Merge remote-tracking branch 'asn/bug12207_second_draft'

src/or/entrynodes.c

@@ -12,6 +12,8 @@
  * circumvention).
  **/
 
+#define ENTRYNODES_PRIVATE
+
 #include "or.h"
 #include "circpathbias.h"
 #include "circuitbuild.h"
@@ -155,7 +157,7 @@ entry_guard_set_status(entry_guard_t *e, const node_t *node,
 /** Return true iff enough time has passed since we last tried to connect
  * to the unreachable guard <b>e</b> that we're willing to try again. */
 static int
-entry_is_time_to_retry(entry_guard_t *e, time_t now)
+entry_is_time_to_retry(const entry_guard_t *e, time_t now)
 {
   long diff;
   if (e->last_attempted < e->unreachable_since)
@@ -189,7 +191,7 @@ entry_is_time_to_retry(entry_guard_t *e, time_t now)
  * a descriptor (routerinfo or microdesc) for it.
  */
 static INLINE const node_t *
-entry_is_live(entry_guard_t *e, int need_uptime, int need_capacity,
+entry_is_live(const entry_guard_t *e, int need_uptime, int need_capacity,
               int assume_reachable, int need_descriptor, const char **msg)
 {
   const node_t *node;
@@ -350,7 +352,7 @@ control_event_guard_deferred(void)
  * If <b>chosen</b> is defined, use that one, and if it's not
  * already in our entry_guards list, put it at the *beginning*.
  * Else, put the one we pick at the end of the list. */
-static const node_t *
+STATIC const node_t *
 add_an_entry_guard(const node_t *chosen, int reset_status, int prepend,
                    int for_discovery, int for_directory)
 {
@@ -437,7 +439,7 @@ add_an_entry_guard(const node_t *chosen, int reset_status, int prepend,
 /** Choose how many entry guards or directory guards we'll use. If
  * <b>for_directory</b> is true, we return how many directory guards to
  * use; else we return how many entry guards to use. */
-static int
+STATIC int
 decide_num_guards(const or_options_t *options, int for_directory)
 {
   if (for_directory && options->NumDirectoryGuards != 0)
@@ -836,7 +838,7 @@ update_node_guard_status(void)
 
 /** Adjust the entry guards list so that it only contains entries from
  * EntryNodes, adding new entries from EntryNodes to the list as needed. */
-static void
+STATIC void
 entry_guards_set_from_config(const or_options_t *options)
 {
   smartlist_t *entry_nodes, *worse_entry_nodes, *entry_fps;
@@ -995,44 +997,47 @@ choose_random_dirguard(dirinfo_type_t type)
   return choose_random_entry_impl(NULL, 1, type, NULL);
 }
 
-/** Helper for choose_random{entry,dirguard}. */
-static const node_t *
-choose_random_entry_impl(cpath_build_state_t *state, int for_directory,
-                         dirinfo_type_t dirinfo_type, int *n_options_out)
+/** Filter <b>all_entry_guards</b> for usable entry guards and put them
+ * in <b>live_entry_guards</b>. We filter based on whether the node is
+ * currently alive, and on whether it satisfies the restrictions
+ * imposed by the other arguments of this function.
+ *
+ * We don't place more guards than NumEntryGuards in <b>live_entry_guards</b>.
+ *
+ * If <b>chosen_exit</b> is set, it contains the exit node of this
+ * circuit. Make sure to not use it or its family as an entry guard.
+ *
+ * If <b>need_uptime</b> is set, we are looking for a stable entry guard.
+ * if <b>need_capacity</b> is set, we are looking for a fast entry guard.
+ *
+ * The rest of the arguments are the same as in choose_random_entry_impl().
+ *
+ * Return 1 if we should choose a guard right away. Return 0 if we
+ * should try to add more nodes to our list before deciding on a
+ * guard.
+ */
+STATIC int
+populate_live_entry_guards(smartlist_t *live_entry_guards,
+                           const smartlist_t *all_entry_guards,
+                           const node_t *chosen_exit,
+                           dirinfo_type_t dirinfo_type,
+                           int for_directory,
+                           int need_uptime, int need_capacity)
 {
   const or_options_t *options = get_options();
-  smartlist_t *live_entry_guards = smartlist_new();
-  smartlist_t *exit_family = smartlist_new();
-  const node_t *chosen_exit =
-    state?build_state_get_exit_node(state) : NULL;
   const node_t *node = NULL;
-  int need_uptime = state ? state->need_uptime : 0;
-  int need_capacity = state ? state->need_capacity : 0;
-  int preferred_min, consider_exit_family = 0;
-  int need_descriptor = !for_directory;
   const int num_needed = decide_num_guards(options, for_directory);
+  smartlist_t *exit_family = smartlist_new();
+  int retval = 0;
+  int need_descriptor = !for_directory;
 
-  if (n_options_out)
-    *n_options_out = 0;
+  tor_assert(all_entry_guards);
 
   if (chosen_exit) {
     nodelist_add_node_and_family(exit_family, chosen_exit);
-    consider_exit_family = 1;
   }
 
-  if (!entry_guards)
-    entry_guards = smartlist_new();
-
-  if (should_add_entry_nodes)
-    entry_guards_set_from_config(options);
-
-  if (!entry_list_is_constrained(options) &&
-      smartlist_len(entry_guards) < num_needed)
-    pick_entry_guards(options, for_directory);
-
- retry:
-  smartlist_clear(live_entry_guards);
-  SMARTLIST_FOREACH_BEGIN(entry_guards, entry_guard_t *, entry) {
+  SMARTLIST_FOREACH_BEGIN(all_entry_guards, const entry_guard_t *, entry) {
       const char *msg;
       node = entry_is_live(entry, need_uptime, need_capacity, 0,
                            need_descriptor, &msg);
@@ -1044,39 +1049,94 @@ choose_random_entry_impl(cpath_build_state_t *state, int for_directory,
       }
       if (node == chosen_exit)
         continue; /* don't pick the same node for entry and exit */
-      if (consider_exit_family && smartlist_contains(exit_family, node))
+      if (smartlist_contains(exit_family, node))
         continue; /* avoid relays that are family members of our exit */
       if (dirinfo_type != NO_DIRINFO &&
           !node_can_handle_dirinfo(node, dirinfo_type))
         continue; /* this node won't be able to answer our dir questions */
-#if 0 /* since EntryNodes is always strict now, this clause is moot */
-      if (options->EntryNodes &&
-          !routerset_contains_node(options->EntryNodes, node)) {
-        /* We've come to the end of our preferred entry nodes. */
-        if (smartlist_len(live_entry_guards))
-          goto choose_and_finish; /* only choose from the ones we like */
-        if (options->StrictNodes) {
-          /* in theory this case should never happen, since
-           * entry_guards_set_from_config() drops unwanted relays */
-          tor_fragile_assert();
-        } else {
-          log_info(LD_CIRC,
-                   "No relays from EntryNodes available. Using others.");
-        }
-      }
-#endif
       smartlist_add(live_entry_guards, (void*)node);
       if (!entry->made_contact) {
         /* Always start with the first not-yet-contacted entry
          * guard. Otherwise we might add several new ones, pick
          * the second new one, and now we've expanded our entry
          * guard list without needing to. */
-        goto choose_and_finish;
+        retval = 1;
+        goto done;
+      }
+      if (smartlist_len(live_entry_guards) >= num_needed) {
+        retval = 1;
+        goto done; /* We picked enough entry guards. Done! */
       }
-      if (smartlist_len(live_entry_guards) >= num_needed)
-        goto choose_and_finish; /* we have enough */
   } SMARTLIST_FOREACH_END(entry);
 
