test_dos.c (20772B)
1 /* Copyright (c) 2018-2021, The Tor Project, Inc. */ 2 /* See LICENSE for licensing information */ 3 4 #define DOS_PRIVATE 5 #define CHANNEL_OBJECT_PRIVATE 6 #define CIRCUITLIST_PRIVATE 7 8 #include "core/or/or.h" 9 #include "core/or/dos.h" 10 #include "core/or/circuitlist.h" 11 #include "lib/crypt_ops/crypto_rand.h" 12 #include "lib/time/compat_time.h" 13 #include "feature/stats/geoip_stats.h" 14 #include "core/or/channel.h" 15 #include "feature/nodelist/microdesc.h" 16 #include "feature/nodelist/networkstatus.h" 17 #include "feature/nodelist/nodelist.h" 18 #include "feature/nodelist/routerlist.h" 19 20 #include "feature/nodelist/networkstatus_st.h" 21 #include "core/or/or_connection_st.h" 22 #include "feature/nodelist/routerstatus_st.h" 23 24 #include "test/test.h" 25 #include "test/log_test_helpers.h" 26 27 static const uint64_t BILLION = 1000000000; 28 29 static networkstatus_t *dummy_ns = NULL; 30 static networkstatus_t * 31 mock_networkstatus_get_latest_consensus(void) 32 { 33 return dummy_ns; 34 } 35 36 static networkstatus_t * 37 mock_networkstatus_get_latest_consensus_by_flavor(consensus_flavor_t f) 38 { 39 tor_assert(f == FLAV_MICRODESC); 40 return dummy_ns; 41 } 42 43 /* Number of address a single node_t can have. Default to the production 44 * value. This is to control the size of the bloom filter. */ 45 static int addr_per_node = 2; 46 static int 47 mock_get_estimated_address_per_node(void) 48 { 49 return addr_per_node; 50 } 51 52 static unsigned int 53 mock_enable_dos_protection(const networkstatus_t *ns) 54 { 55 (void) ns; 56 return 1; 57 } 58 59 /** Test that the connection tracker of the DoS subsystem will block clients 60 * who try to establish too many connections */ 61 static void 62 test_dos_conn_creation(void *arg) 63 { 64 uint64_t monotime_now = 0xfffffffe; 65 66 (void) arg; 67 68 monotime_enable_test_mocking(); 69 monotime_coarse_set_mock_time_nsec(monotime_now); 70 MOCK(get_param_cc_enabled, mock_enable_dos_protection); 71 MOCK(get_param_conn_enabled, mock_enable_dos_protection); 72 73 /* Initialize test data */ 74 or_connection_t or_conn; 75 memset(&or_conn, 0, sizeof or_conn); 76 time_t wallclock_now = 1281533250; /* 2010-08-11 13:27:30 UTC */ 77 tt_int_op(AF_INET,OP_EQ, tor_addr_parse(&TO_CONN(&or_conn)->addr, 78 "18.0.0.1")); 79 tor_addr_t *addr = &TO_CONN(&or_conn)->addr; 80 81 /* Get DoS subsystem limits */ 82 dos_init(); 83 uint32_t max_concurrent_conns = get_param_conn_max_concurrent_count(NULL); 84 85 /* Introduce new client */ 86 geoip_note_client_seen(GEOIP_CLIENT_CONNECT, addr, NULL, wallclock_now); 87 { /* Register many conns from this client but not enough to get it blocked */ 88 unsigned int i; 89 for (i = 0; i < max_concurrent_conns; i++) { 90 /* Don't trigger the connect() rate limitation so advance the clock 1 91 * second for each connection. */ 92 monotime_coarse_set_mock_time_nsec(monotime_now += BILLION); 93 update_approx_time(++wallclock_now); 94 or_conn.tracked_for_dos_mitigation = 0; 95 dos_new_client_conn(&or_conn, NULL); 96 } 97 } 98 99 /* Check that new conns are still permitted */ 100 tt_int_op(DOS_CONN_DEFENSE_NONE, OP_EQ, 101 dos_conn_addr_get_defense_type(addr)); 102 103 /* Register another conn and check that new conns are not allowed anymore */ 104 or_conn.tracked_for_dos_mitigation = 0; 105 dos_new_client_conn(&or_conn, NULL); 106 tt_int_op(DOS_CONN_DEFENSE_CLOSE, OP_EQ, 107 dos_conn_addr_get_defense_type(addr)); 108 109 /* Close a client conn and see that a new conn will be permitted