|
|
/*-
|
|
|
* SSLproxy
|
|
|
*
|
|
|
* Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
|
|
|
* All rights reserved.
|
|
|
*
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
* modification, are permitted provided that the following conditions are met:
|
|
|
* 1. Redistributions of source code must retain the above copyright notice,
|
|
|
* this list of conditions and the following disclaimer.
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
|
* this list of conditions and the following disclaimer in the documentation
|
|
|
* and/or other materials provided with the distribution.
|
|
|
*
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS''
|
|
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
|
|
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
|
*/
|
|
|
|
|
|
#include "attrib.h"
|
|
|
#include "opts.h"
|
|
|
#include "filter.h"
|
|
|
|
|
|
#include <check.h>
|
|
|
#include <unistd.h>
|
|
|
|
|
|
#ifdef HAVE_TLSV13
|
|
|
#define MAX_SSL_PROTO "tls13"
|
|
|
#define FORCE_SSL_PROTO "tls13"
|
|
|
#elif defined(HAVE_TLSV12)
|
|
|
#define MAX_SSL_PROTO "tls12"
|
|
|
#define FORCE_SSL_PROTO "tls12"
|
|
|
#elif defined(HAVE_TLSV11)
|
|
|
#define MAX_SSL_PROTO "tls11"
|
|
|
#define FORCE_SSL_PROTO "tls11"
|
|
|
#else
|
|
|
#define MAX_SSL_PROTO "tls10"
|
|
|
#define FORCE_SSL_PROTO "tls10"
|
|
|
#endif
|
|
|
|
|
|
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20702000L)
|
|
|
#define SSL_PROTO_CONFIG ">=tls10<="MAX_SSL_PROTO
|
|
|
#define SSL_PROTO_CONFIG_FILTERRULE MAX_SSL_PROTO" -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO
|
|
|
#elif (OPENSSL_VERSION_NUMBER <= 0x1000013fL)
|
|
|
#define SSL_PROTO_CONFIG ""
|
|
|
#define SSL_PROTO_CONFIG_FILTERRULE "tls10"
|
|
|
#else
|
|
|
#define SSL_PROTO_CONFIG ""
|
|
|
#define SSL_PROTO_CONFIG_FILTERRULE MAX_SSL_PROTO" -"MAX_SSL_PROTO"|no_"MAX_SSL_PROTO
|
|
|
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
|
|
|
|
|
|
#ifndef OPENSSL_NO_ECDH
|
|
|
#define ECDHCURVE "no ecdhcurve|"
|
|
|
#define ECDH_PRIME2 "prime192v1|"
|
|
|
#else
|
|
|
#define ECDHCURVE ""
|
|
|
#define ECDH_PRIME2 ""
|
|
|
#endif /* !OPENSSL_NO_ECDH */
|
|
|
|
|
|
START_TEST(set_filter_struct_01)
|
|
|
{
|
|
|
char *s;
|
|
|
int rv;
|
|
|
opts_t *opts = opts_new();
|
|
|
conn_opts_t *conn_opts = conn_opts_new();
|
|
|
|
|
|
tmp_opts_t *tmp_opts = malloc(sizeof (tmp_opts_t));
|
|
|
memset(tmp_opts, 0, sizeof (tmp_opts_t));
|
|
|
|
|
|
FILE *f;
|
|
|
unsigned int line_num = 0;
|
|
|
|
|
|
// ATTENTION: We can use const strings here, because we do not modify s in load_filterrule_struct()
|
|
|
s = "Action Divert\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nSrcIp *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nSrcIp *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nSrcIp *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nSrcIp *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nSrcIp *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// "Divert to *" one line rule is equivalent to "Action Divert\n}" struct rule (so are the rules for the other actions)
|
|
|
|
|
|
s = "Action Divert\nLog *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
opts_free(opts);
|
|
|
conn_opts_free(conn_opts);
|
|
|
tmp_opts_free(tmp_opts);
|
|
|
}
|
|
|
END_TEST
|
|
|
|
|
|
START_TEST(set_filter_struct_02)
|
|
|
{
|
|
|
char *s;
|
|
|
int rv;
|
|
|
opts_t *opts = opts_new();
|
|
|
conn_opts_t *conn_opts = conn_opts_new();
|
|
|
|
|
|
tmp_opts_t *tmp_opts = malloc(sizeof (tmp_opts_t));
|
|
|
memset(tmp_opts, 0, sizeof (tmp_opts_t));
|
|
|
|
|
|
FILE *f;
|
|
|
unsigned int line_num = 0;
|
|
|
|
|
|
s = "Action Divert\nSrcIp 192.168.0.1\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nSrcIp 192.168.0.1\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nSrcIp 192.168.0.1\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nSrcIp 192.168.0.1\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nSrcIp 192.168.0.1\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nSrcIp 192.168.0.1*\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nSrcIp 192.168.0.1*\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nSrcIp 192.168.0.1*\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nSrcIp 192.168.0.1*\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nSrcIp 192.168.0.1*\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = strdup("$macro 192.168.0.1 192.168.0.2 192.168.0.1* 192.168.0.2*");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
|
|
|
s = "Action Divert\nSrcIp $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nSrcIp $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nSrcIp $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nSrcIp $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nSrcIp $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
opts_free(opts);
|
|
|
conn_opts_free(conn_opts);
|
|
|
tmp_opts_free(tmp_opts);
|
|
|
}
|
|
|
END_TEST
|
|
|
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
START_TEST(set_filter_struct_03)
|
|
|
{
|
|
|
char *s;
|
|
|
int rv;
|
|
|
opts_t *opts = opts_new();
|
|
|
conn_opts_t *conn_opts = conn_opts_new();
|
|
|
|
|
|
s = strdup("$macro root daemon admin*");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
close(2);
|
|
|
|
|
|
tmp_opts_t *tmp_opts = malloc(sizeof (tmp_opts_t));
|
|
|
memset(tmp_opts, 0, sizeof (tmp_opts_t));
|
|
|
|
|
|
FILE *f;
|
|
|
unsigned int line_num = 0;
|
|
|
|
|
|
s = "Action Divert\nUser *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nUser *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nUser *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nUser *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nUser *\nDesc desc\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nUser *\nDesc desc\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nUser *\nDesc desc\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nUser *\nDesc desc\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser *\nDesc desc\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nUser $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nUser $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nUser $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nUser $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nUser $macro\nDesc desc\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nUser $macro\nDesc desc\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nUser $macro\nDesc desc\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nUser $macro\nDesc desc\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser $macro\nDesc desc\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nUser $macro\nDesc $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nUser $macro\nDesc $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nUser $macro\nDesc $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nUser $macro\nDesc $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser $macro\nDesc $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == -1, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nUser *\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nUser *\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nUser *\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nUser *\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser *\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nUser *\nDesc desc\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nUser *\nDesc desc\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nUser *\nDesc desc\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nUser *\nDesc desc\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser *\nDesc desc\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nUser $macro\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nUser $macro\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nUser $macro\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nUser $macro\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser $macro\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nUser $macro\nDesc desc\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nUser $macro\nDesc desc\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nUser $macro\nDesc desc\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nUser $macro\nDesc desc\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser $macro\nDesc desc\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nUser $macro\nDesc $macro\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nUser $macro\nDesc $macro\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nUser $macro\nDesc $macro\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nUser $macro\nDesc $macro\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser $macro\nDesc $macro\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
opts_free(opts);
|
|
|
conn_opts_free(conn_opts);
|
|
|
tmp_opts_free(tmp_opts);
|
|
|
}
|
|
|
END_TEST
|
|
|
#endif /* !WITHOUT_USERAUTH */
|
|
|
|
|
|
START_TEST(set_filter_struct_04)
|
|
|
{
|
|
|
char *s;
|
|
|
int rv;
|
|
|
opts_t *opts = opts_new();
|
|
|
conn_opts_t *conn_opts = conn_opts_new();
|
|
|
|
|
|
tmp_opts_t *tmp_opts = malloc(sizeof (tmp_opts_t));
|
|
|
memset(tmp_opts, 0, sizeof (tmp_opts_t));
|
|
|
|
|
|
FILE *f;
|
|
|
unsigned int line_num = 0;
|
|
|
|
|
|
s = "Action Divert\nDstIp *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nDstIp *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nDstIp *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nDstIp *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nDstIp *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nDstIp *\nDstPort *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nDstIp *\nDstPort *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nDstIp *\nDstPort *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nDstIp *\nDstPort *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nDstIp *\nDstPort *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nDstIp 192.168.0.1\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nDstIp 192.168.0.1\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nDstIp 192.168.0.1\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nDstIp 192.168.0.1\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nDstIp 192.168.0.1\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nDstIp 192.168.0.1\nDstPort *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nDstIp 192.168.0.1\nDstPort *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nDstIp 192.168.0.1\nDstPort *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nDstIp 192.168.0.1\nDstPort *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nDstIp 192.168.0.1\nDstPort *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nDstIp *\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nDstIp *\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nDstIp *\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nDstIp *\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nDstIp *\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nDstIp 192.168.0.1\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nDstIp 192.168.0.1\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nDstIp 192.168.0.1\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nDstIp 192.168.0.1\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nDstIp 192.168.0.1\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = strdup("$macro1 192.168.0.1 192.168.0.2 192.168.0.1*");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
s = strdup("$macro2 443 444 80*");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
s = "Action Divert\nDstIp $macro1\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nDstIp $macro1\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nDstIp $macro1\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nDstIp $macro1\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nDstIp $macro1\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
opts_free(opts);
|
|
|
conn_opts_free(conn_opts);
|
|
|
tmp_opts_free(tmp_opts);
|
|
|
}
|
|
|
END_TEST
|
|
|
|
|
|
START_TEST(set_filter_struct_05)
|
|
|
{
|
|
|
char *s;
|
|
|
int rv;
|
|
|
opts_t *opts = opts_new();
|
|
|
conn_opts_t *conn_opts = conn_opts_new();
|
|
|
|
|
|
tmp_opts_t *tmp_opts = malloc(sizeof (tmp_opts_t));
|
|
|
memset(tmp_opts, 0, sizeof (tmp_opts_t));
|
|
|
|
|
|
FILE *f;
|
|
|
unsigned int line_num = 0;
|
|
|
|
|
|
s = strdup("$macro example.com example*");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
s = strdup("$macro2 443 444 80*");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
|
|
|
s = "Action Divert\nSNI *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nSNI *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nSNI *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nSNI *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nSNI *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nSNI example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nSNI example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nSNI example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nSNI example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nSNI example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nSNI example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nSNI example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nSNI example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nSNI example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nSNI example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nSNI $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nSNI $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nSNI $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nSNI $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nSNI $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nSNI example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nSNI example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nSNI example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nSNI example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nSNI example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nSNI $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nSNI $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nSNI $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nSNI $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nSNI $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nCN *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nCN *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nCN *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nCN *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nCN *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nCN example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nCN example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nCN example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nCN example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nCN example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nCN example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nCN example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nCN example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nCN example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nCN example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nCN $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nCN $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nCN $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nCN $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nCN $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nCN example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nCN example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nCN example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nCN example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nCN example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nCN $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nCN $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nCN $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nCN $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nCN $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nHost *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nHost *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nHost *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nHost *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nHost *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nHost example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nHost example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nHost example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nHost example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nHost example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nHost example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nHost example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nHost example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nHost example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nHost example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nHost $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nHost $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nHost $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nHost $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nHost $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nHost example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nHost example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nHost example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nHost example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nHost example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nHost $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nHost $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nHost $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nHost $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nHost $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nURI *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nURI *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nURI *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nURI *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nURI *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nURI example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nURI example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nURI example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nURI example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nURI example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nURI example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nURI example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nURI example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nURI example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nURI example.com\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nURI $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nURI $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nURI $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nURI $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nURI $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nURI example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nURI example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nURI example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nURI example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nURI example.com\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nURI $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nURI $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nURI $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nURI $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nURI $macro\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nDstPort $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
