Add an initial .gitignore to maint-0.1.2

svn:r16464

.gitignore

@@ -0,0 +1,132 @@
+# Global ignores
+\#*\#
+.#*
+*.orig
+*.rej
+# gcov stuff
+*.gcno
+*.gcov
+*.gcda
+# latex stuff
+*.aux
+*.dvi
+*.blg
+*.bbl
+*.log
+# Autotools stuff
+.deps
+# Stuff made by our makefiles
+*.bak
+
+# /
+/Makefile
+/Makefile.in
+/aclocal.m4
+/autom4te.cache
+/build-stamp
+/configure
+/Doxyfile
+/orconfig.h
+/orconfig.h.in
+/config.cache
+/config.log
+/config.status
+/config.guess
+/config.sub
+/conftest*
+/patch-stamp
+/stamp-h
+/stamp-h.in
+/stamp-h1
+/tor.sh
+/tor.spec
+/depcomp
+/install-sh
+/missing
+/mkinstalldirs
+/Tor*Bundle.dmg
+/tor-*-win32.exe
+
+# /contrib/
+/contrib/Makefile
+/contrib/Makefile.in
+/contrib/tor.sh
+/contrib/torctl
+/contrib/torify
+/contrib/*.pyc
+/contrib/*.pyo
+/contrib/tor.logrotate
+/contrib/tor.wxs
+
+# /contrib/osx/
+/contrib/osx/Makefile
+/contrib/osx/Makefile.in
+/contrib/osx/TorBundleDesc.plist
+/contrib/osx/TorBundleInfo.plist
+/contrib/osx/TorDesc.plist
+/contrib/osx/TorInfo.plist
+/contrib/osx/TorStartupDesc.plist
+/contrib/osx/net.freehaven.tor.plist
+
+# /contrib/suse/
+/contrib/suse/tor.sh
+/contrib/suse/Makefile.in
+/contrib/suse/Makefile
+
+# /debian/
+/debian/files
+/debian/patched
+/debian/tor
+/debian/tor.postinst.debhelper
+/debian/tor.postrm.debhelper
+/debian/tor.prerm.debhelper
+/debian/tor.substvars
+
+# /doc/
+/doc/Makefile
+/doc/Makefile.in
+/doc/tor.1
+/doc/doxygen
+
+# /doc/design-paper/
+/doc/design-paper/Makefile
+/doc/design-paper/Makefile.in
+
+# /doc/spec/
+/doc/spec/Makefile
+/doc/spec/Makefile.in
+
+# /src/
+/src/Makefile
+/src/Makefile.in
+
+# /src/common/
+/src/common/Makefile
+/src/common/Makefile.in
+/src/common/libor.a
+/src/common/libor-crypto.a
+
+# /src/config/
+/src/config/Makefile
+/src/config/Makefile.in
+/src/config/sample-server-torrc
+/src/config/torrc
+/src/config/torrc.sample
+
+# /src/or/
+/src/or/Makefile
+/src/or/Makefile.in
+/src/or/micro-revision.*
+/src/or/tor
+/src/or/test
+
+# /src/tools/
+/src/tools/tor-checkkey
+/src/tools/tor-resolve
+/src/tools/tor-gencert
+/src/tools/Makefile
+/src/tools/Makefile.in
+
+# /src/win32/
+/src/win32/Makefile
+/src/win32/Makefile.in

AUTHORS

@@ -1,3 +1,11 @@
+                    This file lists the authors for Tor,
+        a free software project to provide anonymity on the Internet.
+
+       For more information about Tor, see http://www.torproject.org/.
+
+             If you got this file as a part of a larger bundle,
+        there are probably other authors that you should be aware of.
+
 
 Main authors:
 -------------

ChangeLog

@@ -1,10 +1,389 @@
-Changes in version 0.1.2.10-rc - 2007-03-??
+Changes in version 0.1.2.20 - 2008-??-??
+  o Directory authority changes:
+    - Take lefkada out of the list of v2 directory authorities, since
+      it has been down for months.
+
+  o Major bugfixes:
+    - Patch from "Andrew S. Lists" to catch when we contact a directory
+      mirror at IP address X and he says we look like we're coming from
+      IP address X. Bugfix on 0.1.2.x.
+    - Allow a closing-down linked directory connection to have its
+      blocked_on_or_conn field set. This prevents a rare assertion error
+      that could occur when an OR connection carrying tunneled directory
+      requests closed before the requests were complete. Fixes bug 406.
+    - If we only ever used Tor for hidden service lookups or posts, we
+      would stop building circuits and start refusing connections after
+      24 hours, since we falsely believed that Tor was dormant. Reported
+      by nwf.
+    - Ensure that two circuits can never exist on the same connection
+      with the same circuit ID, even if one is marked for close.  This
+      is conceivably a bugfix for bug 779; fixes a bug on 0.1.0.4-rc.
+
+  o Minor bugfixes:
+    - Stop recommending that every server operator send mail to tor-ops.
+      Resolves bug 597.
+    - Fix a few memory leaks that could in theory happen under bizarre error
+      conditions.
+    - We were leaking a file descriptor if Tor started with a zero-length
+      cached-descriptors file. Patch by freddy77.
+    - Detect size overflow in zlib code.
+    - Fix a pointer error that kept us from reporting nameserver errors.
+    - On Windows, correctly detect errors when listing the contents of a
+      directory.  Fix from lodger.
+    - Fix a dumb bug that was preventing us from knowing that we should
+      preemptively build circuits to handle expected directory requests.
+      Fixes bug 660.
+    - When opening /dev/null in finish_daemonize(), do not pass the
+      O_CREAT flag.  Fortify was complaining, and correctly so.  Fixes
+      bug 742; fix from Michael Scherer.  Bugfix on 0.0.2pre19.
+
+  o Minor testing features:
+    - Add disabled-by-default code to log the relative probability of routing
+      a v2 directory request through all known routers.  This is quite handy
+      for estimating what fraction of the total v2-directory-protocol-using
+      network a directory server has seen.
+
+
+Changes in version 0.1.2.19 - 2008-01-17
+  Tor 0.1.2.19 fixes a huge memory leak on exit relays, makes the default
+  exit policy a little bit more conservative so it's safer to run an
+  exit relay on a home system, and fixes a variety of smaller issues.
+
+  o Security fixes:
+    - Exit policies now reject connections that are addressed to a
+      relay's public (external) IP address too, unless
+      ExitPolicyRejectPrivate is turned off. We do this because too
+      many relays are running nearby to services that trust them based
+      on network address.
+
+  o Major bugfixes:
+    - When the clock jumps forward a lot, do not allow the bandwidth
+      buckets to become negative. Fixes bug 544.
+    - Fix a memory leak on exit relays; we were leaking a cached_resolve_t
+      on every successful resolve. Reported by Mike Perry.
+    - Purge old entries from the "rephist" database and the hidden
+      service descriptor database even when DirPort is zero.
+    - Stop thinking that 0.1.2.x directory servers can handle "begin_dir"
+      requests. Should ease bugs 406 and 419 where 0.1.2.x relays are
+      crashing or mis-answering these requests.
+    - When we decide to send a 503 response to a request for servers, do
+      not then also send the server descriptors: this defeats the whole
+      purpose. Fixes bug 539.
+
+  o Minor bugfixes:
+    - Changing the ExitPolicyRejectPrivate setting should cause us to
+      rebuild our server descriptor.
+    - Fix handling of hex nicknames when answering controller requests for
+      networkstatus by name, or when deciding whether to warn about
+      unknown routers in a config option. (Patch from mwenge.)
+    - Fix a couple of hard-to-trigger autoconf problems that could result
+      in really weird results on platforms whose sys/types.h files define
+      nonstandard integer types.
+    - Don't try to create the datadir when running --verify-config or
+      --hash-password. Resolves bug 540.
+    - If we were having problems getting a particular descriptor from the
+      directory caches, and then we learned about a new descriptor for
+      that router, we weren't resetting our failure count. Reported
+      by lodger.
+    - Although we fixed bug 539 (where servers would send HTTP status 503
+      responses _and_ send a body too), there are still servers out there
+      that haven't upgraded. Therefore, make clients parse such bodies
+      when they receive them.
+    - Run correctly on systems where rlim_t is larger than unsigned long.
+      This includes some 64-bit systems.
+    - Run correctly on platforms (like some versions of OS X 10.5) where
+      the real limit for number of open files is OPEN_FILES, not rlim_max
+      from getrlimit(RLIMIT_NOFILES).
+    - Avoid a spurious free on base64 failure.
+    - Avoid segfaults on certain complex invocations of
+      router_get_by_hexdigest().
+    - Fix rare bug on REDIRECTSTREAM control command when called with no
+      port set: it could erroneously report an error when none had
+      happened.
+
+
+Changes in version 0.1.2.18 - 2007-10-28
+  Tor 0.1.2.18 fixes many problems including crash bugs, problems with
+  hidden service introduction that were causing huge delays, and a big
+  bug that was causing some servers to disappear from the network status
+  lists for a few hours each day.
+
+  o Major bugfixes (crashes):
+    - If a connection is shut down abruptly because of something that
+      happened inside connection_flushed_some(), do not call
+      connection_finished_flushing(). Should fix bug 451:
+      "connection_stop_writing: Assertion conn->write_event failed"
+      Bugfix on 0.1.2.7-alpha.
+    - Fix possible segfaults in functions called from
+      rend_process_relay_cell().
+
+  o Major bugfixes (hidden services):
+    - Hidden services were choosing introduction points uniquely by
+      hexdigest, but when constructing the hidden service descriptor
+      they merely wrote the (potentially ambiguous) nickname.
+    - Clients now use the v2 intro format for hidden service
+      connections: they specify their chosen rendezvous point by identity
+      digest rather than by (potentially ambiguous) nickname. These
+      changes could speed up hidden service connections dramatically.
+
+  o Major bugfixes (other):
+    - Stop publishing a new server descriptor just because we get a
+      HUP signal. This led (in a roundabout way) to some servers getting
+      dropped from the networkstatus lists for a few hours each day.
+    - When looking for a circuit to cannibalize, consider family as well
+      as identity. Fixes bug 438. Bugfix on 0.1.0.x (which introduced
+      circuit cannibalization).
+    - When a router wasn't listed in a new networkstatus, we were leaving
+      the flags for that router alone -- meaning it remained Named,
+      Running, etc -- even though absence from the networkstatus means
+      that it shouldn't be considered to exist at all anymore. Now we
+      clear all the flags for routers that fall out of the networkstatus
+      consensus. Fixes bug 529.
+
+  o Minor bugfixes:
+    - Don't try to access (or alter) the state file when running
+      --list-fingerprint or --verify-config or --hash-password. Resolves
+      bug 499.
+    - When generating information telling us how to extend to a given
+      router, do not try to include the nickname if it is
+      absent. Resolves bug 467.
+    - Fix a user-triggerable segfault in expand_filename(). (There isn't
+      a way to trigger this remotely.)
+    - When sending a status event to the controller telling it that an
+      OR address is readable, set the port correctly. (Previously we
+      were reporting the dir port.)
+    - Fix a minor memory leak whenever a controller sends the PROTOCOLINFO
+      command. Bugfix on 0.1.2.17.
+    - When loading bandwidth history, do not believe any information in
+      the future. Fixes bug 434.
+    - When loading entry guard information, do not believe any information
+      in the future.
+    - When we have our clock set far in the future and generate an
+      onion key, then re-set our clock to be correct, we should not stop
+      the onion key from getting rotated.
+    - On some platforms, accept() can return a broken address. Detect
+      this more quietly, and deal accordingly. Fixes bug 483.
+    - It's not actually an error to find a non-pending entry in the DNS
+      cache when canceling a pending resolve. Don't log unless stuff
+      is fishy. Resolves bug 463.
+    - Don't reset trusted dir server list when we set a configuration
+      option. Patch from Robert Hogan.
+
+
+Changes in version 0.1.2.17 - 2007-08-30
+  o Major bugfixes (security):
+    - We removed support for the old (v0) control protocol. It has been
+      deprecated since Tor 0.1.1.1-alpha, and keeping it secure has
+      become more of a headache than it's worth.
+
+  o Major bugfixes (load balancing):
+    - When choosing nodes for non-guard positions, weight guards
+      proportionally less, since they already have enough load. Patch
+      from Mike Perry.
+    - Raise the "max believable bandwidth" from 1.5MB/s to 10MB/s. This
+      will allow fast Tor servers to get more attention.
+    - When we're upgrading from an old Tor version, forget our current
+      guards and pick new ones according to the new weightings. These
+      three load balancing patches could raise effective network capacity
+      by a factor of four. Thanks to Mike Perry for measurements.
+
+  o Major bugfixes (stream expiration):
+    - Expire not-yet-successful application streams in all cases if
+      they've been around longer than SocksTimeout. Right now there are
+      some cases where the stream will live forever, demanding a new
+      circuit every 15 seconds. Fixes bug 454; reported by lodger.
+
+  o Minor features (controller):
+    - Add a PROTOCOLINFO controller command. Like AUTHENTICATE, it
+      is valid before any authentication has been received. It tells
+      a controller what kind of authentication is expected, and what
+      protocol is spoken. Implements proposal 119.
+
+  o Minor bugfixes (performance):
+    - Save on most routerlist_assert_ok() calls in routerlist.c, thus
+      greatly speeding up loading cached-routers from disk on startup.
+    - Disable sentinel-based debugging for buffer code: we squashed all
+      the bugs that this was supposed to detect a long time ago, and now
+      its only effect is to change our buffer sizes from nice powers of
+      two (which platform mallocs tend to like) to values slightly over
+      powers of two (which make some platform mallocs sad).
+
+  o Minor bugfixes (misc):
+    - If exit bandwidth ever exceeds one third of total bandwidth, then
+      use the correct formula to weight exit nodes when choosing paths.
+      Based on patch from Mike Perry.
+    - Choose perfectly fairly among routers when choosing by bandwidth and
+      weighting by fraction of bandwidth provided by exits. Previously, we
+      would choose with only approximate fairness, and correct ourselves
+      if we ran off the end of the list.
+    - If we require CookieAuthentication but we fail to write the
+      cookie file, we would warn but not exit, and end up in a state
+      where no controller could authenticate. Now we exit.
+    - If we require CookieAuthentication, stop generating a new cookie
+      every time we change any piece of our config.
+    - Refuse to start with certain directory authority keys, and
+      encourage people using them to stop.
+    - Terminate multi-line control events properly. Original patch
+      from tup.
+    - Fix a minor memory leak when we fail to find enough suitable
+      servers to choose a circuit.
+    - Stop leaking part of the descriptor when we run into a particularly
+      unparseable piece of it.
+
+
+Changes in version 0.1.2.16 - 2007-08-01
+  o Major security fixes:
+    - Close immediately after missing authentication on control port;
+      do not allow multiple authentication attempts.
+
+
+Changes in version 0.1.2.15 - 2007-07-17
+  o Major bugfixes (compilation):
+    - Fix compile on FreeBSD/NetBSD/OpenBSD. Oops.
+
+  o Major bugfixes (crashes):
+    - Try even harder not to dereference the first character after
+      an mmap(). Reported by lodger.
+    - Fix a crash bug in directory authorities when we re-number the
+      routerlist while inserting a new router.
+    - When the cached-routers file is an even multiple of the page size,
+      don't run off the end and crash. (Fixes bug 455; based on idea
+      from croup.)
+    - Fix eventdns.c behavior on Solaris: It is critical to include
+      orconfig.h _before_ sys/types.h, so that we can get the expected
+      definition of _FILE_OFFSET_BITS.
+
+  o Major bugfixes (security):
+    - Fix a possible buffer overrun when using BSD natd support. Bug
+      found by croup.
+    - When sending destroy cells from a circuit's origin, don't include
+      the reason for tearing down the circuit. The spec says we didn't,
+      and now we actually don't. Reported by lodger.
+    - Keep streamids from different exits on a circuit separate. This
+      bug may have allowed other routers on a given circuit to inject
+      cells into streams. Reported by lodger; fixes bug 446.
+    - If there's a never-before-connected-to guard node in our list,
+      never choose any guards past it. This way we don't expand our
+      guard list unless we need to.
+
+  o Minor bugfixes (guard nodes):
+    - Weight guard selection by bandwidth, so that low-bandwidth nodes
+      don't get overused as guards.
+
+  o Minor bugfixes (directory):
+    - Correctly count the number of authorities that recommend each
+      version. Previously, we were under-counting by 1.
+    - Fix a potential crash bug when we load many server descriptors at
+      once and some of them make others of them obsolete. Fixes bug 458.
+
+  o Minor bugfixes (hidden services):
+    - Stop tearing down the whole circuit when the user asks for a
+      connection to a port that the hidden service didn't configure.
+      Resolves bug 444.
+
+  o Minor bugfixes (misc):
+    - On Windows, we were preventing other processes from reading
+      cached-routers while Tor was running. Reported by janbar.
+    - Fix a possible (but very unlikely) bug in picking routers by
+      bandwidth. Add a log message to confirm that it is in fact
+      unlikely. Patch from lodger.
+    - Backport a couple of memory leak fixes.
+    - Backport miscellaneous cosmetic bugfixes.
+
+
+Changes in version 0.1.2.14 - 2007-05-25
+  o Directory authority changes:
+    - Two directory authorities (moria1 and moria2) just moved to new
+      IP addresses. This change will particularly affect those who serve
+      or use hidden services.
+
+  o Major bugfixes (crashes):
+    - If a directory server runs out of space in the connection table
+      as it's processing a begin_dir request, it will free the exit stream
+      but leave it attached to the circuit, leading to unpredictable
+      behavior. (Reported by seeess, fixes bug 425.)
+    - Fix a bug in dirserv_remove_invalid() that would cause authorities
+      to corrupt memory under some really unlikely scenarios.
+    - Tighten router parsing rules. (Bugs reported by Benedikt Boss.)
+    - Avoid segfaults when reading from mmaped descriptor file. (Reported
+      by lodger.)
+
+  o Major bugfixes (security):
+    - When choosing an entry guard for a circuit, avoid using guards
+      that are in the same family as the chosen exit -- not just guards
+      that are exactly the chosen exit. (Reported by lodger.)
+
+  o Major bugfixes (resource management):
+    - If a directory authority is down, skip it when deciding where to get
+      networkstatus objects or descriptors. Otherwise we keep asking
+      every 10 seconds forever. Fixes bug 384.
+    - Count it as a failure if we fetch a valid network-status but we
+      don't want to keep it. Otherwise we'll keep fetching it and keep
+      not wanting to keep it. Fixes part of bug 422.
+    - If all of our dirservers have given us bad or no networkstatuses
+      lately, then stop hammering them once per minute even when we
+      think they're failed. Fixes another part of bug 422.
+
+  o Minor bugfixes:
+    - Actually set the purpose correctly for descriptors inserted with
+      purpose=controller.
+    - When we have k non-v2 authorities in our DirServer config,
+      we ignored the last k authorities in the list when updating our
+      network-statuses.
+    - Correctly back-off from requesting router descriptors that we are
+      having a hard time downloading.
+    - Read resolv.conf files correctly on platforms where read() returns
+      partial results on small file reads.
+    - Don't rebuild the entire router store every time we get 32K of
+      routers: rebuild it when the journal gets very large, or when
+      the gaps in the store get very large.
+
+  o Minor features:
+    - When routers publish SVN revisions in their router descriptors,
+      authorities now include those versions correctly in networkstatus
+      documents.
+    - Warn when using a version of libevent before 1.3b to run a server on
+      OSX or BSD: these versions interact badly with userspace threads.
+
+
+Changes in version 0.1.2.13 - 2007-04-24
+  o Minor fixes:
+    - Fix a memory leak when we ask for "all" networkstatuses and we
+      get one we don't recognize.
+    - Add more asserts to hunt down bug 417.
+    - Disable kqueue on OS X 10.3 and earlier, to fix bug 371.
+
+
+Changes in version 0.1.2.12-rc - 2007-03-16
+  o Major bugfixes:
+    - Fix an infinite loop introduced in 0.1.2.7-alpha when we serve
+      directory information requested inside Tor connections (i.e. via
+      begin_dir cells). It only triggered when the same connection was
+      serving other data at the same time. Reported by seeess.
+
+  o Minor bugfixes:
+    - When creating a circuit via the controller, send a 'launched'
+      event when we're done, so we follow the spec better.
+
+
+Changes in version 0.1.2.11-rc - 2007-03-15
+  o Minor bugfixes (controller), reported by daejees:
+    - Correct the control spec to match how the code actually responds
+      to 'getinfo addr-mappings/*'.
+    - The control spec described a GUARDS event, but the code
+      implemented a GUARD event. Standardize on GUARD, but let people
+      ask for GUARDS too.
+
+
+Changes in version 0.1.2.10-rc - 2007-03-07
   o Major bugfixes (Windows):
     - Do not load the NT services library functions (which may not exist)
-      just to detect if we're a service trying to shut down.
+      just to detect if we're a service trying to shut down. Now we run
+      on Win98 and friends again.
 
   o Minor bugfixes (other):
     - Clarify a couple of log messages.
+    - Fix a misleading socks5 error number.
 
 
 Changes in version 0.1.2.9-rc - 2007-03-02
@@ -25,9 +404,8 @@ Changes in version 0.1.2.9-rc - 2007-03-02
       time.
 
   o Minor bugfixes (directory authorities):
-    - Stop calling servers that have been hibernating for a long time
-      "stable". Also, stop letting hibernating or obsolete servers affect
-      uptime and bandwidth cutoffs.
+    - Stop letting hibernating or obsolete servers affect uptime and
+      bandwidth cutoffs.
     - Stop listing hibernating servers in the v1 directory.
 
   o Minor bugfixes (hidden services):
@@ -388,7 +766,7 @@ Changes in version 0.1.2.5-alpha - 2007-01-06
 
   o Minor features (directory):
     - Authorities now specify server versions in networkstatus. This adds
-      about 2% to the side of compressed networkstatus docs, and allows
+      about 2% to the size of compressed networkstatus docs, and allows
       clients to tell which servers support BEGIN_DIR and which don't.
       The implementation is forward-compatible with a proposed future
       protocol version scheme not tied to Tor versions.
@@ -862,9 +1240,6 @@ Changes in version 0.1.1.24 - 2006-09-29
       This should improve client CPU usage by 25-50%.
     - Don't crash if, after a server has been running for a while,
       it can't resolve its hostname.
-    - When a client asks us to resolve (not connect to) an address,
-      and we have a cached answer, give them the cached answer.
-      Previously, we would give them no answer at all.
 
   o Minor bugfixes:
     - Allow Tor to start when RunAsDaemon is set but no logs are set.

INSTALL

@@ -1,6 +1,6 @@
 
 Most users should simply follow the directions at
-http://tor.eff.org/docs/tor-doc-unix
+https://www.torproject.org/docs/tor-doc-unix
 
 If you got the source from cvs, run "./autogen.sh", which will run the
 various auto* programs and then run ./configure for you. From there,

LICENSE

@@ -1,3 +1,14 @@
+                    This file contains the license for Tor,
+        a free software project to provide anonymity on the Internet.
+
+        It also lists the licenses for other components used by Tor.
+
+       For more information about Tor, see http://www.torproject.org/.
+
+             If you got this file as a part of a larger bundle,
+        there may be other license terms that you should be aware of.
+
+
 ===============================================================================
 Tor is distributed under this license:
 

README

@@ -1,4 +1,4 @@
 
 Tor is an implementation of Onion Routing. You can read more
-at http://tor.eff.org/
+at https://www.torproject.org/
 

ReleaseNotes

@@ -3,6 +3,872 @@ This document summarizes new features and bugfixes in each stable release
 of Tor. If you want to see more detailed descriptions of the changes in
 each development snapshot, see the ChangeLog file.
 