again */ 110 dos_close_client_conn(&or_conn); 111 or_conn.tracked_for_dos_mitigation = 0; 112 tt_int_op(DOS_CONN_DEFENSE_NONE, OP_EQ, 113 dos_conn_addr_get_defense_type(addr)); 114 115 /* Register another conn and see that defense measures get reactivated */ 116 dos_new_client_conn(&or_conn, NULL); 117 tt_int_op(DOS_CONN_DEFENSE_CLOSE, OP_EQ, 118 dos_conn_addr_get_defense_type(addr)); 119 120 done: 121 dos_free_all(); 122 monotime_disable_test_mocking(); 123 } 124 125 /** Helper mock: Place a fake IP addr for this channel in <b>addr_out</b> */ 126 static int 127 mock_channel_get_addr_if_possible(const channel_t *chan, tor_addr_t *addr_out) 128 { 129 (void)chan; 130 tt_int_op(AF_INET,OP_EQ, tor_addr_parse(addr_out, "18.0.0.1")); 131 return 1; 132 133 done: 134 return 0; 135 } 136 137 /** Test that the circuit tracker of the DoS subsystem will block clients who 138 * try to establish too many circuits. */ 139 static void 140 test_dos_circuit_creation(void *arg) 141 { 142 (void) arg; 143 unsigned int i; 144 145 MOCK(get_param_cc_enabled, mock_enable_dos_protection); 146 MOCK(get_param_conn_enabled, mock_enable_dos_protection); 147 MOCK(channel_get_addr_if_possible, 148 mock_channel_get_addr_if_possible); 149 150 /* Initialize channels/conns/circs that will be used */ 151 channel_t *chan = tor_malloc_zero(sizeof(channel_t)); 152 channel_init(chan); 153 chan->is_client = 1; 154 155 /* Initialize test data */ 156 or_connection_t or_conn; 157 memset(&or_conn, 0, sizeof or_conn); 158 time_t now = 1281533250; /* 2010-08-11 13:27:30 UTC */ 159 tt_int_op(AF_INET,OP_EQ, tor_addr_parse(&TO_CONN(&or_conn)->addr, 160 "18.0.0.1")); 161 tor_addr_t *addr = &TO_CONN(&or_conn)->addr; 162 163 /* Get DoS subsystem limits */ 164 dos_init(); 165 uint32_t max_circuit_count = get_param_cc_circuit_burst(NULL); 166 uint32_t min_conc_conns_for_cc = 167 get_param_cc_min_concurrent_connection(NULL); 168 169 /* Introduce new client and establish enough connections to activate the 170 * circuit counting subsystem */ 171 geoip_note_client_seen(GEOIP_CLIENT_CONNECT, addr, NULL, now); 172 for (i = 0; i < min_conc_conns_for_cc ; i++) { 173 or_conn.tracked_for_dos_mitigation = 0; 174 dos_new_client_conn(&or_conn, NULL); 175 } 176 177 /* Register new circuits for this client and conn, but not enough to get 178 * detected as dos */ 179 for (i=0; i < max_circuit_count-1; i++) { 180 dos_cc_new_create_cell(chan); 181 } 182 /* see that we didn't get detected for dosing */ 183 tt_int_op(DOS_CC_DEFENSE_NONE, OP_EQ, dos_cc_get_defense_type(chan)); 184 185 /* Register another CREATE cell that will push us over the limit. Check that 186 * the cell gets refused. */ 187 dos_cc_new_create_cell(chan); 188 tt_int_op(DOS_CC_DEFENSE_REFUSE_CELL, OP_EQ, dos_cc_get_defense_type(chan)); 189 190 /* TODO: Wait a few seconds before sending the cell, and check that the 191 buckets got refilled properly. */ 192 /* TODO: Actually send a Tor cell (instead of calling the DoS function) and 193 * check that it will get refused */ 194 195 done: 196 tor_free(chan); 197 dos_free_all(); 198 } 199 200 /** Test that the DoS subsystem properly refills the circuit token buckets. */ 201 static void 202 test_dos_bucket_refill(void *arg) 203 { 204 (void) arg; 205 int i; 206 /* For this test, this variable is set to the current circ count of the token 207 * bucket. */ 208 uint32_t current_circ_count; 209 210 MOCK(get_param_cc_enabled, mock_enable_dos_protection); 211 MOCK(get_param_conn_enabled, mock_enable_dos_protection); 212 