opts_free(opts);
|
|
|
conn_opts_free(conn_opts);
|
|
|
tmp_opts_free(tmp_opts);
|
|
|
}
|
|
|
END_TEST
|
|
|
|
|
|
START_TEST(set_filter_struct_06)
|
|
|
{
|
|
|
char *s;
|
|
|
int rv;
|
|
|
opts_t *opts = opts_new();
|
|
|
conn_opts_t *conn_opts = conn_opts_new();
|
|
|
|
|
|
tmp_opts_t *tmp_opts = malloc(sizeof (tmp_opts_t));
|
|
|
memset(tmp_opts, 0, sizeof (tmp_opts_t));
|
|
|
|
|
|
FILE *f;
|
|
|
unsigned int line_num = 0;
|
|
|
|
|
|
s = "Action Divert\nLog *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nLog connect\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog connect\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog connect\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog connect\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog connect\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nLog master\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog master\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog master\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog master\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog master\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nLog cert\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog cert\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog cert\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog cert\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog cert\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nLog content\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog content\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog content\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog content\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog content\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nLog pcap\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog pcap\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog pcap\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog pcap\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog pcap\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nLog mirror\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog mirror\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog mirror\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog mirror\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog mirror\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nLog !*\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog !*\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog !*\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog !*\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog !*\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nLog !connect\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog !connect\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog !connect\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog !connect\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog !connect\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nLog !master\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog !master\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog !master\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog !master\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog !master\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nLog !cert\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog !cert\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog !cert\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog !cert\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog !cert\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nLog !content\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog !content\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog !content\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog !content\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog !content\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nLog !pcap\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog !pcap\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog !pcap\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog !pcap\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog !pcap\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = "Action Divert\nLog !mirror\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog !mirror\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog !mirror\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog !mirror\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog !mirror\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = strdup("$macro connect master cert content pcap mirror");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
s = "Action Divert\nLog $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog $macro\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = strdup("$macro2 !connect !master !cert !content !pcap !mirror");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
s = "Action Divert\nLog $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog $macro2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = strdup("$macro3 connect !master cert !content pcap !mirror");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
s = "Action Divert\nLog $macro3\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog $macro3\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog $macro3\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog $macro3\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog $macro3\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = strdup("$macro4 !connect master !cert content !pcap mirror");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
s = "Action Divert\nLog $macro4\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog $macro4\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog $macro4\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog $macro4\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog $macro4\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = strdup("$macro5 connect master cert !content !pcap !mirror");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
s = "Action Divert\nLog $macro5\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog $macro5\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog $macro5\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog $macro5\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog $macro5\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
|
|
|
s = strdup("$macro6 !connect !master !cert content pcap mirror");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
s = "Action Divert\nLog $macro6\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nLog $macro6\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nLog $macro6\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nLog $macro6\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog $macro6\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
opts_free(opts);
|
|
|
conn_opts_free(conn_opts);
|
|
|
tmp_opts_free(tmp_opts);
|
|
|
}
|
|
|
END_TEST
|
|
|
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
START_TEST(set_filter_struct_07)
|
|
|
{
|
|
|
char *s;
|
|
|
int rv;
|
|
|
opts_t *opts = opts_new();
|
|
|
conn_opts_t *conn_opts = conn_opts_new();
|
|
|
|
|
|
tmp_opts_t *tmp_opts = malloc(sizeof (tmp_opts_t));
|
|
|
memset(tmp_opts, 0, sizeof (tmp_opts_t));
|
|
|
|
|
|
FILE *f;
|
|
|
unsigned int line_num = 0;
|
|
|
|
|
|
s = "Action Divert\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nSrcIp *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Repeat to add the Pass action as in the filter.t.c tests
|
|
|
s = "Action Pass\nSrcIp *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nSrcIp *\nDstIp 192.168.0.1\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Block\nUser *\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nDesc *\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nUser *\nDesc desc\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nUser root\nDesc *\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Divert\nUser *\nDesc *\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nLog *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = filter_rule_str(opts->filter_rules);
|
|
|
ck_assert_msg(!strcmp(strstr(s, "filter rule 7: "),
|
|
|
"filter rule 7: dstip=, dstport=, srcip=, user=root, desc=, exact=|||user|, all=||sites|, action=||pass||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 7: sni=, dstport=, srcip=, user=root, desc=, exact=|||user|, all=||sites|, action=||pass||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 7: cn=, dstport=, srcip=, user=root, desc=, exact=|||user|, all=||sites|, action=||pass||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 7: host=, dstport=, srcip=, user=root, desc=, exact=|||user|, all=||sites|, action=||pass||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 7: uri=, dstport=, srcip=, user=root, desc=, exact=|||user|, all=||sites|, action=||pass||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 8: dstip=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=divert||||, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 8: sni=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=divert||||, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 8: cn=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=divert||||, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 8: host=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=divert||||, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 8: uri=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=divert||||, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 9: dstip=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=||||match, log=connect|master|cert|content|pcap|mirror, precedence=1\n"
|
|
|
"filter rule 9: sni=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=||||match, log=connect|master|cert|content|pcap|mirror, precedence=1\n"
|
|
|
"filter rule 9: cn=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=||||match, log=connect|master|cert|content|pcap|mirror, precedence=1\n"
|
|
|
"filter rule 9: host=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=||||match, log=connect|master|cert|content|pcap|mirror, precedence=1\n"
|
|
|
"filter rule 9: uri=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=||||match, log=connect|master|cert|content|pcap|mirror, precedence=1\n"
|
|
|
),
|
|
|
"failed to parse rule: %s", strstr(s, "filter rule 7: "));
|
|
|
|
|
|
// Trim the tail
|
|
|
char *p = strstr(s, "filter rule 7: ");
|
|
|
*p = '\0';
|
|
|
|
|
|
ck_assert_msg(!strcmp(strstr(s, "filter rule 5: "),
|
|
|
"filter rule 5: dstip=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=||||match, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 5: sni=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=||||match, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 5: cn=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=||||match, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 5: host=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=||||match, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 5: uri=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=||||match, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 6: dstip=, dstport=, srcip=, user=, desc=desc, exact=||||desc, all=|users|sites|, action=|split|||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 6: sni=, dstport=, srcip=, user=, desc=desc, exact=||||desc, all=|users|sites|, action=|split|||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 6: cn=, dstport=, srcip=, user=, desc=desc, exact=||||desc, all=|users|sites|, action=|split|||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 6: host=, dstport=, srcip=, user=, desc=desc, exact=||||desc, all=|users|sites|, action=|split|||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 6: uri=, dstport=, srcip=, user=, desc=desc, exact=||||desc, all=|users|sites|, action=|split|||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
),
|
|
|
"failed to parse rule: %s", strstr(s, "filter rule 5: "));
|
|
|
|
|
|
// Trim the tail
|
|
|
p = strstr(s, "filter rule 5: ");
|
|
|
*p = '\0';
|
|
|
|
|
|
ck_assert_msg(!strcmp(s,
|
|
|
"filter rule 0: dstip=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=divert||||, log=|||||, precedence=0\n"
|
|
|
"filter rule 0: sni=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=divert||||, log=|||||, precedence=0\n"
|
|
|
"filter rule 0: cn=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=divert||||, log=|||||, precedence=0\n"
|
|
|
"filter rule 0: host=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=divert||||, log=|||||, precedence=0\n"
|
|
|
"filter rule 0: uri=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=divert||||, log=|||||, precedence=0\n"
|
|
|
"filter rule 1: dstip=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=|split|||, log=|||||, precedence=0\n"
|
|
|
"filter rule 1: sni=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=|split|||, log=|||||, precedence=0\n"
|
|
|
"filter rule 1: cn=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=|split|||, log=|||||, precedence=0\n"
|
|
|
"filter rule 1: host=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=|split|||, log=|||||, precedence=0\n"
|
|
|
"filter rule 1: uri=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=|split|||, log=|||||, precedence=0\n"
|
|
|
"filter rule 2: dstip=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=||pass||, log=|||||, precedence=0\n"
|
|
|
"filter rule 2: sni=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=||pass||, log=|||||, precedence=0\n"
|
|
|
"filter rule 2: cn=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=||pass||, log=|||||, precedence=0\n"
|
|
|
"filter rule 2: host=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=||pass||, log=|||||, precedence=0\n"
|
|
|
"filter rule 2: uri=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=||pass||, log=|||||, precedence=0\n"
|
|
|
"filter rule 3: dstip=192.168.0.1, dstport=, srcip=, user=, desc=, exact=site||||, all=conns|||, action=|||block|, log=|||||, precedence=1\n"
|
|
|
"filter rule 4: dstip=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=|||block|, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 4: sni=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=|||block|, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 4: cn=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=|||block|, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 4: host=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=|||block|, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 4: uri=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=|||block|, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
),
|
|
|
"failed to parse rule: %s", s);
|
|
|
free(s);
|
|
|
|
|
|
opts->filter = filter_set(opts->filter_rules, "sslproxy", tmp_opts);
|
|
|
s = filter_str(opts->filter);
|
|
|
|
|
|
// check cannot test long strings, so divide s into head and tail
|
|
|
// Test the tail first, because we will trim the tail to test the head next
|
|
|
ck_assert_msg(!strcmp(strstr(s, "user_filter_all->\n"),
|
|
|
"user_filter_all->\n"
|
|
|
" ip all:\n"
|
|
|
" 0: (all_sites, substring, action=divert|||block|match, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" sni all:\n"
|
|
|
" 0: (all_sites, substring, action=divert|||block|match, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" cn all:\n"
|
|
|
" 0: (all_sites, substring, action=divert|||block|match, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" host all:\n"
|
|
|
" 0: (all_sites, substring, action=divert|||block|match, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" uri all:\n"
|
|
|
" 0: (all_sites, substring, action=divert|||block|match, log=|||||, precedence=1\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
"ip_filter_exact->\n"
|
|
|
"ip_filter_substring->\n"
|
|
|
"filter_all->\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.1 (exact, action=|||block|, log=|||||, precedence=1)\n"
|
|
|
" ip all:\n"
|
|
|
" 0: (all_sites, substring, action=divert|split|pass||match, log=connect|master|cert|content|pcap|mirror, precedence=1)\n"
|
|
|
" sni all:\n"
|
|
|
" 0: (all_sites, substring, action=divert|split|pass||match, log=connect|master|cert|content|pcap|mirror, precedence=1)\n"
|
|
|
" cn all:\n"
|
|
|
" 0: (all_sites, substring, action=divert|split|pass||match, log=connect|master|cert|content|pcap|mirror, precedence=1)\n"
|
|
|
" host all:\n"
|
|
|
" 0: (all_sites, substring, action=divert|split|pass||match, log=connect|master|cert|content|pcap|mirror, precedence=1)\n"
|
|
|
" uri all:\n"
|
|
|
" 0: (all_sites, substring, action=divert|split|pass||match, log=connect|master|cert|content|pcap|mirror, precedence=1)\n"
|
|
|
), "failed to translate rule tail: %s", strstr(s, "user_filter_all->\n"));
|
|
|
|
|
|
// Trim the tail
|
|
|
p = strstr(s, "user_filter_all->\n");
|
|
|
*p = '\0';
|
|
|
|
|
|
ck_assert_msg(!strcmp(s, "filter=>\n"
|
|
|
"userdesc_filter_exact->\n"
|
|
|
"userdesc_filter_substring->\n"
|
|
|
"user_filter_exact->\n"
|
|
|
" user 0 root (exact)=\n"
|
|
|
" ip all:\n"
|
|
|
" 0: (all_sites, substring, action=||pass||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" sni all:\n"
|
|
|
" 0: (all_sites, substring, action=||pass||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" cn all:\n"
|
|
|
" 0: (all_sites, substring, action=||pass||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" host all:\n"
|
|
|
" 0: (all_sites, substring, action=||pass||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" uri all:\n"
|
|
|
" 0: (all_sites, substring, action=||pass||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
"user_filter_substring->\n"
|
|
|
"desc_filter_exact->\n"
|
|
|
" desc 0 desc (exact)=\n"
|
|
|
" ip all:\n"
|
|
|
" 0: (all_sites, substring, action=|split|||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" sni all:\n"
|
|
|
" 0: (all_sites, substring, action=|split|||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" cn all:\n"
|
|
|
" 0: (all_sites, substring, action=|split|||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" host all:\n"
|
|
|
" 0: (all_sites, substring, action=|split|||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" uri all:\n"
|
|
|
" 0: (all_sites, substring, action=|split|||, log=|||||, precedence=2\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
"desc_filter_substring->\n"
|
|
|
), "failed to translate rule head: %s", s);
|
|
|
|
|
|
free(s);
|
|
|
|
|
|
opts_free(opts);
|
|
|
conn_opts_free(conn_opts);
|
|
|
tmp_opts_free(tmp_opts);
|
|
|
}
|
|
|
END_TEST
|
|
|
#endif /* !WITHOUT_USERAUTH */
|
|
|
|
|
|
START_TEST(set_filter_struct_08)
|
|
|
{
|
|
|
char *s;
|
|
|
int rv;
|
|
|
opts_t *opts = opts_new();
|
|
|
conn_opts_t *conn_opts = conn_opts_new();
|
|
|
|
|
|
tmp_opts_t *tmp_opts = malloc(sizeof (tmp_opts_t));
|
|
|
memset(tmp_opts, 0, sizeof (tmp_opts_t));
|
|
|
|
|
|
FILE *f;
|
|
|
unsigned int line_num = 0;
|
|
|
|
|
|
s = "Action Divert\nSrcIp 192.168.0.1\nDstIp 192.168.0.2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nSrcIp 192.168.0.1\nDstIp 192.168.0.2\nLog connect master cert content pcap mirror\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nSrcIp 192.168.0.1\nDstIp 192.168.0.2\nLog !connect !cert !pcap\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Block action at precedence 1 is not applied to a site of the same rule at precedence 2 now
|
|
|
s = "Action Block\nSrcIp 192.168.0.1\nDstIp 192.168.0.2\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add another target
|
|
|
s = "Action Match\nSrcIp 192.168.0.1\nDstIp 192.168.0.3\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add another source
|
|
|
s = "Action Match\nSrcIp 192.168.0.2\nDstIp 192.168.0.1\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nSrcIp 192.168.0.2\nDstIp *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Search substring (subnet?)
