tor-commits November 2015

tor-commits@lists.torproject.org

20 participants
856 discussions

[tor-messenger-build/master] Rebase preferences.patch
by sukhbir＠torproject.org 20 Nov '15

20 Nov '15

commit a9c422ed3d1ddde30e654dc7eda31d51e1aa8831 Author: Sukhbir Singh <sukhbir(a)torproject.org> Date: Fri Nov 20 16:18:10 2015 -0500 Rebase preferences.patch --- projects/instantbird/preferences.patch | 91 ++++++++++++++++++++++++++++---- 1 file changed, 80 insertions(+), 11 deletions(-) diff --git a/projects/instantbird/preferences.patch b/projects/instantbird/preferences.patch index 72f2ab0..9af290b 100644 --- a/projects/instantbird/preferences.patch +++ b/projects/instantbird/preferences.patch @@ -1,7 +1,12 @@ diff --git a/im/app/profile/all-instantbird.js b/im/app/profile/all-instantbird.js --- a/im/app/profile/all-instantbird.js +++ b/im/app/profile/all-instantbird.js -@@ -64,9 +64,6 @@ +@@ -59,19 +59,16 @@ pref("extensions.mintrayr.startMinimized + // For Linux, use single click. + pref("extensions.mintrayr.singleClickRestore", true); + #else + // For Windows, use double click. + pref("extensions.mintrayr.singleClickRestore", false); #endif #endif @@ -11,7 +16,17 @@ diff --git a/im/app/profile/all-instantbird.js b/im/app/profile/all-instantbird. // Specifies whether each message event should trigger a sound for incoming // and outgoing messages, or when your nickname is mentioned in a chat. pref("messenger.options.playSounds.outgoing", true); -@@ -114,14 +111,6 @@ + pref("messenger.options.playSounds.incoming", true); + pref("messenger.options.playSounds.alert", true); + // Whether contact list related sounds should be played at all. If this is + // enabled then the more specific prefs are checked as well. + pref("messenger.options.playSounds.blist", false); +@@ -109,41 +106,33 @@ pref("browser.preferences.animateFadeIn" + pref("browser.zoom.full", true); + pref("conversation.zoomLevel", "1.0"); + + pref("accessibility.typeaheadfind", false); + pref("accessibility.typeaheadfind.timeout", 5000); pref("accessibility.typeaheadfind.linksonly", false); pref("accessibility.typeaheadfind.flashBar", 1); @@ -26,7 +41,16 @@ diff --git a/im/app/profile/all-instantbird.js b/im/app/profile/all-instantbird. // Defines how the Application Update Service notifies the user about updates: // // AUM Set to: Minor Releases: Major Releases: -@@ -138,7 +127,7 @@ + // 0 download no prompt download no prompt + // 1 download no prompt download no prompt if no incompatibilities + // 2 download no prompt prompt + // + // See chart in nsUpdateService.js.in for more details + // + pref("app.update.mode", 1); + + // If set to true, the Update Service will present no UI for any event. + pref("app.update.silent", false); // If set to true, the Update Service will apply updates in the background // when it finishes downloading them. @@ -35,28 +59,55 @@ diff --git a/im/app/profile/all-instantbird.js b/im/app/profile/all-instantbird. // Update service URL: // You do not need to use all the %VAR% parameters. Use what you need, %PRODUCT%,%VERSION%,%BUILD_ID%,%CHANNEL% for example -@@ -198,9 +187,6 @@ + pref("app.update.url", "https://update.instantbird.org/1/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARG…"); + + // URL user can browse to manually if for some reason all update installation + // attempts fail. + pref("app.update.url.manual", "http://www.instantbird.com/download.html"); +@@ -194,17 +183,17 @@ pref("browser.search.defaultenginename", + // disable logging for the search service by default + pref("browser.search.log", false); + + // Ordering of Search Engines in the Engine list. pref("browser.search.order.1", "chrome://instantbird/locale/region.properties"); pref("browser.search.order.2", "chrome://instantbird/locale/region.properties"); --// send ping to the server to update + // send ping to the server to update -pref("browser.search.update", true); -- ++pref("browser.search.update", false); + // disable logging for the search service update system by default pref("browser.search.update.log", false); -@@ -219,10 +205,8 @@ + // Check whether we need to perform engine updates every 6 hours + pref("browser.search.updateinterval", 6); + + /* Extension manager */ +@@ -214,17 +203,17 @@ pref("xpinstall.dialog.progress.chrome", + pref("xpinstall.dialog.progress.type.skin", "Extension:Manager"); + pref("xpinstall.dialog.progress.type.chrome", "Extension:Manager"); + pref("extensions.dss.enabled", false); + pref("extensions.dss.switchPending", false); + pref("extensions.ignoreMTimeChanges", false); pref("extensions.logging.enabled", false); pref("general.skins.selectedSkin", "classic/1.0"); -pref("extensions.update.enabled", true); ++pref("extensions.update.enabled", false); pref("extensions.update.interval", 86400); pref("extensions.update.url", "https://addons.instantbird.org/services/update.php?reqVersion=%REQ_VERSION%…"); --pref("extensions.update.autoUpdateDefault", true); + pref("extensions.update.autoUpdateDefault", true); // Preferences for the Get Add-ons pane pref("extensions.getAddons.cache.enabled", false); -@@ -242,9 +226,9 @@ + pref("extensions.getAddons.browseAddons", "https://addons.instantbird.org/%LOCALE%/%APP%"); + pref("extensions.getAddons.maxResults", 5); +@@ -237,35 +226,32 @@ pref("extensions.webservice.discoverURL" + pref("extensions.getMoreExtensionsURL", "https://add-ons.instantbird.org/%LOCALE%/%APP%/%VERSION%/extensions/"); + pref("extensions.getMoreThemesURL", "https://add-ons.instantbird.org/%LOCALE%/%APP%/%VERSION%/themes/"); + pref("extensions.getMorePluginsURL", "https://add-ons.instantbird.org/%LOCALE%/%APP%/%VERSION%/plugins/"); + pref("extensions.getMoreMessageStylesURL", "https://add-ons.instantbird.org/%LOCALE%/%APP%/%VERSION%/messagestyles/"); + pref("extensions.getMoreEmoticonsURL", "https://add-ons.instantbird.org/%LOCALE%/%APP%/%VERSION%/emoticons/"); pref("extensions.getMoreProtocolsURL", "https://add-ons.instantbird.org/%LOCALE%/%APP%/%VERSION%/protocols/"); // suppress external-load warning for standard browser schemes @@ -69,7 +120,13 @@ diff --git a/im/app/profile/all-instantbird.js b/im/app/profile/all-instantbird. // don't load links inside Instantbird pref("network.protocol-handler.expose-all", false); -@@ -258,9 +242,6 @@ + // Although we allow these to be exposed internally, there are various places + // (e.g. message pane) where we may divert them out to external applications. + pref("network.protocol-handler.expose.about", true); + pref("network.protocol-handler.expose.http", true); + pref("network.protocol-handler.expose.https", true); + + // expose javascript: so that message themes can use it. // javascript: links inside messages are filtered out. pref("network.protocol-handler.expose.javascript", true); @@ -79,7 +136,17 @@ diff --git a/im/app/profile/all-instantbird.js b/im/app/profile/all-instantbird. // The breakpad report server to link to in about:crashes pref("breakpad.reportURL", "http://crash-stats.instantbird.com/report/index/"); -@@ -297,14 +278,82 @@ + // We have an Error Console menu item by default so let's display chrome errors + pref("javascript.options.showInConsole", true); + #ifdef DEBUG + // In debug builds, also display warnings by default + pref("javascript.options.strict", true); +@@ -292,19 +278,89 @@ pref("browser.tabs.tabClipWidth", 140); + + // Where to show tab close buttons: + // 0 on active tab only + // 1 on all tabs until tabClipWidth is reached, then active tab only + // 2 no close buttons at all // 3 at the end of the tabstrip pref("browser.tabs.closeButtons", 1); @@ -165,3 +232,5 @@ diff --git a/im/app/profile/all-instantbird.js b/im/app/profile/all-instantbird. +pref("extensions.update.autoUpdateDefault", false); +// Do not send ping to the server to update +pref("browser.search.update", false); ++// Set baseURL to Firefox default to prevent console errors ++pref("app.support.baseURL", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/");