MOCK(channel_get_addr_if_possible, 213 mock_channel_get_addr_if_possible); 214 215 time_t now = 1281533250; /* 2010-08-11 13:27:30 UTC */ 216 update_approx_time(now); 217 218 /* Initialize channels/conns/circs that will be used */ 219 channel_t *chan = tor_malloc_zero(sizeof(channel_t)); 220 channel_init(chan); 221 chan->is_client = 1; 222 or_connection_t or_conn; 223 memset(&or_conn, 0, sizeof or_conn); 224 tt_int_op(AF_INET,OP_EQ, tor_addr_parse(&TO_CONN(&or_conn)->addr, 225 "18.0.0.1")); 226 tor_addr_t *addr = &TO_CONN(&or_conn)->addr; 227 228 /* Initialize DoS subsystem and get relevant limits */ 229 dos_init(); 230 uint32_t max_circuit_count = get_param_cc_circuit_burst(NULL); 231 uint64_t circ_rate = get_circuit_rate_per_second(); 232 /* Check that the circuit rate is a positive number and smaller than the max 233 * circuit count */ 234 tt_u64_op(circ_rate, OP_GT, 1); 235 tt_u64_op(circ_rate, OP_LT, max_circuit_count); 236 237 /* Register this client */ 238 geoip_note_client_seen(GEOIP_CLIENT_CONNECT, addr, NULL, now); 239 dos_new_client_conn(&or_conn, NULL); 240 241 /* Fetch this client from the geoip cache and get its DoS structs */ 242 clientmap_entry_t *entry = geoip_lookup_client(addr, NULL, 243 GEOIP_CLIENT_CONNECT); 244 tt_assert(entry); 245 dos_client_stats_t* dos_stats = &entry->dos_stats; 246 /* Check that the circuit bucket is still uninitialized */ 247 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, 0); 248 249 /* Send a create cell: then check that the circ token bucket got initialized 250 * and one circ was subtracted. */ 251 dos_cc_new_create_cell(chan); 252 current_circ_count = max_circuit_count - 1; 253 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 254 255 /* Now send 29 more CREATEs and ensure that the bucket is missing 30 256 * tokens */ 257 for (i=0; i < 29; i++) { 258 dos_cc_new_create_cell(chan); 259 current_circ_count--; 260 } 261 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 262 263 /* OK! Progress time forward one sec, refill the bucket and check that the 264 * refill happened correctly. */ 265 now += 1; 266 update_approx_time(now); 267 cc_stats_refill_bucket(&dos_stats->cc_stats, addr); 268 /* check refill */ 269 current_circ_count += circ_rate; 270 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 271 272 /* Now send as many CREATE cells as needed to deplete our token bucket 273 * completely */ 274 for (; current_circ_count != 0; current_circ_count--) { 275 dos_cc_new_create_cell(chan); 276 } 277 tt_uint_op(current_circ_count, OP_EQ, 0); 278 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 279 280 /* Now progress time a week forward, and check that the token bucket does not 281 * have more than max_circs allowance, even tho we let it simmer for so 282 * long. */ 283 now += 604800; /* a week */ 284 update_approx_time(now); 285 cc_stats_refill_bucket(&dos_stats->cc_stats, addr); 286 current_circ_count += max_circuit_count; 287 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 288 289 /* Now send as many CREATE cells as needed to deplete our token bucket 290 * completely */ 291 for (; current_circ_count != 0; current_circ_count--) { 292 dos_cc_new_create_cell(chan); 293 } 294 tt_uint_op(current_circ_count, OP_EQ, 0); 295 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 296 297 /* Now use a very large time, and check that the token bucket does not have 298 * more than max_circs allowance, even tho we let it simmer for so long. */ 299 now = INT32_MAX; /* 2038? */ 300 update_approx_time(now); 301 