|
|
|
s = "Action Match\nSrcIp 192.168.0.2\nDstIp 192.168.0.*\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add another target
|
|
|
s = "Action Match\nSrcIp 192.168.0.2\nDstIp 192.168.0.3\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add substring src
|
|
|
s = "Action Match\nSrcIp 192.168.1.*\nDstIp 192.168.0.1\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add substring src and target
|
|
|
s = "Action Match\nSrcIp 192.168.2.*\nDstIp 192.168.3.*\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = filter_rule_str(opts->filter_rules);
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
ck_assert_msg(!strcmp(s,
|
|
|
"filter rule 0: dstip=192.168.0.2, dstport=, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=divert||||, log=|||||, precedence=2\n"
|
|
|
"filter rule 1: dstip=192.168.0.2, dstport=, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=|split|||, log=connect|master|cert|content|pcap|mirror, precedence=3\n"
|
|
|
"filter rule 2: dstip=192.168.0.2, dstport=, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=||pass||, log=!connect||!cert||!pcap|, precedence=3\n"
|
|
|
"filter rule 3: dstip=192.168.0.2, dstport=, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=|||block|, log=|||||, precedence=2\n"
|
|
|
"filter rule 4: dstip=192.168.0.3, dstport=, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=||||match, log=|||||, precedence=2\n"
|
|
|
"filter rule 5: dstip=192.168.0.1, dstport=, srcip=192.168.0.2, user=, desc=, exact=site||ip||, all=|||, action=||||match, log=|||||, precedence=2\n"
|
|
|
"filter rule 6: dstip=, dstport=, srcip=192.168.0.2, user=, desc=, exact=||ip||, all=||sites|, action=||||match, log=|||||, precedence=2\n"
|
|
|
"filter rule 7: dstip=192.168.0., dstport=, srcip=192.168.0.2, user=, desc=, exact=||ip||, all=|||, action=||||match, log=|||||, precedence=2\n"
|
|
|
"filter rule 8: dstip=192.168.0.3, dstport=, srcip=192.168.0.2, user=, desc=, exact=site||ip||, all=|||, action=||||match, log=|||||, precedence=2\n"
|
|
|
"filter rule 9: dstip=192.168.0.1, dstport=, srcip=192.168.1., user=, desc=, exact=site||||, all=|||, action=||||match, log=|||||, precedence=2\n"
|
|
|
"filter rule 10: dstip=192.168.3., dstport=, srcip=192.168.2., user=, desc=, exact=||||, all=|||, action=||||match, log=|||||, precedence=2\n"),
|
|
|
"failed to parse rule: %s", s);
|
|
|
#else /* WITHOUT_USERAUTH */
|
|
|
ck_assert_msg(!strcmp(s,
|
|
|
"filter rule 0: dstip=192.168.0.2, dstport=, srcip=192.168.0.1, exact=site||ip, all=||, action=divert||||, log=|||||, precedence=2\n"
|
|
|
"filter rule 1: dstip=192.168.0.2, dstport=, srcip=192.168.0.1, exact=site||ip, all=||, action=|split|||, log=connect|master|cert|content|pcap|mirror, precedence=3\n"
|
|
|
"filter rule 2: dstip=192.168.0.2, dstport=, srcip=192.168.0.1, exact=site||ip, all=||, action=||pass||, log=!connect||!cert||!pcap|, precedence=3\n"
|
|
|
"filter rule 3: dstip=192.168.0.2, dstport=, srcip=192.168.0.1, exact=site||ip, all=||, action=|||block|, log=|||||, precedence=2\n"
|
|
|
"filter rule 4: dstip=192.168.0.3, dstport=, srcip=192.168.0.1, exact=site||ip, all=||, action=||||match, log=|||||, precedence=2\n"
|
|
|
"filter rule 5: dstip=192.168.0.1, dstport=, srcip=192.168.0.2, exact=site||ip, all=||, action=||||match, log=|||||, precedence=2\n"
|
|
|
"filter rule 6: dstip=, dstport=, srcip=192.168.0.2, exact=||ip, all=|sites|, action=||||match, log=|||||, precedence=2\n"
|
|
|
"filter rule 7: dstip=192.168.0., dstport=, srcip=192.168.0.2, exact=||ip, all=||, action=||||match, log=|||||, precedence=2\n"
|
|
|
"filter rule 8: dstip=192.168.0.3, dstport=, srcip=192.168.0.2, exact=site||ip, all=||, action=||||match, log=|||||, precedence=2\n"
|
|
|
"filter rule 9: dstip=192.168.0.1, dstport=, srcip=192.168.1., exact=site||, all=||, action=||||match, log=|||||, precedence=2\n"
|
|
|
"filter rule 10: dstip=192.168.3., dstport=, srcip=192.168.2., exact=||, all=||, action=||||match, log=|||||, precedence=2\n"),
|
|
|
"failed to parse rule: %s", s);
|
|
|
#endif /* WITHOUT_USERAUTH */
|
|
|
free(s);
|
|
|
|
|
|
opts->filter = filter_set(opts->filter_rules, "sslproxy", tmp_opts);
|
|
|
|
|
|
s = filter_str(opts->filter);
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
ck_assert_msg(!strcmp(s, "filter=>\n"
|
|
|
"userdesc_filter_exact->\n"
|
|
|
"userdesc_filter_substring->\n"
|
|
|
"user_filter_exact->\n"
|
|
|
"user_filter_substring->\n"
|
|
|
"desc_filter_exact->\n"
|
|
|
"desc_filter_substring->\n"
|
|
|
"user_filter_all->\n"
|
|
|
"ip_filter_exact->\n"
|
|
|
" ip 0 192.168.0.1 (exact)=\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.2 (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=3)\n"
|
|
|
" 1: 192.168.0.3 (exact, action=||||match, log=|||||, precedence=2)\n"
|
|
|
" ip 1 192.168.0.2 (exact)=\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.1 (exact, action=||||match, log=|||||, precedence=2)\n"
|
|
|
" 1: 192.168.0.3 (exact, action=||||match, log=|||||, precedence=2)\n"
|
|
|
" ip substring:\n"
|
|
|
" 0: 192.168.0. (substring, action=||||match, log=|||||, precedence=2)\n"
|
|
|
" ip all:\n"
|
|
|
" 0: (all_sites, substring, action=||||match, log=|||||, precedence=2)\n"
|
|
|
"ip_filter_substring->\n"
|
|
|
" ip 0 192.168.1. (substring)=\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.1 (exact, action=||||match, log=|||||, precedence=2)\n"
|
|
|
" ip 1 192.168.2. (substring)=\n"
|
|
|
" ip substring:\n"
|
|
|
" 0: 192.168.3. (substring, action=||||match, log=|||||, precedence=2)\n"
|
|
|
"filter_all->\n"), "failed to translate rule: %s", s);
|
|
|
#else /* WITHOUT_USERAUTH */
|
|
|
ck_assert_msg(!strcmp(s, "filter=>\n"
|
|
|
"ip_filter_exact->\n"
|
|
|
" ip 0 192.168.0.1 (exact)=\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.2 (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=3)\n"
|
|
|
" 1: 192.168.0.3 (exact, action=||||match, log=|||||, precedence=2)\n"
|
|
|
" ip 1 192.168.0.2 (exact)=\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.1 (exact, action=||||match, log=|||||, precedence=2)\n"
|
|
|
" 1: 192.168.0.3 (exact, action=||||match, log=|||||, precedence=2)\n"
|
|
|
" ip substring:\n"
|
|
|
" 0: 192.168.0. (substring, action=||||match, log=|||||, precedence=2)\n"
|
|
|
" ip all:\n"
|
|
|
" 0: (all_sites, substring, action=||||match, log=|||||, precedence=2)\n"
|
|
|
"ip_filter_substring->\n"
|
|
|
" ip 0 192.168.1. (substring)=\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.1 (exact, action=||||match, log=|||||, precedence=2)\n"
|
|
|
" ip 1 192.168.2. (substring)=\n"
|
|
|
" ip substring:\n"
|
|
|
" 0: 192.168.3. (substring, action=||||match, log=|||||, precedence=2)\n"
|
|
|
"filter_all->\n"), "failed to translate rule: %s", s);
|
|
|
#endif /* WITHOUT_USERAUTH */
|
|
|
free(s);
|
|
|
|
|
|
opts_free(opts);
|
|
|
conn_opts_free(conn_opts);
|
|
|
tmp_opts_free(tmp_opts);
|
|
|
}
|
|
|
END_TEST
|
|
|
|
|
|
START_TEST(set_filter_struct_09)
|
|
|
{
|
|
|
char *s;
|
|
|
int rv;
|
|
|
opts_t *opts = opts_new();
|
|
|
conn_opts_t *conn_opts = conn_opts_new();
|
|
|
|
|
|
tmp_opts_t *tmp_opts = malloc(sizeof (tmp_opts_t));
|
|
|
memset(tmp_opts, 0, sizeof (tmp_opts_t));
|
|
|
|
|
|
FILE *f;
|
|
|
unsigned int line_num = 0;
|
|
|
|
|
|
s = "Action Divert\nSrcIp 192.168.0.1\nDstIp 192.168.0.2\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nSrcIp 192.168.0.1\nDstIp 192.168.0.2\nDstPort 443\nLog connect master cert content pcap mirror\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nSrcIp 192.168.0.1\nDstIp 192.168.0.2\nDstPort 443\nLog !connect !cert !pcap\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Block action at precedence 2 is not applied to a port of the same rule at precedence 3 now
|
|
|
s = "Action Block\nSrcIp 192.168.0.1\nDstIp 192.168.0.2\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add another target, the following port rules should not change this site rule
|
|
|
s = "Action Match\nSrcIp 192.168.0.1\nDstIp 192.168.0.3\nLog !mirror\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add another target port
|
|
|
s = "Action Match\nSrcIp 192.168.0.1\nDstIp 192.168.0.3\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add another target port
|
|
|
s = "Action Match\nSrcIp 192.168.0.1\nDstIp 192.168.0.3\nDstPort 80\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add another source
|
|
|
s = "Action Match\nSrcIp 192.168.0.2\nDstIp 192.168.0.1\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add substring source
|
|
|
s = "Action Match\nSrcIp 192.168.1.*\nDstIp 192.168.0.1\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add substring source and target
|
|
|
s = "Action Match\nSrcIp 192.168.2.*\nDstIp 192.168.3.*\nDstPort 443\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nSrcIp 192.168.0.2\nDstIp 192.168.0.1\nDstPort *\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Search substring
|
|
|
s = "Action Match\nSrcIp 192.168.0.2\nDstIp 192.168.0.1\nDstPort 80*\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add substring source, target, and port
|
|
|
s = "Action Match\nSrcIp 192.168.4.*\nDstIp 192.168.5.*\nDstPort 80*\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = filter_rule_str(opts->filter_rules);
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
ck_assert_msg(!strcmp(s,
|
|
|
"filter rule 0: dstip=192.168.0.2, dstport=443, srcip=192.168.0.1, user=, desc=, exact=site|port|ip||, all=|||, action=divert||||, log=|||||, precedence=3\n"
|
|
|
"filter rule 1: dstip=192.168.0.2, dstport=443, srcip=192.168.0.1, user=, desc=, exact=site|port|ip||, all=|||, action=|split|||, log=connect|master|cert|content|pcap|mirror, precedence=4\n"
|
|
|
"filter rule 2: dstip=192.168.0.2, dstport=443, srcip=192.168.0.1, user=, desc=, exact=site|port|ip||, all=|||, action=||pass||, log=!connect||!cert||!pcap|, precedence=4\n"
|
|
|
"filter rule 3: dstip=192.168.0.2, dstport=443, srcip=192.168.0.1, user=, desc=, exact=site|port|ip||, all=|||, action=|||block|, log=|||||, precedence=3\n"
|
|
|
"filter rule 4: dstip=192.168.0.3, dstport=, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=||||match, log=|||||!mirror, precedence=3\n"
|
|
|
"filter rule 5: dstip=192.168.0.3, dstport=443, srcip=192.168.0.1, user=, desc=, exact=site|port|ip||, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
"filter rule 6: dstip=192.168.0.3, dstport=80, srcip=192.168.0.1, user=, desc=, exact=site|port|ip||, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
"filter rule 7: dstip=192.168.0.1, dstport=443, srcip=192.168.0.2, user=, desc=, exact=site|port|ip||, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
"filter rule 8: dstip=192.168.0.1, dstport=443, srcip=192.168.1., user=, desc=, exact=site|port|||, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
"filter rule 9: dstip=192.168.3., dstport=443, srcip=192.168.2., user=, desc=, exact=|port|||, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
"filter rule 10: dstip=192.168.0.1, dstport=, srcip=192.168.0.2, user=, desc=, exact=site||ip||, all=|||ports, action=||||match, log=|||||, precedence=3\n"
|
|
|
"filter rule 11: dstip=192.168.0.1, dstport=80, srcip=192.168.0.2, user=, desc=, exact=site||ip||, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
"filter rule 12: dstip=192.168.5., dstport=80, srcip=192.168.4., user=, desc=, exact=||||, all=|||, action=||||match, log=|||||, precedence=3\n"),
|
|
|
"failed to parse rule: %s", s);
|
|
|
#else /* WITHOUT_USERAUTH */
|
|
|
ck_assert_msg(!strcmp(s,
|
|
|
"filter rule 0: dstip=192.168.0.2, dstport=443, srcip=192.168.0.1, exact=site|port|ip, all=||, action=divert||||, log=|||||, precedence=3\n"
|
|
|