1 0

[translation/tor-messenger-fingerdtd] Update translations for tor-messenger-fingerdtd
by translation＠torproject.org 20 Nov '15

20 Nov '15

commit 5f9c9d4049ab1513d6e6a1e26217ff31ce53f338 Author: Translation commit bot <translation(a)torproject.org> Date: Fri Nov 20 20:46:22 2015 +0000 Update translations for tor-messenger-fingerdtd --- ar/finger.dtd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ar/finger.dtd b/ar/finger.dtd index 6189dac..a0f1cc2 100644 --- a/ar/finger.dtd +++ b/ar/finger.dtd @@ -1,7 +1,7 @@ <!ENTITY finger.title "بصمات معروفة"> <!ENTITY finger.screenName "اسم الشاشة"> <!ENTITY finger.status "الحاﻻت"> -<!ENTITY finger.verified "Verified"> +<!ENTITY finger.verified "تم التحقق"> <!ENTITY finger.fingerprint "البصمة"> <!ENTITY finger.account "الحساب"> <!ENTITY finger.protocol "Protocol">

1 0

[tor-launcher/master] Bug 17344: enumerate available langpacks for lang prompt
by brade＠torproject.org 20 Nov '15

20 Nov '15

commit 20f01697b19ce938b894634d3ca4e39218137ea4 Author: Kathy Brade <brade(a)pearlcrescent.com> Date: Fri Nov 20 15:26:56 2015 -0500 Bug 17344: enumerate available langpacks for lang prompt Remove the hard-coded list of languages and build the listbox items from the set of installed language packs. --- src/chrome/content/localePicker.xul | 19 +------ src/chrome/content/network-settings.js | 97 +++++++++++++++++++++++++++----- 2 files changed, 85 insertions(+), 31 deletions(-) diff --git a/src/chrome/content/localePicker.xul b/src/chrome/content/localePicker.xul index be82e14..5b93825 100644 --- a/src/chrome/content/localePicker.xul +++ b/src/chrome/content/localePicker.xul @@ -35,24 +35,7 @@ <vbox> <label class="question">&torlauncher.localePicker.prompt;</label> <separator/> - <listbox id="localeList" ondblclick="onLocaleListDoubleClick()"> - <listitem value="en-US" label="English" selected="true" /> - <listitem value="ar" label="العربية" /> - <listitem value="de" label="Deutsch" /> - <listitem value="es-ES" label="Español" /> - <listitem value="fa" label="فارسی" /> - <listitem value="fr" label="Français" /> - <listitem value="it" label="Italiano" /> - <listitem value="ja" label="日本語" /> - <listitem value="ko" label="한국어" /> - <listitem value="nl" label="Nederlands" /> - <listitem value="pl" label="Polski" /> - <listitem value="pt-PT" label="Português (Europeu)" /> - <listitem value="ru" label="Русский" /> - <listitem value="tr" label="Türkçe" /> - <listitem value="vi" label="Tiếng Việt" /> - <listitem value="zh-CN" label="简体字" /> - </listbox> + <listbox id="localeList" ondblclick="onLocaleListDoubleClick()"/> </vbox> </wizardpage> diff --git a/src/chrome/content/network-settings.js b/src/chrome/content/network-settings.js index 2382ea6..9d3cb60 100644 --- a/src/chrome/content/network-settings.js +++ b/src/chrome/content/network-settings.js @@ -247,27 +247,98 @@ function initLocaleDialog() if (nextBtn && doneBtn) doneBtn.label = nextBtn.label; - // Select the current language by default. + let { AddonManager } = Cu.import("resource://gre/modules/AddonManager.jsm"); + AddonManager.getAddonsByTypes(["locale"], function(aLangPackAddons) + { + populateLocaleList(aLangPackAddons); + resizeDialogToFitContent(); + TorLauncherLogger.log(2, "initLocaleDialog done"); + }); +} + + +function populateLocaleList(aLangPackAddons) +{ + let knownLanguages = { + "en-US" : "English", + "ar" : "\u0627\u0644\u0639\u0631\u0628\u064a\u0629", + "de" : "Deutsch", + "es-ES" : "Espa\u00f1ol", + "fa" : "\u0641\u0627\u0631\u0633\u06cc", + "fr" : "Fran\u00e7ais", + "it" : "Italiano", + "ja" : "\u65e5\u672c\u8a9e", + "ko" : "\ud55c\uad6d\uc5b4", + "nl" : "Nederlands", + "pl" : "Polski", + "pt-PT" : "Portugu\u00eas (Europeu)", + "ru" : "\u0420\u0443\u0441\u0441\u043a\u0438\u0439", + "tr" : "T\u00fcrk\u00e7e", + "vi" : "Ti\u1ebfng Vi\u1ec7t", + "zh-CN" : "\u7b80\u4f53\u5b57" + }; + + // Retrieve the current locale so we can select it within the list by default. + let curLocale; try { let chromeRegSvc = Cc["@mozilla.org/chrome/chrome-registry;1"] .getService(Ci.nsIXULChromeRegistry); - let curLocale = chromeRegSvc.getSelectedLocale("global").toLowerCase(); - let localeList = document.getElementById(kLocaleList); - for (let i = 0; i < localeList.itemCount; ++i) + curLocale = chromeRegSvc.getSelectedLocale("global").toLowerCase(); + } catch (e) {} + + // Build a list of language info objects (language code plus friendly name). + let foundCurLocale = false; + let langInfo = []; + for (let addon of aLangPackAddons) + { + let uri = addon.getResourceURI(""); + // The add-on IDs look like langpack-LANGCODE(a)firefox.mozilla.org + let matchResult = addon.id.match(/^langpack-(.*)@.*\.mozilla\.org/); + let code = (matchResult) ? matchResult[1] : addon.id; + if (code == "ja-JP-mac") + code = "ja"; + let name = knownLanguages[code]; + if (!name) { - let item = localeList.getItemAtIndex(i); - if (item.value.toLowerCase() == curLocale) - { - localeList.selectedIndex = i; - break; - } + // We do not have a name for this language pack. Use some heuristics. + name = addon.name; + let idx = name.lastIndexOf(" Language Pack"); + if (idx > 0) + name = name.substring(0, idx); } - } catch (e) {} + let isSelected = (curLocale && (code.toLowerCase() == curLocale)); + langInfo.push({ langCode: code, langName: name, isSelected: isSelected } ); + if (isSelected && !foundCurLocale) + foundCurLocale = true; + } - resizeDialogToFitContent(); + // Sort by language code. + langInfo.sort(function(aObj1, aObj2) { + if (aObj1.langCode == aObj2.langCode) + return 0; + + return (aObj1.langCode < aObj2.langCode) ? -1 : 1; + }); - TorLauncherLogger.log(2, "initLocaleDialog done"); + // Add en-US to the beginning of the list. + let code = "en-US"; + let name = knownLanguages[code]; + let isSelected = !foundCurLocale; // select English if nothing else matched + langInfo.splice(0, 0, + { langCode: code, langName: name, isSelected: isSelected }); + + // Populate the XUL listbox. + let localeList = document.getElementById(kLocaleList); + for (let infoObj of langInfo) + { + let listItem = document.createElement("listitem"); + listItem.setAttribute("value", infoObj.langCode); + listItem.setAttribute("label", infoObj.langName); + localeList.appendChild(listItem); + if (infoObj.isSelected) + localeList.selectedItem = listItem; + } }

