4 files changed, 44 insertions, 32 deletions
diff --git a/src/feature/hs/hs_config.c b/src/feature/hs/hs_config.c
index 73f9176186..a76893fe1a 100644
--- a/src/feature/hs/hs_config.c
+++ b/src/feature/hs/hs_config.c
@@ -548,15 +548,19 @@ config_service(config_line_t *line, const or_options_t *options,
 
   tor_assert(service->config.version <= HS_VERSION_MAX);
 
-  /* Check permission on service directory that was just parsed. And this must
-   * be done regardless of the service version. Do not ask for the directory
-   * to be created, this is done when the keys are loaded because we could be
-   * in validation mode right now. */
-  if (hs_check_service_private_dir(options->User,
-                                   service->config.directory_path,
-                                   service->config.dir_group_readable,
-                                   0) < 0) {
-    goto err;
+  /* If we're running with TestingTorNetwork enabled, we relax the permissions
+   * check on the hs directory. */
+  if (!options->TestingTorNetwork) {
+    /* Check permission on service directory that was just parsed. And this
+     * must be done regardless of the service version. Do not ask for the
+     * directory to be created, this is done when the keys are loaded because
+     * we could be in validation mode right now. */
+    if (hs_check_service_private_dir(options->User,
+                                     service->config.directory_path,
+                                     service->config.dir_group_readable,
+                                     0) < 0) {
+      goto err;
+    }
   }
 
   /* We'll try to learn the service version here by loading the key(s) if
@@ -640,6 +644,7 @@ hs_config_service_all(const or_options_t *options, int validate_only)
     int rv = config_service(section, options, new_service_list);
     config_free_lines(section);
     if (rv < 0) {
+      config_free_lines(remaining);
       goto err;
     }
   }
diff --git a/src/feature/hs/hs_descriptor.c b/src/feature/hs/hs_descriptor.c
index 70ff4e9690..a37eab5b5d 100644
--- a/src/feature/hs/hs_descriptor.c
+++ b/src/feature/hs/hs_descriptor.c
@@ -1607,8 +1607,8 @@ decrypt_desc_layer,(const hs_descriptor_t *desc,
  * put in decrypted_out which contains the superencrypted layer of the
  * descriptor. Return the length of decrypted_out on success else 0 is
  * returned and decrypted_out is set to NULL. */
-static size_t
-desc_decrypt_superencrypted(const hs_descriptor_t *desc, char **decrypted_out)
+MOCK_IMPL(STATIC size_t,
+desc_decrypt_superencrypted,(const hs_descriptor_t *desc,char **decrypted_out))
 {
   size_t superencrypted_len = 0;
   char *superencrypted_plaintext = NULL;
@@ -1639,10 +1639,10 @@ desc_decrypt_superencrypted(const hs_descriptor_t *desc, char **decrypted_out)
  * decrypted_out which contains the encrypted layer of the descriptor.
  * Return the length of decrypted_out on success else 0 is returned and
  * decrypted_out is set to NULL. */
-static size_t
-desc_decrypt_encrypted(const hs_descriptor_t *desc,
-                       const curve25519_secret_key_t *client_auth_sk,
-                       char **decrypted_out)
+MOCK_IMPL(STATIC size_t,
+desc_decrypt_encrypted,(const hs_descriptor_t *desc,
+                        const curve25519_secret_key_t *client_auth_sk,
+                        char **decrypted_out))
 {
   size_t encrypted_len = 0;
   char *encrypted_plaintext = NULL;
@@ -2145,7 +2145,7 @@ desc_decode_plaintext_v3(smartlist_t *tokens,
 
 /** Decode the version 3 superencrypted section of the given descriptor desc.
  * The desc_superencrypted_out will be populated with the decoded data. */
-static hs_desc_decode_status_t
+STATIC hs_desc_decode_status_t
 desc_decode_superencrypted_v3(const hs_descriptor_t *desc,
                               hs_desc_superencrypted_data_t *
                               desc_superencrypted_out)
@@ -2259,7 +2259,7 @@ desc_decode_superencrypted_v3(const hs_descriptor_t *desc,
 
