_options_t));
1903 1 : mock_options.ClientUseIPv4 = 1;
1904 1 : mock_options.ClientUseIPv6 = 0;
1905 1 : mock_options.UseBridges = 0;
1906 :
1907 1 : tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 0, 0),
1908 : OP_EQ, 1);
1909 1 : tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 0, 0),
1910 : OP_EQ, 0);
1911 1 : tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 0, 0),
1912 : OP_EQ, 0);
1913 1 : tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 0, 0),
1914 : OP_EQ, 0);
1915 :
1916 : /* Test the function's address matching with IPv6 on */
1917 1 : memset(&mock_options, 0, sizeof(or_options_t));
1918 1 : mock_options.ClientUseIPv4 = 0;
1919 1 : mock_options.ClientUseIPv6 = 1;
1920 1 : mock_options.UseBridges = 0;
1921 :
1922 1 : tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 0, 0),
1923 : OP_EQ, 0);
1924 1 : tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 0, 0),
1925 : OP_EQ, 1);
1926 1 : tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 0, 0),
1927 : OP_EQ, 0);
1928 1 : tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 0, 0),
1929 : OP_EQ, 0);
1930 :
1931 : /* Test the function's address matching with ClientUseIPv4 0.
1932 : * This means "use IPv6" regardless of the other settings. */
1933 1 : memset(&mock_options, 0, sizeof(or_options_t));
1934 1 : mock_options.ClientUseIPv4 = 0;
1935 1 : mock_options.ClientUseIPv6 = 0;
1936 1 : mock_options.UseBridges = 0;
1937 :
1938 1 : tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 0, 0),
1939 : OP_EQ, 0);
1940 1 : tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 0, 0),
1941 : OP_EQ, 1);
1942 1 : tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 0, 0),
1943 : OP_EQ, 0);
1944 1 : tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 0, 0),
1945 : OP_EQ, 0);
1946 :
1947 : /* Test the function's address matching for unusual inputs */
1948 1 : memset(&mock_options, 0, sizeof(or_options_t));
1949 1 : mock_options.ClientUseIPv4 = 1;
1950 1 : mock_options.ClientUseIPv6 = 1;
1951 1 : mock_options.UseBridges = 1;
1952 :
1953 : /* NULL and tor_addr_is_null addresses are rejected */
1954 1 : tt_int_op(reachable_addr_allows(NULL, port, policy, 0, 0), OP_EQ,
1955 : 0);
1956 1 : tt_int_op(reachable_addr_allows(&n_ipv4_addr, port, policy, 0, 0),
1957 : OP_EQ, 0);
1958 1 : tt_int_op(reachable_addr_allows(&n_ipv6_addr, port, policy, 0, 0),
1959 : OP_EQ, 0);
1960 :
1961 : /* zero ports are rejected */
1962 1 : tt_int_op(reachable_addr_allows(&ipv4_addr, 0, policy, 0, 0),
1963 : OP_EQ, 0);
1964 1 : tt_int_op(reachable_addr_allows(&ipv6_addr, 0, policy, 0, 0),
1965 : OP_EQ, 0);
1966 :
1967 : /* NULL and empty policies accept everything */
1968 1 : tt_int_op(reachable_addr_allows(&ipv4_addr, port, NULL, 0, 0),
1969 : OP_EQ, 1);
1970 1 : tt_int_op(reachable_addr_allows(&ipv6_addr, port, NULL, 0, 0),
1971 : OP_EQ, 1);
1972 1 : tt_int_op(reachable_addr_allows(&ipv4_addr, port, e_policy, 0, 0),
1973 : OP_EQ, 1);
1974 1 : tt_int_op(reachable_addr_allows(&ipv6_addr, port, e_policy, 0, 0),
1975 : OP_EQ, 1);
1976 :
1977 1 : done:
1978 1 : addr_policy_free(item);
1979 1 : addr_policy_list_free(policy);
1980 1 : addr_policy_list_free(e_policy);
1981 1 : UNMOCK(get_options);
1982 1 : }
1983 :
1984 : #undef REJECT_IPv4_FINAL_STR
1985 : #undef REJECT_IPv6_FINAL_STR
1986 : #undef OTHER_IPV4_ADDR_STR
1987 : #undef OTHER_IPV6_ADDR_STR
1988 :
1989 : #define TEST_IPV4_OR_PORT 1234