1 0

[translation/tor-messenger-authproperties_completed] Update translations for tor-messenger-authproperties_completed
by translation＠torproject.org 20 Nov '15

20 Nov '15

commit d2e3703383a09e47906f0fc0571e01b3b5be4fa7 Author: Translation commit bot <translation(a)torproject.org> Date: Fri Nov 20 20:16:15 2015 +0000 Update translations for tor-messenger-authproperties_completed --- ar/auth.properties | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/ar/auth.properties b/ar/auth.properties new file mode 100644 index 0000000..dd4a21f --- /dev/null +++ b/ar/auth.properties @@ -0,0 +1,12 @@ +auth.title=مصادقة هوية S's% +auth.yourFingerprint=بصمتك، %S:\n%S +auth.theirFingerprint=البصمة المزعومة لـ %S:\n%S +auth.help=مصادقة جهة إتصال معينة تساعدك علي التأكد من أن الشخص المراد التحدث معه هو بفعل وليس محتال. +auth.helpTitle=مساعدة التصادق +auth.question=مساعدة التصادقهذا هو السؤال الذي يطرحه جهة الإتصال:\n\n%S\n\nأدخل الحل هنا (الحروف يجب أن تكون كما هي): +auth.secret=أدخل السر هنا: +auth.error=حدث خطأ أثناء المصادقة. +auth.success=تمت المصادقة بنجاح. +auth.successThem=تمت عملية المصادقة بنجاح مع صديقك. يستحسن أن ترسل له سؤال مختلف حتي يجاوب عليه وتصادقه. +auth.fail=عملية المصادقة فشلت. +auth.done=تم

1 0

[translation/tor-messenger-authproperties] Update translations for tor-messenger-authproperties
by translation＠torproject.org 20 Nov '15

20 Nov '15

commit 684321bf53c56db109ffeb1f0bc35720fa99b8c9 Author: Translation commit bot <translation(a)torproject.org> Date: Fri Nov 20 20:16:10 2015 +0000 Update translations for tor-messenger-authproperties --- ar/auth.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ar/auth.properties b/ar/auth.properties index 268fc6b..dd4a21f 100644 --- a/ar/auth.properties +++ b/ar/auth.properties @@ -1,4 +1,4 @@ -auth.title=Verify %S's identity +auth.title=مصادقة هوية S's% auth.yourFingerprint=بصمتك، %S:\n%S auth.theirFingerprint=البصمة المزعومة لـ %S:\n%S auth.help=مصادقة جهة إتصال معينة تساعدك علي التأكد من أن الشخص المراد التحدث معه هو بفعل وليس محتال.

1 0

[webwml/staging] Fix donate redirect rules
by sebastian＠torproject.org 20 Nov '15

20 Nov '15

commit ac94eb4d8356daf484b7f925cd2d5d7e2d472d7d Author: Sebastian Hahn <sebastian(a)torproject.org> Date: Fri Nov 20 17:42:16 2015 +0100 Fix donate redirect rules --- .htaccess | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.htaccess b/.htaccess index 1b40159..a051529 100644 --- a/.htaccess +++ b/.htaccess @@ -52,8 +52,9 @@ RewriteRule ^easy-download(.*) /download/download-easy$1 [R=301,L] RewriteRule ^relays(.*) /getinvolved/relays [R=301,L] # Donation campagin -RewriteRule ^donate-twitter(.*) /donate/donate$1 [R=302,L] -RewriteRule ^donate-hp(.*) /donate/donate$1 [R=302,L] -RewriteRule ^donate-tbb(.*) /donate/donate$1 [R=302,L] -RewriteRule ^donate-banner(.*) /donate/donate$1 [R=302,L] -RewriteRule ^donate-download(.*) /donate/donate$1 [R=302,L] +RewriteRule ^donate/donate-twitter(.*) /donate/donate$1 [R=302,L] +RewriteRule ^donate/donate-hp(.*) /donate/donate$1 [R=302,L] +RewriteRule ^donate/donate-tbb(.*) /donate/donate$1 [R=302,L] +RewriteRule ^donate/donate-banner(.*) /donate/donate$1 [R=302,L] +RewriteRule ^donate/donate-download(.*) /donate/donate$1 [R=302,L] +RewriteRule ^donate/donate-button(.*) /donate/donate$1 [R=302,L]

1 0

[webwml/staging] One more redirect page
by sebastian＠torproject.org 20 Nov '15

20 Nov '15

commit 3e3228912f9e0644ce1daed0f3450779dc9c61ea Author: Sebastian Hahn <sebastian(a)torproject.org> Date: Fri Nov 20 17:25:01 2015 +0100 One more redirect page --- 0 files changed diff --git a/donate/en/donate-button.wml b/donate/en/donate-button.wml new file mode 100644 index 0000000..e69de29

1 0

[webwml/staging] Try the donation redirect hack
by sebastian＠torproject.org 20 Nov '15

20 Nov '15

commit 1c3f8602692fd0baea1b335c83b3a0b31ce255df Author: Sebastian Hahn <sebastian(a)torproject.org> Date: Fri Nov 20 17:13:31 2015 +0100 Try the donation redirect hack --- .htaccess | 7 +++++++ en/navigation.wmi | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.htaccess b/.htaccess index 6cdca66..1b40159 100644 --- a/.htaccess +++ b/.htaccess @@ -50,3 +50,10 @@ RewriteRule ^easy-download(.*) /download/download-easy$1 [R=301,L] # Relays RewriteRule ^relays(.*) /getinvolved/relays [R=301,L] + +# Donation campagin +RewriteRule ^donate-twitter(.*) /donate/donate$1 [R=302,L] +RewriteRule ^donate-hp(.*) /donate/donate$1 [R=302,L] +RewriteRule ^donate-tbb(.*) /donate/donate$1 [R=302,L] +RewriteRule ^donate-banner(.*) /donate/donate$1 [R=302,L] +RewriteRule ^donate-download(.*) /donate/donate$1 [R=302,L] diff --git a/donate/en/donate-banner.wml b/donate/en/donate-banner.wml new file mode 100644 index 0000000..e69de29 diff --git a/donate/en/donate-download.wml b/donate/en/donate-download.wml new file mode 100644 index 0000000..e69de29 diff --git a/donate/en/donate-hp.wml b/donate/en/donate-hp.wml new file mode 100644 index 0000000..e69de29 diff --git a/donate/en/donate-tbb.wml b/donate/en/donate-tbb.wml new file mode 100644 index 0000000..e69de29 diff --git a/donate/en/donate-twitter.wml b/donate/en/donate-twitter.wml new file mode 100644 index 0000000..e69de29 diff --git a/en/navigation.wmi b/en/navigation.wmi index ce8b001..504f29d 100644 --- a/en/navigation.wmi +++ b/en/navigation.wmi @@ -22,7 +22,7 @@ my @calltoaction = ( 'download/download-easy' , 'Download', 'getinvolved/volunteer' , 'Volunteer', - 'donate/donate' , 'Donate', + 'donate/donate-button' , 'Donate', ); :>

1 0

[tor/master] Refactor policies_parse_exit_policy_internal
by nickm＠torproject.org 20 Nov '15

