test_policy.c (107608B)
1 /* Copyright (c) 2013-2021, The Tor Project, Inc. */ 2 /* See LICENSE for licensing information */ 3 4 #define CONFIG_PRIVATE 5 #define POLICIES_PRIVATE 6 7 #include "core/or/or.h" 8 #include "app/config/config.h" 9 #include "core/or/circuitbuild.h" 10 #include "core/or/policies.h" 11 #include "core/or/extendinfo.h" 12 #include "feature/dirparse/policy_parse.h" 13 #include "feature/hs/hs_common.h" 14 #include "feature/hs/hs_descriptor.h" 15 #include "feature/relay/router.h" 16 #include "lib/encoding/confline.h" 17 #include "test/test.h" 18 #include "test/log_test_helpers.h" 19 20 #include "core/or/addr_policy_st.h" 21 #include "core/or/extend_info_st.h" 22 #include "core/or/port_cfg_st.h" 23 #include "feature/nodelist/node_st.h" 24 #include "feature/nodelist/routerinfo_st.h" 25 #include "feature/nodelist/routerstatus_st.h" 26 27 /* Helper: assert that short_policy parses and writes back out as itself, 28 or as <b>expected</b> if that's provided. */ 29 static void 30 test_short_policy_parse(const char *input, 31 const char *expected) 32 { 33 short_policy_t *short_policy = NULL; 34 char *out = NULL; 35 36 if (expected == NULL) 37 expected = input; 38 39 short_policy = parse_short_policy(input); 40 tt_assert(short_policy); 41 out = write_short_policy(short_policy); 42 tt_str_op(out, OP_EQ, expected); 43 44 done: 45 tor_free(out); 46 short_policy_free(short_policy); 47 } 48 49 /** Helper: Parse the exit policy string in <b>policy_str</b> with 50 * <b>options</b>, and make sure that policies_summarize() produces the string 51 * <b>expected_summary</b> from it when called with family. */ 52 static void 53 test_policy_summary_helper_family_flags(const char *policy_str, 54 const char *expected_summary, 55 sa_family_t family, 56 exit_policy_parser_cfg_t options) 57 { 58 config_line_t line; 59 smartlist_t *policy = smartlist_new(); 60 char *summary = NULL; 61 char *summary_after = NULL; 62 int r; 63 short_policy_t *short_policy = NULL; 64 int success = 0; 65 66 line.key = (char *) "foo"; 67 line.value = (char *) policy_str; 68 line.next = NULL; 69 70 r = policies_parse_exit_policy(&line, &policy, 71 options, NULL); 72 tt_int_op(r,OP_EQ, 0); 73 74 summary = policy_summarize(policy, family); 75 76 tt_ptr_op(summary, OP_NE, NULL); 77 tt_str_op(summary,OP_EQ, expected_summary); 78 79 short_policy = parse_short_policy(summary); 80 tt_assert(short_policy); 81 summary_after = write_short_policy(short_policy); 82 tt_str_op(summary,OP_EQ, summary_after); 83 84 success = 1; 85 done: 86 /* If we don't print the flags on failure, it's very hard to diagnose bugs */ 87 if (!success) 88 TT_DECLARE("CTXT", ("\n IPv%d\n Options: %x\n Policy: %s", 89 family == AF_INET ? 4 : 6, options, policy_str)); 90 tor_free(summary_after); 91 tor_free(summary); 92 if (policy) 93 addr_policy_list_free(policy); 94 short_policy_free(short_policy); 95 } 96 97 /** Like test_policy_summary_helper_family_flags, but tries all the different 98 * flag combinations */ 99 static void 100 test_policy_summary_helper_family(const char *policy_str, 101 const char *expected_summary, 102 sa_family_t family) 103 { 104 for (exit_policy_parser_cfg_t opt = 0; 105 opt <= EXIT_POLICY_OPTION_ALL; 106 opt++) { 107 if (family == AF_INET6 && !(opt & EXIT_POLICY_IPV6_ENABLED)) 108 /* Skip the test: IPv6 addresses need IPv6 enabled */ 109 continue; 110 111 if (opt & EXIT_POLICY_REJECT_LOCAL_INTERFACES) 112 /* Skip the test: local interfaces are machine-specific */ 113 continue; 114 115 test_policy_summary_helper_family_flags(policy_str, expected_summary, 116 family, opt); 117 } 118 } 119 120 /** Like test_policy_summary_helper_family, but uses expected_summary for 121 * both IPv4 and IPv6. */ 122 static void 123 test_policy_summary_helper(const char *policy_str, 124 const char *expected_summary) 125 { 126 test_policy_summary_helper_family(policy_str, expected_summary, AF_INET); 127 test_policy_summary_helper_family(policy_str, expected_summary, AF_INET6); 128 } 129 130 /** Like test_policy_summary_helper_family, but uses expected_summary4 for 131 * IPv4 and expected_summary6 for IPv6. */ 132 static void 133 test_policy_summary_helper6(const char *policy_str, 134 const char *expected_summary4, 135 const char *expected_summary6) 136 { 137 test_policy_summary_helper_family(policy_str, expected_summary4, AF_INET); 138 test_policy_summary_helper_family(policy_str, expected_summary6, AF_INET6); 139 } 140 141 /** Run unit tests for generating summary lines of exit policies */ 142 static void 143 test_policies_general(void *arg) 144 { 145 int i; 146 smartlist_t *policy = NULL, *policy2 = NULL, *policy3 = NULL, 147 *policy4 = NULL, *policy5 = NULL, *policy6 = NULL, 148 *policy7 = NULL, *policy8 = NULL, *policy9 = NULL, 149 *policy10 = NULL, *policy11 = NULL, *policy12 = NULL; 150 addr_policy_t *p; 151 tor_addr_t tar, tar2; 152 smartlist_t *addr_list = NULL; 153 config_line_t line; 154 smartlist_t *sm = NULL; 155 char *policy_str = NULL; 156 short_policy_t *short_parsed = NULL; 157 int malformed_list = -1; 158 (void)arg; 159 160 policy = smartlist_new(); 161 162 p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*", -1, 163 &malformed_list); 164 tt_ptr_op(p, OP_NE, NULL); 165 tt_int_op(ADDR_POLICY_REJECT,OP_EQ, p->policy_type); 166 tor_addr_from_ipv4h(&tar, 0xc0a80000u); 167 tt_int_op(0,OP_EQ, tor_addr_compare(&p->addr, &tar, CMP_EXACT)); 168 tt_int_op(16,OP_EQ, p->maskbits); 169 tt_int_op(1,OP_EQ, p->prt_min); 170 tt_int_op(65535,OP_EQ, p->prt_max); 171 172 smartlist_add(policy, p); 173 174 tor_addr_from_ipv4h(&tar, 0x01020304u); 175 tt_assert(ADDR_POLICY_ACCEPTED == 176 compare_tor_addr_to_addr_policy(&tar, 2, policy)); 177 tor_addr_make_unspec(&tar); 178 tt_assert(ADDR_POLICY_PROBABLY_ACCEPTED == 179 compare_tor_addr_to_addr_policy(&tar, 2, policy)); 180 tor_addr_from_ipv4h(&tar, 0xc0a80102); 181 tt_assert(ADDR_POLICY_REJECTED == 182 compare_tor_addr_to_addr_policy(&tar, 2, policy)); 183 184 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy2, 185 EXIT_POLICY_IPV6_ENABLED | 186 EXIT_POLICY_REJECT_PRIVATE | 187 EXIT_POLICY_ADD_DEFAULT, NULL)); 188 189 tt_assert(policy2); 190 191 tor_addr_from_ipv4h(&tar, 0x0306090cu); 192 tor_addr_parse(&tar2, "[2000::1234]"); 193 addr_list = smartlist_new(); 194 smartlist_add(addr_list, &tar); 195 smartlist_add(addr_list, &tar2); 196 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy12, 197 EXIT_POLICY_IPV6_ENABLED | 198 EXIT_POLICY_REJECT_PRIVATE | 199 EXIT_POLICY_ADD_DEFAULT, 200 addr_list)); 201 smartlist_free(addr_list); 202 addr_list = NULL; 203 204 tt_assert(policy12); 205 206 policy3 = smartlist_new(); 207 p = router_parse_addr_policy_item_from_string("reject *:*", -1, 208 &malformed_list); 209 tt_ptr_op(p, OP_NE, NULL); 210 smartlist_add(policy3, p); 211 p = router_parse_addr_policy_item_from_string("accept *:*", -1, 212 &malformed_list); 213 tt_ptr_op(p, OP_NE, NULL); 214 smartlist_add(policy3, p); 215 216 policy4 = smartlist_new(); 217 p = router_parse_addr_policy_item_from_string("accept *:443", -1, 218 &malformed_list); 219 tt_ptr_op(p, OP_NE, NULL); 220 smartlist_add(policy4, p); 221 p = router_parse_addr_policy_item_from_string("accept *:443", -1, 222 &malformed_list); 223 tt_ptr_op(p, OP_NE, NULL); 224 smartlist_add(policy4, p); 225 226 policy5 = smartlist_new(); 227 p = router_parse_addr_policy_item_from_string("reject 0.0.0.0/8:*", -1, 228 &malformed_list); 229 tt_ptr_op(p, OP_NE, NULL); 230 smartlist_add(policy5, p); 231 p = router_parse_addr_policy_item_from_string("reject 169.254.0.0/16:*", -1, 232 &malformed_list); 233 tt_ptr_op(p, OP_NE, NULL); 234 smartlist_add(policy5, p); 235 p = router_parse_addr_policy_item_from_string("reject 127.0.0.0/8:*", -1, 236 &malformed_list); 237 tt_ptr_op(p, OP_NE, NULL); 238 smartlist_add(policy5, p); 239 p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*", 240 -1, &malformed_list); 241 tt_ptr_op(p, OP_NE, NULL); 242 smartlist_add(policy5, p); 243 p = router_parse_addr_policy_item_from_string("reject 10.0.0.0/8:*", -1, 244 &malformed_list); 245 tt_ptr_op(p, OP_NE, NULL); 246 smartlist_add(policy5, p); 247 p = router_parse_addr_policy_item_from_string("reject 172.16.0.0/12:*", -1, 248 &malformed_list); 249 tt_ptr_op(p, OP_NE, NULL); 250 smartlist_add(policy5, p); 251 p = router_parse_addr_policy_item_from_string("reject 80.190.250.90:*", -1, 252 &malformed_list); 253 tt_ptr_op(p, OP_NE, NULL); 254 smartlist_add(policy5, p); 255 p = router_parse_addr_policy_item_from_string("reject *:1-65534", -1, 256 &malformed_list); 257 tt_ptr_op(p, OP_NE, NULL); 258 smartlist_add(policy5, p); 259 p = router_parse_addr_policy_item_from_string("reject *:65535", -1, 260 &malformed_list); 261 tt_ptr_op(p, OP_NE, NULL); 262 smartlist_add(policy5, p); 263 p = router_parse_addr_policy_item_from_string("accept *:1-65535", -1, 264 &malformed_list); 265 tt_ptr_op(p, OP_NE, NULL); 266 smartlist_add(policy5, p); 267 268 policy6 = smartlist_new(); 269 p = router_parse_addr_policy_item_from_string("accept 43.3.0.0/9:*", -1, 270 &malformed_list); 271 tt_ptr_op(p, OP_NE, NULL); 272 smartlist_add(policy6, p); 273 274 policy7 = smartlist_new(); 275 p = router_parse_addr_policy_item_from_string("accept 0.0.0.0/8:*", -1, 276 &malformed_list); 277 tt_ptr_op(p, OP_NE, NULL); 278 smartlist_add(policy7, p); 279 280 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy8, 281 EXIT_POLICY_IPV6_ENABLED | 282 EXIT_POLICY_REJECT_PRIVATE | 283 EXIT_POLICY_ADD_DEFAULT, 284 NULL)); 285 286 tt_assert(policy8); 287 288 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy9, 289 EXIT_POLICY_REJECT_PRIVATE | 290 EXIT_POLICY_ADD_DEFAULT, 291 NULL)); 292 293 tt_assert(policy9); 294 295 /* accept6 * and reject6 * produce IPv6 wildcards only */ 296 policy10 = smartlist_new(); 297 p = router_parse_addr_policy_item_from_string("accept6 *:*", -1, 298 &malformed_list); 299 tt_ptr_op(p, OP_NE, NULL); 300 smartlist_add(policy10, p); 301 302 policy11 = smartlist_new(); 303 p = router_parse_addr_policy_item_from_string("reject6 *:*", -1, 304 &malformed_list); 305 tt_ptr_op(p, OP_NE, NULL); 306 smartlist_add(policy11, p); 307 308 tt_assert(!exit_policy_is_general_exit(policy)); 309 tt_assert(exit_policy_is_general_exit(policy2)); 310 tt_assert(!exit_policy_is_general_exit(NULL)); 311 tt_assert(!exit_policy_is_general_exit(policy3)); 312 tt_assert(!exit_policy_is_general_exit(policy4)); 313 tt_assert(!exit_policy_is_general_exit(policy5)); 314 tt_assert(!exit_policy_is_general_exit(policy6)); 315 tt_assert(!exit_policy_is_general_exit(policy7)); 316 tt_assert(exit_policy_is_general_exit(policy8)); 317 tt_assert(exit_policy_is_general_exit(policy9)); 318 tt_assert(!exit_policy_is_general_exit(policy10)); 319 tt_assert(!exit_policy_is_general_exit(policy11)); 320 321 tt_assert(!addr_policies_eq(policy, policy2)); 322 tt_assert(!addr_policies_eq(policy, NULL)); 323 tt_assert(addr_policies_eq(policy2, policy2)); 324 tt_assert(addr_policies_eq(NULL, NULL)); 325 326 tt_assert(!policy_is_reject_star(policy2, AF_INET, 1)); 327 tt_assert(policy_is_reject_star(policy, AF_INET, 1)); 328 tt_assert(policy_is_reject_star(policy10, AF_INET, 1)); 329 tt_assert(!policy_is_reject_star(policy10, AF_INET6, 1)); 330 tt_assert(policy_is_reject_star(policy11, AF_INET, 1)); 331 tt_assert(policy_is_reject_star(policy11, AF_INET6, 1)); 332 tt_assert(policy_is_reject_star(NULL, AF_INET, 1)); 333 tt_assert(policy_is_reject_star(NULL, AF_INET6, 1)); 334 tt_assert(!policy_is_reject_star(NULL, AF_INET, 