+Changes in version 0.1.2.19 - 2008-01-17
+  Tor 0.1.2.19 fixes a huge memory leak on exit relays, makes the default
+  exit policy a little bit more conservative so it's safer to run an
+  exit relay on a home system, and fixes a variety of smaller issues.
+
+  o Security fixes:
+    - Exit policies now reject connections that are addressed to a
+      relay's public (external) IP address too, unless
+      ExitPolicyRejectPrivate is turned off. We do this because too
+      many relays are running nearby to services that trust them based
+      on network address.
+
+  o Major bugfixes:
+    - When the clock jumps forward a lot, do not allow the bandwidth
+      buckets to become negative. Fixes bug 544.
+    - Fix a memory leak on exit relays; we were leaking a cached_resolve_t
+      on every successful resolve. Reported by Mike Perry.
+    - Purge old entries from the "rephist" database and the hidden
+      service descriptor database even when DirPort is zero.
+    - Stop thinking that 0.1.2.x directory servers can handle "begin_dir"
+      requests. Should ease bugs 406 and 419 where 0.1.2.x relays are
+      crashing or mis-answering these requests.
+    - When we decide to send a 503 response to a request for servers, do
+      not then also send the server descriptors: this defeats the whole
+      purpose. Fixes bug 539.
+
+  o Minor bugfixes:
+    - Changing the ExitPolicyRejectPrivate setting should cause us to
+      rebuild our server descriptor.
+    - Fix handling of hex nicknames when answering controller requests for
+      networkstatus by name, or when deciding whether to warn about
+      unknown routers in a config option. (Patch from mwenge.)
+    - Fix a couple of hard-to-trigger autoconf problems that could result
+      in really weird results on platforms whose sys/types.h files define
+      nonstandard integer types.
+    - Don't try to create the datadir when running --verify-config or
+      --hash-password. Resolves bug 540.
+    - If we were having problems getting a particular descriptor from the
+      directory caches, and then we learned about a new descriptor for
+      that router, we weren't resetting our failure count. Reported
+      by lodger.
+    - Although we fixed bug 539 (where servers would send HTTP status 503
+      responses _and_ send a body too), there are still servers out there
+      that haven't upgraded. Therefore, make clients parse such bodies
+      when they receive them.
+    - Run correctly on systems where rlim_t is larger than unsigned long.
+      This includes some 64-bit systems.
+    - Run correctly on platforms (like some versions of OS X 10.5) where
+      the real limit for number of open files is OPEN_FILES, not rlim_max
+      from getrlimit(RLIMIT_NOFILES).
+    - Avoid a spurious free on base64 failure.
+    - Avoid segfaults on certain complex invocations of
+      router_get_by_hexdigest().
+    - Fix rare bug on REDIRECTSTREAM control command when called with no
+      port set: it could erroneously report an error when none had
+      happened.
+
+
+Changes in version 0.1.2.18 - 2007-10-28
+  Tor 0.1.2.18 fixes many problems including crash bugs, problems with
+  hidden service introduction that were causing huge delays, and a big
+  bug that was causing some servers to disappear from the network status
+  lists for a few hours each day.
+
+  o Major bugfixes (crashes):
+    - If a connection is shut down abruptly because of something that
+      happened inside connection_flushed_some(), do not call
+      connection_finished_flushing(). Should fix bug 451:
+      "connection_stop_writing: Assertion conn->write_event failed"
+      Bugfix on 0.1.2.7-alpha.
+    - Fix possible segfaults in functions called from
+      rend_process_relay_cell().
+
+  o Major bugfixes (hidden services):
+    - Hidden services were choosing introduction points uniquely by
+      hexdigest, but when constructing the hidden service descriptor
+      they merely wrote the (potentially ambiguous) nickname.
+    - Clients now use the v2 intro format for hidden service
+      connections: they specify their chosen rendezvous point by identity
+      digest rather than by (potentially ambiguous) nickname. These
+      changes could speed up hidden service connections dramatically.
+
+  o Major bugfixes (other):
+    - Stop publishing a new server descriptor just because we get a
+      HUP signal. This led (in a roundabout way) to some servers getting
+      dropped from the networkstatus lists for a few hours each day.
+    - When looking for a circuit to cannibalize, consider family as well
+      as identity. Fixes bug 438. Bugfix on 0.1.0.x (which introduced
+      circuit cannibalization).
+    - When a router wasn't listed in a new networkstatus, we were leaving
+      the flags for that router alone -- meaning it remained Named,
+      Running, etc -- even though absence from the networkstatus means
+      that it shouldn't be considered to exist at all anymore. Now we
+      clear all the flags for routers that fall out of the networkstatus
+      consensus. Fixes bug 529.
+
+  o Minor bugfixes:
+    - Don't try to access (or alter) the state file when running
+      --list-fingerprint or --verify-config or --hash-password. Resolves
+      bug 499.
+    - When generating information telling us how to extend to a given
+      router, do not try to include the nickname if it is
+      absent. Resolves bug 467.
+    - Fix a user-triggerable segfault in expand_filename(). (There isn't
+      a way to trigger this remotely.)
+    - When sending a status event to the controller telling it that an
+      OR address is readable, set the port correctly. (Previously we
+      were reporting the dir port.)
+    - Fix a minor memory leak whenever a controller sends the PROTOCOLINFO
+      command. Bugfix on 0.1.2.17.
+    - When loading bandwidth history, do not believe any information in
+      the future. Fixes bug 434.
+    - When loading entry guard information, do not believe any information
+      in the future.
+    - When we have our clock set far in the future and generate an
+      onion key, then re-set our clock to be correct, we should not stop
+      the onion key from getting rotated.
+    - On some platforms, accept() can return a broken address. Detect
+      this more quietly, and deal accordingly. Fixes bug 483.
+    - It's not actually an error to find a non-pending entry in the DNS
+      cache when canceling a pending resolve. Don't log unless stuff
+      is fishy. Resolves bug 463.
+    - Don't reset trusted dir server list when we set a configuration
+      option. Patch from Robert Hogan.
+
+
+Changes in version 0.1.2.17 - 2007-08-30
+  o Major bugfixes (security):
+    - We removed support for the old (v0) control protocol. It has been
+      deprecated since Tor 0.1.1.1-alpha, and keeping it secure has
+      become more of a headache than it's worth.
+
+  o Major bugfixes (load balancing):
+    - When choosing nodes for non-guard positions, weight guards
+      proportionally less, since they already have enough load. Patch
+      from Mike Perry.
+    - Raise the "max believable bandwidth" from 1.5MB/s to 10MB/s. This
+      will allow fast Tor servers to get more attention.
+    - When we're upgrading from an old Tor version, forget our current
+      guards and pick new ones according to the new weightings. These
+      three load balancing patches could raise effective network capacity
+      by a factor of four. Thanks to Mike Perry for measurements.
+
+  o Major bugfixes (stream expiration):
+    - Expire not-yet-successful application streams in all cases if
+      they've been around longer than SocksTimeout. Right now there are
+      some cases where the stream will live forever, demanding a new
+      circuit every 15 seconds. Fixes bug 454; reported by lodger.
+
+  o Minor features (controller):
+    - Add a PROTOCOLINFO controller command. Like AUTHENTICATE, it
+      is valid before any authentication has been received. It tells
+      a controller what kind of authentication is expected, and what
+      protocol is spoken. Implements proposal 119.
+
+  o Minor bugfixes (performance):
+    - Save on most routerlist_assert_ok() calls in routerlist.c, thus
+      greatly speeding up loading cached-routers from disk on startup.
+    - Disable sentinel-based debugging for buffer code: we squashed all
+      the bugs that this was supposed to detect a long time ago, and now
+      its only effect is to change our buffer sizes from nice powers of
+      two (which platform mallocs tend to like) to values slightly over
+      powers of two (which make some platform mallocs sad).
+
+  o Minor bugfixes (misc):
+    - If exit bandwidth ever exceeds one third of total bandwidth, then
+      use the correct formula to weight exit nodes when choosing paths.
+      Based on patch from Mike Perry.
+    - Choose perfectly fairly among routers when choosing by bandwidth and
+      weighting by fraction of bandwidth provided by exits. Previously, we
+      would choose with only approximate fairness, and correct ourselves
+      if we ran off the end of the list.
+    - If we require CookieAuthentication but we fail to write the
+      cookie file, we would warn but not exit, and end up in a state
+      where no controller could authenticate. Now we exit.
+    - If we require CookieAuthentication, stop generating a new cookie
+      every time we change any piece of our config.
+    - Refuse to start with certain directory authority keys, and
+      encourage people using them to stop.
+    - Terminate multi-line control events properly. Original patch
+      from tup.
+    - Fix a minor memory leak when we fail to find enough suitable
+      servers to choose a circuit.
+    - Stop leaking part of the descriptor when we run into a particularly
+      unparseable piece of it.
+
+
+Changes in version 0.1.2.16 - 2007-08-01
+  o Major security fixes:
+    - Close immediately after missing authentication on control port;
+      do not allow multiple authentication attempts.
+
+
+Changes in version 0.1.2.15 - 2007-07-17
+  o Major bugfixes (compilation):
+    - Fix compile on FreeBSD/NetBSD/OpenBSD. Oops.
+
+  o Major bugfixes (crashes):
+    - Try even harder not to dereference the first character after
+      an mmap(). Reported by lodger.
+    - Fix a crash bug in directory authorities when we re-number the
+      routerlist while inserting a new router.
+    - When the cached-routers file is an even multiple of the page size,
+      don't run off the end and crash. (Fixes bug 455; based on idea
+      from croup.)
+    - Fix eventdns.c behavior on Solaris: It is critical to include
+      orconfig.h _before_ sys/types.h, so that we can get the expected
+      definition of _FILE_OFFSET_BITS.
+
+  o Major bugfixes (security):
+    - Fix a possible buffer overrun when using BSD natd support. Bug
+      found by croup.
+    - When sending destroy cells from a circuit's origin, don't include
+      the reason for tearing down the circuit. The spec says we didn't,
+      and now we actually don't. Reported by lodger.
+    - Keep streamids from different exits on a circuit separate. This
+      bug may have allowed other routers on a given circuit to inject
+      cells into streams. Reported by lodger; fixes bug 446.
+    - If there's a never-before-connected-to guard node in our list,
+      never choose any guards past it. This way we don't expand our
+      guard list unless we need to.
+
+  o Minor bugfixes (guard nodes):
+    - Weight guard selection by bandwidth, so that low-bandwidth nodes
+      don't get overused as guards.
+
+  o Minor bugfixes (directory):
+    - Correctly count the number of authorities that recommend each
+      version. Previously, we were under-counting by 1.
+    - Fix a potential crash bug when we load many server descriptors at
+      once and some of them make others of them obsolete. Fixes bug 458.
+
+  o Minor bugfixes (hidden services):
+    - Stop tearing down the whole circuit when the user asks for a
+      connection to a port that the hidden service didn't configure.
+      Resolves bug 444.
+
+  o Minor bugfixes (misc):
+    - On Windows, we were preventing other processes from reading
+      cached-routers while Tor was running. Reported by janbar.
+    - Fix a possible (but very unlikely) bug in picking routers by
+      bandwidth. Add a log message to confirm that it is in fact
+      unlikely. Patch from lodger.
+    - Backport a couple of memory leak fixes.
+    - Backport miscellaneous cosmetic bugfixes.
+
+
+Changes in version 0.1.2.14 - 2007-05-25
+  o Directory authority changes:
+    - Two directory authorities (moria1 and moria2) just moved to new
+      IP addresses. This change will particularly affect those who serve
+      or use hidden services.
+
+  o Major bugfixes (crashes):
+    - If a directory server runs out of space in the connection table
+      as it's processing a begin_dir request, it will free the exit stream
+      but leave it attached to the circuit, leading to unpredictable
+      behavior. (Reported by seeess, fixes bug 425.)
+    - Fix a bug in dirserv_remove_invalid() that would cause authorities
+      to corrupt memory under some really unlikely scenarios.
+    - Tighten router parsing rules. (Bugs reported by Benedikt Boss.)
+    - Avoid segfaults when reading from mmaped descriptor file. (Reported
+      by lodger.)
+
+  o Major bugfixes (security):
+    - When choosing an entry guard for a circuit, avoid using guards
+      that are in the same family as the chosen exit -- not just guards
+      that are exactly the chosen exit. (Reported by lodger.)
+
+  o Major bugfixes (resource management):
+    - If a directory authority is down, skip it when deciding where to get
+      networkstatus objects or descriptors. Otherwise we keep asking
+      every 10 seconds forever. Fixes bug 384.
+    - Count it as a failure if we fetch a valid network-status but we
+      don't want to keep it. Otherwise we'll keep fetching it and keep
+      not wanting to keep it. Fixes part of bug 422.
+    - If all of our dirservers have given us bad or no networkstatuses
+      lately, then stop hammering them once per minute even when we
+      think they're failed. Fixes another part of bug 422.
+
+  o Minor bugfixes:
+    - Actually set the purpose correctly for descriptors inserted with
+      purpose=controller.
+    - When we have k non-v2 authorities in our DirServer config,
+      we ignored the last k authorities in the list when updating our
+      network-statuses.
+    - Correctly back-off from requesting router descriptors that we are
+      having a hard time downloading.
+    - Read resolv.conf files correctly on platforms where read() returns
+      partial results on small file reads.
+    - Don't rebuild the entire router store every time we get 32K of
+      routers: rebuild it when the journal gets very large, or when
+      the gaps in the store get very large.
+
+  o Minor features:
+    - When routers publish SVN revisions in their router descriptors,
+      authorities now include those versions correctly in networkstatus
+      documents.
+    - Warn when using a version of libevent before 1.3b to run a server on
+      OSX or BSD: these versions interact badly with userspace threads.
+
+
+Changes in version 0.1.2.13 - 2007-04-24
+
+Tor 0.1.2.13 is released in memory of Rob Levin (1955-2006), aka lilo
+of the Freenode IRC network, remembering his patience and vision for
+free speech on the Internet.
+
+  o Major features, client performance:
+    - Weight directory requests by advertised bandwidth. Now we can
+      let servers enable write limiting but still allow most clients to
+      succeed at their directory requests. (We still ignore weights when
+      choosing a directory authority; I hope this is a feature.)
+    - Stop overloading exit nodes -- avoid choosing them for entry or
+      middle hops when the total bandwidth available from non-exit nodes
+      is much higher than the total bandwidth available from exit nodes.
+    - Rather than waiting a fixed amount of time between retrying
+      application connections, we wait only 10 seconds for the first,
+      10 seconds for the second, and 15 seconds for each retry after
+      that. Hopefully this will improve the expected user experience.
+    - Sometimes we didn't bother sending a RELAY_END cell when an attempt
+      to open a stream fails; now we do in more cases. This should
+      make clients able to find a good exit faster in some cases, since
+      unhandleable requests will now get an error rather than timing out.
+
+  o Major features, client functionality:
+    - Implement BEGIN_DIR cells, so we can connect to a directory
+      server via TLS to do encrypted directory requests rather than
+      plaintext. Enable via the TunnelDirConns and PreferTunneledDirConns
+      config options if you like. For now, this feature only works if
+      you already have a descriptor for the destination dirserver.
+    - Add support for transparent application connections: this basically
+      bundles the functionality of trans-proxy-tor into the Tor
+      mainline. Now hosts with compliant pf/netfilter implementations
+      can redirect TCP connections straight to Tor without diverting
+      through SOCKS. (Based on patch from tup.)
+    - Add support for using natd; this allows FreeBSDs earlier than
+      5.1.2 to have ipfw send connections through Tor without using
+      SOCKS. (Patch from Zajcev Evgeny with tweaks from tup.)
+
+  o Major features, servers:
+    - Setting up a dyndns name for your server is now optional: servers
+      with no hostname or IP address will learn their IP address by
+      asking the directory authorities. This code only kicks in when you
+      would normally have exited with a "no address" error. Nothing's
+      authenticated, so use with care.
+    - Directory servers now spool server descriptors, v1 directories,
+      and v2 networkstatus objects to buffers as needed rather than en
+      masse. They also mmap the cached-routers files. These steps save
+      lots of memory.
+    - Stop requiring clients to have well-formed certificates, and stop
+      checking nicknames in certificates. (Clients have certificates so
+      that they can look like Tor servers, but in the future we might want
+      to allow them to look like regular TLS clients instead. Nicknames
+      in certificates serve no purpose other than making our protocol
+      easier to recognize on the wire.) Implements proposal 106.
+
+  o Improvements on DNS support:
+    - Add "eventdns" asynchronous dns library originally based on code
+      from Adam Langley. Now we can discard the old rickety dnsworker
+      concept, and support a wider variety of DNS functions. Allows
+      multithreaded builds on NetBSD and OpenBSD again.
+    - Add server-side support for "reverse" DNS lookups (using PTR
+      records so clients can determine the canonical hostname for a given
+      IPv4 address). Only supported by servers using eventdns; servers
+      now announce in their descriptors if they don't support eventdns.
+    - Workaround for name servers (like Earthlink's) that hijack failing
+      DNS requests and replace the no-such-server answer with a "helpful"
+      redirect to an advertising-driven search portal. Also work around
+      DNS hijackers who "helpfully" decline to hijack known-invalid
+      RFC2606 addresses. Config option "ServerDNSDetectHijacking 0"
+      lets you turn it off.
+    - Servers now check for the case when common DNS requests are going to
+      wildcarded addresses (i.e. all getting the same answer), and change
+      their exit policy to reject *:* if it's happening.
+    - When asked to resolve a hostname, don't use non-exit servers unless
+      requested to do so. This allows servers with broken DNS to be
+      useful to the network.
+    - Start passing "ipv4" hints to getaddrinfo(), so servers don't do
+      useless IPv6 DNS resolves.
+    - Specify and implement client-side SOCKS5 interface for reverse DNS
+      lookups (see doc/socks-extensions.txt). Also cache them.
+    - When we change nameservers or IP addresses, reset and re-launch
+      our tests for DNS hijacking.
+
+  o Improvements on reachability testing:
+    - Servers send out a burst of long-range padding cells once they've
+      established that they're reachable. Spread them over 4 circuits,
+      so hopefully a few will be fast. This exercises bandwidth and
+      bootstraps them into the directory more quickly.
+    - When we find our DirPort to be reachable, publish a new descriptor
+      so we'll tell the world (reported by pnx).
+    - Directory authorities now only decide that routers are reachable
+      if their identity keys are as expected.
+    - Do DirPort reachability tests less often, since a single test
+      chews through many circuits before giving up.
+    - Avoid some false positives during reachability testing: don't try
+      to test via a server that's on the same /24 network as us.
+    - Start publishing one minute or so after we find our ORPort
+      to be reachable. This will help reduce the number of descriptors
+      we have for ourselves floating around, since it's quite likely
+      other things (e.g. DirPort) will change during that minute too.
+    - Routers no longer try to rebuild long-term connections to directory
+      authorities, and directory authorities no longer try to rebuild
+      long-term connections to all servers. We still don't hang up
+      connections in these two cases though -- we need to look at it
+      more carefully to avoid flapping, and we likely need to wait til
+      0.1.1.x is obsolete.
+
+  o Improvements on rate limiting:
+    - Enable write limiting as well as read limiting. Now we sacrifice
+      capacity if we're pushing out lots of directory traffic, rather
+      than overrunning the user's intended bandwidth limits.
+    - Include TLS overhead when counting bandwidth usage; previously, we
+      would count only the bytes sent over TLS, but not the bytes used
+      to send them.
+    - Servers decline directory requests much more aggressively when
+      they're low on bandwidth. Otherwise they end up queueing more and
+      more directory responses, which can't be good for latency.
+    - But never refuse directory requests from local addresses.
+    - Be willing to read or write on local connections (e.g. controller
+      connections) even when the global rate limiting buckets are empty.
+    - Flush local controller connection buffers periodically as we're
+      writing to them, so we avoid queueing 4+ megabytes of data before
+      trying to flush.
+    - Revise and clean up the torrc.sample that we ship with; add
+      a section for BandwidthRate and BandwidthBurst.
+
+  o Major features, NT services:
+    - Install as NT_AUTHORITY\LocalService rather than as SYSTEM; add a
+      command-line flag so that admins can override the default by saying
+      "tor --service install --user "SomeUser"". This will not affect
+      existing installed services. Also, warn the user that the service
+      will look for its configuration file in the service user's
+      %appdata% directory. (We can't do the "hardwire the user's appdata
+      directory" trick any more, since we may not have read access to that
+      directory.)
+    - Support running the Tor service with a torrc not in the same
+      directory as tor.exe and default to using the torrc located in
+      the %appdata%\Tor\ of the user who installed the service. Patch
+      from Matt Edman.
+    - Add an --ignore-missing-torrc command-line option so that we can
+      get the "use sensible defaults if the configuration file doesn't
+      exist" behavior even when specifying a torrc location on the
+      command line.
+    - When stopping an NT service, wait up to 10 sec for it to actually
+      stop. (Patch from Matt Edman; resolves bug 295.)
+
+  o Directory authority improvements:
+    - Stop letting hibernating or obsolete servers affect uptime and
+      bandwidth cutoffs.
+    - Stop listing hibernating servers in the v1 directory.
+    - Authorities no longer recommend exits as guards if this would shift
+      too much load to the exit nodes.
+    - Authorities now specify server versions in networkstatus. This adds
+      about 2% to the size of compressed networkstatus docs, and allows
+      clients to tell which servers support BEGIN_DIR and which don't.
+      The implementation is forward-compatible with a proposed future
+      protocol version scheme not tied to Tor versions.
+    - DirServer configuration lines now have an orport= option so
+      clients can open encrypted tunnels to the authorities without
+      having downloaded their descriptors yet. Enabled for moria1,
+      moria2, tor26, and lefkada now in the default configuration.
+    - Add a BadDirectory flag to network status docs so that authorities
+      can (eventually) tell clients about caches they believe to be
+      broken. Not used yet.
+    - Allow authorities to list nodes as bad exits in their
+      approved-routers file by fingerprint or by address. If most
+      authorities set a BadExit flag for a server, clients don't think
+      of it as a general-purpose exit. Clients only consider authorities
+      that advertise themselves as listing bad exits.
+    - Patch from Steve Hildrey: Generate network status correctly on
+      non-versioning dirservers.
+    - Have directory authorities allow larger amounts of drift in uptime
+      without replacing the server descriptor: previously, a server that
+      restarted every 30 minutes could have 48 "interesting" descriptors
+      per day.
+    - Reserve the nickname "Unnamed" for routers that can't pick
+      a hostname: any router can call itself Unnamed; directory
+      authorities will never allocate Unnamed to any particular router;
+      clients won't believe that any router is the canonical Unnamed.
+
+  o Directory mirrors and clients:
+    - Discard any v1 directory info that's over 1 month old (for
+      directories) or over 1 week old (for running-routers lists).
+    - Clients track responses with status 503 from dirservers. After a
+      dirserver has given us a 503, we try not to use it until an hour has
+      gone by, or until we have no dirservers that haven't given us a 503.
+    - When we get a 503 from a directory, and we're not a server, we no
+      longer count the failure against the total number of failures
+      allowed for the object we're trying to download.
+    - Prepare for servers to publish descriptors less often: never
+      discard a descriptor simply for being too old until either it is
+      recommended by no authorities, or until we get a better one for
+      the same router. Make caches consider retaining old recommended
+      routers for even longer.
+    - Directory servers now provide 'Pragma: no-cache' and 'Expires'
+      headers for content, so that we can work better in the presence of
+      caching HTTP proxies.
+    - Stop fetching descriptors if you're not a dir mirror and you
+      haven't tried to establish any circuits lately. (This currently
+      causes some dangerous behavior, because when you start up again
+      you'll use your ancient server descriptors.)
+
+  o Major fixes, crashes:
+    - Stop crashing when the controller asks us to resetconf more than
+      one config option at once. (Vidalia 0.0.11 does this.)
+    - Fix a longstanding obscure crash bug that could occur when we run
+      out of DNS worker processes, if we're not using eventdns. (Resolves
+      bug 390.)
+    - Fix an assert that could trigger if a controller quickly set then
+      cleared EntryNodes. (Bug found by Udo van den Heuvel.)
+    - Avoid crash when telling controller about stream-status and a
+      stream is detached.
+    - Avoid sending junk to controllers or segfaulting when a controller
+      uses EVENT_NEW_DESC with verbose nicknames.
+    - Stop triggering asserts if the controller tries to extend hidden
+      service circuits (reported by mwenge).
+    - If we start a server with ClientOnly 1, then set ClientOnly to 0
+      and hup, stop triggering an assert based on an empty onion_key.
+    - Mask out all signals in sub-threads; only the libevent signal
+      handler should be processing them. This should prevent some crashes
+      on some machines using pthreads. (Patch from coderman.)
+    - Disable kqueue on OS X 10.3 and earlier, to fix bug 371.
+
+  o Major fixes, anonymity/security:
+    - Automatically avoid picking more than one node from the same
+      /16 network when constructing a circuit. Add an
+      "EnforceDistinctSubnets" option to let people disable it if they
+      want to operate private test networks on a single subnet.
+    - When generating bandwidth history, round down to the nearest
+      1k. When storing accounting data, round up to the nearest 1k.
+    - When we're running as a server, remember when we last rotated onion
+      keys, so that we will rotate keys once they're a week old even if
+      we never stay up for a week ourselves.
+    - If a client asked for a server by name, and there's a named server
+      in our network-status but we don't have its descriptor yet, we
+      could return an unnamed server instead.
+    - Reject (most) attempts to use Tor circuits with length one. (If
+      many people start using Tor as a one-hop proxy, exit nodes become
+      a more attractive target for compromise.)
+    - Just because your DirPort is open doesn't mean people should be
+      able to remotely teach you about hidden service descriptors. Now
+      only accept rendezvous posts if you've got HSAuthoritativeDir set.
+    - Fix a potential race condition in the rpm installer. Found by
+      Stefan Nordhausen.
+    - Do not log IPs with TLS failures for incoming TLS
+      connections. (Fixes bug 382.)
+
+  o Major fixes, other:
+    - If our system clock jumps back in time, don't publish a negative
+      uptime in the descriptor.
+    - When we start during an accounting interval before it's time to wake
+      up, remember to wake up at the correct time. (May fix bug 342.)
+    - Previously, we would cache up to 16 old networkstatus documents
+      indefinitely, if they came from nontrusted authorities. Now we
+      discard them if they are more than 10 days old.
+    - When we have a state file we cannot parse, tell the user and
+      move it aside. Now we avoid situations where the user starts
+      Tor in 1904, Tor writes a state file with that timestamp in it,
+      the user fixes her clock, and Tor refuses to start.
+    - Publish a new descriptor after we hup/reload. This is important
+      if our config has changed such that we'll want to start advertising
+      our DirPort now, etc.
+    - If we are using an exit enclave and we can't connect, e.g. because
+      its webserver is misconfigured to not listen on localhost, then
+      back off and try connecting from somewhere else before we fail.
+
+  o New config options or behaviors:
+    - When EntryNodes are configured, rebuild the guard list to contain,
+      in order: the EntryNodes that were guards before; the rest of the
+      EntryNodes; the nodes that were guards before.
+    - Do not warn when individual nodes in the configuration's EntryNodes,
+      ExitNodes, etc are down: warn only when all possible nodes
+      are down. (Fixes bug 348.)
+    - Put a lower-bound on MaxAdvertisedBandwidth.
+    - Start using the state file to store bandwidth accounting data:
+      the bw_accounting file is now obsolete. We'll keep generating it
+      for a while for people who are still using 0.1.2.4-alpha.
+    - Try to batch changes to the state file so that we do as few
+      disk writes as possible while still storing important things in
+      a timely fashion.
+    - The state file and the bw_accounting file get saved less often when
+      the AvoidDiskWrites config option is set.
+    - Make PIDFile work on Windows.
+    - Add internal descriptions for a bunch of configuration options:
+      accessible via controller interface and in comments in saved
+      options files.
+    - Reject *:563 (NNTPS) in the default exit policy. We already reject
+      NNTP by default, so this seems like a sensible addition.
+    - Clients now reject hostnames with invalid characters. This should
+      avoid some inadvertent info leaks. Add an option
+      AllowNonRFC953Hostnames to disable this behavior, in case somebody
+      is running a private network with hosts called @, !, and #.
+    - Check for addresses with invalid characters at the exit as well,
+      and warn less verbosely when they fail. You can override this by
+      setting ServerDNSAllowNonRFC953Addresses to 1.
+    - Remove some options that have been deprecated since at least
+      0.1.0.x: AccountingMaxKB, LogFile, DebugLogFile, LogLevel, and
+      SysLog. Use AccountingMax instead of AccountingMaxKB, and use Log
+      to set log options. Mark PathlenCoinWeight as obsolete.
+    - Stop accepting certain malformed ports in configured exit policies.
+    - When the user uses bad syntax in the Log config line, stop
+      suggesting other bad syntax as a replacement.
+    - Add new config option "ResolvConf" to let the server operator
+      choose an alternate resolve.conf file when using eventdns.
+    - If one of our entry guards is on the ExcludeNodes list, or the
+      directory authorities don't think it's a good guard, treat it as
+      if it were unlisted: stop using it as a guard, and throw it off
+      the guards list if it stays that way for a long time.
+    - Allow directory authorities to be marked separately as authorities
+      for the v1 directory protocol, the v2 directory protocol, and
+      as hidden service directories, to make it easier to retire old
+      authorities. V1 authorities should set "HSAuthoritativeDir 1"
+      to continue being hidden service authorities too.
+    - Remove 8888 as a LongLivedPort, and add 6697 (IRCS).
+    - Make TrackExitHosts case-insensitive, and fix the behavior of
+      ".suffix" TrackExitHosts items to avoid matching in the middle of
+      an address.
+    - New DirPort behavior: if you have your dirport set, you download
+      descriptors aggressively like a directory mirror, whether or not
+      your ORPort is set.
+
+  o Docs:
+    - Create a new file ReleaseNotes which was the old ChangeLog. The
+      new ChangeLog file now includes the notes for all development
+      versions too.
+    - Add a new address-spec.txt document to describe our special-case
+      addresses: .exit, .onion, and .noconnnect.
+    - Fork the v1 directory protocol into its own spec document,
+      and mark dir-spec.txt as the currently correct (v2) spec.
+
+  o Packaging, porting, and contrib
+    - "tor --verify-config" now exits with -1(255) or 0 depending on
+      whether the config options are bad or good.
+    - The Debian package now uses --verify-config when (re)starting,
+      to distinguish configuration errors from other errors.
+    - Adapt a patch from goodell to let the contrib/exitlist script
+      take arguments rather than require direct editing.
+    - Prevent the contrib/exitlist script from printing the same
+      result more than once.
+    - Add support to tor-resolve tool for reverse lookups and SOCKS5.
+    - In the hidden service example in torrc.sample, stop recommending
+      esoteric and discouraged hidden service options.
+    - Patch from Michael Mohr to contrib/cross.sh, so it checks more
+      values before failing, and always enables eventdns.
+    - Try to detect Windows correctly when cross-compiling.
+    - Libevent-1.2 exports, but does not define in its headers, strlcpy.
+      Try to fix this in configure.in by checking for most functions
+      before we check for libevent.
+    - Update RPMs to require libevent 1.2.
+    - Experimentally re-enable kqueue on OSX when using libevent 1.1b
+      or later. Log when we are doing this, so we can diagnose it when
+      it fails. (Also, recommend libevent 1.1b for kqueue and
+      win32 methods; deprecate libevent 1.0b harder; make libevent
+      recommendation system saner.)
+    - Build with recent (1.3+) libevents on platforms that do not
+      define the nonstandard types "u_int8_t" and friends.
+    - Remove architecture from OS X builds. The official builds are
+      now universal binaries.
+    - Run correctly on OS X platforms with case-sensitive filesystems.
+    - Correctly set maximum connection limit on Cygwin. (This time
+      for sure!)
+    - Start compiling on MinGW on Windows (patches from Mike Chiussi
+      and many others).
+    - Start compiling on MSVC6 on Windows (patches from Frediano Ziglio).
+    - Finally fix the openssl warnings from newer gccs that believe that
+      ignoring a return value is okay, but casting a return value and
+      then ignoring it is a sign of madness.
+    - On architectures where sizeof(int)>4, still clamp declarable
+      bandwidth to INT32_MAX.
+
+  o Minor features, controller:
+    - Warn the user when an application uses the obsolete binary v0
+      control protocol. We're planning to remove support for it during
+      the next development series, so it's good to give people some
+      advance warning.
+    - Add STREAM_BW events to report per-entry-stream bandwidth
+      use. (Patch from Robert Hogan.)
+    - Rate-limit SIGNEWNYM signals in response to controllers that
+      impolitely generate them for every single stream. (Patch from
+      mwenge; closes bug 394.)
+    - Add a REMAP status to stream events to note that a stream's
+      address has changed because of a cached address or a MapAddress
+      directive.
+    - Make REMAP stream events have a SOURCE (cache or exit), and
+      make them generated in every case where we get a successful
+      connected or resolved cell.
+    - Track reasons for OR connection failure; make these reasons
+      available via the controller interface. (Patch from Mike Perry.)
+    - Add a SOCKS_BAD_HOSTNAME client status event so controllers
+      can learn when clients are sending malformed hostnames to Tor.
+    - Specify and implement some of the controller status events.
+    - Have GETINFO dir/status/* work on hosts with DirPort disabled.
+    - Reimplement GETINFO so that info/names stays in sync with the
+      actual keys.
+    - Implement "GETINFO fingerprint".
+    - Implement "SETEVENTS GUARD" so controllers can get updates on
+      entry guard status as it changes.
+    - Make all connections to addresses of the form ".noconnect"
+      immediately get closed. This lets application/controller combos
+      successfully test whether they're talking to the same Tor by
+      watching for STREAM events.
+    - Add a REASON field to CIRC events; for backward compatibility, this
+      field is sent only to controllers that have enabled the extended
+      event format. Also, add additional reason codes to explain why
+      a given circuit has been destroyed or truncated. (Patches from
+      Mike Perry)
+    - Add a REMOTE_REASON field to extended CIRC events to tell the
+      controller why a remote OR told us to close a circuit.
+    - Stream events also now have REASON and REMOTE_REASON fields,
+      working much like those for circuit events.
+    - There's now a GETINFO ns/... field so that controllers can ask Tor
+      about the current status of a router.
+    - A new event type "NS" to inform a controller when our opinion of
+      a router's status has changed.
+    - Add a GETINFO events/names and GETINFO features/names so controllers
+      can tell which events and features are supported.
+    - A new CLEARDNSCACHE signal to allow controllers to clear the
+      client-side DNS cache without expiring circuits.
+    - Fix CIRC controller events so that controllers can learn the
+      identity digests of non-Named servers used in circuit paths.
+    - Let controllers ask for more useful identifiers for servers. Instead
+      of learning identity digests for un-Named servers and nicknames
+      for Named servers, the new identifiers include digest, nickname,
+      and indication of Named status. Off by default; see control-spec.txt
+      for more information.
+    - Add a "getinfo address" controller command so it can display Tor's
+      best guess to the user.
+    - New controller event to alert the controller when our server
+      descriptor has changed.
+    - Give more meaningful errors on controller authentication failure.
+    - Export the default exit policy via the control port, so controllers
+      don't need to guess what it is / will be later.
+
+  o Minor bugfixes, controller:
+    - When creating a circuit via the controller, send a 'launched'
+      event when we're done, so we follow the spec better.
+    - Correct the control spec to match how the code actually responds
+      to 'getinfo addr-mappings/*'. Reported by daejees.
+    - The control spec described a GUARDS event, but the code
+      implemented a GUARD event. Standardize on GUARD, but let people
+      ask for GUARDS too. Reported by daejees.
+    - Give the controller END_STREAM_REASON_DESTROY events _before_ we
+      clear the corresponding on_circuit variable, and remember later
+      that we don't need to send a redundant CLOSED event. (Resolves part
+      3 of bug 367.)
+    - Report events where a resolve succeeded or where we got a socks
+      protocol error correctly, rather than calling both of them
+      "INTERNAL".
+    - Change reported stream target addresses to IP consistently when
+      we finally get the IP from an exit node.
+    - Send log messages to the controller even if they happen to be very
+      long.
+    - Flush ERR-level controller status events just like we currently
+      flush ERR-level log events, so that a Tor shutdown doesn't prevent
+      the controller from learning about current events.
+    - Report the circuit number correctly in STREAM CLOSED events. Bug
+      reported by Mike Perry.
+    - Do not report bizarre values for results of accounting GETINFOs
+      when the last second's write or read exceeds the allotted bandwidth.
+    - Report "unrecognized key" rather than an empty string when the
+      controller tries to fetch a networkstatus that doesn't exist.
+    - When the controller does a "GETINFO network-status", tell it
+      about even those routers whose descriptors are very old, and use
+      long nicknames where appropriate.
+    - Fix handling of verbose nicknames with ORCONN controller events:
+      make them show up exactly when requested, rather than exactly when
+      not requested.
+    - Controller signals now work on non-Unix platforms that don't define
+      SIGUSR1 and SIGUSR2 the way we expect.
+    - Respond to SIGNAL command before we execute the signal, in case
+      the signal shuts us down. Suggested by Karsten Loesing.
+    - Handle reporting OR_CONN_EVENT_NEW events to the controller.
+
+  o Minor features, code performance:
+    - Major performance improvement on inserting descriptors: change
+      algorithm from O(n^2) to O(n).
+    - Do not rotate onion key immediately after setting it for the first
+      time.
+    - Call router_have_min_dir_info half as often. (This is showing up in
+      some profiles, but not others.)
+    - When using GCC, make log_debug never get called at all, and its
+      arguments never get evaluated, when no debug logs are configured.
+      (This is showing up in some profiles, but not others.)
+    - Statistics dumped by -USR2 now include a breakdown of public key
+      operations, for profiling.
+    - Make the common memory allocation path faster on machines where
+      malloc(0) returns a pointer.
+    - Split circuit_t into origin_circuit_t and or_circuit_t, and
+      split connection_t into edge, or, dir, control, and base structs.
+      These will save quite a bit of memory on busy servers, and they'll
+      also help us track down bugs in the code and bugs in the spec.
+    - Use OpenSSL's AES implementation on platforms where it's faster.
+      This could save us as much as 10% CPU usage.
+
+  o Minor features, descriptors and descriptor handling:
+    - Avoid duplicate entries on MyFamily line in server descriptor.
+    - When Tor receives a router descriptor that it asked for, but
+      no longer wants (because it has received fresh networkstatuses
+      in the meantime), do not warn the user. Cache the descriptor if
+      we're a cache; drop it if we aren't.
+    - Servers no longer ever list themselves in their "family" line,
+      even if configured to do so. This makes it easier to configure
+      family lists conveniently.
+
+  o Minor fixes, confusing/misleading log messages:
+    - Display correct results when reporting which versions are
+      recommended, and how recommended they are. (Resolves bug 383.)
+    - Inform the server operator when we decide not to advertise a
+      DirPort due to AccountingMax enabled or a low BandwidthRate.
+    - Only include function names in log messages for info/debug messages.
+      For notice/warn/err, the content of the message should be clear on
+      its own, and printing the function name only confuses users.
+    - Remove even more protocol-related warnings from Tor server logs,
+      such as bad TLS handshakes and malformed begin cells.
+    - Fix bug 314: Tor clients issued "unsafe socks" warnings even
+      when the IP address is mapped through MapAddress to a hostname.
+    - Fix misleading log messages: an entry guard that is "unlisted",
+      as well as not known to be "down" (because we've never heard
+      of it), is not therefore "up".
+
+  o Minor fixes, old/obsolete behavior:
+    - Start assuming we can use a create_fast cell if we don't know
+      what version a router is running.
+    - We no longer look for identity and onion keys in "identity.key" and
+      "onion.key" -- these were replaced by secret_id_key and
+      secret_onion_key in 0.0.8pre1.
+    - We no longer require unrecognized directory entries to be
+      preceded by "opt".
+    - Drop compatibility with obsolete Tors that permit create cells
+      to have the wrong circ_id_type.
+    - Remove code to special-case "-cvs" ending, since it has not
+      actually mattered since 0.0.9.
+    - Don't re-write the fingerprint file every restart, unless it has
+      changed.
+
+  o Minor fixes, misc client-side behavior:
+    - Always remove expired routers and networkstatus docs before checking
+      whether we have enough information to build circuits. (Fixes
+      bug 373.)
+    - When computing clock skew from directory HTTP headers, consider what
+      time it was when we finished asking for the directory, not what
+      time it is now.
+    - Make our socks5 handling more robust to broken socks clients:
+      throw out everything waiting on the buffer in between socks
+      handshake phases, since they can't possibly (so the theory
+      goes) have predicted what we plan to respond to them.
+    - Expire socks connections if they spend too long waiting for the
+      handshake to finish. Previously we would let them sit around for
+      days, if the connecting application didn't close them either.
+    - And if the socks handshake hasn't started, don't send a
+      "DNS resolve socks failed" handshake reply; just close it.
+    - If the user asks to use invalid exit nodes, be willing to use
+      unstable ones.
+    - Track unreachable entry guards correctly: don't conflate
+      'unreachable by us right now' with 'listed as down by the directory
+      authorities'. With the old code, if a guard was unreachable by us
+      but listed as running, it would clog our guard list forever.
+    - Behave correctly in case we ever have a network with more than
+      2GB/s total advertised capacity.
+    - Claim a commonname of Tor, rather than TOR, in TLS handshakes.
+    - Fix a memory leak when we ask for "all" networkstatuses and we
+      get one we don't recognize.
+
+
 Changes in version 0.1.1.26 - 2006-12-14
   o Security bugfixes:
     - Stop sending the HttpProxyAuthenticator string to directory

configure.in

@@ -4,7 +4,7 @@ dnl Copyright (c) 2004-2007, Roger Dingledine, Nick Mathewson
 dnl See LICENSE for licensing information
 
 AC_INIT
-AM_INIT_AUTOMAKE(tor, 0.1.2.9-rc-dev)
+AM_INIT_AUTOMAKE(tor, 0.1.2.19-dev)
 AM_CONFIG_HEADER(orconfig.h)
 
 AC_CANONICAL_HOST
@@ -51,7 +51,15 @@ if test x$enable_threads = x; then
         AC_MSG_NOTICE([You are running OpenBSD or NetBSD; I am assuming that
 getaddrinfo is not threadsafe here, so I will disable threads.])
         enable_threads="no"
-    fi ;;
+     else
+        # This was an inadvertant default up through 0.1.2.14; in 0.2.0.x,
+	# it's getting some testing, but for now, best leave threads off
+	# unless the user urns them on.
+        AC_MSG_NOTICE([You are running OpenBSD or NetBSD; Tor 0.1.2.x hasn't
+been tested with threads on these platforms, so I'm turning them off.  You
+can enable threads by passing --enable-threads to the configure script.])
+        enable_threads="no"
+     fi ;;
     *-*-solaris* )
      # Don't try multithreading on solaris -- cpuworkers seem to lock.
      AC_MSG_NOTICE([You are running Solaris; Sometimes threading makes
@@ -76,6 +84,7 @@ AC_ARG_ENABLE(gcc-warnings,
      AC_HELP_STRING(--enable-gcc-warnings, enable verbose warnings))
 
 AC_PROG_CC
+AC_PROG_CPP
 AC_PROG_MAKE_SET
 AC_PROG_RANLIB
 
@@ -196,7 +205,10 @@ fi
 dnl ------------------------------------------------------
 dnl Where do you live, libevent?  And how do we call you?
 