20 Nov '15

commit c73c5a293f645c9d5a15b3f17946e4d44245a58e Author: teor (Tim Wilson-Brown) <teor2345(a)gmail.com> Date: Mon Nov 16 13:58:26 2015 +1100 Refactor policies_parse_exit_policy_internal Move the code that rejects publicly routable exit relay addresses to policies_parse_exit_policy_reject_private. Add addr_policy_append_reject_addr_list and use it to reject interface addresses. This removes the duplicate reject checks on local_address and ipv6_local_address, but duplicates will be removed by exit_policy_remove_redundancies at the end of the function. This also removes the info-level logging on rejected interface addresses. Instead, log a debug-level message in addr_policy_append_reject_addr. This simplifies policies_parse_exit_policy_internal and prepares for reporting these addresses over the control port in #17183. --- src/or/policies.c | 161 ++++++++++++++++++++++++++++++----------------------- src/or/policies.h | 7 +++ 2 files changed, 98 insertions(+), 70 deletions(-) diff --git a/src/or/policies.c b/src/or/policies.c index 9c858ec..f534632 100644 --- a/src/or/policies.c +++ b/src/or/policies.c @@ -893,6 +893,20 @@ addr_policy_append_reject_addr(smartlist_t **dest, const tor_addr_t *addr) if (!*dest) *dest = smartlist_new(); smartlist_add(*dest, add); + log_debug(LD_CONFIG, "Adding a reject ExitPolicy 'reject %s:*'", + fmt_addr(addr)); + +} + +/** Add "reject addr:*" to dest, for each addr in addrs, creating the + * list as needed. */ +void +addr_policy_append_reject_addr_list(smartlist_t **dest, + const smartlist_t *addrs) +{ + SMARTLIST_FOREACH_BEGIN(addrs, tor_addr_t *, addr) { + addr_policy_append_reject_addr(dest, addr); + } SMARTLIST_FOREACH_END(addr); } /** Detect and excise "dead code" from the policy *dest. */ @@ -979,6 +993,76 @@ exit_policy_remove_redundancies(smartlist_t *dest) } } +/** Reject private helper for policies_parse_exit_policy_internal: rejects + * publicly routable addresses on this exit relay. + * + * Add reject entries to the linked list *dest: + * - if local_address is non-zero, treat it as a host-order IPv4 address, + * and prepend an entry that rejects it as a destination. + * - if ipv6_local_address is non-NULL, prepend an entry that rejects it as + * a destination. + * - if reject_interface_addresses is true, prepend entries that reject each + * public IPv4 and IPv6 address of each interface on this machine. + * + * IPv6 entries are only added if ipv6_exit is true. (All IPv6 addresses are + * already blocked by policies_parse_exit_policy_internal if ipv6_exit is + * false.) + * + * The list *dest is created as needed. + */ +void +policies_parse_exit_policy_reject_private(smartlist_t **dest, + int ipv6_exit, + uint32_t local_address, + tor_addr_t *ipv6_local_address, + int reject_interface_addresses) +{ + tor_assert(dest); + + /* Reject our local IPv4 address */ + if (local_address) { + tor_addr_t v4_local; + tor_addr_from_ipv4h(&v4_local, local_address); + addr_policy_append_reject_addr(dest, &v4_local); + log_info(LD_CONFIG, "Adding a reject ExitPolicy 'reject %s:*' for our " + "published IPv4 address", fmt_addr32(local_address)); + } + + /* Reject our local IPv6 address */ + if (ipv6_exit && ipv6_local_address != NULL) { + if (tor_addr_is_v4(ipv6_local_address)) { + log_warn(LD_CONFIG, "IPv4 address '%s' provided as our IPv6 local " + "address", fmt_addr(ipv6_local_address)); + } else { + addr_policy_append_reject_addr(dest, ipv6_local_address); + log_info(LD_CONFIG, "Adding a reject ExitPolicy 'reject [%s]:*' for " + "our published IPv6 address", fmt_addr(ipv6_local_address)); + } + } + + /* Reject local addresses from public netblocks on any interface. */ + if (reject_interface_addresses) { + smartlist_t *public_addresses = NULL; + + /* Reject public IPv4 addresses on any interface */ + public_addresses = get_interface_address6_list(LOG_INFO, AF_INET, 0); + addr_policy_append_reject_addr_list(dest, public_addresses); + free_interface_address6_list(public_addresses); + + if (ipv6_exit) { + /* Reject public IPv6 addresses on any interface */ + public_addresses = get_interface_address6_list(LOG_INFO, AF_INET6, 0); + addr_policy_append_reject_addr_list(dest, public_addresses); + free_interface_address6_list(public_addresses); + } + } + + /* If addresses were added multiple times, remove all but one of them. */ + if (*dest) { + exit_policy_remove_redundancies(*dest); + } +} + #define DEFAULT_EXIT_POLICY \ "reject *:25,reject *:119,reject *:135-139,reject *:445," \ "reject *:563,reject *:1214,reject *:4661-4666," \ @@ -986,16 +1070,12 @@ exit_policy_remove_redundancies(smartlist_t *dest) /** Parse the exit policy cfg into the linked list *dest. * - * If ipv6_exit is true, prepend "reject *6:*" to the policy. + * If ipv6_exit is false, prepend "reject *6:*" to the policy. * * If rejectprivate is true: * - prepend "reject private:*" to the policy. - * - if local_address is non-zero, treat it as a host-order IPv4 address, - * and prepend an entry that rejects it as a destination. - * - if ipv6_local_address is non-NULL, prepend an entry that rejects it as - * a destination. - * - if reject_interface_addresses is true, prepend entries that reject each - * public IPv4 and IPv6 address of each interface on this machine. + * - call policies_parse_exit_policy_reject_private to reject publicly + * routable addresses on this exit relay * * If cfg doesn't end in an absolute accept or reject and if * add_default_policy is true, add the default exit @@ -1022,69 +1102,10 @@ policies_parse_exit_policy_internal(config_line_t *cfg, smartlist_t **dest, if (rejectprivate) { /* Reject IPv4 and IPv6 reserved private netblocks */ append_exit_policy_string(dest, "reject private:*"); - /* Reject our local IPv4 address */ - if (local_address) { - char buf[POLICY_BUF_LEN]; - tor_snprintf(buf, sizeof(buf), "reject %s:*", fmt_addr32(local_address)); - append_exit_policy_string(dest, buf); - log_info(LD_CONFIG, "Adding a reject ExitPolicy '%s' for our published " - "IPv4 address", buf); - } - /* Reject our local IPv6 address */ - if (ipv6_exit && ipv6_local_address != NULL) { - if (tor_addr_is_v4(ipv6_local_address)) { - log_warn(LD_CONFIG, "IPv4 address '%s' provided as our IPv6 local " - "address", fmt_addr(ipv6_local_address)); - } else { - char buf6[POLICY_BUF_LEN]; - tor_snprintf(buf6, sizeof(buf6), "reject [%s]:*", - fmt_addr(ipv6_local_address)); - append_exit_policy_string(dest, buf6); - log_info(LD_CONFIG, "Adding a reject ExitPolicy '%s' for our " - "published IPv6 address", buf6); - } - } - /* Reject local addresses from public netblocks on any interface, - * but don't reject our published addresses twice */ - if (reject_interface_addresses) { - smartlist_t *public_addresses = NULL; - char bufif[POLICY_BUF_LEN]; - - /* Reject public IPv4 addresses on any interface, - * but don't reject our published IPv4 address twice */ - public_addresses = get_interface_address6_list(LOG_INFO, AF_INET, 0); - SMARTLIST_FOREACH_BEGIN(public_addresses, tor_addr_t *, a) { - if (!tor_addr_eq_ipv4h(a, local_address)) { - tor_snprintf(bufif, sizeof(bufif), "reject %s:*", - fmt_addr(a)); - append_exit_policy_string(dest, bufif); - log_info(LD_CONFIG, "Adding a reject ExitPolicy '%s' for a local " - "interface's public IPv4 address", bufif); - } - } SMARTLIST_FOREACH_END(a); - free_interface_address6_list(public_addresses); - - if (ipv6_exit) { - /* Reject public IPv6 addresses on any interface, - * but don't reject our published IPv6 address (if any) twice */ - public_addresses = get_interface_address6_list(LOG_INFO, AF_INET6, 0); - SMARTLIST_FOREACH_BEGIN(public_addresses, tor_addr_t *, a) { - /* if we don't have an IPv6 local address, we won't have rejected - * it above. This could happen if a future release does IPv6 - * autodiscovery, and we are waiting to discover our external IPv6 - * address */ - if (ipv6_local_address == NULL - || !tor_addr_eq(ipv6_local_address, a)) { - tor_snprintf(bufif, sizeof(bufif), "reject6 [%s]:*", - fmt_addr(a)); - append_exit_policy_string(dest, bufif); - log_info(LD_CONFIG, "Adding a reject ExitPolicy '%s' for a local " - "interface's public IPv6 address", bufif); - } - } SMARTLIST_FOREACH_END(a); - free_interface_address6_list(public_addresses); - } - } + /* Reject IPv4 and IPv6 publicly routable addresses on this exit relay */ + policies_parse_exit_policy_reject_private(dest, ipv6_exit, local_address, + ipv6_local_address, + reject_interface_addresses); } if (parse_addr_policy(cfg, dest, -1)) return -1; diff --git a/src/or/policies.h b/src/or/policies.h index f200d7b..97350f5 100644 --- a/src/or/policies.h +++ b/src/or/policies.h @@ -58,9 +58,16 @@ int policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest, uint32_t local_address, tor_addr_t *ipv6_local_address, int reject_interface_addresses); +void policies_parse_exit_policy_reject_private(smartlist_t **dest, + int ipv6_exit, + uint32_t local_address, + tor_addr_t *ipv6_local_address, + int reject_interface_addresses); void policies_exit_policy_append_reject_star(smartlist_t **dest); void addr_policy_append_reject_addr(smartlist_t **dest, const tor_addr_t *addr); +void addr_policy_append_reject_addr_list(smartlist_t **dest, + const smartlist_t *addrs); void policies_set_node_exitpolicy_to_reject_all(node_t *exitrouter); int exit_policy_is_general_exit(smartlist_t *policy); int policy_is_reject_star(const smartlist_t *policy, sa_family_t family);

