aboutsummaryrefslogtreecommitdiff
path: root/src/test
diff options
context:
space:
mode:
authorteor (Tim Wilson-Brown) <teor2345@gmail.com>2015-11-16 15:54:57 +1100
committerteor (Tim Wilson-Brown) <teor2345@gmail.com>2015-11-20 10:39:13 +1100
commit66fac9fbadae529349f00172760688cf3caeb64d (patch)
tree64f278e70503f13a0cdf8c7cdf8d9afda7063343 /src/test
parente726ad466445e600b006295a8d2315643d1680da (diff)
downloadtor-66fac9fbadae529349f00172760688cf3caeb64d.tar.gz
tor-66fac9fbadae529349f00172760688cf3caeb64d.zip
Block OutboundBindAddressIPv[4|6]_ and configured ports on exit relays
Modify policies_parse_exit_policy_reject_private so it also blocks the addresses configured for OutboundBindAddressIPv4_ and OutboundBindAddressIPv6_, and any publicly routable port addresses on exit relays. Add and update unit tests for these functions.
Diffstat (limited to 'src/test')
-rw-r--r--src/test/test_policy.c177
1 files changed, 164 insertions, 13 deletions
diff --git a/src/test/test_policy.c b/src/test/test_policy.c
index cbeb0574ce..18d95940e7 100644
--- a/src/test/test_policy.c
+++ b/src/test/test_policy.c
@@ -2,6 +2,8 @@
/* See LICENSE for licensing information */
#include "or.h"
+#define CONFIG_PRIVATE
+#include "config.h"
#include "router.h"
#include "routerparse.h"
#include "policies.h"
@@ -49,7 +51,7 @@ test_policy_summary_helper(const char *policy_str,
r = policies_parse_exit_policy(&line, &policy,
EXIT_POLICY_IPV6_ENABLED |
- EXIT_POLICY_ADD_DEFAULT, 0, NULL, 0);
+ EXIT_POLICY_ADD_DEFAULT, 0, NULL, NULL, NULL);
tt_int_op(r,OP_EQ, 0);
summary = policy_summarize(policy, AF_INET);
@@ -116,7 +118,7 @@ test_policies_general(void *arg)
EXIT_POLICY_IPV6_ENABLED |
EXIT_POLICY_REJECT_PRIVATE |
EXIT_POLICY_ADD_DEFAULT, 0,
- NULL, 0));
+ NULL, NULL, NULL));
tt_assert(policy2);
@@ -125,7 +127,8 @@ test_policies_general(void *arg)
EXIT_POLICY_IPV6_ENABLED |
EXIT_POLICY_REJECT_PRIVATE |
EXIT_POLICY_ADD_DEFAULT,
- 0x0306090cu, &tar, 1));
+ 0x0306090cu, &tar, NULL,
+ NULL));
tt_assert(policy12);
@@ -207,14 +210,14 @@ test_policies_general(void *arg)
EXIT_POLICY_IPV6_ENABLED |
EXIT_POLICY_REJECT_PRIVATE |
EXIT_POLICY_ADD_DEFAULT, 0,
- NULL, 0));
+ NULL, NULL, NULL));
tt_assert(policy8);
tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy9,
EXIT_POLICY_REJECT_PRIVATE |
EXIT_POLICY_ADD_DEFAULT, 0,
- NULL, 0));
+ NULL, NULL, NULL));
tt_assert(policy9);
@@ -269,7 +272,7 @@ test_policies_general(void *arg)
tt_int_op(0, OP_EQ, policies_parse_exit_policy(&line,&policy,
EXIT_POLICY_IPV6_ENABLED |
EXIT_POLICY_ADD_DEFAULT, 0,
- NULL, 0));
+ NULL, NULL, NULL));
tt_assert(policy);
//test_streq(policy->string, "accept *:80");
@@ -530,7 +533,7 @@ test_policies_reject_exit_address(void *arg)
/* test that local_address is interpreted as an IPv4 host-order address and
* rejected on an IPv4-only exit */
policies_parse_exit_policy_reject_private(&policy, 0, TEST_IPV4_ADDR, NULL,
- 0);
+ NULL, NULL, 0, 0);
tt_assert(policy);
tt_assert(smartlist_len(policy) == 1);
tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
@@ -540,7 +543,7 @@ test_policies_reject_exit_address(void *arg)
/* test that local_address is interpreted as an IPv4 host-order address and
* rejected on an IPv4/IPv6 exit */
policies_parse_exit_policy_reject_private(&policy, 1, TEST_IPV4_ADDR, NULL,
- 0);
+ NULL, NULL, 0, 0);
tt_assert(policy);
tt_assert(smartlist_len(policy) == 1);
tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
@@ -548,7 +551,8 @@ test_policies_reject_exit_address(void *arg)
policy = NULL;
/* test that ipv6_local_address is rejected on an IPv4/IPv6 exit */
- policies_parse_exit_policy_reject_private(&policy, 1, 0, &ipv6_addr, 0);