+ done:
+  smartlist_free(exit_family);
+
+  return retval;
+}
+
+/** Pick a node to be used as the entry guard of a circuit.
+ *
+ * If <b>state</b> is set, it contains the information we know about
+ * the upcoming circuit.
+ *
+ * If <b>for_directory</b> is set, we are looking for a directory guard.
+ *
+ * <b>dirinfo_type</b> contains the kind of directory information we
+ * are looking for in our node.
+ *
+ * If <b>n_options_out</b> is set, we set it to the number of
+ * candidate guard nodes we had before picking a specific guard node.
+ *
+ * On success, return the node that should be used as the entry guard
+ * of the circuit.  Return NULL if no such node could be found.
+ *
+ * Helper for choose_random{entry,dirguard}.
+*/
+static const node_t *
+choose_random_entry_impl(cpath_build_state_t *state, int for_directory,
+                         dirinfo_type_t dirinfo_type, int *n_options_out)
+{
+  const or_options_t *options = get_options();
+  smartlist_t *live_entry_guards = smartlist_new();
+  const node_t *chosen_exit =
+    state?build_state_get_exit_node(state) : NULL;
+  const node_t *node = NULL;
+  int need_uptime = state ? state->need_uptime : 0;
+  int need_capacity = state ? state->need_capacity : 0;
+  int preferred_min = 0;
+  const int num_needed = decide_num_guards(options, for_directory);
+  int retval = 0;
+
+  if (n_options_out)
+    *n_options_out = 0;
+
+  if (!entry_guards)
+    entry_guards = smartlist_new();
+
+  if (should_add_entry_nodes)
+    entry_guards_set_from_config(options);
+
+  if (!entry_list_is_constrained(options) &&
+      smartlist_len(entry_guards) < num_needed)
+    pick_entry_guards(options, for_directory);
+
+ retry:
+  smartlist_clear(live_entry_guards);
+
+  /* Populate the list of live entry guards so that we pick one of
+     them. */
+  retval = populate_live_entry_guards(live_entry_guards,
+                                      entry_guards,
+                                      chosen_exit,
+                                      dirinfo_type,
+                                      for_directory,
+                                      need_uptime, need_capacity);
+
+  if (retval == 1) { /* We should choose a guard right now. */
+    goto choose_and_finish;
+  }
+
   if (entry_list_is_constrained(options)) {
     /* If we prefer the entry nodes we've got, and we have at least
      * one choice, that's great. Use it. */
@@ -1115,18 +1175,7 @@ choose_random_entry_impl(cpath_build_state_t *state, int for_directory,
       need_capacity = 0;
       goto retry;
     }
-#if 0
-    /* Removing this retry logic: if we only allow one exit, and it is in the
-       same family as all our entries, then we are just plain not going to win
-       here. */
-    if (!node && entry_list_is_constrained(options) && consider_exit_family) {
-      /* still no? if we're using bridges or have strictentrynodes
-       * set, and our chosen exit is in the same family as all our
-       * bridges/entry guards, then be flexible about families. */
-      consider_exit_family = 0;
-      goto retry;
-    }
-#endif
+
     /* live_entry_guards may be empty below. Oh well, we tried. */
   }
 
@@ -1144,7 +1193,6 @@ choose_random_entry_impl(cpath_build_state_t *state, int for_directory,
   if (n_options_out)
     *n_options_out = smartlist_len(live_entry_guards);
   smartlist_free(live_entry_guards);
-  smartlist_free(exit_family);
   return node;
 }
 

src/or/entrynodes.h

@@ -77,6 +77,22 @@ int num_live_entry_guards(int for_directory);
 
 #endif
 
+#ifdef ENTRYNODES_PRIVATE
+STATIC const node_t *add_an_entry_guard(const node_t *chosen,
+                                        int reset_status, int prepend,
+                                        int for_discovery, int for_directory);
+
+STATIC int populate_live_entry_guards(smartlist_t *live_entry_guards,
+                                      const smartlist_t *all_entry_guards,
+                                      const node_t *chosen_exit,
+                                      dirinfo_type_t dirinfo_type,
+                                      int for_directory,
+                                      int need_uptime, int need_capacity);
+STATIC int decide_num_guards(const or_options_t *options, int for_directory);
+
+STATIC void entry_guards_set_from_config(const or_options_t *options);
+#endif
+
 void remove_all_entry_guards(void);
 
 void entry_guards_compute_status(const or_options_t *options, time_t now);

src/or/routerlist.c

@@ -3296,6 +3296,14 @@ routerlist_reset_warnings(void)
   networkstatus_reset_warnings();
 }
 
+/** Return 1 if the signed descriptor of this router is older than
+ *  <b>seconds</b> seconds.  Otherwise return 0. */
+MOCK_IMPL(int,
+router_descriptor_is_older_than,(const routerinfo_t *router, int seconds))
+{
+  return router->cache_info.published_on < time(NULL) - seconds;
+}
+
 /** Add <b>router</b> to the routerlist, if we don't already have it.  Replace
  * older entries (if any) with the same key.  Note: Callers should not hold
  * their pointers to <b>router</b> if this function fails; <b>router</b>
@@ -3465,7 +3473,7 @@ router_add_to_routerlist(routerinfo_t *router, const char **msg,
   }
 
   if (!in_consensus && from_cache &&
-      router->cache_info.published_on < time(NULL) - OLD_ROUTER_DESC_MAX_AGE) {
+      router_descriptor_is_older_than(router, OLD_ROUTER_DESC_MAX_AGE)) {
     *msg = "Router descriptor was really old.";
     routerinfo_free(router);
     return ROUTER_WAS_NOT_NEW;

src/or/routerlist.h

@@ -212,6 +212,9 @@ STATIC int choose_array_element_by_weight(const u64_dbl_t *entries,
                                           int n_entries);
 STATIC void scale_array_elements_to_u64(u64_dbl_t *entries, int n_entries,
                                         uint64_t *total_out);
+
+MOCK_DECL(int, router_descriptor_is_older_than, (const routerinfo_t *router,
+                                                 int seconds));
 #endif
 