1 0

[tor/master] Block OutboundBindAddressIPv[4|6]_ and configured ports on exit relays
by nickm＠torproject.org 20 Nov '15

20 Nov '15

commit 66fac9fbadae529349f00172760688cf3caeb64d Author: teor (Tim Wilson-Brown) <teor2345(a)gmail.com> Date: Mon Nov 16 15:54:57 2015 +1100 Block OutboundBindAddressIPv[4|6]_ and configured ports on exit relays Modify policies_parse_exit_policy_reject_private so it also blocks the addresses configured for OutboundBindAddressIPv4_ and OutboundBindAddressIPv6_, and any publicly routable port addresses on exit relays. Add and update unit tests for these functions. --- src/or/config.c | 9 ++- src/or/config.h | 4 +- src/or/policies.c | 156 ++++++++++++++++++++++++++++++------------ src/or/policies.h | 29 ++++---- src/or/router.c | 2 +- src/test/test_policy.c | 177 ++++++++++++++++++++++++++++++++++++++++++++---- 6 files changed, 303 insertions(+), 74 deletions(-) diff --git a/src/or/config.c b/src/or/config.c index 22039b4..9028414 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -562,7 +562,6 @@ static char *get_bindaddr_from_transport_listen_line(const char *line, static int parse_dir_authority_line(const char *line, dirinfo_type_t required_type, int validate_only); -static void port_cfg_free(port_cfg_t *port); static int parse_ports(or_options_t *options, int validate_only, char **msg_out, int *n_ports_out, int *world_writable_control_socket); @@ -5737,7 +5736,7 @@ parse_dir_fallback_line(const char *line, } /** Allocate and return a new port_cfg_t with reasonable defaults. */ -static port_cfg_t * +STATIC port_cfg_t * port_cfg_new(size_t namelen) { tor_assert(namelen <= SIZE_T_CEILING - sizeof(port_cfg_t) - 1); @@ -5749,7 +5748,7 @@ port_cfg_new(size_t namelen) } /** Free all storage held in port */ -static void +STATIC void port_cfg_free(port_cfg_t *port) { tor_free(port); @@ -6673,8 +6672,8 @@ check_server_ports(const smartlist_t *ports, /** Return a list of port_cfg_t for client ports parsed from the * options. */ -const smartlist_t * -get_configured_ports(void) +MOCK_IMPL(const smartlist_t *, +get_configured_ports,(void)) { if (!configured_ports) configured_ports = smartlist_new(); diff --git a/src/or/config.h b/src/or/config.h index 51f7e90..7e88688 100644 --- a/src/or/config.h +++ b/src/or/config.h @@ -76,7 +76,7 @@ int write_to_data_subdir(const char* subdir, const char* fname, int get_num_cpus(const or_options_t *options); -const smartlist_t *get_configured_ports(void); +MOCK_DECL(const smartlist_t *,get_configured_ports,(void)); int get_first_advertised_port_by_type_af(int listener_type, int address_family); #define get_primary_or_port() \ @@ -140,6 +140,8 @@ smartlist_t *get_options_for_server_transport(const char *transport); extern struct config_format_t options_format; #endif +STATIC port_cfg_t *port_cfg_new(size_t namelen); +STATIC void port_cfg_free(port_cfg_t *port); STATIC void or_options_free(or_options_t *options); STATIC int options_validate(or_options_t *old_options, or_options_t *options, diff --git a/src/or/policies.c b/src/or/policies.c index f534632..91ca867 100644 --- a/src/or/policies.c +++ b/src/or/policies.c @@ -62,14 +62,18 @@ static const char *private_nets[] = { NULL }; -static int policies_parse_exit_policy_internal(config_line_t *cfg, - smartlist_t **dest, - int ipv6_exit, - int rejectprivate, - uint32_t local_address, - tor_addr_t *ipv6_local_address, - int reject_interface_addresses, - int add_default_policy); +static int policies_parse_exit_policy_internal( + config_line_t *cfg, + smartlist_t **dest, + int ipv6_exit, + int rejectprivate, + uint32_t local_address, + const tor_addr_t *ipv6_local_address, + const tor_addr_t *ipv4_outbound_address, + const tor_addr_t *ipv6_outbound_address, + int reject_interface_addresses, + int reject_configured_port_addresses, + int add_default_policy); /** Replace all "private" entries in *policy with their expanded * equivalents. */ @@ -443,7 +447,7 @@ validate_addr_policies(const or_options_t *options, char **msg) smartlist_t *addr_policy=NULL; *msg = NULL; - if (policies_parse_exit_policy_from_options(options,0,NULL,0,&addr_policy)) { + if (policies_parse_exit_policy_from_options(options,0,NULL,&addr_policy)) { REJECT("Error in ExitPolicy entry."); } @@ -993,16 +997,25 @@ exit_policy_remove_redundancies(smartlist_t *dest) } } +/* Is addr public for the purposes of rejection? */ +static int +tor_addr_is_public_for_reject(const tor_addr_t *addr) +{ + return !tor_addr_is_null(addr) && !tor_addr_is_internal(addr, 0); +} + /** Reject private helper for policies_parse_exit_policy_internal: rejects * publicly routable addresses on this exit relay. * * Add reject entries to the linked list *dest: * - if local_address is non-zero, treat it as a host-order IPv4 address, - * and prepend an entry that rejects it as a destination. - * - if ipv6_local_address is non-NULL, prepend an entry that rejects it as - * a destination. - * - if reject_interface_addresses is true, prepend entries that reject each + * and add an entry that rejects it as a destination. + * - if ipv6_local_address, ipv4_outbound_address, or ipv6_outbound_address + * are non-NULL, add entries that reject them as destinations. + * - if reject_interface_addresses is true, add entries that reject each * public IPv4 and IPv6 address of each interface on this machine. + * - if reject_configured_port_addresses is true, add entries that reject + * each IPv4 and IPv6 address configured for a port. * * IPv6 entries are only added if ipv6_exit is true. (All IPv6 addresses are * already blocked by policies_parse_exit_policy_internal if ipv6_exit is @@ -1011,35 +1024,83 @@ exit_policy_remove_redundancies(smartlist_t *dest) * The list *dest is created as needed. */ void -policies_parse_exit_policy_reject_private(smartlist_t **dest, - int ipv6_exit, - uint32_t local_address, - tor_addr_t *ipv6_local_address, - int reject_interface_addresses) +policies_parse_exit_policy_reject_private( + smartlist_t **dest, + int ipv6_exit, + uint32_t local_address, + const tor_addr_t *ipv6_local_address, + const tor_addr_t *ipv4_outbound_address, + const tor_addr_t *ipv6_outbound_address, + int reject_interface_addresses, + int