"filter rule 1: dstip=192.168.0.2, dstport=443, srcip=192.168.0.1, exact=site|port|ip, all=||, action=|split|||, log=connect|master|cert|content|pcap|mirror, precedence=4\n"
|
|
|
"filter rule 2: dstip=192.168.0.2, dstport=443, srcip=192.168.0.1, exact=site|port|ip, all=||, action=||pass||, log=!connect||!cert||!pcap|, precedence=4\n"
|
|
|
"filter rule 3: dstip=192.168.0.2, dstport=443, srcip=192.168.0.1, exact=site|port|ip, all=||, action=|||block|, log=|||||, precedence=3\n"
|
|
|
"filter rule 4: dstip=192.168.0.3, dstport=, srcip=192.168.0.1, exact=site||ip, all=||, action=||||match, log=|||||!mirror, precedence=3\n"
|
|
|
"filter rule 5: dstip=192.168.0.3, dstport=443, srcip=192.168.0.1, exact=site|port|ip, all=||, action=||||match, log=|||||, precedence=3\n"
|
|
|
"filter rule 6: dstip=192.168.0.3, dstport=80, srcip=192.168.0.1, exact=site|port|ip, all=||, action=||||match, log=|||||, precedence=3\n"
|
|
|
"filter rule 7: dstip=192.168.0.1, dstport=443, srcip=192.168.0.2, exact=site|port|ip, all=||, action=||||match, log=|||||, precedence=3\n"
|
|
|
"filter rule 8: dstip=192.168.0.1, dstport=443, srcip=192.168.1., exact=site|port|, all=||, action=||||match, log=|||||, precedence=3\n"
|
|
|
"filter rule 9: dstip=192.168.3., dstport=443, srcip=192.168.2., exact=|port|, all=||, action=||||match, log=|||||, precedence=3\n"
|
|
|
"filter rule 10: dstip=192.168.0.1, dstport=, srcip=192.168.0.2, exact=site||ip, all=||ports, action=||||match, log=|||||, precedence=3\n"
|
|
|
"filter rule 11: dstip=192.168.0.1, dstport=80, srcip=192.168.0.2, exact=site||ip, all=||, action=||||match, log=|||||, precedence=3\n"
|
|
|
"filter rule 12: dstip=192.168.5., dstport=80, srcip=192.168.4., exact=||, all=||, action=||||match, log=|||||, precedence=3\n"),
|
|
|
"failed to parse rule: %s", s);
|
|
|
#endif /* WITHOUT_USERAUTH */
|
|
|
free(s);
|
|
|
|
|
|
opts->filter = filter_set(opts->filter_rules, "sslproxy", tmp_opts);
|
|
|
|
|
|
s = filter_str(opts->filter);
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
ck_assert_msg(!strcmp(s, "filter=>\n"
|
|
|
"userdesc_filter_exact->\n"
|
|
|
"userdesc_filter_substring->\n"
|
|
|
"user_filter_exact->\n"
|
|
|
"user_filter_substring->\n"
|
|
|
"desc_filter_exact->\n"
|
|
|
"desc_filter_substring->\n"
|
|
|
"user_filter_all->\n"
|
|
|
"ip_filter_exact->\n"
|
|
|
" ip 0 192.168.0.1 (exact)=\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.2 (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=4)\n"
|
|
|
" 1: 192.168.0.3 (exact, action=||||match, log=|||||!mirror, precedence=3)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=3)\n"
|
|
|
" 1: 80 (exact, action=||||match, log=|||||, precedence=3)\n"
|
|
|
" ip 1 192.168.0.2 (exact)=\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.1 (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=3)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=|||||, precedence=3)\n"
|
|
|
" port all:\n"
|
|
|
" 0: (all_ports, substring, action=||||match, log=|||||, precedence=3)\n"
|
|
|
"ip_filter_substring->\n"
|
|
|
" ip 0 192.168.1. (substring)=\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.1 (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=3)\n"
|
|
|
" ip 1 192.168.2. (substring)=\n"
|
|
|
" ip substring:\n"
|
|
|
" 0: 192.168.3. (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=3)\n"
|
|
|
" ip 2 192.168.4. (substring)=\n"
|
|
|
" ip substring:\n"
|
|
|
" 0: 192.168.5. (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=|||||, precedence=3)\n"
|
|
|
"filter_all->\n"), "failed to translate rule: %s", s);
|
|
|
#else /* WITHOUT_USERAUTH */
|
|
|
ck_assert_msg(!strcmp(s, "filter=>\n"
|
|
|
"ip_filter_exact->\n"
|
|
|
" ip 0 192.168.0.1 (exact)=\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.2 (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=4)\n"
|
|
|
" 1: 192.168.0.3 (exact, action=||||match, log=|||||!mirror, precedence=3)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=3)\n"
|
|
|
" 1: 80 (exact, action=||||match, log=|||||, precedence=3)\n"
|
|
|
" ip 1 192.168.0.2 (exact)=\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.1 (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=3)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=|||||, precedence=3)\n"
|
|
|
" port all:\n"
|
|
|
" 0: (all_ports, substring, action=||||match, log=|||||, precedence=3)\n"
|
|
|
"ip_filter_substring->\n"
|
|
|
" ip 0 192.168.1. (substring)=\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.1 (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=3)\n"
|
|
|
" ip 1 192.168.2. (substring)=\n"
|
|
|
" ip substring:\n"
|
|
|
" 0: 192.168.3. (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=3)\n"
|
|
|
" ip 2 192.168.4. (substring)=\n"
|
|
|
" ip substring:\n"
|
|
|
" 0: 192.168.5. (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=|||||, precedence=3)\n"
|
|
|
"filter_all->\n"), "failed to translate rule: %s", s);
|
|
|
#endif /* WITHOUT_USERAUTH */
|
|
|
free(s);
|
|
|
|
|
|
opts_free(opts);
|
|
|
conn_opts_free(conn_opts);
|
|
|
tmp_opts_free(tmp_opts);
|
|
|
}
|
|
|
END_TEST
|
|
|
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
START_TEST(set_filter_struct_10)
|
|
|
{
|
|
|
char *s;
|
|
|
int rv;
|
|
|
opts_t *opts = opts_new();
|
|
|
conn_opts_t *conn_opts = conn_opts_new();
|
|
|
|
|
|
tmp_opts_t *tmp_opts = malloc(sizeof (tmp_opts_t));
|
|
|
memset(tmp_opts, 0, sizeof (tmp_opts_t));
|
|
|
|
|
|
FILE *f;
|
|
|
unsigned int line_num = 0;
|
|
|
|
|
|
s = "Action Divert\nUser root\nSNI example.com\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nUser root\nSNI example.com\nLog connect master cert content pcap mirror\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Move UserAuth up once at each new rule
|
|
|
s = "Action Pass\nUser root\nSNI example.com\nUserAuth yes\nLog !connect !cert !pcap\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Block action at precedence 2 is not applied to a site of the same rule at precedence 4 now
|
|
|
s = "Action Block\nUser root\nUserAuth yes\nSNI example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add another target
|
|
|
s = "Action Match\nUserAuth yes\nUser root\nSNI example2.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add another source
|
|
|
s = "UserAuth yes\nAction Match\nUser daemon\nSNI example.com\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser daemon\nSNI *\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Search substring (subdomain?)
|
|
|
s = "Action Match\nUser daemon\nSNI .example.com*\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add another target
|
|
|
s = "Action Match\nUser daemon\nSNI example3.com\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add substring source
|
|
|
s = "Action Match\nUser admin1*\nSNI example4.com\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser admin2*\nSNI example5.com\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = filter_rule_str(opts->filter_rules);
|
|
|
ck_assert_msg(!strcmp(s,
|
|
|
"filter rule 0: sni=example.com, dstport=, srcip=, user=root, desc=, exact=site|||user|, all=|||, action=divert||||, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 1: sni=example.com, dstport=, srcip=, user=root, desc=, exact=site|||user|, all=|||, action=|split|||, log=connect|master|cert|content|pcap|mirror, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 2: sni=example.com, dstport=, srcip=, user=root, desc=, exact=site|||user|, all=|||, action=||pass||, log=!connect||!cert||!pcap|, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 3: sni=example.com, dstport=, srcip=, user=root, desc=, exact=site|||user|, all=|||, action=|||block|, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 4: sni=example2.com, dstport=, srcip=, user=root, desc=, exact=site|||user|, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 5: sni=example.com, dstport=, srcip=, user=daemon, desc=, exact=site|||user|, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 6: sni=, dstport=, srcip=, user=daemon, desc=, exact=|||user|, all=||sites|, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 7: sni=.example.com, dstport=, srcip=, user=daemon, desc=, exact=|||user|, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 8: sni=example3.com, dstport=, srcip=, user=daemon, desc=, exact=site|||user|, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 9: sni=example4.com, dstport=, srcip=, user=admin1, desc=, exact=site||||, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 10: sni=example5.com, dstport=, srcip=, user=admin2, desc=, exact=site||||, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
"failed to parse rule: %s", s);
|
|
|
free(s);
|
|
|
|
|
|
opts->filter = filter_set(opts->filter_rules, "sslproxy", tmp_opts);
|
|
|
|
|
|
s = filter_str(opts->filter);
|
|
|
ck_assert_msg(!strcmp(s, "filter=>\n"
|
|
|
"userdesc_filter_exact->\n"
|
|
|
"userdesc_filter_substring->\n"
|
|
|
"user_filter_exact->\n"
|
|
|
" user 0 daemon (exact)=\n"
|
|
|
" sni exact:\n"
|
|
|
" 0: example.com (exact, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" 1: example3.com (exact, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" sni substring:\n"
|
|
|
" 0: .example.com (substring, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" sni all:\n"
|
|
|
" 0: (all_sites, substring, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" user 1 root (exact)=\n"
|
|
|
" sni exact:\n"
|
|
|
" 0: example.com (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" 1: example2.com (exact, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
"user_filter_substring->\n"
|
|
|
" user 0 admin1 (substring)=\n"
|
|
|
" sni exact:\n"
|
|
|
" 0: example4.com (exact, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" user 1 admin2 (substring)=\n"
|
|
|
" sni exact:\n"
|
|
|
" 0: example5.com (exact, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
"desc_filter_exact->\n"
|
|
|
"desc_filter_substring->\n"
|
|
|
"user_filter_all->\n"
|
|
|
"ip_filter_exact->\n"
|
|
|
"ip_filter_substring->\n"
|
|
|
"filter_all->\n"), "failed to translate rule: %s", s);
|
|
|
free(s);
|
|
|
|
|
|
opts_free(opts);
|
|
|
conn_opts_free(conn_opts);
|
|
|
tmp_opts_free(tmp_opts);
|
|
|
}
|
|
|
END_TEST
|
|
|
|
|
|
START_TEST(set_filter_struct_11)
|
|
|
{
|
|
|
char *s;
|
|
|
int rv;
|
|
|
opts_t *opts = opts_new();
|
|
|
conn_opts_t *conn_opts = conn_opts_new();
|
|
|
|
|
|
tmp_opts_t *tmp_opts = malloc(sizeof (tmp_opts_t));
|
|
|
memset(tmp_opts, 0, sizeof (tmp_opts_t));
|
|
|
|
|
|
FILE *f;
|
|
|
unsigned int line_num = 0;
|
|
|
|
|
|
s = "Action Divert\nUser root\nCN example.com\nDstPort 443\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nUser root\nCN example.com\nDstPort 443\nUserAuth yes\nLog connect master cert content pcap mirror\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nUser root\nCN example.com\nDstPort 443\nUserAuth yes\nLog !connect !cert !pcap\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Block action at precedence 3 is not applied to a site of the same rule at precedence 5 now
|
|
|
s = "Action Block\nUser root\nCN example.com\nDstPort 443\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add another target
|
|
|
s = "Action Match\nUser root\nCN example2.com\nDstPort 443\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add another source
|
|
|
s = "Action Match\nUser daemon\nCN example.com\nDstPort 443\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser daemon\nCN *\nDstPort 443\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser daemon\nCN example.com\nDstPort *\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser daemon\nCN *\nDstPort *\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Search substring (subdomain?)
