author | teor (Tim Wilson-Brown) <teor2345@gmail.com> | 2015-11-16 15:54:57 +1100 |
---|---|---|
committer | teor (Tim Wilson-Brown) <teor2345@gmail.com> | 2015-11-20 10:39:13 +1100 |
commit | 66fac9fbadae529349f00172760688cf3caeb64d (patch) | |
tree | 64f278e70503f13a0cdf8c7cdf8d9afda7063343 /src/test | |
parent | e726ad466445e600b006295a8d2315643d1680da (diff) | |
Block OutboundBindAddressIPv[4|6]_ and configured ports on exit relays
Modify policies_parse_exit_policy_reject_private so it also blocks
the addresses configured for OutboundBindAddressIPv4_ and
OutboundBindAddressIPv6_, and any publicly routable port addresses
on exit relays.
Add and update unit tests for these functions.
Diffstat (limited to 'src/test')
-rw-r--r-- | src/test/test_policy.c | 177 |
1 files changed, 164 insertions, 13 deletions
diff --git a/src/test/test_policy.c b/src/test/test_policy.c index cbeb0574ce..18d95940e7 100644 --- a/src/test/test_policy.c +++ b/src/test/test_policy.c @@ -2,6 +2,8 @@ /* See LICENSE for licensing information */ #include "or.h" +#define CONFIG_PRIVATE +#include "config.h" #include "router.h" #include "routerparse.h" #include "policies.h" @@ -49,7 +51,7 @@ test_policy_summary_helper(const char *policy_str, r = policies_parse_exit_policy(&line, &policy, EXIT_POLICY_IPV6_ENABLED | - EXIT_POLICY_ADD_DEFAULT, 0, NULL, 0); + EXIT_POLICY_ADD_DEFAULT, 0, NULL, NULL, NULL); tt_int_op(r,OP_EQ, 0); summary = policy_summarize(policy, AF_INET); @@ -116,7 +118,7 @@ test_policies_general(void *arg) EXIT_POLICY_IPV6_ENABLED | EXIT_POLICY_REJECT_PRIVATE | EXIT_POLICY_ADD_DEFAULT, 0, - NULL, 0)); + NULL, NULL, NULL)); tt_assert(policy2); @@ -125,7 +127,8 @@ test_policies_general(void *arg) EXIT_POLICY_IPV6_ENABLED | EXIT_POLICY_REJECT_PRIVATE | EXIT_POLICY_ADD_DEFAULT, - 0x0306090cu, &tar, 1)); + 0x0306090cu, &tar, NULL, + NULL)); tt_assert(policy12); @@ -207,14 +210,14 @@ test_policies_general(void *arg) EXIT_POLICY_IPV6_ENABLED | EXIT_POLICY_REJECT_PRIVATE | EXIT_POLICY_ADD_DEFAULT, 0, - NULL, 0)); + NULL, NULL, NULL)); tt_assert(policy8); tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy9, EXIT_POLICY_REJECT_PRIVATE | EXIT_POLICY_ADD_DEFAULT, 0, - NULL, 0)); + NULL, NULL, NULL)); tt_assert(policy9); @@ -269,7 +272,7 @@ test_policies_general(void *arg) tt_int_op(0, OP_EQ, policies_parse_exit_policy(&line,&policy, EXIT_POLICY_IPV6_ENABLED | EXIT_POLICY_ADD_DEFAULT, 0, - NULL, 0)); + NULL, NULL, NULL)); tt_assert(policy); //test_streq(policy->string, "accept *:80"); 
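Review bot: In the `policy12` call in test_policies_general the trailing `1` becomes `NULL, NULL`, and every other updated `policies_parse_exit_policy` call on this page also passes NULL for both new arguments, so this entry point is never run with an outbound bind address set. The new tests further down call `policies_parse_exit_policy_reject_private` directly, which would not catch the wrapper failing to forward the addresses. Consider passing a non-NULL address for one of the new arguments in the `policy12` case and asserting that it appears in the resulting policy, and label the bare NULLs, e.g. `/* no OutboundBindAddressIPv4_ / OutboundBindAddressIPv6_ */`. Whether interface-address rejection (the old `1`) is still requested on this path cannot be seen from a diff limited to src/test, so that is worth confirming. test_policies_general starts and ends outside these hunks.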
@@ -530,7 +533,7 @@ test_policies_reject_exit_address(void *arg) /* test that local_address is interpreted as an IPv4 host-order address and * rejected on an IPv4-only exit */ policies_parse_exit_policy_reject_private(&policy, 0, TEST_IPV4_ADDR, NULL, - 0); + NULL, NULL, 0, 0); tt_assert(policy); tt_assert(smartlist_len(policy) == 1); tt_assert(test_policy_has_address_helper(policy, &ipv4_addr)); @@ -540,7 +543,7 @@ test_policies_reject_exit_address(void *arg) /* test that local_address is interpreted as an IPv4 host-order address and * rejected on an IPv4/IPv6 exit */ policies_parse_exit_policy_reject_private(&policy, 1, TEST_IPV4_ADDR, NULL, - 0); + NULL, NULL, 0, 0); tt_assert(policy); tt_assert(smartlist_len(policy) == 1); tt_assert(test_policy_has_address_helper(policy, &ipv4_addr)); @@ -548,7 +551,8 @@ test_policies_reject_exit_address(void *arg) policy = NULL; /* test that ipv6_local_address is rejected on an IPv4/IPv6 exit */ - policies_parse_exit_policy_reject_private(&policy, 1, 0, &ipv6_addr, 0); + policies_parse_exit_policy_reject_private(&policy, 1, 0, &ipv6_addr, NULL, + NULL, 0, 0); tt_assert(policy); tt_assert(smartlist_len(policy) == 1); tt_assert(test_policy_has_address_helper(policy, &ipv6_addr)); 
@@ -559,13 +563,155 @@ test_policies_reject_exit_address(void *arg) * (all IPv6 addresses are rejected by policies_parse_exit_policy_internal * on IPv4-only exits, so policies_parse_exit_policy_reject_private doesn't * need to do anything) */ - policies_parse_exit_policy_reject_private(&policy, 0, 0, &ipv6_addr, 0); + policies_parse_exit_policy_reject_private(&policy, 0, 0, &ipv6_addr, NULL, + NULL, 0, 0); tt_assert(policy == NULL); done: addr_policy_list_free(policy); } +/** Run unit tests for rejecting outbound connection addresses on this + * exit relay using policies_parse_exit_policy_reject_private */ +static void +test_policies_reject_outbound_address(void *arg) +{ + smartlist_t *policy = NULL; + tor_addr_t ipv4_addr, ipv6_addr; + (void)arg; + + tor_addr_from_ipv4h(&ipv4_addr, TEST_IPV4_ADDR); + tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR); + + /* test that OutboundBindAddressIPv4_ is rejected on an IPv4-only exit */ + policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, &ipv4_addr, + NULL, 0, 0); + tt_assert(policy); + tt_assert(smartlist_len(policy) == 1); + tt_assert(test_policy_has_address_helper(policy, &ipv4_addr)); + addr_policy_list_free(policy); + policy = NULL; + + /* test that OutboundBindAddressIPv4_ is rejected on an IPv4/IPv6 exit */ + policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, &ipv4_addr, + NULL, 0, 0); + tt_assert(policy); + tt_assert(smartlist_len(policy) == 1); + tt_assert(test_policy_has_address_helper(policy, &ipv4_addr)); + addr_policy_list_free(policy); + policy = NULL; + + /* test that OutboundBindAddressIPv6_ is rejected on an IPv4/IPv6 exit */ + policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, NULL, + &ipv6_addr, 0, 0); + tt_assert(policy); + tt_assert(smartlist_len(policy) == 1); + tt_assert(test_policy_has_address_helper(policy, &ipv6_addr)); + addr_policy_list_free(policy); + policy = NULL; + + /* test that OutboundBindAddressIPv6_ is NOT rejected on an IPv4-only exit + * (all IPv6 
addresses are rejected by policies_parse_exit_policy_internal + * on IPv4-only exits, so policies_parse_exit_policy_reject_private doesn't + * need to do anything with IPv6 addresses on IPv4-only exits) */ + policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL, + &ipv6_addr, 0, 0); + tt_assert(policy == NULL); + + /* test that OutboundBindAddressIPv4_ is rejected on an IPv4-only exit, + * but OutboundBindAddressIPv6_ is NOT rejected (all IPv6 addresses are + * rejected by policies_parse_exit_policy_internal on IPv4-only exits, so + * policies_parse_exit_policy_reject_private doesn't need to do anything + * with IPv6 addresses on IPv4-only exits) */ + policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, &ipv4_addr, + &ipv6_addr, 0, 0); + tt_assert(policy); + tt_assert(smartlist_len(policy) == 1); + tt_assert(test_policy_has_address_helper(policy, &ipv4_addr)); + addr_policy_list_free(policy); + policy = NULL; + + /* test that OutboundBindAddressIPv4_ and OutboundBindAddressIPv6_ are + * rejected on an IPv4/IPv6 exit */ + policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, &ipv4_addr, + &ipv6_addr, 0, 0); + tt_assert(policy); + tt_assert(smartlist_len(policy) == 2); + tt_assert(test_policy_has_address_helper(policy, &ipv4_addr)); + tt_assert(test_policy_has_address_helper(policy, &ipv6_addr)); + addr_policy_list_free(policy); + policy = NULL; + +done: + addr_policy_list_free(policy); +} + +static smartlist_t *test_configured_ports = NULL; +const smartlist_t *mock_get_configured_ports(void); + +/** Returns test_configured_ports */ +const smartlist_t * +mock_get_configured_ports(void) +{ + return test_configured_ports; +} + +/** Run unit tests for rejecting publicly routable configured port addresses + * on this exit relay using policies_parse_exit_policy_reject_private */ +static void +test_policies_reject_port_address(void *arg) +{ + smartlist_t *policy = NULL; + port_cfg_t *ipv4_port = NULL; + port_cfg_t *ipv6_port = NULL; + 
(void)arg; + + test_configured_ports = smartlist_new(); + + ipv4_port = port_cfg_new(0); + tor_addr_from_ipv4h(&ipv4_port->addr, TEST_IPV4_ADDR); + smartlist_add(test_configured_ports, ipv4_port); + + ipv6_port = port_cfg_new(0); + tor_addr_parse(&ipv6_port->addr, TEST_IPV6_ADDR); + smartlist_add(test_configured_ports, ipv6_port); + + MOCK(get_configured_ports, mock_get_configured_ports); + + /* test that an IPv4 port is rejected on an IPv4-only exit, but an IPv6 port + * is NOT rejected (all IPv6 addresses are rejected by + * policies_parse_exit_policy_internal on IPv4-only exits, so + * policies_parse_exit_policy_reject_private doesn't need to do anything + * with IPv6 addresses on IPv4-only exits) */ + policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL, NULL, + 0, 1); + tt_assert(policy); + tt_assert(smartlist_len(policy) == 1); + tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr)); + addr_policy_list_free(policy); + policy = NULL; + + /* test that IPv4 and IPv6 ports are rejected on an IPv4/IPv6 exit */ + policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, NULL, NULL, + 0, 1); + tt_assert(policy); + tt_assert(smartlist_len(policy) == 2); + tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr)); + tt_assert(test_policy_has_address_helper(policy, &ipv6_port->addr)); + addr_policy_list_free(policy); + policy = NULL; + +done: + addr_policy_list_free(policy); + if (test_configured_ports) { + SMARTLIST_FOREACH(test_configured_ports, + port_cfg_t *, p, port_cfg_free(p)); + smartlist_free(test_configured_ports); + test_configured_ports = NULL; + } + UNMOCK(get_configured_ports); +} + #undef TEST_IPV4_ADDR #undef TEST_IPV6_ADDR 
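Review bot: test_policies_reject_port_address and test_policies_reject_outbound_address only cover addresses that are expected to be rejected; nothing checks that a configured port or outbound address on a non-public address (loopback, private, unspecified) is left out of the policy, which is the other half of the "publicly routable" rule in the commit message. A sketch of a negative case for the port test follows; it assumes non-public addresses are skipped and that `policy` stays NULL when nothing is added, as the existing `tt_assert(policy == NULL)` cases suggest. Separately, the return value of `tor_addr_parse` is ignored in both new tests, so a malformed TEST_IPV6_ADDR (defined outside this hunk) would leave the address uninitialized and the assertions would compare garbage; `tt_int_op(tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR), OP_EQ, AF_INET6);` would fail fast instead.

```c
  /* … unchanged: IPv4-only and IPv4/IPv6 public-port cases … */

  /* test that ports bound to non-public addresses are NOT added to the
   * policy (constructed values: 127.0.0.1 in host order, and ::1) */
  tor_addr_from_ipv4h(&ipv4_port->addr, 0x7f000001u);
  tt_int_op(tor_addr_parse(&ipv6_port->addr, "::1"), OP_EQ, AF_INET6);
  policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, NULL, NULL,
                                            0, 1);
  tt_assert(policy == NULL);

done:
  /* … unchanged: free policy and test_configured_ports, UNMOCK … */
```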
@@ -582,12 +728,14 @@ test_policies_reject_interface_address(void *arg) (void)arg; /* test that no addresses are rejected when none are supplied/requested */ - policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, 0); + policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL, NULL, + 0, 0); tt_assert(policy == NULL); /* test that only IPv4 interface addresses are rejected on an IPv4-only exit */ - policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, 1); + policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL, NULL, + 1, 0); if (policy) { tt_assert(smartlist_len(policy) == smartlist_len(public_ipv4_addrs)); addr_policy_list_free(policy); @@ -596,7 +744,8 @@ test_policies_reject_interface_address(void *arg) /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6 * exit */ - policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, 1); + policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL, NULL, + 1, 0); if (policy) { tt_assert(smartlist_len(policy) == (smartlist_len(public_ipv4_addrs) + smartlist_len(public_ipv6_addrs))); @@ -705,6 +854,8 @@ struct testcase_t policy_tests[] = { { "general", test_policies_general, 0, NULL, NULL }, { "reject_exit_address", test_policies_reject_exit_address, 0, NULL, NULL }, { "reject_interface_address", test_policies_reject_interface_address, 0, NULL, NULL }, + { "reject_outbound_address", test_policies_reject_outbound_address, 0, NULL, NULL }, + { "reject_port_address", test_policies_reject_port_address, 0, NULL, NULL }, END_OF_TESTCASES }; |
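Review bot: The case commented "IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6 exit" in test_policies_reject_interface_address still passes `0` as the second argument, the same as the IPv4-only case just above it, while the other tests on this page pass `1` there for an IPv4/IPv6 exit. As written, the dual-stack path for interface addresses is not exercised, and the length check against `public_ipv4_addrs` plus `public_ipv6_addrs` can presumably only hold on hosts with no public IPv6 interface address. The call should most likely read `policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, NULL, NULL, 1, 0);`. Both length assertions also sit inside `if (policy)`, so they are skipped when no policy is produced; the function body continues outside the hunk.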