reject_configured_port_addresses) { tor_assert(dest); - + /* Reject our local IPv4 address */ if (local_address) { tor_addr_t v4_local; tor_addr_from_ipv4h(&v4_local, local_address); - addr_policy_append_reject_addr(dest, &v4_local); - log_info(LD_CONFIG, "Adding a reject ExitPolicy 'reject %s:*' for our " - "published IPv4 address", fmt_addr32(local_address)); + if (tor_addr_is_public_for_reject(&v4_local)) { + addr_policy_append_reject_addr(dest, &v4_local); + log_info(LD_CONFIG, "Adding a reject ExitPolicy 'reject %s:*' for our " + "published IPv4 address", fmt_addr32(local_address)); + } } - /* Reject our local IPv6 address */ - if (ipv6_exit && ipv6_local_address != NULL) { - if (tor_addr_is_v4(ipv6_local_address)) { - log_warn(LD_CONFIG, "IPv4 address '%s' provided as our IPv6 local " - "address", fmt_addr(ipv6_local_address)); - } else { - addr_policy_append_reject_addr(dest, ipv6_local_address); + /* Reject the outbound IPv4 connection address */ + if (ipv4_outbound_address + && tor_addr_is_public_for_reject(ipv4_outbound_address)) { + addr_policy_append_reject_addr(dest, ipv4_outbound_address); + log_info(LD_CONFIG, "Adding a reject ExitPolicy 'reject %s:*' for " + "our outbound IPv4 connection address", + fmt_addr(ipv4_outbound_address)); + } + + /* If we're not an IPv6 exit, all IPv6 addresses have already been rejected + * by policies_parse_exit_policy_internal */ + if (ipv6_exit) { + + /* Reject our local IPv6 address */ + if (ipv6_local_address != NULL + && tor_addr_is_public_for_reject(ipv6_local_address)) { + if (tor_addr_is_v4(ipv6_local_address)) { + log_warn(LD_CONFIG, "IPv4 address '%s' provided as our IPv6 local " + "address", fmt_addr(ipv6_local_address)); + } else { + addr_policy_append_reject_addr(dest, ipv6_local_address); + log_info(LD_CONFIG, "Adding a reject ExitPolicy 'reject [%s]:*' for " + "our published IPv6 address", fmt_addr(ipv6_local_address)); + } + } + + /* Reject the outbound IPv6 connection address */ + if (ipv6_outbound_address + && tor_addr_is_public_for_reject(ipv6_outbound_address)) { + addr_policy_append_reject_addr(dest, ipv6_outbound_address); log_info(LD_CONFIG, "Adding a reject ExitPolicy 'reject [%s]:*' for " - "our published IPv6 address", fmt_addr(ipv6_local_address)); + "our outbound IPv6 connection address", + fmt_addr(ipv6_outbound_address)); } } + /* Reject configured port addresses, if they are from public netblocks. */ + if (reject_configured_port_addresses) { + const smartlist_t *port_addrs = get_configured_ports(); + + SMARTLIST_FOREACH_BEGIN(port_addrs, port_cfg_t *, port) { + + /* Only reject IP addresses which are public */ + if (!port->is_unix_addr && tor_addr_is_public_for_reject(&port->addr)) { + + /* Reject IPv4 addresses. If we are an IPv6 exit, also reject IPv6 + * addresses */ + if (tor_addr_is_v4(&port->addr) || ipv6_exit) { + addr_policy_append_reject_addr(dest, &port->addr); + } + } + } SMARTLIST_FOREACH_END(port); + } + /* Reject local addresses from public netblocks on any interface. */ if (reject_interface_addresses) { smartlist_t *public_addresses = NULL; @@ -1074,8 +1135,8 @@ policies_parse_exit_policy_reject_private(smartlist_t **dest, * * If rejectprivate is true: * - prepend "reject private:*" to the policy. - * - call policies_parse_exit_policy_reject_private to reject publicly - * routable addresses on this exit relay + * - prepend entries that reject publicly routable addresses on this exit + * relay by calling policies_parse_exit_policy_reject_private * * If cfg doesn't end in an absolute accept or reject and if * add_default_policy is true, add the default exit @@ -1092,8 +1153,11 @@ policies_parse_exit_policy_internal(config_line_t *cfg, smartlist_t **dest, int ipv6_exit, int rejectprivate, uint32_t local_address, - tor_addr_t *ipv6_local_address, + const tor_addr_t *ipv6_local_address, + const tor_addr_t *ipv4_outbound_address, + const tor_addr_t *ipv6_outbound_address, int reject_interface_addresses, + int reject_configured_port_addresses, int add_default_policy) { if (!ipv6_exit) { @@ -1103,9 +1167,13 @@ policies_parse_exit_policy_internal(config_line_t *cfg, smartlist_t **dest, /* Reject IPv4 and IPv6 reserved private netblocks */ append_exit_policy_string(dest, "reject private:*"); /* Reject IPv4 and IPv6 publicly routable addresses on this exit relay */ - policies_parse_exit_policy_reject_private(dest, ipv6_exit, local_address, - ipv6_local_address, - reject_interface_addresses); + policies_parse_exit_policy_reject_private( + dest, ipv6_exit, local_address, + ipv6_local_address, + ipv4_outbound_address, + ipv6_outbound_address, + reject_interface_addresses, + reject_configured_port_addresses); } if (parse_addr_policy(cfg, dest, -1)) return -1; @@ -1202,8 +1270,9 @@ int policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest, exit_policy_parser_cfg_t options, uint32_t local_address, - tor_addr_t *ipv6_local_address, - int reject_interface_addresses) + const tor_addr_t *ipv6_local_address, + const tor_addr_t *ipv4_outbound_address, + const tor_addr_t *ipv6_outbound_address) { int ipv6_enabled = (options & EXIT_POLICY_IPV6_ENABLED) ? 1 : 0; int reject_private = (options & EXIT_POLICY_REJECT_PRIVATE) ? 1 : 0; @@ -1213,7 +1282,10 @@ policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest, reject_private, local_address, ipv6_local_address, - reject_interface_addresses, + ipv4_outbound_address, + ipv6_outbound_address, + reject_private, + reject_private, add_default); } @@ -1241,8 +1313,7 @@ policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest, int policies_parse_exit_policy_from_options(const or_options_t *or_options, uint32_t local_address, - tor_addr_t *ipv6_local_address, - int reject_interface_addresses, + const tor_addr_t *ipv6_local_address, smartlist_t **result) { exit_policy_parser_cfg_t parser_cfg = 0; @@ -1268,7 +1339,8 @@ policies_parse_exit_policy_from_options(const or_options_t *or_options, return policies_parse_exit_policy(or_options->ExitPolicy,result, parser_cfg,local_address, ipv6_local_address, - reject_interface_addresses); + &or_options->OutboundBindAddressIPv4_, + &or_options->OutboundBindAddressIPv6_); } /** Add "reject *:*" to the end of the policy in *dest, allocating diff --git