-dnl This is a disgusting hack so we safely include recent libevent headers.
+dnl This needs to happen before the below disgusting hack.
+AC_CHECK_HEADERS(sys/types.h)
+
+dnl This is a disgusting hack so we safely include older libevent headers.
 AC_CHECK_TYPE(u_int64_t, unsigned long long)
 AC_CHECK_TYPE(u_int32_t, unsigned long)
 AC_CHECK_TYPE(u_int16_t, unsigned short)
@@ -260,7 +272,7 @@ LIBS="$LIBS -levent -lws2_32"
 else
 LIBS="$LIBS -levent"
 fi
-if test $tor_cv_libevent_dir != "(system)"; then
+if test "$tor_cv_libevent_dir" != "(system)"; then
   if test -d "$tor_cv_libevent_dir/lib" ; then
     LDFLAGS="-L$tor_cv_libevent_dir/lib $LDFLAGS"
     le_libdir="$tor_cv_libevent_dir/lib"
@@ -457,7 +469,7 @@ AC_SYS_LARGEFILE
 
 dnl The warning message here is no longer strictly accurate.
 
-AC_CHECK_HEADERS(unistd.h string.h signal.h ctype.h sys/stat.h sys/types.h fcntl.h sys/fcntl.h sys/time.h errno.h assert.h time.h, , AC_MSG_WARN(some headers were not found, compilation may fail))
+AC_CHECK_HEADERS(unistd.h string.h signal.h ctype.h sys/stat.h fcntl.h sys/fcntl.h sys/time.h errno.h assert.h time.h, , AC_MSG_WARN(some headers were not found, compilation may fail))
 
 AC_CHECK_HEADERS(netdb.h sys/ioctl.h sys/socket.h arpa/inet.h netinet/in.h pwd.h grp.h)
 
@@ -478,7 +490,7 @@ AC_CHECK_HEADERS(zlib.h, , AC_MSG_ERROR(Zlib header (zlib.h) not found. Tor requ
 
 dnl These headers are not essential
 
-AC_CHECK_HEADERS(stdint.h sys/types.h inttypes.h sys/param.h sys/wait.h limits.h sys/limits.h netinet/in.h arpa/inet.h machine/limits.h syslog.h sys/time.h sys/resource.h inttypes.h utime.h sys/utime.h sys/mman.h netintet/in.h netinet/in6.h)
+AC_CHECK_HEADERS(stdint.h sys/types.h inttypes.h sys/param.h sys/wait.h limits.h sys/limits.h netinet/in.h arpa/inet.h machine/limits.h syslog.h sys/time.h sys/resource.h inttypes.h utime.h sys/utime.h sys/mman.h netintet/in.h netinet/in6.h sys/syslimits.h)
 
 AC_CHECK_HEADERS(net/if.h, [net_if_found=1], [net_if_found=0],
 [#ifdef HAVE_SYS_TYPES_H
@@ -577,6 +589,18 @@ AC_CHECK_TYPES([struct in6_addr, struct sockaddr_storage], , ,
 #include <sys/socket.h>
 #endif])
 
+AC_CHECK_TYPES([rlim_t], , ,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+])
+
 if test -z "$CROSS_COMPILE"; then
 AC_CACHE_CHECK([whether time_t is signed], tor_cv_time_t_signed, [
 AC_TRY_RUN([

contrib/osx/Makefile.am

@@ -8,5 +8,5 @@ EXTRA_DIST = PrivoxyConfDesc.plist PrivoxyConfInfo.plist          \
     TorInfo.plist.in TorStartupDesc.plist.in TorStartupInfo.plist \
     package.sh privoxy.config TorPostflight addsysuser            \
     Tor_Uninstaller.applescript uninstall_tor_bundle.sh           \
-    package_list.txt tor_logo.gif                                 \
-    TorPreFlight
+    TorbuttonInfo.plist TorbuttonDesc.plist                       \
+    package_list.txt tor_logo.gif TorPreFlight

contrib/osx/ReadMe.rtf

@@ -4,4 +4,4 @@
 \margl1440\margr1440\vieww9000\viewh9000\viewkind0
 \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\ql\qnatural
 
-\f0\fs24 \cf0 Tor is a toolset for a wide range of organizations and people who want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and more. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.}
+\f0\fs24 \cf0 Tor is a toolset for a wide range of organizations and people who want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and more. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.}

contrib/osx/Tor

@@ -16,7 +16,29 @@ TORPID=/var/run/Tor.pid
 TORUSER=_tor
 TORGROUP=daemon
 TORCMD=$TORDIR/tor
-TORLOG=/var/log/tor/tor.log
+TORLOG=/var/log/tor.log
+
+## Determine OSX Version
+# map version to name
+if [ -x /usr/bin/sw_vers ]; then
+# This is poor, yet functional.  We don't care about the 3rd number in
+# the OS version
+  OSVER=`/usr/bin/sw_vers | grep ProductVersion | cut -f2 | cut -d"." -f1,2`
+      case "$OSVER" in
+	"10.5") OS="leopard" ARCH="universal";;
+ 	"10.4") OS="tiger" ARCH="universal";;
+ 	"10.3") OS="panther" ARCH="ppc";;
+ 	"10.2") OS="jaguar" ARCH="ppc";;
+ 	"10.1") OS="puma" ARCH="ppc";;
+ 	"10.0") OS="cheetah" ARCH="ppc";;
+      esac
+else
+	OS="unknown"
+fi
+ 
+if [ $ARCH != "universal" ]; then
+	export EVENT_NOKQUEUE=1
+fi
 
 ##
 # Tor Service

contrib/osx/TorBundleDesc.plist.in

@@ -5,9 +5,9 @@
 	<key>IFPkgDescriptionDeleteWarning</key>
 	<string></string>
 	<key>IFPkgDescriptionDescription</key>
-	<string>Bundled package of Tor @VERSION@ and Privoxy.</string>
+	<string>Bundled package of Tor @VERSION@, Privoxy 3.0.6, and Torbutton.</string>
 	<key>IFPkgDescriptionTitle</key>
-	<string>Tor - Privoxy Bundle</string>
+	<string>Tor - Privoxy - Torbutton Bundle</string>
 	<key>IFPkgDescriptionVersion</key>
 	<string>@VERSION@</string>
 </dict>

contrib/osx/TorBundleInfo.plist.in

@@ -38,6 +38,12 @@
 			<key>IFPkgFlagPackageSelection</key>
 			<string>selected</string>
 		</dict>
+		<dict>
+			<key>IFPkgFlagPackageLocation</key>
+			<string>torbutton.pkg</string>
+			<key>IFPkgFlagPackageSelection</key>
+			<string>selected</string>
+		</dict>
 	</array>
         <key>IFPkgFormatVersion</key>
         <real>0.10000000149011612</real>

contrib/osx/TorBundleWelcome.rtf

@@ -1,23 +1,38 @@
-{\rtf1\mac\ansicpg10000\cocoartf102
-{\fonttbl\f0\fswiss\fcharset77 Helvetica;\f1\fswiss\fcharset77 Helvetica-Bold;}
+{\rtf1\mac\ansicpg10000\cocoartf824\cocoasubrtf420
+{\fonttbl\f0\fswiss\fcharset77 Helvetica;\f1\fswiss\fcharset77 Helvetica-Oblique;\f2\fswiss\fcharset77 Helvetica-Bold;
+}
 {\colortbl;\red255\green255\blue255;}
 \paperw11900\paperh16840\margl1440\margr1440\vieww9000\viewh9000\viewkind0
 \pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\ql\qnatural
 
-\f0\fs24 \cf0 Welcome to Tor - Privoxy Bundle installer.\
-This will install Tor and privoxy in your computer.\
+\f0\fs24 \cf0 Welcome to Tor - Privoxy - Torbutton Bundle installer.\
+This will install Tor, Privoxy, and Torbutton in your computer.\
 \
 
-\f1\b Tor and Privoxy are separate products.\
+\f1\i Tor, Privoxy, and Torbutton are separate products.\
 They are packaged together for your convenience.
+\f2\i0\b \
+
 \f0\b0 \
-\
 \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\ql\qnatural
-\cf0 Tor is a system for using the Internet anonymously, and allowing\
+
+\f2\b \cf0 Tor
+\f0\b0  is a system for using the Internet anonymously, and allowing\
 others to do so.\
 \
-For more information, please visit http://tor.eff.org/\
+	For more information, please visit https://www.torproject.org/\
 \
-Privoxy stands between your web browser and Tor to make your web surfing experience safer.\
+
+\f2\b Privoxy
+\f0\b0  stands between your web browser and Tor to make your web surfing experience safer.\
 \
-For more information, please visit http://www.privoxy.org/}
+	For more information, please visit http://www.privoxy.org/\
+\
+\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\ql\qnatural\pardirnatural
+
+\f2\b \cf0 Torbutton
+\f0\b0  is a 1-click way for Firefox users to enable or disable the browser's use of Tor.   
+\f1\i Torbutton will not install if you do not have Firefox installed.
+\f0\i0 \
+\
+	For more information, please visit https://torbutton.torproject.org/}

contrib/osx/TorPostflight

@@ -1,4 +1,37 @@
 #!/bin/sh
+# ====================================================================
+#  TorPostFlight is distributed under this license
+#
+#  Copyright (c) 2006 Andrew Lewman
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#
+#     * Neither the names of the copyright owners nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+# ======================================================================
 
 # TorPostflight gets invoked after any install or upgrade.
 
@@ -12,7 +45,8 @@ TORUSER=_tor
 TORGROUP=daemon
 TARGET=$2/Library/Tor
 TORDIR=$TARGET/var/lib/tor
-LOGDIR=$TARGET/var/log/tor
+LOGFILE=/var/log/tor.log
+TORBUTTON_VERSION="1.0.4.01-fx+tb"
 
 # Check defaults for TARGET
 if [ "$TARGET" == "//Library/Tor" ]; then
@@ -26,16 +60,17 @@ $ADDSYSUSER $TORUSER "Tor System user" $TORDIR
 if [ ! -d $TORDIR ]; then
   mkdir -p $TORDIR
 fi
-if [ ! -d $LOGDIR ]; then
-  mkdir -p $LOGDIR
-fi
 # Check its permissions.
 chown $TORUSER $TORDIR
 chgrp daemon $TORDIR
 chmod 700 $TORDIR
-chown $TORUSER $LOGDIR
-chgrp daemon $LOGDIR
-chmod 700 $LOGDIR
+
+if [ ! -f $LOGFILE ]; then
+    touch $LOGFILE
+    chown $TORUSER $LOGFILE
+    chgrp daemon $LOGFILE
+    chmod 660 $LOGFILE
+fi
 
 # Create the configuration file only if there wasn't one already.
 if [ ! -f $TARGET/torrc ]; then
@@ -54,14 +89,8 @@ ln -sf $TARGET/tor .
 ln -sf $TARGET/tor-resolve .
 
 cd /usr/share/man/man1
-MAN1=$TARGET/man/man1
-ln -sf $MAN1/*.1 .
-
-if [ ! -e /var/log/tor -o -L /var/log/tor ]; then
-  cd /var/log
-  rm -f tor
-  ln -sf $LOGDIR tor
-fi
+MAN1=$TARGET/share/man/man1
+#ln -sf $MAN1/*.1 .
 
 if [ -d /Library/StartupItems/Privoxy ]; then
   find /Library/StartupItems/Privoxy -print0 | xargs -0 chown root:wheel
@@ -75,26 +104,35 @@ fi
 # Copy Uninstaller
 if [ -f $PACKAGE_PATH/Contents/Resources/Tor_Uninstaller.applescript ]; then 
    cp $PACKAGE_PATH/Contents/Resources/Tor_Uninstaller.applescript $TARGET/Tor_Uninstaller.applescript
-   chmod 755 $TARGET/Tor_Uninstaller.applescript
+   chmod 550 $TARGET/Tor_Uninstaller.applescript
 fi
 
 if [ -f $PACKAGE_PATH/Contents/Resources/uninstall_tor_bundle.sh ]; then
    cp $PACKAGE_PATH/Contents/Resources/uninstall_tor_bundle.sh $TARGET/uninstall_tor_bundle.sh
-   chmod 755 $TARGET/uninstall_tor_bundle.sh
+   chmod 550 $TARGET/uninstall_tor_bundle.sh
 fi
 
 if [ -f $PACKAGE_PATH/Contents/Resources/package_list.txt ]; then
    cp $PACKAGE_PATH/Contents/Resources/package_list.txt $TARGET/package_list.txt
 fi
 
-# If the pre-install script did it's thing, it should have saved the
-# config and server keys; put these back and clean up
-if [ -f /tmp/TorSavedMe.tar.gz ]; then
-   tar zxf /tmp/TorSavedMe.tar.gz -C /
-   rm /tmp/TorSavedMe.tar.gz
-fi
-
 if [ -d /Library/StartupItems/Tor ]; then
    rm -f /Library/StartupItems/Tor/Tor.loc
    echo "$TARGET" > /Library/StartupItems/Tor/Tor.loc
 fi
+
+if [ -f /Applications/Firefox.app/Contents/MacOS/firefox ]; then
+  if [ -f $TARGET/torbutton-$TORBUTTON_VERSION.xpi ]; then
+      /Applications/Firefox.app/Contents/MacOS/firefox -install-global-extension $TARGET/torbutton-$TORBUTTON_VERSION.xpi
+# The following is a kludge to get around the fact that the installer
+# runs as root.  This means the Torbutton extension will install with
+# root permissions; thereby making uninstalling Torbutton from inside
+# Firefox impossible.  The user will be caught in an endless loop of
+# uninstall -> automatic re-installation of Torbutton.  The OSX
+# installer doesn't tell you the owner of Firefox, therefore we have to
+# parse it.
+      USR=`ls -alrt /Applications/Firefox.app/Contents/MacOS/extensions/ | tail -1 | awk '{print $3}'`
+      GRP=`ls -alrt /Applications/Firefox.app/Contents/MacOS/extensions/ | tail -1 | awk '{print $4}'`
+      chown -R $USR:$GRP /Applications/Firefox.app/Contents/MacOS/extensions/
+  fi
+fi

contrib/osx/TorPreFlight

@@ -1,4 +1,40 @@
 #!/bin/sh
+#
+# ===================================================================
+# 
+# TorPreFlight is distributed under this license:
+#
+# Copyright (c) 2006 Andrew Lewman
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#
+#     * Neither the names of the copyright owners nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#===============================================================================
+
 # TorPreFlight is invoked before the install begins
 
 # Figure out where Tor is installed
@@ -16,14 +52,8 @@ fi
 
 # Backup all of Tor, just in case
 if [ -d $TORPATH ]; then
-	tar zcf /tmp/TorSavedMe.tar.gz $TORPATH/var/lib/tor $TORPATH/torrc $PRIVOXYPATH/config $PRIVOXYPATH/user.action
+  cp $TORPATH/torrc $TORPATH/torrc.installer-saved
+  cp $PRIVOXYPATH/config $PRIVOXYPATH/config.installer-saved
+  cp $PRIVOXYPATH/user.action $PRIVOXYPATH/user.action.installer-saved
 fi
 
-# Remove Tor and everything to do with it
-if [ -f $TORPATH/uninstall_tor_bundle.sh ]; then
-	$TORPATH/uninstall_tor_bundle.sh
-else
-	$PACKAGE_PATH/Contents/Resources/uninstall_tor_bundle.sh
-fi
-
-# This is complete, we have a fresh system on which to install Tor

contrib/osx/TorbuttonDesc.plist

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>IFPkgDescriptionTitle</key>
+	<string>Torbutton Extension for Firefox</string>
+	<key>IFPkgDescriptionVersion</key>
+	<string>0.1</string>
+</dict>
+</plist>

contrib/osx/TorbuttonInfo.plist

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleIdentifier</key>
+	<string>Torbutton Extension for Firefox</string>
+	<key>CFBundleGetInfoString</key>
+	<string>Torbutton configuration for Tor</string>
+	<key>CFBundleName</key>
+	<string>Torbutton configuration for Tor</string>
+	<key>CFBundleSortVersionString</key>
+	<string>0.1</string>
+	<key>IFPkgFlagAuthorizationAction</key>
+	<string>RootAuthorization</string>
+        <key>IFPkgFlagRestartAction</key>
+        <string>RecommendedRestart</string>
+	<key>IFPkgFlagFollowLinks</key>
+	<true/>
+	<key>IFPkgFlagIsRequired</key>
+	<false/>
+</dict>
+</plist>

contrib/osx/addsysuser

@@ -3,43 +3,81 @@
 # Original adduser 05 Feb 2002 by Jon L. Gardner
 #
 # Modified for Tor installer by Nick Mathewson
+# 2007-06-12 Modified for leopard by Andrew Lewman
+# Copyright (c) 2007 Andrew Lewman
+#
+
 
 ROOTPROP=/
 
 if [ "`whoami`" != "root" ]; then
-echo "You must be root to execute this script."
-exit
+  echo "You must be root to execute this script."
+  exit
 fi
 if [ "x$3" = "x" ]; then
-echo 'Usage: addsysuser <username> "<full name>" <homedir>'
-exit 0
+  echo 'Usage: addsysuser <username> "<full name>" <homedir>'
+  exit 0
 fi
+
 username=$1
 realname=$2
 homedir=$3
-# GID 20 is "staff" which is the default. Change it if you want.
-gid=`niutil -readprop $ROOTPROP /groups/daemon gid`
-if [ "x`niutil -list $ROOTPROP /users|cut -f2 -d' '|grep $username`" != "x" ]; then
-echo The account $username already exists.
-exit 0
+
+if [ -x /usr/bin/dscl ]; then
+  # Determine the gid of the daemon group
+  gid=`dscl . -read /groups/daemon gid`
+  if [ "x`dscl . -list /users|cut -f2 -d' '|grep $username`" != "x" ]; then
+    echo The account $username already exists.
+    exit 0
+  fi
+  if [ -x /usr/bin/nidump ]; then
+    uiddef=`nidump passwd / | cut -d: -f3 | sort -n | grep -v '^[56789]..' |grep -v '^....$' | tail -n 1`
+  else
+    _tmp=/tmp/_dsexport_tmp.txt.$$
+    rm -f $_tmp
+    dsexport $_tmp '/Local/Default' 'dsRecTypeStandard:Users' > /dev/null 2>&1
+    uiddef=`cat $_tmp | sed 's/\\\://g' | cut -d: -f6 | grep '^[0-9]' | sort -n | grep -v '^[56789]..' | grep -v '^....$' | tail -n 1`
+    rm -f $_tmp
+  fi
+  uiddef=`echo $uiddef + 1 | bc`
+  dscl . -create /users/$username uid $uiddef
+  # home is the local path to the home directory
+  home=/Users/$username
+  echo Creating account for $username...
+  dscl . -create /users/$username
+  dscl . -create /users/$username _writers_tim_passwd $username
+  dscl . -create /users/$username realname $realname
+  dscl . -create /users/$username _writers_passwd $username
+  dscl . -create /users/$username gid $gid
+  dscl . -create /users/$username home $homedir
+  dscl . -create /users/$username name $username
+  dscl . -create /users/$username passwd '*'
+  dscl . -create /users/$username shell /dev/null
+else
+  # Determine the gid of the daemon group
+  gid=`niutil -readprop $ROOTPROP /groups/daemon gid`
+  if [ "x`niutil -list $ROOTPROP /users|cut -f2 -d' '|grep $username`" != "x" ]; then
+   echo The account $username already exists.
+   exit 0
+  fi
+  # home is the local path to the home directory
+  home=/Users/$username
+  # defhome is what goes into NetInfo
+  defhome="/Network/Servers/MyServer/Users"
+  #echo "Determining next available system uid (please be patient)..."
+  # Uids over 500 are for system users.
+  uiddef=`nidump passwd / | cut -d: -f3 | sort -n | grep -v '^[56789]..' |grep -v '^....$' | tail -n 1`
+  uiddef=`echo $uiddef + 1 |bc`
+  echo Creating account for $username...
+  niutil -create $ROOTPROP /users/$username
+  niutil -createprop $ROOTPROP /users/$username _writers_tim_passwd $username
+  niutil -createprop $ROOTPROP /users/$username realname $realname
+  niutil -createprop $ROOTPROP /users/$username _writers_passwd $username
+  niutil -createprop $ROOTPROP /users/$username uid $uiddef
+  #niutil -createprop $ROOTPROP /users/$username home_loc "<home_dir><url>afp://afp.server.com/Users/</url><path>$username</path></home_dir>"
+  niutil -createprop $ROOTPROP /users/$username gid $gid
+  niutil -createprop $ROOTPROP /users/$username home $homedir
+  niutil -createprop $ROOTPROP /users/$username name $username
+  niutil -createprop $ROOTPROP /users/$username passwd '*'
+  niutil -createprop $ROOTPROP /users/$username shell /dev/null
 fi
-# home is the local path to the home directory
-home=/Users/$username
-# defhome is what goes into NetInfo
-defhome="/Network/Servers/MyServer/Users"
-#echo "Determining next available system uid (please be patient)..."
-# Uids over 500 are for system users.
-uiddef=`nidump passwd / | cut -d: -f3 | sort -n | grep -v '^[56789]..' |grep -v '^....$' | tail -n 1`
-uiddef=`echo $uiddef + 1 |bc`
-echo Creating account for $username...
-niutil -create $ROOTPROP /users/$username
-niutil -createprop $ROOTPROP /users/$username _writers_tim_passwd $username
-niutil -createprop $ROOTPROP /users/$username realname $realname
-niutil -createprop $ROOTPROP /users/$username _writers_passwd $username
-niutil -createprop $ROOTPROP /users/$username uid $uiddef
-#niutil -createprop $ROOTPROP /users/$username home_loc "<home_dir><url>afp://afp.server.com/Users/</url><path>$username</path></home_dir>"
-niutil -createprop $ROOTPROP /users/$username gid $gid
-niutil -createprop $ROOTPROP /users/$username home $homedir
-niutil -createprop $ROOTPROP /users/$username name $username
-niutil -createprop $ROOTPROP /users/$username passwd '*'
-niutil -createprop $ROOTPROP /users/$username shell /dev/null

contrib/osx/package.sh

@@ -1,6 +1,7 @@
 #!/bin/sh
 # $Id$
 # Copyright 2004-2005 Nick Mathewson. 
+# Copyright 2005-2008 Andrew Lewman
 # See LICENSE in Tor distribution for licensing information.
 
 # This script builds a Macintosh OS X metapackage containing 4 packages:
@@ -8,6 +9,7 @@
 #    - One for Privoxy.
 #    - One for a tor-specific privoxy configuration script.
 #    - One for Startup scripts for Tor.
+#    - One for Torbutton, an extension for FireFox
 #
 # This script expects to be run from the toplevel makefile, with VERSION
 # set to the latest Tor version, and Tor already built.
@@ -20,6 +22,11 @@
 # privoxy lives somewhere else.
 PRIVOXY_PKG_ZIP=~/tmp/privoxyosx_setup_3.0.6.zip
 
+# Where have we put the xpi and license for Torbutton? Edit this if your
+# torbutton and torbutton license live somewhere else.
+TORBUTTON_PATH=~/tmp/torbutton-1.0.4.01-fx+tb.xpi
+TORBUTTON_LIC_PATH=~/tmp/LICENSE
+
 ###
 # Helpful info on OS X packaging:
 #   http://developer.apple.com/documentation/DeveloperTools/Conceptual/SoftwareDistribution/index.html
@@ -66,11 +73,13 @@ for subdir in tor_packageroot tor_resources \
               torstartup_packageroot \
               privoxyconf_packageroot \
               torbundle_resources \
+              torbutton_packageroot \
               output; do
     mkdir $BUILD_DIR/$subdir
 done
 
 ### Make Tor package.
+
 make install DESTDIR=$BUILD_DIR/tor_packageroot
 #mv $BUILD_DIR/tor_packageroot/Library/Tor/torrc.sample $BUILD_DIR/tor_packageroot/Library/Tor/torrc
 cp contrib/osx/ReadMe.rtf $BUILD_DIR/tor_resources
@@ -104,7 +113,15 @@ cp AUTHORS $DOC/AUTHORS.txt
 groff doc/tor.1.in -T ps -m man | pstopdf -i -o $DOC/tor-reference.pdf
 groff doc/tor-resolve.1 -T ps -m man | pstopdf -i -o $DOC/tor-resolve.pdf
 mkdir $DOC/Advanced
-cp doc/tor-spec.txt doc/rend-spec.txt doc/control-spec.txt doc/socks-extensions.txt doc/version-spec.txt $DOC/Advanced
+cp	doc/spec/tor-spec.txt         \
+	doc/spec/rend-spec.txt        \
+	doc/spec/control-spec.txt     \
+	doc/spec/socks-extensions.txt \
+	doc/spec/version-spec.txt     \
+	doc/spec/address-spec.txt     \
+	doc/spec/path-spec.txt        \
+	$DOC/Advanced
+
 cp doc/HACKING $DOC/Advanced/HACKING.txt
 cp ChangeLog $DOC/Advanced/ChangeLog.txt
 
@@ -131,16 +148,31 @@ $PACKAGEMAKER -build                      \
 
 ### Make Startup Script package
 
-  mkdir -p $BUILD_DIR/torstartup_packageroot/Library/StartupItems/Tor
-  cp contrib/osx/Tor contrib/osx/StartupParameters.plist \
+mkdir -p $BUILD_DIR/torstartup_packageroot/Library/StartupItems/Tor
+cp contrib/osx/Tor contrib/osx/StartupParameters.plist \
    $BUILD_DIR/torstartup_packageroot/Library/StartupItems/Tor
 
-  find $BUILD_DIR/torstartup_packageroot -print0 | sudo xargs -0 chown root:wheel
-  $PACKAGEMAKER -build                     \
-      -p $BUILD_DIR/output/torstartup.pkg  \
-      -f $BUILD_DIR/torstartup_packageroot \
-      -i contrib/osx/TorStartupInfo.plist  \
-      -d contrib/osx/TorStartupDesc.plist
+find $BUILD_DIR/torstartup_packageroot -print0 | sudo xargs -0 chown root:wheel
+
+$PACKAGEMAKER -build 		       \
+  -p $BUILD_DIR/output/torstartup.pkg  \
+  -f $BUILD_DIR/torstartup_packageroot \
+  -i contrib/osx/TorStartupInfo.plist  \
+  -d contrib/osx/TorStartupDesc.plist
+
+### Make Torbutton Installation package
+
+mkdir -p $BUILD_DIR/torbutton_packageroot/Library/Torbutton
+cp $TORBUTTON_PATH $BUILD_DIR/torbutton_packageroot/Library/Torbutton/
+cp $TORBUTTON_LIC_PATH $BUILD_DIR/torbutton_packageroot/Library/Torbutton/Torbutton-LICENSE.txt
+
+find $BUILD_DIR/torbutton_packageroot -print0 | sudo xargs -0 chown root:wheel
+
+$PACKAGEMAKER -build 		       	\
+  -p $BUILD_DIR/output/torbutton.pkg	\
+  -f $BUILD_DIR/torbutton_packageroot 	\
+  -i contrib/osx/TorbuttonInfo.plist  	\
+  -d contrib/osx/TorbuttonDesc.plist
 
 ### Assemble the metapackage.  Packagemaker won't buld metapackages from
 # the command line, so we need to do it by hand.
@@ -167,6 +199,7 @@ cp $PRIVOXY_RESDIR/License.html $BUILD_DIR/output/Privoxy\ License.html
 cp $PRIVOXY_RESDIR/ReadMe.txt $BUILD_DIR/output/Privoxy\ ReadMe.txt
 cp contrib/osx/ReadMe.rtf $BUILD_DIR/output/Tor\ ReadMe.rtf
 cp LICENSE $BUILD_DIR/output/Tor\ License.txt
+cp $TORBUTTON_LIC_PATH $BUILD_DIR/output/Torbutton_LICENSE.txt
 
 ### Package it all into a DMG
 

contrib/osx/package_list.txt

@@ -3,3 +3,4 @@ Privoxy
 torstartup
 privoxyconf
 Vidalia
+torbutton

contrib/osx/uninstall_tor_bundle.sh

@@ -33,11 +33,9 @@
 ##	(ie "Tor", "torstartup", ...) the list should be new-line-delimited.
 PACKAGE_LIST_SRC=./package_list.txt
 
-
 ### this is the name of the user created in the install process of Tor
 TOR_USER=_tor
 
-
 ### these should be constant across all osX installs (so leave them be)
 STARTUP_ITEMS_DIR=/Library/StartupItems
 PKG_RCPT_BASE_DIR=/Library/Receipts
@@ -45,7 +43,6 @@ BOM_INTERMEDIATE_DIR=Contents/Resources
 INFO_INTERMEDIATE_DIR=$BOM_INTERMEDIATE_DIR/English.lproj
 TEMP_BOM_CONTENTS=/tmp/tor_uninst_scratch
 
-
 ### make sure the script is being run as root, barf if not
 if [ "`whoami`" != "root" ]; then
 	echo "Must be root to run the uninstall script."
@@ -128,13 +125,16 @@ done < $PACKAGE_LIST_SRC
 
 ## nuke the user created by the install process.
 echo ". Removing created user $TOR_USER"
-niutil -destroy . /users/$TOR_USER
-
+if [ -x /usr/bin/dscl ]; then
+   dscl . -delete /users/$TOR_USER
+else
+   niutil -destroy . /users/$TOR_USER
+fi
 
 ## clean up
 echo ". Cleaning up"
 rm -rf $TEMP_BOM_CONTENTS
-rm -rf /Library/Privoxy/ /Library/StartupItems/Privoxy/ /Library/Tor/ /Library/StartupItems/Tor/
+rm -rf /Library/Privoxy/ /Library/StartupItems/Privoxy/ /Library/Tor/ /Library/StartupItems/Tor/ /Library/Torbutton/ 
 
 echo ". Finished"
 

contrib/package_nsis-mingw.sh

@@ -1,5 +1,39 @@
 #!/bin/sh
 #
+# ===============================================================================
+# package_nsis-ming.sh is distributed under this license:
+
+# Copyright (c) 2006-2008 Andrew Lewman
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+
+#     * Neither the names of the copyright owners nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+# ===============================================================================
+
 # Script to package a Tor installer on win32.  This script assumes that
 # you have already built Tor, that you are running msys/mingw, and that
 # you know what you are doing.
@@ -21,8 +55,6 @@ mkdir win_tmp/tmp
 
 cp src/or/tor.exe win_tmp/bin/
 cp src/tools/tor-resolve.exe win_tmp/bin/
-cp /usr/local/ssl/lib/libcrypto.a win_tmp/bin/
-cp /usr/local/ssl/lib/libssl.a win_tmp/bin/
 cp contrib/tor.ico win_tmp/bin/
 
 # YOU must copy torbutton xpi into the contrib dir

contrib/suse/tor.sh.in

@@ -1,5 +1,7 @@
 #!/bin/sh
 #
+# Copyright (c) 2006-2007 Andrew Lewman
+#
 # tor    The Onion Router
 #
 # Startup/shutdown script for tor. This is a wrapper around torctl;
@@ -16,11 +18,12 @@
 
 ### BEGIN INIT INFO
 # Provides: tor
-# Required-Start: $network
-# Required-Stop: $network
+# Required-Start: $remote_fs $network
+# Required-Stop: $remote_fs $network
 # Default-Start: 3 5
 # Default-Stop: 0 1 2 6
-# Description: Start the tor daemon
+# Short-Description: Start the tor daemon
+# Description:  Start the tor daemon:  the anon-proxy server
 ### END INIT INFO
 