 #endif

src/test/include.am

@@ -28,6 +28,7 @@ src_test_test_SOURCES = \
 	src/test/test_cell_queue.c \
 	src/test/test_data.c \
 	src/test/test_dir.c \
+	src/test/test_entrynodes.c \
 	src/test/test_extorport.c \
 	src/test/test_introduce.c \
 	src/test/test_logging.c \

src/test/test.c

@@ -1313,6 +1313,7 @@ extern struct testcase_t circuitmux_tests[];
 extern struct testcase_t cell_queue_tests[];
 extern struct testcase_t options_tests[];
 extern struct testcase_t socks_tests[];
+extern struct testcase_t entrynodes_tests[];
 extern struct testcase_t extorport_tests[];
 extern struct testcase_t controller_event_tests[];
 extern struct testcase_t logging_tests[];
@@ -1344,6 +1345,7 @@ static struct testgroup_t testgroups[] = {
   { "circuitlist/", circuitlist_tests },
   { "circuitmux/", circuitmux_tests },
   { "options/", options_tests },
+  { "entrynodes/", entrynodes_tests },
   { "extorport/", extorport_tests },
   { "control/", controller_event_tests },
   { "hs/", hs_tests },

src/test/test_descriptors.txt

@@ -0,0 +1,304 @@
+@uploaded-at 2014-06-08 19:20:11
+@source "127.0.0.1"
+router test000a 127.0.0.1 5000 0 7000
+platform Tor 0.2.5.3-alpha-dev on Linux
+protocols Link 1 2 Circuit 1
+published 2014-06-08 19:20:11
+fingerprint C7E7 CCB8 179F 8CC3 7F5C 8A04 2B3A 180B 934B 14BA
+uptime 0
+bandwidth 1073741824 1073741824 0
+extra-info-digest 67A152A4C7686FB07664F872620635F194D76D95
+caches-extra-info
+onion-key
+-----BEGIN RSA PUBLIC KEY-----
+MIGJAoGBAOuBUIEBARMkkka/TGyaQNgUEDLP0KG7sy6KNQTNOlZHUresPr/vlVjo
+HPpLMfu9M2z18c51YX/muWwY9x4MyQooD56wI4+AqXQcJRwQfQlPn3Ay82uZViA9
+DpBajRieLlKKkl145KjArpD7F5BVsqccvjErgFYXvhhjSrx7BVLnAgMBAAE=
+-----END RSA PUBLIC KEY-----
+signing-key
+-----BEGIN RSA PUBLIC KEY-----
+MIGJAoGBAN6NLnSxWQnFXxqZi5D3b0BMgV6y9NJLGjYQVP+eWtPZWgqyv4zeYsqv
+O9y6c5lvxyUxmNHfoAbe/s8f2Vf3/YaC17asAVSln4ktrr3e9iY74a9RMWHv1Gzk
+3042nMcqj3PEhRN0PoLkcOZNjjmNbaqki6qy9bWWZDNTdo+uI44dAgMBAAE=
+-----END RSA PUBLIC KEY-----
+hidden-service-dir
+contact auth0@test.test
+ntor-onion-key pK4bs08ERYN591jj7ca17Rn9Q02TIEfhnjR6hSq+fhU=
+reject *:*
+router-signature
+-----BEGIN SIGNATURE-----
+rx88DuM3Y7tODlHNDDEVzKpwh3csaG1or+T4l2Xs1oq3iHHyPEtB6QTLYrC60trG
+aAPsj3DEowGfjga1b248g2dtic8Ab+0exfjMm1RHXfDam5TXXZU3A0wMyoHjqHuf
+eChGPgFNUvEc+5YtD27qEDcUjcinYztTs7/dzxBT4PE=
+-----END SIGNATURE-----
+@uploaded-at 2014-06-08 19:20:11
+@source "127.0.0.1"
+router test001a 127.0.0.1 5001 0 7001
+platform Tor 0.2.5.3-alpha-dev on Linux
+protocols Link 1 2 Circuit 1
+published 2014-06-08 19:20:11
+fingerprint 35DA 711C FC62 F88B C243 DE32 DC0B C28A 3F62 2610
+uptime 0
+bandwidth 1073741824 1073741824 0
+extra-info-digest 9E12278D6CF7608071FE98CE9DCEE48FA264518A
+caches-extra-info
+onion-key
+-----BEGIN RSA PUBLIC KEY-----
+MIGJAoGBAPbyUrorqoXMW4oezqd307ZGxgobqvQs2nb3TdQyWrwsHtJmS3utdrJS
+xJUZPNHOQ2hrDWW1VvevYqRTGeXGZr9TDZ3+t/gVUttqYRhuzzgEKVAZSsTo5ctO
+QNHnzJ6Xx/w/trhWqPTeJ7R0TCyAbWW7aE3KaKdwvZilRZp/oRUnAgMBAAE=
+-----END RSA PUBLIC KEY-----
+signing-key
+-----BEGIN RSA PUBLIC KEY-----
+MIGJAoGBALwOJ7XZHBnjJEuwF3Os6eashNbTH9YnH8TBZBdKgu3iFJYqDslcMIPX
+gWCJ9apPHyh1+/8OLRWeEYlwoZzgGi0rjm/+BNeOOmJbjfyjk97DuB9/2O5zr1BM
+CvOHqQSzMD+vz1ebvfM039a2mO8lXruUFPZQaFVxk8371XP2khqhAgMBAAE=
+-----END RSA PUBLIC KEY-----
+hidden-service-dir
+contact auth1@test.test
+ntor-onion-key t5bI1ksTdigOksMKRHUDwx/34ajEvDN1IpArOxIEWgk=
+reject *:*
+router-signature
+-----BEGIN SIGNATURE-----
+KtMW7A/pzu+np6aKJSy6d7drIb4yjz8SPCo+oQNxj2IqNHJir2O2nWu69xy+K0c1
+RL05KkcDaYzr5hC80FD1H+sTpGYD28SPkQkzPw+0pReSDl93pVXh0rU6Cdcm75FC
+t0UZzDt4TsMuFB0ZYpM3phKcQPpiDG6aR0LskL/YUvY=
+-----END SIGNATURE-----
+@uploaded-at 2014-06-08 19:20:11
+@source "127.0.0.1"
+router test004r 127.0.0.1 5004 0 7004
+platform Tor 0.2.5.3-alpha-dev on Linux
+protocols Link 1 2 Circuit 1
+published 2014-06-08 19:20:10
+fingerprint CC6A 48BD 52BD 9A2C 6670 5863 AC31 AE17 6E63 8B02
+uptime 0
+bandwidth 1073741824 1073741824 0
+extra-info-digest B5CC249CEF394B5AFCA0C77FA7D5605615FA487C