a/src/or/policies.h b/src/or/policies.h index 97350f5..26f92ad 100644 --- a/src/or/policies.h +++ b/src/or/policies.h @@ -48,21 +48,26 @@ MOCK_DECL(addr_policy_result_t, compare_tor_addr_to_addr_policy, addr_policy_result_t compare_tor_addr_to_node_policy(const tor_addr_t *addr, uint16_t port, const node_t *node); -int policies_parse_exit_policy_from_options(const or_options_t *or_options, - uint32_t local_address, - tor_addr_t *ipv6_local_address, - int reject_interface_addresses, - smartlist_t **result); +int policies_parse_exit_policy_from_options( + const or_options_t *or_options, + uint32_t local_address, + const tor_addr_t *ipv6_local_address, + smartlist_t **result); int policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest, exit_policy_parser_cfg_t options, uint32_t local_address, - tor_addr_t *ipv6_local_address, - int reject_interface_addresses); -void policies_parse_exit_policy_reject_private(smartlist_t **dest, - int ipv6_exit, - uint32_t local_address, - tor_addr_t *ipv6_local_address, - int reject_interface_addresses); + const tor_addr_t *ipv6_local_address, + const tor_addr_t *ipv4_outbound_address, + const tor_addr_t *ipv6_outbound_address); +void policies_parse_exit_policy_reject_private( + smartlist_t **dest, + int ipv6_exit, + uint32_t local_address, + const tor_addr_t *ipv6_local_address, + const tor_addr_t *ipv4_outbound_address, + const tor_addr_t *ipv6_outbound_address, + int reject_interface_addresses, + int reject_configured_port_addresses); void policies_exit_policy_append_reject_star(smartlist_t **dest); void addr_policy_append_reject_addr(smartlist_t **dest, const tor_addr_t *addr); diff --git a/src/or/router.c b/src/or/router.c index 1790416..95e5ad8 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -1922,7 +1922,7 @@ router_build_fresh_descriptor(routerinfo_t **r, extrainfo_t **e) /* DNS is screwed up; don't claim to be an exit. */ policies_exit_policy_append_reject_star(&ri->exit_policy); } else { - policies_parse_exit_policy_from_options(options,ri->addr,&ri->ipv6_addr,1, + policies_parse_exit_policy_from_options(options,ri->addr,&ri->ipv6_addr, &ri->exit_policy); } ri->policy_is_reject_star = diff --git a/src/test/test_policy.c b/src/test/test_policy.c index cbeb057..18d9594 100644 --- a/src/test/test_policy.c +++ b/src/test/test_policy.c @@ -2,6 +2,8 @@ /* See LICENSE for licensing information */ #include "or.h" +#define CONFIG_PRIVATE +#include "config.h" #include "router.h" #include "routerparse.h" #include "policies.h" @@ -49,7 +51,7 @@ test_policy_summary_helper(const char *policy_str, r = policies_parse_exit_policy(&line, &policy, EXIT_POLICY_IPV6_ENABLED | - EXIT_POLICY_ADD_DEFAULT, 0, NULL, 0); + EXIT_POLICY_ADD_DEFAULT, 0, NULL, NULL, NULL); tt_int_op(r,OP_EQ, 0); summary = policy_summarize(policy, AF_INET); @@ -116,7 +118,7 @@ test_policies_general(void *arg) EXIT_POLICY_IPV6_ENABLED | EXIT_POLICY_REJECT_PRIVATE | EXIT_POLICY_ADD_DEFAULT, 0, - NULL, 0)); + NULL, NULL, NULL)); tt_assert(policy2); @@ -125,7 +127,8 @@ test_policies_general(void *arg) EXIT_POLICY_IPV6_ENABLED | EXIT_POLICY_REJECT_PRIVATE | EXIT_POLICY_ADD_DEFAULT, - 0x0306090cu, &tar, 1)); + 0x0306090cu, &tar, NULL, + NULL)); tt_assert(policy12); @@ -207,14 +210,14 @@ test_policies_general(void *arg) EXIT_POLICY_IPV6_ENABLED | EXIT_POLICY_REJECT_PRIVATE | EXIT_POLICY_ADD_DEFAULT, 0, - NULL, 0)); + NULL, NULL, NULL)); tt_assert(policy8); tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy9, EXIT_POLICY_REJECT_PRIVATE | EXIT_POLICY_ADD_DEFAULT, 0, - NULL, 0)); + NULL, NULL, NULL)); tt_assert(policy9); @@ -269,7 +272,7 @@ test_policies_general(void *arg) tt_int_op(0, OP_EQ, policies_parse_exit_policy(&line,&policy, EXIT_POLICY_IPV6_ENABLED | EXIT_POLICY_ADD_DEFAULT, 0, - NULL, 0)); + NULL, NULL, NULL)); tt_assert(policy); //test_streq(policy->string, "accept *:80"); @@ -530,7 +533,7 @@ test_policies_reject_exit_address(void *arg) /* test that local_address is interpreted as an IPv4 host-order address and * rejected on an IPv4-only exit */ policies_parse_exit_policy_reject_private(&policy, 0, TEST_IPV4_ADDR, NULL, - 0); + NULL, NULL, 0, 0); tt_assert(policy); tt_assert(smartlist_len(policy) == 1); tt_assert(test_policy_has_address_helper(policy, &ipv4_addr)); @@ -540,7 +543,7 @@ test_policies_reject_exit_address(void *arg) /* test that local_address is interpreted as an IPv4 host-order address and * rejected on an IPv4/IPv6 exit */ policies_parse_exit_policy_reject_private(&policy, 1, TEST_IPV4_ADDR, NULL, - 0); + NULL, NULL, 0, 0); tt_assert(policy); tt_assert(smartlist_len(policy) == 1); tt_assert(test_policy_has_address_helper(policy, &ipv4_addr)); @@ -548,7 +551,8 @@ test_policies_reject_exit_address(void *arg) policy = NULL; /* test that ipv6_local_address is rejected on an IPv4/IPv6 exit */ - policies_parse_exit_policy_reject_private(&policy, 1, 0, &ipv6_addr, 0); + policies_parse_exit_policy_reject_private(&policy, 1, 0, &ipv6_addr, NULL, + NULL, 0, 0); tt_assert(policy); tt_assert(smartlist_len(policy) == 1); tt_assert(test_policy_has_address_helper(policy, &ipv6_addr)); @@ -559,13 +563,155 @@ test_policies_reject_exit_address(void *arg) * (all IPv6 addresses are rejected by policies_parse_exit_policy_internal * on IPv4-only exits, so policies_parse_exit_policy_reject_private doesn't * need to do anything) */ - policies_parse_exit_policy_reject_private(&policy, 0, 0, &ipv6_addr, 0); + policies_parse_exit_policy_reject_private(&policy, 0, 0, &ipv6_addr, NULL, + NULL, 0, 0); tt_assert(policy == NULL); done: addr_policy_list_free(policy); } +/** Run unit tests for rejecting outbound connection addresses on this + * exit relay using policies_parse_exit_policy_reject_private */ +static void +test_policies_reject_outbound_address(void *arg) +{ + smartlist_t *policy = NULL; + tor_addr_t ipv4_addr, ipv6_addr; + (void)arg; + + tor_addr_from_ipv4h(&ipv4_addr, TEST_IPV4_ADDR); + tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR); + + /* test that OutboundBindAddressIPv4_ is rejected on an IPv4-only exit */ + policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, &ipv4_addr, + NULL, 0, 0); + tt_assert(policy); + tt_assert(smartlist_len(policy) == 