 . /etc/rc.status

contrib/tor-mingw.nsi.in

@@ -1,23 +1,26 @@
 ;tor.nsi - A basic win32 installer for Tor
 ; Originally written by J Doe.
-; See LICENSE for licensing information
+; Modified by Steve Topletz
+; See the Tor LICENSE for licensing information
 ;-----------------------------------------
 ;
 !include "MUI.nsh"
-
-!define VERSION "0.1.2.9-rc-dev"
+!include "LogicLib.nsh"
+!include "FileFunc.nsh"
+!insertmacro GetParameters
+  
+!define VERSION "0.1.2.19-dev"
 !define INSTALLER "tor-${VERSION}-win32.exe"
-!define WEBSITE "http://tor.eff.org/"
-
+!define WEBSITE "https://www.torproject.org/"
 !define LICENSE "LICENSE"
-;BIN is where it expects to find tor.exe, tor-resolve.exe, libcrypto.a and libssl.a
-!define BIN "..\bin"
-
-SetCompressor lzma
+!define BIN "..\bin" ;BIN is where it expects to find tor.exe, tor-resolve.exe
+  
+ 
+SetCompressor /SOLID LZMA ;Tighter compression
+RequestExecutionLevel user ;Updated for Vista compatibility
 OutFile ${INSTALLER}
 InstallDir $PROGRAMFILES\Tor
 SetOverWrite ifnewer
-
 Name "Tor"
 Caption "Tor ${VERSION} Setup"
 BrandingText "The Onion Router"
@@ -25,19 +28,18 @@ CRCCheck on
 XPStyle on
 VIProductVersion "${VERSION}"
 VIAddVersionKey "ProductName" "The Onion Router: Tor"
-VIAddVersionKey "Comments" "http://tor.eff.org"
+VIAddVersionKey "Comments" "${WEBSITE}"
 VIAddVersionKey "LegalTrademarks" "Three line BSD"
-VIAddVersionKey "LegalCopyright" "©2004-2007, Roger Dingledine, Nick Mathewson"
-VIAddVersionKey "FileDescription" "Tor is an implementation of Onion Routing. You can read more at http://tor.eff.org/"
+VIAddVersionKey "LegalCopyright" "©2004-2008, Roger Dingledine, Nick Mathewson"
+VIAddVersionKey "FileDescription" "Tor is an implementation of Onion Routing. You can read more at ${WEBSITE}"
 VIAddVersionKey "FileVersion" "${VERSION}"
 
-!define MUI_WELCOMEPAGE_TITLE "Welcome to the Tor ${VERSION} Setup Wizard"
+!define MUI_WELCOMEPAGE_TITLE "Welcome to the Tor Setup Wizard"
 !define MUI_WELCOMEPAGE_TEXT "This wizard will guide you through the installation of Tor ${VERSION}.\r\n\r\nIf you have previously installed Tor and it is currently running, please exit Tor first before continuing this installation.\r\n\r\n$_CLICK"
 !define MUI_ABORTWARNING
 !define MUI_ICON "${NSISDIR}\Contrib\Graphics\Icons\win-install.ico"
 !define MUI_UNICON "${NSISDIR}\Contrib\Graphics\Icons\win-uninstall.ico"
 !define MUI_HEADERIMAGE_BITMAP "${NSISDIR}\Contrib\Graphics\Header\win.bmp"
-!define MUI_HEADERIMAGE
 !define MUI_FINISHPAGE_RUN "$INSTDIR\tor.exe"
 !define MUI_FINISHPAGE_LINK "Visit the Tor website for the latest updates."
 !define MUI_FINISHPAGE_LINK_LOCATION ${WEBSITE}
@@ -56,8 +58,12 @@ VIAddVersionKey "FileVersion" "${VERSION}"
 !insertmacro MUI_UNPAGE_FINISH
 !insertmacro MUI_LANGUAGE "English"
 
-Var configdir
-Var configfile
+Var CONFIGDIR
+Var CONFIGFILE
+
+Function .onInit
+	Call ParseCmdLine
+FunctionEnd
 
 ;Sections
 ;--------
@@ -65,95 +71,48 @@ Var configfile
 Section "Tor" Tor
 ;Files that have to be installed for tor to run and that the user
 ;cannot choose not to install
-   SectionIn RO
-   SetOutPath $INSTDIR
-   File "${BIN}\tor.exe"
-   File "${BIN}\tor-resolve.exe"
-   File "${BIN}\tor.ico"
-   WriteIniStr "$INSTDIR\Tor Website.url" "InternetShortcut" "URL" ${WEBSITE}
+	SectionIn RO
+	SetOutPath $INSTDIR
+	Call ExtractBinaries
+	Call ExtractIcon
+	WriteINIStr "$INSTDIR\Tor Website.url" "InternetShortcut" "URL" ${WEBSITE}
 
-   StrCpy $configfile "torrc"
-   StrCpy $configdir $APPDATA\Tor
+	StrCpy $CONFIGFILE "torrc"
+	StrCpy $CONFIGDIR $APPDATA\Tor
 ;   ;If $APPDATA isn't valid here (Early win95 releases with no updated
 ;   ; shfolder.dll) then we put it in the program directory instead.
 ;   StrCmp $APPDATA "" "" +2
-;      StrCpy $configdir $INSTDIR
-   SetOutPath $configdir
-   ;If there's already a torrc config file, ask if they want to
-   ;overwrite it with the new one.
-   IfFileExists "$configdir\torrc" "" endiftorrc
-      MessageBox MB_ICONQUESTION|MB_YESNO "You already have a Tor config file.$\r$\nDo you want to overwrite it with the default sample config file?" IDNO yesreplace
-      Delete $configdir\torrc
-      Goto endiftorrc
-     yesreplace:
-      StrCpy $configfile "torrc.sample"
-   endiftorrc:
-   File /oname=$configfile "..\src\config\torrc.sample"
-SectionEnd
-
-Section "OpenSSL 0.9.8d" OpenSSL
-   SetOutPath $INSTDIR
-   File "${BIN}\libcrypto.a"
-   File "${BIN}\libssl.a"
+;      StrCpy $CONFIGDIR $INSTDIR
+	SetOutPath $CONFIGDIR
+	;If there's already a torrc config file, ask if they want to
+	;overwrite it with the new one.
+	${If} ${FileExists} "$CONFIGDIR\torrc"
+		MessageBox MB_ICONQUESTION|MB_YESNO "You already have a Tor config file.$\r$\nDo you want to overwrite it with the default sample config file?" IDYES Yes IDNO No
+		Yes:
+			Delete $CONFIGDIR\torrc
+			Goto Next
+		No:
+			StrCpy $CONFIGFILE "torrc.sample"
+		Next:
+	${EndIf}
+	File /oname=$CONFIGFILE "..\src\config\torrc.sample"
 SectionEnd
 
 Section "Documents" Docs
-   SetOutPath "$INSTDIR\Documents"
-   ;File "doc\FAQ"
-   File "..\doc\HACKING"
-   File "..\doc\spec\address-spec.txt"
-   File "..\doc\spec\control-spec.txt"
-   File "..\doc\spec\control-spec-v0.txt"
-   File "..\doc\spec\dir-spec.txt"
-   File "..\doc\spec\dir-spec-v1.txt"
-   File "..\doc\spec\path-spec.txt"
-   File "..\doc\spec\rend-spec.txt"
-   File "..\doc\spec\socks-extensions.txt"
-   File "..\doc\spec\tor-spec.txt"
-   File "..\doc\spec\version-spec.txt"
-   ;
-   ; WEBSITE-FILES-HERE
-   ;
-   File "..\doc\tor-resolve.html"
-   File "..\doc\tor-reference.html"
-   ;
-   File "..\doc\design-paper\tor-design.pdf"
-   ;
-   File "..\README"
-   File "..\AUTHORS"
-   File "..\ChangeLog"
-   File "..\LICENSE"
+	Call ExtractDocuments
 SectionEnd
 
-;Section "TorButton for FireFox" Torbutton
-;   SetOutPath $INSTDIR
-;   File "${BIN}\torbutton-1.0.4-fx+tb.xpi"
-;
-;   ReadRegStr $1 HKLM "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe" "Path"
-;   StrCmp $1 "" +2 0 ; if Path is empty or null, then skip to an error, otherwise proceed
-;	Exec '"$1firefox.exe" -install-global-extension "$INSTDIR\torbutton-1.0.4-fx+tb.xpi"'
-;	DetailPrint "Torbutton installed"
-;	Goto +2
-;	MessageBox MB_OK|MB_ICONSTOP "FireFox wasn't found on your system.  Not installing Torbutton."
-;	DetailPrint "Firefox NOT found."
-;SectionEnd
-
 SubSection /e "Shortcuts" Shortcuts
 
 Section "Start Menu" StartMenu
-   SetOutPath $INSTDIR
-   IfFileExists "$SMPROGRAMS\Tor\*.*" "" +2
-      RMDir /r "$SMPROGRAMS\Tor"
-   CreateDirectory "$SMPROGRAMS\Tor"
-   CreateShortCut "$SMPROGRAMS\Tor\Tor.lnk" "$INSTDIR\tor.exe" "" "$INSTDIR\tor.ico" 
-   CreateShortCut "$SMPROGRAMS\Tor\Torrc.lnk" "Notepad.exe" "$configdir\torrc"
-   CreateShortCut "$SMPROGRAMS\Tor\Tor Website.lnk" "$INSTDIR\Tor Website.url"
-   CreateShortCut "$SMPROGRAMS\Tor\Uninstall.lnk" "$INSTDIR\Uninstall.exe"
-   IfFileExists "$INSTDIR\Documents\*.*" "" endifdocs
-      CreateDirectory "$SMPROGRAMS\Tor\Documents"
-      CreateShortCut "$SMPROGRAMS\Tor\Documents\Tor Manual.lnk" "$INSTDIR\Documents\tor-reference.html"
-      CreateShortCut "$SMPROGRAMS\Tor\Documents\Tor Documentation.lnk" "$INSTDIR\Documents"
-      CreateShortCut "$SMPROGRAMS\Tor\Documents\Tor Specification.lnk" "$INSTDIR\Documents\tor-spec.txt"
+  SetOutPath $INSTDIR
+  ${If} ${FileExists} "$SMPROGRAMS\Tor\*.*"
+    RMDir /r "$SMPROGRAMS\Tor"
+  ${EndIf}
+  Call CreateTorLinks
+  ${If} ${FileExists} "$INSTDIR\Documents\*.*"
+    Call CreateDocLinks
+  ${EndIf}
    endifdocs:
 SectionEnd
 
@@ -170,24 +129,7 @@ SectionEnd
 SubSectionEnd
 
 Section "Uninstall"
-   Delete "$DESKTOP\Tor.lnk"
-   Delete "$INSTDIR\libcrypto.a"
-   Delete "$INSTDIR\libssl.a"
-   Delete "$INSTDIR\tor.exe"
-   Delete "$INSTDIR\tor-resolve.exe"
-   Delete "$INSTDIR\Tor Website.url"
-   Delete "$INSTDIR\torrc"
-   Delete "$INSTDIR\torrc.sample"
-   Delete "$INSTDIR\tor.ico"
-   StrCmp $configdir $INSTDIR +2 ""
-      RMDir /r $configdir
-   Delete "$INSTDIR\Uninstall.exe"
-   RMDir /r "$INSTDIR\Documents"
-   RMDir $INSTDIR
-   RMDir /r "$SMPROGRAMS\Tor"
-   RMDir /r "$APPDATA\Tor"
-   Delete "$SMSTARTUP\Tor.lnk"
-   DeleteRegKey HKLM "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tor"
+   Call un.InstallPackage
 SectionEnd
 
 Section -End
@@ -199,12 +141,125 @@ Section -End
 SectionEnd
 
 !insertmacro MUI_FUNCTION_DESCRIPTION_BEGIN
-  !insertmacro MUI_DESCRIPTION_TEXT ${Tor} "The core executable and config files needed for Tor to run."
-  !insertmacro MUI_DESCRIPTION_TEXT ${OpenSSL} "OpenSSL libraries required by Tor."
-  !insertmacro MUI_DESCRIPTION_TEXT ${Docs} "Documentation about Tor."
-  !insertmacro MUI_DESCRIPTION_TEXT ${ShortCuts} "Shortcuts to easily start Tor"
-  !insertmacro MUI_DESCRIPTION_TEXT ${StartMenu} "Shortcuts to access Tor and it's documentation from the Start Menu"
-  !insertmacro MUI_DESCRIPTION_TEXT ${Desktop} "A shortcut to start Tor from the desktop"
-  !insertmacro MUI_DESCRIPTION_TEXT ${Startup} "Launches Tor automatically at startup in a minimized window"
+!insertmacro MUI_DESCRIPTION_TEXT ${Tor} "The core executable and config files needed for Tor to run."
+!insertmacro MUI_DESCRIPTION_TEXT ${Docs} "Documentation about Tor."
+!insertmacro MUI_DESCRIPTION_TEXT ${ShortCuts} "Shortcuts to easily start Tor"
+!insertmacro MUI_DESCRIPTION_TEXT ${StartMenu} "Shortcuts to access Tor and it's documentation from the Start Menu"
+!insertmacro MUI_DESCRIPTION_TEXT ${Desktop} "A shortcut to start Tor from the desktop"
+!insertmacro MUI_DESCRIPTION_TEXT ${Startup} "Launches Tor automatically at startup in a minimized window"
 !insertmacro MUI_FUNCTION_DESCRIPTION_END
 
+;####################Functions#########################
+
+Function ExtractBinaries
+	File "${BIN}\tor.exe"
+	File "${BIN}\tor-resolve.exe"
+FunctionEnd
+
+Function ExtractIcon
+	File "${BIN}\tor.ico"
+FunctionEnd
+
+Function ExtractSpecs
+	;File "doc\FAQ"
+	File "..\doc\HACKING"
+	File "..\doc\spec\address-spec.txt"
+	File "..\doc\spec\control-spec.txt"
+	File "..\doc\spec\control-spec-v0.txt"
+	File "..\doc\spec\dir-spec.txt"
+	File "..\doc\spec\dir-spec-v1.txt"
+	File "..\doc\spec\path-spec.txt"
+	File "..\doc\spec\rend-spec.txt"
+	File "..\doc\spec\socks-extensions.txt"
+	File "..\doc\spec\tor-spec.txt"
+	File "..\doc\spec\version-spec.txt"
+FunctionEnd
+
+Function ExtractHTML
+	File "..\doc\tor-resolve.html"
+	File "..\doc\tor-reference.html"
+FunctionEnd
+
+Function ExtractDesignDocs
+	File "..\doc\design-paper\tor-design.pdf"
+FunctionEnd
+
+Function ExtractReleaseDocs
+	File "..\README"
+	File "..\AUTHORS"
+	File "..\ChangeLog"
+	File "..\LICENSE"
+FunctionEnd
+
+Function ExtractDocuments
+	SetOutPath "$INSTDIR\Documents"
+	Call ExtractSpecs
+	Call ExtractHTML
+	Call ExtractDesignDocs
+	Call ExtractReleaseDocs
+FunctionEnd
+
+Function un.InstallFiles
+	Delete "$DESKTOP\Tor.lnk"
+	Delete "$INSTDIR\tor.exe"
+	Delete "$INSTDIR\tor-resolve.exe"
+	Delete "$INSTDIR\Tor Website.url"
+	Delete "$INSTDIR\torrc"
+	Delete "$INSTDIR\torrc.sample"
+	Delete "$INSTDIR\tor.ico"
+	Delete "$SMSTARTUP\Tor.lnk"
+	Delete "$INSTDIR\Uninstall.exe"
+FunctionEnd
+
+Function un.InstallDirectories
+	${If} $CONFIGDIR == $INSTDIR
+		RMDir /r $CONFIGDIR
+	${EndIf}
+	RMDir /r "$INSTDIR\Documents"
+	RMDir $INSTDIR
+	RMDir /r "$SMPROGRAMS\Tor"
+	RMDir /r "$APPDATA\Tor"
+FunctionEnd
+
+Function un.WriteRegistry
+	DeleteRegKey HKLM "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tor"
+FunctionEnd
+
+Function un.InstallPackage
+	Call un.InstallFiles
+	Call un.InstallDirectories
+	Call un.WriteRegistry
+FunctionEnd
+
+Function CreateTorLinks
+	CreateDirectory "$SMPROGRAMS\Tor"
+	CreateShortCut "$SMPROGRAMS\Tor\Tor.lnk" "$INSTDIR\tor.exe" "" "$INSTDIR\tor.ico"
+	CreateShortCut "$SMPROGRAMS\Tor\Torrc.lnk" "Notepad.exe" "$CONFIGDIR\torrc"
+	CreateShortCut "$SMPROGRAMS\Tor\Tor Website.lnk" "$INSTDIR\Tor Website.url"
+	CreateShortCut "$SMPROGRAMS\Tor\Uninstall.lnk" "$INSTDIR\Uninstall.exe"
+FunctionEnd
+
+Function CreateDocLinks
+	CreateDirectory "$SMPROGRAMS\Tor\Documents"
+	CreateShortCut "$SMPROGRAMS\Tor\Documents\Tor Manual.lnk" "$INSTDIR\Documents\tor-reference.html"
+	CreateShortCut "$SMPROGRAMS\Tor\Documents\Tor Documentation.lnk" "$INSTDIR\Documents"
+	CreateShortCut "$SMPROGRAMS\Tor\Documents\Tor Specification.lnk" "$INSTDIR\Documents\tor-spec.txt"
+FunctionEnd
+
+Function ParseCmdLine
+	${GetParameters} $1
+	${If} $1 == "-x" ;Extract All Files
+		StrCpy $INSTDIR $EXEDIR
+		Call ExtractBinaries
+		Call ExtractDocuments
+		Quit
+	${ElseIf} $1 == "-b" ;Extract Binaries Only
+		StrCpy $INSTDIR $EXEDIR
+		Call ExtractBinaries
+		Quit
+	${ElseIf} $1 != ""
+		MessageBox MB_OK|MB_TOPMOST `${Installer} [-x|-b]$\r$\n$\r$\n  -x    Extract all files$\r$\n  -b    Extract binary files only`
+		Quit
+	${EndIf}
+FunctionEnd
+

contrib/tor.nsi.in

@@ -34,7 +34,7 @@
 
 !define VERSION "0.1.2.3-alpha-dev"
 !define INSTALLER "tor-${VERSION}-win32.exe"
-!define WEBSITE "http://tor.eff.org/"
+!define WEBSITE "https://www.torproject.org/"
 
 !define LICENSE "..\LICENSE"
 ;BIN is where it expects to find tor.exe, tor_resolve.exe, libeay32.dll and

debian/changelog

@@ -1,6 +1,102 @@
+tor (0.1.2.19-3) unstable; urgency=critical
+
+  * It's 2008.  Now is the time to add copyright statements for 2007.
+  * Work around fig2dev failing to build the images on all archs -
+    backport from 0.2.0.22-rc-1 (re #457568).
+  * backport from 0.2.0.26-rc-1: Conflict with old libssls.
+  * backport from 0.2.0.26-rc-1: On upgrading from versions prior to,
+    including, 0.1.2.19-2 if we are a server (we have a /var/lib/tor/keys
+    directory)
+    - move /var/lib/tor/keys/secret_onion_key out of the way.
+    - move /var/lib/tor/keys/secret_onion_key.old out of the way.
+    - move /var/lib/tor/keys/secret_id_key out of the way if it was
+      created on or after 2006-09-17, which is the day the bad
+      libssl was uploaded to Debian unstable.
+  * backport from 0.2.0.26-rc-1: Add a NEWS file explaining this change.
+
+ -- Peter Palfrader <weasel@debian.org>  Wed, 14 May 2008 15:05:47 +0200
+
+tor (0.1.2.19-2) unstable; urgency=low
+
+  * Backport from 0.2.0.18-alpha + 1:  We now use the shipped images
+    on mipsel and sparc (in addition to s390) because fig2dev segfaults
+    on those archs (re #457568).
+
+ -- Peter Palfrader <weasel@debian.org>  Sat,  2 Feb 2008 15:14:23 +0100
+
+tor (0.1.2.19-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- Peter Palfrader <weasel@debian.org>  Thu, 17 Jan 2008 20:57:42 +0100
+
+tor (0.1.2.18-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- Peter Palfrader <weasel@debian.org>  Mon, 29 Oct 2007 20:36:38 +0100
+
+tor (0.1.2.17-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- Peter Palfrader <weasel@debian.org>  Fri, 31 Aug 2007 03:14:33 +0200
+
+tor (0.1.2.16-1) unstable; urgency=high
+
+  * New upstream version.
+
+ -- Peter Palfrader <weasel@debian.org>  Thu,  2 Aug 2007 06:43:09 +0200
+
+tor (0.1.2.15-1) unstable; urgency=low
+
+  * New upstream version.
+  * Change build-depends from tetex to texlive suite.
+
+ -- Peter Palfrader <weasel@debian.org>  Thu, 19 Jul 2007 22:33:43 +0200
+
+tor (0.1.2.14-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- Peter Palfrader <weasel@debian.org>  Fri, 25 May 2007 21:49:20 +0200
+
+tor (0.1.2.13-3) unstable; urgency=low
+
+  * Always give a shell (/bin/sh) when we use su(1) in our init script
+    (closes: #421465).
+
+ -- Peter Palfrader <weasel@debian.org>  Sun,  6 May 2007 14:44:11 +0200
+
+tor (0.1.2.13-2) unstable; urgency=low
+
+  * In options_init_from_torrc()'s error path only config_free() options
+    if they already have been initialized (closes: #421235).
+
+ -- Peter Palfrader <weasel@debian.org>  Fri, 27 Apr 2007 13:06:37 +0200
+
+tor (0.1.2.13-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- Peter Palfrader <weasel@debian.org>  Tue, 24 Apr 2007 21:21:10 +0200
+
+tor (0.1.2.12-rc-1) experimental; urgency=low
+
+  * New upstream version.
+
+ -- Peter Palfrader <weasel@debian.org>  Sat, 17 Mar 2007 11:35:31 +0100
+
+tor (0.1.2.10-rc-1) experimental; urgency=low
+
+  * New upstream version.
+  * Change recommends on privoxy to privoxy | polipo (>= 1) (closes: #413728).
+
+ -- Peter Palfrader <weasel@debian.org>  Fri,  9 Mar 2007 10:57:40 +0100
+
 tor (0.1.2.8-beta-1) experimental; urgency=low
 
-  *  upstream version.
+  * New upstream version.
 
  -- Peter Palfrader <weasel@debian.org>  Mon, 26 Feb 2007 11:50:49 +0100
 

debian/control

@@ -2,13 +2,14 @@ Source: tor
 Section: comm
 Priority: optional
 Maintainer: Peter Palfrader <weasel@debian.org>
-Build-Depends: debhelper (>= 4.1.65), libssl-dev, dpatch, zlib1g-dev, libevent-dev (>= 1.1), tetex-bin, tetex-extra, transfig, gs, binutils (>= 2.14.90.0.7)
+Build-Depends: debhelper (>= 4.1.65), libssl-dev, dpatch, zlib1g-dev, libevent-dev (>= 1.1), texlive-base-bin, texlive-latex-base, texlive-fonts-recommended, transfig, gs, binutils (>= 2.14.90.0.7)
 Standards-Version: 3.7.2
 
 Package: tor
 Architecture: any
 Depends: ${shlibs:Depends}, adduser, tsocks
-Recommends: privoxy, socat
+Conflicts: libssl0.9.8 (<< 0.9.8g-9)
+Recommends: privoxy | polipo (>= 1), socat
 Suggests: mixmaster, mixminion, anon-proxy
 Description: anonymizing overlay network for TCP
  Tor is a connection-based low-latency anonymous communication system which

debian/copyright

@@ -9,14 +9,16 @@ Upstream Authors: Roger Dingledine <arma@freehaven.net>
 Copyright (c) 2001 Matej Pfajfar
 Copyright (c) 2001-2004, Roger Dingledine
 Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
+Copyright (c) 2007-2008, The Tor Project, Inc.
 strlcat, strlcpy: Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
 ht.h: Copyright (c) 2002, Christopher Clark, 2006 Nick Mathewson
-Modifications for Debian: Copyright (c) 2004, 2005, 2006 Peter Palfrader
+Modifications for Debian: Copyright (c) 2004, 2005, 2006, 2007, 2008 Peter Palfrader
 
 Tor is distributed under this license:
 ===============================================================================
 Copyright (c) 2001-2004, Roger Dingledine
 Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
+Copyright (c) 2007-2008, The Tor Project, Inc.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are

debian/patches/06_add_compile_time_defaults.dpatch

@@ -23,9 +23,9 @@ esac
 exit 0
 
 @DPATCH@
-diff -urNad tor~/src/or/config.c tor/src/or/config.c
---- tor~/src/or/config.c	2006-07-23 19:31:29.000000000 +0200
-+++ tor/src/or/config.c	2006-07-24 05:13:19.924871985 +0200
+diff -urNad tor-debian~/src/or/config.c tor-debian/src/or/config.c
+--- tor-debian~/src/or/config.c	2007-03-06 21:52:33.000000000 +0100
++++ tor-debian/src/or/config.c	2007-04-27 13:05:42.420147495 +0200
 @@ -12,6 +12,7 @@
   **/
  
@@ -34,8 +34,8 @@ diff -urNad tor~/src/or/config.c tor/src/or/config.c
  #ifdef MS_WINDOWS
  #include <shlobj.h>
  #endif
-@@ -396,6 +397,10 @@
- static void check_libevent_version(const char *m, const char *v, int server);
+@@ -592,6 +593,10 @@
+ static void check_libevent_version(const char *m, int server);
  #endif
  
 +static int debian_running_as_debiantor();
@@ -44,8 +44,8 @@ diff -urNad tor~/src/or/config.c tor/src/or/config.c
 +
  /*static*/ or_options_t *options_new(void);
  
- #define OR_OPTIONS_MAGIC 9090909
-@@ -2663,7 +2668,7 @@
+ /** Magic value for or_options_t. */
+@@ -2982,7 +2987,7 @@
  int
  options_init_from_torrc(int argc, char **argv)
  {
@@ -54,7 +54,7 @@ diff -urNad tor~/src/or/config.c tor/src/or/config.c
    config_line_t *cl;
    char *cf=NULL, *fname=NULL, *errmsg=NULL;
    int i, retval;
-@@ -2671,6 +2676,9 @@
+@@ -2991,6 +2996,9 @@
    static char **backup_argv;
    static int backup_argc;
  
@@ -64,7 +64,17 @@ diff -urNad tor~/src/or/config.c tor/src/or/config.c
    if (argv) { /* first time we're called. save commandline args */
      backup_argv = argv;
      backup_argc = argc;
-@@ -3948,3 +3956,52 @@
+@@ -3120,7 +3128,8 @@
+  err:
+   tor_free(fname);
+   torrc_fname = NULL;
+-  config_free(&options_format, newoptions);
++  if (newoptions)
++    config_free(&options_format, newoptions);
+   if (errmsg) {
+     log(LOG_WARN,LD_CONFIG,"Failed to parse/validate config: %s", errmsg);
+     tor_free(errmsg);
+@@ -4306,3 +4315,52 @@
    puts(routerparse_c_id);
  }
  
@@ -79,7 +89,7 @@ diff -urNad tor~/src/or/config.c tor/src/or/config.c
 +  uid = getuid();
 +  pw = getpwuid(uid);
 +  if (!pw) {
-+    log(LOG_WARN, LD_GENERAL, "Could not get passwd information for %d.", uid);
++    log(LOG_WARN, LD_GENERAL, "Could not get passwd information for uid %d.", uid);
 +    return -1;
 +  }
 +  assert(pw->pw_name);

debian/rules

@@ -92,7 +92,7 @@ build-stamp:  config.status
 	@echo
 
 	# XXX
-	# So, gs-gpl on s390 is broken (#321435) and fails to properly build
+	# So, gs-gpl on s390 is broken (#457568) and fails to properly build
 	# .pdf files from .fig files using fig2dev.  Therefore we ship them
 	# until this bug is fixed.
 	#
@@ -100,15 +100,15 @@ build-stamp:  config.status
 	#
 	# the hexdumps were built using something like
 	#   perl -e 'while (<>) { print unpack ("H*", $_); }' interaction.pdf | fold > hexdump-interaction.pdf
-	if [ "$(DEB_BUILD_GNU_TYPE)" = "s390-linux-gnu" ]; then \
-		cd doc/design-paper; \
+	# 
+	# And it fails on a bunch of other archs too.
+	cd doc/design-paper; \
 		fig2dev -L pdf cell-struct.fig cell-struct.pdf || \
 			( echo "** Using shipped pdf file because fig2dev failed"; \
 			  perl -e 'while (<>) { chomp; print pack ("H*", $$_); }' ../../debian/hexdump-cell-struct.pdf > cell-struct.pdf ); \
 		fig2dev -L pdf interaction.fig interaction.pdf || \
 			( echo "** Using shipped pdf file because fig2dev failed"; \
 			  perl -e 'while (<>) { chomp; print pack ("H*", $$_); }' ../../debian/hexdump-interaction.pdf > interaction.pdf ); \
-	fi
 	# XXX ends
 
 	make -C doc/design-paper tor-design.ps tor-design.pdf

debian/tor.NEWS

@@ -0,0 +1,16 @@
+tor (0.2.0.26-rc-1) experimental; urgency=critical
+
+  * weak cryptographic keys
+
+    It has been discovered that the random number generator in Debian's
+    openssl package is predictable.  This is caused by an incorrect
+    Debian-specific change to the openssl package (CVE-2008-0166).  As a
+    result, cryptographic key material may be guessable.
+
+    See Debian Security Advisory number 1571 (DSA-1571) for more information:
+    http://lists.debian.org/debian-security-announce/2008/msg00152.html
+
+    If you run a Tor server using this package please see
+    /var/lib/tor/keys/moved-away-by-tor-package/README.REALLY
+
+ -- Peter Palfrader <weasel@debian.org>  Tue, 13 May 2008 12:49:05 +0200

debian/tor.init

@@ -90,9 +90,9 @@ case "$1" in
 	fi
 
 	echo "Starting $DESC: $NAME..."
-	if ! su -c "$DAEMON --verify-config" debian-tor > /dev/null; then
+	if ! su -s /bin/sh -c "$DAEMON --verify-config" debian-tor > /dev/null; then
 		echo "ABORTED: Tor configuration invalid:" >&2
-		su -c "$DAEMON --verify-config" debian-tor >&2
+		su -s /bin/sh -c "$DAEMON --verify-config" debian-tor >&2
 		exit 1
 	fi
 
@@ -131,9 +131,9 @@ case "$1" in
 		exit 0
 	fi
 
-	if ! su -c "$DAEMON --verify-config" debian-tor > /dev/null; then
+	if ! su -s /bin/sh -c "$DAEMON --verify-config" debian-tor > /dev/null; then
 		echo "ABORTED: Tor configuration invalid:" >&2
-		su -c "$DAEMON --verify-config" debian-tor >&2
+		su -s /bin/sh -c "$DAEMON --verify-config" debian-tor >&2
 		exit 1
 	fi
 