1990 : #define TEST_IPV4_DIR_PORT 2345
1991 : #define TEST_IPV6_OR_PORT 61234
1992 : #define TEST_IPV6_DIR_PORT 62345
1993 :
1994 : /* Check that reachable_addr_choose_from_rs() returns the expected
1995 : * results. */
1996 : #define CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \
1997 : expect_ap) \
1998 : STMT_BEGIN \
1999 : tor_addr_port_t chosen_rs_ap; \
2000 : tor_addr_make_null(&chosen_rs_ap.addr, AF_INET); \
2001 : chosen_rs_ap.port = 0; \
2002 : reachable_addr_choose_from_rs(&(fake_rs), (fw_connection), \
2003 : (pref_only), &chosen_rs_ap); \
2004 : tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_rs_ap.addr)); \
2005 : tt_int_op((expect_ap).port, OP_EQ, chosen_rs_ap.port); \
2006 : STMT_END
2007 :
2008 : /* Check that reachable_addr_choose_from_node() returns the expected
2009 : * results. */
2010 : #define CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, \
2011 : expect_rv, expect_ap) \
2012 : STMT_BEGIN \
2013 : tor_addr_port_t chosen_node_ap; \
2014 : tor_addr_make_null(&chosen_node_ap.addr, AF_INET); \
2015 : chosen_node_ap.port = 0; \
2016 : reachable_addr_choose_from_node(&(fake_node),(fw_connection), \
2017 : (pref_only), &chosen_node_ap); \
2018 : tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_node_ap.addr)); \
2019 : tt_int_op((expect_ap).port, OP_EQ, chosen_node_ap.port); \
2020 : STMT_END
2021 :
2022 : /* Check that reachable_addr_choose_from_rs and
2023 : * reachable_addr_choose_from_node() both return the expected results. */
2024 : #define CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, fw_connection, pref_only, \
2025 : expect_rv, expect_ap) \
2026 : STMT_BEGIN \
2027 : CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \
2028 : expect_ap); \
2029 : CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, expect_rv, \
2030 : expect_ap); \
2031 : STMT_END
2032 :
2033 : /* Check that reachable_addr_choose_from_ls() returns the expected
2034 : * results. */
2035 : #define CHECK_CHOSEN_ADDR_NULL_LS() \
2036 : STMT_BEGIN \
2037 : tor_addr_port_t chosen_ls_ap; \
2038 : tor_addr_make_null(&chosen_ls_ap.addr, AF_UNSPEC); \
2039 : chosen_ls_ap.port = 0; \
2040 : setup_full_capture_of_logs(LOG_WARN); \
2041 : reachable_addr_choose_from_ls(NULL, 1, &chosen_ls_ap); \
2042 : expect_single_log_msg("Unknown or missing link specifiers"); \
2043 : teardown_capture_of_logs(); \
2044 : STMT_END
2045 :
2046 : #define CHECK_CHOSEN_ADDR_LS(fake_ls, pref_only, expect_rv, expect_ap) \
2047 : STMT_BEGIN \
2048 : tor_addr_port_t chosen_ls_ap; \
2049 : tor_addr_make_null(&chosen_ls_ap.addr, AF_UNSPEC); \
2050 : chosen_ls_ap.port = 0; \
2051 : setup_full_capture_of_logs(LOG_WARN); \
2052 : reachable_addr_choose_from_ls(fake_ls, pref_only, &chosen_ls_ap); \
2053 : if (smartlist_len(fake_ls) == 0) { \
2054 : expect_single_log_msg("Link specifiers are empty"); \
2055 : } else { \
2056 : expect_no_log_entry(); \
2057 : tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_ls_ap.addr)); \
2058 : tt_int_op((expect_ap).port, OP_EQ, chosen_ls_ap.port); \
2059 : } \
2060 : teardown_capture_of_logs(); \
2061 : STMT_END
2062 :
2063 : #define CHECK_LS_LEGACY_ONLY(fake_ls) \
2064 : STMT_BEGIN \
2065 : tor_addr_port_t chosen_ls_ap; \
2066 : tor_addr_make_null(&chosen_ls_ap.addr, AF_UNSPEC); \
2067 : chosen_ls_ap.port = 0; \
2068 : setup_full_capture_of_logs(LOG_WARN); \
2069 : reachable_addr_choose_from_ls(fake_ls, 0, &chosen_ls_ap); \