0)); 335 tt_assert(!policy_is_reject_star(NULL, AF_INET6, 0)); 336 337 addr_policy_list_free(policy); 338 policy = NULL; 339 340 /* make sure assume_action works */ 341 malformed_list = 0; 342 p = router_parse_addr_policy_item_from_string("127.0.0.1", 343 ADDR_POLICY_ACCEPT, 344 &malformed_list); 345 tt_assert(p); 346 addr_policy_free(p); 347 tt_assert(!malformed_list); 348 349 p = router_parse_addr_policy_item_from_string("127.0.0.1:*", 350 ADDR_POLICY_ACCEPT, 351 &malformed_list); 352 tt_assert(p); 353 addr_policy_free(p); 354 tt_assert(!malformed_list); 355 356 p = router_parse_addr_policy_item_from_string("[::]", 357 ADDR_POLICY_ACCEPT, 358 &malformed_list); 359 tt_assert(p); 360 addr_policy_free(p); 361 tt_assert(!malformed_list); 362 363 p = router_parse_addr_policy_item_from_string("[::]:*", 364 ADDR_POLICY_ACCEPT, 365 &malformed_list); 366 tt_assert(p); 367 addr_policy_free(p); 368 tt_assert(!malformed_list); 369 370 p = router_parse_addr_policy_item_from_string("[face::b]", 371 ADDR_POLICY_ACCEPT, 372 &malformed_list); 373 tt_assert(p); 374 addr_policy_free(p); 375 tt_assert(!malformed_list); 376 377 p = router_parse_addr_policy_item_from_string("[b::aaaa]", 378 ADDR_POLICY_ACCEPT, 379 &malformed_list); 380 tt_assert(p); 381 addr_policy_free(p); 382 tt_assert(!malformed_list); 383 384 p = router_parse_addr_policy_item_from_string("*", 385 ADDR_POLICY_ACCEPT, 386 &malformed_list); 387 tt_assert(p); 388 addr_policy_free(p); 389 tt_assert(!malformed_list); 390 391 p = router_parse_addr_policy_item_from_string("*4", 392 ADDR_POLICY_ACCEPT, 393 &malformed_list); 394 tt_assert(p); 395 addr_policy_free(p); 396 tt_assert(!malformed_list); 397 398 p = router_parse_addr_policy_item_from_string("*6", 399 ADDR_POLICY_ACCEPT, 400 &malformed_list); 401 tt_assert(p); 402 addr_policy_free(p); 403 tt_assert(!malformed_list); 404 405 /* These are all ambiguous IPv6 addresses, it's good that we reject them */ 406 p = router_parse_addr_policy_item_from_string("acce::abcd", 407 ADDR_POLICY_ACCEPT, 408 &malformed_list); 409 tt_ptr_op(p, OP_EQ, NULL); 410 tt_assert(malformed_list); 411 malformed_list = 0; 412 413 p = router_parse_addr_policy_item_from_string("7:1234", 414 ADDR_POLICY_ACCEPT, 415 &malformed_list); 416 tt_ptr_op(p, OP_EQ, NULL); 417 tt_assert(malformed_list); 418 malformed_list = 0; 419 420 p = router_parse_addr_policy_item_from_string("::", 421 ADDR_POLICY_ACCEPT, 422 &malformed_list); 423 tt_ptr_op(p, OP_EQ, NULL); 424 tt_assert(malformed_list); 425 malformed_list = 0; 426 427 /* make sure compacting logic works. */ 428 policy = NULL; 429 line.key = (char*)"foo"; 430 line.value = (char*)"accept *:80,reject private:*,reject *:*"; 431 line.next = NULL; 432 tt_int_op(0, OP_EQ, policies_parse_exit_policy(&line,&policy, 433 EXIT_POLICY_IPV6_ENABLED | 434 EXIT_POLICY_ADD_DEFAULT, NULL)); 435 tt_assert(policy); 436 437 //test_streq(policy->string, "accept *:80"); 438 //test_streq(policy->next->string, "reject *:*"); 439 tt_int_op(smartlist_len(policy),OP_EQ, 4); 440 441 /* test policy summaries */ 442 /* check if we properly ignore private IP addresses */ 443 test_policy_summary_helper("reject 192.168.0.0/16:*," 444 "reject 0.0.0.0/8:*," 445 "reject 10.0.0.0/8:*," 446 "accept *:10-30," 447 "accept *:90," 448 "reject *:*", 449 "accept 10-30,90"); 450 /* check all accept policies, and proper counting of rejects */ 451 test_policy_summary_helper("reject 11.0.0.0/9:80," 452 "reject 12.0.0.0/9:80," 453 "reject 13.0.0.0/9:80," 454 "reject 14.0.0.0/9:80," 455 "accept *:*", "accept 1-65535"); 456 test_policy_summary_helper("reject 11.0.0.0/9:80," 457 "reject 12.0.0.0/9:80," 458 "reject 13.0.0.0/9:80," 459 "reject 14.0.0.0/9:80," 460 "reject 15.0.0.0:81," 461 "accept *:*", "accept 1-65535"); 462 test_policy_summary_helper6("reject 11.0.0.0/9:80," 463 "reject 12.0.0.0/9:80," 464 "reject 13.0.0.0/9:80," 465 "reject 14.0.0.0/9:80," 466 "reject 15.0.0.0:80," 467 "accept *:*", 468 "reject 80", 469 "accept 1-65535"); 470 /* no exits */ 471 test_policy_summary_helper("accept 11.0.0.0/9:80," 472 "reject *:*", 473 "reject 1-65535"); 474 /* port merging */ 475 test_policy_summary_helper("accept *:80," 476 "accept *:81," 477 "accept *:100-110," 478 "accept *:111," 479 "reject *:*", 480 "accept 80-81,100-111"); 481 /* border ports */ 482 test_policy_summary_helper("accept *:1," 483 "accept *:3," 484 "accept *:65535," 485 "reject *:*", 486 "accept 1,3,65535"); 487 /* holes */ 488 test_policy_summary_helper("accept *:1," 489 "accept *:3," 490 "accept *:5," 491 "accept *:7," 492 "reject *:*", 493 "accept 1,3,5,7"); 494 test_policy_summary_helper("reject *:1," 495 "reject *:3," 496 "reject *:5," 497 "reject *:7," 498 "accept *:*", 499 "reject 1,3,5,7"); 500 /* long policies */ 501 /* standard long policy on many exits */ 502 test_policy_summary_helper("accept *:20-23," 503 "accept *:43," 504 "accept *:53," 505 "accept *:79-81," 506 "accept *:88," 507 "accept *:110," 508 "accept *:143," 509 "accept *:194," 510 "accept *:220," 511 "accept *:389," 512 "accept *:443," 513 "accept *:464," 514 "accept *:531," 515 "accept *:543-544," 516 "accept *:554," 517 "accept *:563," 518 "accept *:636," 519 "accept *:706," 520 "accept *:749," 521 "accept *:873," 522 "accept *:902-904," 523 "accept *:981," 524 "accept *:989-995," 525 "accept *:1194," 526 "accept *:1220," 527 "accept *:1293," 528 "accept *:1500," 529 "accept *:1533," 530 "accept *:1677," 531 "accept *:1723," 532 "accept *:1755," 533 "accept *:1863," 534 "accept *:2082," 535 "accept *:2083," 536 "accept *:2086-2087," 537 "accept *:2095-2096," 538 "accept *:2102-2104," 539 "accept *:3128," 540 "accept *:3389," 541 "accept *:3690," 542 "accept *:4321," 543 "accept *:4643," 544 "accept *:5050," 545 "accept *:5190," 546 "accept *:5222-5223," 547 "accept *:5228," 548 "accept *:5900," 549 "accept *:6660-6669," 550 "accept *:6679," 551 "accept *:6697," 552 "accept *:8000," 553 "accept *:8008," 554 "accept *:8074," 555 "accept *:8080," 556 "accept *:8087-8088," 557 "accept *:8332-8333," 558 "accept *:8443," 559 "accept *:8888," 560 "accept *:9418," 561 "accept *:9999," 562 "accept *:10000," 563 "accept *:11371," 564 "accept *:12350," 565 "accept *:19294," 566 "accept *:19638," 567 "accept *:23456," 568 "accept *:33033," 569 "accept *:64738," 570 "reject *:*", 571 "accept 20-23,43,53,79-81,88,110,143,194,220,389," 572 "443,464,531,543-544,554,563,636,706,749,873," 573 "902-904,981,989-995,1194,1220,1293,1500,1533," 574 "1677,1723,1755,1863,2082-2083,2086-2087," 575 "2095-2096,2102-2104,3128,3389,3690,4321,4643," 576 "5050,5190,5222-5223,5228,5900,6660-6669,6679," 577 "6697,8000,8008,8074,8080,8087-8088,8332-8333," 578 "8443,8888,9418,9999-10000,11371,12350,19294," 579 "19638,23456,33033,64738"); 580 /* short policy with configured addresses */ 581 test_policy_summary_helper("reject 149.56.1.1:*," 582 "reject [2607:5300:1:1::1:0]:*," 583 "accept *:80," 584 "accept *:443," 585 "reject *:*", 586 "accept 80,443"); 587 /* short policy with configured and local interface addresses */ 588 test_policy_summary_helper("reject 149.56.1.0:*," 589 "reject 149.56.1.1:*," 590 "reject 149.56.1.2:*," 591 "reject 149.56.1.3:*," 592 "reject 149.56.1.4:*," 593 "reject 149.56.1.5:*," 594 "reject 149.56.1.6:*," 595 "reject 149.56.1.7:*," 596 "reject [2607:5300:1:1::1:0]:*," 597 "reject [2607:5300:1:1::1:1]:*," 598 "reject [2607:5300:1:1::1:2]:*," 599 "reject [2607:5300:1:1::1:3]:*," 600 "reject [2607:5300:1:1::2:0]:*," 601 "reject [2607:5300:1:1::2:1]:*," 602 "reject [2607:5300:1:1::2:2]:*," 603 "reject [2607:5300:1:1::2:3]:*," 604 "accept *:80," 605 "accept *:443," 606 "reject *:*", 607 "accept 80,443"); 608 /* short policy with configured netblocks */ 609 test_policy_summary_helper("reject 149.56.0.0/16," 610 "reject6 2607:5300::/32," 611 "reject6 2608:5300::/64," 612 "reject6 2609:5300::/96," 613 "accept *:80," 614 "accept *:443," 615 "reject *:*", 616 "accept 80,443"); 617 /* short policy with large netblocks that do not count as a rejection */ 618 test_policy_summary_helper("reject 148.0.0.0/7," 619 "reject6 2600::/16," 620 "accept *:80," 621 "accept *:443," 622 "reject *:*", 623 "accept 80,443"); 624 /* short policy with large netblocks that count as a rejection */ 625 test_policy_summary_helper("reject 148.0.0.0/6," 626 "reject6 2600::/15," 627 "accept *:80," 628 "accept *:443," 629 "reject *:*", 630 "reject 1-65535"); 631 /* short policy with huge netblocks that count as a rejection */ 632 test_policy_summary_helper("reject 128.0.0.0/1," 633 "reject6 8000::/1," 634 "accept *:80," 635 "accept *:443," 636 "reject *:*", 637 "reject 1-65535"); 638 /* short policy which blocks everything using netblocks */ 639 test_policy_summary_helper("reject 0.0.0.0/0," 640 "reject6 ::/0," 641 "accept *:80," 642 "accept *:443," 643 "reject *:*", 644 "reject 1-65535"); 645 /* short policy which has repeated redundant netblocks */ 646 test_policy_summary_helper("reject 0.0.0.0/0," 647 "reject 0.0.0.0/0," 648 "reject 0.0.0.0/0," 649 "reject 0.0.0.0/0," 650 "reject 0.0.0.0/0," 651 "reject6 ::/0," 652 "reject6 ::/0," 653 "reject6 ::/0," 654 "reject6 ::/0," 655 "reject6 ::/0," 656 "accept *:80," 657 "accept *:443," 658 "reject *:*", 659 "reject 1-65535"); 660 661 /* longest possible policy 662 * (1-2,4-5,... is longer, but gets reduced to 3,6,... ) 663 * Going all the way to 65535 is incredibly slow, so we just go slightly 664 * more than the expected length */ 665 test_policy_summary_helper("accept *:1," 666 "accept *:3," 667 "accept *:5," 668 "accept *:7," 669 "accept *:9," 670 "accept *:11," 671 "accept *:13," 672 "accept *:15," 673 "accept *:17," 674 "accept *:19," 675 "accept *:21," 676 "accept *:23," 677 "accept *:25," 678 "accept *:27," 679 "accept *:29," 680 "accept *:31," 681 "accept *:33," 682 "accept *:35," 683 "accept *:37," 684 "accept *:39," 685 "accept *:41," 686 "accept *:43," 687 "accept *:45," 688 "accept *:47," 689 "accept *:49," 690 "accept *:51," 691 "accept *:53," 692 "accept *:55," 693 "accept *:57," 694 "accept *:59," 695 "accept *:61," 696 "accept *:63," 697 "accept *:65," 698 "accept *:67," 699 "accept *:69," 700 "accept *:71," 701 "accept *:73," 702 "accept *:75," 703 "accept *:77," 704 "accept *:79," 705 "accept *:81," 706 "accept *:83," 707 "accept *:85," 708 "accept *:87," 709 "accept *:89," 710 "accept *:91," 711 "accept *:93," 712 "accept *:95," 713 "accept *:97," 714 "accept *:99," 715 "accept *:101," 716 "accept *:103," 717 "accept *:105," 718 "accept *:107," 719 "accept *:109," 720 "accept *:111," 721 "accept *:113," 722 "accept *:115," 723 "accept *:117," 724 "accept *:119," 725 "accept *:121," 726 "accept *:123," 727 "accept *:125," 728 "accept *:127," 729 "accept *:129," 730 "accept *:131," 731 "accept *:133," 732 "accept *:135," 733 "accept *:137," 734 "accept *:139," 735 "accept *:141," 736 "accept *:143," 737 "accept *:145," 738 "accept *:147," 739 "accept *:149," 740 "accept *:151," 741 "accept *:153," 742 "accept *:155," 743 "accept *:157," 744 "accept *:159," 745 "accept *:161," 746 "accept *:163," 747 "accept *:165," 748 "accept *:167," 749 "accept *:169," 750 "accept *:171," 751 "accept *:173," 752 "accept *:175," 753 "accept *:177," 754 "accept *:179," 755 "accept *:181," 756 "accept *:183," 757 "accept *:185," 758 "accept *:187," 759 "accept *:189," 760 "accept *:191," 761 "accept *:193," 762 "accept *:195," 763 "accept *:197," 764 "accept *:199," 765 "accept *:201," 766 "accept *:203," 767 "accept *:205," 768 "accept *:207," 769 "accept *:209," 