@@ -148,9 +148,9 @@ case "$1" in
 	fi
 	;;
   restart)
-	if ! su -c "$DAEMON --verify-config" debian-tor > /dev/null; then
+	if ! su -s /bin/sh -c "$DAEMON --verify-config" debian-tor > /dev/null; then
 		echo "Restarting Tor ABORTED: Tor configuration invalid:" >&2
-		su -c "$DAEMON --verify-config" debian-tor >&2
+		su -s /bin/sh -c "$DAEMON --verify-config" debian-tor >&2
 		exit 1
 	fi
 

debian/tor.postinst

@@ -61,6 +61,68 @@ else
     fi
 fi
 
+
+move_away_keys=0
+
+if [ "$1" = "configure" ] &&
+   [ -e /var/lib/tor/keys ] &&
+   [ ! -z "$2" ]; then
+	if dpkg --compare-versions "$2" lt 0.1.2.19-2; then
+		move_away_keys=1
+	fi
+fi
+if [ "$move_away_keys" = "1" ]; then
+	echo "Retiring possibly compromised keys.  See /usr/share/doc/tor/NEWS.Debian.gz"
+	echo "and /var/lib/tor/keys/moved-away-by-tor-package/README.REALLY for"
+	echo "further information."
+	if ! [ -d /var/lib/tor/keys/moved-away-by-tor-package ]; then
+		mkdir /var/lib/tor/keys/moved-away-by-tor-package
+		cat > /var/lib/tor/keys/moved-away-by-tor-package/README.REALLY << EOF
+It has been discovered that the random number generator in Debian's
+openssl package is predictable.  This is caused by an incorrect
+Debian-specific change to the openssl package (CVE-2008-0166).  As a
+result, cryptographic key material may be guessable.
+
+See Debian Security Advisory number 1571 (DSA-1571) for more information:
+http://lists.debian.org/debian-security-announce/2008/msg00152.html
+
+The Debian package for Tor has moved away the onion keys upon package
+upgrade, and it will have moved away your identity key if it was created
+in the affected timeframe.  There is no sure way to automatically tell
+if your key was created with an affected openssl library, so this move
+is done unconditionally.
+
+If you have restarted Tor since this change (and the package probably
+did that for you already unless you configured your system differently)
+then the Tor daemon already created new keys for itself and in all
+likelyhood is already working just fine with new keys.
+
+If you are absolutely certain that your identity key was created with
+a non-affected version of openssl and for some reason you have to retain
+the old identity, then you can move back the copy of secret_id_key to
+/var/lib/tor/keys.  Do not move back the onion keys, they were created
+only recently since they are temporary keys with a lifetime of only a few
+days anyway.
+
+Sincerely,
+Peter Palfrader, Tue, 13 May 2008 13:32:23 +0200
+EOF
+	fi
+	for f in secret_onion_key secret_onion_key.old; do
+		if [ -e /var/lib/tor/keys/"$f" ]; then
+			mv -v /var/lib/tor/keys/"$f" /var/lib/tor/keys/moved-away-by-tor-package/"$f"
+		fi
+	done
+	if [ -e /var/lib/tor/keys/secret_id_key ]; then
+		id_mtime=`/usr/bin/stat -c %Y /var/lib/tor/keys/secret_id_key`
+		sept=`date -d '2006-09-10' +%s`
+		if [ "$id_mtime" -gt "$sept" ] ; then
+			mv -v /var/lib/tor/keys/secret_id_key /var/lib/tor/keys/moved-away-by-tor-package/secret_id_key
+		fi
+	fi
+fi
+
+
 #DEBHELPER#
 
 exit 0

doc/TODO.012

@@ -0,0 +1,35 @@
+(Remember to include both the revision number _AND_ an abbreviated
+description of the patch.)
+
+Backport items for 0.1.2:
+  o r11166: Don't believe future dates from the state file.
+  o r11828+: Detect bad sa_family from accept().
+  o r11882: Avoid crash-bug 451.
+  o r11886: Consider family as well as identity when cannibalizing circuits.
+  - backport the osx privoxy.config changes
+  X no need to backport the windows privoxy.config changes because they're
+    not in SVN??
+  o r12339: rlim_t may be wider than unsigned long.
+  o r12341: Work if the real open-file limit is OPEN_FILES.
+  o r12459: Exit policies reject public IP address too
+  X r13532: Drop tor_strpartition().
+
+Backport for 0.1.2.x once better tested:
+  D r11287: Reject address mappings to internal addresses. (??)
+    (this will break some existing test-network configurations, yes?)
+  o r11499, r11500, r11501: hidserv hexdigests rather than nicknames
+  o r11829: Don't warn when cancel_pending_resolve() finds a cached failure.
+  o r11915: just because you hup, don't publish a near-duplicate descriptor
+  d r11994: Call routerlist_remove_old_routers() less.  This will be a
+            tricky backport.
+  X r12153 and r12154: Give better warnings when we fail to mmap a descriptor
+            store that we just wrote.
+  X r12945: better cross-compilation support in configure.in
+  X r12946: iPhone support; requires r12945.
+  X r13647: Make "trackhostexits ." work
+    - Document that trackhostexits . doesn't work in 0.1.2.x
+  - r13406: fix bandwidth bucket calculations
+  - r13372: Don't use ourselves as intro point, rend point, or final hop
+    for internal circuits.
+  - r13643: reset timeout when flushing final bytes from a connection.
+  - r13655: avoid flush on connection closed because of bug.

doc/design-paper/tor-design.bib

@@ -199,13 +199,13 @@
 @Misc{tor-spec,
    author =      {Roger Dingledine and Nick Mathewson},
    title =       {Tor Protocol Specifications},
-   note =        {\url{http://tor.eff.org/svn/trunk/doc/tor-spec.txt}},
+   note =        {\url{https://www.torproject.org/svn/trunk/doc/tor-spec.txt}},
 }
 
 @Misc{incentives-txt,
    author =      {Roger Dingledine and Nick Mathewson},
    title =       {Tor Incentives Design Brainstorms},
-   note =        {\url{http://tor.eff.org/svn/trunk/doc/incentives.txt}},
+   note =        {\url{https://www.torproject.org/svn/trunk/doc/incentives.txt}},
 }
 
 @InProceedings{BM:mixencrypt,
@@ -1134,7 +1134,7 @@
   booktitle = {Proceedings of the 13th USENIX Security Symposium},
   year = {2004},
   month = {August},
-  note = {\url{http://tor.eff.org/tor-design.pdf}}
+  note = {\url{https://www.torproject.org/tor-design.pdf}}
 }
 
 @inproceedings{flow-correlation04,

doc/spec/control-spec.txt

@@ -194,7 +194,7 @@ $Id$
      EventCode = "CIRC" / "STREAM" / "ORCONN" / "BW" / "DEBUG" /
          "INFO" / "NOTICE" / "WARN" / "ERR" / "NEWDESC" / "ADDRMAP" /
          "AUTHDIR_NEWDESCS" / "DESCCHANGED" / "STATUS_GENERAL" /
-         "STATUS_CLIENT" / "STATUS_SERVER" / "GUARDS" / "NS" / "STREAM_BW"
+         "STATUS_CLIENT" / "STATUS_SERVER" / "GUARD" / "NS" / "STREAM_BW"
 
   Any events *not* listed in the SETEVENTS line are turned off; thus, sending
   SETEVENTS with an empty body turns off all event reporting.
@@ -299,8 +299,8 @@ $Id$
   address.
 
   Example:
-    C: MAPADDRESS 0.0.0.0=tor.eff.org 1.2.3.4=tor.freehaven.net
-    S: 250-127.192.10.10=tor.eff.org
+    C: MAPADDRESS 0.0.0.0=torproject.org 1.2.3.4=tor.freehaven.net
+    S: 250-127.192.10.10=torproject.org
     S: 250 1.2.3.4=tor.freehaven.net
 
   {Note: This feature is designed to be used to help Tor-ify applications
@@ -378,8 +378,8 @@ $Id$
     "addr-mappings/all"
     "addr-mappings/config"
     "addr-mappings/cache"
-    "addr-mappings/control" -- a space-separated list of address
-      mappings, each in the form of "from-address=to-address".
+    "addr-mappings/control" -- a \r\n-separated list of address
+      mappings, each in the form of "from-address to-address".
       The 'config' key returns those address mappings set in the
       configuration; the 'cache' key returns the mappings in the
       client-side DNS cache; the 'control' key returns the mappings set
@@ -1263,7 +1263,7 @@ $Id$
 4.1.11. Our set of guard nodes has changed
 
   Syntax:
-     "650" SP "GUARDS" SP Type SP Name SP Status ... CRLF
+     "650" SP "GUARD" SP Type SP Name SP Status ... CRLF
      Type = "ENTRY"
      Name = The (possibly verbose) nickname of the guard affected.
      Status = "NEW" | "UP" | "DOWN" | "BAD" | "GOOD" | "DROPPED"

doc/spec/dir-spec.txt

@@ -642,9 +642,10 @@ $Id$
    When choosing which documents to download, clients treat their list of
    directory authorities as a circular ring, and begin with the authority
    appearing immediately after the authority for their most recently
-   retrieved network-status document.  If this attempt fails, the client
-   retries at other caches several times, before moving on to the next
-   network-status document in sequence.
+   retrieved network-status document.  If this attempt fails (either it
+   fails to download at all, or the one it gets is not as good as the
+   one it has), the client retries at other caches several times, before
+   moving on to the next network-status document in sequence.
 
    Clients discard all network-status documents over 24 hours old.
 

doc/spec/rend-spec.txt

@@ -4,7 +4,7 @@ $Id$
 
 0. Overview and preliminaries
 
-   Read http://tor.eff.org/doc/design-paper/tor-design.html#sec:rendezvous
+   Read https://www.torproject.org/doc/design-paper/tor-design.html#sec:rendezvous
    before you read this specification. It will make more sense.
 
    Rendezvous points provide location-hidden services (server

doc/tor-doc-osx.html

@@ -10,7 +10,7 @@
 
 <p>
 This document is obsolete. See the new <a
-href="http://tor.eff.org/documentation.html">Tor documentation</a> page.
+href="https://www.torproject.org/documentation.html">Tor documentation</a> page.
 </p>
 
 </body>

doc/tor-doc-server.html

@@ -10,7 +10,7 @@
 
 <p>
 This document is obsolete. See the new <a
-href="http://tor.eff.org/documentation.html">Tor documentation</a> page.
+href="https://www.torproject.org/documentation.html">Tor documentation</a> page.
 </p>
 
 </body>

doc/tor-doc-unix.html

@@ -10,7 +10,7 @@
 
 <p>
 This document is obsolete. See the new <a
-href="http://tor.eff.org/documentation.html">Tor documentation</a> page.
+href="https://www.torproject.org/documentation.html">Tor documentation</a> page.
 </p>
 
 </body>

doc/tor-doc-win32.html

@@ -10,7 +10,7 @@
 
 <p>
 This document is obsolete. See the new <a
-href="http://tor.eff.org/documentation.html">Tor documentation</a> page.
+href="https://www.torproject.org/documentation.html">Tor documentation</a> page.
 </p>
 
 </body>

doc/tor-doc.html

@@ -10,7 +10,7 @@
 
 <p>
 This document is obsolete. See the new <a
-href="http://tor.eff.org/documentation.html">Tor documentation</a> page.
+href="https://www.torproject.org/documentation.html">Tor documentation</a> page.
 </p>
 
 </body>

doc/tor-hidden-service.html

@@ -10,7 +10,7 @@
 
 <p>
 This document is obsolete. See the new <a
-href="http://tor.eff.org/documentation.html">Tor documentation</a> page.
+href="https://www.torproject.org/documentation.html">Tor documentation</a> page.
 </p>
 
 </body>

doc/tor-osx-dmg-creation.txt

@@ -2,7 +2,7 @@
 ##
 
 The following steps are the exact steps used to produce the "official"
-OSX builds of tor
+OSX builds of tor.
 
 Summary:
 1) Compile and install a static version of the latest release of
@@ -10,53 +10,21 @@ libevent.
 2) Acquire privoxyosx_setup_3.0.6.zip.  
 http://downloads.sourceforge.net/ijbswa/privoxyosx_setup_3.0.6.zip?modtime=1164104652&big_mirror=0
   Remember where you put this file.
-3) Acquire and install your preferred version of tor via "make
-dist-osx"
-
-Details:
-### Compiling libevent
-
-1)  Download the latest libevent from
-http://www.monkey.org/~provos/libevent/
-
-2) The first step of compiling libevent is to configure it as
-follows:
-       ./configure --enable-static --disable-shared
-
-3) Complete the "make" and "make install".  You will need to be root,
-or sudo -s, to complete the "make install".
-
-4) If you have previouslly installed libevent, go rm the old libevent.so*
-files so the linker doesn't get suckered into using them.
-
-
-### Acquiring privoxy
-
-1) Download osx privoxy source from
-http://downloads.sourceforge.net/ijbswa/privoxyosx_setup_3.0.6.zip?modtime=1164104652&big_mirror=0
-
-2) Edit /path/to/tor/contrib/osx/package.sh and confirm
-PRIVOXY_PKG_ZIP= is set to the correct path to find the
-file privoxyosx_setup_3.0.6.zip
-
-
-## Compiling Tor
-
-1) Get your preferred version of the tor source from tor.eff.org.
-
-2) In the top level, this means /path/to/tor/, not tor/contrib/osx,
-do a configure with these parameters:
-     CONFDIR=/Library/Tor ./configure --prefix=/Library/Tor \
-     --bindir=/Library/Tor --sysconfdir=/Library  \
-     --enable-static --disable-shared
-
-3) In same top level dir, do a "make dist-osx".  There now exists a
-.dmg file in the same directory.  Install from this dmg.
-
+3) Acquire torbutton xpi and license file.
+4) Acquire and install your preferred version of tor. Extract.
+5) Update some variables in contrib/osx/package.sh
+6) "make dist-osx"
+7) You now have a dmg from which you can install Tor, Privoxy, and the
+Torbutton extension for Firefox.
 
 ## Universal Binaries for OSX PPC and X86
+## This method works in OSX 10.4 (Tiger) and 10.5 (Leopard) only.
+## See far below if you don't care about cross compiling for PPC and X86.
+## The single architecture process starts with "###"
 
-1) Install XCode 2.4 updates available from http://developer.apple.com.
+1) Install XCode 2.4.1 updates available from http://developer.apple.com.
+
+## Compiling libevent
 
 2)  Download latest libevent from
 http://www.monkey.org/~provos/libevent/
@@ -75,30 +43,109 @@ by default, in /usr/local/lib/.
 
 5) Check for a successful universal binary of libevent.a in, by default,
 /usr/local/lib by using the following command:
-	file /usr/local/lib/libevent.a
+	"file /usr/local/lib/libevent.a"
 
 	Your output should be:
 /usr/local/lib/libevent.a: Mach-O fat file with 2 architectures
 /usr/local/lib/libevent.a (for architecture i386):      current ar archive random library
 /usr/local/lib/libevent.a (for architecture ppc):       current ar archive
 
-6) Get your preferred version of the tor source from tor.eff.org.
+## Acquiring privoxy
 
-7) In the top level, this means /path/to/tor/, not tor/contrib/osx,
+6) Download osx privoxy source from
+http://downloads.sourceforge.net/ijbswa/privoxyosx_setup_3.0.6.zip?modtime=1164104652&big_mirror=0
+
+7) Place the privoxyosx_setup_3.0.6.zip in a location of your choice.
+Remember this location.
+
+8) Get your preferred version of Torbutton from https://torbutton.torproject.org.
+Place into a location of your choosing, remember this location.
+
+9) Get the torbutton LICENSE file from https://torbutton.torproject.org.
+Place into a location of your choosing, remember this location.
+
+10) Get your preferred version of the tor source from https://www.torproject.org/download.  
+Extract the tarball.
+
+11) Update three variables in contrib/osx/package.sh:
+PRIVOXY_PKG_ZIP=~/tmp/privoxyosx_setup_3.0.6.zip
+TORBUTTON_PATH=~/tmp/torbutton-1.1.9.1-alpha.xpi
+TORBUTTON_LIC_PATH=~/tmp/LICENSE
+
+Make sure the paths are correct.  The build will fail if they are not.
+
+12) In the top level, this means /path/to/tor/, not tor/contrib/osx,
 do a configure with these parameters:
 CFLAGS="-O -g -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch i386 -arch ppc" \
 LDFLAGS="-Wl,-syslibroot,/Developer/SDKs/MacOSX10.4u.sdk" \
 CONFDIR=/Library/Tor \
 ./configure --prefix=/Library/Tor --bindir=/Library/Tor \
---sysconfdir=/Library --enable-static --disable-shared \
---disable-dependency-tracking
+--sysconfdir=/Library --disable-dependency-tracking
 
-8) "make dist-osx"
+13) "make dist-osx"
 
-9) Confirm you have created a universal binary by issuing the follow command:
-file src/or/tor
+14) Confirm you have created a universal binary by issuing the follow command:
+"file src/or/tor".  Its output should be as follows:
 src/or/tor: Mach-O fat file with 2 architectures
 src/or/tor (for architecture i386):     Mach-O executable i386
 src/or/tor (for architecture ppc):      Mach-O executable ppc
 
-Congrats.  You have a universal binary.
+15) There should exist in the top-level directory a
+Tor-$VERSION-universal-$OS-Bundle.dmg
+
+16) Congrats.  You have a universal binary. You are now ready to install Tor,
+Privoxy, and the Torbutton extension for Firefox.
+
+
+### Single Architecture Binaries for PPC or X86, not both.
+### This method works in all versions of OSX 10.1 through 10.5
+
+### Compiling libevent
+
+1)  Download the latest libevent from
+http://www.monkey.org/~provos/libevent/
+
+2) The first step of compiling libevent is to configure it as
+follows:
+       ./configure --enable-static --disable-shared
+
+3) Complete the "make" and "make install".  You will need to be root,
+or sudo -s, to complete the "make install".
+
+4) If you have previouslly installed libevent, go rm the old libevent.so*
+files so the linker doesn't get suckered into using them.
+
+### Acquiring privoxy
+
+1) Download osx privoxy source from
+http://downloads.sourceforge.net/ijbswa/privoxyosx_setup_3.0.6.zip?modtime=1164104652&big_mirror=0
+
+2) Place the privoxyosx_setup_3.0.6.zip in a location of your choice.
+Remember this location.
+
+### Compiling Tor
+
+1) Get your preferred version of Torbutton from
+https://torbutton.torproject.org.  
+Place into a location of your choosing, remember this location.
+
+2) Get the torbutton LICENSE file from https://torbutton.torproject.org.  
+Place into a location of your choosing, remember this location.
+
+3) Get your preferred version of the tor source from https://www.torproject.org.  Extract the
+tarball.
+
+4) Update three variables in contrib/osx/package.sh:
+PRIVOXY_PKG_ZIP=~/tmp/privoxyosx_setup_3.0.6.zip
+TORBUTTON_PATH=~/tmp/torbutton-1.1.9.1-alpha.xpi
+TORBUTTON_LIC_PATH=~/tmp/LICENSE
+
+Make sure the paths are correct.  The build will fail if they are not.
+
+5) In the top level, this means /path/to/tor/, not tor/contrib/osx,
+do a configure with these parameters:
+     CONFDIR=/Library/Tor ./configure --prefix=/Library/Tor \
+     --bindir=/Library/Tor --sysconfdir=/Library
+
+6) In same top level dir, do a "make dist-osx".  There now exists a
+.dmg file in the same directory.  Install from this dmg.

doc/tor-switchproxy.html

@@ -10,7 +10,7 @@
 
 <p>
 This document is obsolete. See the new <a
-href="http://tor.eff.org/documentation.html">Tor documentation</a> page.
+href="https://www.torproject.org/documentation.html">Tor documentation</a> page.
 </p>
 
 </body>

doc/tor-win32-mingw-creation.txt

@@ -5,7 +5,7 @@ Stage One:  Download and Install MinGW.
 ---------------------------------------
 
 Download mingw:
-http://prdownloads.sf.net/mingw/MinGW-5.0.3.exe?download
+http://prdownloads.sf.net/mingw/MinGW-5.1.3.exe?download
 
 Download msys:
 http://prdownloads.sf.net/mingw/MSYS-1.0.10.exe?download
@@ -13,7 +13,13 @@ http://prdownloads.sf.net/mingw/MSYS-1.0.10.exe?download
 Download the mingw developer tool kit:
 http://prdownloads.sf.net/mingw/msysDTK-1.0.1.exe?download
 
-Install mingw, msys and mingw-dtk.
+Download the mingw autoconf-2.59 update:
+http://prdownloads.sf.net/mingw/msys-autoconf-2.59.tar.bz2?download
+
+Install mingw, msys and mingw-dtk.  Extract msys-autoconf-2.59.tar.bz2 into
+your mingw install location.  For example, if you installed mingw into
+/c/mingw/1.0/ you want to extract msys-autoconf-2.59.tar.bz2 into this
+directory.
 
 Create a directory called "tor-mingw".
 
@@ -21,22 +27,22 @@ Stage Two:  Download, extract, compile openssl
 ----------------------------------------------
 
 Download openssl:
-http://www.openssl.org/source/openssl-0.9.8d.tar.gz
+http://www.openssl.org/source/openssl-0.9.8g.tar.gz
 
 Extract openssl:
 Copy the openssl tarball into the "tor-mingw" directory.
 Type "cd tor-mingw/"
-Type "tar zxf openssl-0.9.8d.tar.gz"
+Type "tar zxf openssl-0.9.8g.tar.gz"
 
 Make openssl libraries:
-Type "cd tor-mingw/openssl-0.9.8d/"
-Type "./Configure mingw"
+Type "cd tor-mingw/openssl-0.9.8g/"
+Type "./Configure -no-idea -no-rc5 -no-mdc2 mingw"
 Edit Makefile and remove the "test:" and "tests:" sections.
 Type "rm -rf ./test"
 Type "cd crypto/"
 Type "find ./ -name "*.h" -exec cp {} ../include/openssl/ \;"
 Type "cd ../ssl/"
-Type "find ./ -name "*.h" -exec cp {} ../include/openssl/ \;
+Type "find ./ -name "*.h" -exec cp {} ../include/openssl/ \;"
 Type "cd .."
 Type "cp *.h include/openssl/"
 # The next steps can take up to 30 minutes to complete.
@@ -77,39 +83,45 @@ Type "make -f win32/Makefile.gcc"
 Done.
 
 
-Stage Four: Download, extract, and patch libevent-1.1b.
+Stage Four: Download, extract, and compile libevent-1.3e
 ------------------------------------------------------
 
-Download libevent-1.3a:
+Download the libevent 1.3e release:
 http://www.monkey.org/~provos/libevent/
 
 Copy the libevent tarball into the "tor-mingw" directory.
 Type "cd tor-mingw"
 
-Extract libevent: 
-Type "tar zxf libevent-1.3a.tar.gz"
+Extract libevent.
 
 Type "./configure --enable-static --disable-shared"
---------------------libevent 1.3a only---------------------------------------
-You need to manually edit the Makefile and remove all references to "sample".
-libevent 1.3a won't compile in mingw currently due to issues in event_test.c.
-Removing the "sample" directory and all references to it in Makefile create a
-completely valid libevent library.
------------------------------------------------------------------------------
 Type "make"
 Type "make install"
 
 Stage Five:  Build Tor
 ----------------------
 
-Download the current Tor alpha release from http://tor.eff.org/download.html.
+Download the current Tor alpha release from https://www.torproject.org/download.html.
 Copy the Tor tarball into the "tor-mingw" directory.
 Extract Tor:
 Type "tar zxf latest-tor-alpha.tar.gz"
 
 cd tor-<version>
-Type "./configure --enable-static --disable-shared"
+Type "./configure"
 Type "make"
 
 You now have a tor.exe in src/or/.  This is Tor.
-You now have a tor_resolve.exe in src/tools/.
+You now have a tor-resolve.exe in src/tools/.
+
+Stage Six:  Build the installer
+-------------------------------
+
+Install the latest NSIS:
+http://nsis.sourceforge.net/Download
+
+Run the package script in contrib:
+From the Tor build directory above, run:
+"./contrib/package_nsis-mingw.sh"
+
+The resulting Tor installer executable is in ./win_tmp/.
+

doc/tor.1.in

@@ -417,13 +417,6 @@ but never attach a new stream to a circuit that is too old.
 (Default: 10 minutes)
 .LP
 .TP
-\fBNodeFamily \fR\fInickname\fR,\fInickname\fR,\fI...\fP
-The named Tor servers constitute a "family" of similar or co-administered
-servers, so never use any two of them in the same circuit. Defining a
-NodeFamily is only needed when a server doesn't list the family itself
-(with MyFamily). This option can be used multiple times.
-.LP
-.TP
 \fBEnforceDistinctSubnets \fR\fB0\fR|\fB1\fR\fP
 If 1, Tor will not put two servers whose IP addresses are "too
 close" on the same circuit.  Currently, two addresses are
@@ -545,7 +538,7 @@ resolved.  This helps trap accidental attempts to resolve URLs and so on.
 (Default: 0)
 .LP
 .TP
-\fBFastFirstHopPK \fR\fB0\fR|fB1\fR\fP
+\fBFastFirstHopPK \fR\fB0\fR|\fB1\fR\fP
 When this option is enabled and we aren't running as a server, Tor
 skips the public key step for the first hop of creating circuits.  This is
 safe since we have already used TLS to authenticate the server and to
@@ -628,11 +621,13 @@ To specify all internal and link-local networks (including 0.0.0.0/8,
 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, and
 172.16.0.0/12), you can use the "private" alias instead of an address.
 These addresses are rejected by default (at the beginning of your
-exit policy) unless you set the ExitPolicyRejectPrivate config option
+exit policy), along with your public IP address, unless you set the
+ExitPolicyRejectPrivate config option
 to 0. For example, once you've done that, you could allow HTTP to
 127.0.0.1 and block all other connections to internal networks with
-"accept
-127.0.0.1:80,reject private:*".  See RFC 1918 and RFC 3330 for more
+"accept 127.0.0.1:80,reject private:*", though that may also allow
+connections to your own computer that are addressed to its public
+(external) IP address. See RFC 1918 and RFC 3330 for more
 details about internal and reserved IP address space.
 
 This directive can be specified multiple times so you don't have to put
@@ -662,7 +657,8 @@ either a reject *:* or an accept *:*. Otherwise, you're _augmenting_
 .LP
 .TP
 \fBExitPolicyRejectPrivate \fR\fB0\fR|\fB1\fR\fP
-Reject all private (local) networks at the beginning of your exit
+Reject all private (local) networks, along with your own public IP
+address, at the beginning of your exit
 policy. See above entry on ExitPolicy. (Default: 1)
 .LP
 .TP
@@ -1090,7 +1086,7 @@ The private key for this hidden service.
 .BR tsocks (1),
 .BR torify (1)
 
-.BR http://tor.eff.org/
+.BR https://www.torproject.org/
 
 .SH BUGS
 Plenty, probably. Tor is still in development. Please report them.

src/common/compat.c

@@ -94,6 +94,9 @@ const char compat_c_id[] =
 #ifdef HAVE_SYS_MMAN_H
 #include <sys/mman.h>
 #endif
+#ifdef HAVE_SYS_SYSLIMITS_H
+#include <sys/syslimits.h>
+#endif
 
 #ifdef USE_BSOCKETS
 #include <bsocket.h>
@@ -155,19 +158,18 @@ tor_mmap_file(const char *filename)
     /* Zero-length file. If we call mmap on it, it will succeed but
      * return NULL, and bad things will happen. So just fail. */
     log_info(LD_FS,"File \"%s\" is empty. Ignoring.",filename);
+    close(fd);
     return NULL;
   }
 
   string = mmap(0, size, PROT_READ, MAP_PRIVATE, fd, 0);
+  close(fd);
   if (string == MAP_FAILED) {
-    close(fd);
     log_warn(LD_FS,"Could not mmap file \"%s\": %s", filename,
              strerror(errno));
     return NULL;
   }
 
-  close(fd);
-
   res = tor_malloc_zero(sizeof(tor_mmap_impl_t));
   res->base.data = string;
   res->base.size = filesize;
@@ -199,8 +201,8 @@ tor_mmap_file(const char *filename)
   res->mmap_handle = NULL;
 
   res->file_handle = CreateFile(filename,
-                                GENERIC_READ,
-                                0, NULL,
+                                GENERIC_READ, FILE_SHARE_READ,
+                                NULL,
                                 OPEN_EXISTING,
                                 FILE_ATTRIBUTE_NORMAL,
                                 0);
@@ -606,6 +608,10 @@ tor_socketpair(int family, int type, int protocol, int fd[2])
 
 #define ULIMIT_BUFFER 32 /* keep 32 extra fd's beyond _ConnLimit */
 
+#if defined(HAVE_GETRLIMIT) && !defined(HAVE_RLIM_T)
+typedef unsigned long rlim_t;
+#endif
+
 /** Learn the maximum allowed number of file descriptors. (Some systems
  * have a low soft limit.
  *
@@ -627,7 +633,7 @@ set_max_file_descriptors(unsigned long limit, unsigned long cap)
   }
 #else
   struct rlimit rlim;
-  unsigned long most;
+  rlim_t most;
   tor_assert(limit > 0);
   tor_assert(cap > 0);
 
@@ -642,16 +648,40 @@ set_max_file_descriptors(unsigned long limit, unsigned long cap)
              limit, (unsigned long)rlim.rlim_max);
     return -1;
   }
-  most = (rlim.rlim_max > cap) ? cap : (unsigned) rlim.rlim_max;
+  most = (rlim.rlim_max > (rlim_t)cap) ? (rlim_t)cap : rlim.rlim_max;
   if (most > rlim.rlim_cur) {
     log_info(LD_NET,"Raising max file descriptors from %lu to %lu.",
-             (unsigned long)rlim.rlim_cur, most);
+             (unsigned long)rlim.rlim_cur, (unsigned long)most);
   }
   rlim.rlim_cur = most;
   if (setrlimit(RLIMIT_NOFILE, &rlim) != 0) {
-    log_warn(LD_CONFIG, "Could not set maximum number of file descriptors: %s",
-             strerror(errno));
-    return -1;
+    int bad = 1;
+#ifdef OPEN_MAX
+    if (errno == EINVAL && OPEN_MAX < rlim.rlim_cur) {
+      /* On some platforms, OPEN_MAX is the real limit, and getrlimit() is
+       * full of nasty lies.  I'm looking at you, OSX 10.5.... */
+      rlim.rlim_cur = OPEN_MAX;
+      if (setrlimit(RLIMIT_NOFILE, &rlim) == 0) {
+        if (rlim.rlim_cur < limit) {
+          log_warn(LD_CONFIG, "We are limited to %lu file descriptors by "
+                 "OPEN_MAX, and ConnLimit is %lu.  Changing ConnLimit; sorry.",
+                   (unsigned long)OPEN_MAX, limit);
+        } else {
+          log_info(LD_CONFIG, "Dropped connection limit to OPEN_MAX (%lu); "
+                   "Apparently, %lu was too high and rlimit lied to us.",
+                  (unsigned long)OPEN_MAX, (unsigned long)most);
+        }
+        most = rlim.rlim_cur;
+        bad = 0;
+      }
+    }
+#endif
+    if (bad) {
+      log_warn(LD_CONFIG,
+               "Couldn't set maximum number of file descriptors: %s",
+               strerror(errno));
+      return -1;
+    }
   }
   /* leave some overhead for logs, etc, */
   limit = most;

src/common/compat.h

@@ -154,6 +154,14 @@ int tor_vsnprintf(char *str, size_t size, const char *format, va_list args)
 const void *tor_memmem(const void *haystack, size_t hlen, const void *needle,
                        size_t nlen)  ATTR_PURE ATTR_NONNULL((1,3));
 
+static const void *tor_memstr(const void *haystack, size_t hlen,
+                           const char *needle) ATTR_PURE ATTR_NONNULL((1,3));
+static INLINE const void *
+tor_memstr(const void *haystack, size_t hlen, const char *needle)
+{
+  return tor_memmem(haystack, hlen, needle, strlen(needle));
+}
+
 #define TOR_ISALPHA(c)   isalpha((int)(unsigned char)(c))
 #define TOR_ISALNUM(c)   isalnum((int)(unsigned char)(c))
 #define TOR_ISSPACE(c)   isspace((int)(unsigned char)(c))

src/common/container.c

@@ -65,6 +65,8 @@ smartlist_set_capacity(smartlist_t *sl, int n)
 {
   if (n < sl->num_used)
     n = sl->num_used;
+  if (n < 1)
+    n = 1;
   if (sl->capacity != n) {
     sl->capacity = n;
     sl->list = tor_realloc(sl->list, sizeof(void*)*sl->capacity);

src/common/torgzip.c

@@ -70,7 +70,7 @@ tor_gzip_compress(char **out, size_t *out_len,
                   compress_method_t method)
 {
   struct z_stream_s *stream = NULL;
-  size_t out_size;
+  size_t out_size, old_size;
   off_t offset;
 
   tor_assert(out);
@@ -118,7 +118,12 @@ tor_gzip_compress(char **out, size_t *out_len,
           break;
       case Z_BUF_ERROR:
         offset = stream->next_out - ((unsigned char*)*out);
+        old_size = out_size;
         out_size *= 2;
+        if (out_size < old_size) {
+          log_warn(LD_GENERAL, "Size overflow in compression.");
+          goto err;
+        }
         *out = tor_realloc(*out, out_size);
         stream->next_out = (unsigned char*)(*out + offset);
         if (out_size - offset > UINT_MAX) {
@@ -173,7 +178,7 @@ tor_gzip_uncompress(char **out, size_t *out_len,
                     int protocol_warn_level)
 {
   struct z_stream_s *stream = NULL;
-  size_t out_size;
+  size_t out_size, old_size;
   off_t offset;
   int r;
 
@@ -240,7 +245,12 @@ tor_gzip_uncompress(char **out, size_t *out_len,
           goto err;
         }
         offset = stream->next_out - (unsigned char*)*out;
+        old_size = out_size;
         out_size *= 2;
+        if (out_size < old_size) {
+          log_warn(LD_GENERAL, "Size overflow in compression.");
+          goto err;
+        }
         *out = tor_realloc(*out, out_size);
         stream->next_out = (unsigned char*)(*out + offset);
         if (out_size - offset > UINT_MAX) {

src/common/torint.h

@@ -292,9 +292,9 @@ typedef uint32_t uintptr_t;
 