1); + tt_assert(test_policy_has_address_helper(policy, &ipv4_addr)); + addr_policy_list_free(policy); + policy = NULL; + + /* test that OutboundBindAddressIPv4_ is rejected on an IPv4/IPv6 exit */ + policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, &ipv4_addr, + NULL, 0, 0); + tt_assert(policy); + tt_assert(smartlist_len(policy) == 1); + tt_assert(test_policy_has_address_helper(policy, &ipv4_addr)); + addr_policy_list_free(policy); + policy = NULL; + + /* test that OutboundBindAddressIPv6_ is rejected on an IPv4/IPv6 exit */ + policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, NULL, + &ipv6_addr, 0, 0); + tt_assert(policy); + tt_assert(smartlist_len(policy) == 1); + tt_assert(test_policy_has_address_helper(policy, &ipv6_addr)); + addr_policy_list_free(policy); + policy = NULL; + + /* test that OutboundBindAddressIPv6_ is NOT rejected on an IPv4-only exit + * (all IPv6 addresses are rejected by policies_parse_exit_policy_internal + * on IPv4-only exits, so policies_parse_exit_policy_reject_private doesn't + * need to do anything with IPv6 addresses on IPv4-only exits) */ + policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL, + &ipv6_addr, 0, 0); + tt_assert(policy == NULL); + + /* test that OutboundBindAddressIPv4_ is rejected on an IPv4-only exit, + * but OutboundBindAddressIPv6_ is NOT rejected (all IPv6 addresses are + * rejected by policies_parse_exit_policy_internal on IPv4-only exits, so + * policies_parse_exit_policy_reject_private doesn't need to do anything + * with IPv6 addresses on IPv4-only exits) */ + policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, &ipv4_addr, + &ipv6_addr, 0, 0); + tt_assert(policy); + tt_assert(smartlist_len(policy) == 1); + tt_assert(test_policy_has_address_helper(policy, &ipv4_addr)); + addr_policy_list_free(policy); + policy = NULL; + + /* test that OutboundBindAddressIPv4_ and OutboundBindAddressIPv6_ are + * rejected on an IPv4/IPv6 exit */ + policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, &ipv4_addr, + &ipv6_addr, 0, 0); + tt_assert(policy); + tt_assert(smartlist_len(policy) == 2); + tt_assert(test_policy_has_address_helper(policy, &ipv4_addr)); + tt_assert(test_policy_has_address_helper(policy, &ipv6_addr)); + addr_policy_list_free(policy); + policy = NULL; + +done: + addr_policy_list_free(policy); +} + +static smartlist_t *test_configured_ports = NULL; +const smartlist_t *mock_get_configured_ports(void); + +/** Returns test_configured_ports */ +const smartlist_t * +mock_get_configured_ports(void) +{ + return test_configured_ports; +} + +/** Run unit tests for rejecting publicly routable configured port addresses + * on this exit relay using policies_parse_exit_policy_reject_private */ +static void +test_policies_reject_port_address(void *arg) +{ + smartlist_t *policy = NULL; + port_cfg_t *ipv4_port = NULL; + port_cfg_t *ipv6_port = NULL; + (void)arg; + + test_configured_ports = smartlist_new(); + + ipv4_port = port_cfg_new(0); + tor_addr_from_ipv4h(&ipv4_port->addr, TEST_IPV4_ADDR); + smartlist_add(test_configured_ports, ipv4_port); + + ipv6_port = port_cfg_new(0); + tor_addr_parse(&ipv6_port->addr, TEST_IPV6_ADDR); + smartlist_add(test_configured_ports, ipv6_port); + + MOCK(get_configured_ports, mock_get_configured_ports); + + /* test that an IPv4 port is rejected on an IPv4-only exit, but an IPv6 port + * is NOT rejected (all IPv6 addresses are rejected by + * policies_parse_exit_policy_internal on IPv4-only exits, so + * policies_parse_exit_policy_reject_private doesn't need to do anything + * with IPv6 addresses on IPv4-only exits) */ + policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL, NULL, + 0, 1); + tt_assert(policy); + tt_assert(smartlist_len(policy) == 1); + tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr)); + addr_policy_list_free(policy); + policy = NULL; + + /* test that IPv4 and IPv6 ports are rejected on an IPv4/IPv6 exit */ + policies_parse_exit_policy_reject_private(&policy, 1, 0, NULL, NULL, NULL, + 0, 1); + tt_assert(policy); + tt_assert(smartlist_len(policy) == 2); + tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr)); + tt_assert(test_policy_has_address_helper(policy, &ipv6_port->addr)); + addr_policy_list_free(policy); + policy = NULL; + +done: + addr_policy_list_free(policy); + if (test_configured_ports) { + SMARTLIST_FOREACH(test_configured_ports, + port_cfg_t *, p, port_cfg_free(p)); + smartlist_free(test_configured_ports); + test_configured_ports = NULL; + } + UNMOCK(get_configured_ports); +} + #undef TEST_IPV4_ADDR #undef TEST_IPV6_ADDR @@ -582,12 +728,14 @@ test_policies_reject_interface_address(void *arg) (void)arg; /* test that no addresses are rejected when none are supplied/requested */ - policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, 0); + policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL, NULL, + 0, 0); tt_assert(policy == NULL); /* test that only IPv4 interface addresses are rejected on an IPv4-only exit */ - policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, 1); + policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL, NULL, + 1, 0); if (policy) { tt_assert(smartlist_len(policy) == smartlist_len(public_ipv4_addrs)); addr_policy_list_free(policy); @@ -596,7 +744,8 @@ test_policies_reject_interface_address(void *arg) /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6 * exit */ - policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, 1); + policies_parse_exit_policy_reject_private(&policy, 0, 0, NULL, NULL, NULL, + 1, 0); if (policy) { tt_assert(smartlist_len(policy) == (smartlist_len(public_ipv4_addrs) + smartlist_len(public_ipv6_addrs))); @@ -705,6 +854,8 @@ struct testcase_t policy_tests[] = { { "general", test_policies_general, 0, NULL, NULL }, { "reject_exit_address", test_policies_reject_exit_address, 0, NULL, NULL }, { "reject_interface_address", test_policies_reject_interface_address, 0, NULL, NULL }, + { "reject_outbound_address", test_policies_reject_outbound_address, 0, NULL, NULL }, + { "reject_port_address", test_policies_reject_port_address, 0, NULL, NULL }, END_OF_TESTCASES };

1 0

← Newer
1
...
18
19
20
21
22
23
24
...
86
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-commits November 2015