 /** Decode the version 3 encrypted section of the given descriptor desc. The
  * desc_encrypted_out will be populated with the decoded data. */
-static hs_desc_decode_status_t
+STATIC hs_desc_decode_status_t
 desc_decode_encrypted_v3(const hs_descriptor_t *desc,
                          const curve25519_secret_key_t *client_auth_sk,
                          hs_desc_encrypted_data_t *desc_encrypted_out)
diff --git a/src/feature/hs/hs_descriptor.h b/src/feature/hs/hs_descriptor.h
index 7e437faeb8..d959431369 100644
--- a/src/feature/hs/hs_descriptor.h
+++ b/src/feature/hs/hs_descriptor.h
@@ -339,6 +339,25 @@ MOCK_DECL(STATIC size_t, decrypt_desc_layer,(const hs_descriptor_t *desc,
                                              bool is_superencrypted_layer,
                                              char **decrypted_out));
 
+STATIC hs_desc_decode_status_t desc_decode_encrypted_v3(
+                         const hs_descriptor_t *desc,
+                         const curve25519_secret_key_t *client_auth_sk,
+                         hs_desc_encrypted_data_t *desc_encrypted_out);
+
+STATIC hs_desc_decode_status_t
+desc_decode_superencrypted_v3(const hs_descriptor_t *desc,
+                              hs_desc_superencrypted_data_t *
+                              desc_superencrypted_out);
+
+MOCK_DECL(STATIC size_t, desc_decrypt_encrypted,(
+                        const hs_descriptor_t *desc,
+                        const curve25519_secret_key_t *client_auth_sk,
+                        char **decrypted_out));
+
+MOCK_DECL(STATIC size_t, desc_decrypt_superencrypted,(
+                        const hs_descriptor_t *desc,
+                        char **decrypted_out));
+
 #endif /* defined(HS_DESCRIPTOR_PRIVATE) */
 
 #endif /* !defined(TOR_HS_DESCRIPTOR_H) */
diff --git a/src/feature/hs/hs_metrics.c b/src/feature/hs/hs_metrics.c
index e023eab90c..0f1824c51c 100644
--- a/src/feature/hs/hs_metrics.c
+++ b/src/feature/hs/hs_metrics.c
@@ -29,18 +29,6 @@ port_to_str(const uint16_t port)
   return buf;
 }
 
-/** Return a static buffer pointer that contains a formatted label on the form
- * of key=value.
- *
- * Subsequent call to this function invalidates the previous buffer. */
-static const char *
-format_label(const char *key, const char *value)
-{
-  static char buf[128];
-  tor_snprintf(buf, sizeof(buf), "%s=%s", key, value);
-  return buf;
-}
-
 /** Initialize a metrics store for the given service.
  *
  * Essentially, this goes over the base_metrics array and adds them all to the
@@ -61,12 +49,12 @@ init_store(hs_service_t *service)
 
     /* Add labels to the entry. */
     metrics_store_entry_add_label(entry,
-                        format_label("onion", service->onion_address));
+                  metrics_format_label("onion", service->onion_address));
     if (base_metrics[i].port_as_label && service->config.ports) {
       SMARTLIST_FOREACH_BEGIN(service->config.ports,
                               const hs_port_config_t *, p) {
         metrics_store_entry_add_label(entry,
-                      format_label("port", port_to_str(p->virtual_port)));
+                metrics_format_label("port", port_to_str(p->virtual_port)));
       } SMARTLIST_FOREACH_END(p);
     }
   }
@@ -96,7 +84,7 @@ hs_metrics_update_by_service(const hs_metrics_key_t key,
   SMARTLIST_FOREACH_BEGIN(entries, metrics_store_entry_t *, entry) {
     if (port == 0 ||
         metrics_store_entry_has_label(entry,
-                            format_label("port", port_to_str(port)))) {
+                      metrics_format_label("port", port_to_str(port)))) {
       metrics_store_entry_update(entry, n);
       break;
     }