 #ifndef SIZE_T_MAX
 #if (SIZEOF_SIZE_T == 4)
-#define SIZE_T_MAX 0xfffffffful
+#define SIZE_T_MAX UINT32_MAX
 #elif (SIZEOF_SIZE_T == 8)
-#define SIZE_T_MAX 0xfffffffffffffffful
+#define SIZE_T_MAX UINT64_MAX
 #else
 #error "Can't define SIZE_T_MAX"
 #endif

src/common/util.c

@@ -418,6 +418,36 @@ eat_whitespace(const char *s)
   }
 }
 
+/** Return a pointer to the first char of s before <b>eos</b> that is not
+ * whitespace and not a comment, or to the terminating NUL or eos if no such
+ * character exists.
+ */
+const char *
+eat_whitespace_eos(const char *s, const char *eos)
+{
+  tor_assert(s);
+  tor_assert(eos && s <= eos);
+
+  while (s < eos) {
+    switch (*s) {
+    case '\0':
+    default:
+      return s;
+    case ' ':
+    case '\t':
+    case '\n':
+    case '\r':
+      ++s;
+      break;
+    case '#':
+      ++s;
+      while (s < eos && *s && *s != '\n')
+        ++s;
+    }
+  }
+  return s;
+}
+
 /** Return a pointer to the first char of s that is not a space or a tab,
  * or to the terminating NUL if no such character exists. */
 const char *
@@ -1525,7 +1555,7 @@ expand_filename(const char *filename)
         return NULL;
       }
       home = tor_strdup(home);
-      rest = strlen(filename)>=2?(filename+2):NULL;
+      rest = strlen(filename)>=2?(filename+2):"";
     } else {
 #ifdef HAVE_PWD_H
       char *username, *slash;
@@ -1540,7 +1570,7 @@ expand_filename(const char *filename)
         return NULL;
       }
       tor_free(username);
-      rest = slash ? (slash+1) : NULL;
+      rest = slash ? (slash+1) : "";
 #else
       log_warn(LD_CONFIG, "Couldn't expend homedir on system without pwd.h");
       return tor_strdup(filename);
@@ -1555,7 +1585,7 @@ expand_filename(const char *filename)
      * Round up to 16 in case we can't do math. */
     len = strlen(home)+strlen(rest)+16;
     result = tor_malloc(len);
-    tor_snprintf(result,len,"%s/%s",home,rest?rest:"");
+    tor_snprintf(result,len,"%s/%s",home,rest);
     tor_free(home);
     return result;
   } else {
@@ -1577,7 +1607,7 @@ tor_listdir(const char *dirname)
   size_t pattern_len = strlen(dirname)+16;
   pattern = tor_malloc(pattern_len);
   tor_snprintf(pattern, pattern_len, "%s\\*", dirname);
-  if (!(handle = FindFirstFile(pattern, &findData))) {
+  if (INVALID_HANDLE_VALUE == (handle = FindFirstFile(pattern, &findData))) {
     tor_free(pattern);
     return NULL;
   }
@@ -2040,8 +2070,7 @@ finish_daemon(const char *desired_cwd)
     exit(1);
   }
 
-  nullfd = open("/dev/null",
-                O_CREAT | O_RDWR | O_APPEND);
+  nullfd = open("/dev/null", O_RDWR | O_APPEND);
   if (nullfd < 0) {
     log_err(LD_GENERAL,"/dev/null can't be opened. Exiting.");
     exit(1);

src/common/util.h

@@ -158,6 +158,7 @@ uint64_t tor_parse_uint64(const char *s, int base, uint64_t min,
                          uint64_t max, int *ok, char **next);
 const char *hex_str(const char *from, size_t fromlen) ATTR_NONNULL((1));
 const char *eat_whitespace(const char *s) ATTR_PURE;
+const char *eat_whitespace_eos(const char *s, const char *eos) ATTR_PURE;
 const char *eat_whitespace_no_nl(const char *s) ATTR_PURE;
 const char *find_whitespace(const char *s) ATTR_PURE;
 int tor_mem_is_zero(const char *mem, size_t len) ATTR_PURE;

src/or/buffers.c

@@ -15,7 +15,7 @@ const char buffers_c_id[] =
 
 #include "or.h"
 
-#define SENTINELS
+#undef SENTINELS
 #undef CHECK_AFTER_RESIZE
 #undef PARANOIA
 #undef NOINLINE
@@ -1228,54 +1228,20 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req,
   }
 }
 
-/** If there is a complete version 0 control message waiting on buf, then store
- * its contents into *<b>type_out</b>, store its body's length into
- * *<b>len_out</b>, allocate and store a string for its body into
- * *<b>body_out</b>, and return 1.  (body_out will always be NUL-terminated,
- * even if the control message body doesn't end with NUL.)
- *
- * If there is not a complete control message waiting, return 0.
- *
- * Return -1 on error; return -2 on "seems to be control protocol v1."
- */
+/** Return 1 iff buf looks more like it has an (obsolete) v0 controller
+ * command on it than any valid v1 controller command. */
 int
-fetch_from_buf_control0(buf_t *buf, uint32_t *len_out, uint16_t *type_out,
-                        char **body_out, int check_for_v1)
+peek_buf_has_control0_command(buf_t *buf)
 {
-  uint32_t msglen;
-  uint16_t type;
-  char tmp[4];
-
-  tor_assert(buf);
-  tor_assert(len_out);
-  tor_assert(type_out);
-  tor_assert(body_out);
-
-  *len_out = 0;
-  *body_out = NULL;
-
-  if (buf->datalen < 4)
-    return 0;
-
-  peek_from_buf(tmp, 4, buf);
-
-  msglen = ntohs(get_uint16(tmp));
-  type = ntohs(get_uint16(tmp+2));
-  if (type > 255 && check_for_v1)
-    return -2;
-
-  if (buf->datalen < 4 + (unsigned)msglen)
-    return 0;
-
-  *len_out = msglen;
-  *type_out = type;
-  buf_remove_from_front(buf, 4);
-  if (msglen) {
-    *body_out = tor_malloc(msglen+1);
-    fetch_from_buf(*body_out, msglen, buf);
-    (*body_out)[msglen] = '\0';
+  if (buf->datalen >= 4) {
+    char header[4];
+    uint16_t cmd;
+    peek_from_buf(header, sizeof(header), buf);
+    cmd = ntohs(get_uint16(header+2));
+    if (cmd <= 0x14)
+      return 1; /* This is definitely not a v1 control command. */
   }
-  return 1;
+  return 0;
 }
 
 /** Helper: return a pointer to the first instance of <b>c</b> in the

src/or/circuitbuild.c

@@ -94,7 +94,7 @@ get_unique_circ_id_by_conn(or_connection_t *conn)
       return 0;
     }
     test_circ_id |= high_bit;
-  } while (circuit_get_by_circid_orconn(test_circ_id, conn));
+  } while (circuit_id_in_use_on_orconn(test_circ_id, conn));
   return test_circ_id;
 }
 
@@ -1246,14 +1246,14 @@ choose_good_exit_server_general(routerlist_t *dir, int need_uptime,
     smartlist_subtract(sl,excludedexits);
     if (options->StrictExitNodes || smartlist_overlap(sl,preferredexits))
       smartlist_intersect(sl,preferredexits);
-    router = routerlist_sl_choose_by_bandwidth(sl, 1);
+    router = routerlist_sl_choose_by_bandwidth(sl, 1, 0);
   } else {
     /* Either there are no pending connections, or no routers even seem to
      * possibly support any of them.  Choose a router at random that satisfies
      * at least one predicted exit port. */
 
     int try;
-    smartlist_t *needed_ports = circuit_get_unhandled_ports(time(NULL));
+    smartlist_t *needed_ports;
 
     if (best_support == -1) {
       if (need_uptime || need_capacity) {
@@ -1271,6 +1271,7 @@ choose_good_exit_server_general(routerlist_t *dir, int need_uptime,
       log_notice(LD_CIRC, "All routers are down or won't exit -- choosing a "
                  "doomed exit at random.");
     }
+    needed_ports = circuit_get_unhandled_ports(time(NULL));
     for (try = 0; try < 2; try++) {
       /* try once to pick only from routers that satisfy a needed port,
        * then if there are none, pick from any that support exiting. */
@@ -1289,7 +1290,7 @@ choose_good_exit_server_general(routerlist_t *dir, int need_uptime,
         smartlist_intersect(sl,preferredexits);
         /* XXX sometimes the above results in null, when the requested
          * exit node is down. we should pick it anyway. */
-      router = routerlist_sl_choose_by_bandwidth(sl, 1);
+      router = routerlist_sl_choose_by_bandwidth(sl, 1, 0);
       if (router)
         break;
     }
@@ -1722,9 +1723,11 @@ extend_info_from_router(routerinfo_t *r)
   extend_info_t *info;
   tor_assert(r);
   info = tor_malloc_zero(sizeof(extend_info_t));
-  strlcpy(info->nickname, r->nickname, sizeof(info->nickname));
+  if (r->nickname)
+    strlcpy(info->nickname, r->nickname, sizeof(info->nickname));
   memcpy(info->identity_digest, r->cache_info.identity_digest, DIGEST_LEN);
-  info->onion_key = crypto_pk_dup_key(r->onion_pkey);
+  if (r->onion_pkey)
+    info->onion_key = crypto_pk_dup_key(r->onion_pkey);
   info->addr = r->addr;
   info->port = r->or_port;
   return info;
@@ -1738,7 +1741,8 @@ extend_info_from_routerstatus(routerstatus_t *s)
   extend_info_t *info;
   tor_assert(s);
   info = tor_malloc_zero(sizeof(extend_info_t));
-  strlcpy(info->nickname, s->nickname, sizeof(info->nickname));
+  if (s->nickname)
+    strlcpy(info->nickname, s->nickname, sizeof(info->nickname));
   memcpy(info->identity_digest, s->identity_digest, DIGEST_LEN);
   info->onion_key = NULL; /* routerstatus doesn't know this */
   info->addr = s->addr;
@@ -2255,10 +2259,8 @@ static void
 entry_guards_prepend_from_config(void)
 {
   or_options_t *options = get_options();
-  smartlist_t *entry_routers = smartlist_create();
-  smartlist_t *old_entry_guards_on_list = smartlist_create();
-  smartlist_t *old_entry_guards_not_on_list = smartlist_create();
-  smartlist_t *entry_fps = smartlist_create();
+  smartlist_t *entry_routers, *entry_fps;
+  smartlist_t *old_entry_guards_on_list, *old_entry_guards_not_on_list;
   tor_assert(entry_guards);
 
   should_add_entry_nodes = 0;
@@ -2274,6 +2276,11 @@ entry_guards_prepend_from_config(void)
   log_info(LD_CIRC,"Adding configured EntryNodes '%s'.",
            options->EntryNodes);
 
+  entry_routers = smartlist_create();
+  entry_fps = smartlist_create();
+  old_entry_guards_on_list = smartlist_create();
+  old_entry_guards_not_on_list = smartlist_create();
+
   /* Split entry guards into those on the list and those not. */
   add_nickname_list_to_smartlist(entry_routers, options->EntryNodes, 0);
   SMARTLIST_FOREACH(entry_routers, routerinfo_t *, ri,
@@ -2322,11 +2329,17 @@ choose_random_entry(cpath_build_state_t *state)
 {
   or_options_t *options = get_options();
   smartlist_t *live_entry_guards = smartlist_create();
+  smartlist_t *exit_family = smartlist_create();
   routerinfo_t *chosen_exit = build_state_get_exit_router(state);
   routerinfo_t *r = NULL;
   int need_uptime = state->need_uptime;
   int need_capacity = state->need_capacity;
 
+  if (chosen_exit) {
+    smartlist_add(exit_family, chosen_exit);
+    routerlist_add_family(exit_family, chosen_exit);
+  }
+
   if (!entry_guards)
     entry_guards = smartlist_create();
 
@@ -2343,8 +2356,15 @@ choose_random_entry(cpath_build_state_t *state)
   SMARTLIST_FOREACH(entry_guards, entry_guard_t *, entry,
     {
       r = entry_is_live(entry, need_uptime, need_capacity, 0);
-      if (r && r != chosen_exit) {
+      if (r && !smartlist_isin(exit_family, r)) {
         smartlist_add(live_entry_guards, r);
+        if (!entry->made_contact) {
+          /* Always start with the first not-yet-contacted entry
+           * guard. Otherwise we might add several new ones, pick
+           * the second new one, and now we've expanded our entry
+           * guard list without needing to. */
+          goto choose_and_finish;
+        }
         if (smartlist_len(live_entry_guards) >= options->NumEntryGuards)
           break; /* we have enough */
       }
@@ -2378,8 +2398,10 @@ choose_random_entry(cpath_build_state_t *state)
     /* live_entry_guards will be empty below. Oh well, we tried. */
   }
 
+ choose_and_finish:
   r = smartlist_choose(live_entry_guards);
   smartlist_free(live_entry_guards);
+  smartlist_free(exit_family);
   return r;
 }
 
@@ -2395,6 +2417,7 @@ entry_guards_parse_state(or_state_t *state, int set, char **msg)
   entry_guard_t *node = NULL;
   smartlist_t *new_entry_guards = smartlist_create();
   config_line_t *line;
+  time_t now = time(NULL);
 
   *msg = NULL;
   for (line = state->EntryGuards; line; line = line->next) {
@@ -2437,6 +2460,11 @@ entry_guards_parse_state(or_state_t *state, int set, char **msg)
                           "Bad time in EntryGuardDownSince/UnlistedSince");
         break;
       }
+      if (when > now) {
+        /* It's a bad idea to believe info in the future: you can wind
+         * up with timeouts that aren't allowed to happen for years. */
+        continue;
+      }
       if (strlen(line->value) >= ISO_TIME_LEN+ISO_TIME_LEN+1) {
         /* ignore failure */
         parse_iso_time(line->value+ISO_TIME_LEN+1, &last_try);

src/or/circuitlist.c

@@ -615,6 +615,14 @@ circuit_get_by_circid_orconn(uint16_t circ_id, or_connection_t *conn)
     return circ;
 }
 
+/** Return true iff the circuit ID <b>circ_id</b> is currently used by a
+ * circuit, marked or not, on <b>conn</b>. */
+int
+circuit_id_in_use_on_orconn(uint16_t circ_id, or_connection_t *conn)
+{
+  return circuit_get_by_circid_orconn_impl(circ_id, conn) != NULL;
+}
+
 /** Return the circuit that a given edge connection is using. */
 circuit_t *
 circuit_get_by_edge_conn(edge_connection_t *conn)
@@ -779,10 +787,16 @@ circuit_find_to_cannibalize(uint8_t purpose, extend_info_t *info,
         if (info) {
           /* need to make sure we don't duplicate hops */
           crypt_path_t *hop = circ->cpath;
+          routerinfo_t *ri1 = router_get_by_digest(info->identity_digest);
           do {
+            routerinfo_t *ri2;
             if (!memcmp(hop->extend_info->identity_digest,
                         info->identity_digest, DIGEST_LEN))
               goto next;
+            if (ri1 &&
+                (ri2 = router_get_by_digest(hop->extend_info->identity_digest))
+                && routers_in_same_family(ri1, ri2))
+              goto next;
             hop=hop->next;
           } while (hop!=circ->cpath);
         }
@@ -884,9 +898,9 @@ _circuit_mark_for_close(circuit_t *circ, int reason, int line,
                file, line, circ->purpose);
     }
     reason = END_CIRC_REASON_NONE;
-  } else if (CIRCUIT_IS_ORIGIN(circ) && reason < _END_CIRC_REASON_MIN) {
-    /* We don't send reasons when closing circuits at the origin, but we want
-     * to track them anyway so we can give them to the controller. */
+  }
+  if (CIRCUIT_IS_ORIGIN(circ)) {
+    /* We don't send reasons when closing circuits at the origin. */
     reason = END_CIRC_REASON_NONE;
   }
 
@@ -1050,10 +1064,15 @@ assert_circuit_ok(const circuit_t *c)
   tor_assert(c->purpose >= _CIRCUIT_PURPOSE_MIN &&
              c->purpose <= _CIRCUIT_PURPOSE_MAX);
 
-  if (CIRCUIT_IS_ORIGIN(c))
-    origin_circ = TO_ORIGIN_CIRCUIT((circuit_t*)c);
-  else
-    or_circ = TO_OR_CIRCUIT((circuit_t*)c);
+  {
+    /* Having a separate variable for this pleases GCC 4.2 in ways I hope I
+     * never understand. -NM. */
+    circuit_t *nonconst_circ = (circuit_t*) c;
+    if (CIRCUIT_IS_ORIGIN(c))
+      origin_circ = TO_ORIGIN_CIRCUIT(nonconst_circ);
+    else
+      or_circ = TO_OR_CIRCUIT(nonconst_circ);
+  }
 
   if (c->n_conn) {
     tor_assert(!memcmp(c->n_conn->identity_digest, c->n_conn_id_digest,

src/or/circuituse.c

@@ -94,7 +94,6 @@ circuit_is_acceptable(circuit_t *circ, edge_connection_t *conn,
     } else {
       if (conn->socks_request->command == SOCKS_COMMAND_CONNECT_DIR) {
         /* don't use three-hop circuits -- that could hurt our anonymity. */
-        log_debug(LD_CIRC,"Skipping multi-hop circuit for CONNECT_DIR.");
         return 0;
       }
     }
@@ -1215,6 +1214,16 @@ connection_ap_handshake_attach_circuit(edge_connection_t *conn)
 
   conn_age = time(NULL) - conn->_base.timestamp_created;
 
+  if (conn_age >= get_options()->SocksTimeout) {
+    int severity = (!conn->_base.addr && !conn->_base.port) ?
+                     LOG_INFO : LOG_NOTICE;
+    log_fn(severity, LD_APP,
+           "Tried for %d seconds to get a connection to %s:%d. Giving up.",
+           conn_age, safe_str(conn->socks_request->address),
+           conn->socks_request->port);
+    return -1;
+  }
+
   if (!connection_edge_is_rendezvous_stream(conn)) { /* we're a general conn */
     origin_circuit_t *circ=NULL;
 

src/or/command.c

@@ -196,7 +196,7 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn)
     return;
   }
 
-  if (circuit_get_by_circid_orconn(cell->circ_id, conn)) {
+  if (circuit_id_in_use_on_orconn(cell->circ_id, conn)) {
     routerinfo_t *router = router_get_by_digest(conn->identity_digest);
     log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
            "Received CREATE cell (circID %d) for known circ. "

src/or/config.c

@@ -441,7 +441,7 @@ static config_var_description_t options_description[] = {
     "and servers." },
   { "ORListenAddress", "Bind to this address to listen for connections from "
     "clients and servers, instead of the default 0.0.0.0:ORPort." },
-  { "PublishServerDescriptors", "Set to 0 in order to keep the server from "
+  { "PublishServerDescriptor", "Set to 0 in order to keep the server from "
     "uploading info to the directory authorities." },
   /*{ "RedirectExit", "When an outgoing connection tries to connect to a "
    *"given address, redirect it to another address instead." },
@@ -584,7 +584,7 @@ typedef enum {
   /* Note: we compare these, so it's important that "old" precede everything,
    * and that "other" come last. */
   LE_OLD=0, LE_10C, LE_10D, LE_10E, LE_11, LE_11A, LE_11B, LE_12, LE_12A,
-  LE_13, LE_13A,
+  LE_13, LE_13A, LE_13B,
   LE_OTHER
 } le_version_t;
 static le_version_t decode_libevent_version(void);
@@ -732,15 +732,12 @@ add_default_trusted_dirservers(void)
 {
   int i;
   const char *dirservers[] = {
-    /* eventually we should mark moria1 as "v1only" */
-    "moria1 v1 orport=9001 18.244.0.188:9031 "
+    "moria1 v1 orport=9001 128.31.0.34:9031 "
       "FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441",
-    "moria2 v1 orport=443 18.244.0.114:80 "
+    "moria2 v1 orport=9002 128.31.0.34:9032 "
       "719B E45D E224 B607 C537 07D0 E214 3E2D 423E 74CF",
     "tor26 v1 orport=443 86.59.21.38:80 "
       "847B 1F85 0344 D787 6491 A548 92F9 0493 4E4E B85D",
-    "lefkada orport=443 140.247.60.64:80 "
-      "38D4 F5FC F7B1 0232 28B8 95EA 56ED E7D5 CCDC AF32",
     "dizum 194.109.206.212:80 "
       "7EA6 EAD6 FD83 083C 538F 4403 8BBF A077 587D D755",
     NULL
@@ -789,7 +786,8 @@ options_act_reversible(or_options_t *old_options, char **msg)
   }
 
   /* Ensure data directory is private; create if possible. */
-  if (check_private_dir(options->DataDirectory, CPD_CREATE)<0) {
+  if (check_private_dir(options->DataDirectory,
+               options->command == CMD_RUN_TOR ? CPD_CREATE : CPD_CHECK)<0) {
     char buf[1024];
     int tmp = tor_snprintf(buf, sizeof(buf),
               "Couldn't access/create private data directory \"%s\"",
@@ -885,8 +883,8 @@ options_act(or_options_t *old_options)
   int running_tor = options->command == CMD_RUN_TOR;
   char *msg;
 
-  clear_trusted_dir_servers();
   if (options->DirServers) {
+    clear_trusted_dir_servers();
     for (cl = options->DirServers; cl; cl = cl->next) {
       if (parse_dir_server_line(cl->value, 0)<0) {
         log_err(LD_BUG,
@@ -895,7 +893,8 @@ options_act(or_options_t *old_options)
       }
     }
   } else {
-    add_default_trusted_dirservers();
+    if (!smartlist_len(router_get_trusted_dir_servers()))
+      add_default_trusted_dirservers();
   }
 
   if (running_tor && rend_config_services(options, 0)<0) {
@@ -917,16 +916,16 @@ options_act(or_options_t *old_options)
     tor_free(fn);
   }
 
-  /* Load state */
-  if (! global_state)
-    if (or_state_load())
-      return -1;
-
   /* Bail out at this point if we're not going to be a client or server:
    * we want to not fork, and to log stuff to stderr. */
   if (options->command != CMD_RUN_TOR)
     return 0;
 
+  /* Load state */
+  if (! global_state)
+    if (or_state_load())
+      return -1;
+
   {
     smartlist_t *sl = smartlist_create();
     char *errmsg = NULL;
@@ -934,6 +933,8 @@ options_act(or_options_t *old_options)
       if (parse_redirect_line(sl, cl, &errmsg)<0) {
         log_warn(LD_CONFIG, "%s", errmsg);
         tor_free(errmsg);
+        SMARTLIST_FOREACH(sl, exit_redirect_t *, er, tor_free(er));
+        smartlist_free(sl);
         return -1;
       }
     }
@@ -958,7 +959,10 @@ options_act(or_options_t *old_options)
   /* Update address policies. */
   policies_parse_from_options(options);
 
-  init_cookie_authentication(options->CookieAuthentication);
+  if (init_cookie_authentication(options->CookieAuthentication) < 0) {
+    log_warn(LD_CONFIG,"Error creating cookie authentication file");
+    return -1;
+  }
 
   /* reload keys as needed for rendezvous services. */
   if (rend_service_load_keys()<0) {
@@ -1803,6 +1807,7 @@ list_torrc_options(void)
       smartlist_clear(lines);
     }
   }
+  smartlist_free(lines);
 }
 
 /** Last value actually set by resolve_my_address. */
@@ -2734,6 +2739,9 @@ options_validate(or_options_t *old_options, or_options_t *options,
     return -1;
   if (check_nickname_list(options->MyFamily, "MyFamily", msg))
     return -1;
+
+  if (options->NodeFamilies)
+    COMPLAIN("NodeFamily config option is broken in this version of Tor.");
   for (cl = options->NodeFamilies; cl; cl = cl->next) {
     if (check_nickname_list(cl->value, "NodeFamily", msg))
       return -1;
@@ -2869,6 +2877,8 @@ options_transition_affects_descriptor(or_options_t *old_options,
       !opt_streq(old_options->Nickname,new_options->Nickname) ||
       !opt_streq(old_options->Address,new_options->Address) ||
       !config_lines_eq(old_options->ExitPolicy,new_options->ExitPolicy) ||
+      old_options->ExitPolicyRejectPrivate !=
+        new_options->ExitPolicyRejectPrivate ||
       old_options->ORPort != new_options->ORPort ||
       old_options->DirPort != new_options->DirPort ||
       old_options->ClientOnly != new_options->ClientOnly ||
@@ -3464,6 +3474,13 @@ parse_dir_server_line(const char *line, int validate_only)
     log_warn(LD_CONFIG, "Key digest for DirServer is wrong length.");
     goto err;
   }
+  if (!strcmp(fingerprint, "E623F7625FBE0C87820F11EC5F6D5377ED816294")) {
+    /* a known bad fingerprint. refuse to use it. */
+    log_warn(LD_CONFIG, "Dangerous dirserver line. To correct, erase your "
+             "torrc file (%s), or reinstall Tor and use the default torrc.",
+             get_torrc_fname());
+    goto err;
+  }
   if (base16_decode(digest, DIGEST_LEN, fingerprint, HEX_DIGEST_LEN)<0) {
     log_warn(LD_CONFIG, "Unable to decode DirServer key digest.");
     goto err;
@@ -3829,6 +3846,7 @@ static const struct {
   { "1.2a", LE_12A },
   { "1.3",  LE_13 },
   { "1.3a", LE_13A },
+  { "1.3b", LE_13B },
   { NULL, LE_OTHER }
 };
 
@@ -3855,10 +3873,11 @@ decode_libevent_version(void)
 static void
 check_libevent_version(const char *m, int server)
 {
-  int buggy = 0, iffy = 0, slow = 0;
+  int buggy = 0, iffy = 0, slow = 0, thread_unsafe = 0;
   le_version_t version;
   const char *v = event_get_version();
   const char *badness = NULL;
+  const char *sad_os = "";
 
   version = decode_libevent_version();
 
@@ -3891,7 +3910,26 @@ check_libevent_version(const char *m, int server)
       buggy = 1;
   }
 
-  if (buggy) {
+  /* Libevent versions before 1.3b do very badly on operating systems with
+   * user-space threading implementations. */
+#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__)
+  if (server && version < LE_13B) {
+    thread_unsafe = 1;
+    sad_os = "BSD variants";
+      }
+#elif defined(__APPLE__) || defined(__darwin__)
+  if (server && version < LE_13B) {
+    thread_unsafe = 1;
+    sad_os = "Mac OS X";
+  }
+#endif
+
+  if (thread_unsafe) {
+    log(LOG_WARN, LD_GENERAL,
+        "Libevent version %s often crashes when running a Tor server with %s. "
+        "Please use the latest version of libevent (1.3b or later)",v,sad_os);
+    badness = "BROKEN";
+  } else if (buggy) {
     log(LOG_WARN, LD_GENERAL,
         "There are known bugs in using %s with libevent %s. "
         "Please use the latest version of libevent.", m, v);
@@ -3908,9 +3946,6 @@ check_libevent_version(const char *m, int server)
         v,m);
     badness = "SLOW";
   }
-  /* XXXX012 if libevent 1.3b comes out before 0.1.2.x, and it works,
-   * recomment an upgrade to everybody on BSD or OSX or anywhere with
-   * that flavor of pthreads. */
   if (badness) {
     control_event_general_status(LOG_WARN,
         "BAD_LIBEVENT VERSION=%s METHOD=%s BADNESS=%s RECOVERED=NO",
@@ -3963,16 +3998,18 @@ or_state_validate(or_state_t *old_state, or_state_t *state,
   if (entry_guards_parse_state(state, 0, msg)<0) {
     return -1;
   }
-  if (state->TorVersion) {
+  if (state->EntryGuards && state->TorVersion) {
     tor_version_t v;
     if (tor_version_parse(state->TorVersion, &v)) {
       log_warn(LD_GENERAL, "Can't parse Tor version '%s' from your state "
                "file. Proceeding anyway.", state->TorVersion);
     } else { /* take action based on v */
-      if (tor_version_as_new_as(state->TorVersion, "0.1.1.10-alpha") &&
-          !tor_version_as_new_as(state->TorVersion, "0.1.1.16-rc-cvs")) {
-        log_notice(LD_CONFIG, "Detected state file from buggy version '%s'. "
-                   "Enabling workaround to choose working entry guards.",
+      if ((tor_version_as_new_as(state->TorVersion, "0.1.1.10-alpha") &&
+           !tor_version_as_new_as(state->TorVersion, "0.1.2.17")) ||
+          (tor_version_as_new_as(state->TorVersion, "0.2.0.0-alpha") &&
+           !tor_version_as_new_as(state->TorVersion, "0.2.0.6-alpha"))) {
+        log_notice(LD_CONFIG, "Detected state file from old version '%s'. "
+                   "Choosing new entry guards for you.",
                    state->TorVersion);
         config_free_lines(state->EntryGuards);
         state->EntryGuards = NULL;

src/or/connection.c

@@ -132,10 +132,7 @@ conn_state_to_string(int type, int state)
       break;
     case CONN_TYPE_CONTROL:
       switch (state) {
-        case CONTROL_CONN_STATE_OPEN_V0: return "open (protocol v0)";
         case CONTROL_CONN_STATE_OPEN_V1: return "open (protocol v1)";
-        case CONTROL_CONN_STATE_NEEDAUTH_V0:
-          return "waiting for authentication (protocol unknown)";
         case CONTROL_CONN_STATE_NEEDAUTH_V1:
           return "waiting for authentication (protocol v1)";
       }
@@ -404,7 +401,7 @@ connection_about_to_close_connection(connection_t *conn)
   edge_connection_t *edge_conn;
   time_t now = time(NULL);
 
-  assert(conn->marked_for_close);
+  tor_assert(conn->marked_for_close);
 
   if (CONN_IS_EDGE(conn)) {
     if (!conn->edge_has_sent_end) {
@@ -739,7 +736,7 @@ connection_handle_listener_read(connection_t *conn, int new_type)
   struct sockaddr_in remote;
   char addrbuf[256];
   /* length of the remote address. Must be whatever accept() needs. */
-  socklen_t remotelen = 256;
+  socklen_t remotelen = sizeof(addrbuf);
   char tmpbuf[INET_NTOA_BUF_LEN];
   tor_assert((size_t)remotelen >= sizeof(struct sockaddr_in));
   memset(addrbuf, 0, sizeof(addrbuf));
@@ -765,6 +762,16 @@ connection_handle_listener_read(connection_t *conn, int new_type)
             news,conn->s);
 
   set_socket_nonblocking(news);
+  if (((struct sockaddr*)addrbuf)->sa_family != AF_INET) {
+    log_info(LD_BUG, "A listener connection returned a socket with a "
+             "mismatched family.  %s for addr_family %d gave us a socket "
+             "with address family %d.  Dropping.",
+             conn_type_to_string(conn->type),
+             (int)AF_INET,
+             (int)((struct sockaddr*)addrbuf)->sa_family);
+    tor_close_socket(news);
+    return 0;
+  }
 
   if (check_sockaddr_in((struct sockaddr*)addrbuf, remotelen, LOG_INFO)<0) {
     log_info(LD_NET,
@@ -860,7 +867,7 @@ connection_init_accepted_conn(connection_t *conn, uint8_t listener_type)
       conn->state = DIR_CONN_STATE_SERVER_COMMAND_WAIT;
       break;
     case CONN_TYPE_CONTROL:
-      conn->state = CONTROL_CONN_STATE_NEEDAUTH_V0;
+      conn->state = CONTROL_CONN_STATE_NEEDAUTH_V1;
       break;
   }
   return 0;
@@ -1321,15 +1328,19 @@ connection_bucket_refill(int seconds_elapsed)
 
   /* refill the global buckets */
   if (global_read_bucket < (int)options->BandwidthBurst) {
+    int initial_read_bucket = global_read_bucket;
     global_read_bucket += (int)options->BandwidthRate*seconds_elapsed;
-    if (global_read_bucket > (int)options->BandwidthBurst)
+    if (global_read_bucket > (int)options->BandwidthBurst ||
+        global_read_bucket < initial_read_bucket)
       global_read_bucket = (int)options->BandwidthBurst;
     log(LOG_DEBUG, LD_NET,"global_read_bucket now %d.", global_read_bucket);
   }
   if (global_write_bucket < (int)options->BandwidthBurst) {
+    int initial_write_bucket = global_write_bucket;
     global_write_bucket_empty_last_second = global_write_bucket == 0;
     global_write_bucket += (int)options->BandwidthRate*seconds_elapsed;
-    if (global_write_bucket > (int)options->BandwidthBurst)
+    if (global_write_bucket > (int)options->BandwidthBurst ||
+        global_write_bucket < initial_write_bucket)
       global_write_bucket = (int)options->BandwidthBurst;
     log(LOG_DEBUG, LD_NET,"global_write_bucket now %d.", global_write_bucket);
   }
@@ -1342,8 +1353,10 @@ connection_bucket_refill(int seconds_elapsed)
     if (connection_speaks_cells(conn)) {
       or_connection_t *or_conn = TO_OR_CONN(conn);
       if (connection_read_bucket_should_increase(or_conn)) {
+        int initial_read_bucket = or_conn->read_bucket;
         or_conn->read_bucket += or_conn->bandwidthrate*seconds_elapsed;
-        if (or_conn->read_bucket > or_conn->bandwidthburst)
+        if (or_conn->read_bucket > or_conn->bandwidthburst ||
+            or_conn->read_bucket < initial_read_bucket)
           or_conn->read_bucket = or_conn->bandwidthburst;
         //log_fn(LOG_DEBUG,"Receiver bucket %d now %d.", i,
         //       conn->read_bucket);
@@ -2121,8 +2134,7 @@ connection_state_is_open(connection_t *conn)
       (conn->type == CONN_TYPE_AP && conn->state == AP_CONN_STATE_OPEN) ||
       (conn->type == CONN_TYPE_EXIT && conn->state == EXIT_CONN_STATE_OPEN) ||
       (conn->type == CONN_TYPE_CONTROL &&
-       (conn->state == CONTROL_CONN_STATE_OPEN_V0 ||
-        conn->state == CONTROL_CONN_STATE_OPEN_V1)))
+       conn->state == CONTROL_CONN_STATE_OPEN_V1))
     return 1;
 
   return 0;
@@ -2283,6 +2295,9 @@ connection_finished_flushing(connection_t *conn)
 {
   tor_assert(conn);
 