+onion-key
+-----BEGIN RSA PUBLIC KEY-----
+MIGJAoGBAMze36Hupy7HACcF3TMv5mJuZbx3d3cS0WYLl6vTeChBgpS5CEXq6zIu
+d31YmtUcxH6fOjDOudhbnXuoh1nH4CP+LocVHAdlGG1giAm7u8yZudVvVJiIqFgQ
+wVDcWx8LbGCi5P9J/ZPKAIVsSyS7xkOqHjz3VMo/uYLbQCFAwfkdAgMBAAE=
+-----END RSA PUBLIC KEY-----
+signing-key
+-----BEGIN RSA PUBLIC KEY-----
+MIGJAoGBAM/qGP365x6bH+ug7rKVy7V5lC9Ff2Jfk0wlTFIzzwn+DMSG6xDvulKe
+wcIzgGNdQu7qlKlQUif3GPMr0KSS32cRsmoRQJcsm9+lGUK871NyZ8AyrHT+LhyF
+cs718P0iN5yKF2FikNr727kEANCzvC1l9eP4qF5GGzsNtglbJ7bTAgMBAAE=
+-----END RSA PUBLIC KEY-----
+hidden-service-dir
+ntor-onion-key a9Pavqnx7DFhMWUO0d17qF9Py8+iie4FnxTHaTgfIXY=
+reject *:25
+reject *:119
+reject *:135-139
+reject *:445
+reject *:563
+reject *:1214
+reject *:4661-4666
+reject *:6346-6429
+reject *:6699
+reject *:6881-6999
+accept *:*
+router-signature
+-----BEGIN SIGNATURE-----
+HVW7kjBgEt+Qdvcrq+NQE1F9B8uV9D38KA2Bp6cYHLWCxL6N4GS8JQqbOEtnqaj7
+Vxrv7uy1Fzb15Zr+1sUVMxNv+LLRfr+JzfETMNYVkYDrNgr1cAAVEQzFWbIziond
+xMFp64yjEW9/I+82lb5GBZEiKdEd4QqWMmQosoYMTM8=
+-----END SIGNATURE-----
+@uploaded-at 2014-06-08 19:20:12
+@source "127.0.0.1"
+router test002a 127.0.0.1 5002 0 7002
+platform Tor 0.2.5.3-alpha-dev on Linux
+protocols Link 1 2 Circuit 1
+published 2014-06-08 19:20:11
+fingerprint 29C7 BBB6 C437 32D5 BDF1 5671 F5C5 F1FB 6E36 4B47
+uptime 0
+bandwidth 1073741824 1073741824 0
+extra-info-digest 9BB181EA86E0130680C3CC04AD7DE4C341ADC2C7
+caches-extra-info
+onion-key
+-----BEGIN RSA PUBLIC KEY-----
+MIGJAoGBALNH19oF8Ajf+djlH/g7L+enFBf5Wwjmf3bPwNKWZ9G+B+Lg8SpfhZiw
+rUqi7h21f45BV/dN05dK6leWD8rj1T9kuM9TKBOEZxIWeq7zbXihyu4XPxP4FNTS
++0G7BhdP4biALENmeyLhUCZaw5Ic/jFkHT4gV9S0iVZiEDwC9twXAgMBAAE=
+-----END RSA PUBLIC KEY-----
+signing-key
+-----BEGIN RSA PUBLIC KEY-----
+MIGJAoGBALeyQGMQBHgTxpO/i30uHjflTm9MNi3ZBNcOKpvBXWYgY42qTqOZ7Uam
+c5pmZhTLrQ1W8XlGDw8Cl8ktZ0ylodLZyUNajBtJvSFWTb8iwdZsshW6Ahb8TyfI
+Y7MwTlQ/7xw4mj1NEaui6bwGgEZUs18RTqhDrUc2Mcj1Yf61Rq+7AgMBAAE=
+-----END RSA PUBLIC KEY-----
+hidden-service-dir
+contact auth2@test.test
+ntor-onion-key ukR41RjtiZ69KO0SrFTvL0LoZK/ZTT01FQWmCXTCUlE=
+reject *:*
+router-signature
+-----BEGIN SIGNATURE-----
+IY2s/RY4tdahrgfGG+vW7lOvpfofoxxSo7guGpSKGxVApiroCQtumoYifnnJ88G2
+K4IbxwEO8pgO8fnz1mibblUWw2vdDNjCifc1wtXJUE+ONA0UcLRlfQ94GbL8h2PG
+72z6i1+NN0QahXMk7MUbzI7bOXTJOiO8e2Zjk9vRnxI=
+-----END SIGNATURE-----
+@uploaded-at 2014-06-08 19:20:12
+@source "127.0.0.1"
+router test006r 127.0.0.1 5006 0 7006
+platform Tor 0.2.5.3-alpha-dev on Linux
+protocols Link 1 2 Circuit 1
+published 2014-06-08 19:20:11
+fingerprint 829B 3FAA A42B 605A EB0B F380 8F32 8ED1 73E7 0D25
+uptime 0
+bandwidth 1073741824 1073741824 0
+extra-info-digest 7ECB757002EB9B5838B13AE6F2357A5E585131B8
+onion-key
+-----BEGIN RSA PUBLIC KEY-----
+MIGJAoGBALsNBChcLVndlS4HNXL3hxBJVgXctATz6yXcJt3bkDB5cjv7Q9fqN3Ue
+j3SI1OUBx4YrLcSLD/hELHVilLrrfbaraAFfAsydlRLjTVcMRx5FFlDd0E7TAadc
+71CkTipNnjwqz1mTRKkEFeepnh/JaFDidY9ER1rMBA5JRyBvqrD9AgMBAAE=
+-----END RSA PUBLIC KEY-----
+signing-key
+-----BEGIN RSA PUBLIC KEY-----
+MIGJAoGBAPgipA8yLj1kqrMlAH7cK7IQEdmqmfNHGXdkYQ+TKtfLh0zeEIvvh9yh
+k+vKHS+HVoHo3tecB9QjJyDyyJTiETXCupSOY+ebG648JADAvv8v1WiE+KBXtjpl
+qgDTrDj5CwGuY6cvQdej5yg1UAVlMMZSg3thL3tCYtQbOq66lAlnAgMBAAE=
+-----END RSA PUBLIC KEY-----
+hidden-service-dir
+ntor-onion-key q02F3AQsCX7+zXNpfTqBF8O8lusPhRJpQVxOnBvbOwc=
+reject *:25
+reject *:119
+reject *:135-139
+reject *:445
+reject *:563
+reject *:1214
+reject *:4661-4666
+reject *:6346-6429
+reject *:6699
+reject *:6881-6999
+accept *:*
+router-signature
+-----BEGIN SIGNATURE-----
+L1fdgoN/eXgdzIIXO63W4yGoC9lRozMU+T0Fimhd/XFV8qxeUT83Vgf63vxLUHIb
+D4a80Wj7Pm4y5a766qLGXxlz2FYjCdkp070UpgZneB+VifUlFd/bNAjsiYTstBKM
+EI2L0mhl9d/7KK8vgtadHdX1z1u7QjyF6ccnzhfqeiY=
+-----END SIGNATURE-----
+@uploaded-at 2014-06-08 19:20:12
+@source "127.0.0.1"
+router test003r 127.0.0.1 5003 0 7003
+platform Tor 0.2.5.3-alpha-dev on Linux
+protocols Link 1 2 Circuit 1
+published 2014-06-08 19:20:11
+fingerprint 71FD 3A35 F705 8020 D595 B711 D52A 9A0A 99BB B467