+ policies_parse_exit_policy_reject_private(&policy, 1, 0, &ipv6_addr, NULL,
+ NULL, 0, 0);
tt_assert(policy);
tt_assert(smartlist_len(policy) == 1);
tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
@@ -559,13 +563,155 @@ test_policies_reject_exit_address(void *arg)
* (all IPv6 addresses are rejected by policies_parse_exit_policy_internal
* on IPv4-only exits, so policies_parse_exit_policy_reject_private doesn't
* need to do anything) */
- policies_parse_exit_policy_reject_private(&policy, 0, 0, &ipv6_addr, 0);
+ policies_parse_exit_policy_reject_private(&policy, 0, 0, &ipv6_addr, NULL,
+ NULL, 0, 0);
tt_assert(policy == NULL);
done:
addr_policy_list_free(policy);
}
+/** Run unit tests for rejecting outbound connection addresses on this
+ * exit relay using policies_parse_exit_policy_reject_private */
+static void
+test_policies_reject_outbound_address(void *arg)
+{
+ smartlist_t *policy = NULL;
+ tor_addr_t ipv4_addr, ipv6_addr;
+ (void)arg;
+
+ tor_addr_from_ipv4h(&ipv4_addr, TEST_IPV4_ADDR);
+ tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR);
+
+ /* test that OutboundBindAddressIPv4_ is rejected on an IPv4-only exit */
+ policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, &ipv4_addr,
+ NULL, 0, 0);
+ tt_assert(policy);
+ tt_assert(smartlist_len(policy) == 1);
+ tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
+ addr_policy_list_free(policy);
+ policy = NULL;
+
+ /* test that OutboundBindAddressIPv4_ is rejected on an IPv4/IPv6 exit */
+ policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, &ipv4_addr,
+ NULL, 0, 0);
+ tt_assert(policy);
+ tt_assert(smartlist_len(policy) == 1);
+ tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
+ addr_policy_list_free(policy);
+ policy = NULL;
+
+ /* test that OutboundBindAddressIPv6_ is rejected on an IPv4/IPv6 exit */
+ policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, NULL,
+ &ipv6_addr, 0, 0);
+ tt_assert(policy);
+ tt_assert(smartlist_len(policy) == 1);
+ tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
+ addr_policy_list_free(policy);
+ policy = NULL;
+
+ /* test that OutboundBindAddressIPv6_ is NOT rejected on an IPv4-only exit
+ * (all IPv6 addresses are rejected by policies_parse_exit_policy_internal
+ * on IPv4-only exits, so policies_parse_exit_policy_reject_private doesn't
+ * need to do anything with IPv6 addresses on IPv4-only exits) */
+ policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL,
+ &ipv6_addr, 0, 0);
+ tt_assert(policy == NULL);
+
+ /* test that OutboundBindAddressIPv4_ is rejected on an IPv4-only exit,
+ * but OutboundBindAddressIPv6_ is NOT rejected (all IPv6 addresses are
+ * rejected by policies_parse_exit_policy_internal on IPv4-only exits, so
+ * policies_parse_exit_policy_reject_private doesn't need to do anything
+ * with IPv6 addresses on IPv4-only exits) */
+ policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, &ipv4_addr,
+ &ipv6_addr, 0, 0);
+ tt_assert(policy);
+ tt_assert(smartlist_len(policy) == 1);
+ tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
+ addr_policy_list_free(policy);
+ policy = NULL;
+
+ /* test that OutboundBindAddressIPv4_ and OutboundBindAddressIPv6_ are
+ * rejected on an IPv4/IPv6 exit */
+ policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, &ipv4_addr,
+ &ipv6_addr, 0, 0);
+ tt_assert(policy);
+ tt_assert(smartlist_len(policy) == 2);
+ tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
+ tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
+ addr_policy_list_free(policy);
+ policy = NULL;
+
+done:
+ addr_policy_list_free(policy);
+}
+
+static smartlist_t *test_configured_ports = NULL;
+const smartlist_t *mock_get_configured_ports(void);