+  if (conn->s < 0 || !conn->write_event)
+    return 0;
+
 //  log_fn(LOG_DEBUG,"entered. Socket %u.", conn->s);
 
   switch (conn->type) {
@@ -2388,7 +2403,8 @@ assert_connection_ok(connection_t *conn, time_t now)
   if (conn->outbuf_flushlen > 0) {
     tor_assert(connection_is_writing(conn) || conn->wants_to_write ||
                (conn->type == CONN_TYPE_DIR &&
-                TO_DIR_CONN(conn)->is_blocked_on_or_conn));
+                (conn->marked_for_close ||
+                 TO_DIR_CONN(conn)->is_blocked_on_or_conn)));
   }
 
   if (conn->hold_open_until_flushed)

src/or/connection_edge.c

@@ -29,7 +29,8 @@ static smartlist_t *redirect_exit_list = NULL;
 
 static int connection_ap_handshake_process_socks(edge_connection_t *conn);
 static int connection_ap_process_natd(edge_connection_t *conn);
-static int connection_exit_connect_dir(edge_connection_t *exit_conn);
+static int connection_exit_connect_dir(edge_connection_t *exit_conn,
+                                       or_circuit_t *circ);
 static int hostname_is_noconnect_address(const char *address);
 
 /** An AP stream has failed/finished. If it hasn't already sent back
@@ -1389,6 +1390,11 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
       connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
       return -1;
     }
+
+    /* Help predict this next time. We're not sure if it will need
+     * a stable circuit yet, but we know we'll need *something*. */
+    rep_hist_note_used_internal(time(NULL), 0, 1);
+
     if (r==0) {
       conn->_base.state = AP_CONN_STATE_RENDDESC_WAIT;
       log_info(LD_REND, "Unknown descriptor %s. Fetching.",
@@ -1684,10 +1690,14 @@ connection_ap_process_natd(edge_connection_t *conn)
   }
 
   daddr = tbuf = &tmp_buf[0] + 6; /* after end of "[DEST " */
-  while (*tbuf != '\0' && *tbuf != ' ')
-    tbuf++;
-  *tbuf = '\0';
-  tbuf++;
+  if (!(tbuf = strchr(tbuf, ' '))) {
+    log_warn(LD_APP,"Natd handshake was ill-formed; closing. The client "
+             "said: %s",
+             escaped(tmp_buf));
+    connection_mark_unattached_ap(conn, END_STREAM_REASON_INVALID_NATD_DEST);
+    return -1;
+  }
+  *tbuf++ = '\0';
 
   /* pretend that a socks handshake completed so we don't try to
    * send a socks reply down a natd conn */
@@ -2203,8 +2213,6 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ)
       relay_send_command_from_edge(rh.stream_id, circ, RELAY_COMMAND_END,
                                    end_payload, 1, NULL);
       connection_free(TO_CONN(n_stream));
-      /* knock the whole thing down, somebody screwed up */
-      circuit_mark_for_close(circ, END_CIRC_REASON_CONNECTFAILED);
       tor_free(address);
       return 0;
     }
@@ -2239,10 +2247,8 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ)
   if (rh.command == RELAY_COMMAND_BEGIN_DIR) {
     if (or_circ && or_circ->p_conn && or_circ->p_conn->_base.addr)
       n_stream->_base.addr = or_circ->p_conn->_base.addr;
-    n_stream->next_stream = TO_OR_CIRCUIT(circ)->n_streams;
     n_stream->on_circuit = circ;
-    TO_OR_CIRCUIT(circ)->n_streams = n_stream;
-    return connection_exit_connect_dir(n_stream);
+    return connection_exit_connect_dir(n_stream, TO_OR_CIRCUIT(circ));
   }
 
   /* send it off to the gethostbyname farm */
@@ -2424,7 +2430,8 @@ connection_exit_connect(edge_connection_t *edge_conn)
  * as appropriate.
  */
 static int
-connection_exit_connect_dir(edge_connection_t *exit_conn)
+connection_exit_connect_dir(edge_connection_t *exit_conn,
+                            or_circuit_t *circ)
 {
   int fd[2];
   int err;
@@ -2470,6 +2477,9 @@ connection_exit_connect_dir(edge_connection_t *exit_conn)
     return 0;
   }
 
+  exit_conn->next_stream = circ->n_streams;
+  circ->n_streams = exit_conn;
+
   if (connection_add(TO_CONN(dir_conn))<0) {
     connection_edge_end(exit_conn, END_STREAM_REASON_RESOURCELIMIT,
                         exit_conn->cpath_layer);

src/or/directory.c

@@ -455,6 +455,10 @@ directory_initiate_command(const char *address, uint32_t addr,
      * populate it and add it at the right state
      * socketpair and hook up both sides
      */
+
+    if (private_connection)
+      rep_hist_note_used_port(conn->_base.port, time(NULL));
+
     conn->dirconn_direct = 0;
     conn->_base.s =
       connection_ap_make_bridge(conn->_base.address, conn->_base.port,
@@ -900,7 +904,7 @@ connection_dir_client_reached_eof(dir_connection_t *conn)
   if (conn->dirconn_direct) {
     char *guess = http_get_header(headers, X_ADDRESS_HEADER);
     if (guess) {
-      router_new_address_suggestion(guess);
+      router_new_address_suggestion(guess, conn);
       tor_free(guess);
     }
   }
@@ -932,7 +936,7 @@ connection_dir_client_reached_eof(dir_connection_t *conn)
   }
   (void) skewed; /* skewed isn't used yet. */
 
-  if (status_code == 503) {
+  if (status_code == 503 && body_len < 16) {
     local_routerstatus_t *rs;
     trusted_dir_server_t *ds;
     time_t now = time(NULL);
@@ -947,6 +951,12 @@ connection_dir_client_reached_eof(dir_connection_t *conn)
 
     tor_free(body); tor_free(headers); tor_free(reason);
     return -1;
+  } else if (status_code == 503) {
+    /* XXXX022 Remove this once every server with bug 539 is obsolete. */
+    log_info(LD_DIR, "Server at '%s:%d' sent us a 503 response, but included "
+             "a body anyway.  We'll pretend it gave us a 200.",
+             conn->_base.address, conn->_base.port);
+    status_code = 200;
   }
 
   plausible = body_is_plausible(body, body_len, conn->_base.purpose);
@@ -1158,7 +1168,7 @@ connection_dir_client_reached_eof(dir_connection_t *conn)
     if (which || (conn->requested_resource &&
                   !strcmpstart(conn->requested_resource, "all"))) {
       /* as we learn from them, we remove them from 'which' */
-      router_load_routers_from_string(body, SAVED_NOWHERE, which);
+      router_load_routers_from_string(body, body_len, SAVED_NOWHERE, which);
       directory_info_has_arrived(time(NULL), 0);
     }
     if (which) { /* mark remaining ones as failed */
@@ -1361,7 +1371,7 @@ write_http_status_line(dir_connection_t *conn, int status,
 {
   char buf[256];
   if (tor_snprintf(buf, sizeof(buf), "HTTP/1.0 %d %s\r\n\r\n",
-      status, reason_phrase) < 0) {
+                   status, reason_phrase ? reason_phrase : "OK") < 0) {
     log_warn(LD_BUG,"Bug: status line too long.");
     return;
   }
@@ -1730,6 +1740,7 @@ directory_handle_command_get(dir_connection_t *conn, const char *headers,
                  "Client asked for server descriptors, but we've been "
                  "writing too many bytes lately. Sending 503 Dir busy.");
         write_http_status_line(conn, 503, "Directory busy, try again later");
+        conn->dir_spool_src = DIR_SPOOL_NONE;
         return 0;
       }
       write_http_response_header(conn, -1,
@@ -1853,7 +1864,7 @@ directory_handle_command_post(dir_connection_t *conn, const char *headers,
   log_debug(LD_DIRSERV,"rewritten url as '%s'.", url);
 
   if (!strcmp(url,"/tor/")) { /* server descriptor post */
-    const char *msg;
+    const char *msg = NULL;
     int r = dirserv_add_descriptor(body, &msg);
     tor_assert(msg);
     if (r > 0)
@@ -2015,14 +2026,21 @@ dir_networkstatus_download_failed(smartlist_t *failed, int status_code)
 static void
 dir_routerdesc_download_failed(smartlist_t *failed, int status_code)
 {
-  char digest[DIGEST_LEN];
-  local_routerstatus_t *rs;
   time_t now = time(NULL);
   int server = server_mode(get_options()) && get_options()->DirPort;
+  smartlist_t *routerstatuses, *digests = smartlist_create();
+
   SMARTLIST_FOREACH(failed, const char *, cp,
   {
-    base16_decode(digest, DIGEST_LEN, cp, strlen(cp));
-    rs = router_get_combined_status_by_digest(digest);
+    char *d = tor_malloc(DIGEST_LEN);
+    base16_decode(d, DIGEST_LEN, cp, strlen(cp));
+    smartlist_add(digests, d);
+  });
+  routerstatuses = router_get_combined_status_by_descriptor_digests(digests);
+  SMARTLIST_FOREACH(digests, char *, d, tor_free(d));
+  smartlist_free(digests);
+
+  SMARTLIST_FOREACH(routerstatuses, local_routerstatus_t *, rs, {
     if (!rs || rs->n_download_failures >= MAX_ROUTERDESC_DOWNLOAD_FAILURES)
       continue;
     if (status_code != 503 || server)
@@ -2050,17 +2068,19 @@ dir_routerdesc_download_failed(smartlist_t *failed, int status_code)
       }
     }
     if (rs->next_attempt_at == 0)
-      log_debug(LD_DIR, "%s failed %d time(s); I'll try again immediately.",
-                cp, (int)rs->n_download_failures);
+      log_debug(LD_DIR, "dl failed %d time(s); I'll try again immediately.",
+                (int)rs->n_download_failures);
     else if (rs->next_attempt_at < TIME_MAX)
-      log_debug(LD_DIR, "%s failed %d time(s); I'll try again in %d seconds.",
-                cp, (int)rs->n_download_failures,
+      log_debug(LD_DIR, "dl failed %d time(s); I'll try again in %d seconds.",
+                (int)rs->n_download_failures,
                 (int)(rs->next_attempt_at-now));
     else
-      log_debug(LD_DIR, "%s failed %d time(s); Giving up for a while.",
-                cp, (int)rs->n_download_failures);
+      log_debug(LD_DIR, "dl failed %d time(s); Giving up for a while.",
+                (int)rs->n_download_failures);
   });
 
+  smartlist_free(routerstatuses);
+
   /* No need to relaunch descriptor downloads here: we already do it
    * every 10 seconds (DESCRIPTOR_RETRY_INTERVAL) in main.c. */
 }

src/or/dirserv.c

@@ -610,6 +610,7 @@ directory_remove_invalid(void)
                ent->nickname, msg?msg:"");
       routerlist_remove(rl, ent, i--, 0);
       changed = 1;
+      continue;
     }
     if (bool_neq((r & FP_NAMED), ent->is_named)) {
       log_info(LD_DIRSERV,
@@ -1678,6 +1679,8 @@ generate_v2_networkstatus(void)
       outp += strlen(outp);
       if (ri->platform && !strcmpstart(ri->platform, "Tor ")) {
         const char *eos = find_whitespace(ri->platform+4);
+        if (eos && !strcmpstart(eos, " (r"))
+          eos = find_whitespace(eos+1);
         if (eos) {
           char *platform = tor_strndup(ri->platform, eos-(ri->platform));
           if (tor_snprintf(outp, endp-outp,
@@ -2048,12 +2051,20 @@ connection_dirserv_unlink_from_bridge(dir_connection_t *dir_conn)
   or_conn = connection_dirserv_get_target_or_conn(dir_conn);
   if (or_conn) {
     /* XXXX Really, this is only necessary if dir_conn->is_blocked_on_or_conn.
-     * But for now, let's leave it in, so the assert can catch  */
+     * But for now, let's leave it in, so the assert can catch problems.  */
     connection_dirserv_remove_from_blocked_list(or_conn, dir_conn);
   }
   dir_conn->is_blocked_on_or_conn = 0; /* Probably redundant. */
-  edge_conn->bridge_for_conn = NULL;
   dir_conn->bridge_conn = NULL;
+  if (edge_conn) {
+    edge_conn->bridge_for_conn = NULL;
+    if (!edge_conn->_base.marked_for_close) {
+      TO_CONN(edge_conn)->edge_has_sent_end = 1;
+      connection_mark_for_close(TO_CONN(edge_conn));
+    }
+  }
+  if (!dir_conn->_base.marked_for_close)
+    connection_mark_for_close(TO_CONN(dir_conn));
 }
 
 /** Stop writing on a bridged dir_conn, and remember that it's blocked because
@@ -2081,8 +2092,8 @@ connection_dirserv_stop_blocking_all_on_or_conn(or_connection_t *or_conn)
 {
   dir_connection_t *dir_conn, *next;
 
-  while (or_conn->blocked_dir_connections) {
-    dir_conn = or_conn->blocked_dir_connections;
+  dir_conn = or_conn->blocked_dir_connections;
+  while (dir_conn) {
     next = dir_conn->next_blocked_on_same_or_conn;
 
     dir_conn->is_blocked_on_or_conn = 0;

src/or/dns.c

@@ -185,7 +185,7 @@ evdns_log_cb(int warn, const char *msg)
   }
   if (!strcmpstart(msg, "Nameserver ") && (cp=strstr(msg, " has failed: "))) {
     char *ns = tor_strndup(msg+11, cp-(msg+11));
-    const char *err = strchr(cp, ':'+2);
+    const char *err = strchr(cp, ':')+2;
     /* Don't warn about a single failed nameserver; we'll warn with 'all
      * nameservers have failed' if we're completely out of nameservers;
      * otherwise, the situation is tolerable. */
@@ -409,15 +409,15 @@ purge_expired_resolves(time_t now)
                 removed ? removed->address : "NULL", (void*)remove);
       }
       tor_assert(removed == resolve);
-      if (resolve->is_reverse)
-        tor_free(resolve->result.hostname);
-      resolve->magic = 0xF0BBF0BB;
-      tor_free(resolve);
     } else {
       /* This should be in state DONE. Make sure it's not in the cache. */
       cached_resolve_t *tmp = HT_FIND(cache_map, &cache_root, resolve);
       tor_assert(tmp != resolve);
     }
+    if (resolve->is_reverse)
+      tor_free(resolve->result.hostname);
+    resolve->magic = 0xF0BBF0BB;
+    tor_free(resolve);
   }
 
   assert_cache_ok();
@@ -839,9 +839,19 @@ dns_cancel_pending_resolve(const char *address)
   strlcpy(search.address, address, sizeof(search.address));
 
   resolve = HT_FIND(cache_map, &cache_root, &search);
-  if (!resolve || resolve->state != CACHE_STATE_PENDING) {
-    log_notice(LD_BUG,"Address %s is not pending. Dropping.",
+  if (!resolve)
+    return;
+
+  if (resolve->state != CACHE_STATE_PENDING) {
+    /* We can get into this state if we never actually created the pending
+     * resolve, due to finding an earlier cached error or something.  Just
+     * ignore it. */
+    if (resolve->pending_connections) {
+      log_warn(LD_BUG,
+               "Address %s is not pending but has pending connections!",
                escaped_safe_str(address));
+      tor_fragile_assert();
+    }
     return;
   }
 
@@ -1519,6 +1529,7 @@ configure_nameservers(int force)
   or_options_t *options;
   const char *conf_fname;
   struct stat st;
+  int r;
   options = get_options();
   conf_fname = options->ServerDNSResolvConfFile;
 #ifndef MS_WINDOWS
@@ -1543,9 +1554,9 @@ configure_nameservers(int force)
       evdns_clear_nameservers_and_suspend();
     }
     log_info(LD_EXIT, "Parsing resolver configuration in '%s'", conf_fname);
-    if (evdns_resolv_conf_parse(DNS_OPTIONS_ALL, conf_fname)) {
-      log_warn(LD_EXIT, "Unable to parse '%s', or no nameservers in '%s'",
-               conf_fname, conf_fname);
+    if ((r = evdns_resolv_conf_parse(DNS_OPTIONS_ALL, conf_fname))) {
+      log_warn(LD_EXIT, "Unable to parse '%s', or no nameservers in '%s' (%d)",
+               conf_fname, conf_fname, r);
       return -1;
     }
     if (evdns_count_nameservers() == 0) {

src/or/eventdns.c

@@ -32,10 +32,9 @@
  * Version: 0.1b
  */
 
-#include <sys/types.h>
 #include "eventdns_tor.h"
+#include <sys/types.h>
 //#define NDEBUG
-#include "../common/torint.h"
 
 #ifndef DNS_USE_CPU_CLOCK_FOR_ID
 #ifndef DNS_USE_GETTIMEOFDAY_FOR_ID
@@ -2683,7 +2682,7 @@ resolv_conf_parse_line(char *const start, int flags) {
 int
 evdns_resolv_conf_parse(int flags, const char *const filename) {
 	struct stat st;
-	int fd;
+	int fd, n, r;
 	u8 *resolv;
 	char *start;
 	int err = 0;
@@ -2707,10 +2706,15 @@ evdns_resolv_conf_parse(int flags, const char *const filename) {
 	resolv = (u8 *) malloc((size_t)st.st_size + 1);
 	if (!resolv) { err = 4; goto out1; }
 
-	if (read(fd, resolv, (size_t)st.st_size) != st.st_size) {
-		err = 5; goto out2;
+    n = 0;
+	while ((r = read(fd, resolv+n, (size_t)st.st_size-n)) > 0) {
+		n += r;
+		if (n == st.st_size)
+			break;
+		assert(n < st.st_size);
 	}
-	resolv[st.st_size] = 0;	 // we malloced an extra byte
+	if (r < 0) { err = 5; goto out2; }
+	resolv[n] = 0;	 // we malloced an extra byte; this should be fine.
 
 	start = (char *) resolv;
 	for (;;) {

src/or/main.c

@@ -747,6 +747,8 @@ run_scheduled_events(time_t now)
   static time_t time_to_try_getting_descriptors = 0;
   static time_t time_to_reset_descriptor_failures = 0;
   static time_t time_to_add_entropy = 0;
+#define CLEAN_CACHES_INTERVAL (30*60)
+  static time_t time_to_clean_caches = 0;
   or_options_t *options = get_options();
   int i;
   int have_dir_info;
@@ -854,12 +856,14 @@ run_scheduled_events(time_t now)
 /** How often do we (as a cache) fetch a new V1 runningrouters document? */
 #define V1_RUNNINGROUTERS_FETCH_PERIOD (30*60)
     time_to_fetch_running_routers = now + V1_RUNNINGROUTERS_FETCH_PERIOD;
+  }
 
-     /* Also, take this chance to remove old information from rephist
-     * and the rend cache. */
+  /* Remove old information from rephist and the rend cache. */
+  if (time_to_clean_caches < now) {
     rep_history_clean(now - options->RephistTrackTime);
     rend_cache_clean();
- }
+    time_to_clean_caches = now + CLEAN_CACHES_INTERVAL;
+  }
 
   /* 2b. Once per minute, regenerate and upload the descriptor if the old
    * one is inaccurate. */
@@ -1133,7 +1137,7 @@ dns_servers_relaunch_checks(void)
 }
 
 /** Called when we get a SIGHUP: reload configuration files and keys,
- * retry all connections, re-upload all descriptors, and so on. */
+ * retry all connections, and so on. */
 static int
 do_hup(void)
 {
@@ -1178,7 +1182,6 @@ do_hup(void)
 
   if (server_mode(options)) {
 //    const char *descriptor;
-    mark_my_descriptor_dirty();
     /* Restart cpuworker and dnsworker processes, so they get up-to-date
      * configuration options. */
     cpuworkers_rotate();
@@ -1354,7 +1357,7 @@ signal_callback(int fd, short events, void *arg)
   switch (sig)
     {
     case SIGTERM:
-      log_err(LD_GENERAL,"Catching signal TERM, exiting cleanly.");
+      log_notice(LD_GENERAL,"Catching signal TERM, exiting cleanly.");
       tor_cleanup();
       exit(0);
       break;
@@ -1926,8 +1929,8 @@ nt_service_control(DWORD request)
   switch (request) {
     case SERVICE_CONTROL_STOP:
         case SERVICE_CONTROL_SHUTDOWN:
-          log_err(LD_GENERAL,
-                  "Got stop/shutdown request; shutting down cleanly.");
+          log_notice(LD_GENERAL,
+                     "Got stop/shutdown request; shutting down cleanly.");
           service_status.dwCurrentState = SERVICE_STOP_PENDING;
           event_loopexit(&exit_now);
           return;

src/or/onion.c

@@ -335,14 +335,14 @@ onion_skin_client_handshake(crypto_dh_env_t *handshake_state,
   len = crypto_dh_compute_secret(handshake_state, handshake_reply, DH_KEY_LEN,
                                  key_material, 20+key_out_len);
   if (len < 0)
-    return -1;
+    goto err;
 
   if (memcmp(key_material, handshake_reply+DH_KEY_LEN, 20)) {
     /* H(K) does *not* match. Something fishy. */
     tor_free(key_material);
     log_warn(LD_PROTOCOL,"Digest DOES NOT MATCH on onion handshake. "
              "Bug or attack.");
-    return -1;
+    goto err;
   }
 
   /* use the rest of the key material for our shared keys, digests, etc */
@@ -356,6 +356,9 @@ onion_skin_client_handshake(crypto_dh_env_t *handshake_state,
 
   tor_free(key_material);
   return 0;
+ err:
+  tor_free(key_material);
+  return -1;
 }
 
 /** Implement the server side of the CREATE_FAST abbreviated handshake.  The
@@ -428,6 +431,7 @@ fast_client_handshake(const char *handshake_state, /* DIGEST_LEN bytes */
     /* H(K) does *not* match. Something fishy. */
     log_warn(LD_PROTOCOL,"Digest DOES NOT MATCH on fast handshake. "
              "Bug or attack.");
+    tor_free(out);
     return -1;
   }
   memcpy(key_out, out+DIGEST_LEN, key_out_len);

src/or/or.h

@@ -341,17 +341,11 @@ typedef enum {
 #define DIR_CONN_IS_SERVER(conn) ((conn)->purpose == DIR_PURPOSE_SERVER)
 
 #define _CONTROL_CONN_STATE_MIN 1
-/** State for a control connection: Authenticated and accepting v0 commands. */
-#define CONTROL_CONN_STATE_OPEN_V0 1
 /** State for a control connection: Authenticated and accepting v1 commands. */
 #define CONTROL_CONN_STATE_OPEN_V1 2
-/** State for a control connection: Waiting for authentication; either
- * speaking v0 commands or waiting for evidence that it's a v1
- * connection. */
-#define CONTROL_CONN_STATE_NEEDAUTH_V0 3
 /** State for a control connection: Waiting for authentication; speaking
  * protocol v1. */
-#define CONTROL_CONN_STATE_NEEDAUTH_V1 4
+#define CONTROL_CONN_STATE_NEEDAUTH_V1 3
 #define _CONTROL_CONN_STATE_MAX 4
 
 #define _DIR_PURPOSE_MIN 1
@@ -942,6 +936,9 @@ typedef struct control_connection_t {
    * events as appropriate. */
   unsigned int use_extended_events:1;
 
+  /** True if we have sent a protocolinfo reply on this connection. */
+  unsigned int have_sent_protocolinfo:1;
+
   uint32_t incoming_cmd_len;
   uint32_t incoming_cmd_cur_len;
   char *incoming_cmd;
@@ -1929,8 +1926,7 @@ int fetch_from_buf_http(buf_t *buf,
                         int force_complete);
 int fetch_from_buf_socks(buf_t *buf, socks_request_t *req,
                          int log_sockstype, int safe_socks);
-int fetch_from_buf_control0(buf_t *buf, uint32_t *len_out, uint16_t *type_out,
-                            char **body_out, int check_for_v1);
+int peek_buf_has_control0_command(buf_t *buf);
 int fetch_from_buf_line(buf_t *buf, char *data_out, size_t *data_len);
 int fetch_from_buf_line_lf(buf_t *buf, char *data_out, size_t *data_len);
 
@@ -2001,6 +1997,7 @@ origin_circuit_t *origin_circuit_new(void);
 or_circuit_t *or_circuit_new(uint16_t p_circ_id, or_connection_t *p_conn);
 circuit_t *circuit_get_by_circid_orconn(uint16_t circ_id,
                                         or_connection_t *conn);
+int circuit_id_in_use_on_orconn(uint16_t circ_id, or_connection_t *conn);
 circuit_t *circuit_get_by_edge_conn(edge_connection_t *conn);
 void circuit_unlink_all_from_or_conn(or_connection_t *conn, int reason);
 origin_circuit_t *circuit_get_by_global_id(uint32_t id);
@@ -2604,9 +2601,8 @@ void policies_parse_from_options(or_options_t *options);
 int cmp_addr_policies(addr_policy_t *a, addr_policy_t *b);
 addr_policy_result_t compare_addr_to_addr_policy(uint32_t addr,
                               uint16_t port, addr_policy_t *policy);
-int policies_parse_exit_policy(config_line_t *cfg,
-                               addr_policy_t **dest,
-                               int rejectprivate);
+int policies_parse_exit_policy(config_line_t *cfg, addr_policy_t **dest,
+                               int rejectprivate, const char *local_address);
 int exit_policy_is_general_exit(addr_policy_t *policy);
 int policy_is_reject_star(addr_policy_t *policy);
 int getinfo_helper_policies(control_connection_t *conn,
@@ -2826,7 +2822,8 @@ void mark_my_descriptor_dirty_if_older_than(time_t when);
 void mark_my_descriptor_dirty(void);
 void check_descriptor_bandwidth_changed(time_t now);
 void check_descriptor_ipaddress_changed(time_t now);
-void router_new_address_suggestion(const char *suggestion);
+void router_new_address_suggestion(const char *suggestion,
+                                   const dir_connection_t *conn);
 int router_compare_to_my_exit_policy(edge_connection_t *conn);
 routerinfo_t *router_get_my_routerinfo(void);
 const char *router_get_my_descriptor(void);
@@ -2895,6 +2892,7 @@ routerstatus_t *router_pick_trusteddirserver(authority_type_t type,
 trusted_dir_server_t *router_get_trusteddirserver_by_digest(
      const char *digest);
 void routerlist_add_family(smartlist_t *sl, routerinfo_t *router);
+int routers_in_same_family(routerinfo_t *r1, routerinfo_t *r2);
 void add_nickname_list_to_smartlist(smartlist_t *sl, const char *list,
                                     int must_be_running);
 int router_nickname_is_in_list(routerinfo_t *router, const char *list);
@@ -2907,7 +2905,8 @@ routerinfo_t *router_find_exact_exit_enclave(const char *address,
 int router_is_unreliable(routerinfo_t *router, int need_uptime,
                          int need_capacity, int need_guard);
 uint32_t router_get_advertised_bandwidth(routerinfo_t *router);
-routerinfo_t *routerlist_sl_choose_by_bandwidth(smartlist_t *sl, int for_exit);
+routerinfo_t *routerlist_sl_choose_by_bandwidth(smartlist_t *sl, int for_exit,
+                                                int for_guard);
 routerstatus_t *routerstatus_sl_choose_by_bandwidth(smartlist_t *sl);
 
 routerinfo_t *router_choose_random_node(const char *preferred,
@@ -2943,7 +2942,7 @@ int router_add_to_routerlist(routerinfo_t *router, const char **msg,
                              int from_cache, int from_fetch);
 int router_load_single_router(const char *s, uint8_t purpose,
                               const char **msg);
-void router_load_routers_from_string(const char *s,
+void router_load_routers_from_string(const char *s, size_t len,
                                      saved_location_t saved_location,
                                      smartlist_t *requested_fingerprints);
 typedef enum {
@@ -2966,6 +2965,9 @@ void clear_trusted_dir_servers(void);
 int any_trusted_dir_is_v1_authority(void);
 networkstatus_t *networkstatus_get_by_digest(const char *digest);
 local_routerstatus_t *router_get_combined_status_by_digest(const char *digest);
+smartlist_t *router_get_combined_status_by_descriptor_digests(
+                                                   smartlist_t *digests);
+
 routerstatus_t *routerstatus_get_by_hexdigest(const char *hexdigest);
 void update_networkstatus_downloads(time_t now);
 void update_router_descriptor_downloads(time_t now);
@@ -3021,6 +3023,7 @@ int router_append_dirobj_signature(char *buf, size_t buf_len,
                                    const char *digest,
                                    crypto_pk_env_t *private_key);
 int router_parse_list_from_string(const char **s,
+                                  const char *eos,
                                   smartlist_t *dest,
                                   saved_location_t saved_location);
 int router_parse_routerlist_from_directory(const char *s,

src/or/policies.c

@@ -232,7 +232,7 @@ validate_addr_policies(or_options_t *options, char **msg)
   *msg = NULL;
 
   if (policies_parse_exit_policy(options->ExitPolicy, &addr_policy,
-                                 options->ExitPolicyRejectPrivate))
+                                 options->ExitPolicyRejectPrivate, NULL))
     REJECT("Error in ExitPolicy entry.");
 
