2018-02-27 19:20:58 +00:00
|
|
|
/*-
|
2015-02-24 18:19:20 +00:00
|
|
|
* SSLsplit - transparent SSL/TLS interception
|
2018-02-27 19:20:58 +00:00
|
|
|
* https://www.roe.ch/SSLsplit
|
|
|
|
*
|
2019-08-08 09:23:04 +00:00
|
|
|
* Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
|
2012-04-13 12:47:30 +00:00
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
2018-02-27 19:20:58 +00:00
|
|
|
* modification, are permitted provided that the following conditions are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright notice,
|
|
|
|
* this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
|
|
* this list of conditions and the following disclaimer in the documentation
|
|
|
|
* and/or other materials provided with the distribution.
|
2012-04-13 12:47:30 +00:00
|
|
|
*
|
2018-02-27 19:20:58 +00:00
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS''
|
|
|
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
|
|
|
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
|
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
|
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
2012-04-13 12:47:30 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include "attrib.h"
|
|
|
|
#include "opts.h"
|
|
|
|
|
|
|
|
#include <check.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <string.h>
|
|
|
|
#include <unistd.h>
|
|
|
|
#include <netinet/in.h>
|
|
|
|
|
|
|
|
static char *argv01[] = {
|
2018-05-09 18:22:40 +00:00
|
|
|
"https", "127.0.0.1", "10443", "up:8080", "127.0.0.2", "443"
|
2012-04-13 12:47:30 +00:00
|
|
|
};
|
2018-11-03 15:23:31 +00:00
|
|
|
#ifndef TRAVIS
|
2012-04-13 12:47:30 +00:00
|
|
|
static char *argv02[] = {
|
2018-05-09 18:22:40 +00:00
|
|
|
"https", "::1", "10443", "up:8080", "::2", "443"
|
2012-04-13 12:47:30 +00:00
|
|
|
};
|
2018-11-03 15:23:31 +00:00
|
|
|
#endif /* !TRAVIS */
|
2012-04-13 12:47:30 +00:00
|
|
|
static char *argv03[] = {
|
2018-05-09 18:22:40 +00:00
|
|
|
"http", "127.0.0.1", "10443", "up:8080", "127.0.0.2", "443"
|
2012-04-13 12:47:30 +00:00
|
|
|
};
|
|
|
|
static char *argv04[] = {
|
2018-05-09 18:22:40 +00:00
|
|
|
"ssl", "127.0.0.1", "10443", "up:8080", "127.0.0.2", "443"
|
2012-04-13 12:47:30 +00:00
|
|
|
};
|
|
|
|
static char *argv05[] = {
|
2018-05-09 18:22:40 +00:00
|
|
|
"tcp", "127.0.0.1", "10443", "up:8080", "127.0.0.2", "443"
|
2012-04-13 12:47:30 +00:00
|
|
|
};
|
|
|
|
static char *argv06[] = {
|
2018-05-09 18:22:40 +00:00
|
|
|
"https", "127.0.0.1", "10443", "up:8080", "sni", "443"
|
2012-04-13 12:47:30 +00:00
|
|
|
};
|
|
|
|
static char *argv07[] = {
|
2018-05-09 18:22:40 +00:00
|
|
|
"http", "127.0.0.1", "10443", "up:8080", "sni", "443"
|
2012-04-13 12:47:30 +00:00
|
|
|
};
|
|
|
|
static char *argv08[] = {
|
2018-05-09 18:22:40 +00:00
|
|
|
"https", "127.0.0.1", "10443", "up:8080", "no_such_engine"
|
2012-04-13 12:47:30 +00:00
|
|
|
};
|
2019-08-08 09:23:04 +00:00
|
|
|
#ifndef TRAVIS
|
2012-04-13 12:47:30 +00:00
|
|
|
static char *argv09[] = {
|
2018-05-09 18:22:40 +00:00
|
|
|
"https", "127.0.0.1", "10443", "up:8080", "127.0.0.2", "443",
|
|
|
|
"https", "::1", "10443", "up:8080", "::2", "443"
|
2012-04-13 12:47:30 +00:00
|
|
|
};
|
|
|
|
static char *argv10[] = {
|
2018-05-09 18:22:40 +00:00
|
|
|
"https", "127.0.0.1", "10443", "up:8080",
|
|
|
|
"https", "::1", "10443", "up:8080"
|
2012-04-13 12:47:30 +00:00
|
|
|
};
|
2019-08-08 09:23:04 +00:00
|
|
|
#endif /* !TRAVIS */
|
2016-03-27 12:38:06 +00:00
|
|
|
static char *argv11[] = {
|
2018-05-09 18:22:40 +00:00
|
|
|
"autossl", "127.0.0.1", "10025", "up:8080"
|
2016-03-27 12:38:06 +00:00
|
|
|
};
|
|
|
|
static char *argv12[] = {
|
2018-05-09 18:22:40 +00:00
|
|
|
"autossl", "127.0.0.1", "10025", "up:9199", "127.0.0.2", "25",
|
|
|
|
"https", "127.0.0.1", "10443", "up:8080", "127.0.0.2", "443"
|
2016-03-27 12:38:06 +00:00
|
|
|
};
|
|
|
|
static char *argv13[] = {
|
2018-05-09 18:22:40 +00:00
|
|
|
"autossl", "127.0.0.1", "10025", "up:9199", "sni", "25"
|
2016-03-27 12:38:06 +00:00
|
|
|
};
|
2017-07-25 13:07:39 +00:00
|
|
|
static char *argv14[] = {
|
2018-05-09 18:22:40 +00:00
|
|
|
"https", "127.0.0.1", "10443", "up:8080",
|
|
|
|
"autossl", "127.0.0.1", "10025", "up:9199", "127.0.0.2", "25"
|
2017-07-25 13:07:39 +00:00
|
|
|
};
|
2012-04-13 12:47:30 +00:00
|
|
|
|
2018-11-03 15:23:31 +00:00
|
|
|
#ifdef __linux__
|
|
|
|
#define NATENGINE "netfilter"
|
|
|
|
#else
|
2012-04-13 12:47:30 +00:00
|
|
|
#define NATENGINE "pf"
|
2018-11-03 15:23:31 +00:00
|
|
|
#endif
|
2012-04-13 12:47:30 +00:00
|
|
|
|
|
|
|
START_TEST(proxyspec_parse_01)
|
|
|
|
{
|
2019-07-12 12:52:36 +00:00
|
|
|
global_t *global = global_new();
|
2018-05-09 17:05:29 +00:00
|
|
|
proxyspec_t *spec = NULL;
|
2018-05-09 18:22:40 +00:00
|
|
|
int argc = 6;
|
2012-04-13 12:47:30 +00:00
|
|
|
char **argv = argv01;
|
|
|
|
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_t *tmp_global_opts = malloc(sizeof(tmp_global_opts_t));
|
|
|
|
memset(tmp_global_opts, 0, sizeof(tmp_global_opts_t));
|
|
|
|
|
|
|
|
proxyspec_parse(&argc, &argv, NATENGINE, global, "sslproxy", tmp_global_opts);
|
2019-07-12 12:52:36 +00:00
|
|
|
spec = global->spec;
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(!!spec, "failed to parse spec");
|
|
|
|
fail_unless(spec->ssl, "not SSL");
|
|
|
|
fail_unless(spec->http, "not HTTP");
|
2016-03-27 12:38:06 +00:00
|
|
|
fail_unless(!spec->upgrade, "Upgrade");
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(spec->listen_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 listen addr");
|
|
|
|
fail_unless(spec->connect_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 connect addr");
|
|
|
|
fail_unless(!spec->sni_port, "SNI port is set");
|
|
|
|
fail_unless(!spec->natengine, "natengine is set");
|
|
|
|
fail_unless(!spec->natlookup, "natlookup() is set");
|
|
|
|
fail_unless(!spec->natsocket, "natsocket() is set");
|
|
|
|
fail_unless(!spec->next, "next is set");
|
2019-07-12 12:52:36 +00:00
|
|
|
global_free(global);
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_free(tmp_global_opts);
|
2012-04-13 12:47:30 +00:00
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
2018-11-03 15:23:31 +00:00
|
|
|
#ifndef TRAVIS
|
2012-04-13 12:47:30 +00:00
|
|
|
START_TEST(proxyspec_parse_02)
|
|
|
|
{
|
2019-07-12 12:52:36 +00:00
|
|
|
global_t *global = global_new();
|
2018-05-09 17:05:29 +00:00
|
|
|
proxyspec_t *spec = NULL;
|
2018-05-09 18:22:40 +00:00
|
|
|
int argc = 6;
|
2012-04-13 12:47:30 +00:00
|
|
|
char **argv = argv02;
|
|
|
|
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_t *tmp_global_opts = malloc(sizeof(tmp_global_opts_t));
|
|
|
|
memset(tmp_global_opts, 0, sizeof(tmp_global_opts_t));
|
|
|
|
|
|
|
|
proxyspec_parse(&argc, &argv, NATENGINE, global, "sslproxy", tmp_global_opts);
|
2019-07-12 12:52:36 +00:00
|
|
|
spec = global->spec;
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(!!spec, "failed to parse spec");
|
|
|
|
fail_unless(spec->ssl, "not SSL");
|
|
|
|
fail_unless(spec->http, "not HTTP");
|
2016-03-27 12:38:06 +00:00
|
|
|
fail_unless(!spec->upgrade, "Upgrade");
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(spec->listen_addrlen == sizeof(struct sockaddr_in6),
|
|
|
|
"not IPv6 listen addr");
|
|
|
|
fail_unless(spec->connect_addrlen == sizeof(struct sockaddr_in6),
|
|
|
|
"not IPv6 connect addr");
|
|
|
|
fail_unless(!spec->sni_port, "SNI port is set");
|
|
|
|
fail_unless(!spec->natengine, "natengine is set");
|
|
|
|
fail_unless(!spec->natlookup, "natlookup() is set");
|
|
|
|
fail_unless(!spec->natsocket, "natsocket() is set");
|
|
|
|
fail_unless(!spec->next, "next is set");