cc_stats_refill_bucket(&dos_stats->cc_stats, addr); 302 current_circ_count += max_circuit_count; 303 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 304 305 /* Now send as many CREATE cells as needed to deplete our token bucket 306 * completely */ 307 for (; current_circ_count != 0; current_circ_count--) { 308 dos_cc_new_create_cell(chan); 309 } 310 tt_uint_op(current_circ_count, OP_EQ, 0); 311 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 312 313 /* Now use a very small time, and check that the token bucket has exactly 314 * the max_circs allowance, because backward clock jumps are rare. */ 315 now = INT32_MIN; /* 19?? */ 316 update_approx_time(now); 317 cc_stats_refill_bucket(&dos_stats->cc_stats, addr); 318 current_circ_count += max_circuit_count; 319 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 320 321 /* Now send as many CREATE cells as needed to deplete our token bucket 322 * completely */ 323 for (; current_circ_count != 0; current_circ_count--) { 324 dos_cc_new_create_cell(chan); 325 } 326 tt_uint_op(current_circ_count, OP_EQ, 0); 327 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 328 329 /* Progress time forward one sec again, refill the bucket and check that the 330 * refill happened correctly. */ 331 now += 1; 332 update_approx_time(now); 333 cc_stats_refill_bucket(&dos_stats->cc_stats, addr); 334 /* check refill */ 335 current_circ_count += circ_rate; 336 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 337 338 /* Now send as many CREATE cells as needed to deplete our token bucket 339 * completely */ 340 for (; current_circ_count != 0; current_circ_count--) { 341 dos_cc_new_create_cell(chan); 342 } 343 tt_uint_op(current_circ_count, OP_EQ, 0); 344 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 345 346 /* Now use a very large time (again), and check that the token bucket does 347 * not have more than max_circs allowance, even tho we let it simmer for so 348 * long. */ 349 now = INT32_MAX; /* 2038? */ 350 update_approx_time(now); 351 cc_stats_refill_bucket(&dos_stats->cc_stats, addr); 352 current_circ_count += max_circuit_count; 353 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 354 355 /* Now send as many CREATE cells as needed to deplete our token bucket 356 * completely */ 357 for (; current_circ_count != 0; current_circ_count--) { 358 dos_cc_new_create_cell(chan); 359 } 360 tt_uint_op(current_circ_count, OP_EQ, 0); 361 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 362 363 /* This code resets the time to zero with 32-bit time_t, which triggers the 364 * code that initialises the bucket. */ 365 #if SIZEOF_TIME_T == 8 366 /* Now use a very very small time, and check that the token bucket has 367 * exactly the max_circs allowance, because backward clock jumps are rare. 368 */ 369 now = (time_t)INT64_MIN; /* ???? */ 370 update_approx_time(now); 371 cc_stats_refill_bucket(&dos_stats->cc_stats, addr); 372 current_circ_count += max_circuit_count; 373 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 374 375 /* Now send as many CREATE cells as needed to deplete our token bucket 376 * completely */ 377 for (; current_circ_count != 0; current_circ_count--) { 378 dos_cc_new_create_cell(chan); 379 } 380 tt_uint_op(current_circ_count, OP_EQ, 0); 381 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 382 383 /* Progress time forward one sec again, refill the bucket and check that the 384 * refill happened correctly. */ 385 now += 1; 386 update_approx_time(now); 387 cc_stats_refill_bucket(&dos_stats->cc_stats, addr); 