+uptime 0
+bandwidth 1073741824 1073741824 0
+extra-info-digest 3796BE0A95B699595445DFD3453CA2074E75BCE8
+onion-key
+-----BEGIN RSA PUBLIC KEY-----
+MIGJAoGBAL44ctIioIfCYFzMTYNfK5qFAPGGUpsAFmS8pThQEY/tJU14+frJDBrC
+BkLvBs05Bw7xOUb0f2geiYGowBA6028smiq5HzTO7Kaga8vfV7AnANPX+n9cfHCr
+/2cMnKkT/GZzpdk0WbUw5Kc/G1ATIPFQHA8gZAi1fsSIDDn3GRV5AgMBAAE=
+-----END RSA PUBLIC KEY-----
+signing-key
+-----BEGIN RSA PUBLIC KEY-----
+MIGJAoGBALlPo5AI1mVTi+194yOSf40caoFlxSTfXt8KjGVa1dO/bpX7L3noOjYg
+goU4Aqim7BHmBWQDE/tZNTrchFoLQFHi9N4pv/0ND3sY904pzqGpe3FeTuU8P9Jg
+q2w3MeO3GwG8CJf4FOdSkgi8UKkJhOld4g4kViQbrFLXfdFvnT/zAgMBAAE=
+-----END RSA PUBLIC KEY-----
+hidden-service-dir
+ntor-onion-key qluYCRrsesOTkavCLnNK6H1ToywyDquCyYeP0h/qol4=
+reject *:25
+reject *:119
+reject *:135-139
+reject *:445
+reject *:563
+reject *:1214
+reject *:4661-4666
+reject *:6346-6429
+reject *:6699
+reject *:6881-6999
+accept *:*
+router-signature
+-----BEGIN SIGNATURE-----
+d09K7rW/OpVzoUpfZXJuJW7a+P4pROCOZTgvDUIy/Nv+EAjcYqv95PlJ8cAMqnn3
+1oQibRmmQwn0OmG5cB8NaZiueaVIRheGzHEM8rndpHn5oFXdFvV7KKjScvfuBbTk
+RYME8XyawRaqsEZnwirDDlZuiZOjdQs8bbGsko3grJE=
+-----END SIGNATURE-----
+@uploaded-at 2014-06-08 19:20:12
+@source "127.0.0.1"
+router test005r 127.0.0.1 5005 0 7005
+platform Tor 0.2.5.3-alpha-dev on Linux
+protocols Link 1 2 Circuit 1
+published 2014-06-08 19:20:11
+fingerprint EB6E 42ED E6BF 5EE0 19F5 EFC1 53AD 094C 1327 7B76
+uptime 0
+bandwidth 1073741824 1073741824 0
+extra-info-digest C031EE4E1AE826C1E3C4E21D81C961869E63F5D2
+onion-key
+-----BEGIN RSA PUBLIC KEY-----
+MIGJAoGBAMd9Fm4KTSjFDzEABPZ1fwBCC2DNgee6nAmlde8FRbCVfcIHRiJyv9YG
+h530yUJal3hBfiWwy/SBA4LDz1flNCEwJm81s3waj4T9c676dAOLPcnOcJM5SbaQ
+hYPDrIZLEZHAk+IoM+avKYYocwCJXwx6WTtsedF0wJBZ9mQAJERJAgMBAAE=
+-----END RSA PUBLIC KEY-----
+signing-key
+-----BEGIN RSA PUBLIC KEY-----
+MIGJAoGBAKT7ldhV43S1CgoER/pU0Rigf0NzcSy25DQJrMRQnNmXnL03Dwuv/Iu7
+dCjgg64odnvSkXHFhkbjGcg8aXikvfbMyZTbsD8NrrP6FS6pfgPgZD9W2TK7QdHI
+QXwx1IYaaJK4nDUNfJhjrclydEdxmHbO1nLG1aS0ypn/G0EBpOSnAgMBAAE=
+-----END RSA PUBLIC KEY-----
+hidden-service-dir
+ntor-onion-key umFmyRPA0dIsi0CFYCbGIPe2+OUkyslTkKKDEohjQQg=
+reject *:25
+reject *:119
+reject *:135-139
+reject *:445
+reject *:563
+reject *:1214
+reject *:4661-4666
+reject *:6346-6429
+reject *:6699
+reject *:6881-6999
+accept *:*
+router-signature
+-----BEGIN SIGNATURE-----
+JiXEbqPgDPWEb9DzCYINRXfmvMIc/IRtvshS8Vmmn7DW67TrTLKCEAnisGo92gMA
+bhxGb9G5Mxq/8YqGoqdI2Vp6tfKlz/9AmjHzFAo01y42gafXIdr1oUS2RimA8jfF
+hwfQkbG0FYEsJrH3EUa8sMhcjsEaohK/kgklMR7OgQY=
+-----END SIGNATURE-----
+@uploaded-at 2014-06-08 19:20:12
+@source "127.0.0.1"
+router test007r 127.0.0.1 5007 0 7007
+platform Tor 0.2.5.3-alpha-dev on Linux
+protocols Link 1 2 Circuit 1
+published 2014-06-08 19:20:11
+fingerprint DABD 2AAF 8C9F 3B71 7839 9C08 DCD8 CD9D 341D 0002
+uptime 0
+bandwidth 1073741824 1073741824 0
+extra-info-digest F80104A0DFFB4EB429325D41D1F71E5BF8C6C726
+onion-key
+-----BEGIN RSA PUBLIC KEY-----
+MIGJAoGBAL42fYAriR/JeB/9NpVq5Y5EEHca+ugIpaSdRfbopWDtFjXLEk2jmO5A
+KoAGIkTKDr7e9101x63H+0Nh/7w3uYs/WqTXEH8/1sHwe+0PY2HL0S6qhlOo6X54
+EfK0nDDBAWFOpyiAMHRk8JVikKb56+FVIhCJgi1RIbLIiUQK2/kxAgMBAAE=
+-----END RSA PUBLIC KEY-----
+signing-key
+-----BEGIN RSA PUBLIC KEY-----
+MIGJAoGBAKQj2U5hmB68V6NQBqD8DfIkJjovvM8t6nGfYpkT8ORsROnmgI5mjM38
+cmh5GIjY9RgoOWolLmsWQ4SXtS0FvrPft1M61UMTSHzlrEeuod5KenV7vGlX2TxT
+0DoA5TL9yY7CmxCk8CNRCtN/g7WocgIiP4KCIiEZ4VE6LIb6sxUnAgMBAAE=
+-----END RSA PUBLIC KEY-----
+hidden-service-dir
+ntor-onion-key 1UBS8rTlL39u9YxRJWhz+GTG1dS15VRi4au1i5qZOyI=
+reject *:25
+reject *:119
+reject *:135-139
+reject *:445
+reject *:563
+reject *:1214
+reject *:4661-4666
+reject *:6346-6429
+reject *:6699
+reject *:6881-6999
+accept *:*
+router-signature
+-----BEGIN SIGNATURE-----
+m7xHh+XPdLN+qcMLz1dBAEAmcdCFrtdseMHCc0FyAP2kXdayxqe3o2IOOHN++bTH
+Y5iHsZembsIJJ+D/d0YEKWKh42TUWCXBu0Gbfc4OcNuR6PFlTWO2wk7rDT3HOiFr
+pe3wJqZYkLxlBDamROAlMMRe71iag89H/4EulC18opw=
+-----END SIGNATURE-----