|
|
|
s = "Action Match\nUser daemon\nCN .example.com*\nDstPort 443\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser daemon\nCN .example.com*\nDstPort 443*\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add another target
|
|
|
s = "Action Match\nUser daemon\nCN example3.com\nDstPort 443\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add substring source
|
|
|
s = "Action Match\nUser admin1*\nCN example4.com\nDstPort 443\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser admin2*\nCN example5.com\nDstPort 443\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = filter_rule_str(opts->filter_rules);
|
|
|
|
|
|
ck_assert_msg(!strcmp(strstr(s, "filter rule 7: "),
|
|
|
"filter rule 7: cn=example.com, dstport=, srcip=, user=daemon, desc=, exact=site|||user|, all=|||ports, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 8: cn=, dstport=, srcip=, user=daemon, desc=, exact=|||user|, all=||sites|ports, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 9: cn=.example.com, dstport=443, srcip=, user=daemon, desc=, exact=|port||user|, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 10: cn=.example.com, dstport=443, srcip=, user=daemon, desc=, exact=|||user|, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 11: cn=example3.com, dstport=443, srcip=, user=daemon, desc=, exact=site|port||user|, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 12: cn=example4.com, dstport=443, srcip=, user=admin1, desc=, exact=site|port|||, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 13: cn=example5.com, dstport=443, srcip=, user=admin2, desc=, exact=site|port|||, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
"failed to parse rule tail: %s", strstr(s, "filter rule 7: "));
|
|
|
|
|
|
// Trim the tail
|
|
|
char *p = strstr(s, "filter rule 7: ");
|
|
|
*p = '\0';
|
|
|
|
|
|
ck_assert_msg(!strcmp(s,
|
|
|
"filter rule 0: cn=example.com, dstport=443, srcip=, user=root, desc=, exact=site|port||user|, all=|||, action=divert||||, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 1: cn=example.com, dstport=443, srcip=, user=root, desc=, exact=site|port||user|, all=|||, action=|split|||, log=connect|master|cert|content|pcap|mirror, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 2: cn=example.com, dstport=443, srcip=, user=root, desc=, exact=site|port||user|, all=|||, action=||pass||, log=!connect||!cert||!pcap|, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 3: cn=example.com, dstport=443, srcip=, user=root, desc=, exact=site|port||user|, all=|||, action=|||block|, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 4: cn=example2.com, dstport=443, srcip=, user=root, desc=, exact=site|port||user|, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 5: cn=example.com, dstport=443, srcip=, user=daemon, desc=, exact=site|port||user|, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 6: cn=, dstport=443, srcip=, user=daemon, desc=, exact=|port||user|, all=||sites|, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
"failed to parse rule head: %s", s);
|
|
|
free(s);
|
|
|
|
|
|
opts->filter = filter_set(opts->filter_rules, "sslproxy", tmp_opts);
|
|
|
|
|
|
s = filter_str(opts->filter);
|
|
|
|
|
|
ck_assert_msg(!strcmp(strstr(s, "user_filter_substring->\n"),
|
|
|
"user_filter_substring->\n"
|
|
|
" user 0 admin1 (substring)=\n"
|
|
|
" cn exact:\n"
|
|
|
" 0: example4.com (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" user 1 admin2 (substring)=\n"
|
|
|
" cn exact:\n"
|
|
|
" 0: example5.com (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
"desc_filter_exact->\n"
|
|
|
"desc_filter_substring->\n"
|
|
|
"user_filter_all->\n"
|
|
|
"ip_filter_exact->\n"
|
|
|
"ip_filter_substring->\n"
|
|
|
"filter_all->\n"), "failed to translate rule tail: %s", strstr(s, "user_filter_substring->\n"));
|
|
|
|
|
|
// Trim the tail
|
|
|
p = strstr(s, "user_filter_substring->\n");
|
|
|
*p = '\0';
|
|
|
|
|
|
ck_assert_msg(!strcmp(s, "filter=>\n"
|
|
|
"userdesc_filter_exact->\n"
|
|
|
"userdesc_filter_substring->\n"
|
|
|
"user_filter_exact->\n"
|
|
|
" user 0 daemon (exact)=\n"
|
|
|
" cn exact:\n"
|
|
|
" 0: example.com (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" port all:\n"
|
|
|
" 0: (all_ports, substring, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" 1: example3.com (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" cn substring:\n"
|
|
|
" 0: .example.com (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 443 (substring, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" cn all:\n"
|
|
|
" 0: (all_sites, substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" port all:\n"
|
|
|
" 0: (all_ports, substring, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" user 1 root (exact)=\n"
|
|
|
" cn exact:\n"
|
|
|
" 0: example.com (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" 1: example2.com (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
), "failed to translate rule head: %s", s);
|
|
|
|
|
|
free(s);
|
|
|
|
|
|
opts_free(opts);
|
|
|
conn_opts_free(conn_opts);
|
|
|
tmp_opts_free(tmp_opts);
|
|
|
}
|
|
|
END_TEST
|
|
|
|
|
|
START_TEST(set_filter_struct_12)
|
|
|
{
|
|
|
char *s;
|
|
|
int rv;
|
|
|
opts_t *opts = opts_new();
|
|
|
conn_opts_t *conn_opts = conn_opts_new();
|
|
|
|
|
|
tmp_opts_t *tmp_opts = malloc(sizeof (tmp_opts_t));
|
|
|
memset(tmp_opts, 0, sizeof (tmp_opts_t));
|
|
|
|
|
|
FILE *f;
|
|
|
unsigned int line_num = 0;
|
|
|
|
|
|
s = "Action Divert\nUser root\nDesc desc\nHost example.com\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Split\nUser root\nDesc desc\nHost example.com\nDstPort 443\nLog connect master cert content pcap mirror\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Pass\nUser root\nDesc desc\nHost example.com\nLog !connect !cert !pcap\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Block action at precedence 2 is not applied to a site of the same rule at precedence 5 now
|
|
|
s = "Action Block\nUser root\nDesc desc\nHost example.com\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add another target
|
|
|
s = "Action Match\nUser root\nDesc desc\nHost example2.com\nDstPort 443\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add another source
|
|
|
s = "Action Match\nUser daemon\nDesc desc\nHost example.com\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser daemon\nDesc desc\nHost *\nDstPort 443\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Search substring (subdomain?)
|
|
|
s = "Action Match\nUser daemon\nDesc desc\nHost .example.com*\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add another target
|
|
|
s = "Action Match\nUser daemon\nDesc desc\nHost example3.com\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add substring source
|
|
|
s = "Action Match\nUser admin1*\nDesc desc1*\nHost example4.com\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser admin2*\nDesc desc2*\nHost example5.com\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add another desc
|
|
|
s = "Action Match\nUser daemon\nDesc desc2\nHost example6.com\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add all users
|
|
|
s = "Action Match\nUser *\nDesc desc\nHost example7.com\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add all users all sni sites
|
|
|
s = "Action Match\nUser *\nDesc desc\nSNI *\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
// Add another desc
|
|
|
s = "Action Match\nDesc desc3\nURI example8.com\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser *\nDesc desc4*\nHost example9.com\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = "Action Match\nUser admin*\nDesc desc5*\nHost example10.com*\nDstPort 443*\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = filter_rule_str(opts->filter_rules);
|
|
|
|
|
|
ck_assert_msg(!strcmp(strstr(s, "filter rule 9: "),
|
|
|
"filter rule 9: host=example4.com, dstport=, srcip=, user=admin1, desc=desc1, exact=site||||, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 10: host=example5.com, dstport=, srcip=, user=admin2, desc=desc2, exact=site||||, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 11: host=example6.com, dstport=, srcip=, user=daemon, desc=desc2, exact=site|||user|desc, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 12: host=example7.com, dstport=, srcip=, user=, desc=desc, exact=site||||desc, all=|users||, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 13: sni=, dstport=, srcip=, user=, desc=desc, exact=||||desc, all=|users|sites|, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 14: uri=example8.com, dstport=, srcip=, user=, desc=desc3, exact=site||||desc, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 15: host=example9.com, dstport=, srcip=, user=, desc=desc4, exact=site||||, all=|users||, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 16: host=example10.com, dstport=443, srcip=, user=admin, desc=desc5, exact=||||, all=|||, action=||||match, log=|||||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
"failed to parse rule tail: %s", strstr(s, "filter rule 9: "));
|
|
|
|
|
|
// Trim the tail
|
|
|
char *p = strstr(s, "filter rule 9: ");
|
|
|
*p = '\0';
|
|
|
|
|
|
ck_assert_msg(!strcmp(s,
|
|
|
"filter rule 0: host=example.com, dstport=, srcip=, user=root, desc=desc, exact=site|||user|desc, all=|||, action=divert||||, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 1: host=example.com, dstport=443, srcip=, user=root, desc=desc, exact=site|port||user|desc, all=|||, action=|split|||, log=connect|master|cert|content|pcap|mirror, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 2: host=example.com, dstport=, srcip=, user=root, desc=desc, exact=site|||user|desc, all=|||, action=||pass||, log=!connect||!cert||!pcap|, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 3: host=example.com, dstport=, srcip=, user=root, desc=desc, exact=site|||user|desc, all=|||, action=|||block|, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 4: host=example2.com, dstport=443, srcip=, user=root, desc=desc, exact=site|port||user|desc, all=|||, action=||||match, log=|||||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 5: host=example.com, dstport=, srcip=, user=daemon, desc=desc, exact=site|||user|desc, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 6: host=, dstport=443, srcip=, user=daemon, desc=desc, exact=|port||user|desc, all=||sites|, action=||||match, log=|||||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 7: host=.example.com, dstport=, srcip=, user=daemon, desc=desc, exact=|||user|desc, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 8: host=example3.com, dstport=, srcip=, user=daemon, desc=desc, exact=site|||user|desc, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
"failed to parse rule head: %s", s);
|
|
|
|
|
|
free(s);
|
|
|
|
|
|
opts->filter = filter_set(opts->filter_rules, "sslproxy", tmp_opts);
|
|
|
|
|
|
s = filter_str(opts->filter);
|
|
|
|
|
|
ck_assert_msg(!strcmp(strstr(s, "userdesc_filter_substring->\n"),
|
|
|
"userdesc_filter_substring->\n"
|
|
|
" user 0 admin (substring)=\n"
|
|
|
" desc substring:\n"
|
|
|
" desc 0 desc5 (substring)=\n"
|
|
|
" host substring:\n"
|
|
|
" 0: example10.com (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 443 (substring, action=||||match, log=|||||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" user 1 admin1 (substring)=\n"
|
|
|
" desc substring:\n"
|
|
|
" desc 0 desc1 (substring)=\n"
|
|
|
" host exact:\n"
|
|
|
" 0: example4.com (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" user 2 admin2 (substring)=\n"
|
|
|
" desc substring:\n"
|
|
|
" desc 0 desc2 (substring)=\n"
|
|
|
" host exact:\n"