2070 : expect_single_log_msg("None of our link specifiers have IPv4 or IPv6"); \
2071 : teardown_capture_of_logs(); \
2072 : STMT_END
2073 :
2074 : #define CHECK_HS_EXTEND_INFO_ADDR_LS(fake_ls, direct_conn, expect_ap) \
2075 : STMT_BEGIN \
2076 : curve25519_secret_key_t seckey; \
2077 : curve25519_secret_key_generate(&seckey, 0); \
2078 : curve25519_public_key_t pubkey; \
2079 : curve25519_public_key_generate(&pubkey, &seckey); \
2080 : setup_full_capture_of_logs(LOG_WARN); \
2081 : extend_info_t *ei = hs_get_extend_info_from_lspecs(fake_ls, &pubkey, \
2082 : direct_conn); \
2083 : if (fake_ls == NULL) { \
2084 : tt_ptr_op(ei, OP_EQ, NULL); \
2085 : expect_single_log_msg("Specified link specifiers is null"); \
2086 : } else { \
2087 : expect_no_log_entry(); \
2088 : tt_assert(tor_addr_eq(&(expect_ap).addr, &ei->orports[0].addr)); \
2089 : tt_int_op((expect_ap).port, OP_EQ, ei->orports[0].port); \
2090 : extend_info_free(ei); \
2091 : } \
2092 : teardown_capture_of_logs(); \
2093 : STMT_END
2094 :
2095 : #define CHECK_HS_EXTEND_INFO_ADDR_LS_NULL_KEY(fake_ls) \
2096 : STMT_BEGIN \
2097 : setup_full_capture_of_logs(LOG_WARN); \
2098 : extend_info_t *ei = hs_get_extend_info_from_lspecs(fake_ls, NULL, 0); \
2099 : tt_ptr_op(ei, OP_EQ, NULL); \
2100 : expect_single_log_msg("Specified onion key is null"); \
2101 : teardown_capture_of_logs(); \
2102 : STMT_END
2103 :
2104 : #define CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(fake_ls, direct_conn) \
2105 : STMT_BEGIN \
2106 : curve25519_secret_key_t seckey; \
2107 : curve25519_secret_key_generate(&seckey, 0); \
2108 : curve25519_public_key_t pubkey; \
2109 : curve25519_public_key_generate(&pubkey, &seckey); \
2110 : extend_info_t *ei = hs_get_extend_info_from_lspecs(fake_ls, &pubkey, \
2111 : direct_conn); \
2112 : tt_ptr_op(ei, OP_EQ, NULL); \
2113 : STMT_END
2114 :
2115 : #define CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_MSG(fake_ls, msg_level, msg) \
2116 : STMT_BEGIN \
2117 : curve25519_secret_key_t seckey; \
2118 : curve25519_secret_key_generate(&seckey, 0); \
2119 : curve25519_public_key_t pubkey; \
2120 : curve25519_public_key_generate(&pubkey, &seckey); \
2121 : setup_full_capture_of_logs(msg_level); \
2122 : extend_info_t *ei = hs_get_extend_info_from_lspecs(fake_ls, &pubkey, 0); \
2123 : tt_ptr_op(ei, OP_EQ, NULL); \
2124 : expect_single_log_msg(msg); \
2125 : teardown_capture_of_logs(); \
2126 : STMT_END
2127 :
2128 : /** Run unit tests for reachable_addr_choose */
2129 : static void
2130 1 : test_policies_fascist_firewall_choose_address(void *arg)
2131 : {
2132 1 : (void)arg;
2133 1 : tor_addr_port_t ipv4_or_ap, ipv4_dir_ap, ipv6_or_ap, ipv6_dir_ap;
2134 1 : tor_addr_port_t n_ipv4_ap, n_ipv6_ap;
2135 :
2136 : /* Setup the options */
2137 1 : memset(&mock_options, 0, sizeof(or_options_t));
2138 1 : MOCK(get_options, mock_get_options);
2139 :
2140 : /* Parse the addresses */
2141 1 : tor_addr_parse(&ipv4_or_ap.addr, TEST_IPV4_ADDR_STR);
2142 1 : ipv4_or_ap.port = TEST_IPV4_OR_PORT;
2143 1 : tor_addr_parse(&ipv4_dir_ap.addr, TEST_IPV4_ADDR_STR);
2144 1 : ipv4_dir_ap.port = TEST_IPV4_DIR_PORT;
2145 :
2146 1 : tor_addr_parse(&ipv6_or_ap.addr, TEST_IPV6_ADDR_STR);
2147 1 : ipv6_or_ap.port = TEST_IPV6_OR_PORT;
2148 1 : tor_addr_parse(&ipv6_dir_ap.addr, TEST_IPV6_ADDR_STR);
2149 1 : ipv6_dir_ap.port = TEST_IPV6_DIR_PORT;
2150 :
2151 1 : tor_addr_make_null(&n_ipv4_ap.addr, AF_INET);
2152 1 : n_ipv4_ap.port = 0;