388 /* check refill */ 389 current_circ_count += circ_rate; 390 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 391 392 /* Now send as many CREATE cells as needed to deplete our token bucket 393 * completely */ 394 for (; current_circ_count != 0; current_circ_count--) { 395 dos_cc_new_create_cell(chan); 396 } 397 tt_uint_op(current_circ_count, OP_EQ, 0); 398 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 399 400 /* Now use a very very small time, and check that the token bucket has 401 * exactly the max_circs allowance, because backward clock jumps are rare. 402 */ 403 now = (time_t)INT64_MIN; /* ???? */ 404 update_approx_time(now); 405 cc_stats_refill_bucket(&dos_stats->cc_stats, addr); 406 current_circ_count += max_circuit_count; 407 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 408 409 /* Now send as many CREATE cells as needed to deplete our token bucket 410 * completely */ 411 for (; current_circ_count != 0; current_circ_count--) { 412 dos_cc_new_create_cell(chan); 413 } 414 tt_uint_op(current_circ_count, OP_EQ, 0); 415 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 416 417 /* Now use a very very large time, and check that the token bucket does not 418 * have more than max_circs allowance, even tho we let it simmer for so 419 * long. */ 420 now = (time_t)INT64_MAX; /* ???? */ 421 update_approx_time(now); 422 cc_stats_refill_bucket(&dos_stats->cc_stats, addr); 423 current_circ_count += max_circuit_count; 424 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 425 426 /* Now send as many CREATE cells as needed to deplete our token bucket 427 * completely */ 428 for (; current_circ_count != 0; current_circ_count--) { 429 dos_cc_new_create_cell(chan); 430 } 431 tt_uint_op(current_circ_count, OP_EQ, 0); 432 tt_uint_op(dos_stats->cc_stats.circuit_bucket, OP_EQ, current_circ_count); 433 #endif /* SIZEOF_TIME_T == 8 */ 434 435 done: 436 tor_free(chan); 437 dos_free_all(); 438 } 439 440 /* Test if we avoid counting a known relay. (We no longer do) */ 441 static void 442 test_known_relay(void *arg) 443 { 444 clientmap_entry_t *entry = NULL; 445 routerstatus_t *rs = NULL; 446 447 (void) arg; 448 449 MOCK(networkstatus_get_latest_consensus, 450 mock_networkstatus_get_latest_consensus); 451 MOCK(networkstatus_get_latest_consensus_by_flavor, 452 mock_networkstatus_get_latest_consensus_by_flavor); 453 MOCK(get_estimated_address_per_node, 454 mock_get_estimated_address_per_node); 455 MOCK(get_param_cc_enabled, mock_enable_dos_protection); 456 457 dos_init(); 458 459 dummy_ns = tor_malloc_zero(sizeof(*dummy_ns)); 460 dummy_ns->flavor = FLAV_MICRODESC; 461 dummy_ns->routerstatus_list = smartlist_new(); 462 463 /* Setup an OR conn so we can pass it to the DoS subsystem. */ 464 or_connection_t or_conn; 465 memset(&or_conn, 0, sizeof or_conn); 466 tor_addr_parse(&TO_CONN(&or_conn)->addr, "42.42.42.42"); 467 468 rs = tor_malloc_zero(sizeof(*rs)); 469 tor_addr_copy(&rs->ipv4_addr, &TO_CONN(&or_conn)->addr); 470 crypto_rand(rs->identity_digest, sizeof(rs->identity_digest)); 471 smartlist_add(dummy_ns->routerstatus_list, rs); 472 473 /* This will make the nodelist bloom filter very large 474 * (the_nodelist->node_addrs) so we will fail the contain test rarely. */ 475 addr_per_node = 1024; 476 nodelist_set_consensus(dummy_ns); 477 478 /* We have now a node in our list so we'll make sure we don't count it as a 479 * client connection. */ 480 geoip_note_client_seen(GEOIP_CLIENT_CONNECT, &TO_CONN(&or_conn)->addr, 481 NULL, 0); 482 /* Suppose we