|
|
|
" 0: example5.com (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
"user_filter_exact->\n"
|
|
|
"user_filter_substring->\n"
|
|
|
"desc_filter_exact->\n"
|
|
|
" desc 0 desc (exact)=\n"
|
|
|
" sni all:\n"
|
|
|
" 0: (all_sites, substring, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" host exact:\n"
|
|
|
" 0: example7.com (exact, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" desc 1 desc3 (exact)=\n"
|
|
|
" uri exact:\n"
|
|
|
" 0: example8.com (exact, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
"desc_filter_substring->\n"
|
|
|
" desc 0 desc4 (substring)=\n"
|
|
|
" host exact:\n"
|
|
|
" 0: example9.com (exact, action=||||match, log=|||||, precedence=3\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
"user_filter_all->\n"
|
|
|
"ip_filter_exact->\n"
|
|
|
"ip_filter_substring->\n"
|
|
|
"filter_all->\n"), "failed to translate rule tail: %s", strstr(s, "userdesc_filter_substring->\n"));
|
|
|
|
|
|
// Trim the tail
|
|
|
p = strstr(s, "userdesc_filter_substring->\n");
|
|
|
*p = '\0';
|
|
|
|
|
|
ck_assert_msg(!strcmp(s, "filter=>\n"
|
|
|
"userdesc_filter_exact->\n"
|
|
|
" user 0 daemon (exact)=\n"
|
|
|
" desc exact:\n"
|
|
|
" desc 0 desc (exact)=\n"
|
|
|
" host exact:\n"
|
|
|
" 0: example.com (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" 1: example3.com (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" host substring:\n"
|
|
|
" 0: .example.com (substring, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" host all:\n"
|
|
|
" 0: (all_sites, substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" desc 1 desc2 (exact)=\n"
|
|
|
" host exact:\n"
|
|
|
" 0: example6.com (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" user 1 root (exact)=\n"
|
|
|
" desc exact:\n"
|
|
|
" desc 0 desc (exact)=\n"
|
|
|
" host exact:\n"
|
|
|
" 0: example.com (exact, action=divert||pass||, log=!connect||!cert||!pcap|, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=|split|||, log=connect|master|cert|content|pcap|mirror, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" 1: example2.com (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
), "failed to translate rule head: %s", s);
|
|
|
|
|
|
free(s);
|
|
|
|
|
|
opts_free(opts);
|
|
|
conn_opts_free(conn_opts);
|
|
|
tmp_opts_free(tmp_opts);
|
|
|
}
|
|
|
END_TEST
|
|
|
#endif /* !WITHOUT_USERAUTH */
|
|
|
|
|
|
START_TEST(set_filter_struct_13)
|
|
|
{
|
|
|
char *s;
|
|
|
int rv;
|
|
|
opts_t *opts = opts_new();
|
|
|
conn_opts_t *conn_opts = conn_opts_new();
|
|
|
|
|
|
tmp_opts_t *tmp_opts = malloc(sizeof (tmp_opts_t));
|
|
|
memset(tmp_opts, 0, sizeof (tmp_opts_t));
|
|
|
|
|
|
FILE *f;
|
|
|
unsigned int line_num = 0;
|
|
|
|
|
|
s = strdup("$ips 192.168.0.1 192.168.0.2*");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
s = strdup("$dstips 192.168.0.3 192.168.0.4*");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
s = strdup("$ports 80* 443");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
s = strdup("$logs !master !pcap");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
s = "Action Match\nSrcIp $ips\nDstIp $dstips\nDstPort $ports\nLog $logs\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = filter_rule_str(opts->filter_rules);
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
ck_assert_msg(!strcmp(s,
|
|
|
"filter rule 0: dstip=192.168.0.3, dstport=80, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=||||match, log=|!master||||, precedence=4\n"
|
|
|
"filter rule 1: dstip=192.168.0.3, dstport=80, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=||||match, log=||||!pcap|, precedence=4\n"
|
|
|
"filter rule 2: dstip=192.168.0.3, dstport=443, srcip=192.168.0.1, user=, desc=, exact=site|port|ip||, all=|||, action=||||match, log=|!master||||, precedence=4\n"
|
|
|
"filter rule 3: dstip=192.168.0.3, dstport=443, srcip=192.168.0.1, user=, desc=, exact=site|port|ip||, all=|||, action=||||match, log=||||!pcap|, precedence=4\n"
|
|
|
"filter rule 4: dstip=192.168.0.4, dstport=80, srcip=192.168.0.1, user=, desc=, exact=||ip||, all=|||, action=||||match, log=|!master||||, precedence=4\n"
|
|
|
"filter rule 5: dstip=192.168.0.4, dstport=80, srcip=192.168.0.1, user=, desc=, exact=||ip||, all=|||, action=||||match, log=||||!pcap|, precedence=4\n"
|
|
|
"filter rule 6: dstip=192.168.0.4, dstport=443, srcip=192.168.0.1, user=, desc=, exact=|port|ip||, all=|||, action=||||match, log=|!master||||, precedence=4\n"
|
|
|
"filter rule 7: dstip=192.168.0.4, dstport=443, srcip=192.168.0.1, user=, desc=, exact=|port|ip||, all=|||, action=||||match, log=||||!pcap|, precedence=4\n"
|
|
|
"filter rule 8: dstip=192.168.0.3, dstport=80, srcip=192.168.0.2, user=, desc=, exact=site||||, all=|||, action=||||match, log=|!master||||, precedence=4\n"
|
|
|
"filter rule 9: dstip=192.168.0.3, dstport=80, srcip=192.168.0.2, user=, desc=, exact=site||||, all=|||, action=||||match, log=||||!pcap|, precedence=4\n"
|
|
|
"filter rule 10: dstip=192.168.0.3, dstport=443, srcip=192.168.0.2, user=, desc=, exact=site|port|||, all=|||, action=||||match, log=|!master||||, precedence=4\n"
|
|
|
"filter rule 11: dstip=192.168.0.3, dstport=443, srcip=192.168.0.2, user=, desc=, exact=site|port|||, all=|||, action=||||match, log=||||!pcap|, precedence=4\n"
|
|
|
"filter rule 12: dstip=192.168.0.4, dstport=80, srcip=192.168.0.2, user=, desc=, exact=||||, all=|||, action=||||match, log=|!master||||, precedence=4\n"
|
|
|
"filter rule 13: dstip=192.168.0.4, dstport=80, srcip=192.168.0.2, user=, desc=, exact=||||, all=|||, action=||||match, log=||||!pcap|, precedence=4\n"
|
|
|
"filter rule 14: dstip=192.168.0.4, dstport=443, srcip=192.168.0.2, user=, desc=, exact=|port|||, all=|||, action=||||match, log=|!master||||, precedence=4\n"
|
|
|
"filter rule 15: dstip=192.168.0.4, dstport=443, srcip=192.168.0.2, user=, desc=, exact=|port|||, all=|||, action=||||match, log=||||!pcap|, precedence=4\n"),
|
|
|
"failed to parse rule: %s", s);
|
|
|
#else /* WITHOUT_USERAUTH */
|
|
|
ck_assert_msg(!strcmp(s,
|
|
|
"filter rule 0: dstip=192.168.0.3, dstport=80, srcip=192.168.0.1, exact=site||ip, all=||, action=||||match, log=|!master||||, precedence=4\n"
|
|
|
"filter rule 1: dstip=192.168.0.3, dstport=80, srcip=192.168.0.1, exact=site||ip, all=||, action=||||match, log=||||!pcap|, precedence=4\n"
|
|
|
"filter rule 2: dstip=192.168.0.3, dstport=443, srcip=192.168.0.1, exact=site|port|ip, all=||, action=||||match, log=|!master||||, precedence=4\n"
|
|
|
"filter rule 3: dstip=192.168.0.3, dstport=443, srcip=192.168.0.1, exact=site|port|ip, all=||, action=||||match, log=||||!pcap|, precedence=4\n"
|
|
|
"filter rule 4: dstip=192.168.0.4, dstport=80, srcip=192.168.0.1, exact=||ip, all=||, action=||||match, log=|!master||||, precedence=4\n"
|
|
|
"filter rule 5: dstip=192.168.0.4, dstport=80, srcip=192.168.0.1, exact=||ip, all=||, action=||||match, log=||||!pcap|, precedence=4\n"
|
|
|
"filter rule 6: dstip=192.168.0.4, dstport=443, srcip=192.168.0.1, exact=|port|ip, all=||, action=||||match, log=|!master||||, precedence=4\n"
|
|
|
"filter rule 7: dstip=192.168.0.4, dstport=443, srcip=192.168.0.1, exact=|port|ip, all=||, action=||||match, log=||||!pcap|, precedence=4\n"
|
|
|
"filter rule 8: dstip=192.168.0.3, dstport=80, srcip=192.168.0.2, exact=site||, all=||, action=||||match, log=|!master||||, precedence=4\n"
|
|
|
"filter rule 9: dstip=192.168.0.3, dstport=80, srcip=192.168.0.2, exact=site||, all=||, action=||||match, log=||||!pcap|, precedence=4\n"
|
|
|
"filter rule 10: dstip=192.168.0.3, dstport=443, srcip=192.168.0.2, exact=site|port|, all=||, action=||||match, log=|!master||||, precedence=4\n"
|
|
|
"filter rule 11: dstip=192.168.0.3, dstport=443, srcip=192.168.0.2, exact=site|port|, all=||, action=||||match, log=||||!pcap|, precedence=4\n"
|
|
|
"filter rule 12: dstip=192.168.0.4, dstport=80, srcip=192.168.0.2, exact=||, all=||, action=||||match, log=|!master||||, precedence=4\n"
|
|
|
"filter rule 13: dstip=192.168.0.4, dstport=80, srcip=192.168.0.2, exact=||, all=||, action=||||match, log=||||!pcap|, precedence=4\n"
|
|
|
"filter rule 14: dstip=192.168.0.4, dstport=443, srcip=192.168.0.2, exact=|port|, all=||, action=||||match, log=|!master||||, precedence=4\n"
|
|
|
"filter rule 15: dstip=192.168.0.4, dstport=443, srcip=192.168.0.2, exact=|port|, all=||, action=||||match, log=||||!pcap|, precedence=4\n"),
|
|
|
"failed to parse rule: %s", s);
|
|
|
#endif /* WITHOUT_USERAUTH */
|
|
|
free(s);
|
|
|
|
|
|
opts->filter = filter_set(opts->filter_rules, "sslproxy", tmp_opts);
|
|
|
|
|
|
s = filter_str(opts->filter);
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
ck_assert_msg(!strcmp(s, "filter=>\n"
|
|
|
"userdesc_filter_exact->\n"
|
|
|
"userdesc_filter_substring->\n"
|
|
|
"user_filter_exact->\n"
|
|
|
"user_filter_substring->\n"
|
|
|
"desc_filter_exact->\n"
|
|
|
"desc_filter_substring->\n"
|
|
|
"user_filter_all->\n"
|
|
|
"ip_filter_exact->\n"
|
|
|
" ip 0 192.168.0.1 (exact)=\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.3 (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|!master|||!pcap|, precedence=4)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=|!master|||!pcap|, precedence=4)\n"
|
|
|
" ip substring:\n"
|
|
|
" 0: 192.168.0.4 (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|!master|||!pcap|, precedence=4)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=|!master|||!pcap|, precedence=4)\n"
|
|
|
"ip_filter_substring->\n"
|
|
|
" ip 0 192.168.0.2 (substring)=\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.3 (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|!master|||!pcap|, precedence=4)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=|!master|||!pcap|, precedence=4)\n"
|
|
|
" ip substring:\n"
|
|
|
" 0: 192.168.0.4 (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|!master|||!pcap|, precedence=4)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=|!master|||!pcap|, precedence=4)\n"
|
|
|
"filter_all->\n"), "failed to translate rule: %s", s);
|
|
|
#else /* WITHOUT_USERAUTH */
|
|
|
ck_assert_msg(!strcmp(s, "filter=>\n"
|
|
|
"ip_filter_exact->\n"
|
|
|
" ip 0 192.168.0.1 (exact)=\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.3 (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|!master|||!pcap|, precedence=4)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=|!master|||!pcap|, precedence=4)\n"
|
|
|
" ip substring:\n"
|
|
|
" 0: 192.168.0.4 (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|!master|||!pcap|, precedence=4)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=|!master|||!pcap|, precedence=4)\n"
|
|
|
"ip_filter_substring->\n"
|
|
|
" ip 0 192.168.0.2 (substring)=\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.3 (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|!master|||!pcap|, precedence=4)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=|!master|||!pcap|, precedence=4)\n"
|
|
|
" ip substring:\n"
|
|
|
" 0: 192.168.0.4 (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port exact:\n"
|
|
|
" 0: 443 (exact, action=||||match, log=|!master|||!pcap|, precedence=4)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=|!master|||!pcap|, precedence=4)\n"
|
|
|
"filter_all->\n"), "failed to translate rule: %s", s);
|
|
|
#endif /* WITHOUT_USERAUTH */
|
|
|
free(s);
|
|
|
|
|
|
opts_free(opts);
|
|
|
conn_opts_free(conn_opts);
|
|
|
tmp_opts_free(tmp_opts);
|
|
|
}
|
|
|
END_TEST
|
|
|
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
START_TEST(set_filter_struct_14)
|
|
|
{
|
|
|
char *s;
|
|
|
int rv;
|
|
|
opts_t *opts = opts_new();
|
|
|
conn_opts_t *conn_opts = conn_opts_new();