2153 1 : tor_addr_make_null(&n_ipv6_ap.addr, AF_INET6);
2154 1 : n_ipv6_ap.port = 0;
2155 :
2156 : /* Sanity check reachable_addr_choose with IPv4 and IPv6 on */
2157 1 : memset(&mock_options, 0, sizeof(or_options_t));
2158 1 : mock_options.ClientUseIPv4 = 1;
2159 1 : mock_options.ClientUseIPv6 = 1;
2160 1 : mock_options.UseBridges = 0;
2161 :
2162 : /* Prefer IPv4 */
2163 1 : tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 1,
2164 : FIREWALL_OR_CONNECTION, 0, 0)
2165 : == &ipv4_or_ap);
2166 1 : tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 1,
2167 : FIREWALL_OR_CONNECTION, 1, 0)
2168 : == &ipv4_or_ap);
2169 1 : tt_assert(reachable_addr_choose(&ipv4_dir_ap, &ipv6_dir_ap, 1,
2170 : FIREWALL_DIR_CONNECTION, 0, 0)
2171 : == &ipv4_dir_ap);
2172 1 : tt_assert(reachable_addr_choose(&ipv4_dir_ap, &ipv6_dir_ap, 1,
2173 : FIREWALL_DIR_CONNECTION, 1, 0)
2174 : == &ipv4_dir_ap);
2175 :
2176 : /* Prefer IPv6 */
2177 1 : tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 0,
2178 : FIREWALL_OR_CONNECTION, 0, 1)
2179 : == &ipv6_or_ap);
2180 1 : tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 0,
2181 : FIREWALL_OR_CONNECTION, 1, 1)
2182 : == &ipv6_or_ap);
2183 1 : tt_assert(reachable_addr_choose(&ipv4_dir_ap, &ipv6_dir_ap, 0,
2184 : FIREWALL_DIR_CONNECTION, 0, 1)
2185 : == &ipv6_dir_ap);
2186 1 : tt_assert(reachable_addr_choose(&ipv4_dir_ap, &ipv6_dir_ap, 0,
2187 : FIREWALL_DIR_CONNECTION, 1, 1)
2188 : == &ipv6_dir_ap);
2189 :
2190 : /* Unusual inputs */
2191 :
2192 : /* null preferred OR addresses */
2193 1 : tt_assert(reachable_addr_choose(&ipv4_or_ap, &n_ipv6_ap, 0,
2194 : FIREWALL_OR_CONNECTION, 0, 1)
2195 : == &ipv4_or_ap);
2196 1 : tt_assert(reachable_addr_choose(&n_ipv4_ap, &ipv6_or_ap, 1,
2197 : FIREWALL_OR_CONNECTION, 0, 0)
2198 : == &ipv6_or_ap);
2199 :
2200 : /* null both OR addresses */
2201 1 : tt_ptr_op(reachable_addr_choose(&n_ipv4_ap, &n_ipv6_ap, 0,
2202 : FIREWALL_OR_CONNECTION, 0, 1),
2203 : OP_EQ, NULL);
2204 1 : tt_ptr_op(reachable_addr_choose(&n_ipv4_ap, &n_ipv6_ap, 1,
2205 : FIREWALL_OR_CONNECTION, 0, 0),
2206 : OP_EQ, NULL);
2207 :
2208 : /* null preferred Dir addresses */
2209 1 : tt_assert(reachable_addr_choose(&ipv4_dir_ap, &n_ipv6_ap, 0,
2210 : FIREWALL_DIR_CONNECTION, 0, 1)
2211 : == &ipv4_dir_ap);
2212 1 : tt_assert(reachable_addr_choose(&n_ipv4_ap, &ipv6_dir_ap, 1,
2213 : FIREWALL_DIR_CONNECTION, 0, 0)
2214 : == &ipv6_dir_ap);
2215 :
2216 : /* null both Dir addresses */
2217 1 : tt_ptr_op(reachable_addr_choose(&n_ipv4_ap, &n_ipv6_ap, 0,
2218 : FIREWALL_DIR_CONNECTION, 0, 1),
2219 : OP_EQ, NULL);
2220 1 : tt_ptr_op(reachable_addr_choose(&n_ipv4_ap, &n_ipv6_ap, 1,
2221 : FIREWALL_DIR_CONNECTION, 0, 0),
2222 : OP_EQ, NULL);
2223 :
2224 : /* Prefer IPv4 but want IPv6 (contradictory) */
2225 1 : tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 0,
2226 : FIREWALL_OR_CONNECTION, 0, 0)
2227 : == &ipv4_or_ap);
2228 1 : tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 0,
2229 : FIREWALL_OR_CONNECTION, 1, 0)
2230 : == &ipv4_or_ap);
2231 :
2232 : /* Prefer IPv6 but want IPv4 (contradictory) */
2233 1 : tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 1,
2234 : FIREWALL_OR_CONNECTION, 0, 1)
2235 : == &ipv6_or_ap);
2236 1 : tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 1,
2237 : FIREWALL_OR_CONNECTION, 1, 1)
2238 : == &ipv6_or_ap);
2239 :
2240 : /* Make a fake rs. There will be no corresponding node.