770 "accept *:211," 771 "accept *:213," 772 "accept *:215," 773 "accept *:217," 774 "accept *:219," 775 "accept *:221," 776 "accept *:223," 777 "accept *:225," 778 "accept *:227," 779 "accept *:229," 780 "accept *:231," 781 "accept *:233," 782 "accept *:235," 783 "accept *:237," 784 "accept *:239," 785 "accept *:241," 786 "accept *:243," 787 "accept *:245," 788 "accept *:247," 789 "accept *:249," 790 "accept *:251," 791 "accept *:253," 792 "accept *:255," 793 "accept *:257," 794 "accept *:259," 795 "accept *:261," 796 "accept *:263," 797 "accept *:265," 798 "accept *:267," 799 "accept *:269," 800 "accept *:271," 801 "accept *:273," 802 "accept *:275," 803 "accept *:277," 804 "accept *:279," 805 "accept *:281," 806 "accept *:283," 807 "accept *:285," 808 "accept *:287," 809 "accept *:289," 810 "accept *:291," 811 "accept *:293," 812 "accept *:295," 813 "accept *:297," 814 "accept *:299," 815 "accept *:301," 816 "accept *:303," 817 "accept *:305," 818 "accept *:307," 819 "accept *:309," 820 "accept *:311," 821 "accept *:313," 822 "accept *:315," 823 "accept *:317," 824 "accept *:319," 825 "accept *:321," 826 "accept *:323," 827 "accept *:325," 828 "accept *:327," 829 "accept *:329," 830 "accept *:331," 831 "accept *:333," 832 "accept *:335," 833 "accept *:337," 834 "accept *:339," 835 "accept *:341," 836 "accept *:343," 837 "accept *:345," 838 "accept *:347," 839 "accept *:349," 840 "accept *:351," 841 "accept *:353," 842 "accept *:355," 843 "accept *:357," 844 "accept *:359," 845 "accept *:361," 846 "accept *:363," 847 "accept *:365," 848 "accept *:367," 849 "accept *:369," 850 "accept *:371," 851 "accept *:373," 852 "accept *:375," 853 "accept *:377," 854 "accept *:379," 855 "accept *:381," 856 "accept *:383," 857 "accept *:385," 858 "accept *:387," 859 "accept *:389," 860 "accept *:391," 861 "accept *:393," 862 "accept *:395," 863 "accept *:397," 864 "accept *:399," 865 "accept *:401," 866 "accept *:403," 867 "accept *:405," 868 "accept *:407," 869 "accept *:409," 870 "accept *:411," 871 "accept *:413," 872 "accept *:415," 873 "accept *:417," 874 "accept *:419," 875 "accept *:421," 876 "accept *:423," 877 "accept *:425," 878 "accept *:427," 879 "accept *:429," 880 "accept *:431," 881 "accept *:433," 882 "accept *:435," 883 "accept *:437," 884 "accept *:439," 885 "accept *:441," 886 "accept *:443," 887 "accept *:445," 888 "accept *:447," 889 "accept *:449," 890 "accept *:451," 891 "accept *:453," 892 "accept *:455," 893 "accept *:457," 894 "accept *:459," 895 "accept *:461," 896 "accept *:463," 897 "accept *:465," 898 "accept *:467," 899 "accept *:469," 900 "accept *:471," 901 "accept *:473," 902 "accept *:475," 903 "accept *:477," 904 "accept *:479," 905 "accept *:481," 906 "accept *:483," 907 "accept *:485," 908 "accept *:487," 909 "accept *:489," 910 "accept *:491," 911 "accept *:493," 912 "accept *:495," 913 "accept *:497," 914 "accept *:499," 915 "accept *:501," 916 "accept *:503," 917 "accept *:505," 918 "accept *:507," 919 "accept *:509," 920 "accept *:511," 921 "accept *:513," 922 "accept *:515," 923 "accept *:517," 924 "accept *:519," 925 "accept *:521," 926 "accept *:523," 927 "accept *:525," 928 "accept *:527," 929 "accept *:529," 930 "reject *:*", 931 "accept 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29," 932 "31,33,35,37,39,41,43,45,47,49,51,53,55,57,59,61," 933 "63,65,67,69,71,73,75,77,79,81,83,85,87,89,91,93," 934 "95,97,99,101,103,105,107,109,111,113,115,117," 935 "119,121,123,125,127,129,131,133,135,137,139,141," 936 "143,145,147,149,151,153,155,157,159,161,163,165," 937 "167,169,171,173,175,177,179,181,183,185,187,189," 938 "191,193,195,197,199,201,203,205,207,209,211,213," 939 "215,217,219,221,223,225,227,229,231,233,235,237," 940 "239,241,243,245,247,249,251,253,255,257,259,261," 941 "263,265,267,269,271,273,275,277,279,281,283,285," 942 "287,289,291,293,295,297,299,301,303,305,307,309," 943 "311,313,315,317,319,321,323,325,327,329,331,333," 944 "335,337,339,341,343,345,347,349,351,353,355,357," 945 "359,361,363,365,367,369,371,373,375,377,379,381," 946 "383,385,387,389,391,393,395,397,399,401,403,405," 947 "407,409,411,413,415,417,419,421,423,425,427,429," 948 "431,433,435,437,439,441,443,445,447,449,451,453," 949 "455,457,459,461,463,465,467,469,471,473,475,477," 950 "479,481,483,485,487,489,491,493,495,497,499,501," 951 "503,505,507,509,511,513,515,517,519,521,523"); 952 953 /* Short policies with unrecognized formats should get accepted. */ 954 test_short_policy_parse("accept fred,2,3-5", "accept 2,3-5"); 955 test_short_policy_parse("accept 2,fred,3", "accept 2,3"); 956 test_short_policy_parse("accept 2,fred,3,bob", "accept 2,3"); 957 test_short_policy_parse("accept 2,-3,500-600", "accept 2,500-600"); 958 /* Short policies with nil entries are accepted too. */ 959 test_short_policy_parse("accept 1,,3", "accept 1,3"); 960 test_short_policy_parse("accept 100-200,,", "accept 100-200"); 961 test_short_policy_parse("reject ,1-10,,,,30-40", "reject 1-10,30-40"); 962 963 /* Try parsing various broken short policies */ 964 #define TT_BAD_SHORT_POLICY(s) \ 965 do { \ 966 tt_ptr_op(NULL, OP_EQ, (short_parsed = parse_short_policy((s)))); \ 967 } while (0) 968 TT_BAD_SHORT_POLICY("accept 200-199"); 969 TT_BAD_SHORT_POLICY(""); 970 TT_BAD_SHORT_POLICY("rejekt 1,2,3"); 971 TT_BAD_SHORT_POLICY("reject "); 972 TT_BAD_SHORT_POLICY("reject"); 973 TT_BAD_SHORT_POLICY("rej"); 974 TT_BAD_SHORT_POLICY("accept 2,3,100000"); 975 TT_BAD_SHORT_POLICY("accept 2,3x,4"); 976 TT_BAD_SHORT_POLICY("accept 2,3x,4"); 977 TT_BAD_SHORT_POLICY("accept 2-"); 978 TT_BAD_SHORT_POLICY("accept 2-x"); 979 TT_BAD_SHORT_POLICY("accept 1-,3"); 980 TT_BAD_SHORT_POLICY("accept 1-,3"); 981 982 /* Make sure that IPv4 addresses are ignored in accept6/reject6 lines. */ 983 p = router_parse_addr_policy_item_from_string("accept6 1.2.3.4:*", -1, 984 &malformed_list); 985 tt_ptr_op(p, OP_EQ, NULL); 986 tt_assert(!malformed_list); 987 988 p = router_parse_addr_policy_item_from_string("reject6 2.4.6.0/24:*", -1, 989 &malformed_list); 990 tt_ptr_op(p, OP_EQ, NULL); 991 tt_assert(!malformed_list); 992 993 p = router_parse_addr_policy_item_from_string("accept6 *4:*", -1, 994 &malformed_list); 995 tt_ptr_op(p, OP_EQ, NULL); 996 tt_assert(!malformed_list); 997 998 /* Make sure malformed policies are detected as such. */ 999 p = router_parse_addr_policy_item_from_string("bad_token *4:*", -1, 1000 &malformed_list); 1001 tt_ptr_op(p, OP_EQ, NULL); 1002 tt_assert(malformed_list); 1003 1004 p = router_parse_addr_policy_item_from_string("accept6 **:*", -1, 1005 &malformed_list); 1006 tt_ptr_op(p, OP_EQ, NULL); 1007 tt_assert(malformed_list); 1008 1009 p = router_parse_addr_policy_item_from_string("accept */15:*", -1, 1010 &malformed_list); 1011 tt_ptr_op(p, OP_EQ, NULL); 1012 tt_assert(malformed_list); 1013 1014 p = router_parse_addr_policy_item_from_string("reject6 */:*", -1, 1015 &malformed_list); 1016 tt_ptr_op(p, OP_EQ, NULL); 1017 tt_assert(malformed_list); 1018 1019 p = router_parse_addr_policy_item_from_string("accept 127.0.0.1/33:*", -1, 1020 &malformed_list); 1021 tt_ptr_op(p, OP_EQ, NULL); 1022 tt_assert(malformed_list); 1023 1024 p = router_parse_addr_policy_item_from_string("accept6 [::1]/129:*", -1, 1025 &malformed_list); 1026 tt_ptr_op(p, OP_EQ, NULL); 1027 tt_assert(malformed_list); 1028 1029 p = router_parse_addr_policy_item_from_string("reject 8.8.8.8/-1:*", -1, 1030 &malformed_list); 1031 tt_ptr_op(p, OP_EQ, NULL); 1032 tt_assert(malformed_list); 1033 1034 p = router_parse_addr_policy_item_from_string("reject 8.8.4.4:10-5", -1, 1035 &malformed_list); 1036 tt_ptr_op(p, OP_EQ, NULL); 1037 tt_assert(malformed_list); 1038 1039 p = router_parse_addr_policy_item_from_string("reject 1.2.3.4:-1", -1, 1040 &malformed_list); 1041 tt_ptr_op(p, OP_EQ, NULL); 1042 tt_assert(malformed_list); 1043 1044 /* Test a too-long policy. */ 1045 { 1046 char *policy_strng = NULL; 1047 smartlist_t *chunks = smartlist_new(); 1048 smartlist_add_strdup(chunks, "accept "); 1049 for (i=1; i<10000; ++i) 1050 smartlist_add_asprintf(chunks, "%d,", i); 1051 smartlist_add_strdup(chunks, "20000"); 1052 policy_strng = smartlist_join_strings(chunks, "", 0, NULL); 1053 SMARTLIST_FOREACH(chunks, char *, ch, tor_free(ch)); 1054 smartlist_free(chunks); 1055 short_parsed = parse_short_policy(policy_strng);/* shouldn't be accepted */ 1056 tor_free(policy_strng); 1057 tt_ptr_op(NULL, OP_EQ, short_parsed); 1058 } 1059 1060 /* truncation ports */ 1061 sm = smartlist_new(); 1062 for (i=1; i<2000; i+=2) { 1063 char buf[POLICY_BUF_LEN]; 1064 tor_snprintf(buf, sizeof(buf), "reject *:%d", i); 1065 smartlist_add_strdup(sm, buf); 1066 } 1067 smartlist_add_strdup(sm, "accept *:*"); 1068 policy_str = smartlist_join_strings(sm, ",", 0, NULL); 1069 test_policy_summary_helper( policy_str, 1070 "accept 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44," 1071 "46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78,80,82,84,86,88,90," 1072 "92,94,96,98,100,102,104,106,108,110,112,114,116,118,120,122,124,126,128," 1073 "130,132,134,136,138,140,142,144,146,148,150,152,154,156,158,160,162,164," 1074 "166,168,170,172,174,176,178,180,182,184,186,188,190,192,194,196,198,200," 1075 "202,204,206,208,210,212,214,216,218,220,222,224,226,228,230,232,234,236," 1076 "238,240,242,244,246,248,250,252,254,256,258,260,262,264,266,268,270,272," 1077 "274,276,278,280,282,284,286,288,290,292,294,296,298,300,302,304,306,308," 1078 "310,312,314,316,318,320,322,324,326,328,330,332,334,336,338,340,342,344," 1079 "346,348,350,352,354,356,358,360,362,364,366,368,370,372,374,376,378,380," 1080 "382,384,386,388,390,392,394,396,398,400,402,404,406,408,410,412,414,416," 1081 "418,420,422,424,426,428,430,432,434,436,438,440,442,444,446,448,450,452," 1082 "454,456,458,460,462,464,466,468,470,472,474,476,478,480,482,484,486,488," 1083 "490,492,494,496,498,500,502,504,506,508,510,512,514,516,518,520,522"); 1084 1085 done: 1086 addr_policy_list_free(policy); 1087 addr_policy_list_free(policy2); 1088 addr_policy_list_free(policy3); 1089 addr_policy_list_free(policy4); 1090 addr_policy_list_free(policy5); 1091 addr_policy_list_free(policy6); 1092 addr_policy_list_free(policy7); 1093 addr_policy_list_free(policy8); 1094 addr_policy_list_free(policy9); 1095 addr_policy_list_free(policy10); 1096 addr_policy_list_free(policy11); 1097 addr_policy_list_free(policy12); 1098 tor_free(policy_str); 1099 if (sm) { 1100 SMARTLIST_FOREACH(sm, char *, s, tor_free(s)); 1101 smartlist_free(sm); 1102 } 1103 short_policy_free(short_parsed); 1104 } 1105 1106 /** Helper: Check that policy_list contains address */ 1107 static int 1108 test_policy_has_address_helper(const smartlist_t *policy_list, 1109 const tor_addr_t *addr) 1110 { 1111 int found = 0; 1112 1113 tt_assert(policy_list); 1114 tt_assert(addr); 1115 1116 SMARTLIST_FOREACH_BEGIN(policy_list, addr_policy_t*, p) { 1117 if (tor_addr_eq(&p->addr, addr)) { 1118 found = 1; 1119 } 1120 } SMARTLIST_FOREACH_END(p); 1121 1122 return found; 1123 1124 done: 1125 return 0; 1126 } 1127 1128 #define TEST_IPV4_ADDR ("1.2.3.4") 1129 #define TEST_IPV6_ADDR ("2002::abcd") 1130 1131 /** Run unit tests for rejecting the configured addresses on this exit relay 1132 * using policies_parse_exit_policy_reject_private */ 1133 static void 1134 test_policies_reject_exit_address(void *arg) 1135 { 1136 smartlist_t *policy = NULL; 1137 tor_addr_t ipv4_addr, ipv6_addr; 1138 smartlist_t *ipv4_list, *ipv6_list, *both_list, *dupl_list; 1139 (void)arg; 1140 1141 