|
|
|
|
|
|
tmp_opts_t *tmp_opts = malloc(sizeof (tmp_opts_t));
|
|
|
memset(tmp_opts, 0, sizeof (tmp_opts_t));
|
|
|
|
|
|
FILE *f;
|
|
|
unsigned int line_num = 0;
|
|
|
|
|
|
s = strdup("$users root admin*");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
s = strdup("$descs desc1 desc2*");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
s = strdup("$sites site1 site2*");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
// check errors out if we add all log actions to the macro:
|
|
|
// "../../src/check_pack.c:306: Message string too long"
|
|
|
// Also, the compiler gives:
|
|
|
// warning: string length ‘4186’ is greater than the length ‘4095’ ISO C99 compilers are required to support [-Woverlength-strings]
|
|
|
// so use 2 log actions only
|
|
|
s = strdup("$logs connect content");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
s = "Action Match\nUser $users\nDesc $descs\nSNI $sites\nLog $logs\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = filter_rule_str(opts->filter_rules);
|
|
|
|
|
|
ck_assert_msg(!strcmp(strstr(s, "filter rule 8: "),
|
|
|
"filter rule 8: sni=site1, dstport=, srcip=, user=admin, desc=desc1, exact=site||||desc, all=|||, action=||||match, log=connect|||||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 9: sni=site1, dstport=, srcip=, user=admin, desc=desc1, exact=site||||desc, all=|||, action=||||match, log=|||content||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 10: sni=site2, dstport=, srcip=, user=admin, desc=desc1, exact=||||desc, all=|||, action=||||match, log=connect|||||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 11: sni=site2, dstport=, srcip=, user=admin, desc=desc1, exact=||||desc, all=|||, action=||||match, log=|||content||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 12: sni=site1, dstport=, srcip=, user=admin, desc=desc2, exact=site||||, all=|||, action=||||match, log=connect|||||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 13: sni=site1, dstport=, srcip=, user=admin, desc=desc2, exact=site||||, all=|||, action=||||match, log=|||content||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 14: sni=site2, dstport=, srcip=, user=admin, desc=desc2, exact=||||, all=|||, action=||||match, log=connect|||||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 15: sni=site2, dstport=, srcip=, user=admin, desc=desc2, exact=||||, all=|||, action=||||match, log=|||content||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
"failed to parse rule tail: %s", strstr(s, "filter rule 8: "));
|
|
|
|
|
|
// Trim the tail
|
|
|
char *p = strstr(s, "filter rule 8: ");
|
|
|
*p = '\0';
|
|
|
|
|
|
ck_assert_msg(!strcmp(s,
|
|
|
"filter rule 0: sni=site1, dstport=, srcip=, user=root, desc=desc1, exact=site|||user|desc, all=|||, action=||||match, log=connect|||||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 1: sni=site1, dstport=, srcip=, user=root, desc=desc1, exact=site|||user|desc, all=|||, action=||||match, log=|||content||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 2: sni=site2, dstport=, srcip=, user=root, desc=desc1, exact=|||user|desc, all=|||, action=||||match, log=connect|||||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 3: sni=site2, dstport=, srcip=, user=root, desc=desc1, exact=|||user|desc, all=|||, action=||||match, log=|||content||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 4: sni=site1, dstport=, srcip=, user=root, desc=desc2, exact=site|||user|, all=|||, action=||||match, log=connect|||||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 5: sni=site1, dstport=, srcip=, user=root, desc=desc2, exact=site|||user|, all=|||, action=||||match, log=|||content||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 6: sni=site2, dstport=, srcip=, user=root, desc=desc2, exact=|||user|, all=|||, action=||||match, log=connect|||||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 7: sni=site2, dstport=, srcip=, user=root, desc=desc2, exact=|||user|, all=|||, action=||||match, log=|||content||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
"failed to parse rule head: %s", s);
|
|
|
|
|
|
free(s);
|
|
|
|
|
|
opts->filter = filter_set(opts->filter_rules, "sslproxy", tmp_opts);
|
|
|
|
|
|
s = filter_str(opts->filter);
|
|
|
ck_assert_msg(!strcmp(s, "filter=>\n"
|
|
|
"userdesc_filter_exact->\n"
|
|
|
" user 0 root (exact)=\n"
|
|
|
" desc exact:\n"
|
|
|
" desc 0 desc1 (exact)=\n"
|
|
|
" sni exact:\n"
|
|
|
" 0: site1 (exact, action=||||match, log=connect|||content||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" sni substring:\n"
|
|
|
" 0: site2 (substring, action=||||match, log=connect|||content||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" desc substring:\n"
|
|
|
" desc 0 desc2 (substring)=\n"
|
|
|
" sni exact:\n"
|
|
|
" 0: site1 (exact, action=||||match, log=connect|||content||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" sni substring:\n"
|
|
|
" 0: site2 (substring, action=||||match, log=connect|||content||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
"userdesc_filter_substring->\n"
|
|
|
" user 0 admin (substring)=\n"
|
|
|
" desc exact:\n"
|
|
|
" desc 0 desc1 (exact)=\n"
|
|
|
" sni exact:\n"
|
|
|
" 0: site1 (exact, action=||||match, log=connect|||content||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" sni substring:\n"
|
|
|
" 0: site2 (substring, action=||||match, log=connect|||content||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" desc substring:\n"
|
|
|
" desc 0 desc2 (substring)=\n"
|
|
|
" sni exact:\n"
|
|
|
" 0: site1 (exact, action=||||match, log=connect|||content||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" sni substring:\n"
|
|
|
" 0: site2 (substring, action=||||match, log=connect|||content||, precedence=5\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
"user_filter_exact->\n"
|
|
|
"user_filter_substring->\n"
|
|
|
"desc_filter_exact->\n"
|
|
|
"desc_filter_substring->\n"
|
|
|
"user_filter_all->\n"
|
|
|
"ip_filter_exact->\n"
|
|
|
"ip_filter_substring->\n"
|
|
|
"filter_all->\n"), "failed to translate rule: %s", s);
|
|
|
free(s);
|
|
|
|
|
|
opts_free(opts);
|
|
|
conn_opts_free(conn_opts);
|
|
|
tmp_opts_free(tmp_opts);
|
|
|
}
|
|
|
END_TEST
|
|
|
|
|
|
START_TEST(set_filter_struct_15)
|
|
|
{
|
|
|
char *s;
|
|
|
int rv;
|
|
|
opts_t *opts = opts_new();
|
|
|
conn_opts_t *conn_opts = conn_opts_new();
|
|
|
|
|
|
tmp_opts_t *tmp_opts = malloc(sizeof (tmp_opts_t));
|
|
|
memset(tmp_opts, 0, sizeof (tmp_opts_t));
|
|
|
|
|
|
FILE *f;
|
|
|
unsigned int line_num = 0;
|
|
|
|
|
|
s = strdup("$users root admin*");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
s = strdup("$descs desc1 desc2*");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
s = strdup("$sites site1* site2");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
// Syntactically right, but semantically redundant/useless
|
|
|
s = strdup("$ports 80* *");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
// check errors out if we add all log actions to the macro:
|
|
|
// "../../src/check_pack.c:306: Message string too long"
|
|
|
// Also, the compiler gives:
|
|
|
// warning: string length ‘4186’ is greater than the length ‘4095’ ISO C99 compilers are required to support [-Woverlength-strings]
|
|
|
// so use 1 log action only
|
|
|
s = strdup("$logs pcap");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
s = "Action Match\nUser $users\nDesc $descs\nCN $sites\nDstPort $ports\nLog $logs\nUserAuth yes\n}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = filter_rule_str(opts->filter_rules);
|
|
|
|
|
|
ck_assert_msg(!strcmp(strstr(s, "filter rule 8: "),
|
|
|
"filter rule 8: cn=site1, dstport=80, srcip=, user=admin, desc=desc1, exact=||||desc, all=|||, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 9: cn=site1, dstport=, srcip=, user=admin, desc=desc1, exact=||||desc, all=|||ports, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 10: cn=site2, dstport=80, srcip=, user=admin, desc=desc1, exact=site||||desc, all=|||, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 11: cn=site2, dstport=, srcip=, user=admin, desc=desc1, exact=site||||desc, all=|||ports, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 12: cn=site1, dstport=80, srcip=, user=admin, desc=desc2, exact=||||, all=|||, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 13: cn=site1, dstport=, srcip=, user=admin, desc=desc2, exact=||||, all=|||ports, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 14: cn=site2, dstport=80, srcip=, user=admin, desc=desc2, exact=site||||, all=|||, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 15: cn=site2, dstport=, srcip=, user=admin, desc=desc2, exact=site||||, all=|||ports, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
"failed to parse rule tail: %s", strstr(s, "filter rule 8: "));
|
|
|
|
|
|
// Trim the tail
|
|
|
char *p = strstr(s, "filter rule 8: ");
|
|
|
*p = '\0';
|
|
|
|
|
|
ck_assert_msg(!strcmp(s,
|
|
|
"filter rule 0: cn=site1, dstport=80, srcip=, user=root, desc=desc1, exact=|||user|desc, all=|||, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 1: cn=site1, dstport=, srcip=, user=root, desc=desc1, exact=|||user|desc, all=|||ports, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 2: cn=site2, dstport=80, srcip=, user=root, desc=desc1, exact=site|||user|desc, all=|||, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 3: cn=site2, dstport=, srcip=, user=root, desc=desc1, exact=site|||user|desc, all=|||ports, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 4: cn=site1, dstport=80, srcip=, user=root, desc=desc2, exact=|||user|, all=|||, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 5: cn=site1, dstport=, srcip=, user=root, desc=desc2, exact=|||user|, all=|||ports, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 6: cn=site2, dstport=80, srcip=, user=root, desc=desc2, exact=site|||user|, all=|||, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
"filter rule 7: cn=site2, dstport=, srcip=, user=root, desc=desc2, exact=site|||user|, all=|||ports, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
"failed to parse rule head: %s", s);
|
|
|
|
|
|
free(s);
|
|
|
|
|
|
opts->filter = filter_set(opts->filter_rules, "sslproxy", tmp_opts);
|
|
|
|
|
|
s = filter_str(opts->filter);
|
|
|
|
|
|
ck_assert_msg(!strcmp(strstr(s, "userdesc_filter_substring->\n"),
|
|
|
"userdesc_filter_substring->\n"
|
|
|
" user 0 admin (substring)=\n"
|
|
|
" desc exact:\n"
|
|
|
" desc 0 desc1 (exact)=\n"
|
|
|
" cn exact:\n"
|
|
|
" 0: site2 (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" port all:\n"
|
|
|
" 0: (all_ports, substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" cn substring:\n"
|
|
|
" 0: site1 (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" port all:\n"
|
|
|
" 0: (all_ports, substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" desc substring:\n"
|
|
|
" desc 0 desc2 (substring)=\n"
|
|
|
" cn exact:\n"
|
|
|
" 0: site2 (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" port all:\n"
|
|
|
" 0: (all_ports, substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" cn substring:\n"
|
|
|
" 0: site1 (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" port all:\n"
|
|
|
" 0: (all_ports, substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
"user_filter_exact->\n"
|
|
|
"user_filter_substring->\n"
|
|
|
"desc_filter_exact->\n"
|
|
|
"desc_filter_substring->\n"
|
|
|
"user_filter_all->\n"
|
|
|
"ip_filter_exact->\n"
|
|
|
"ip_filter_substring->\n"
|
|
|
"filter_all->\n"), "failed to translate rule tail: %s", strstr(s, "userdesc_filter_substring->\n"));
|
|
|
|
|