2241 : * This is what happens when there's no consensus and we're bootstrapping
2242 : * from authorities / fallbacks. */
2243 1 : routerstatus_t fake_rs;
2244 1 : memset(&fake_rs, 0, sizeof(routerstatus_t));
2245 : /* In a routerstatus, the OR and Dir addresses are the same */
2246 1 : tor_addr_copy(&fake_rs.ipv4_addr, &ipv4_or_ap.addr);
2247 1 : fake_rs.ipv4_orport = ipv4_or_ap.port;
2248 1 : fake_rs.ipv4_dirport = ipv4_dir_ap.port;
2249 :
2250 1 : tor_addr_copy(&fake_rs.ipv6_addr, &ipv6_or_ap.addr);
2251 1 : fake_rs.ipv6_orport = ipv6_or_ap.port;
2252 : /* In a routerstatus, the IPv4 and IPv6 DirPorts are the same.*/
2253 1 : ipv6_dir_ap.port = TEST_IPV4_DIR_PORT;
2254 :
2255 : /* Make a fake node. Even though it contains the fake_rs, a lookup won't
2256 : * find the node from the rs, because they're not in the hash table. */
2257 1 : node_t fake_node;
2258 1 : memset(&fake_node, 0, sizeof(node_t));
2259 1 : fake_node.rs = &fake_rs;
2260 :
2261 : /* Choose an address with IPv4 and IPv6 on */
2262 1 : memset(&mock_options, 0, sizeof(or_options_t));
2263 1 : mock_options.ClientUseIPv4 = 1;
2264 1 : mock_options.ClientUseIPv6 = 1;
2265 1 : mock_options.UseBridges = 0;
2266 :
2267 : /* Preferring IPv4 */
2268 1 : mock_options.ClientPreferIPv6ORPort = 0;
2269 1 : mock_options.ClientPreferIPv6DirPort = 0;
2270 : /* Simulate the initialisation of fake_node.ipv6_preferred */
2271 1 : fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2272 : &mock_options);
2273 :
2274 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2275 : ipv4_or_ap);
2276 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2277 : ipv4_or_ap);
2278 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2279 : ipv4_dir_ap);
2280 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2281 : ipv4_dir_ap);
2282 :
2283 : /* Auto (Preferring IPv4) */
2284 1 : mock_options.ClientPreferIPv6ORPort = -1;
2285 1 : mock_options.ClientPreferIPv6DirPort = -1;
2286 : /* Simulate the initialisation of fake_node.ipv6_preferred */
2287 1 : fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2288 : &mock_options);
2289 :
2290 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2291 : ipv4_or_ap);
2292 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2293 : ipv4_or_ap);
2294 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2295 : ipv4_dir_ap);
2296 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2297 : ipv4_dir_ap);
2298 :
2299 : /* Preferring IPv6 */
2300 1 : mock_options.ClientPreferIPv6ORPort = 1;
2301 1 : mock_options.ClientPreferIPv6DirPort = 1;
2302 : /* Simulate the initialisation of fake_node.ipv6_preferred */
2303 1 : fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2304 : &mock_options);
2305 :
2306 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2307 : ipv6_or_ap);
2308 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2309 : ipv6_or_ap);
2310 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2311 : ipv6_dir_ap);
2312 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2313 : ipv6_dir_ap);
2314 :
2315 : /* Preferring IPv4 OR / IPv6 Dir */
2316 1 : mock_options.ClientPreferIPv6ORPort = 0;
2317 1 : mock_options.ClientPreferIPv6DirPort = 1;
2318 : /* Simulate the initialisation of fake_node.ipv6_preferred */
2319 1 : fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2320 : &mock_options);
2321 :
2322 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2323 : ipv4_or_ap);
2324 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2325 : ipv4_or_ap);
2326 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2327 : ipv6_dir_ap);
2328 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2329 : ipv6_dir_ap);
2330 :
2331 : /* Preferring IPv6 OR / IPv4 Dir */
2332 1 : mock_options.ClientPreferIPv6ORPort = 1;
2333 1 : mock_options.ClientPreferIPv6DirPort = 0;
2334 : /* Simulate the initialisation of fake_node.ipv6_preferred */
2335 1 : fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2336 : &mock_options);
2337 :
2338 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2339 : ipv6_or_ap);
2340 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2341 : ipv6_or_ap);
2342 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2343 : ipv4_dir_ap);
2344 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2345 : ipv4_dir_ap);
2346 :
2347 : /* Choose an address with UseBridges on */
2348 1 : memset(&mock_options, 0, sizeof(or_options_t));
2349 1 : mock_options.UseBridges = 1;
2350 1 : mock_options.ClientUseIPv4 = 1;
2351 1 : mock_options.ClientUseIPv6 = 1;
2352 :
2353 : /* Preferring IPv4 */
2354 1 : mock_options.ClientPreferIPv6ORPort = 0;
2355 1 : mock_options.ClientPreferIPv6DirPort = 0;
2356 : /* Simulate the initialisation of fake_node.ipv6_preferred */
2357 1 : fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2358 : &mock_options);
2359 :
2360 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2361 : ipv4_or_ap);
2362 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2363 : ipv4_or_ap);
2364 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2365 : ipv4_dir_ap);
2366 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2367 : ipv4_dir_ap);
2368 :
2369 : /* Auto:
2370 : * - bridge clients prefer the configured bridge OR address from the node,
2371 : * (the configured address family sets node.ipv6_preferred)
2372 : * - other clients prefer IPv4 OR by default (see above),
2373 : * - all clients, including bridge clients, prefer IPv4 Dir by default.