|
2019-07-12 12:52:36 +00:00
|
|
|
global_free(global);
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_free(tmp_global_opts);
|
2012-04-13 12:47:30 +00:00
|
|
|
}
|
|
|
|
END_TEST
|
2018-11-03 15:23:31 +00:00
|
|
|
#endif /* !TRAVIS */
|
2012-04-13 12:47:30 +00:00
|
|
|
|
|
|
|
START_TEST(proxyspec_parse_03)
|
|
|
|
{
|
2019-07-12 12:52:36 +00:00
|
|
|
global_t *global = global_new();
|
2012-04-13 12:47:30 +00:00
|
|
|
int argc = 2;
|
|
|
|
char **argv = argv01;
|
|
|
|
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_t *tmp_global_opts = malloc(sizeof(tmp_global_opts_t));
|
|
|
|
memset(tmp_global_opts, 0, sizeof(tmp_global_opts_t));
|
|
|
|
|
2012-04-13 12:47:30 +00:00
|
|
|
close(2);
|
2021-09-14 10:25:03 +00:00
|
|
|
proxyspec_parse(&argc, &argv, NATENGINE, global, "sslproxy", tmp_global_opts);
|
2019-07-12 12:52:36 +00:00
|
|
|
global_free(global);
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_free(tmp_global_opts);
|
2012-04-13 12:47:30 +00:00
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
|
|
|
START_TEST(proxyspec_parse_04)
|
|
|
|
{
|
2019-07-12 12:52:36 +00:00
|
|
|
global_t *global = global_new();
|
2018-05-09 18:22:40 +00:00
|
|
|
int argc = 5;
|
2012-04-13 12:47:30 +00:00
|
|
|
char **argv = argv01;
|
|
|
|
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_t *tmp_global_opts = malloc(sizeof(tmp_global_opts_t));
|
|
|
|
memset(tmp_global_opts, 0, sizeof(tmp_global_opts_t));
|
|
|
|
|
2012-04-13 12:47:30 +00:00
|
|
|
close(2);
|
2021-09-14 10:25:03 +00:00
|
|
|
proxyspec_parse(&argc, &argv, NATENGINE, global, "sslproxy", tmp_global_opts);
|
2019-07-12 12:52:36 +00:00
|
|
|
global_free(global);
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_free(tmp_global_opts);
|
2012-04-13 12:47:30 +00:00
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
|
|
|
START_TEST(proxyspec_parse_05)
|
|
|
|
{
|
2019-07-12 12:52:36 +00:00
|
|
|
global_t *global = global_new();
|
2018-05-09 17:05:29 +00:00
|
|
|
proxyspec_t *spec = NULL;
|
2018-05-09 18:22:40 +00:00
|
|
|
int argc = 6;
|
2012-04-13 12:47:30 +00:00
|
|
|
char **argv = argv03;
|
|
|
|
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_t *tmp_global_opts = malloc(sizeof(tmp_global_opts_t));
|
|
|
|
memset(tmp_global_opts, 0, sizeof(tmp_global_opts_t));
|
|
|
|
|
|
|
|
proxyspec_parse(&argc, &argv, NATENGINE, global, "sslproxy", tmp_global_opts);
|
2019-07-12 12:52:36 +00:00
|
|
|
spec = global->spec;
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(!!spec, "failed to parse spec");
|
|
|
|
fail_unless(!spec->ssl, "SSL");
|
|
|
|
fail_unless(spec->http, "not HTTP");
|
2016-03-27 12:38:06 +00:00
|
|
|
fail_unless(!spec->upgrade, "Upgrade");
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(spec->listen_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 listen addr");
|
|
|
|
fail_unless(spec->connect_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 connect addr");
|
|
|
|
fail_unless(!spec->sni_port, "SNI port is set");
|
|
|
|
fail_unless(!spec->natengine, "natengine is set");
|
|
|
|
fail_unless(!spec->natlookup, "natlookup() is set");
|
|
|
|
fail_unless(!spec->natsocket, "natsocket() is set");
|
|
|
|
fail_unless(!spec->next, "next is set");
|
2019-07-12 12:52:36 +00:00
|
|
|
global_free(global);
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_free(tmp_global_opts);
|
2012-04-13 12:47:30 +00:00
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
|
|
|
START_TEST(proxyspec_parse_06)
|
|
|
|
{
|
2019-07-12 12:52:36 +00:00
|
|
|
global_t *global = global_new();
|
2018-05-09 17:05:29 +00:00
|
|
|
proxyspec_t *spec = NULL;
|
2018-05-09 18:22:40 +00:00
|
|
|
int argc = 6;
|
2012-04-13 12:47:30 +00:00
|
|
|
char **argv = argv04;
|
|
|
|
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_t *tmp_global_opts = malloc(sizeof(tmp_global_opts_t));
|
|
|
|
memset(tmp_global_opts, 0, sizeof(tmp_global_opts_t));
|
|
|
|
|
|
|
|
proxyspec_parse(&argc, &argv, NATENGINE, global, "sslproxy", tmp_global_opts);
|
2019-07-12 12:52:36 +00:00
|
|
|
spec = global->spec;
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(!!spec, "failed to parse spec");
|
|
|
|
fail_unless(spec->ssl, "not SSL");
|
|
|
|
fail_unless(!spec->http, "HTTP");
|
2016-03-27 12:38:06 +00:00
|
|
|
fail_unless(!spec->upgrade, "Upgrade");
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(spec->listen_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 listen addr");
|
|
|
|
fail_unless(spec->connect_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 connect addr");
|
|
|
|
fail_unless(!spec->sni_port, "SNI port is set");
|
|
|
|
fail_unless(!spec->natengine, "natengine is set");
|
|
|
|
fail_unless(!spec->natlookup, "natlookup() is set");
|
|
|
|
fail_unless(!spec->natsocket, "natsocket() is set");
|
|
|
|
fail_unless(!spec->next, "next is set");
|
2019-07-12 12:52:36 +00:00
|
|
|
global_free(global);
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_free(tmp_global_opts);
|
2012-04-13 12:47:30 +00:00
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
|
|
|
START_TEST(proxyspec_parse_07)
|
|
|
|
{
|
2019-07-12 12:52:36 +00:00
|
|
|
global_t *global = global_new();
|
2018-05-09 17:05:29 +00:00
|
|
|
proxyspec_t *spec = NULL;
|
2018-05-09 18:22:40 +00:00
|
|
|
int argc = 6;
|
2012-04-13 12:47:30 +00:00
|
|
|
char **argv = argv05;
|
|
|
|
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_t *tmp_global_opts = malloc(sizeof(tmp_global_opts_t));
|
|
|
|
memset(tmp_global_opts, 0, sizeof(tmp_global_opts_t));
|
|
|
|
|
|
|
|
proxyspec_parse(&argc, &argv, NATENGINE, global, "sslproxy", tmp_global_opts);
|
2019-07-12 12:52:36 +00:00
|
|
|
spec = global->spec;
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(!!spec, "failed to parse spec");
|
|
|
|
fail_unless(!spec->ssl, "SSL");
|
|
|
|
fail_unless(!spec->http, "HTTP");
|
2016-03-27 12:38:06 +00:00
|
|
|
fail_unless(!spec->upgrade, "Upgrade");
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(spec->listen_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 listen addr");
|
|
|
|
fail_unless(spec->connect_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 connect addr");
|
|
|
|
fail_unless(!spec->sni_port, "SNI port is set");
|
|
|
|
fail_unless(!spec->natengine, "natengine is set");
|
|
|
|
fail_unless(!spec->natlookup, "natlookup() is set");
|
|
|
|
fail_unless(!spec->natsocket, "natsocket() is set");
|
|
|
|
fail_unless(!spec->next, "next is set");
|
2019-07-12 12:52:36 +00:00
|
|
|
global_free(global);
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_free(tmp_global_opts);
|
2012-04-13 12:47:30 +00:00
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
|
|
|
START_TEST(proxyspec_parse_08)
|
|
|
|
{
|
2019-07-12 12:52:36 +00:00
|
|
|
global_t *global = global_new();
|
2018-05-09 17:05:29 +00:00
|
|
|
proxyspec_t *spec = NULL;
|
2018-05-09 18:22:40 +00:00
|
|
|
int argc = 6;
|
2012-04-13 12:47:30 +00:00
|
|
|
char **argv = argv06;
|
|
|
|
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_t *tmp_global_opts = malloc(sizeof(tmp_global_opts_t));
|
|
|
|
memset(tmp_global_opts, 0, sizeof(tmp_global_opts_t));
|
|
|
|
|
|
|
|
proxyspec_parse(&argc, &argv, NATENGINE, global, "sslproxy", tmp_global_opts);
|
2019-07-12 12:52:36 +00:00
|
|
|
spec = global->spec;
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(!!spec, "failed to parse spec");
|
|
|
|
fail_unless(spec->ssl, "not SSL");
|
|
|
|
fail_unless(spec->http, "not HTTP");
|
2016-03-27 12:38:06 +00:00
|
|
|
fail_unless(!spec->upgrade, "Upgrade");