src/test/test_entrynodes.c

@@ -0,0 +1,574 @@
+/* Copyright (c) 2014, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+#include "orconfig.h"
+
+#define STATEFILE_PRIVATE
+#define ENTRYNODES_PRIVATE
+#define ROUTERLIST_PRIVATE
+
+#include "or.h"
+#include "test.h"
+#include "entrynodes.h"
+#include "routerparse.h"
+#include "nodelist.h"
+#include "util.h"
+#include "routerlist.h"
+#include "routerset.h"
+#include "statefile.h"
+#include "config.h"
+
+/* TODO:
+ * choose_random_entry() test with state set.
+ *
+ * parse_state() tests with more than one guards.
+ *
+ * More tests for set_from_config(): Multiple nodes, use fingerprints,
+ *                                   use country codes.
+ */
+
+/** Dummy Tor state used in unittests. */
+static or_state_t *dummy_state = NULL;
+static or_state_t *
+get_or_state_replacement(void)
+{
+  return dummy_state;
+}
+
+/* NOP replacement for router_descriptor_is_older_than() */
+static int
+router_descriptor_is_older_than_replacement(const routerinfo_t *router,
+                                            int seconds)
+{
+  (void) router;
+  (void) seconds;
+  return 0;
+}
+
+/* Number of descriptors contained in test_descriptors.txt. */
+#define NUMBER_OF_DESCRIPTORS 8
+
+/** Parse a file containing router descriptors and load them to our
+    routerlist. This function is used to setup an artificial network
+    so that we can conduct entry guard tests. */
+static void
+setup_fake_routerlist(const char *fname)
+{
+  int retval;
+  char *contents = NULL;
+  struct stat st;
+  routerlist_t *our_routerlist = NULL;
+  smartlist_t *our_nodelist = NULL;
+
+  /* Read the file that contains our test descriptors. */
+  test_assert(file_status(fname) == FN_FILE);
+  contents = read_file_to_str(fname, RFTS_BIN|RFTS_IGNORE_MISSING, &st);
+  test_assert(contents);
+
+  /* We need to mock this function otherwise the descriptors will not
+     accepted as they are too old. */
+  MOCK(router_descriptor_is_older_than,
+       router_descriptor_is_older_than_replacement);
+
+  /* Load all the test descriptors to the routerlist. */
+  retval = router_load_routers_from_string(contents, NULL, SAVED_IN_JOURNAL,
+                                           NULL, 0, NULL);
+  tt_int_op(retval, ==, NUMBER_OF_DESCRIPTORS);
+
+  /* Sanity checking of routerlist and nodelist. */
+  our_routerlist = router_get_routerlist();
+  tt_int_op(smartlist_len(our_routerlist->routers), ==, NUMBER_OF_DESCRIPTORS);
+  routerlist_assert_ok(our_routerlist);
+
+  our_nodelist = nodelist_get_list();
+  tt_int_op(smartlist_len(our_nodelist), ==, NUMBER_OF_DESCRIPTORS);
+
+  /* Mark all routers as non-guards but up and running! */
+  SMARTLIST_FOREACH_BEGIN(our_nodelist, node_t *, node) {
+    node->is_running = 1;
+    node->is_valid = 1;
+    node->is_possible_guard = 0;
+  } SMARTLIST_FOREACH_END(node);
+
+ done:
+  UNMOCK(router_descriptor_is_older_than);
+  tor_free(contents);
+}
+
+/* Unittest cleanup function: Cleanup the fake network. */
+static int
+fake_network_cleanup(const struct testcase_t *testcase, void *ptr)
+{
+  (void) testcase;
+  (void) ptr;
+
+  routerlist_free_all();
+  nodelist_free_all();
+  entry_guards_free_all();
+  or_state_free(dummy_state);
+
+  return 1; /* NOP */
+}
+
+/* Unittest setup function: Setup a fake network. */
+static void *
+fake_network_setup(const struct testcase_t *testcase)
+{
+  /* This is the file containing our test descriptors. */
+  const char *fname = BUILDDIR "/src/test/test_descriptors.txt";
+
+  (void) testcase;
+
+  /* Setup fake state */
+  dummy_state = tor_malloc_zero(sizeof(or_state_t));
+  MOCK(get_or_state,
+       get_or_state_replacement);
+
+  /* Setup fake routerlist. */
+  setup_fake_routerlist(fname);
+
+  /* Return anything but NULL (it's interpreted as test fail) */
+  return dummy_state;
+}
+
+/** Test choose_random_entry() with none of our routers being guard nodes. */
+static void
+test_choose_random_entry_no_guards(void *arg)
+{
+  const node_t *chosen_entry = NULL;
+
+  (void) arg;
+
+  /* Try to pick an entry even though none of our routers are guards. */
+  chosen_entry = choose_random_entry(NULL);
+
+  /* Unintuitively, we actually pick a random node as our entry,
+     because router_choose_random_node() relaxes its constraints if it
+     can't find a proper entry guard. */
+  test_assert(chosen_entry);
+
+ done:
+  ;
+}
+
+/** Test choose_random_entry() with only one of our routers being a
+    guard node. */
+static void
+test_choose_random_entry_one_possible_guard(void *arg)
+{
+  const node_t *chosen_entry = NULL;
+  node_t *the_guard = NULL;
+  smartlist_t *our_nodelist = NULL;
+
+  (void) arg;
+
+  /* Set one of the nodes to be a guard. */
+  our_nodelist = nodelist_get_list();
+  the_guard = smartlist_get(our_nodelist, 4); /* chosen by fair dice roll */
+  the_guard->is_possible_guard = 1;
+
+  /* Pick an entry. Make sure we pick the node we marked as guard. */
+  chosen_entry = choose_random_entry(NULL);
+  tt_ptr_op(chosen_entry, ==, the_guard);
+
+ done:
+  ;
+}
+
+/** Helper to conduct tests for populate_live_entry_guards().
+
+   This test adds some entry guards to our list, and then tests
+   populate_live_entry_guards() to mke sure it filters them correctly.
+
+   <b>num_needed</b> is the number of guard nodes we support. It's
+   configurable to make sure we function properly with 1 or 3 guard
+   nodes configured.
+*/
+static void
+populate_live_entry_guards_test_helper(int num_needed)
+{
+  smartlist_t *our_nodelist = NULL;
+  smartlist_t *live_entry_guards = smartlist_new();
+  const smartlist_t *all_entry_guards = get_entry_guards();
+  or_options_t *options = get_options_mutable();
+  int retval;
+
+  /* Set NumEntryGuards to the provided number. */
+  options->NumEntryGuards = num_needed;
+  tt_int_op(num_needed, ==, decide_num_guards(options, 0));
+
+  /* The global entry guards smartlist should be empty now. */
+  tt_int_op(smartlist_len(all_entry_guards), ==, 0);
+
+  /* Walk the nodelist and add all nodes as entry guards. */
+  our_nodelist = nodelist_get_list();
+  tt_int_op(smartlist_len(our_nodelist), ==, NUMBER_OF_DESCRIPTORS);
+
+  SMARTLIST_FOREACH_BEGIN(our_nodelist, const node_t *, node) {
+    const node_t *node_tmp;
+    node_tmp = add_an_entry_guard(node, 0, 1, 0, 0);
+    test_assert(node_tmp);
+  } SMARTLIST_FOREACH_END(node);
+
+  /* Make sure the nodes were added as entry guards. */
+  tt_int_op(smartlist_len(all_entry_guards), ==, NUMBER_OF_DESCRIPTORS);