2374 : */
2375 1 : mock_options.ClientPreferIPv6ORPort = -1;
2376 1 : mock_options.ClientPreferIPv6DirPort = -1;
2377 :
2378 : /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2379 : * configured with an IPv4 address */
2380 1 : fake_node.ipv6_preferred = 0;
2381 1 : CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2382 1 : CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2383 1 : CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2384 : ipv4_dir_ap);
2385 1 : CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2386 : ipv4_dir_ap);
2387 :
2388 : /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2389 : * configured with an IPv6 address */
2390 1 : fake_node.ipv6_preferred = 1;
2391 1 : CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv6_or_ap);
2392 1 : CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv6_or_ap);
2393 1 : CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2394 : ipv4_dir_ap);
2395 1 : CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2396 : ipv4_dir_ap);
2397 :
2398 : /* When a rs has no node, it defaults to IPv4 under auto. */
2399 1 : CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2400 1 : CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2401 1 : CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 0, 1, ipv4_dir_ap);
2402 1 : CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 1, 1, ipv4_dir_ap);
2403 :
2404 : /* Preferring IPv6 */
2405 1 : mock_options.ClientPreferIPv6ORPort = 1;
2406 1 : mock_options.ClientPreferIPv6DirPort = 1;
2407 : /* Simulate the initialisation of fake_node.ipv6_preferred */
2408 1 : fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2409 : &mock_options);
2410 :
2411 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2412 : ipv6_or_ap);
2413 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2414 : ipv6_or_ap);
2415 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2416 : ipv6_dir_ap);
2417 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2418 : ipv6_dir_ap);
2419 :
2420 : /* In the default configuration (Auto / IPv6 off), bridge clients should
2421 : * use both IPv4 and IPv6, but only prefer IPv6 for bridges configured with
2422 : * an IPv6 address, regardless of ClientUseIPv6. (See above.) */
2423 1 : mock_options.ClientUseIPv6 = 0;
2424 1 : mock_options.ClientPreferIPv6ORPort = -1;
2425 1 : mock_options.ClientPreferIPv6DirPort = -1;
2426 : /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2427 : * configured with an IPv4 address */
2428 1 : fake_node.ipv6_preferred = 0;
2429 1 : CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2430 1 : CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2431 1 : CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2432 : ipv4_dir_ap);
2433 1 : CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2434 : ipv4_dir_ap);
2435 :
2436 : /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2437 : * configured with an IPv6 address */
2438 1 : fake_node.ipv6_preferred = 1;
2439 1 : CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv6_or_ap);
2440 1 : CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv6_or_ap);
2441 1 : CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2442 : ipv4_dir_ap);
2443 1 : CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2444 : ipv4_dir_ap);
2445 :
2446 : /* When a rs has no node, it defaults to IPv4 under auto. */
2447 1 : CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2448 1 : CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2449 1 : CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 0, 1, ipv4_dir_ap);
2450 1 : CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 1, 1, ipv4_dir_ap);
2451 :
2452 : /* Choose an address with IPv4 on */
2453 1 : memset(&mock_options, 0, sizeof(or_options_t));
2454 1 : mock_options.ClientUseIPv4 = 1;
2455 1 : mock_options.ClientUseIPv6 = 0;
2456 : /* Simulate the initialisation of fake_node.ipv6_preferred */
2457 1 : fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2458 : &mock_options);
2459 :
2460 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2461 : ipv4_or_ap);
2462 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2463 : ipv4_or_ap);
2464 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2465 : ipv4_dir_ap);
2466 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2467 : ipv4_dir_ap);
2468 :
2469 : /* Choose an address with IPv6 on */
2470 1 : memset(&mock_options, 0, sizeof(or_options_t));
2471 1 : mock_options.ClientUseIPv4 = 0;
2472 1 : mock_options.ClientUseIPv6 = 1;
2473 : /* Simulate the initialisation of fake_node.ipv6_preferred */
2474 1 : fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2475 : &mock_options);
2476 :
2477 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2478 : ipv6_or_ap);
2479 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2480 : ipv6_or_ap);
2481 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2482 : ipv6_dir_ap);
2483 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2484 : ipv6_dir_ap);
2485 :
2486 : /* Choose an address with ClientUseIPv4 0.
2487 : * This means "use IPv6" regardless of the other settings. */
2488 1 : memset(&mock_options, 0, sizeof(or_options_t));
2489 1 : mock_options.ClientUseIPv4 = 0;
2490 1 : mock_options.ClientUseIPv6 = 0;
2491 : /* Simulate the initialisation of fake_node.ipv6_preferred */
2492 1 : fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2493 : &mock_options);
2494 :
2495 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2496 : ipv6_or_ap);
2497 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2498 : ipv6_or_ap);
2499 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2500 : ipv6_dir_ap);
2501 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2502 : ipv6_dir_ap);
2503 :
2504 : /* Choose an address with ORPort_set 1 (server mode).