tor_addr_parse(&ipv4_addr, TEST_IPV4_ADDR); 1142 tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR); 1143 1144 ipv4_list = smartlist_new(); 1145 ipv6_list = smartlist_new(); 1146 both_list = smartlist_new(); 1147 dupl_list = smartlist_new(); 1148 1149 smartlist_add(ipv4_list, &ipv4_addr); 1150 smartlist_add(both_list, &ipv4_addr); 1151 smartlist_add(dupl_list, &ipv4_addr); 1152 smartlist_add(dupl_list, &ipv4_addr); 1153 smartlist_add(dupl_list, &ipv4_addr); 1154 1155 smartlist_add(ipv6_list, &ipv6_addr); 1156 smartlist_add(both_list, &ipv6_addr); 1157 smartlist_add(dupl_list, &ipv6_addr); 1158 smartlist_add(dupl_list, &ipv6_addr); 1159 1160 /* IPv4-Only Exits */ 1161 1162 /* test that IPv4 addresses are rejected on an IPv4-only exit */ 1163 policies_parse_exit_policy_reject_private(&policy, 0, ipv4_list, 0, 0); 1164 tt_assert(policy); 1165 tt_int_op(smartlist_len(policy), OP_EQ, 1); 1166 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr)); 1167 addr_policy_list_free(policy); 1168 policy = NULL; 1169 1170 /* test that IPv6 addresses are NOT rejected on an IPv4-only exit 1171 * (all IPv6 addresses are rejected by policies_parse_exit_policy_internal 1172 * on IPv4-only exits, so policies_parse_exit_policy_reject_private doesn't 1173 * need to do anything) */ 1174 policies_parse_exit_policy_reject_private(&policy, 0, ipv6_list, 0, 0); 1175 tt_ptr_op(policy, OP_EQ, NULL); 1176 1177 /* test that only IPv4 addresses are rejected on an IPv4-only exit */ 1178 policies_parse_exit_policy_reject_private(&policy, 0, both_list, 0, 0); 1179 tt_assert(policy); 1180 tt_int_op(smartlist_len(policy), OP_EQ, 1); 1181 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr)); 1182 addr_policy_list_free(policy); 1183 policy = NULL; 1184 1185 /* Test that lists with duplicate entries produce the same results */ 1186 policies_parse_exit_policy_reject_private(&policy, 0, dupl_list, 0, 0); 1187 tt_assert(policy); 1188 tt_int_op(smartlist_len(policy), OP_EQ, 1); 1189 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr)); 1190 addr_policy_list_free(policy); 1191 policy = NULL; 1192 1193 /* IPv4/IPv6 Exits */ 1194 1195 /* test that IPv4 addresses are rejected on an IPv4/IPv6 exit */ 1196 policies_parse_exit_policy_reject_private(&policy, 1, ipv4_list, 0, 0); 1197 tt_assert(policy); 1198 tt_int_op(smartlist_len(policy), OP_EQ, 1); 1199 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr)); 1200 addr_policy_list_free(policy); 1201 policy = NULL; 1202 1203 /* test that IPv6 addresses are rejected on an IPv4/IPv6 exit */ 1204 policies_parse_exit_policy_reject_private(&policy, 1, ipv6_list, 0, 0); 1205 tt_assert(policy); 1206 tt_int_op(smartlist_len(policy), OP_EQ, 1); 1207 tt_assert(test_policy_has_address_helper(policy, &ipv6_addr)); 1208 addr_policy_list_free(policy); 1209 policy = NULL; 1210 1211 /* test that IPv4 and IPv6 addresses are rejected on an IPv4/IPv6 exit */ 1212 policies_parse_exit_policy_reject_private(&policy, 1, both_list, 0, 0); 1213 tt_assert(policy); 1214 tt_int_op(smartlist_len(policy), OP_EQ, 2); 1215 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr)); 1216 tt_assert(test_policy_has_address_helper(policy, &ipv6_addr)); 1217 addr_policy_list_free(policy); 1218 policy = NULL; 1219 1220 /* Test that lists with duplicate entries produce the same results */ 1221 policies_parse_exit_policy_reject_private(&policy, 1, dupl_list, 0, 0); 1222 tt_assert(policy); 1223 tt_int_op(smartlist_len(policy), OP_EQ, 2); 1224 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr)); 1225 tt_assert(test_policy_has_address_helper(policy, &ipv6_addr)); 1226 addr_policy_list_free(policy); 1227 policy = NULL; 1228 1229 done: 1230 addr_policy_list_free(policy); 1231 smartlist_free(ipv4_list); 1232 smartlist_free(ipv6_list); 1233 smartlist_free(both_list); 1234 smartlist_free(dupl_list); 1235 } 1236 1237 static smartlist_t *test_configured_ports = NULL; 1238 1239 /** Returns test_configured_ports */ 1240 static const smartlist_t * 1241 mock_get_configured_ports(void) 1242 { 1243 return test_configured_ports; 1244 } 1245 1246 /** Run unit tests for rejecting publicly routable configured port addresses 1247 * on this exit relay using policies_parse_exit_policy_reject_private */ 1248 static void 1249 test_policies_reject_port_address(void *arg) 1250 { 1251 smartlist_t *policy = NULL; 1252 port_cfg_t *ipv4_port = NULL; 1253 port_cfg_t *ipv6_port = NULL; 1254 (void)arg; 1255 1256 test_configured_ports = smartlist_new(); 1257 1258 ipv4_port = port_cfg_new(0); 1259 tor_addr_parse(&ipv4_port->addr, TEST_IPV4_ADDR); 1260 smartlist_add(test_configured_ports, ipv4_port); 1261 1262 ipv6_port = port_cfg_new(0); 1263 tor_addr_parse(&ipv6_port->addr, TEST_IPV6_ADDR); 1264 smartlist_add(test_configured_ports, ipv6_port); 1265 1266 MOCK(get_configured_ports, mock_get_configured_ports); 1267 1268 /* test that an IPv4 port is rejected on an IPv4-only exit, but an IPv6 port 1269 * is NOT rejected (all IPv6 addresses are rejected by 1270 * policies_parse_exit_policy_internal on IPv4-only exits, so 1271 * policies_parse_exit_policy_reject_private doesn't need to do anything 1272 * with IPv6 addresses on IPv4-only exits) */ 1273 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 1); 1274 tt_assert(policy); 1275 tt_int_op(smartlist_len(policy), OP_EQ, 1); 1276 tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr)); 1277 addr_policy_list_free(policy); 1278 policy = NULL; 1279 1280 /* test that IPv4 and IPv6 ports are rejected on an IPv4/IPv6 exit */ 1281 policies_parse_exit_policy_reject_private(&policy, 1, NULL, 0, 1); 1282 tt_assert(policy); 1283 tt_int_op(smartlist_len(policy), OP_EQ, 2); 1284 tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr)); 1285 tt_assert(test_policy_has_address_helper(policy, &ipv6_port->addr)); 1286 addr_policy_list_free(policy); 1287 policy = NULL; 1288 1289 done: 1290 addr_policy_list_free(policy); 1291 if (test_configured_ports) { 1292 SMARTLIST_FOREACH(test_configured_ports, 1293 port_cfg_t *, p, port_cfg_free(p)); 1294 smartlist_free(test_configured_ports); 1295 test_configured_ports = NULL; 1296 } 1297 UNMOCK(get_configured_ports); 1298 } 1299 1300 static smartlist_t *mock_ipv4_addrs = NULL; 1301 static smartlist_t *mock_ipv6_addrs = NULL; 1302 1303 /* mock get_interface_address6_list, returning a deep copy of the template 1304 * address list ipv4_interface_address_list or ipv6_interface_address_list */ 1305 static smartlist_t * 1306 mock_get_interface_address6_list(int severity, 1307 sa_family_t family, 1308 int include_internal) 1309 { 1310 (void)severity; 1311 (void)include_internal; 1312 smartlist_t *clone_list = smartlist_new(); 1313 smartlist_t *template_list = NULL; 1314 1315 if (family == AF_INET) { 1316 template_list = mock_ipv4_addrs; 1317 } else if (family == AF_INET6) { 1318 template_list = mock_ipv6_addrs; 1319 } else { 1320 return NULL; 1321 } 1322 1323 tt_assert(template_list); 1324 1325 SMARTLIST_FOREACH_BEGIN(template_list, tor_addr_t *, src_addr) { 1326 tor_addr_t *dest_addr = tor_malloc(sizeof(tor_addr_t)); 1327 memset(dest_addr, 0, sizeof(*dest_addr)); 1328 tor_addr_copy_tight(dest_addr, src_addr); 1329 smartlist_add(clone_list, dest_addr); 1330 } SMARTLIST_FOREACH_END(src_addr); 1331 1332 return clone_list; 1333 1334 done: 1335 interface_address6_list_free(clone_list); 1336 return NULL; 1337 } 1338 1339 /** Run unit tests for rejecting publicly routable interface addresses on this 1340 * exit relay using policies_parse_exit_policy_reject_private */ 1341 static void 1342 test_policies_reject_interface_address(void *arg) 1343 { 1344 smartlist_t *policy = NULL; 1345 smartlist_t *public_ipv4_addrs = 1346 get_interface_address6_list(LOG_INFO, AF_INET, 0); 1347 smartlist_t *public_ipv6_addrs = 1348 get_interface_address6_list(LOG_INFO, AF_INET6, 0); 1349 tor_addr_t ipv4_addr, ipv6_addr; 1350 (void)arg; 1351 1352 /* test that no addresses are rejected when none are supplied/requested */ 1353 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 0); 1354 tt_ptr_op(policy, OP_EQ, NULL); 1355 1356 /* test that only IPv4 interface addresses are rejected on an IPv4-only exit 1357 * (and allow for duplicates) 1358 */ 1359 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 1, 0); 1360 if (policy) { 1361 tt_assert(smartlist_len(policy) <= smartlist_len(public_ipv4_addrs)); 1362 addr_policy_list_free(policy); 1363 policy = NULL; 1364 } 1365 1366 /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6 1367 * exit (and allow for duplicates) */ 1368 policies_parse_exit_policy_reject_private(&policy, 1, NULL, 1, 0); 1369 if (policy) { 1370 tt_assert(smartlist_len(policy) <= (smartlist_len(public_ipv4_addrs) 1371 + smartlist_len(public_ipv6_addrs))); 1372 addr_policy_list_free(policy); 1373 policy = NULL; 1374 } 1375 1376 /* Now do it all again, but mocked */ 1377 tor_addr_parse(&ipv4_addr, TEST_IPV4_ADDR); 1378 mock_ipv4_addrs = smartlist_new(); 1379 smartlist_add(mock_ipv4_addrs, (void *)&ipv4_addr); 1380 1381 tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR); 1382 mock_ipv6_addrs = smartlist_new(); 1383 smartlist_add(mock_ipv6_addrs, (void *)&ipv6_addr); 1384 1385 MOCK(get_interface_address6_list, mock_get_interface_address6_list); 1386 1387 /* test that no addresses are rejected when none are supplied/requested */ 1388 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 0); 1389 tt_ptr_op(policy, OP_EQ, NULL); 1390 1391 /* test that only IPv4 interface addresses are rejected on an IPv4-only exit 1392 */ 1393 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 1, 0); 1394 tt_assert(policy); 1395 tt_assert(smartlist_len(policy) == smartlist_len(mock_ipv4_addrs)); 1396 addr_policy_list_free(policy); 1397 policy = NULL; 1398 1399 /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6 1400 * exit */ 1401 policies_parse_exit_policy_reject_private(&policy, 1, NULL, 1, 0); 1402 tt_assert(policy); 1403 tt_assert(smartlist_len(policy) == (smartlist_len(mock_ipv4_addrs) 1404 + smartlist_len(mock_ipv6_addrs))); 1405 addr_policy_list_free(policy); 1406 policy = NULL; 1407 1408 done: 1409 addr_policy_list_free(policy); 1410 interface_address6_list_free(public_ipv4_addrs); 1411 interface_address6_list_free(public_ipv6_addrs); 1412 1413 UNMOCK(get_interface_address6_list); 1414 /* we don't use interface_address6_list_free on these lists because their 1415 * address pointers are stack-based */ 1416 smartlist_free(mock_ipv4_addrs); 1417 smartlist_free(mock_ipv6_addrs); 1418 } 1419 1420 #undef TEST_IPV4_ADDR 1421 #undef TEST_IPV6_ADDR 1422 1423 static void 1424 test_dump_exit_policy_to_string(void *arg) 1425 { 1426 char *ep; 1427 addr_policy_t *policy_entry; 1428 int malformed_list = -1; 1429 1430 routerinfo_t *ri = tor_malloc_zero(sizeof(routerinfo_t)); 1431 1432 (void)arg; 1433 1434 ri->policy_is_reject_star = 1; 1435 ri->exit_policy = NULL; // expecting "reject *:*" 1436 ep = router_dump_exit_policy_to_string(ri,1,1); 1437 1438 tt_str_op("reject *:*",OP_EQ, ep); 1439 1440 tor_free(ep); 1441 1442 ri->exit_policy = smartlist_new(); 1443 ri->policy_is_reject_star = 0; 1444 1445 policy_entry = router_parse_addr_policy_item_from_string("accept *:*", -1, 1446 &malformed_list); 1447 1448 smartlist_add(ri->exit_policy,policy_entry); 1449 1450 ep = router_dump_exit_policy_to_string(ri,1,1); 1451 1452 tt_str_op("accept *:*",OP_EQ, ep); 1453 1454 tor_free(ep); 1455 1456 policy_entry = router_parse_addr_policy_item_from_string("reject *:25", -1, 1457 &malformed_list); 