have 5 connections in rapid succession */ 483 dos_new_client_conn(&or_conn, NULL); 484 or_conn.tracked_for_dos_mitigation = 0; 485 dos_new_client_conn(&or_conn, NULL); 486 or_conn.tracked_for_dos_mitigation = 0; 487 dos_new_client_conn(&or_conn, NULL); 488 or_conn.tracked_for_dos_mitigation = 0; 489 dos_new_client_conn(&or_conn, NULL); 490 or_conn.tracked_for_dos_mitigation = 0; 491 dos_new_client_conn(&or_conn, NULL); 492 entry = geoip_lookup_client(&TO_CONN(&or_conn)->addr, NULL, 493 GEOIP_CLIENT_CONNECT); 494 tt_assert(entry); 495 /* We should have a count of 5. */ 496 tt_uint_op(entry->dos_stats.conn_stats.concurrent_count, OP_EQ, 5); 497 498 done: 499 routerstatus_free(rs); 500 smartlist_clear(dummy_ns->routerstatus_list); 501 networkstatus_vote_free(dummy_ns); 502 dos_free_all(); 503 UNMOCK(networkstatus_get_latest_consensus); 504 UNMOCK(networkstatus_get_latest_consensus_by_flavor); 505 UNMOCK(get_estimated_address_per_node); 506 UNMOCK(get_param_cc_enabled); 507 } 508 509 /** Test that the connection tracker of the DoS subsystem will block clients 510 * who try to establish too many connections */ 511 static void 512 test_dos_conn_rate(void *arg) 513 { 514 (void) arg; 515 516 MOCK(get_param_cc_enabled, mock_enable_dos_protection); 517 MOCK(get_param_conn_enabled, mock_enable_dos_protection); 518 519 /* Initialize test data */ 520 or_connection_t or_conn; 521 memset(&or_conn, 0, sizeof or_conn); 522 time_t now = 1281533250; /* 2010-08-11 13:27:30 UTC */ 523 tt_int_op(AF_INET,OP_EQ, tor_addr_parse(&TO_CONN(&or_conn)->addr, 524 "18.0.0.1")); 525 tor_addr_t *addr = &TO_CONN(&or_conn)->addr; 526 update_approx_time(now); 527 528 /* Get DoS subsystem limits */ 529 dos_init(); 530 uint32_t burst_conn = get_param_conn_connect_burst(NULL); 531 532 /* Introduce new client */ 533 geoip_note_client_seen(GEOIP_CLIENT_CONNECT, addr, NULL, now); 534 { /* Register many conns from this client but not enough to get it blocked */ 535 unsigned int i; 536 for (i = 0; i < burst_conn - 1; i++) { 537 or_conn.tracked_for_dos_mitigation = 0; 538 dos_new_client_conn(&or_conn, NULL); 539 } 540 } 541 542 /* Check that new conns are still permitted */ 543 tt_int_op(DOS_CONN_DEFENSE_NONE, OP_EQ, 544 dos_conn_addr_get_defense_type(addr)); 545 546 /* Register another conn and check that new conns are not allowed anymore. 547 * We should have reached our burst. */ 548 or_conn.tracked_for_dos_mitigation = 0; 549 dos_new_client_conn(&or_conn, NULL); 550 tt_int_op(DOS_CONN_DEFENSE_CLOSE, OP_EQ, 551 dos_conn_addr_get_defense_type(addr)); 552 553 /* Advance the time 12 hours. It should still be blocked. */ 554 update_approx_time(now + (12 * 60 * 60)); 555 tt_int_op(DOS_CONN_DEFENSE_CLOSE, OP_EQ, 556 dos_conn_addr_get_defense_type(addr)); 557 558 /* Advance the time 24 hours plus 13 hours. It should be unblocked. 559 * Remember, we had a random value between 24 hours and rand(24/2) thus 560 * adding 13 hours is safe. */ 561 update_approx_time(now + (37 * 60 * 60)); 562 tt_int_op(DOS_CONN_DEFENSE_NONE, OP_EQ, 563 dos_conn_addr_get_defense_type(addr)); 564 565 done: 566 dos_free_all(); 567 } 568 569 struct testcase_t dos_tests[] = { 570 { "conn_creation", test_dos_conn_creation, TT_FORK, NULL, NULL }, 571 { "circuit_creation", test_dos_circuit_creation, TT_FORK, NULL, NULL }, 572 { "bucket_refill", test_dos_bucket_refill, TT_FORK, NULL, NULL }, 573 { "known_relay" , test_known_relay, TT_FORK, 574 NULL, NULL }, 575 { "conn_rate", test_dos_conn_rate, TT_FORK, NULL, NULL }, 576 END_OF_TESTCASES 577 };