2505 : * This means "use IPv4" regardless of the other settings. */
2506 1 : memset(&mock_options, 0, sizeof(or_options_t));
2507 1 : mock_options.ORPort_set = 1;
2508 1 : mock_options.ClientUseIPv4 = 0;
2509 1 : mock_options.ClientUseIPv6 = 1;
2510 1 : mock_options.ClientPreferIPv6ORPort = 1;
2511 1 : mock_options.ClientPreferIPv6DirPort = 1;
2512 :
2513 : /* Simulate the initialisation of fake_node.ipv6_preferred */
2514 1 : fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport(
2515 : &mock_options);
2516 :
2517 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2518 : ipv4_or_ap);
2519 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2520 : ipv4_or_ap);
2521 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2522 : ipv4_dir_ap);
2523 1 : CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2524 : ipv4_dir_ap);
2525 :
2526 : /* Test firewall_choose_address_ls(). To do this, we make a fake link
2527 : * specifier. */
2528 1 : smartlist_t *lspecs = smartlist_new(),
2529 1 : *lspecs_blank = smartlist_new(),
2530 1 : *lspecs_v4 = smartlist_new(),
2531 1 : *lspecs_v6 = smartlist_new(),
2532 1 : *lspecs_no_legacy = smartlist_new(),
2533 1 : *lspecs_legacy_only = smartlist_new();
2534 1 : link_specifier_t *fake_ls;
2535 :
2536 : /* IPv4 link specifier */
2537 1 : fake_ls = link_specifier_new();
2538 1 : link_specifier_set_ls_type(fake_ls, LS_IPV4);
2539 1 : link_specifier_set_un_ipv4_addr(fake_ls,
2540 : tor_addr_to_ipv4h(&ipv4_or_ap.addr));
2541 1 : link_specifier_set_un_ipv4_port(fake_ls, ipv4_or_ap.port);
2542 1 : link_specifier_set_ls_len(fake_ls, sizeof(ipv4_or_ap.addr.addr.in_addr) +
2543 : sizeof(ipv4_or_ap.port));
2544 1 : smartlist_add(lspecs, fake_ls);
2545 1 : smartlist_add(lspecs_v4, fake_ls);
2546 1 : smartlist_add(lspecs_no_legacy, fake_ls);
2547 :
2548 : /* IPv6 link specifier */
2549 1 : fake_ls = link_specifier_new();
2550 1 : link_specifier_set_ls_type(fake_ls, LS_IPV6);
2551 1 : size_t addr_len = link_specifier_getlen_un_ipv6_addr(fake_ls);
2552 1 : const uint8_t *in6_addr = tor_addr_to_in6_addr8(&ipv6_or_ap.addr);
2553 1 : uint8_t *ipv6_array = link_specifier_getarray_un_ipv6_addr(fake_ls);
2554 1 : memcpy(ipv6_array, in6_addr, addr_len);
2555 1 : link_specifier_set_un_ipv6_port(fake_ls, ipv6_or_ap.port);
2556 1 : link_specifier_set_ls_len(fake_ls, addr_len + sizeof(ipv6_or_ap.port));
2557 1 : smartlist_add(lspecs, fake_ls);
2558 1 : smartlist_add(lspecs_v6, fake_ls);
2559 :
2560 : /* Legacy ID link specifier */
2561 1 : fake_ls = link_specifier_new();
2562 1 : link_specifier_set_ls_type(fake_ls, LS_LEGACY_ID);
2563 1 : uint8_t *legacy_id = link_specifier_getarray_un_legacy_id(fake_ls);
2564 1 : memset(legacy_id, 'A', sizeof(*legacy_id));
2565 1 : link_specifier_set_ls_len(fake_ls,
2566 1 : link_specifier_getlen_un_legacy_id(fake_ls));
2567 1 : smartlist_add(lspecs, fake_ls);
2568 1 : smartlist_add(lspecs_legacy_only, fake_ls);
2569 1 : smartlist_add(lspecs_v4, fake_ls);
2570 1 : smartlist_add(lspecs_v6, fake_ls);
2571 :
2572 : /* Check with bogus requests. */
2573 1 : tor_addr_port_t null_ap; \
2574 1 : tor_addr_make_null(&null_ap.addr, AF_UNSPEC); \
2575 1 : null_ap.port = 0; \
2576 :
2577 : /* Check for a null link state. */
2578 1 : CHECK_CHOSEN_ADDR_NULL_LS();
2579 1 : CHECK_HS_EXTEND_INFO_ADDR_LS(NULL, 1, null_ap);
2580 :
2581 : /* Check for a blank link state. */
2582 1 : CHECK_CHOSEN_ADDR_LS(lspecs_blank, 0, 0, null_ap);
2583 1 : CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(lspecs_blank, 0);
2584 :
2585 : /* Check for a link state with only a Legacy ID. */
2586 1 : CHECK_LS_LEGACY_ONLY(lspecs_legacy_only);
2587 1 : CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(lspecs_legacy_only, 0);
2588 1 : smartlist_free(lspecs_legacy_only);
2589 :
2590 : /* Check with a null onion_key. */
2591 1 : CHECK_HS_EXTEND_INFO_ADDR_LS_NULL_KEY(lspecs_blank);
2592 1 : smartlist_free(lspecs_blank);
2593 :
2594 : /* Check with a null onion_key. */