+
+/** Returns test_configured_ports */
+const smartlist_t *
+mock_get_configured_ports(void)
+{
+ return test_configured_ports;
+}
+
+/** Run unit tests for rejecting publicly routable configured port addresses
+ * on this exit relay using policies_parse_exit_policy_reject_private */
+static void
+test_policies_reject_port_address(void *arg)
+{
+ smartlist_t *policy = NULL;
+ port_cfg_t *ipv4_port = NULL;
+ port_cfg_t *ipv6_port = NULL;
+ (void)arg;
+
+ test_configured_ports = smartlist_new();
+
+ ipv4_port = port_cfg_new(0);
+ tor_addr_from_ipv4h(&ipv4_port->addr, TEST_IPV4_ADDR);
+ smartlist_add(test_configured_ports, ipv4_port);
+
+ ipv6_port = port_cfg_new(0);
+ tor_addr_parse(&ipv6_port->addr, TEST_IPV6_ADDR);
+ smartlist_add(test_configured_ports, ipv6_port);
+
+ MOCK(get_configured_ports, mock_get_configured_ports);
+
+ /* test that an IPv4 port is rejected on an IPv4-only exit, but an IPv6 port
+ * is NOT rejected (all IPv6 addresses are rejected by
+ * policies_parse_exit_policy_internal on IPv4-only exits, so
+ * policies_parse_exit_policy_reject_private doesn't need to do anything
+ * with IPv6 addresses on IPv4-only exits) */
+ policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL, NULL,
+ 0, 1);
+ tt_assert(policy);
+ tt_assert(smartlist_len(policy) == 1);
+ tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr));
+ addr_policy_list_free(policy);
+ policy = NULL;
+
+ /* test that IPv4 and IPv6 ports are rejected on an IPv4/IPv6 exit */
+ policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, NULL, NULL,
+ 0, 1);
+ tt_assert(policy);
+ tt_assert(smartlist_len(policy) == 2);
+ tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr));
+ tt_assert(test_policy_has_address_helper(policy, &ipv6_port->addr));
+ addr_policy_list_free(policy);
+ policy = NULL;
+
+done:
+ addr_policy_list_free(policy);
+ if (test_configured_ports) {
+ SMARTLIST_FOREACH(test_configured_ports,
+ port_cfg_t *, p, port_cfg_free(p));
+ smartlist_free(test_configured_ports);
+ test_configured_ports = NULL;
+ }
+ UNMOCK(get_configured_ports);
+}
+
#undef TEST_IPV4_ADDR
#undef TEST_IPV6_ADDR
@@ -582,12 +728,14 @@ test_policies_reject_interface_address(void *arg)
(void)arg;
/* test that no addresses are rejected when none are supplied/requested */
- policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, 0);
+ policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL, NULL,
+ 0, 0);
tt_assert(policy == NULL);
/* test that only IPv4 interface addresses are rejected on an IPv4-only exit
*/
- policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, 1);
+ policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL, NULL,
+ 1, 0);
if (policy) {
tt_assert(smartlist_len(policy) == smartlist_len(public_ipv4_addrs));
addr_policy_list_free(policy);
@@ -596,7 +744,8 @@ test_policies_reject_interface_address(void *arg)
/* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
* exit */
- policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, 1);
+ policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL, NULL,
+ 1, 0);
if (policy) {
tt_assert(smartlist_len(policy) == (smartlist_len(public_ipv4_addrs)
+ smartlist_len(public_ipv6_addrs)));
@@ -705,6 +854,8 @@ struct testcase_t policy_tests[] = {
{ "general", test_policies_general, 0, NULL, NULL },
{ "reject_exit_address", test_policies_reject_exit_address, 0, NULL, NULL },
{ "reject_interface_address", test_policies_reject_interface_address, 0, NULL, NULL },
+ { "reject_outbound_address", test_policies_reject_outbound_address, 0, NULL, NULL },
+ { "reject_port_address", test_policies_reject_port_address, 0, NULL, NULL },
END_OF_TESTCASES
};