|
// Trim the tail
|
|
|
p = strstr(s, "userdesc_filter_substring->\n");
|
|
|
*p = '\0';
|
|
|
|
|
|
ck_assert_msg(!strcmp(s, "filter=>\n"
|
|
|
"userdesc_filter_exact->\n"
|
|
|
" user 0 root (exact)=\n"
|
|
|
" desc exact:\n"
|
|
|
" desc 0 desc1 (exact)=\n"
|
|
|
" cn exact:\n"
|
|
|
" 0: site2 (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" port all:\n"
|
|
|
" 0: (all_ports, substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" cn substring:\n"
|
|
|
" 0: site1 (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" port all:\n"
|
|
|
" 0: (all_ports, substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" desc substring:\n"
|
|
|
" desc 0 desc2 (substring)=\n"
|
|
|
" cn exact:\n"
|
|
|
" 0: site2 (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" port all:\n"
|
|
|
" 0: (all_ports, substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" cn substring:\n"
|
|
|
" 0: site1 (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
" port substring:\n"
|
|
|
" 0: 80 (substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
" port all:\n"
|
|
|
" 0: (all_ports, substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|"ECDHCURVE"no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
), "failed to translate rule head: %s", s);
|
|
|
|
|
|
free(s);
|
|
|
|
|
|
opts_free(opts);
|
|
|
conn_opts_free(conn_opts);
|
|
|
tmp_opts_free(tmp_opts);
|
|
|
}
|
|
|
END_TEST
|
|
|
#endif /* !WITHOUT_USERAUTH */
|
|
|
|
|
|
START_TEST(set_filter_struct_16)
|
|
|
{
|
|
|
char *s;
|
|
|
int rv;
|
|
|
opts_t *opts = opts_new();
|
|
|
conn_opts_t *conn_opts = conn_opts_new();
|
|
|
|
|
|
tmp_opts_t *tmp_opts = malloc(sizeof (tmp_opts_t));
|
|
|
memset(tmp_opts, 0, sizeof (tmp_opts_t));
|
|
|
|
|
|
FILE *f;
|
|
|
unsigned int line_num = 0;
|
|
|
|
|
|
s = "Action Match\n"
|
|
|
"SrcIp 192.168.0.1\n"
|
|
|
"DstIp 192.168.0.2\n"
|
|
|
"Log connect\n"
|
|
|
"ReconnectSSL yes\n"
|
|
|
"DenyOCSP no\n"
|
|
|
"Passthrough yes\n"
|
|
|
"CACert ../testproxy/ca.crt\n"
|
|
|
"CAKey ../testproxy/ca.key\n"
|
|
|
"ClientCert ../testproxy/ca2.crt\n"
|
|
|
"ClientKey ../testproxy/ca2.key\n"
|
|
|
"CAChain ../testproxy/server.crt\n"
|
|
|
"LeafCRLURL http://example1.com/example1.crl\n"
|
|
|
//"DHGroupParams /etc/sslproxy/dh.pem\n"
|
|
|
#ifndef OPENSSL_NO_ECDH
|
|
|
"ECDHCurve prime192v1\n"
|
|
|
#endif /* !OPENSSL_NO_ECDH */
|
|
|
#ifdef SSL_OP_NO_COMPRESSION
|
|
|
"SSLCompression yes\n"
|
|
|
#endif /* SSL_OP_NO_COMPRESSION */
|
|
|
"ForceSSLProto "FORCE_SSL_PROTO"\n"
|
|
|
"DisableSSLProto "MAX_SSL_PROTO"\n"
|
|
|
"EnableSSLProto tls1\n"
|
|
|
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20702000L)
|
|
|
"MinSSLProto tls10\n"
|
|
|
"MaxSSLProto tls11\n"
|
|
|
#endif
|
|
|
"Ciphers LOW\n"
|
|
|
"CipherSuites TLS_AES_128_CCM_SHA256\n"
|
|
|
"RemoveHTTPAcceptEncoding no\n"
|
|
|
"RemoveHTTPReferer no\n"
|
|
|
"VerifyPeer no\n"
|
|
|
"AllowWrongHost yes\n"
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
"UserAuth no\n"
|
|
|
"UserTimeout 1200\n"
|
|
|
"UserAuthURL https://192.168.0.12/userdblogin1.php\n"
|
|
|
#endif /* !WITHOUT_USERAUTH */
|
|
|
"ValidateProto no\n"
|
|
|
"MaxHTTPHeaderSize 2048\n"
|
|
|
"}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = filter_rule_str(opts->filter_rules);
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
ck_assert_msg(!strcmp(s,
|
|
|
"filter rule 0: dstip=192.168.0.2, dstport=, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"),
|
|
|
"failed to parse rule: %s", s);
|
|
|
#else /* WITHOUT_USERAUTH */
|
|
|
ck_assert_msg(!strcmp(s,
|
|
|
"filter rule 0: dstip=192.168.0.2, dstport=, srcip=192.168.0.1, exact=site||ip, all=||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"http://example1.com/example1.crl|allow_wrong_host|reconnect_ssl|2048\n"),
|
|
|
"failed to parse rule: %s", s);
|
|
|
#endif /* WITHOUT_USERAUTH */
|
|
|
free(s);
|
|
|
|
|
|
opts->filter = filter_set(opts->filter_rules, "sslproxy", tmp_opts);
|
|
|
|
|
|
s = filter_str(opts->filter);
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
ck_assert_msg(!strcmp(s, "filter=>\n"
|
|
|
"userdesc_filter_exact->\n"
|
|
|
"userdesc_filter_substring->\n"
|
|
|
"user_filter_exact->\n"
|
|
|
"user_filter_substring->\n"
|
|
|
"desc_filter_exact->\n"
|
|
|
"desc_filter_substring->\n"
|
|
|
"user_filter_all->\n"
|
|
|
"ip_filter_exact->\n"
|
|
|
" ip 0 192.168.0.1 (exact)=\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.2 (exact, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
"ip_filter_substring->\n"
|
|
|
"filter_all->\n"), "failed to translate rule: %s", s);
|
|
|
#else /* WITHOUT_USERAUTH */
|
|
|
ck_assert_msg(!strcmp(s, "filter=>\n"
|
|
|
"ip_filter_exact->\n"
|
|
|
" ip 0 192.168.0.1 (exact)=\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.2 (exact, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"no leafcrlurl|allow_wrong_host|reconnect_ssl|2048)\n"
|
|
|
"ip_filter_substring->\n"
|
|
|
"filter_all->\n"), "failed to translate rule: %s", s);
|
|
|
#endif /* WITHOUT_USERAUTH */
|
|
|
free(s);
|
|
|
|
|
|
opts_free(opts);
|
|
|
conn_opts_free(conn_opts);
|
|
|
tmp_opts_free(tmp_opts);
|
|
|
}
|
|
|
END_TEST
|
|
|
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
START_TEST(set_filter_struct_17)
|
|
|
{
|
|
|
char *s;
|
|
|
int rv;
|
|
|
opts_t *opts = opts_new();
|
|
|
conn_opts_t *conn_opts = conn_opts_new();
|
|
|
|
|
|
tmp_opts_t *tmp_opts = malloc(sizeof (tmp_opts_t));
|
|
|
memset(tmp_opts, 0, sizeof (tmp_opts_t));
|
|
|
|
|
|
s = strdup("$sites site1* site2");
|
|
|
rv = filter_macro_set(opts, s, 0);
|
|
|
ck_assert_msg(rv == 0, "failed to set macro");
|
|
|
free(s);
|
|
|
|
|
|
FILE *f;
|
|
|
unsigned int line_num = 0;
|
|
|
|
|
|
s = "Action Match\n"
|
|
|
"SrcIp 192.168.0.1\n"
|
|
|
|
|
|
// Multi-site struct rule with macro
|
|
|
"DstIp 192.168.0.2\n"
|
|
|
"SNI example.com\n"
|
|
|
"CN example.com*\n"
|
|
|
"Host $sites\n"
|
|
|
"URI *\n"
|
|
|
|
|
|
"Log connect\n"
|
|
|
"ReconnectSSL yes\n"
|
|
|
"DenyOCSP no\n"
|
|
|
"Passthrough yes\n"
|
|
|
"CACert ../testproxy/ca.crt\n"
|
|
|
"CAKey ../testproxy/ca.key\n"
|
|
|
"ClientCert ../testproxy/ca2.crt\n"
|
|
|
"ClientKey ../testproxy/ca2.key\n"
|
|
|
"CAChain ../testproxy/server.crt\n"
|
|
|
"LeafCRLURL http://example1.com/example1.crl\n"
|
|
|
//"DHGroupParams /etc/sslproxy/dh.pem\n"
|
|
|
#ifndef OPENSSL_NO_ECDH
|
|
|
"ECDHCurve prime192v1\n"
|
|
|
#endif /* !OPENSSL_NO_ECDH */
|
|
|
#ifdef SSL_OP_NO_COMPRESSION
|
|
|
"SSLCompression yes\n"
|
|
|
#endif /* SSL_OP_NO_COMPRESSION */
|
|
|
"ForceSSLProto "FORCE_SSL_PROTO"\n"
|
|
|
"DisableSSLProto "MAX_SSL_PROTO"\n"
|
|
|
"EnableSSLProto tls1\n"
|
|
|
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20702000L)
|
|
|
"MinSSLProto tls10\n"
|
|
|
"MaxSSLProto tls11\n"
|
|
|
#endif
|
|
|
"Ciphers LOW\n"
|
|
|
"CipherSuites TLS_AES_128_CCM_SHA256\n"
|
|
|
"RemoveHTTPAcceptEncoding no\n"
|
|
|
"RemoveHTTPReferer no\n"
|
|
|
"VerifyPeer no\n"
|
|
|
"AllowWrongHost yes\n"
|
|
|
"UserAuth no\n"
|
|
|
"UserTimeout 1200\n"
|
|
|
"UserAuthURL https://192.168.0.12/userdblogin1.php\n"
|
|
|
"ValidateProto no\n"
|
|
|
"MaxHTTPHeaderSize 2048\n"
|
|
|
"}";
|
|
|
f = fmemopen(s, strlen(s), "r");
|
|
|
rv = load_filterrule_struct(opts, conn_opts, "sslproxy", &line_num, f, tmp_opts);
|
|
|
fclose(f);
|
|
|
ck_assert_msg(rv == 0, "failed to parse rule");
|
|
|
|
|
|
s = filter_rule_str(opts->filter_rules);
|
|
|
ck_assert_msg(!strcmp(s,
|
|
|
"filter rule 0: dstip=192.168.0.2, dstport=, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
"filter rule 0: sni=example.com, dstport=, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
"filter rule 0: cn=example.com, dstport=, srcip=192.168.0.1, user=, desc=, exact=||ip||, all=|||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
"filter rule 0: host=site1, dstport=, srcip=192.168.0.1, user=, desc=, exact=||ip||, all=|||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
"filter rule 0: uri=, dstport=, srcip=192.168.0.1, user=, desc=, exact=||ip||, all=||sites|, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
"filter rule 1: dstip=192.168.0.2, dstport=, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
"filter rule 1: sni=example.com, dstport=, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
"filter rule 1: cn=example.com, dstport=, srcip=192.168.0.1, user=, desc=, exact=||ip||, all=|||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
"filter rule 1: host=site2, dstport=, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
"filter rule 1: uri=, dstport=, srcip=192.168.0.1, user=, desc=, exact=||ip||, all=||sites|, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"),
|
|
|
"failed to parse rule: %s", s);
|
|
|
free(s);
|
|
|
|
|
|
opts->filter = filter_set(opts->filter_rules, "sslproxy", tmp_opts);
|
|
|
|
|
|
s = filter_str(opts->filter);
|
|
|
ck_assert_msg(!strcmp(s, "filter=>\n"
|
|
|
"userdesc_filter_exact->\n"
|
|
|
"userdesc_filter_substring->\n"
|
|
|
"user_filter_exact->\n"
|
|
|
"user_filter_substring->\n"
|
|
|
"desc_filter_exact->\n"
|
|
|
"desc_filter_substring->\n"
|
|
|
"user_filter_all->\n"
|
|
|
"ip_filter_exact->\n"
|
|
|
" ip 0 192.168.0.1 (exact)=\n"
|
|
|
" ip exact:\n"
|
|
|
" 0: 192.168.0.2 (exact, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
" sni exact:\n"
|
|
|
" 0: example.com (exact, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
" cn substring:\n"
|
|
|
" 0: example.com (substring, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
" host exact:\n"
|
|
|
" 0: site2 (exact, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
" host substring:\n"
|
|
|
" 0: site1 (substring, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
" uri all:\n"
|
|
|
" 0: (all_sites, substring, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|"ECDH_PRIME2"no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
"ip_filter_substring->\n"
|
|
|
"filter_all->\n"), "failed to translate rule: %s", s);
|
|
|
free(s);
|
|
|
|
|
|
opts_free(opts);
|
|
|
conn_opts_free(conn_opts);
|
|
|
tmp_opts_free(tmp_opts);
|
|
|
}
|
|
|
END_TEST
|
|
|
#endif /* !WITHOUT_USERAUTH */
|
|
|
|
|
|
Suite *
|
|
|
filter_struct_suite(void)
|
|
|
{
|
|
|
Suite *s;
|
|
|
TCase *tc;
|
|
|
s = suite_create("filter_struct");
|
|
|
|
|
|
tc = tcase_create("set_filter_struct");
|
|
|
tcase_add_test(tc, set_filter_struct_01);
|
|
|
tcase_add_test(tc, set_filter_struct_02);
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
tcase_add_test(tc, set_filter_struct_03);
|
|
|
#endif /* !WITHOUT_USERAUTH */
|
|
|
tcase_add_test(tc, set_filter_struct_04);
|
|
|
tcase_add_test(tc, set_filter_struct_05);
|
|
|
tcase_add_test(tc, set_filter_struct_06);
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
tcase_add_test(tc, set_filter_struct_07);
|
|
|
#endif /* !WITHOUT_USERAUTH */
|
|
|
tcase_add_test(tc, set_filter_struct_08);
|
|
|
tcase_add_test(tc, set_filter_struct_09);
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
tcase_add_test(tc, set_filter_struct_10);
|
|
|
tcase_add_test(tc, set_filter_struct_11);
|
|
|
tcase_add_test(tc, set_filter_struct_12);
|
|
|
#endif /* !WITHOUT_USERAUTH */
|
|
|
tcase_add_test(tc, set_filter_struct_13);
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
tcase_add_test(tc, set_filter_struct_14);
|
|
|
tcase_add_test(tc, set_filter_struct_15);
|
|
|
#endif /* !WITHOUT_USERAUTH */
|
|
|
tcase_add_test(tc, set_filter_struct_16);
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
tcase_add_test(tc, set_filter_struct_17);
|
|
|
#endif /* !WITHOUT_USERAUTH */
|
|
|
suite_add_tcase(s, tc);
|
|
|
|
|
|
return s;
|
|
|
}
|
|
|
|
|
|
/* vim: set noet ft=c: */
|