2595 1 : CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_MSG(lspecs_no_legacy, LOG_WARN,
2596 : "Missing Legacy ID in link state");
2597 1 : smartlist_free(lspecs_no_legacy);
2598 :
2599 : /* Enable both IPv4 and IPv6. */
2600 1 : memset(&mock_options, 0, sizeof(or_options_t));
2601 1 : mock_options.ClientUseIPv4 = 1;
2602 1 : mock_options.ClientUseIPv6 = 1;
2603 :
2604 : /* Prefer IPv4, enable both IPv4 and IPv6. */
2605 1 : mock_options.ClientPreferIPv6ORPort = 0;
2606 :
2607 1 : CHECK_CHOSEN_ADDR_LS(lspecs, 0, 1, ipv4_or_ap);
2608 1 : CHECK_CHOSEN_ADDR_LS(lspecs, 1, 1, ipv4_or_ap);
2609 :
2610 1 : CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 1, ipv4_or_ap);
2611 1 : CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 0, ipv4_or_ap);
2612 :
2613 : /* Prefer IPv6, enable both IPv4 and IPv6. */
2614 1 : mock_options.ClientPreferIPv6ORPort = 1;
2615 :
2616 1 : CHECK_CHOSEN_ADDR_LS(lspecs, 0, 1, ipv6_or_ap);
2617 1 : CHECK_CHOSEN_ADDR_LS(lspecs, 1, 1, ipv6_or_ap);
2618 :
2619 1 : CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 1, ipv6_or_ap);
2620 1 : CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 0, ipv4_or_ap);
2621 :
2622 : /* IPv4-only. */
2623 1 : memset(&mock_options, 0, sizeof(or_options_t));
2624 1 : mock_options.ClientUseIPv4 = 1;
2625 1 : mock_options.ClientUseIPv6 = 0;
2626 :
2627 1 : CHECK_CHOSEN_ADDR_LS(lspecs, 0, 1, ipv4_or_ap);
2628 1 : CHECK_CHOSEN_ADDR_LS(lspecs, 1, 1, ipv4_or_ap);
2629 :
2630 1 : CHECK_CHOSEN_ADDR_LS(lspecs_v6, 0, 0, null_ap);
2631 :
2632 1 : CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 1, ipv4_or_ap);
2633 1 : CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 0, ipv4_or_ap);
2634 :
2635 1 : CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(lspecs_v6, 0);
2636 1 : CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(lspecs_v6, 1);
2637 :
2638 : /* IPv6-only. */
2639 1 : memset(&mock_options, 0, sizeof(or_options_t));
2640 1 : mock_options.ClientUseIPv4 = 0;
2641 1 : mock_options.ClientUseIPv6 = 1;
2642 :
2643 1 : CHECK_CHOSEN_ADDR_LS(lspecs, 0, 1, ipv6_or_ap);
2644 1 : CHECK_CHOSEN_ADDR_LS(lspecs, 1, 1, ipv6_or_ap);
2645 :
2646 1 : CHECK_CHOSEN_ADDR_LS(lspecs_v4, 0, 0, null_ap);
2647 :
2648 1 : CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 1, ipv6_or_ap);
2649 1 : CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 0, ipv4_or_ap);
2650 :
2651 1 : CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(lspecs_v4, 1);
2652 1 : CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(lspecs_v6, 0);
2653 :
2654 1 : smartlist_free(lspecs_v4);
2655 1 : smartlist_free(lspecs_v6);
2656 :
2657 4 : SMARTLIST_FOREACH(lspecs, link_specifier_t *, lspec, \
2658 : link_specifier_free(lspec)); \
2659 1 : smartlist_free(lspecs);
2660 :
2661 1 : done:
2662 1 : UNMOCK(get_options);
2663 1 : }
2664 :
2665 : #undef TEST_IPV4_ADDR_STR
2666 : #undef TEST_IPV6_ADDR_STR
2667 : #undef TEST_IPV4_OR_PORT
2668 : #undef TEST_IPV4_DIR_PORT
2669 : #undef TEST_IPV6_OR_PORT
2670 : #undef TEST_IPV6_DIR_PORT
2671 :
2672 : #undef CHECK_CHOSEN_ADDR_RS
2673 : #undef CHECK_CHOSEN_ADDR_NODE
2674 : #undef CHECK_CHOSEN_ADDR_RN
2675 :
2676 : struct testcase_t policy_tests[] = {
2677 : { "router_dump_exit_policy_to_string", test_dump_exit_policy_to_string, 0,
2678 : NULL, NULL },
2679 : { "general", test_policies_general, 0, NULL, NULL },
2680 : { "getinfo_helper_policies", test_policies_getinfo_helper_policies, 0, NULL,
2681 : NULL },
2682 : { "reject_exit_address", test_policies_reject_exit_address, 0, NULL, NULL },
2683 : { "reject_interface_address", test_policies_reject_interface_address, 0,
2684 : NULL, NULL },
2685 : { "reject_port_address", test_policies_reject_port_address, 0, NULL, NULL },
2686 : { "reachable_addr_allows",
2687 : test_policies_fascist_firewall_allows_address, 0, NULL, NULL },
2688 : { "reachable_addr_choose",
2689 : test_policies_fascist_firewall_choose_address, 0, NULL, NULL },
2690 : END_OF_TESTCASES
2691 : };
|