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(spec->listen_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 listen addr");
|
|
|
|
fail_unless(!spec->connect_addrlen, "connect addr set");
|
|
|
|
fail_unless(spec->sni_port == 443, "SNI port is not set");
|
|
|
|
fail_unless(!spec->natengine, "natengine is set");
|
|
|
|
fail_unless(!spec->natlookup, "natlookup() is set");
|
|
|
|
fail_unless(!spec->natsocket, "natsocket() is set");
|
|
|
|
fail_unless(!spec->next, "next is set");
|
2019-07-12 12:52:36 +00:00
|
|
|
global_free(global);
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_free(tmp_global_opts);
|
2012-04-13 12:47:30 +00:00
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
|
|
|
START_TEST(proxyspec_parse_09)
|
|
|
|
{
|
2019-07-12 12:52:36 +00:00
|
|
|
global_t *global = global_new();
|
2012-04-13 12:47:30 +00:00
|
|
|
int argc = 5;
|
|
|
|
char **argv = argv07;
|
|
|
|
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_t *tmp_global_opts = malloc(sizeof(tmp_global_opts_t));
|
|
|
|
memset(tmp_global_opts, 0, sizeof(tmp_global_opts_t));
|
|
|
|
|
2012-04-13 12:47:30 +00:00
|
|
|
close(2);
|
2021-09-14 10:25:03 +00:00
|
|
|
proxyspec_parse(&argc, &argv, NATENGINE, global, "sslproxy", tmp_global_opts);
|
2019-07-12 12:52:36 +00:00
|
|
|
global_free(global);
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_free(tmp_global_opts);
|
2012-04-13 12:47:30 +00:00
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
|
|
|
START_TEST(proxyspec_parse_10)
|
|
|
|
{
|
2019-07-12 12:52:36 +00:00
|
|
|
global_t *global = global_new();
|
2018-05-09 18:22:40 +00:00
|
|
|
int argc = 5;
|
2012-04-13 12:47:30 +00:00
|
|
|
char **argv = argv06;
|
|
|
|
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_t *tmp_global_opts = malloc(sizeof(tmp_global_opts_t));
|
|
|
|
memset(tmp_global_opts, 0, sizeof(tmp_global_opts_t));
|
|
|
|
|
2012-04-13 12:47:30 +00:00
|
|
|
close(2);
|
2021-09-14 10:25:03 +00:00
|
|
|
proxyspec_parse(&argc, &argv, NATENGINE, global, "sslproxy", tmp_global_opts);
|
2019-07-12 12:52:36 +00:00
|
|
|
global_free(global);
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_free(tmp_global_opts);
|
2012-04-13 12:47:30 +00:00
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
|
|
|
START_TEST(proxyspec_parse_11)
|
|
|
|
{
|
2019-07-12 12:52:36 +00:00
|
|
|
global_t *global = global_new();
|
2018-05-09 17:05:29 +00:00
|
|
|
proxyspec_t *spec = NULL;
|
2018-05-09 18:22:40 +00:00
|
|
|
int argc = 4;
|
2012-04-13 12:47:30 +00:00
|
|
|
char **argv = argv08;
|
|
|
|
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_t *tmp_global_opts = malloc(sizeof(tmp_global_opts_t));
|
|
|
|
memset(tmp_global_opts, 0, sizeof(tmp_global_opts_t));
|
|
|
|
|
|
|
|
proxyspec_parse(&argc, &argv, NATENGINE, global, "sslproxy", tmp_global_opts);
|
2019-07-12 12:52:36 +00:00
|
|
|
spec = global->spec;
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(!!spec, "failed to parse spec");
|
|
|
|
fail_unless(spec->ssl, "not SSL");
|
|
|
|
fail_unless(spec->http, "not HTTP");
|
2016-03-27 12:38:06 +00:00
|
|
|
fail_unless(!spec->upgrade, "Upgrade");
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(spec->listen_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 listen addr");
|
|
|
|
fail_unless(!spec->connect_addrlen, "connect addr set");
|
|
|
|
fail_unless(!spec->sni_port, "SNI port is set");
|
|
|
|
fail_unless(!!spec->natengine, "natengine not set");
|
|
|
|
fail_unless(!strcmp(spec->natengine, NATENGINE), "natengine mismatch");
|
|
|
|
fail_unless(!spec->natlookup, "natlookup() is set");
|
|
|
|
fail_unless(!spec->natsocket, "natsocket() is set");
|
|
|
|
fail_unless(!spec->next, "next is set");
|
2019-07-12 12:52:36 +00:00
|
|
|
global_free(global);
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_free(tmp_global_opts);
|
2012-04-13 12:47:30 +00:00
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
|
|
|
START_TEST(proxyspec_parse_12)
|
|
|
|
{
|
2019-07-12 12:52:36 +00:00
|
|
|
global_t *global = global_new();
|
2018-05-09 18:22:40 +00:00
|
|
|
int argc = 5;
|
2012-04-13 12:47:30 +00:00
|
|
|
char **argv = argv08;
|
|
|
|
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_t *tmp_global_opts = malloc(sizeof(tmp_global_opts_t));
|
|
|
|
memset(tmp_global_opts, 0, sizeof(tmp_global_opts_t));
|
|
|
|
|
2012-04-13 12:47:30 +00:00
|
|
|
close(2);
|
2021-09-14 10:25:03 +00:00
|
|
|
proxyspec_parse(&argc, &argv, NATENGINE, global, "sslproxy", tmp_global_opts);
|
2019-07-12 12:52:36 +00:00
|
|
|
global_free(global);
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_free(tmp_global_opts);
|
2012-04-13 12:47:30 +00:00
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
2018-11-03 15:23:31 +00:00
|
|
|
#ifndef TRAVIS
|
2012-04-13 12:47:30 +00:00
|
|
|
START_TEST(proxyspec_parse_13)
|
|
|
|
{
|
2019-07-12 12:52:36 +00:00
|
|
|
global_t *global = global_new();
|
2018-05-09 17:05:29 +00:00
|
|
|
proxyspec_t *spec = NULL;
|
2018-05-09 18:22:40 +00:00
|
|
|
int argc = 12;
|
2012-04-13 12:47:30 +00:00
|
|
|
char **argv = argv09;
|
|
|
|
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_t *tmp_global_opts = malloc(sizeof(tmp_global_opts_t));
|
|
|
|
memset(tmp_global_opts, 0, sizeof(tmp_global_opts_t));
|
|
|
|
|
|
|
|
proxyspec_parse(&argc, &argv, NATENGINE, global, "sslproxy", tmp_global_opts);
|
2019-07-12 12:52:36 +00:00
|
|
|
spec = global->spec;
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(!!spec, "failed to parse spec");
|
|
|
|
fail_unless(spec->ssl, "not SSL");
|
|
|
|
fail_unless(spec->http, "not HTTP");
|
2016-03-27 12:38:06 +00:00
|
|
|
fail_unless(!spec->upgrade, "Upgrade");
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(spec->listen_addrlen == sizeof(struct sockaddr_in6),
|
|
|
|
"not IPv6 listen addr");
|
|
|
|
fail_unless(spec->connect_addrlen == sizeof(struct sockaddr_in6),
|
|
|
|
"not IPv6 connect addr");
|
|
|
|
fail_unless(!spec->sni_port, "SNI port is set");
|
|
|
|
fail_unless(!spec->natengine, "natengine is set");
|
|
|
|
fail_unless(!spec->natlookup, "natlookup() is set");
|
|
|
|
fail_unless(!spec->natsocket, "natsocket() is set");
|
|
|
|
fail_unless(!!spec->next, "next is not set");
|
|
|
|
fail_unless(spec->next->ssl, "not SSL");
|
|
|
|
fail_unless(spec->next->http, "not HTTP");
|
2016-03-27 12:38:06 +00:00
|
|
|
fail_unless(!spec->next->upgrade, "Upgrade");
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(spec->next->listen_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 listen addr");
|
|
|
|
fail_unless(spec->next->connect_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 connect addr");
|
|
|
|
fail_unless(!spec->next->sni_port, "SNI port is set");
|
|
|
|
fail_unless(!spec->next->natengine, "natengine is set");
|
|
|
|
fail_unless(!spec->next->natlookup, "natlookup() is set");
|
|
|
|
fail_unless(!spec->next->natsocket, "natsocket() is set");
|
2019-07-12 12:52:36 +00:00
|
|
|
global_free(global);
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_free(tmp_global_opts);
|
2012-04-13 12:47:30 +00:00
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
|
|
|
START_TEST(proxyspec_parse_14)
|
|
|
|
{
|
2019-07-12 12:52:36 +00:00
|
|
|
global_t *global = global_new();
|
2018-05-09 17:05:29 +00:00
|
|
|
proxyspec_t *spec = NULL;
|
2018-05-09 18:22:40 +00:00
|
|
|
int argc = 8;
|
2012-04-13 12:47:30 +00:00
|
|
|
char **argv = argv10;
|
|
|
|
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_t *tmp_global_opts = malloc(sizeof(tmp_global_opts_t));
|
|
|
|
memset(tmp_global_opts, 0, sizeof(tmp_global_opts_t));
|
|
|
|
|
|
|
|
proxyspec_parse(&argc, &argv, NATENGINE, global, "sslproxy", tmp_global_opts);