1458 1459 smartlist_add(ri->exit_policy,policy_entry); 1460 1461 ep = router_dump_exit_policy_to_string(ri,1,1); 1462 1463 tt_str_op("accept *:*\nreject *:25",OP_EQ, ep); 1464 1465 tor_free(ep); 1466 1467 policy_entry = 1468 router_parse_addr_policy_item_from_string("reject 8.8.8.8:*", -1, 1469 &malformed_list); 1470 1471 smartlist_add(ri->exit_policy,policy_entry); 1472 1473 ep = router_dump_exit_policy_to_string(ri,1,1); 1474 1475 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*",OP_EQ, ep); 1476 tor_free(ep); 1477 1478 policy_entry = 1479 router_parse_addr_policy_item_from_string("reject6 [FC00::]/7:*", -1, 1480 &malformed_list); 1481 1482 smartlist_add(ri->exit_policy,policy_entry); 1483 1484 ep = router_dump_exit_policy_to_string(ri,1,1); 1485 1486 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n" 1487 "reject6 [fc00::]/7:*",OP_EQ, ep); 1488 tor_free(ep); 1489 1490 policy_entry = 1491 router_parse_addr_policy_item_from_string("accept6 [c000::]/3:*", -1, 1492 &malformed_list); 1493 1494 smartlist_add(ri->exit_policy,policy_entry); 1495 1496 ep = router_dump_exit_policy_to_string(ri,1,1); 1497 1498 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n" 1499 "reject6 [fc00::]/7:*\naccept6 [c000::]/3:*",OP_EQ, ep); 1500 1501 done: 1502 1503 if (ri->exit_policy) { 1504 SMARTLIST_FOREACH(ri->exit_policy, addr_policy_t *, 1505 entry, addr_policy_free(entry)); 1506 smartlist_free(ri->exit_policy); 1507 } 1508 tor_free(ri); 1509 tor_free(ep); 1510 } 1511 1512 static routerinfo_t *mock_desc_routerinfo = NULL; 1513 static int routerinfo_err; 1514 1515 static const routerinfo_t * 1516 mock_router_get_my_routerinfo_with_err(int *err) 1517 { 1518 if (routerinfo_err) { 1519 if (err) 1520 *err = routerinfo_err; 1521 1522 return NULL; 1523 } 1524 1525 if (err) 1526 *err = 0; 1527 1528 return mock_desc_routerinfo; 1529 } 1530 1531 #define DEFAULT_POLICY_STRING "reject *:*" 1532 #define TEST_IPV4_ADDR ("2.4.6.8") 1533 #define TEST_IPV6_ADDR ("2003::ef01") 1534 1535 static or_options_t mock_options; 1536 1537 static const or_options_t * 1538 mock_get_options(void) 1539 { 1540 return &mock_options; 1541 } 1542 1543 /** Run unit tests for generating summary lines of exit policies */ 1544 static void 1545 test_policies_getinfo_helper_policies(void *arg) 1546 { 1547 (void)arg; 1548 int rv = 0; 1549 size_t ipv4_len = 0, ipv6_len = 0; 1550 char *answer = NULL; 1551 const char *errmsg = NULL; 1552 routerinfo_t mock_my_routerinfo; 1553 1554 memset(&mock_my_routerinfo, 0, sizeof(mock_my_routerinfo)); 1555 1556 rv = getinfo_helper_policies(NULL, "exit-policy/default", &answer, &errmsg); 1557 tt_int_op(rv, OP_EQ, 0); 1558 tt_ptr_op(answer, OP_NE, NULL); 1559 tt_assert(strlen(answer) > 0); 1560 tor_free(answer); 1561 1562 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/default", 1563 &answer, &errmsg); 1564 tt_int_op(rv, OP_EQ, 0); 1565 tt_ptr_op(answer, OP_NE, NULL); 1566 tt_assert(strlen(answer) > 0); 1567 tor_free(answer); 1568 1569 memset(&mock_my_routerinfo, 0, sizeof(routerinfo_t)); 1570 MOCK(router_get_my_routerinfo_with_err, 1571 mock_router_get_my_routerinfo_with_err); 1572 mock_my_routerinfo.exit_policy = smartlist_new(); 1573 mock_desc_routerinfo = &mock_my_routerinfo; 1574 1575 memset(&mock_options, 0, sizeof(or_options_t)); 1576 MOCK(get_options, mock_get_options); 1577 1578 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay", 1579 &answer, &errmsg); 1580 tt_int_op(rv, OP_EQ, 0); 1581 tt_ptr_op(answer, OP_NE, NULL); 1582 tt_assert(strlen(answer) == 0); 1583 tor_free(answer); 1584 1585 rv = getinfo_helper_policies(NULL, "exit-policy/ipv4", &answer, 1586 &errmsg); 1587 tt_int_op(rv, OP_EQ, 0); 1588 tt_ptr_op(answer, OP_NE, NULL); 1589 ipv4_len = strlen(answer); 1590 tt_assert(ipv4_len == 0 || ipv4_len == strlen(DEFAULT_POLICY_STRING)); 1591 tt_assert(ipv4_len == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING)); 1592 tor_free(answer); 1593 1594 rv = getinfo_helper_policies(NULL, "exit-policy/ipv6", &answer, 1595 &errmsg); 1596 tt_int_op(rv, OP_EQ, 0); 1597 tt_ptr_op(answer, OP_NE, NULL); 1598 ipv6_len = strlen(answer); 1599 tt_assert(ipv6_len == 0 || ipv6_len == strlen(DEFAULT_POLICY_STRING)); 1600 tt_assert(ipv6_len == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING)); 1601 tor_free(answer); 1602 1603 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer, 1604 &errmsg); 1605 tt_int_op(rv, OP_EQ, 0); 1606 tt_ptr_op(answer, OP_NE, NULL); 1607 /* It's either empty or it's the default */ 1608 tt_assert(strlen(answer) == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING)); 1609 tor_free(answer); 1610 1611 tor_addr_parse(&mock_my_routerinfo.ipv4_addr, TEST_IPV4_ADDR); 1612 tor_addr_parse(&mock_my_routerinfo.ipv6_addr, TEST_IPV6_ADDR); 1613 append_exit_policy_string(&mock_my_routerinfo.exit_policy, "accept *4:*"); 1614 append_exit_policy_string(&mock_my_routerinfo.exit_policy, "reject *6:*"); 1615 1616 mock_options.IPv6Exit = 1; 1617 tor_addr_parse( 1618 &mock_options.OutboundBindAddresses[OUTBOUND_ADDR_EXIT][0], 1619 TEST_IPV4_ADDR); 1620 tor_addr_parse( 1621 &mock_options.OutboundBindAddresses[OUTBOUND_ADDR_EXIT][1], 1622 TEST_IPV6_ADDR); 1623 1624 mock_options.ExitPolicyRejectPrivate = 1; 1625 mock_options.ExitPolicyRejectLocalInterfaces = 1; 1626 1627 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay", 1628 &answer, &errmsg); 1629 tt_int_op(rv, OP_EQ, 0); 1630 tt_ptr_op(answer, OP_NE, NULL); 1631 tt_assert(strlen(answer) > 0); 1632 tor_free(answer); 1633 1634 mock_options.ExitPolicyRejectPrivate = 1; 1635 mock_options.ExitPolicyRejectLocalInterfaces = 0; 1636 1637 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay", 1638 &answer, &errmsg); 1639 tt_int_op(rv, OP_EQ, 0); 1640 tt_ptr_op(answer, OP_NE, NULL); 1641 tt_assert(strlen(answer) > 0); 1642 tor_free(answer); 1643 1644 mock_options.ExitPolicyRejectPrivate = 0; 1645 mock_options.ExitPolicyRejectLocalInterfaces = 1; 1646 1647 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay", 1648 &answer, &errmsg); 1649 tt_int_op(rv, OP_EQ, 0); 1650 tt_ptr_op(answer, OP_NE, NULL); 1651 tt_assert(strlen(answer) > 0); 1652 tor_free(answer); 1653 1654 mock_options.ExitPolicyRejectPrivate = 0; 1655 mock_options.ExitPolicyRejectLocalInterfaces = 0; 1656 1657 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay", 1658 &answer, &errmsg); 1659 tt_int_op(rv, OP_EQ, 0); 1660 tt_ptr_op(answer, OP_NE, NULL); 1661 tt_assert(strlen(answer) == 0); 1662 tor_free(answer); 1663 1664 rv = getinfo_helper_policies(NULL, "exit-policy/ipv4", &answer, 1665 &errmsg); 1666 tt_int_op(rv, OP_EQ, 0); 1667 tt_ptr_op(answer, OP_NE, NULL); 1668 ipv4_len = strlen(answer); 1669 tt_assert(ipv4_len > 0); 1670 tor_free(answer); 1671 1672 rv = getinfo_helper_policies(NULL, "exit-policy/ipv6", &answer, 1673 &errmsg); 1674 tt_int_op(rv, OP_EQ, 0); 1675 tt_ptr_op(answer, OP_NE, NULL); 1676 ipv6_len = strlen(answer); 1677 tt_assert(ipv6_len > 0); 1678 tor_free(answer); 1679 1680 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer, 1681 &errmsg); 1682 tt_int_op(rv, OP_EQ, 0); 1683 tt_ptr_op(answer, OP_NE, NULL); 1684 tt_assert(strlen(answer) > 0); 1685 tt_assert(strlen(answer) == ipv4_len + ipv6_len + 1); 1686 tor_free(answer); 1687 1688 routerinfo_err = TOR_ROUTERINFO_ERROR_NO_EXT_ADDR; 1689 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer, 1690 &errmsg); 1691 tt_int_op(rv, OP_EQ, -1); 1692 tt_ptr_op(answer, OP_EQ, NULL); 1693 tt_ptr_op(errmsg, OP_NE, NULL); 1694 tt_str_op(errmsg, OP_EQ, "No known exit address yet"); 1695 1696 routerinfo_err = TOR_ROUTERINFO_ERROR_CANNOT_PARSE; 1697 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer, 1698 &errmsg); 1699 tt_int_op(rv, OP_EQ, -1); 1700 tt_ptr_op(answer, OP_EQ, NULL); 1701 tt_ptr_op(errmsg, OP_NE, NULL); 1702 tt_str_op(errmsg, OP_EQ, "Cannot parse descriptor"); 1703 1704 routerinfo_err = TOR_ROUTERINFO_ERROR_NOT_A_SERVER; 1705 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer, 1706 &errmsg); 1707 tt_int_op(rv, OP_EQ, 0); 1708 tt_ptr_op(answer, OP_EQ, NULL); 1709 tt_ptr_op(errmsg, OP_NE, NULL); 1710 tt_str_op(errmsg, OP_EQ, "Not running in server mode"); 1711 1712 routerinfo_err = TOR_ROUTERINFO_ERROR_DIGEST_FAILED; 1713 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer, 1714 &errmsg); 1715 1716 tt_int_op(rv, OP_EQ, -1); 1717 tt_ptr_op(answer, OP_EQ, NULL); 1718 tt_ptr_op(errmsg, OP_NE, NULL); 1719 tt_str_op(errmsg, OP_EQ, "Key digest failed"); 1720 1721 routerinfo_err = TOR_ROUTERINFO_ERROR_CANNOT_GENERATE; 1722 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer, 1723 &errmsg); 1724 tt_int_op(rv, OP_EQ, -1); 1725 tt_ptr_op(answer, OP_EQ, NULL); 1726 tt_ptr_op(errmsg, OP_NE, NULL); 1727 tt_str_op(errmsg, OP_EQ, "Cannot generate descriptor"); 1728 1729 routerinfo_err = TOR_ROUTERINFO_ERROR_DESC_REBUILDING; 1730 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer, 1731 &errmsg); 1732 tt_int_op(rv, OP_EQ, -1); 1733 tt_ptr_op(answer, OP_EQ, NULL); 1734 tt_ptr_op(errmsg, OP_NE, NULL); 1735 tt_str_op(errmsg, OP_EQ, "Descriptor still rebuilding - not ready yet"); 1736 1737 done: 1738 tor_free(answer); 1739 UNMOCK(get_options); 1740 UNMOCK(router_get_my_routerinfo); 1741 addr_policy_list_free(mock_my_routerinfo.exit_policy); 1742 } 1743 1744 #undef DEFAULT_POLICY_STRING 1745 #undef TEST_IPV4_ADDR 1746 #undef TEST_IPV6_ADDR 1747 1748 #define TEST_IPV4_ADDR_STR "1.2.3.4" 1749 #define TEST_IPV6_ADDR_STR "[1002::4567]" 1750 #define REJECT_IPv4_FINAL_STR "reject 0.0.0.0/0:*" 1751 #define REJECT_IPv6_FINAL_STR "reject [::]/0:*" 1752 1753 #define OTHER_IPV4_ADDR_STR "6.7.8.9" 1754 #define OTHER_IPV6_ADDR_STR "[afff::]" 1755 1756 /** Run unit tests for reachable_addr_allows */ 1757 static void 1758 test_policies_fascist_firewall_allows_address(void *arg) 1759 { 1760 (void)arg; 1761 tor_addr_t ipv4_addr, ipv6_addr, r_ipv4_addr, r_ipv6_addr; 1762 tor_addr_t n_ipv4_addr, n_ipv6_addr; 1763 const uint16_t port = 1234; 1764 smartlist_t *policy = NULL; 1765 smartlist_t *e_policy = NULL; 1766 addr_policy_t *item = NULL; 1767 int malformed_list = 0; 1768 1769 /* Setup the options and the items in the policies */ 1770 memset(&mock_options, 0, sizeof(or_options_t)); 1771 MOCK(get_options, mock_get_options); 1772 1773 policy = smartlist_new(); 1774 item = router_parse_addr_policy_item_from_string("accept " 1775 TEST_IPV4_ADDR_STR ":*", 1776 ADDR_POLICY_ACCEPT, 1777 &malformed_list); 1778 tt_assert(item); 1779 tt_assert(!malformed_list); 1780 smartlist_add(policy, item); 1781 item = router_parse_addr_policy_item_from_string("accept " 1782 TEST_IPV6_ADDR_STR, 1783 ADDR_POLICY_ACCEPT, 1784 &malformed_list); 1785 tt_assert(item); 1786 tt_assert(!malformed_list); 1787 smartlist_add(policy, item); 1788 /* Normally, policy_expand_unspec would do this for us */ 1789 item = router_parse_addr_policy_item_from_string(REJECT_IPv4_FINAL_STR, 1790 ADDR_POLICY_ACCEPT, 1791 &malformed_list); 1792 tt_assert(item); 1793 tt_assert(!malformed_list); 1794 smartlist_add(policy, item); 1795 item = router_parse_addr_policy_item_from_string(REJECT_IPv6_FINAL_STR, 1796 ADDR_POLICY_ACCEPT, 1797 &malformed_list); 1798 tt_assert(item); 1799 tt_assert(!malformed_list); 1800 smartlist_add(policy, item); 1801 item = NULL; 1802 1803 e_policy = smartlist_new(); 1804 1805 /* 1806 char *polstr = policy_dump_to_string(policy, 1, 1); 1807 printf("%s\n", polstr); 1808 tor_free(polstr); 1809 */ 1810 1811 /* Parse the addresses */ 1812 tor_addr_parse(&ipv4_addr, TEST_IPV4_ADDR_STR); 1813 tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR_STR); 1814 tor_addr_parse(&r_ipv4_addr, OTHER_IPV4_ADDR_STR); 1815 tor_addr_parse(&r_ipv6_addr, OTHER_IPV6_ADDR_STR); 1816 tor_addr_make_null(&n_ipv4_addr, AF_INET); 1817 tor_addr_make_null(&n_ipv6_addr, AF_INET6); 1818 1819 /* Test the function's address matching with IPv4 and IPv6 on */ 1820 memset(&mock_options, 0, sizeof(or_options_t)); 1821 mock_options.ClientUseIPv4 = 1; 1822 mock_options.ClientUseIPv6 = 1; 1823 mock_options.UseBridges = 0; 1824 1825 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 0, 0), 1826 OP_EQ, 1); 1827 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 0, 0), 1828 OP_EQ, 1); 1829 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 0, 0), 1830 OP_EQ, 0); 1831 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 0, 0), 1832 OP_EQ, 0); 1833 1834 /* Preferring IPv4 */ 1835 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 1, 0), 1836 OP_EQ, 1); 1837 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 1, 0), 1838 OP_EQ, 0); 1839 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 1, 0), 1840 OP_EQ, 0); 1841 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 1, 0), 1842 OP_EQ, 0); 1843 1844 /* Preferring IPv6 */ 1845 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 1, 1), 1846 OP_EQ, 0); 1847 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 1, 1), 1848 OP_EQ, 1); 1849 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 1, 1), 1850 OP_EQ, 0); 1851 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 1, 1), 1852 OP_EQ, 0); 1853 1854 /* Test the function's address matching with UseBridges on */ 1855 memset(&mock_options, 0, sizeof(or_options_t)); 1856 mock_options.ClientUseIPv4 = 1; 1857 mock_options.ClientUseIPv6 = 1; 1858 mock_options.UseBridges = 1; 1859 1860 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 0, 0), 1861 OP_EQ, 1); 1862 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 0, 0), 1863 OP_EQ, 1); 1864 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 0, 0), 1865 OP_EQ, 0); 1866 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 0, 0), 1867 OP_EQ, 0); 1868 1869 /* Preferring IPv4 */ 1870 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 1, 0), 1871 OP_EQ, 1); 1872 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 1, 0), 1873 OP_EQ, 0); 1874 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 1, 0), 1875 OP_EQ, 0); 1876 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 1, 0), 1877 OP_EQ, 0); 1878 1879 /* Preferring IPv6 */ 1880 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 1, 1), 1881 OP_EQ, 0); 1882 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 1, 1), 1883 OP_EQ, 1); 1884 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 1, 1), 1885 OP_EQ, 0); 1886 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 1, 1), 1887 OP_EQ, 0); 1888 1889 /* bridge clients always use IPv6, regardless of ClientUseIPv6 */ 1890 mock_options.ClientUseIPv4 = 1; 1891 mock_options.ClientUseIPv6 = 0; 1892 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 0, 0), 1893 OP_EQ, 1); 1894 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 0, 0), 1895 OP_EQ, 1); 1896 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 0, 0), 1897 OP_EQ, 0); 1898 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 0, 0), 1899 OP_EQ, 0); 1900 1901 /* Test the function's address matching with IPv4 on */ 1902 memset(&mock_options, 0, sizeof(or_options_t)); 1903 mock_options.ClientUseIPv4 = 1; 1904 mock_options.ClientUseIPv6 = 0; 1905 mock_options.UseBridges = 0; 1906 1907 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 0, 0), 1908 OP_EQ, 1); 1909 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 0, 0), 1910 OP_EQ, 0); 1911 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 0, 0), 1912 OP_EQ, 0); 1913 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 0, 0), 1914 OP_EQ, 0); 1915 1916 /* Test the function's address matching with IPv6 on */ 1917 memset(&mock_options, 0, sizeof(or_options_t)); 1918 mock_options.ClientUseIPv4 = 0; 1919 mock_options.ClientUseIPv6 = 1; 1920 mock_options.UseBridges = 0; 1921 1922 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 0, 0), 1923 OP_EQ, 0); 1924 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 0, 0), 1925 OP_EQ, 1); 1926 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 0, 0), 1927 OP_EQ, 0); 1928 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 0, 0), 1929 OP_EQ, 0); 1930 1931 /* Test the function's address matching with ClientUseIPv4 0. 1932 * This means "use IPv6" regardless of the other settings. */ 1933 memset(&mock_options, 0, sizeof(or_options_t)); 1934 mock_options.ClientUseIPv4 = 0; 1935 mock_options.ClientUseIPv6 = 0; 1936 mock_options.UseBridges = 0; 1937 1938 tt_int_op(reachable_addr_allows(&ipv4_addr, port, policy, 0, 0), 1939 OP_EQ, 0); 1940 tt_int_op(reachable_addr_allows(&ipv6_addr, port, policy, 0, 0), 1941 OP_EQ, 1); 1942 tt_int_op(reachable_addr_allows(&r_ipv4_addr, port, policy, 0, 0), 1943 OP_EQ, 0); 1944 tt_int_op(reachable_addr_allows(&r_ipv6_addr, port, policy, 0, 0), 1945 OP_EQ, 0); 1946 1947 /* Test the function's address matching for unusual inputs */ 1948 memset(&mock_options, 0, sizeof(or_options_t)); 1949 mock_options.ClientUseIPv4 = 1; 1950 mock_options.ClientUseIPv6 = 1; 1951 mock_options.UseBridges = 1; 1952 1953 /* NULL and tor_addr_is_null addresses are rejected */ 1954 tt_int_op(reachable_addr_allows(NULL, port, policy, 0, 0), OP_EQ, 1955 0); 1956 tt_int_op(reachable_addr_allows(&n_ipv4_addr, port, policy, 0, 0), 1957 OP_EQ, 0); 1958 tt_int_op(reachable_addr_allows(&n_ipv6_addr, port, policy, 0, 0), 1959 OP_EQ, 0); 1960 1961 /* zero ports are rejected */ 1962 tt_int_op(reachable_addr_allows(&ipv4_addr, 0, policy, 0, 0), 1963 OP_EQ, 0); 1964 tt_int_op(reachable_addr_allows(&ipv6_addr, 0, policy, 0, 0), 1965 OP_EQ, 0); 1966 1967 /* NULL and empty policies accept everything */ 1968 tt_int_op(reachable_addr_allows(&ipv4_addr, port, NULL, 0, 0), 1969 OP_EQ, 1); 1970 tt_int_op(reachable_addr_allows(&ipv6_addr, port, NULL, 0, 0), 1971 OP_EQ, 1); 1972 tt_int_op(reachable_addr_allows(&ipv4_addr, port, e_policy, 0, 0), 1973 OP_EQ, 1); 1974 tt_int_op(reachable_addr_allows(&ipv6_addr, port, e_policy, 0, 0), 1975 OP_EQ, 1); 1976 1977 done: 1978 addr_policy_free(item); 1979 addr_policy_list_free(policy); 1980 addr_policy_list_free(e_policy); 1981 UNMOCK(get_options); 1982 } 1983 1984 #undef REJECT_IPv4_FINAL_STR 1985 #undef REJECT_IPv6_FINAL_STR 1986 #undef OTHER_IPV4_ADDR_STR 1987 #undef OTHER_IPV6_ADDR_STR 1988 1989 #define TEST_IPV4_OR_PORT 1234 1990 #define TEST_IPV4_DIR_PORT 2345 1991 #define TEST_IPV6_OR_PORT 61234 1992 #define TEST_IPV6_DIR_PORT 62345 1993 1994 /* Check that reachable_addr_choose_from_rs() returns the expected 1995 * results. */ 1996 #define CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \ 1997 expect_ap) \ 1998 STMT_BEGIN \ 1999 tor_addr_port_t chosen_rs_ap; \ 2000 tor_addr_make_null(&chosen_rs_ap.addr, AF_INET); \ 2001 chosen_rs_ap.port = 0; \ 2002 reachable_addr_choose_from_rs(&(fake_rs), (fw_connection), \ 2003 (pref_only), &chosen_rs_ap); \ 2004 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_rs_ap.addr)); \ 2005 tt_int_op((expect_ap).port, OP_EQ, chosen_rs_ap.port); \ 2006 STMT_END 2007 2008 /* Check that reachable_addr_choose_from_node() returns the expected 2009 * results. */ 2010 #define CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, \ 2011 expect_rv, expect_ap) \ 2012 STMT_BEGIN \ 2013 tor_addr_port_t chosen_node_ap; \ 2014 tor_addr_make_null(&chosen_node_ap.addr, AF_INET); \ 2015 chosen_node_ap.port = 0; \ 2016 reachable_addr_choose_from_node(&(fake_node),(fw_connection), \ 2017 (pref_only), &chosen_node_ap); \ 2018 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_node_ap.addr)); \ 2019 tt_int_op((expect_ap).port, OP_EQ, chosen_node_ap.port); \ 2020 STMT_END 2021 2022 /* Check that reachable_addr_choose_from_rs and 2023 * reachable_addr_choose_from_node() both return the expected results. */ 2024 #define CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, fw_connection, pref_only, \ 2025 expect_rv, expect_ap) \ 2026 STMT_BEGIN \ 2027 CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \ 2028 expect_ap); \ 2029 CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, expect_rv, \ 2030 expect_ap); \ 2031 STMT_END 2032 2033 /* Check that reachable_addr_choose_from_ls() returns the expected 2034 * results. */ 2035 #define CHECK_CHOSEN_ADDR_NULL_LS() \ 2036 STMT_BEGIN \ 2037 tor_addr_port_t chosen_ls_ap; \ 2038 tor_addr_make_null(&chosen_ls_ap.addr, AF_UNSPEC); \ 2039 chosen_ls_ap.port = 0; \ 2040 setup_full_capture_of_logs(LOG_WARN); \ 2041 reachable_addr_choose_from_ls(NULL, 1, &chosen_ls_ap); \ 2042 expect_single_log_msg("Unknown or missing link specifiers"); \ 2043 teardown_capture_of_logs(); \ 2044 STMT_END 2045 2046 #define CHECK_CHOSEN_ADDR_LS(fake_ls, pref_only, expect_rv, expect_ap) \ 2047 STMT_BEGIN \ 2048 tor_addr_port_t chosen_ls_ap; \ 2049 tor_addr_make_null(&chosen_ls_ap.addr, AF_UNSPEC); \ 2050 chosen_ls_ap.port = 0; \ 2051 setup_full_capture_of_logs(LOG_WARN); \ 2052 reachable_addr_choose_from_ls(fake_ls, pref_only, &chosen_ls_ap); \ 2053 if (smartlist_len(fake_ls) == 0) { \ 2054 expect_single_log_msg("Link specifiers are empty"); \ 2055 } else { \ 2056 expect_no_log_entry(); \ 2057 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_ls_ap.addr)); \ 2058 tt_int_op((expect_ap).port, OP_EQ, chosen_ls_ap.port); \ 2059 } \ 2060 teardown_capture_of_logs(); \ 2061 STMT_END 2062 2063 #define CHECK_LS_LEGACY_ONLY(fake_ls) \ 2064 STMT_BEGIN \ 2065 tor_addr_port_t chosen_ls_ap; \ 2066 tor_addr_make_null(&chosen_ls_ap.addr, AF_UNSPEC); \ 2067 chosen_ls_ap.port = 0; \ 2068 setup_full_capture_of_logs(LOG_WARN); \ 2069 reachable_addr_choose_from_ls(fake_ls, 0, &chosen_ls_ap); \ 2070 expect_single_log_msg("None of our link specifiers have IPv4 or IPv6"); \ 2071 teardown_capture_of_logs(); \ 2072 STMT_END 2073 2074 #define CHECK_HS_EXTEND_INFO_ADDR_LS(fake_ls, direct_conn, expect_ap) \ 2075 STMT_BEGIN \ 2076 curve25519_secret_key_t seckey; \ 2077 curve25519_secret_key_generate(&seckey, 0); \ 2078 curve25519_public_key_t pubkey; \ 2079 curve25519_public_key_generate(&pubkey, &seckey); \ 2080 setup_full_capture_of_logs(LOG_WARN); \ 2081 extend_info_t *ei = hs_get_extend_info_from_lspecs(fake_ls, &pubkey, \ 2082 direct_conn); \ 2083 if (fake_ls == NULL) { \ 2084 tt_ptr_op(ei, OP_EQ, NULL); \ 2085 expect_single_log_msg("Specified link specifiers is null"); \ 2086 } else { \ 2087 expect_no_log_entry(); \ 2088 tt_assert(tor_addr_eq(&(expect_ap).addr, &ei->orports[0].addr)); \ 2089 tt_int_op((expect_ap).port, OP_EQ, ei->orports[0].port); \ 2090 extend_info_free(ei); \ 2091 } \ 2092 teardown_capture_of_logs(); \ 2093 STMT_END 2094 2095 #define CHECK_HS_EXTEND_INFO_ADDR_LS_NULL_KEY(fake_ls) \ 2096 STMT_BEGIN \ 2097 setup_full_capture_of_logs(LOG_WARN); \ 2098 extend_info_t *ei = hs_get_extend_info_from_lspecs(fake_ls, NULL, 0); \ 2099 tt_ptr_op(ei, OP_EQ, NULL); \ 2100 expect_single_log_msg("Specified onion key is null"); \ 2101 teardown_capture_of_logs(); \ 2102 STMT_END 2103 2104 #define CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(fake_ls, direct_conn) \ 2105 STMT_BEGIN \ 2106 curve25519_secret_key_t seckey; \ 2107 curve25519_secret_key_generate(&seckey, 0); \ 2108 curve25519_public_key_t pubkey; \ 2109 curve25519_public_key_generate(&pubkey, &seckey); \ 2110 extend_info_t *ei = hs_get_extend_info_from_lspecs(fake_ls, &pubkey, \ 2111 direct_conn); \ 2112 tt_ptr_op(ei, OP_EQ, NULL); \ 2113 STMT_END 2114 2115 #define CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_MSG(fake_ls, msg_level, msg) \ 2116 STMT_BEGIN \ 2117 curve25519_secret_key_t seckey; \ 2118 curve25519_secret_key_generate(&seckey, 0); \ 2119 curve25519_public_key_t pubkey; \ 2120 curve25519_public_key_generate(&pubkey, &seckey); \ 2121 setup_full_capture_of_logs(msg_level); \ 2122 extend_info_t *ei = hs_get_extend_info_from_lspecs(fake_ls, &pubkey, 0); \ 2123 tt_ptr_op(ei, OP_EQ, NULL); \ 2124 expect_single_log_msg(msg); \ 2125 teardown_capture_of_logs(); \ 2126 STMT_END 2127 2128 /** Run unit tests for reachable_addr_choose */ 2129 static void 2130 test_policies_fascist_firewall_choose_address(void *arg) 2131 { 2132 (void)arg; 2133 tor_addr_port_t ipv4_or_ap, ipv4_dir_ap, ipv6_or_ap, ipv6_dir_ap; 2134 tor_addr_port_t n_ipv4_ap, n_ipv6_ap; 2135 2136 /* Setup the options */ 2137 memset(&mock_options, 0, sizeof(or_options_t)); 2138 MOCK(get_options, mock_get_options); 2139 2140 /* Parse the addresses */ 2141 tor_addr_parse(&ipv4_or_ap.addr, TEST_IPV4_ADDR_STR); 2142 ipv4_or_ap.port = TEST_IPV4_OR_PORT; 2143 tor_addr_parse(&ipv4_dir_ap.addr, TEST_IPV4_ADDR_STR); 2144 ipv4_dir_ap.port = TEST_IPV4_DIR_PORT; 2145 2146 tor_addr_parse(&ipv6_or_ap.addr, TEST_IPV6_ADDR_STR); 2147 ipv6_or_ap.port = TEST_IPV6_OR_PORT; 2148 tor_addr_parse(&ipv6_dir_ap.addr, TEST_IPV6_ADDR_STR); 2149 ipv6_dir_ap.port = TEST_IPV6_DIR_PORT; 2150 2151 tor_addr_make_null(&n_ipv4_ap.addr, AF_INET); 2152 n_ipv4_ap.port = 0; 2153 tor_addr_make_null(&n_ipv6_ap.addr, AF_INET6); 2154 n_ipv6_ap.port = 0; 2155 2156 /* Sanity check reachable_addr_choose with IPv4 and IPv6 on */ 2157 memset(&mock_options, 0, sizeof(or_options_t)); 2158 mock_options.ClientUseIPv4 = 1; 2159 mock_options.ClientUseIPv6 = 1; 2160 mock_options.UseBridges = 0; 2161 2162 /* Prefer IPv4 */ 2163 tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 1, 2164 FIREWALL_OR_CONNECTION, 0, 0) 2165 == &ipv4_or_ap); 2166 tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 1, 2167 FIREWALL_OR_CONNECTION, 1, 0) 2168 == &ipv4_or_ap); 2169 tt_assert(reachable_addr_choose(&ipv4_dir_ap, &ipv6_dir_ap, 1, 2170 FIREWALL_DIR_CONNECTION, 0, 0) 2171 == &ipv4_dir_ap); 2172 tt_assert(reachable_addr_choose(&ipv4_dir_ap, &ipv6_dir_ap, 1, 2173 FIREWALL_DIR_CONNECTION, 1, 0) 2174 == &ipv4_dir_ap); 2175 2176 /* Prefer IPv6 */ 2177 tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 0, 2178 FIREWALL_OR_CONNECTION, 0, 1) 2179 == &ipv6_or_ap); 2180 tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 0, 2181 FIREWALL_OR_CONNECTION, 1, 1) 2182 == &ipv6_or_ap); 2183 tt_assert(reachable_addr_choose(&ipv4_dir_ap, &ipv6_dir_ap, 0, 2184 FIREWALL_DIR_CONNECTION, 0, 1) 2185 == &ipv6_dir_ap); 2186 tt_assert(reachable_addr_choose(&ipv4_dir_ap, &ipv6_dir_ap, 0, 2187 FIREWALL_DIR_CONNECTION, 1, 1) 2188 == &ipv6_dir_ap); 2189 2190 /* Unusual inputs */ 2191 2192 /* null preferred OR addresses */ 2193 tt_assert(reachable_addr_choose(&ipv4_or_ap, &n_ipv6_ap, 0, 2194 FIREWALL_OR_CONNECTION, 0, 1) 2195 == &ipv4_or_ap); 2196 tt_assert(reachable_addr_choose(&n_ipv4_ap, &ipv6_or_ap, 1, 2197 FIREWALL_OR_CONNECTION, 0, 0) 2198 == &ipv6_or_ap); 2199 2200 /* null both OR addresses */ 2201 tt_ptr_op(reachable_addr_choose(&n_ipv4_ap, &n_ipv6_ap, 0, 2202 FIREWALL_OR_CONNECTION, 0, 1), 2203 OP_EQ, NULL); 2204 tt_ptr_op(reachable_addr_choose(&n_ipv4_ap, &n_ipv6_ap, 1, 2205 FIREWALL_OR_CONNECTION, 0, 0), 2206 OP_EQ, NULL); 2207 2208 /* null preferred Dir addresses */ 2209 tt_assert(reachable_addr_choose(&ipv4_dir_ap, &n_ipv6_ap, 0, 2210 FIREWALL_DIR_CONNECTION, 0, 1) 2211 == &ipv4_dir_ap); 2212 tt_assert(reachable_addr_choose(&n_ipv4_ap, &ipv6_dir_ap, 1, 2213 FIREWALL_DIR_CONNECTION, 0, 0) 2214 == &ipv6_dir_ap); 2215 2216 /* null both Dir addresses */ 2217 tt_ptr_op(reachable_addr_choose(&n_ipv4_ap, &n_ipv6_ap, 0, 2218 FIREWALL_DIR_CONNECTION, 0, 1), 2219 OP_EQ, NULL); 2220 tt_ptr_op(reachable_addr_choose(&n_ipv4_ap, &n_ipv6_ap, 1, 2221 FIREWALL_DIR_CONNECTION, 0, 0), 2222 OP_EQ, NULL); 2223 2224 /* Prefer IPv4 but want IPv6 (contradictory) */ 2225 tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 0, 2226 FIREWALL_OR_CONNECTION, 0, 0) 2227 == &ipv4_or_ap); 2228 tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 0, 2229 FIREWALL_OR_CONNECTION, 1, 0) 2230 == &ipv4_or_ap); 2231 2232 /* Prefer IPv6 but want IPv4 (contradictory) */ 2233 tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 1, 2234 FIREWALL_OR_CONNECTION, 0, 1) 2235 == &ipv6_or_ap); 2236 tt_assert(reachable_addr_choose(&ipv4_or_ap, &ipv6_or_ap, 1, 2237 FIREWALL_OR_CONNECTION, 1, 1) 2238 == &ipv6_or_ap); 2239 2240 /* Make a fake rs. There will be no corresponding node. 2241 * This is what happens when there's no consensus and we're bootstrapping 2242 * from authorities / fallbacks. */ 2243 routerstatus_t fake_rs; 2244 memset(&fake_rs, 0, sizeof(routerstatus_t)); 2245 /* In a routerstatus, the OR and Dir addresses are the same */ 2246 tor_addr_copy(&fake_rs.ipv4_addr, &ipv4_or_ap.addr); 2247 fake_rs.ipv4_orport = ipv4_or_ap.port; 2248 fake_rs.ipv4_dirport = ipv4_dir_ap.port; 2249 2250 tor_addr_copy(&fake_rs.ipv6_addr, &ipv6_or_ap.addr); 2251 fake_rs.ipv6_orport = ipv6_or_ap.port; 2252 /* In a routerstatus, the IPv4 and IPv6 DirPorts are the same.*/ 2253 ipv6_dir_ap.port = TEST_IPV4_DIR_PORT; 2254 2255 /* Make a fake node. Even though it contains the fake_rs, a lookup won't 2256 * find the node from the rs, because they're not in the hash table. */ 2257 node_t fake_node; 2258 memset(&fake_node, 0, sizeof(node_t)); 2259 fake_node.rs = &fake_rs; 2260 2261 /* Choose an address with IPv4 and IPv6 on */ 2262 memset(&mock_options, 0, sizeof(or_options_t)); 2263 mock_options.ClientUseIPv4 = 1; 2264 mock_options.ClientUseIPv6 = 1; 2265 mock_options.UseBridges = 0; 2266 2267 /* Preferring IPv4 */ 2268 mock_options.ClientPreferIPv6ORPort = 0; 2269 mock_options.ClientPreferIPv6DirPort = 0; 2270 /* Simulate the initialisation of fake_node.ipv6_preferred */ 2271 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport( 2272 &mock_options); 2273 2274 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1, 2275 ipv4_or_ap); 2276 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1, 2277 ipv4_or_ap); 2278 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1, 2279 ipv4_dir_ap); 2280 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1, 2281 ipv4_dir_ap); 2282 2283 /* Auto (Preferring IPv4) */ 2284 mock_options.ClientPreferIPv6ORPort = -1; 2285 mock_options.ClientPreferIPv6DirPort = -1; 2286 /* Simulate the initialisation of fake_node.ipv6_preferred */ 2287 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport( 2288 &mock_options); 2289 2290 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1, 2291 ipv4_or_ap); 2292 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1, 2293 ipv4_or_ap); 2294 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1, 2295 ipv4_dir_ap); 2296 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1, 2297 ipv4_dir_ap); 2298 2299 /* Preferring IPv6 */ 2300 mock_options.ClientPreferIPv6ORPort = 1; 2301 mock_options.ClientPreferIPv6DirPort = 1; 2302 /* Simulate the initialisation of fake_node.ipv6_preferred */ 2303 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport( 2304 &mock_options); 2305 2306 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1, 2307 ipv6_or_ap); 2308 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1, 2309 ipv6_or_ap); 2310 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1, 2311 ipv6_dir_ap); 2312 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1, 2313 ipv6_dir_ap); 2314 2315 /* Preferring IPv4 OR / IPv6 Dir */ 2316 mock_options.ClientPreferIPv6ORPort = 0; 2317 mock_options.ClientPreferIPv6DirPort = 1; 2318 /* Simulate the initialisation of fake_node.ipv6_preferred */ 2319 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport( 2320 &mock_options); 2321 2322 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1, 2323 ipv4_or_ap); 2324 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1, 2325 ipv4_or_ap); 2326 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1, 2327 ipv6_dir_ap); 2328 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1, 2329 ipv6_dir_ap); 2330 2331 /* Preferring IPv6 OR / IPv4 Dir */ 2332 mock_options.ClientPreferIPv6ORPort = 1; 2333 mock_options.ClientPreferIPv6DirPort = 0; 2334 /* Simulate the initialisation of fake_node.ipv6_preferred */ 2335 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport( 2336 &mock_options); 2337 2338 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1, 2339 ipv6_or_ap); 2340 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1, 2341 ipv6_or_ap); 2342 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1, 2343 ipv4_dir_ap); 2344 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1, 2345 ipv4_dir_ap); 2346 2347 /* Choose an address with UseBridges on */ 2348 memset(&mock_options, 0, sizeof(or_options_t)); 2349 mock_options.UseBridges = 1; 2350 mock_options.ClientUseIPv4 = 1; 2351 mock_options.ClientUseIPv6 = 1; 2352 2353 /* Preferring IPv4 */ 2354 mock_options.ClientPreferIPv6ORPort = 0; 2355 mock_options.ClientPreferIPv6DirPort = 0; 2356 /* Simulate the initialisation of fake_node.ipv6_preferred */ 2357 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport( 2358 &mock_options); 2359 2360 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1, 2361 ipv4_or_ap); 2362 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1, 2363 ipv4_or_ap); 2364 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1, 2365 ipv4_dir_ap); 2366 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1, 2367 ipv4_dir_ap); 2368 2369 /* Auto: 2370 * - bridge clients prefer the configured bridge OR address from the node, 2371 * (the configured address family sets node.ipv6_preferred) 2372 * - other clients prefer IPv4 OR by default (see above), 2373 * - all clients, including bridge clients, prefer IPv4 Dir by default. 