+
+  /* Ensure that all the possible entry guards are enough to satisfy us. */
+  tt_int_op(smartlist_len(all_entry_guards), >=, num_needed);
+
+  /* Walk the entry guard list for some sanity checking */
+  SMARTLIST_FOREACH_BEGIN(all_entry_guards, const entry_guard_t *, entry) {
+    /* Since we called add_an_entry_guard() with 'for_discovery' being
+       False, all guards should have made_contact enabled. */
+    tt_int_op(entry->made_contact, ==, 1);
+
+    /* Since we don't have a routerstatus, all of the entry guards are
+       not directory servers. */
+    tt_int_op(entry->is_dir_cache, ==, 0);
+  } SMARTLIST_FOREACH_END(entry);
+
+  /* First, try to get some fast guards. This should fail. */
+  retval = populate_live_entry_guards(live_entry_guards,
+                                      all_entry_guards,
+                                      NULL,
+                                      NO_DIRINFO, /* Don't care about DIRINFO*/
+                                      0, 0,
+                                      1); /* We want fast guard! */
+  tt_int_op(retval, ==, 0);
+  tt_int_op(smartlist_len(live_entry_guards), ==, 0);
+
+  /* Now try to get some stable guards. This should fail too. */
+  retval = populate_live_entry_guards(live_entry_guards,
+                                      all_entry_guards,
+                                      NULL,
+                                      NO_DIRINFO,
+                                      0,
+                                      1, /* We want stable guard! */
+                                      0);
+  tt_int_op(retval, ==, 0);
+  tt_int_op(smartlist_len(live_entry_guards), ==, 0);
+
+  /* Now try to get any guard we can find. This should succeed. */
+  retval = populate_live_entry_guards(live_entry_guards,
+                                      all_entry_guards,
+                                      NULL,
+                                      NO_DIRINFO,
+                                      0, 0, 0); /* No restrictions! */
+
+  /* Since we had more than enough guards in 'all_entry_guards', we
+     should have added 'num_needed' of them to live_entry_guards.
+     'retval' should be 1 since we now have enough live entry guards
+     to pick one.  */
+  tt_int_op(retval, ==, 1);
+  tt_int_op(smartlist_len(live_entry_guards), ==, num_needed);
+
+ done:
+  smartlist_free(live_entry_guards);
+}
+
+/* Test populate_live_entry_guards() for 1 guard node. */
+static void
+test_populate_live_entry_guards_1guard(void *arg)
+{
+  (void) arg;
+
+  populate_live_entry_guards_test_helper(1);
+}
+
+/* Test populate_live_entry_guards() for 3 guard nodes. */
+static void
+test_populate_live_entry_guards_3guards(void *arg)
+{
+  (void) arg;
+
+  populate_live_entry_guards_test_helper(3);
+}
+
+/** Append some EntryGuard lines to the Tor state at <b>state</b>.
+
+   <b>entry_guard_lines</b> is a smartlist containing 2-tuple
+   smartlists that carry the key and values of the statefile.
+   As an example:
+   entry_guard_lines =
+     (("EntryGuard", "name 67E72FF33D7D41BF11C569646A0A7B4B188340DF DirCache"),
+      ("EntryGuardDownSince", "2014-06-07 16:02:46 2014-06-07 16:02:46"))
+*/
+static void
+state_insert_entry_guard_helper(or_state_t *state,
+                                smartlist_t *entry_guard_lines)
+{
+  config_line_t **next, *line;
+
+  next = &state->EntryGuards;
+  *next = NULL;
+
+  /* Loop over all the state lines in the smartlist */
+  SMARTLIST_FOREACH_BEGIN(entry_guard_lines, const smartlist_t *,state_lines) {
+    /* Get key and value for each line */
+    const char *state_key = smartlist_get(state_lines, 0);
+    const char *state_value = smartlist_get(state_lines, 1);
+
+    *next = line = tor_malloc_zero(sizeof(config_line_t));
+    line->key = tor_strdup(state_key);
+    tor_asprintf(&line->value, "%s", state_value);
+    next = &(line->next);
+  } SMARTLIST_FOREACH_END(state_lines);
+}
+
+/** Free memory occupied by <b>entry_guard_lines</b>. */
+static void
+state_lines_free(smartlist_t *entry_guard_lines)
+{
+  SMARTLIST_FOREACH_BEGIN(entry_guard_lines, smartlist_t *, state_lines) {
+    char *state_key = smartlist_get(state_lines, 0);
+    char *state_value = smartlist_get(state_lines, 1);
+
+    tor_free(state_key);
+    tor_free(state_value);
+    smartlist_free(state_lines);
+  } SMARTLIST_FOREACH_END(state_lines);
+
+  smartlist_free(entry_guard_lines);
+}
+
+/* Tests entry_guards_parse_state(). It creates a fake Tor state with
+   a saved entry guard and makes sure that Tor can parse it and
+   creates the right entry node out of it.
+*/
+static void
+test_entry_guards_parse_state_simple(void *arg)
+{
+  or_state_t *state = or_state_new();
+  const smartlist_t *all_entry_guards = get_entry_guards();
+  smartlist_t *entry_state_lines = smartlist_new();
+  char *msg = NULL;
+  int retval;
+
+  /* Details of our fake guard node */
+  const char *nickname = "hagbard";
+  const char *fpr = "B29D536DD1752D542E1FBB3C9CE4449D51298212";
+  const char *tor_version = "0.2.5.3-alpha-dev";
+  const char *added_at = "2014-05-22 02:40:47";
+  const char *unlisted_since = "2014-06-08 16:16:50";
+
+  (void) arg;
+
+  /* The global entry guards smartlist should be empty now. */
+  tt_int_op(smartlist_len(all_entry_guards), ==, 0);
+
+  { /* Prepare the state entry */
+
+    /* Prepare the smartlist to hold the key/value of each line */
+    smartlist_t *state_line = smartlist_new();
+    smartlist_add_asprintf(state_line, "EntryGuard");
+    smartlist_add_asprintf(state_line, "%s %s %s", nickname, fpr, "DirCache");
+    smartlist_add(entry_state_lines, state_line);
+
+    state_line = smartlist_new();
+    smartlist_add_asprintf(state_line, "EntryGuardAddedBy");
+    smartlist_add_asprintf(state_line, "%s %s %s", fpr, tor_version, added_at);
+    smartlist_add(entry_state_lines, state_line);
+
+    state_line = smartlist_new();
+    smartlist_add_asprintf(state_line, "EntryGuardUnlistedSince");
+    smartlist_add_asprintf(state_line, "%s", unlisted_since);
+    smartlist_add(entry_state_lines, state_line);
+  }
+
+  /* Inject our lines in the state */
+  state_insert_entry_guard_helper(state, entry_state_lines);
+
+  /* Parse state */
+  retval = entry_guards_parse_state(state, 1, &msg);
+  tt_int_op(retval, >=, 0);
+
+  /* Test that the guard was registered.
+     We need to re-get the entry guard list since its pointer was
+     overwritten in entry_guards_parse_state(). */
+  all_entry_guards = get_entry_guards();