|
2019-07-12 12:52:36 +00:00
|
|
|
spec = global->spec;
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(!!spec, "failed to parse spec");
|
|
|
|
fail_unless(spec->ssl, "not SSL");
|
|
|
|
fail_unless(spec->http, "not HTTP");
|
2016-03-27 12:38:06 +00:00
|
|
|
fail_unless(!spec->upgrade, "Upgrade");
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(spec->listen_addrlen == sizeof(struct sockaddr_in6),
|
|
|
|
"not IPv6 listen addr");
|
|
|
|
fail_unless(!spec->connect_addrlen, "connect addr set");
|
|
|
|
fail_unless(!spec->sni_port, "SNI port is set");
|
|
|
|
fail_unless(!!spec->natengine, "natengine not set");
|
|
|
|
fail_unless(!strcmp(spec->natengine, NATENGINE), "natengine mismatch");
|
|
|
|
fail_unless(!spec->natlookup, "natlookup() is set");
|
|
|
|
fail_unless(!spec->natsocket, "natsocket() is set");
|
|
|
|
fail_unless(!!spec->next, "next is not set");
|
|
|
|
fail_unless(spec->next->ssl, "not SSL");
|
|
|
|
fail_unless(spec->next->http, "not HTTP");
|
2016-03-27 12:38:06 +00:00
|
|
|
fail_unless(!spec->next->upgrade, "Upgrade");
|
2012-04-13 12:47:30 +00:00
|
|
|
fail_unless(spec->next->listen_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 listen addr");
|
|
|
|
fail_unless(!spec->next->connect_addrlen, "connect addr set");
|
|
|
|
fail_unless(!spec->next->sni_port, "SNI port is set");
|
|
|
|
fail_unless(!!spec->next->natengine, "natengine not set");
|
|
|
|
fail_unless(!strcmp(spec->next->natengine, NATENGINE),
|
|
|
|
"natengine mismatch");
|
|
|
|
fail_unless(!spec->next->natlookup, "natlookup() is set");
|
|
|
|
fail_unless(!spec->next->natsocket, "natsocket() is set");
|
2019-07-12 12:52:36 +00:00
|
|
|
global_free(global);
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_free(tmp_global_opts);
|
2012-04-13 12:47:30 +00:00
|
|
|
}
|
|
|
|
END_TEST
|
2018-11-03 15:23:31 +00:00
|
|
|
#endif /* !TRAVIS */
|
2012-04-13 12:47:30 +00:00
|
|
|
|
2016-03-27 12:38:06 +00:00
|
|
|
START_TEST(proxyspec_parse_15)
|
|
|
|
{
|
2019-07-12 12:52:36 +00:00
|
|
|
global_t *global = global_new();
|
2018-05-09 17:05:29 +00:00
|
|
|
proxyspec_t *spec = NULL;
|
2018-05-09 18:22:40 +00:00
|
|
|
int argc = 4;
|
2016-03-27 12:38:06 +00:00
|
|
|
char **argv = argv11;
|
|
|
|
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_t *tmp_global_opts = malloc(sizeof(tmp_global_opts_t));
|
|
|
|
memset(tmp_global_opts, 0, sizeof(tmp_global_opts_t));
|
|
|
|
|
|
|
|
proxyspec_parse(&argc, &argv, NATENGINE, global, "sslproxy", tmp_global_opts);
|
2019-07-12 12:52:36 +00:00
|
|
|
spec = global->spec;
|
2016-03-27 12:38:06 +00:00
|
|
|
fail_unless(!!spec, "failed to parse spec");
|
|
|
|
fail_unless(!spec->ssl, "SSL");
|
|
|
|
fail_unless(!spec->http, "HTTP");
|
|
|
|
fail_unless(spec->upgrade, "not Upgrade");
|
|
|
|
fail_unless(spec->listen_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 listen addr");
|
|
|
|
fail_unless(!spec->connect_addrlen, "connect addr set");
|
|
|
|
fail_unless(!spec->sni_port, "SNI port is set");
|
|
|
|
fail_unless(!!spec->natengine, "natengine is not set");
|
|
|
|
fail_unless(!spec->natlookup, "natlookup() is set");
|
|
|
|
fail_unless(!spec->natsocket, "natsocket() is set");
|
|
|
|
fail_unless(!spec->next, "next is set");
|
2019-07-12 12:52:36 +00:00
|
|
|
global_free(global);
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_free(tmp_global_opts);
|
2016-03-27 12:38:06 +00:00
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
|
|
|
START_TEST(proxyspec_parse_16)
|
|
|
|
{
|
2019-07-12 12:52:36 +00:00
|
|
|
global_t *global = global_new();
|
2018-05-09 17:05:29 +00:00
|
|
|
proxyspec_t *spec = NULL;
|
2018-05-09 18:22:40 +00:00
|
|
|
int argc = 12;
|
2016-03-27 12:38:06 +00:00
|
|
|
char **argv = argv12;
|
|
|
|
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_t *tmp_global_opts = malloc(sizeof(tmp_global_opts_t));
|
|
|
|
memset(tmp_global_opts, 0, sizeof(tmp_global_opts_t));
|
|
|
|
|
|
|
|
proxyspec_parse(&argc, &argv, NATENGINE, global, "sslproxy", tmp_global_opts);
|
2019-07-12 12:52:36 +00:00
|
|
|
spec = global->spec;
|
2016-03-27 12:38:06 +00:00
|
|
|
fail_unless(!!spec, "failed to parse spec");
|
|
|
|
fail_unless(spec->ssl, "not SSL");
|
|
|
|
fail_unless(spec->http, "not HTTP");
|
|
|
|
fail_unless(!spec->upgrade, "Upgrade");
|
|
|
|
fail_unless(spec->listen_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 listen addr");
|
|
|
|
fail_unless(spec->connect_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 connect addr");
|
|
|
|
fail_unless(!spec->sni_port, "SNI port is set");
|
|
|
|
fail_unless(!spec->natengine, "natengine is set");
|
|
|
|
fail_unless(!spec->natlookup, "natlookup() is set");
|
|
|
|
fail_unless(!spec->natsocket, "natsocket() is set");
|
|
|
|
fail_unless(!!spec->next, "next is not set");
|
|
|
|
fail_unless(!spec->next->ssl, "SSL");
|
|
|
|
fail_unless(!spec->next->http, "HTTP");
|
|
|
|
fail_unless(spec->next->upgrade, "not Upgrade");
|
|
|
|
fail_unless(spec->next->listen_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 listen addr");
|
|
|
|
fail_unless(spec->next->connect_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 connect addr");
|
|
|
|
fail_unless(!spec->next->sni_port, "SNI port is set");
|
|
|
|
fail_unless(!spec->next->natengine, "natengine is set");
|
|
|
|
fail_unless(!spec->next->natlookup, "natlookup() is set");
|
|
|
|
fail_unless(!spec->next->natsocket, "natsocket() is set");
|
2019-07-12 12:52:36 +00:00
|
|
|
global_free(global);
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_free(tmp_global_opts);
|
2016-03-27 12:38:06 +00:00
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
|
|
|
START_TEST(proxyspec_parse_17)
|
|
|
|
{
|
2019-07-12 12:52:36 +00:00
|
|
|
global_t *global = global_new();
|
2018-05-09 18:22:40 +00:00
|
|
|
int argc = 6;
|
2016-03-27 12:38:06 +00:00
|
|
|
char **argv = argv13;
|
|
|
|
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_t *tmp_global_opts = malloc(sizeof(tmp_global_opts_t));
|
|
|
|
memset(tmp_global_opts, 0, sizeof(tmp_global_opts_t));
|
|
|
|
|
2016-03-27 12:38:06 +00:00
|
|
|
close(2);
|
2021-09-14 10:25:03 +00:00
|
|
|
proxyspec_parse(&argc, &argv, NATENGINE, global, "sslproxy", tmp_global_opts);
|
2019-07-12 12:52:36 +00:00
|
|
|
global_free(global);
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_free(tmp_global_opts);
|
2016-03-27 12:38:06 +00:00
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
2017-07-25 13:07:39 +00:00
|
|
|
START_TEST(proxyspec_parse_18)
|
|
|
|
{
|
2019-07-12 12:52:36 +00:00
|
|
|
global_t *global = global_new();
|
2018-05-09 17:05:29 +00:00
|
|
|
proxyspec_t *spec = NULL;
|
2018-05-09 18:22:40 +00:00
|
|
|
int argc = 10;
|
2017-07-25 13:07:39 +00:00
|
|
|
char **argv = argv14;
|
|
|
|
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_t *tmp_global_opts = malloc(sizeof(tmp_global_opts_t));
|
|
|
|
memset(tmp_global_opts, 0, sizeof(tmp_global_opts_t));
|
|
|
|
|
|
|
|
proxyspec_parse(&argc, &argv, NATENGINE, global, "sslproxy", tmp_global_opts);
|
2019-07-12 12:52:36 +00:00
|
|
|
spec = global->spec;
|
2017-07-25 13:07:39 +00:00
|
|
|
fail_unless(!!spec, "failed to parse spec");
|
|
|
|
fail_unless(!spec->ssl, "SSL");
|
|
|
|
fail_unless(!spec->http, "HTTP");
|
|
|
|
fail_unless(spec->upgrade, "not Upgrade");
|
|
|
|
fail_unless(spec->listen_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 listen addr");
|
|
|
|
fail_unless(spec->connect_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 connect addr");
|
|
|
|
fail_unless(!spec->sni_port, "SNI port is set");
|
|
|
|
fail_unless(!spec->natengine, "natengine is set");