2374 */ 2375 mock_options.ClientPreferIPv6ORPort = -1; 2376 mock_options.ClientPreferIPv6DirPort = -1; 2377 2378 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge 2379 * configured with an IPv4 address */ 2380 fake_node.ipv6_preferred = 0; 2381 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap); 2382 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap); 2383 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1, 2384 ipv4_dir_ap); 2385 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1, 2386 ipv4_dir_ap); 2387 2388 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge 2389 * configured with an IPv6 address */ 2390 fake_node.ipv6_preferred = 1; 2391 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv6_or_ap); 2392 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv6_or_ap); 2393 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1, 2394 ipv4_dir_ap); 2395 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1, 2396 ipv4_dir_ap); 2397 2398 /* When a rs has no node, it defaults to IPv4 under auto. */ 2399 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap); 2400 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap); 2401 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 0, 1, ipv4_dir_ap); 2402 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 1, 1, ipv4_dir_ap); 2403 2404 /* Preferring IPv6 */ 2405 mock_options.ClientPreferIPv6ORPort = 1; 2406 mock_options.ClientPreferIPv6DirPort = 1; 2407 /* Simulate the initialisation of fake_node.ipv6_preferred */ 2408 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport( 2409 &mock_options); 2410 2411 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1, 2412 ipv6_or_ap); 2413 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1, 2414 ipv6_or_ap); 2415 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1, 2416 ipv6_dir_ap); 2417 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1, 2418 ipv6_dir_ap); 2419 2420 /* In the default configuration (Auto / IPv6 off), bridge clients should 2421 * use both IPv4 and IPv6, but only prefer IPv6 for bridges configured with 2422 * an IPv6 address, regardless of ClientUseIPv6. (See above.) */ 2423 mock_options.ClientUseIPv6 = 0; 2424 mock_options.ClientPreferIPv6ORPort = -1; 2425 mock_options.ClientPreferIPv6DirPort = -1; 2426 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge 2427 * configured with an IPv4 address */ 2428 fake_node.ipv6_preferred = 0; 2429 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap); 2430 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap); 2431 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1, 2432 ipv4_dir_ap); 2433 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1, 2434 ipv4_dir_ap); 2435 2436 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge 2437 * configured with an IPv6 address */ 2438 fake_node.ipv6_preferred = 1; 2439 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv6_or_ap); 2440 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv6_or_ap); 2441 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1, 2442 ipv4_dir_ap); 2443 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1, 2444 ipv4_dir_ap); 2445 2446 /* When a rs has no node, it defaults to IPv4 under auto. */ 2447 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap); 2448 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap); 2449 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 0, 1, ipv4_dir_ap); 2450 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 1, 1, ipv4_dir_ap); 2451 2452 /* Choose an address with IPv4 on */ 2453 memset(&mock_options, 0, sizeof(or_options_t)); 2454 mock_options.ClientUseIPv4 = 1; 2455 mock_options.ClientUseIPv6 = 0; 2456 /* Simulate the initialisation of fake_node.ipv6_preferred */ 2457 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport( 2458 &mock_options); 2459 2460 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1, 2461 ipv4_or_ap); 2462 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1, 2463 ipv4_or_ap); 2464 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1, 2465 ipv4_dir_ap); 2466 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1, 2467 ipv4_dir_ap); 2468 2469 /* Choose an address with IPv6 on */ 2470 memset(&mock_options, 0, sizeof(or_options_t)); 2471 mock_options.ClientUseIPv4 = 0; 2472 mock_options.ClientUseIPv6 = 1; 2473 /* Simulate the initialisation of fake_node.ipv6_preferred */ 2474 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport( 2475 &mock_options); 2476 2477 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1, 2478 ipv6_or_ap); 2479 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1, 2480 ipv6_or_ap); 2481 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1, 2482 ipv6_dir_ap); 2483 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1, 2484 ipv6_dir_ap); 2485 2486 /* Choose an address with ClientUseIPv4 0. 2487 * This means "use IPv6" regardless of the other settings. */ 2488 memset(&mock_options, 0, sizeof(or_options_t)); 2489 mock_options.ClientUseIPv4 = 0; 2490 mock_options.ClientUseIPv6 = 0; 2491 /* Simulate the initialisation of fake_node.ipv6_preferred */ 2492 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport( 2493 &mock_options); 2494 2495 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1, 2496 ipv6_or_ap); 2497 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1, 2498 ipv6_or_ap); 2499 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1, 2500 ipv6_dir_ap); 2501 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1, 2502 ipv6_dir_ap); 2503 2504 /* Choose an address with ORPort_set 1 (server mode). 2505 * This means "use IPv4" regardless of the other settings. */ 2506 memset(&mock_options, 0, sizeof(or_options_t)); 2507 mock_options.ORPort_set = 1; 2508 mock_options.ClientUseIPv4 = 0; 2509 mock_options.ClientUseIPv6 = 1; 2510 mock_options.ClientPreferIPv6ORPort = 1; 2511 mock_options.ClientPreferIPv6DirPort = 1; 2512 2513 /* Simulate the initialisation of fake_node.ipv6_preferred */ 2514 fake_node.ipv6_preferred = reachable_addr_prefer_ipv6_orport( 2515 &mock_options); 2516 2517 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1, 2518 ipv4_or_ap); 2519 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1, 2520 ipv4_or_ap); 2521 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1, 2522 ipv4_dir_ap); 2523 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1, 2524 ipv4_dir_ap); 2525 2526 /* Test firewall_choose_address_ls(). To do this, we make a fake link 2527 * specifier. */ 2528 smartlist_t *lspecs = smartlist_new(), 2529 *lspecs_blank = smartlist_new(), 2530 *lspecs_v4 = smartlist_new(), 2531 *lspecs_v6 = smartlist_new(), 2532 *lspecs_no_legacy = smartlist_new(), 2533 *lspecs_legacy_only = smartlist_new(); 2534 link_specifier_t *fake_ls; 2535 2536 /* IPv4 link specifier */ 2537 fake_ls = link_specifier_new(); 2538 link_specifier_set_ls_type(fake_ls, LS_IPV4); 2539 link_specifier_set_un_ipv4_addr(fake_ls, 2540 tor_addr_to_ipv4h(&ipv4_or_ap.addr)); 2541 link_specifier_set_un_ipv4_port(fake_ls, ipv4_or_ap.port); 2542 link_specifier_set_ls_len(fake_ls, sizeof(ipv4_or_ap.addr.addr.in_addr) + 2543 sizeof(ipv4_or_ap.port)); 2544 smartlist_add(lspecs, fake_ls); 2545 smartlist_add(lspecs_v4, fake_ls); 2546 smartlist_add(lspecs_no_legacy, fake_ls); 2547 2548 /* IPv6 link specifier */ 2549 fake_ls = link_specifier_new(); 2550 link_specifier_set_ls_type(fake_ls, LS_IPV6); 2551 size_t addr_len = link_specifier_getlen_un_ipv6_addr(fake_ls); 2552 const uint8_t *in6_addr = tor_addr_to_in6_addr8(&ipv6_or_ap.addr); 2553 uint8_t *ipv6_array = link_specifier_getarray_un_ipv6_addr(fake_ls); 2554 memcpy(ipv6_array, in6_addr, addr_len); 2555 link_specifier_set_un_ipv6_port(fake_ls, ipv6_or_ap.port); 2556 link_specifier_set_ls_len(fake_ls, addr_len + sizeof(ipv6_or_ap.port)); 2557 smartlist_add(lspecs, fake_ls); 2558 smartlist_add(lspecs_v6, fake_ls); 2559 2560 /* Legacy ID link specifier */ 2561 fake_ls = link_specifier_new(); 2562 link_specifier_set_ls_type(fake_ls, LS_LEGACY_ID); 2563 uint8_t *legacy_id = link_specifier_getarray_un_legacy_id(fake_ls); 2564 memset(legacy_id, 'A', sizeof(*legacy_id)); 2565 link_specifier_set_ls_len(fake_ls, 2566 link_specifier_getlen_un_legacy_id(fake_ls)); 2567 smartlist_add(lspecs, fake_ls); 2568 smartlist_add(lspecs_legacy_only, fake_ls); 2569 smartlist_add(lspecs_v4, fake_ls); 2570 smartlist_add(lspecs_v6, fake_ls); 2571 2572 /* Check with bogus requests. */ 2573 tor_addr_port_t null_ap; \ 2574 tor_addr_make_null(&null_ap.addr, AF_UNSPEC); \ 2575 null_ap.port = 0; \ 2576 2577 /* Check for a null link state. */ 2578 CHECK_CHOSEN_ADDR_NULL_LS(); 2579 CHECK_HS_EXTEND_INFO_ADDR_LS(NULL, 1, null_ap); 2580 2581 /* Check for a blank link state. */ 2582 CHECK_CHOSEN_ADDR_LS(lspecs_blank, 0, 0, null_ap); 2583 CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(lspecs_blank, 0); 2584 2585 /* Check for a link state with only a Legacy ID. */ 2586 CHECK_LS_LEGACY_ONLY(lspecs_legacy_only); 2587 CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(lspecs_legacy_only, 0); 2588 smartlist_free(lspecs_legacy_only); 2589 2590 /* Check with a null onion_key. */ 2591 CHECK_HS_EXTEND_INFO_ADDR_LS_NULL_KEY(lspecs_blank); 2592 smartlist_free(lspecs_blank); 2593 2594 /* Check with a null onion_key. */ 2595 CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_MSG(lspecs_no_legacy, LOG_WARN, 2596 "Missing Legacy ID in link state"); 2597 smartlist_free(lspecs_no_legacy); 2598 2599 /* Enable both IPv4 and IPv6. */ 2600 memset(&mock_options, 0, sizeof(or_options_t)); 2601 mock_options.ClientUseIPv4 = 1; 2602 mock_options.ClientUseIPv6 = 1; 2603 2604 /* Prefer IPv4, enable both IPv4 and IPv6. */ 2605 mock_options.ClientPreferIPv6ORPort = 0; 2606 2607 CHECK_CHOSEN_ADDR_LS(lspecs, 0, 1, ipv4_or_ap); 2608 CHECK_CHOSEN_ADDR_LS(lspecs, 1, 1, ipv4_or_ap); 2609 2610 CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 1, ipv4_or_ap); 2611 CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 0, ipv4_or_ap); 2612 2613 /* Prefer IPv6, enable both IPv4 and IPv6. */ 2614 mock_options.ClientPreferIPv6ORPort = 1; 2615 2616 CHECK_CHOSEN_ADDR_LS(lspecs, 0, 1, ipv6_or_ap); 2617 CHECK_CHOSEN_ADDR_LS(lspecs, 1, 1, ipv6_or_ap); 2618 2619 CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 1, ipv6_or_ap); 2620 CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 0, ipv4_or_ap); 2621 2622 /* IPv4-only. */ 2623 memset(&mock_options, 0, sizeof(or_options_t)); 2624 mock_options.ClientUseIPv4 = 1; 2625 mock_options.ClientUseIPv6 = 0; 2626 2627 CHECK_CHOSEN_ADDR_LS(lspecs, 0, 1, ipv4_or_ap); 2628 CHECK_CHOSEN_ADDR_LS(lspecs, 1, 1, ipv4_or_ap); 2629 2630 CHECK_CHOSEN_ADDR_LS(lspecs_v6, 0, 0, null_ap); 2631 2632 CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 1, ipv4_or_ap); 2633 CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 0, ipv4_or_ap); 2634 2635 CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(lspecs_v6, 0); 2636 CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(lspecs_v6, 1); 2637 2638 /* IPv6-only. */ 2639 memset(&mock_options, 0, sizeof(or_options_t)); 2640 mock_options.ClientUseIPv4 = 0; 2641 mock_options.ClientUseIPv6 = 1; 2642 2643 CHECK_CHOSEN_ADDR_LS(lspecs, 0, 1, ipv6_or_ap); 2644 CHECK_CHOSEN_ADDR_LS(lspecs, 1, 1, ipv6_or_ap); 2645 2646 CHECK_CHOSEN_ADDR_LS(lspecs_v4, 0, 0, null_ap); 2647 2648 CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 1, ipv6_or_ap); 2649 CHECK_HS_EXTEND_INFO_ADDR_LS(lspecs, 0, ipv4_or_ap); 2650 2651 CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(lspecs_v4, 1); 2652 CHECK_HS_EXTEND_INFO_ADDR_LS_EXPECT_NULL(lspecs_v6, 0); 2653 2654 smartlist_free(lspecs_v4); 2655 smartlist_free(lspecs_v6); 2656 2657 SMARTLIST_FOREACH(lspecs, link_specifier_t *, lspec, \ 2658 link_specifier_free(lspec)); \ 2659 smartlist_free(lspecs); 2660 2661 done: 2662 UNMOCK(get_options); 2663 } 2664 2665 #undef TEST_IPV4_ADDR_STR 2666 #undef TEST_IPV6_ADDR_STR 2667 #undef TEST_IPV4_OR_PORT 2668 #undef TEST_IPV4_DIR_PORT 2669 #undef TEST_IPV6_OR_PORT 2670 #undef TEST_IPV6_DIR_PORT 2671 2672 #undef CHECK_CHOSEN_ADDR_RS 2673 #undef CHECK_CHOSEN_ADDR_NODE 2674 #undef CHECK_CHOSEN_ADDR_RN 2675 2676 struct testcase_t policy_tests[] = { 2677 { "router_dump_exit_policy_to_string", test_dump_exit_policy_to_string, 0, 2678 NULL, NULL }, 2679 { "general", test_policies_general, 0, NULL, NULL }, 2680 { "getinfo_helper_policies", test_policies_getinfo_helper_policies, 0, NULL, 2681 NULL }, 2682 { "reject_exit_address", test_policies_reject_exit_address, 0, NULL, NULL }, 2683 { "reject_interface_address", test_policies_reject_interface_address, 0, 2684 NULL, NULL }, 2685 { "reject_port_address", test_policies_reject_port_address, 0, NULL, NULL }, 2686 { "reachable_addr_allows", 2687 test_policies_fascist_firewall_allows_address, 0, NULL, NULL }, 2688 { "reachable_addr_choose", 2689 test_policies_fascist_firewall_choose_address, 0, NULL, NULL }, 2690 END_OF_TESTCASES 2691 };