+  tt_int_op(smartlist_len(all_entry_guards), ==, 1);
+
+  { /* Test the entry guard structure */
+    char hex_digest[1024];
+    char str_time[1024];
+
+    const entry_guard_t *e = smartlist_get(all_entry_guards, 0);
+    tt_str_op(e->nickname, ==, nickname); /* Verify nickname */
+
+    base16_encode(hex_digest, sizeof(hex_digest),
+                  e->identity, DIGEST_LEN);
+    tt_str_op(hex_digest, ==, fpr); /* Verify fingerprint */
+
+    tt_assert(e->is_dir_cache); /* Verify dirness */
+
+    tt_str_op(e->chosen_by_version, ==, tor_version); /* Verify tor version */
+
+    tt_assert(e->made_contact); /* All saved guards have been contacted */
+
+    tt_assert(e->bad_since); /* Verify bad_since timestamp */
+    format_iso_time(str_time, e->bad_since);
+    tt_str_op(str_time, ==, unlisted_since);
+
+    /* The rest should be unset */
+    tt_assert(!e->unreachable_since);
+    tt_assert(!e->can_retry);
+    tt_assert(!e->path_bias_noticed);
+    tt_assert(!e->path_bias_warned);
+    tt_assert(!e->path_bias_extreme);
+    tt_assert(!e->path_bias_disabled);
+    tt_assert(!e->path_bias_use_noticed);
+    tt_assert(!e->path_bias_use_extreme);
+    tt_assert(!e->last_attempted);
+  }
+
+ done:
+  state_lines_free(entry_state_lines);
+  or_state_free(state);
+}
+
+/** Similar to test_entry_guards_parse_state_simple() but aims to test
+    the PathBias-related details of the entry guard. */
+static void
+test_entry_guards_parse_state_pathbias(void *arg)
+{
+  or_state_t *state = or_state_new();
+  const smartlist_t *all_entry_guards = get_entry_guards();
+  char *msg = NULL;
+  int retval;
+  smartlist_t *entry_state_lines = smartlist_new();
+
+  /* Path bias details of the fake guard */
+  const double circ_attempts = 9;
+  const double circ_successes = 8;
+  const double successful_closed = 4;
+  const double collapsed = 2;
+  const double unusable = 0;
+  const double timeouts = 1;
+
+  (void) arg;
+
+  /* The global entry guards smartlist should be empty now. */
+  tt_int_op(smartlist_len(all_entry_guards), ==, 0);
+
+  { /* Prepare the state entry */
+
+    /* Prepare the smartlist to hold the key/value of each line */
+    smartlist_t *state_line = smartlist_new();
+    smartlist_add_asprintf(state_line, "EntryGuard");
+    smartlist_add_asprintf(state_line,
+             "givethanks B29D536DD1752D542E1FBB3C9CE4449D51298212 NoDirCache");
+    smartlist_add(entry_state_lines, state_line);
+
+    state_line = smartlist_new();
+    smartlist_add_asprintf(state_line, "EntryGuardAddedBy");
+    smartlist_add_asprintf(state_line,
+      "B29D536DD1752D542E1FBB3C9CE4449D51298212 0.2.5.3-alpha-dev "
+      "2014-05-22 02:40:47");
+    smartlist_add(entry_state_lines, state_line);
+
+    state_line = smartlist_new();
+    smartlist_add_asprintf(state_line, "EntryGuardUnlistedSince");
+    smartlist_add_asprintf(state_line, "2014-06-08 16:16:50");
+    smartlist_add(entry_state_lines, state_line);
+
+    state_line = smartlist_new();
+    smartlist_add_asprintf(state_line, "EntryGuardPathBias");
+    smartlist_add_asprintf(state_line, "%f %f %f %f %f %f",
+                           circ_attempts, circ_successes, successful_closed,
+                           collapsed, unusable, timeouts);
+    smartlist_add(entry_state_lines, state_line);
+  }
+
+  /* Inject our lines in the state */
+  state_insert_entry_guard_helper(state, entry_state_lines);
+
+  /* Parse state */
+  retval = entry_guards_parse_state(state, 1, &msg);
+  tt_int_op(retval, >=, 0);
+
+  /* Test that the guard was registered */
+  all_entry_guards = get_entry_guards();
+  tt_int_op(smartlist_len(all_entry_guards), ==, 1);
+
+  { /* Test the path bias of this guard */
+    const entry_guard_t *e = smartlist_get(all_entry_guards, 0);
+
+    tt_assert(!e->is_dir_cache);
+    tt_assert(!e->can_retry);
+
+    /* XXX tt_double_op doesn't support equality. Cast to int for now. */
+    tt_int_op((int)e->circ_attempts, ==, (int)circ_attempts);
+    tt_int_op((int)e->circ_successes, ==, (int)circ_successes);
+    tt_int_op((int)e->successful_circuits_closed, ==, (int)successful_closed);
+    tt_int_op((int)e->timeouts, ==, (int)timeouts);
+    tt_int_op((int)e->collapsed_circuits, ==, (int)collapsed);
+    tt_int_op((int)e->unusable_circuits, ==, (int)unusable);
+  }
+
+ done:
+  or_state_free(state);
+  state_lines_free(entry_state_lines);
+}
+
+/* Simple test of entry_guards_set_from_config() by specifying a
+   particular EntryNode and making sure it gets picked. */
+static void
+test_entry_guards_set_from_config(void *arg)
+{
+  or_options_t *options = get_options_mutable();
+  const smartlist_t *all_entry_guards = get_entry_guards();
+  const char *entrynodes_str = "test003r";
+  const node_t *chosen_entry = NULL;
+  int retval;
+
+  (void) arg;
+
+  /* Prase EntryNodes as a routerset. */
+  options->EntryNodes = routerset_new();
+  retval = routerset_parse(options->EntryNodes,
+                           entrynodes_str,
+                           "test_entrynodes");
+  tt_int_op(retval, >=, 0);
+
+  /* Read nodes from EntryNodes */
+  entry_guards_set_from_config(options);
+
+  /* Test that only one guard was added. */
+  tt_int_op(smartlist_len(all_entry_guards), ==, 1);
+
+  /* Make sure it was the guard we specified. */
+  chosen_entry = choose_random_entry(NULL);
+  tt_str_op(chosen_entry->ri->nickname, ==, entrynodes_str);
+
+ done:
+  routerset_free(options->EntryNodes);
+}
+
+static const struct testcase_setup_t fake_network = {
+  fake_network_setup, fake_network_cleanup
+};
+
+struct testcase_t entrynodes_tests[] = {
+  { "choose_random_entry_no_guards", test_choose_random_entry_no_guards,
+    TT_FORK, &fake_network, NULL },
+  { "choose_random_entry_one_possibleguard",
+    test_choose_random_entry_one_possible_guard,
+    TT_FORK, &fake_network, NULL },
+  { "populate_live_entry_guards_1guard",
+    test_populate_live_entry_guards_1guard,
+    TT_FORK, &fake_network, NULL },
+  { "populate_live_entry_guards_3guards",
+    test_populate_live_entry_guards_3guards,
+    TT_FORK, &fake_network, NULL },
+  { "entry_guards_parse_state_simple",
+    test_entry_guards_parse_state_simple,
+    TT_FORK, &fake_network, NULL },
+  { "entry_guards_parse_state_pathbias",
+    test_entry_guards_parse_state_pathbias,
+    TT_FORK, &fake_network, NULL },
+  { "entry_guards_set_from_config",
+    test_entry_guards_set_from_config,
+    TT_FORK, &fake_network, NULL },
+  END_OF_TESTCASES
+};
+