|
|
|
|
fail_unless(!spec->natlookup, "natlookup() is set");
|
|
|
|
fail_unless(!spec->natsocket, "natsocket() is set");
|
|
|
|
fail_unless(!!spec->next, "next is not set");
|
|
|
|
fail_unless(spec->next->ssl, "not SSL");
|
|
|
|
fail_unless(spec->next->http, "not HTTP");
|
|
|
|
fail_unless(!spec->next->upgrade, "Upgrade");
|
|
|
|
fail_unless(spec->next->listen_addrlen == sizeof(struct sockaddr_in),
|
|
|
|
"not IPv4 listen addr");
|
|
|
|
fail_unless(!spec->next->connect_addrlen, "connect addr set");
|
|
|
|
fail_unless(!spec->next->sni_port, "SNI port is set");
|
|
|
|
fail_unless(!!spec->next->natengine, "natengine is not set");
|
|
|
|
fail_unless(!spec->next->natlookup, "natlookup() is set");
|
|
|
|
fail_unless(!spec->next->natsocket, "natsocket() is set");
|
2019-07-12 12:52:36 +00:00
|
|
|
global_free(global);
|
2021-09-14 10:25:03 +00:00
|
|
|
tmp_global_opts_free(tmp_global_opts);
|
2017-07-25 13:07:39 +00:00
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
2019-08-02 10:21:01 +00:00
|
|
|
START_TEST(proxyspec_set_proto_01)
|
|
|
|
{
|
|
|
|
global_t *global = global_new();
|
2020-05-15 16:13:47 +00:00
|
|
|
proxyspec_t *spec = proxyspec_new(global, "sslproxy", NULL);
|
2019-08-02 10:21:01 +00:00
|
|
|
|
|
|
|
proxyspec_set_proto(spec, "tcp");
|
|
|
|
fail_unless(!spec->ssl, "ssl set in tcp spec");
|
|
|
|
fail_unless(!spec->http, "http set in tcp spec");
|
|
|
|
fail_unless(!spec->upgrade, "upgrade set in tcp spec");
|
|
|
|
fail_unless(!spec->pop3, "pop3 set in tcp spec");
|
|
|
|
fail_unless(!spec->smtp, "smtp set in tcp spec");
|
|
|
|
|
|
|
|
proxyspec_set_proto(spec, "ssl");
|
|
|
|
fail_unless(spec->ssl, "ssl not set in ssl spec");
|
|
|
|
fail_unless(!spec->http, "http set in ssl spec");
|
|
|
|
fail_unless(!spec->upgrade, "upgrade set in ssl spec");
|
|
|
|
fail_unless(!spec->pop3, "pop3 set in ssl spec");
|
|
|
|
fail_unless(!spec->smtp, "smtp set in ssl spec");
|
|
|
|
|
|
|
|
proxyspec_set_proto(spec, "http");
|
|
|
|
fail_unless(!spec->ssl, "ssl set in http spec");
|
|
|
|
fail_unless(spec->http, "http not set in http spec");
|
|
|
|
fail_unless(!spec->upgrade, "upgrade set in http spec");
|
|
|
|
fail_unless(!spec->pop3, "pop3 set in http spec");
|
|
|
|
fail_unless(!spec->smtp, "smtp set in http spec");
|
|
|
|
|
|
|
|
proxyspec_set_proto(spec, "https");
|
|
|
|
fail_unless(spec->ssl, "ssl not set in https spec");
|
|
|
|
fail_unless(spec->http, "http not set in https spec");
|
|
|
|
fail_unless(!spec->upgrade, "upgrade set in https spec");
|
|
|
|
fail_unless(!spec->pop3, "pop3 set in https spec");
|
|
|
|
fail_unless(!spec->smtp, "smtp set in https spec");
|
|
|
|
|
|
|
|
proxyspec_set_proto(spec, "autossl");
|
|
|
|
fail_unless(!spec->ssl, "ssl set in autossl spec");
|
|
|
|
fail_unless(!spec->http, "http set in autossl spec");
|
|
|
|
fail_unless(spec->upgrade, "upgrade not set in autossl spec");
|
|
|
|
fail_unless(!spec->pop3, "pop3 set in autossl spec");
|
|
|
|
fail_unless(!spec->smtp, "smtp set in autossl spec");
|
|
|
|
|
|
|
|
proxyspec_set_proto(spec, "pop3");
|
|
|
|
fail_unless(!spec->ssl, "ssl set in pop3 spec");
|
|
|
|
fail_unless(!spec->http, "http set in pop3 spec");
|
|
|
|
fail_unless(!spec->upgrade, "upgrade set in pop3 spec");
|
|
|
|
fail_unless(spec->pop3, "pop3 not set in pop3 spec");
|
|
|
|
fail_unless(!spec->smtp, "smtp set in pop3 spec");
|
|
|
|
|
|
|
|
proxyspec_set_proto(spec, "pop3s");
|
|
|
|
fail_unless(spec->ssl, "ssl not set in pop3s spec");
|
|
|
|
fail_unless(!spec->http, "http set in pop3s spec");
|
|
|
|
fail_unless(!spec->upgrade, "upgrade set in pop3s spec");
|
|
|
|
fail_unless(spec->pop3, "pop3 not set in pop3s spec");
|
|
|
|
fail_unless(!spec->smtp, "smtp set in pop3s spec");
|
|
|
|
|
|
|
|
proxyspec_set_proto(spec, "smtp");
|
|
|
|
fail_unless(!spec->ssl, "ssl set in smtp spec");
|
|
|
|
fail_unless(!spec->http, "http set in smtp spec");
|
|
|
|
fail_unless(!spec->upgrade, "upgrade set in smtp spec");
|
|
|
|
fail_unless(!spec->pop3, "pop3 set in smtp spec");
|
|
|
|
fail_unless(spec->smtp, "smtp not set in smtp spec");
|
|
|
|
|
|
|
|
proxyspec_set_proto(spec, "smtps");
|
|
|
|
fail_unless(spec->ssl, "ssl not set in smtps spec");
|
|
|
|
fail_unless(!spec->http, "http set in smtps spec");
|
|
|
|
fail_unless(!spec->upgrade, "upgrade set in smtps spec");
|
|
|
|
fail_unless(!spec->pop3, "pop3 set in smtps spec");
|
|
|
|
fail_unless(spec->smtp, "smtp not set in smtps spec");
|
|
|
|
|
|
|
|
proxyspec_free(spec);
|
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
2012-05-14 20:50:20 +00:00
|
|
|
START_TEST(opts_debug_01)
|
|
|
|
{
|
2019-07-12 12:52:36 +00:00
|
|
|
global_t *global = global_new();
|
|
|
|
|
|
|
|
global->debug = 0;
|
|
|
|
fail_unless(!global->debug, "plain 0");
|
|
|
|
fail_unless(!OPTS_DEBUG(global), "macro 0");
|
|
|
|
global->debug = 1;
|
|
|
|
fail_unless(!!global->debug, "plain 1");
|
|
|
|
fail_unless(!!OPTS_DEBUG(global), "macro 1");
|
|
|
|
global_free(global);
|
2012-05-14 20:50:20 +00:00
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.
This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.
And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.
Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.
Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.
Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 09:29:49 +00:00
|
|
|
START_TEST(opts_set_passsite_01)
|
2019-08-02 10:21:01 +00:00
|
|
|
{
|
|
|
|
char *ps;
|
|
|
|
opts_t *opts = opts_new();
|
|
|
|
|
|
|
|
char *s = strdup("example.com");
|
Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.
This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.
And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.
Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.
Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.
Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 09:29:49 +00:00
|
|
|
opts_set_passsite(opts, s, 0);
|
2019-08-02 10:21:01 +00:00
|
|
|
free(s);
|
|
|
|
|
2021-09-12 12:08:59 +00:00
|
|
|
fail_unless(!strcmp(opts->filter_rules->site, "example.com"), "site not example.com");
|
2021-09-09 10:33:01 +00:00
|
|
|
fail_unless(!opts->filter_rules->ip, "ip set");
|
2020-08-25 20:32:32 +00:00
|
|
|
#ifndef WITHOUT_USERAUTH
|
2021-09-09 10:33:01 +00:00
|
|
|
fail_unless(!opts->filter_rules->user, "user set");
|
2021-09-12 12:08:59 +00:00
|
|
|
fail_unless(opts->filter_rules->all_conns, "all_conns not 1");
|
2021-09-09 10:33:01 +00:00
|
|
|
fail_unless(!opts->filter_rules->keyword, "keyword set");
|
2020-08-25 20:32:32 +00:00
|
|
|
#endif /* !WITHOUT_USERAUTH */
|
2021-09-09 10:33:01 +00:00
|
|
|
fail_unless(!opts->filter_rules->next, "next set");
|
2019-08-02 10:21:01 +00:00
|
|
|
|
2021-09-09 10:33:01 +00:00
|
|
|
ps = filter_rule_str(opts->filter_rules);
|
2020-08-25 20:32:32 +00:00
|
|
|
#ifndef WITHOUT_USERAUTH
|
2021-09-18 13:54:14 +00:00
|
|
|
fail_unless(!strcmp(ps, "filter rule 0: site=example.com, exact, ip=, user=, keyword=, all=conns||, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=1"), "failed parsing passite example.com: %s", ps);
|
2020-08-25 20:32:32 +00:00
|
|
|
#else /* WITHOUT_USERAUTH */
|
2021-09-18 13:54:14 +00:00
|
|
|
fail_unless(!strcmp(ps, "filter rule 0: site=example.com, exact, ip=, all=conns|, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=1"), "failed parsing passite example.com: %s", ps);
|
2020-08-25 20:32:32 +00:00
|
|
|
#endif /* WITHOUT_USERAUTH */
|
2019-08-02 10:21:01 +00:00
|
|
|
free(ps);
|
|
|
|
|
|
|
|
opts_free(opts);
|
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.
This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.
And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.
Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.
Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.
Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 09:29:49 +00:00
|
|
|
START_TEST(opts_set_passsite_02)
|
2019-08-02 10:21:01 +00:00
|
|
|
{
|
|
|
|
char *ps;
|
|
|
|
opts_t *opts = opts_new();
|
|
|
|
|
|
|
|
char *s = strdup("example.com 192.168.0.1");
|
Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.
This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.
And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.
Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.
Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.
Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 09:29:49 +00:00
|
|
|
opts_set_passsite(opts, s, 0);
|
2019-08-02 10:21:01 +00:00
|
|
|
free(s);
|
|
|
|
|
2021-09-12 12:08:59 +00:00
|
|
|
fail_unless(!strcmp(opts->filter_rules->site, "example.com"), "site not example.com");
|
2021-09-09 10:33:01 +00:00
|
|
|
fail_unless(!strcmp(opts->filter_rules->ip, "192.168.0.1"), "ip not 192.168.0.1");
|
2020-08-25 20:32:32 +00:00
|
|
|
#ifndef WITHOUT_USERAUTH
|
2021-09-09 10:33:01 +00:00
|
|
|
fail_unless(!opts->filter_rules->user, "user set");
|
2021-09-12 12:08:59 +00:00
|
|
|
fail_unless(!opts->filter_rules->all_conns, "all_conns not 0");
|
2021-09-09 10:33:01 +00:00
|
|
|
fail_unless(!opts->filter_rules->keyword, "keyword set");
|
2020-08-25 20:32:32 +00:00
|
|
|
#endif /* !WITHOUT_USERAUTH */
|
2021-09-09 10:33:01 +00:00
|
|
|
fail_unless(!opts->filter_rules->next, "next set");
|
2019-08-02 10:21:01 +00:00
|
|
|
|
2021-09-09 10:33:01 +00:00
|
|
|
ps = filter_rule_str(opts->filter_rules);
|
2020-08-25 20:32:32 +00:00
|
|
|
#ifndef WITHOUT_USERAUTH
|
2021-09-18 13:54:14 +00:00
|
|
|
fail_unless(!strcmp(ps, "filter rule 0: site=example.com, exact, ip=192.168.0.1, user=, keyword=, all=||, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=2"), "failed parsing passite example.com 192.168.0.1: %s", ps);
|
2020-08-25 20:32:32 +00:00
|
|
|
#else /* WITHOUT_USERAUTH */
|
2021-09-18 13:54:14 +00:00
|
|
|
fail_unless(!strcmp(ps, "filter rule 0: site=example.com, exact, ip=192.168.0.1, all=|, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=2"), "failed parsing passite example.com 192.168.0.1: %s", ps);
|
2020-08-25 20:32:32 +00:00
|
|
|
#endif /* !WITHOUT_USERAUTH */
|
2019-08-02 10:21:01 +00:00
|
|
|
free(ps);
|
|
|
|
|
|
|
|
opts_free(opts);
|
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
2020-08-25 20:32:32 +00:00
|
|
|
#ifndef WITHOUT_USERAUTH
|
Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.
This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.
And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.
Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.
Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.
Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 09:29:49 +00:00
|
|
|
START_TEST(opts_set_passsite_03)
|
2019-08-02 10:21:01 +00:00
|
|
|
{
|
|
|
|
char *ps;
|
|
|
|
opts_t *opts = opts_new();
|
|
|
|
|
|
|
|
opts->user_auth = 1;
|
|
|
|
|
|
|
|
char *s = strdup("example.com root");
|
Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.
This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.
And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.
Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.
Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.
Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 09:29:49 +00:00
|
|
|
opts_set_passsite(opts, s, 0);
|
2019-08-02 10:21:01 +00:00
|
|
|
free(s);
|
|
|
|
|
2021-09-12 12:08:59 +00:00
|
|
|
fail_unless(!strcmp(opts->filter_rules->site, "example.com"), "site not example.com");
|
2021-09-09 10:33:01 +00:00
|
|
|
fail_unless(!opts->filter_rules->ip, "ip set");
|
|
|
|
fail_unless(!strcmp(opts->filter_rules->user, "root"), "user not root");
|
2021-09-12 12:08:59 +00:00
|
|
|
fail_unless(!opts->filter_rules->all_conns, "all_conns not 0");
|
2021-09-09 10:33:01 +00:00
|
|
|
fail_unless(!opts->filter_rules->keyword, "keyword set");
|
|
|
|
fail_unless(!opts->filter_rules->next, "next set");
|
2019-08-02 10:21:01 +00:00
|
|
|
|
2021-09-09 10:33:01 +00:00
|
|
|
ps = filter_rule_str(opts->filter_rules);
|
2021-09-18 13:54:14 +00:00
|
|
|
fail_unless(!strcmp(ps, "filter rule 0: site=example.com, exact, ip=, user=root, keyword=, all=||, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=3"), "failed parsing passite example.com root: %s", ps);
|
2019-08-02 10:21:01 +00:00
|
|
|
free(ps);
|
|
|
|
|
|
|
|
opts_free(opts);
|
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.
This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.
And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.
Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.
Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.
Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 09:29:49 +00:00
|
|
|
START_TEST(opts_set_passsite_04)
|
2019-08-02 10:21:01 +00:00
|
|
|
{
|
|
|
|
char *ps;
|
|
|
|
opts_t *opts = opts_new();
|
|
|
|
|
Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.
This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.
And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.
Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.
Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.
Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 09:29:49 +00:00
|
|
|
opts->user_auth = 1;
|
|
|
|
|
2019-08-02 10:21:01 +00:00
|
|
|
char *s = strdup("*.google.com * android");
|
Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.
This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.
And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.
Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.
Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.
Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 09:29:49 +00:00
|
|
|
opts_set_passsite(opts, s, 0);
|
2019-08-02 10:21:01 +00:00
|
|
|
free(s);
|
|
|
|
|
2021-09-12 12:08:59 +00:00
|
|
|
fail_unless(!strcmp(opts->filter_rules->site, "*.google.com"), "site not *.google.com");
|
2021-09-09 10:33:01 +00:00
|
|
|
fail_unless(!opts->filter_rules->ip, "ip set");
|
|
|
|
fail_unless(!opts->filter_rules->user, "user set");
|
2021-09-12 12:08:59 +00:00
|
|
|
fail_unless(!opts->filter_rules->all_conns, "all_conns not 0");
|
|
|
|
fail_unless(opts->filter_rules->all_users, "all_users not 1");
|
2021-09-09 10:33:01 +00:00
|
|
|
fail_unless(!strcmp(opts->filter_rules->keyword, "android"), "keyword not android");
|
|
|
|
fail_unless(!opts->filter_rules->next, "next set");
|
2019-08-02 10:21:01 +00:00
|
|
|
|
2021-09-09 10:33:01 +00:00
|
|
|
ps = filter_rule_str(opts->filter_rules);
|
2021-09-18 13:54:14 +00:00
|
|
|
fail_unless(!strcmp(ps, "filter rule 0: site=*.google.com, exact, ip=, user=, keyword=android, all=|users|, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=3"), "failed parsing passite *.google.com * android: %s", ps);
|
2019-08-02 10:21:01 +00:00
|
|
|
free(ps);
|
|
|
|
|
|
|
|
opts_free(opts);
|
|
|
|
}
|
|
|
|
END_TEST
|
2020-08-25 20:32:32 +00:00
|
|
|
#endif /* !WITHOUT_USERAUTH */
|
2019-08-02 10:21:01 +00:00
|
|
|
|
Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.
This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.
And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.
Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.
Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.
Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 09:29:49 +00:00
|
|
|
START_TEST(opts_set_passsite_05)
|
2019-08-02 10:21:01 +00:00
|
|
|
{
|
|
|
|
char *ps;
|
|
|
|
char *s;
|
|
|
|
opts_t *opts = opts_new();
|
|
|
|
|
Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.
This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.
And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.
Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.
Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.
Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 09:29:49 +00:00
|
|
|
// Dup string using strdup(), otherwise strtok_r() in opts_set_passsite() will cause segmentation fault
|
2019-08-02 10:21:01 +00:00
|
|
|
s = strdup("example.com");
|
Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.
This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.
And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.
Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.
Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.
Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 09:29:49 +00:00
|
|
|
opts_set_passsite(opts, s, 0);
|
2019-08-02 10:21:01 +00:00
|
|
|
free(s);
|
2021-09-09 10:33:01 +00:00
|
|
|
fail_unless(!opts->filter_rules->next, "next set");
|
2019-08-02 10:21:01 +00:00
|
|
|
|
2021-09-07 17:12:46 +00:00
|
|
|
s = strdup("example.com *");
|
Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.
This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.
And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.
Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.
Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.
Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 09:29:49 +00:00
|
|
|
opts_set_passsite(opts, s, 1);
|
2019-08-02 10:21:01 +00:00
|
|
|
free(s);
|
2021-09-09 10:33:01 +00:00
|
|
|
fail_unless(opts->filter_rules->next, "next not set");
|
|
|
|
fail_unless(!opts->filter_rules->next->next, "next->next set");
|
2019-08-02 10:21:01 +00:00
|
|
|
|
2021-09-07 17:12:46 +00:00
|
|
|
s = strdup("example.com 192.168.0.1");
|
|
|
|
opts_set_passsite(opts, s, 2);
|
|
|
|
free(s);
|
2021-09-09 10:33:01 +00:00
|
|
|
fail_unless(opts->filter_rules->next, "next not set");
|
|
|
|
fail_unless(opts->filter_rules->next->next, "next->next not set");
|
|
|
|
fail_unless(!opts->filter_rules->next->next->next, "next->next->next set");
|
2021-09-07 17:12:46 +00:00
|
|
|
|
2020-08-25 20:32:32 +00:00
|
|
|
#ifndef WITHOUT_USERAUTH
|
2019-08-02 10:21:01 +00:00
|
|
|
opts->user_auth = 1;
|
Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.
This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.
And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.
Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.
Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.
Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 09:29:49 +00:00
|
|
|
// Use root user, opts_set_passsite() calls sys_isuser() to validate the user
|
2019-08-02 10:21:01 +00:00
|
|
|
s = strdup("example.com root");
|
2021-09-07 17:12:46 +00:00
|
|
|
opts_set_passsite(opts, s, 3);
|
2019-08-02 10:21:01 +00:00
|
|
|
free(s);
|
2021-09-09 10:33:01 +00:00
|
|
|
fail_unless(opts->filter_rules->next, "next not set");
|
|
|
|
fail_unless(opts->filter_rules->next->next, "next->next not set");
|
|
|
|
fail_unless(opts->filter_rules->next->next->next, "next->next->next not set");
|
|
|
|
fail_unless(!opts->filter_rules->next->next->next->next, "next->next->next->next set");
|
2019-08-02 10:21:01 +00:00
|
|
|
|
|
|
|
s = strdup("*.google.com * android");
|
2021-09-07 17:12:46 +00:00
|
|
|
opts_set_passsite(opts, s, 4);
|
2019-08-02 10:21:01 +00:00
|
|
|
free(s);
|
2020-08-25 20:32:32 +00:00
|
|
|
#endif /* !WITHOUT_USERAUTH */
|
2021-09-09 10:33:01 +00:00
|
|
|
ps = filter_rule_str(opts->filter_rules);
|
|
|
|
fail_unless(opts->filter_rules->next, "next not set");
|
|
|
|
fail_unless(opts->filter_rules->next->next, "next->next not set");
|
2021-09-07 17:12:46 +00:00
|
|
|
#ifndef WITHOUT_USERAUTH
|
2021-09-09 10:33:01 +00:00
|
|
|
fail_unless(opts->filter_rules->next->next->next, "next->next->next not set");
|
|
|
|
fail_unless(opts->filter_rules->next->next->next->next, "next->next->next->next not set");
|
|
|
|
fail_unless(!opts->filter_rules->next->next->next->next->next, "next->next->next->next->next set");
|
2021-09-19 13:21:50 +00:00
|
|
|
fail_unless(!strcmp(ps, "filter rule 0: site=example.com, exact, ip=, user=, keyword=, all=conns||, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=1\n"
|
|
|
|
"filter rule 1: site=example.com, exact, ip=, user=, keyword=, all=|users|, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=2\n"
|
2021-09-18 13:54:14 +00:00
|
|
|
"filter rule 2: site=example.com, exact, ip=192.168.0.1, user=, keyword=, all=||, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=2\n"
|
2021-09-19 13:21:50 +00:00
|
|
|
"filter rule 3: site=example.com, exact, ip=, user=root, keyword=, all=||, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=3\n"
|
|
|
|
"filter rule 4: site=*.google.com, exact, ip=, user=, keyword=android, all=|users|, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=3"),
|
2021-09-09 10:33:01 +00:00
|
|
|
"failed parsing multiple passites: %s", ps);
|
2020-08-25 20:32:32 +00:00
|
|
|
#else /* WITHOUT_USERAUTH */
|
2021-09-09 10:33:01 +00:00
|
|
|
fail_unless(!opts->filter_rules->next->next->next, "next->next->next set");
|
2021-09-19 13:21:50 +00:00
|
|
|
fail_unless(!strcmp(ps, "filter rule 0: site=example.com, exact, ip=, all=conns|, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=1\n"
|
2021-09-18 13:54:14 +00:00
|
|
|
"filter rule 1: site=example.com, exact, ip=, all=conns|, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=1\n"
|
2021-09-19 13:21:50 +00:00
|
|
|
"filter rule 2: site=example.com, exact, ip=192.168.0.1, all=|, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=2"),
|
2021-09-09 10:33:01 +00:00
|
|
|
"failed parsing multiple passites: %s", ps);
|
2020-08-25 20:32:32 +00:00
|
|
|
#endif /* WITHOUT_USERAUTH */
|
2019-08-02 10:21:01 +00:00
|
|
|
free(ps);
|
|
|
|
|
|
|
|
opts_free(opts);
|
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
2021-09-14 15:32:57 +00:00
|
|
|
START_TEST(opts_is_yesno_01)
|
2019-08-02 10:21:01 +00:00
|
|
|
{
|
|
|
|
int yes;
|
|
|
|
|
2021-09-14 15:32:57 +00:00
|
|
|
yes = is_yesno("yes");
|
2019-08-02 10:21:01 +00:00
|
|
|
fail_unless(yes == 1, "failed yes");
|
|
|
|
|
2021-09-14 15:32:57 +00:00
|
|
|
yes = is_yesno("ye");
|
2019-08-02 10:21:01 +00:00
|
|
|
fail_unless(yes == -1, "failed ye");
|
|
|
|
|
2021-09-14 15:32:57 +00:00
|
|
|
yes = is_yesno("yes1");
|
2019-08-02 10:21:01 +00:00
|
|
|
fail_unless(yes == -1, "failed yes1");
|
|
|
|
|
2021-09-14 15:32:57 +00:00
|
|
|
yes = is_yesno("");
|
2019-08-02 10:21:01 +00:00
|
|
|
fail_unless(yes == -1, "failed empty string");
|
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
2021-09-14 15:32:57 +00:00
|
|
|
START_TEST(opts_is_yesno_02)
|
2019-08-02 10:21:01 +00:00
|
|
|
{
|
|
|
|
int yes;
|
|
|
|
|
2021-09-14 15:32:57 +00:00
|
|
|
yes = is_yesno("no");
|
2019-08-02 10:21:01 +00:00
|
|
|
fail_unless(yes == 0, "failed no");
|
|
|
|
|
2021-09-14 15:32:57 +00:00
|
|
|
yes = is_yesno("n");
|
2019-08-02 10:21:01 +00:00
|
|
|
fail_unless(yes == -1, "failed n");
|
|
|
|
|
2021-09-14 15:32:57 +00:00
|
|
|
yes = is_yesno("no1");
|
2019-08-02 10:21:01 +00:00
|
|
|
fail_unless(yes == -1, "failed no1");
|
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
|
|
|
START_TEST(opts_get_name_value_01)
|
|
|
|
{
|
|
|
|
int retval;
|
|
|
|
char *name;
|
|
|
|
char *value;
|
|
|
|
|
|
|
|
name = strdup("Name Value");
|
|
|
|
retval = get_name_value(&name, &value, ' ', 0);
|
|
|
|
fail_unless(!strcmp(name, "Name"), "failed parsing name");
|
|
|
|
fail_unless(!strcmp(value, "Value"), "failed parsing value");
|
|
|
|
fail_unless(retval == 0, "failed parsing name value");
|
|
|
|
free(name);
|
|
|
|
|
|
|
|
name = strdup("Name Value");
|
|
|
|
retval = get_name_value(&name, &value, ' ', 0);
|
|
|
|
fail_unless(!strcmp(name, "Name"), "failed parsing name");
|
|
|
|
fail_unless(!strcmp(value, "Value"), "failed parsing value");
|
|
|
|
fail_unless(retval == 0, "failed parsing name value");
|
|
|
|
free(name);
|
|
|
|
|
2021-09-14 23:58:45 +00:00
|
|
|
// Leading white space must be handled by the caller,
|
|
|
|
// so we don't have a test for " Name Value", or similar
|
2019-08-02 10:21:01 +00:00
|
|
|
|
|
|
|
name = strdup("Name Value ");
|
|
|
|
retval = get_name_value(&name, &value, ' ', 0);
|
|
|
|
fail_unless(!strcmp(name, "Name"), "failed parsing name");
|
|
|
|
fail_unless(!strcmp(value, "Value"), "failed parsing value");
|
|
|
|
fail_unless(retval == 0, "failed parsing name value");
|
|
|
|
free(name);
|
|
|
|
|
|
|
|
name = strdup("Name=Value");
|
|
|
|
retval = get_name_value(&name, &value, '=', 0);
|
|
|
|
fail_unless(!strcmp(name, "Name"), "failed parsing name");
|
|
|
|
fail_unless(!strcmp(value, "Value"), "failed parsing value");
|
|
|
|
fail_unless(retval == 0, "failed parsing name value");
|
|
|
|
free(name);
|
|
|
|
|
|
|
|
name = strdup("Name=Value ");
|
|
|
|
retval = get_name_value(&name, &value, '=', 0);
|
|
|
|
fail_unless(!strcmp(name, "Name"), "failed parsing name");
|
|
|
|
fail_unless(!strcmp(value, "Value"), "failed parsing value");
|
|
|
|
fail_unless(retval == 0, "failed parsing name value");
|
|
|
|
free(name);
|
|
|
|
|
|
|
|
name = strdup("Name = Value");
|
|
|
|
retval = get_name_value(&name, &value, '=', 0);
|
|
|
|
fail_unless(!strcmp(name, "Name"), "failed parsing name");
|
|
|
|
fail_unless(!strcmp(value, "Value"), "failed parsing value");
|
|
|
|
fail_unless(retval == 0, "failed parsing name value");
|
|
|
|
free(name);
|
|
|
|
|
|
|
|
name = strdup("Name = Value ");
|
|
|
|
retval = get_name_value(&name, &value, '=', 0);
|
|
|
|
fail_unless(!strcmp(name, "Name"), "failed parsing name");
|
|
|
|
fail_unless(!strcmp(value, "Value"), "failed parsing value");
|
|
|
|
fail_unless(retval == 0, "failed parsing name value");
|
|
|
|
free(name);
|
|
|
|
|
|
|
|
name = strdup("Name");
|
|
|
|
retval = get_name_value(&name, &value, ' ', 0);
|
|
|
|
fail_unless(!strcmp(name, "Name"), "failed parsing name");
|
|
|
|
fail_unless(retval == -1, "failed rejecting just name");
|
|
|
|
free(name);
|
|
|
|
|
|
|
|
name = strdup("Name ");
|
|
|
|
retval = get_name_value(&name, &value, ' ', 0);
|
|
|
|
fail_unless(!strcmp(name, "Name"), "failed parsing name");
|
|
|
|
fail_unless(!strcmp(value, ""), "failed parsing value");
|
|
|
|
fail_unless(retval == 0, "failed parsing name empty value");
|
|
|
|
free(name);
|
|
|
|
|
|
|
|
name = strdup("Name ");
|
|
|
|
retval = get_name_value(&name, &value, ' ', 0);
|
|
|
|
fail_unless(!strcmp(name, "Name"), "failed parsing name");
|
|
|
|
fail_unless(!strcmp(value, ""), "failed parsing value");
|
|
|
|
fail_unless(retval == 0, "failed parsing name empty value");
|
|
|
|
free(name);
|
|
|
|
|
|
|
|
name = strdup("Name=");
|
|
|
|
retval = get_name_value(&name, &value, '=', 0);
|
|
|
|
fail_unless(!strcmp(name, "Name"), "failed parsing name");
|
|
|
|
fail_unless(!strcmp(value, ""), "failed parsing value");
|
|
|
|
fail_unless(retval == 0, "failed parsing name empty value");
|
|
|
|
free(name);
|
|
|
|
|
|
|
|
name = strdup("Name= ");
|
|
|
|
retval = get_name_value(&name, &value, '=', 0);
|
|
|
|
fail_unless(!strcmp(name, "Name"), "failed parsing name");
|
|
|
|
fail_unless(!strcmp(value, ""), "failed parsing value");
|
|
|
|
fail_unless(retval == 0, "failed parsing name empty value");
|
|
|
|
free(name);
|
|
|
|
|
|
|
|
name = strdup("Name =");
|
|
|
|
retval = get_name_value(&name, &value, '=', 0);
|
|
|
|
fail_unless(!strcmp(name, "Name"), "failed parsing name");
|
|
|
|
fail_unless(!strcmp(value, ""), "failed parsing value");
|
|
|
|
fail_unless(retval == 0, "failed parsing name empty value");
|
|
|
|
free(name);
|
|
|
|
|
|
|
|
name = strdup("Name = ");
|
|
|
|
retval = get_name_value(&name, &value, '=', 0);
|
|
|
|
fail_unless(!strcmp(name, "Name"), "failed parsing name");
|
|
|
|
fail_unless(!strcmp(value, ""), "failed parsing value");
|
|
|
|
fail_unless(retval == 0, "failed parsing name empty value");
|
|
|
|
free(name);
|
|
|
|
}
|
|
|
|
END_TEST
|
|
|
|
|
2012-04-13 12:47:30 +00:00
|
|
|
Suite *
|
|
|
|
opts_suite(void)
|
|
|
|
{
|
|
|
|
Suite *s;
|
|
|
|
TCase *tc;
|
|
|
|
s = suite_create("opts");
|
|
|
|
|
|
|
|
tc = tcase_create("proxyspec_parse");
|
|
|
|
tcase_add_test(tc, proxyspec_parse_01);
|
2016-03-25 11:00:35 +00:00
|
|
|
#ifndef TRAVIS
|
|
|
|
tcase_add_test(tc, proxyspec_parse_02); /* IPv6 */
|
2018-11-03 15:23:31 +00:00
|
|
|
#endif /* !TRAVIS */
|
2012-04-13 12:47:30 +00:00
|
|
|
tcase_add_exit_test(tc, proxyspec_parse_03, EXIT_FAILURE);
|
|
|
|
tcase_add_exit_test(tc, proxyspec_parse_04, EXIT_FAILURE);
|
|
|
|
tcase_add_test(tc, proxyspec_parse_05);
|
|
|
|
tcase_add_test(tc, proxyspec_parse_06);
|
|
|
|
tcase_add_test(tc, proxyspec_parse_07);
|
|
|
|
tcase_add_test(tc, proxyspec_parse_08);
|
|
|
|
tcase_add_exit_test(tc, proxyspec_parse_09, EXIT_FAILURE);
|
|
|
|
tcase_add_exit_test(tc, proxyspec_parse_10, EXIT_FAILURE);
|
|
|
|
tcase_add_test(tc, proxyspec_parse_11);
|
|
|
|
tcase_add_exit_test(tc, proxyspec_parse_12, EXIT_FAILURE);
|
2016-03-25 11:00:35 +00:00
|
|
|
#ifndef TRAVIS
|
|
|
|
tcase_add_test(tc, proxyspec_parse_13); /* IPv6 */
|
|
|
|
tcase_add_test(tc, proxyspec_parse_14); /* IPv6 */
|
2018-11-03 15:23:31 +00:00
|
|
|
#endif /* !TRAVIS */
|
2016-03-27 12:38:06 +00:00
|
|
|
tcase_add_test(tc, proxyspec_parse_15);
|
|
|
|
tcase_add_test(tc, proxyspec_parse_16);
|
|
|
|
tcase_add_exit_test(tc, proxyspec_parse_17, EXIT_FAILURE);
|
2017-07-25 13:07:39 +00:00
|
|
|
tcase_add_test(tc, proxyspec_parse_18);
|
2019-08-02 10:21:01 +00:00
|
|
|
tcase_add_test(tc, proxyspec_set_proto_01);
|
2012-04-13 12:47:30 +00:00
|
|
|
suite_add_tcase(s, tc);
|
|
|
|
|
2019-08-02 10:21:01 +00:00
|
|
|
tc = tcase_create("opts_config");
|
2012-05-14 20:50:20 +00:00
|
|
|
tcase_add_test(tc, opts_debug_01);
|
Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.
This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.
And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.
Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.
Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.
Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 09:29:49 +00:00
|
|
|
tcase_add_test(tc, opts_set_passsite_01);
|
|
|
|
tcase_add_test(tc, opts_set_passsite_02);
|
2020-08-25 20:32:32 +00:00
|
|
|
#ifndef WITHOUT_USERAUTH
|
Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.
This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.
And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.
Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.
Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.
Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 09:29:49 +00:00
|
|
|
tcase_add_test(tc, opts_set_passsite_03);
|
|
|
|
tcase_add_test(tc, opts_set_passsite_04);
|
2020-08-25 20:32:32 +00:00
|
|
|
#endif /* !WITHOUT_USERAUTH */
|
Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.
This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.
And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.
Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.
Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.
Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 09:29:49 +00:00
|
|
|
tcase_add_test(tc, opts_set_passsite_05);
|
2021-09-14 15:32:57 +00:00
|
|
|
tcase_add_test(tc, opts_is_yesno_01);
|
|
|
|
tcase_add_test(tc, opts_is_yesno_02);
|
2019-08-02 10:21:01 +00:00
|
|
|
tcase_add_test(tc, opts_get_name_value_01);
|
2012-05-14 20:50:20 +00:00
|
|
|
suite_add_tcase(s, tc);
|
|
|
|
|
2018-11-03 15:23:31 +00:00
|
|
|
#ifdef TRAVIS
|
|
|
|
fprintf(stderr, "opts: 3 tests omitted because building in travis\n");
|
|
|
|
#endif
|
|
|
|
|
2012-04-13 12:47:30 +00:00
|
|
|
return s;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* vim: set noet ft=c: */
|