   /* The rest of these calls *append* to addr_policy. So don't actually
@@ -554,10 +554,16 @@ exit_policy_remove_redundancies(addr_policy_t **dest)
  */
 int
 policies_parse_exit_policy(config_line_t *cfg, addr_policy_t **dest,
-                           int rejectprivate)
+                           int rejectprivate, const char *local_address)
 {
-  if (rejectprivate)
+  if (rejectprivate) {
     append_exit_policy_string(dest, "reject private:*");
+    if (local_address) {
+      char buf[POLICY_BUF_LEN];
+      tor_snprintf(buf, sizeof(buf), "reject %s:*", local_address);
+      append_exit_policy_string(dest, buf);
+    }
+  }
   if (parse_addr_policy(cfg, dest, -1))
     return -1;
   append_exit_policy_string(dest, DEFAULT_EXIT_POLICY);

src/or/relay.c

@@ -17,7 +17,8 @@ const char relay_c_id[] =
 static int relay_crypt(circuit_t *circ, cell_t *cell, int cell_direction,
                 crypt_path_t **layer_hint, char *recognized);
 static edge_connection_t *relay_lookup_conn(circuit_t *circ, cell_t *cell,
-                                       int cell_direction);
+                                            int cell_direction,
+                                            crypt_path_t *layer_hint);
 
 static int
 connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
@@ -162,7 +163,8 @@ circuit_receive_relay_cell(cell_t *cell, circuit_t *circ, int cell_direction)
   }
 
   if (recognized) {
-    edge_connection_t *conn = relay_lookup_conn(circ, cell, cell_direction);
+    edge_connection_t *conn = relay_lookup_conn(circ, cell, cell_direction,
+                                                layer_hint);
     if (cell_direction == CELL_DIRECTION_OUT) {
       ++stats_n_relay_cells_delivered;
       log_debug(LD_OR,"Sending away from origin.");
@@ -372,7 +374,8 @@ circuit_package_relay_cell(cell_t *cell, circuit_t *circ,
  * attached to circ, return that conn, else return NULL.
  */
 static edge_connection_t *
-relay_lookup_conn(circuit_t *circ, cell_t *cell, int cell_direction)
+relay_lookup_conn(circuit_t *circ, cell_t *cell, int cell_direction,
+                  crypt_path_t *layer_hint)
 {
   edge_connection_t *tmpconn;
   relay_header_t rh;
@@ -390,7 +393,8 @@ relay_lookup_conn(circuit_t *circ, cell_t *cell, int cell_direction)
     for (tmpconn = TO_ORIGIN_CIRCUIT(circ)->p_streams; tmpconn;
          tmpconn=tmpconn->next_stream) {
       if (rh.stream_id == tmpconn->stream_id &&
-          !tmpconn->_base.marked_for_close) {
+          !tmpconn->_base.marked_for_close &&
+          tmpconn->cpath_layer == layer_hint) {
         log_debug(LD_APP,"found conn for stream %d.", rh.stream_id);
         return tmpconn;
       }

src/or/rendclient.c

@@ -468,7 +468,7 @@ rend_client_desc_here(const char *query)
     } else { /* 404, or fetch didn't get that far */
       log_notice(LD_REND,"Closing stream for '%s.onion': hidden service is "
                  "unavailable (try again later).", safe_str(query));
-      connection_mark_unattached_ap(conn, END_STREAM_REASON_TIMEOUT);
+      connection_mark_unattached_ap(conn, END_STREAM_REASON_RESOLVEFAILED);
     }
   }
 }

src/or/rendcommon.c

@@ -146,7 +146,7 @@ rend_parse_service_descriptor(const char *str, size_t len)
     result->protocols = ntohs(get_uint16(cp));
     cp += 2;
   } else {
-    result->protocols = 1;
+    result->protocols = 1<<2; /* always use intro format 2 */
   }
   if (end-cp < 2) goto truncated;
   result->n_intro_points = ntohs(get_uint16(cp));
@@ -436,7 +436,7 @@ rend_process_relay_cell(circuit_t *circ, int command, size_t length,
 {
   or_circuit_t *or_circ = NULL;
   origin_circuit_t *origin_circ = NULL;
-  int r;
+  int r=0;
   if (CIRCUIT_IS_ORIGIN(circ))
     origin_circ = TO_ORIGIN_CIRCUIT(circ);
   else
@@ -444,31 +444,40 @@ rend_process_relay_cell(circuit_t *circ, int command, size_t length,
 
   switch (command) {
     case RELAY_COMMAND_ESTABLISH_INTRO:
-      r = rend_mid_establish_intro(or_circ,payload,length);
+      if (or_circ)
+        r = rend_mid_establish_intro(or_circ,payload,length);
       break;
     case RELAY_COMMAND_ESTABLISH_RENDEZVOUS:
-      r = rend_mid_establish_rendezvous(or_circ,payload,length);
+      if (or_circ)
+        r = rend_mid_establish_rendezvous(or_circ,payload,length);
       break;
     case RELAY_COMMAND_INTRODUCE1:
-      r = rend_mid_introduce(or_circ,payload,length);
+      if (or_circ)
+        r = rend_mid_introduce(or_circ,payload,length);
       break;
     case RELAY_COMMAND_INTRODUCE2:
-      r = rend_service_introduce(origin_circ,payload,length);
+      if (origin_circ)
+        r = rend_service_introduce(origin_circ,payload,length);
       break;
     case RELAY_COMMAND_INTRODUCE_ACK:
-      r = rend_client_introduction_acked(origin_circ,payload,length);
+      if (origin_circ)
+        r = rend_client_introduction_acked(origin_circ,payload,length);
       break;
     case RELAY_COMMAND_RENDEZVOUS1:
-      r = rend_mid_rendezvous(or_circ,payload,length);
+      if (or_circ)
+        r = rend_mid_rendezvous(or_circ,payload,length);
       break;
     case RELAY_COMMAND_RENDEZVOUS2:
-      r = rend_client_receive_rendezvous(origin_circ,payload,length);
+      if (origin_circ)
+        r = rend_client_receive_rendezvous(origin_circ,payload,length);
       break;
     case RELAY_COMMAND_INTRO_ESTABLISHED:
-      r = rend_service_intro_established(origin_circ,payload,length);
+      if (origin_circ)
+        r = rend_service_intro_established(origin_circ,payload,length);
       break;
     case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED:
-      r = rend_client_rendezvous_acked(origin_circ,payload,length);
+      if (origin_circ)
+        r = rend_client_rendezvous_acked(origin_circ,payload,length);
       break;
     default:
       tor_assert(0);

src/or/rendservice.c

@@ -254,6 +254,7 @@ rend_config_services(or_options_t *options, int validate_only)
         log_warn(LD_CONFIG,
                  "Got multiple HiddenServiceNodes lines for a single "
                  "service.");
+        rend_service_free(service);
         return -1;
       }
       service->intro_prefer_nodes = tor_strdup(line->value);
@@ -263,6 +264,7 @@ rend_config_services(or_options_t *options, int validate_only)
         log_warn(LD_CONFIG,
                  "Got multiple HiddenServiceExcludedNodes lines for "
                  "a single service.");
+        rend_service_free(service);
         return -1;
       }
       service->intro_exclude_nodes = tor_strdup(line->value);
@@ -303,16 +305,17 @@ rend_service_update_descriptor(rend_service_t *service)
   d->intro_point_extend_info = tor_malloc_zero(sizeof(extend_info_t*)*n);
   d->protocols = (1<<2) | (1<<0); /* We support protocol 2 and protocol 0. */
   for (i=0; i < n; ++i) {
-    router = router_get_by_nickname(smartlist_get(service->intro_nodes, i),1);
+    const char *name = smartlist_get(service->intro_nodes, i);
+    router = router_get_by_nickname(name, 1);
     if (!router) {
       log_info(LD_REND,"Router '%s' not found for intro point %d. Skipping.",
-               safe_str((char*)smartlist_get(service->intro_nodes, i)), i);
+               safe_str(name), i);
       continue;
     }
     circ = find_intro_circuit(router, service->pk_digest);
     if (circ && circ->_base.purpose == CIRCUIT_PURPOSE_S_INTRO) {
       /* We have an entirely established intro circuit. */
-      d->intro_points[d->n_intro_points] = tor_strdup(router->nickname);
+      d->intro_points[d->n_intro_points] = tor_strdup(name);
       d->intro_point_extend_info[d->n_intro_points] =
         extend_info_from_router(router);
       d->n_intro_points++;
@@ -552,7 +555,7 @@ rend_service_introduce(origin_circuit_t *circuit, const char *request,
   if (len != REND_COOKIE_LEN+DH_KEY_LEN) {
     log_warn(LD_PROTOCOL, "Bad length %u for INTRODUCE2 cell.", (int)len);
     reason = END_CIRC_REASON_TORPROTOCOL;
-    return -1;
+    goto err;
   }
 
   r_cookie = ptr;

src/or/rephist.c

@@ -719,6 +719,8 @@ rep_hist_load_state(or_state_t *state, char **err)
     if (s_values && s_begins >= now - NUM_SECS_BW_SUM_INTERVAL*NUM_TOTALS) {
       start = s_begins - s_interval*(smartlist_len(s_values));
 
+      if (start > now)
+        continue;
       b->cur_obs_time = start;
       b->next_period = start + NUM_SECS_BW_SUM_INTERVAL;
       SMARTLIST_FOREACH(s_values, char *, cp, {
@@ -727,8 +729,10 @@ rep_hist_load_state(or_state_t *state, char **err)
           all_ok=0;
           log_notice(LD_GENERAL, "Could not parse '%s' into a number.'", cp);
         }
-        add_obs(b, start, v);
-        start += NUM_SECS_BW_SUM_INTERVAL;
+        if (start < now) {
+          add_obs(b, start, v);
+          start += NUM_SECS_BW_SUM_INTERVAL;
+        }
       });
     }
 

src/or/router.c

@@ -239,7 +239,7 @@ init_keys(void)
   char digest[20];
   char *cp;
   or_options_t *options = get_options();
-  or_state_t *state = get_or_state();
+  time_t now = time(NULL);
 
   if (!key_lock)
     key_lock = tor_mutex_new();
@@ -249,8 +249,10 @@ init_keys(void)
   if (!server_mode(options)) {
     if (!(prkey = crypto_new_pk_env()))
       return -1;
-    if (crypto_pk_generate_key(prkey))
+    if (crypto_pk_generate_key(prkey)) {
+      crypto_free_pk_env(prkey);
       return -1;
+    }
     set_identity_key(prkey);
     /* Create a TLS context; default the client nickname to "client". */
     if (tor_tls_context_new(get_identity_key(),
@@ -284,15 +286,24 @@ init_keys(void)
   prkey = init_key_from_file(keydir);
   if (!prkey) return -1;
   set_onion_key(prkey);
-  if (state->LastRotatedOnionKey > 100) { /* allow for some parsing slop. */
-    onionkey_set_at = state->LastRotatedOnionKey;
-  } else {
-    /* We have no LastRotatedOnionKey set; either we just created the key
-     * or it's a holdover from 0.1.2.4-alpha-dev or earlier.  In either case,
-     * start the clock ticking now so that we will eventually rotate it even
-     * if we don't stay up for a full MIN_ONION_KEY_LIFETIME. */
-    state->LastRotatedOnionKey = onionkey_set_at = time(NULL);
-    or_state_mark_dirty(state, options->AvoidDiskWrites ? time(NULL)+3600 : 0);
+
+  if (options->command == CMD_RUN_TOR) {
+    /* Only mess with the state file if we're actually running Tor */
+    or_state_t *state = get_or_state();
+    if (state->LastRotatedOnionKey > 100 && state->LastRotatedOnionKey < now) {
+      /* We allow for some parsing slop, but we don't want to risk accepting
+       * valus in the distant future.  If we did, we might never rotate the
+       * onion key. */
+      onionkey_set_at = state->LastRotatedOnionKey;
+    } else {
+      /* We have no LastRotatedOnionKey set; either we just created the key
+       * or it's a holdover from 0.1.2.4-alpha-dev or earlier.  In either case,
+       * start the clock ticking now so that we will eventually rotate it even
+       * if we don't stay up for a full MIN_ONION_KEY_LIFETIME. */
+      state->LastRotatedOnionKey = onionkey_set_at = now;
+      or_state_mark_dirty(state,
+                          options->AvoidDiskWrites ? now+3600 : 0);
+    }
   }
 
   tor_snprintf(keydir,sizeof(keydir),"%s/keys/secret_onion_key.old",datadir);
@@ -529,7 +540,7 @@ router_orport_found_reachable(void)
       return;
     control_event_server_status(LOG_NOTICE,
                                 "REACHABILITY_SUCCEEDED ORADDRESS=%s:%d",
-                                me->address, me->dir_port);
+                                me->address, me->or_port);
   }
 }
 
@@ -886,7 +897,7 @@ router_rebuild_descriptor(int force)
   }
 
   policies_parse_exit_policy(options->ExitPolicy, &ri->exit_policy,
-                             options->ExitPolicyRejectPrivate);
+                             options->ExitPolicyRejectPrivate, ri->address);
 
   if (desc_routerinfo) { /* inherit values */
     ri->is_valid = desc_routerinfo->is_valid;
@@ -949,9 +960,9 @@ router_rebuild_descriptor(int force)
   }
   ri->cache_info.signed_descriptor_len =
     strlen(ri->cache_info.signed_descriptor_body);
-  crypto_digest(ri->cache_info.signed_descriptor_digest,
-                ri->cache_info.signed_descriptor_body,
-                ri->cache_info.signed_descriptor_len);
+
+  router_get_router_hash(ri->cache_info.signed_descriptor_body,
+                         ri->cache_info.signed_descriptor_digest);
 
   if (desc_routerinfo)
     routerinfo_free(desc_routerinfo);
@@ -1066,7 +1077,8 @@ static uint32_t last_guessed_ip = 0;
  * If this address is different from the one we think we are now, and
  * if our computer doesn't actually know its IP address, then switch. */
 void
-router_new_address_suggestion(const char *suggestion)
+router_new_address_suggestion(const char *suggestion,
+                              const dir_connection_t *conn)
 {
   uint32_t addr, cur = 0;
   struct in_addr in;
@@ -1096,6 +1108,13 @@ router_new_address_suggestion(const char *suggestion)
     /* Don't believe anybody who says our IP is, say, 127.0.0.1. */
     return;
   }
+  if (addr == conn->_base.addr) {
+    /* Don't believe anybody who says our IP is their IP. */
+    log_debug(LD_DIR, "A directory server told us our IP address is %s, "
+              "but he's just reporting his own IP address. Ignoring.",
+              suggestion);
+    return;
+  }
 
   /* Okay.  We can't resolve our own address, and X-Your-Address-Is is giving
    * us an answer different from what we had the last time we managed to

src/or/routerlist.c

@@ -15,6 +15,10 @@ const char routerlist_c_id[] =
 
 #include "or.h"
 
+// #define DEBUG_ROUTERLIST
+
+// #define DUMP_DIR_WEIGHTS
+
 /****************************************************************************/
 
 /* static function prototypes */
@@ -99,6 +103,10 @@ static int have_warned_about_old_version = 0;
  * listed by the authorities  */
 static int have_warned_about_new_version = 0;
 
+#ifdef DUMP_DIR_WEIGHTS
+static int log_dir_weights = 0;
+#endif
+
 /** Return the number of v2 directory authorities */
 static INLINE int
 get_n_v2_authorities(void)
@@ -241,7 +249,6 @@ _compare_routers_by_age(const void **_a, const void **_b)
 static int
 router_rebuild_store(int force)
 {
-  size_t len = 0;
   or_options_t *options;
   size_t fname_len;
   smartlist_t *chunk_list = NULL;
@@ -337,13 +344,15 @@ router_rebuild_store(int force)
   write_str_to_file(fname, "", 1);
 
   r = 0;
-  router_store_len = len;
+  tor_assert(offset >= 0);
+  router_store_len = (size_t) offset;
   router_journal_len = 0;
   router_bytes_dropped = 0;
  done:
   smartlist_free(old_routers);
   smartlist_free(routers);
   tor_free(fname);
+  tor_free(fname_tmp);
   SMARTLIST_FOREACH(chunk_list, sized_chunk_t *, c, tor_free(c));
   smartlist_free(chunk_list);
   return r;
@@ -373,6 +382,7 @@ router_reload_router_list(void)
   if (routerlist->mmap_descriptors) {
     router_store_len = routerlist->mmap_descriptors->size;
     router_load_routers_from_string(routerlist->mmap_descriptors->data,
+                                    routerlist->mmap_descriptors->size,
                                     SAVED_IN_CACHE, NULL);
   }
 
@@ -381,7 +391,7 @@ router_reload_router_list(void)
   if (file_status(fname) == FN_FILE)
     contents = read_file_to_str(fname, RFTS_BIN|RFTS_IGNORE_MISSING, NULL);
   if (contents) {
-    router_load_routers_from_string(contents,
+    router_load_routers_from_string(contents, strlen(contents),
                                     SAVED_IN_JOURNAL, NULL);
     tor_free(contents);
   }
@@ -573,20 +583,56 @@ router_pick_directory_server_impl(int requireother, int fascistfirewall,
   });
 
   if (smartlist_len(tunnel)) {
+#ifdef DUMP_DIR_WEIGHTS
+    if (log_dir_weights)
+      log_notice(LD_DIR, "Picking from tunnel-supporting dirs");
+#endif
     result = routerstatus_sl_choose_by_bandwidth(tunnel);
   } else if (smartlist_len(overloaded_tunnel)) {
+#ifdef DUMP_DIR_WEIGHTS
+    if (log_dir_weights)
+      log_notice(LD_DIR, "Picking from overloaded tunnel-supporting dirs");
+#endif
     result = routerstatus_sl_choose_by_bandwidth(overloaded_tunnel);
   } else if (smartlist_len(trusted_tunnel)) {
     /* FFFF We don't distinguish between trusteds and overloaded trusteds
      * yet. Maybe one day we should. */
     /* FFFF We also don't load balance over authorities yet. I think this
      * is a feature, but it could easily be a bug. -RD */
+#ifdef DUMP_DIR_WEIGHTS
+    if (log_dir_weights) {
+      int n = smartlist_len(trusted_tunnel);
+      double d = n ? 100.0/n : 0.0;
+      log_notice(LD_DIR, "Picking from trusted tunnel-supporting dirs.");
+      SMARTLIST_FOREACH(trusted_tunnel, routerstatus_t *, rs,
+         log_notice(LD_DIR, "  [%05.2lf] %s %s", d,
+                    hex_str(rs->identity_digest, DIGEST_LEN), rs->nickname));
+    }
+#endif
     result = smartlist_choose(trusted_tunnel);
   } else if (smartlist_len(direct)) {
+#ifdef DUMP_DIR_WEIGHTS
+    if (log_dir_weights)
+      log_notice(LD_DIR, "Picking from direct dir connections");
+#endif
     result = routerstatus_sl_choose_by_bandwidth(direct);
   } else if (smartlist_len(overloaded_direct)) {
+#ifdef DUMP_DIR_WEIGHTS
+    if (log_dir_weights)
+      log_notice(LD_DIR, "Picking from overloaded direct dir connections");
+#endif
     result = routerstatus_sl_choose_by_bandwidth(overloaded_direct);
   } else {
+#ifdef DUMP_DIR_WEIGHTS
+    if (log_dir_weights) {
+      int n = smartlist_len(trusted_tunnel);
+      double d = n ? 100.0/n : 0.0;
+      log_notice(LD_DIR, "Picking from trusted direct dir connections");
+      SMARTLIST_FOREACH(trusted_tunnel, routerstatus_t *, rs,
+         log_notice(LD_DIR, "  [%05.2lf] %s %s", d,
+                    hex_str(rs->identity_digest, DIGEST_LEN), rs->nickname));
+    }
+#endif
     result = smartlist_choose(trusted_direct);
   }
   smartlist_free(direct);
@@ -615,14 +661,14 @@ router_pick_trusteddirserver_impl(authority_type_t type,
   routerstatus_t *result;
   time_t now = time(NULL);
 
+  if (!trusted_dir_servers)
+    return NULL;
+
   direct = smartlist_create();
   tunnel = smartlist_create();
   overloaded_direct = smartlist_create();
   overloaded_tunnel = smartlist_create();
 
-  if (!trusted_dir_servers)
-    return NULL;
-
   SMARTLIST_FOREACH(trusted_dir_servers, trusted_dir_server_t *, d,
     {
       int is_overloaded =
@@ -761,6 +807,47 @@ routerlist_add_family(smartlist_t *sl, routerinfo_t *router)
   }
 }
 
+/** Return true iff r is named by some nickname in <b>lst</b>. */
+static INLINE int
+router_in_nickname_smartlist(smartlist_t *lst, routerinfo_t *r)
+{
+  if (!lst) return 0;
+  SMARTLIST_FOREACH(lst, const char *, name,
+    if (router_nickname_matches(r, name))
+      return 1;);
+  return 0;
+}
+
+/** Return true iff router1 and router2 have the same /16 network. */
+static INLINE int
+routers_in_same_network_family(routerinfo_t *r1, routerinfo_t *r2)
+{
+  return (r1->addr & 0xffff0000) == (r2->addr & 0xffff0000);
+}
+
+/** Return true iff r1 and r2 are in the same family, but not the same
+ * router. */
+int
+routers_in_same_family(routerinfo_t *r1, routerinfo_t *r2)
+{
+  or_options_t *options = get_options();
+  config_line_t *cl;
+
+  if (options->EnforceDistinctSubnets && routers_in_same_network_family(r1,r2))
+    return 1;
+
+  if (router_in_nickname_smartlist(r1->declared_family, r2) &&
+      router_in_nickname_smartlist(r2->declared_family, r1))
+    return 1;
+
+  for (cl = options->NodeFamilies; cl; cl = cl->next) {
+    if (router_nickname_is_in_list(r1, cl->value) &&
+        router_nickname_is_in_list(r2, cl->value))
+      return 1;
+  }
+  return 0;
+}
+
 /** Given a (possibly NULL) comma-and-whitespace separated list of nicknames,
  * see which nicknames in <b>list</b> name routers in our routerlist, and add
  * the routerinfos for those routers to <b>sl</b>.  If <b>must_be_running</b>,
@@ -931,7 +1018,7 @@ router_get_advertised_bandwidth(routerinfo_t *router)
 
 /** Do not weight any declared bandwidth more than this much when picking
  * routers by bandwidth. */
-#define MAX_BELIEVABLE_BANDWIDTH 1500000 /* 1.5 MB/sec */
+#define MAX_BELIEVABLE_BANDWIDTH 10000000 /* 10 MB/sec */
 
 /** Helper function:
  * choose a random element of smartlist <b>sl</b>, weighted by
@@ -941,27 +1028,35 @@ router_get_advertised_bandwidth(routerinfo_t *router)
  * routerinfo_t's. Otherwise it's a list of routerstatus_t's.
  *
  * If <b>for_exit</b>, we're picking an exit node: consider all nodes'
- * bandwidth equally regardless of their Exit status.  If not <b>for_exit</b>,
+ * bandwidth equally regardless of their Exit status, since there may be
+ * some in the list because they exit to obscure ports. If not <b>for_exit</b>,
  * we're picking a non-exit node: weight exit-node's bandwidth downwards
  * depending on the smallness of the fraction of Exit-to-total bandwidth.
+ *
+ * If <b>for_guard</b>, we're picking a guard node: consider all guard's
+ * bandwidth equally. Otherwise, weight guards proportionally less.
  */
 static void *
-smartlist_choose_by_bandwidth(smartlist_t *sl, int for_exit, int statuses)
+smartlist_choose_by_bandwidth(smartlist_t *sl, int for_exit, int for_guard,
+                              int statuses)
 {
   int i;
   routerinfo_t *router;
-  routerstatus_t *status;
+  routerstatus_t *status=NULL;
   int32_t *bandwidths;
   int is_exit;
+  int is_guard;
   uint64_t total_nonexit_bw = 0, total_exit_bw = 0, total_bw = 0;
+  uint64_t total_nonguard_bw = 0, total_guard_bw = 0;
   uint64_t rand_bw, tmp;
   double exit_weight;
+  double guard_weight;
   int n_unknown = 0;
 
   /* First count the total bandwidth weight, and make a list
    * of each value.  <0 means "unknown; no routerinfo."  We use the
    * bits of negative values to remember whether the router was fast (-x)&1
-   * and whether it was an exit (-x)&2.  Yes, it's a hack. */
+   * and whether it was an exit (-x)&2 or guard (-x)&4.  Yes, it's a hack. */
   bandwidths = tor_malloc(sizeof(int32_t)*smartlist_len(sl));
 
   /* Iterate over all the routerinfo_t or routerstatus_t, and */
@@ -975,16 +1070,19 @@ smartlist_choose_by_bandwidth(smartlist_t *sl, int for_exit, int statuses)
       status = smartlist_get(sl, i);
       router = router_get_by_digest(status->identity_digest);
       is_exit = status->is_exit;
+      is_guard = status->is_possible_guard;
       if (router) {
         this_bw = router_get_advertised_bandwidth(router);
       } else { /* guess */
         is_known = 0;
         flags = status->is_fast ? 1 : 0;
         flags |= is_exit ? 2 : 0;
+        flags |= is_guard ? 4 : 0;
       }
     } else {
       router = smartlist_get(sl, i);
       is_exit = router->is_exit;
+      is_guard = router->is_possible_guard;
       this_bw = router_get_advertised_bandwidth(router);
     }
     /* if they claim something huge, don't believe it */
@@ -992,6 +1090,10 @@ smartlist_choose_by_bandwidth(smartlist_t *sl, int for_exit, int statuses)
       this_bw = MAX_BELIEVABLE_BANDWIDTH;
     if (is_known) {
       bandwidths[i] = (int32_t) this_bw; // safe since MAX_BELIEVABLE<INT32_MAX
+      if (is_guard)
+        total_guard_bw += this_bw;
+      else
+        total_nonguard_bw += this_bw;
       if (is_exit)
         total_exit_bw += this_bw;
       else
@@ -1020,11 +1122,16 @@ smartlist_choose_by_bandwidth(smartlist_t *sl, int for_exit, int statuses)
       if (bw>=0)
         continue;
       is_exit = ((-bw)&2);
+      is_guard = ((-bw)&4);
       bandwidths[i] = ((-bw)&1) ? avg_fast : avg_slow;
       if (is_exit)
         total_exit_bw += bandwidths[i];
       else
         total_nonexit_bw += bandwidths[i];
+      if (is_guard)
+        total_guard_bw += bandwidths[i];
+      else
+        total_nonguard_bw += bandwidths[i];
     }
   }
 
@@ -1034,25 +1141,53 @@ smartlist_choose_by_bandwidth(smartlist_t *sl, int for_exit, int statuses)
     return smartlist_choose(sl);
   }
 
-  /* Figure out how to weight exits. */
-  if (for_exit) {
-    /* If we're choosing an exit node, exit bandwidth counts fully. */
-    exit_weight = 1.0;
-    total_bw = total_exit_bw + total_nonexit_bw;
-  } else if (total_exit_bw < total_nonexit_bw / 2) {
-    /* If we're choosing a relay and exits are greatly outnumbered, ignore
-     * them. */
-    exit_weight = 0.0;
-    total_bw = total_nonexit_bw;
-  } else {
-    /* If we're choosing a relay and exits aren't outnumbered use the formula
-     * from path-spec. */
-    uint64_t leftover = (total_exit_bw - total_nonexit_bw / 2);
-    exit_weight = U64_TO_DBL(leftover) /
-      U64_TO_DBL(leftover + total_nonexit_bw);
-    total_bw =  total_nonexit_bw +
-      DBL_TO_U64(exit_weight * U64_TO_DBL(total_exit_bw));
+  /* Figure out how to weight exits and guards. */
+  {
+    double all_bw = U64_TO_DBL(total_exit_bw+total_nonexit_bw);
+    double exit_bw = U64_TO_DBL(total_exit_bw);
+    double guard_bw = U64_TO_DBL(total_guard_bw);
+    /*
+     * For detailed derivation of this formula, see
+     *   http://archives.seul.org/or/dev/Jul-2007/msg00056.html
+     */
+    if (for_exit)
+      exit_weight = 1.0;
+    else
+      exit_weight = 1.0 - all_bw/(3.0*exit_bw);
+
+    if (for_guard)
+      guard_weight = 1.0;
+    else
+      guard_weight = 1.0 - all_bw/(3.0*guard_bw);
+
+    if (exit_weight <= 0.0)
+      exit_weight = 0.0;
+
+    if (guard_weight <= 0.0)
+      guard_weight = 0.0;
+
+    total_bw = 0;
+    for (i=0; i < smartlist_len(sl); i++) {
+      if (statuses) {
+        status = smartlist_get(sl, i);
+        is_exit = status->is_exit;
+        is_guard = status->is_possible_guard;
+      } else {
+        router = smartlist_get(sl, i);
+        is_exit = router->is_exit;
+        is_guard = router->is_possible_guard;
+      }
+      if (is_exit && is_guard)
+        total_bw += ((uint64_t)(bandwidths[i] * exit_weight * guard_weight));
+      else if (is_guard)
+        total_bw += ((uint64_t)(bandwidths[i] * guard_weight));
+      else if (is_exit)
+        total_bw += ((uint64_t)(bandwidths[i] * exit_weight));
+      else
+        total_bw += bandwidths[i];
+    }
   }
+
   /*
   log_debug(LD_CIRC, "Total bw = "U64_FORMAT", total exit bw = "U64_FORMAT
             ", total nonexit bw = "U64_FORMAT", exit weight = %lf "
@@ -1067,20 +1202,51 @@ smartlist_choose_by_bandwidth(smartlist_t *sl, int for_exit, int statuses)
   /* Last, count through sl until we get to the element we picked */
   tmp = 0;
   for (i=0; i < smartlist_len(sl); i++) {
+    uint64_t this_bw;
     if (statuses) {
       status = smartlist_get(sl, i);
       is_exit = status->is_exit;
+      is_guard = status->is_possible_guard;
     } else {
       router = smartlist_get(sl, i);
       is_exit = router->is_exit;
+      is_guard = router->is_possible_guard;
     }
-    if (is_exit)
-      tmp += ((uint64_t)(bandwidths[i] * exit_weight));
+
+    /* Weights can be 0 if not counting guards/exits */
+    if (is_exit && is_guard)
+      this_bw = ((uint64_t)(bandwidths[i] * exit_weight * guard_weight));
+    else if (is_guard)
+      this_bw = ((uint64_t)(bandwidths[i] * guard_weight));
+    else if (is_exit)
+      this_bw = ((uint64_t)(bandwidths[i] * exit_weight));
     else
-      tmp += bandwidths[i];
+      this_bw = bandwidths[i];
+    tmp += this_bw;
+
+#ifdef DUMP_DIR_WEIGHTS
+    if (log_dir_weights && statuses) {
+      routerstatus_t *rs = smartlist_get(sl, i);
+      double pct = 100.0 * (U64_TO_DBL(this_bw)/U64_TO_DBL(total_bw));
+      log_notice(LD_DIR, "  [%05.2lf] %s %s", pct,
+                 hex_str(rs->identity_digest, DIGEST_LEN), rs->nickname);
+    } else
+#endif
+
     if (tmp >= rand_bw)
       break;
   }
+#ifdef DUMP_DIR_WEIGHTS
+  if (log_dir_weights)
+    return NULL;
+#endif
+
+  if (i == smartlist_len(sl)) {
+    /* This is possible due to round-off error. */
+    --i;
+    log_warn(LD_BUG, "Round-off error in computing bandwidth had an effect on "
+             " which router we chose.  Please tell the developers.");
+  }
   tor_free(bandwidths);
   return smartlist_get(sl, i);
 }
@@ -1089,18 +1255,19 @@ smartlist_choose_by_bandwidth(smartlist_t *sl, int for_exit, int statuses)
  * the advertised bandwidth of each router.
  */
 routerinfo_t *
-routerlist_sl_choose_by_bandwidth(smartlist_t *sl, int for_exit)
+routerlist_sl_choose_by_bandwidth(smartlist_t *sl, int for_exit, int for_guard)
 {
-  return smartlist_choose_by_bandwidth(sl, for_exit, 0);
+  return smartlist_choose_by_bandwidth(sl, for_exit, for_guard, 0);
 }
 
 /** Choose a random element of status list <b>sl</b>, weighted by
- * the advertised bandwidth of each status.
+ * the advertised bandwidth of each status. Avoid putting load on
+ * exits and guards.
  */
 routerstatus_t *
 routerstatus_sl_choose_by_bandwidth(smartlist_t *sl)
 {
-  return smartlist_choose_by_bandwidth(sl, 1, 1);
+  return smartlist_choose_by_bandwidth(sl, 0, 0, 1);
 }
 
 /** Return a random running router from the routerlist.  If any node
@@ -1156,8 +1323,9 @@ router_choose_random_node(const char *preferred,
     if (excludedsmartlist)
       smartlist_subtract(sl,excludedsmartlist);
 
-    if (need_capacity)
-      choice = routerlist_sl_choose_by_bandwidth(sl, weight_for_exit);
+    if (need_capacity || need_guard)
+      choice = routerlist_sl_choose_by_bandwidth(sl, weight_for_exit,
+                                                 need_guard);
     else
       choice = smartlist_choose(sl);
 
@@ -1384,7 +1552,7 @@ router_get_by_hexdigest(const char *hexdigest)
 
   ri = router_get_by_digest(digest);
 
-  if (len > HEX_DIGEST_LEN) {
+  if (ri && len > HEX_DIGEST_LEN) {
     if (hexdigest[HEX_DIGEST_LEN] == '=') {
       if (strcasecmp(ri->nickname, hexdigest+HEX_DIGEST_LEN+1) ||
           !ri->is_named)
@@ -1592,13 +1760,21 @@ _routerlist_find_elt(smartlist_t *sl, void *ri, int idx)
 static void
 routerlist_insert(routerlist_t *rl, routerinfo_t *ri)
 {
+  {
+    /* XXXX remove this code once bug 404 is fixed. */
+    routerinfo_t *ri_generated = router_get_my_routerinfo();
+    tor_assert(ri_generated != ri);
+  }
+
   digestmap_set(rl->identity_map, ri->cache_info.identity_digest, ri);
   digestmap_set(rl->desc_digest_map, ri->cache_info.signed_descriptor_digest,
                 &(ri->cache_info));
   smartlist_add(rl->routers, ri);
   ri->routerlist_index = smartlist_len(rl->routers) - 1;
   router_dir_info_changed();
-  // routerlist_assert_ok(rl);
+#ifdef DEBUG_ROUTERLIST
+  routerlist_assert_ok(rl);
+#endif
 }
 
 /** If we're a directory cache and routerlist <b>rl</b> doesn't have
@@ -1607,6 +1783,11 @@ routerlist_insert(routerlist_t *rl, routerinfo_t *ri)
 static void
 routerlist_insert_old(routerlist_t *rl, routerinfo_t *ri)
 {
+  {
+    /* XXXX remove this code once bug 404 is fixed. */
+    routerinfo_t *ri_generated = router_get_my_routerinfo();
+    tor_assert(ri_generated != ri);
+  }
   if (get_options()->DirPort &&
       !digestmap_get(rl->desc_digest_map,
                      ri->cache_info.signed_descriptor_digest)) {
@@ -1616,7 +1797,9 @@ routerlist_insert_old(routerlist_t *rl, routerinfo_t *ri)
   } else {
     routerinfo_free(ri);
   }
-  // routerlist_assert_ok(rl);
+#ifdef DEBUG_ROUTERLIST
+  routerlist_assert_ok(rl);
+#endif
 }
 
 /** Remove an item <b>ri</b> from the routerlist <b>rl</b>, updating indices
@@ -1647,15 +1830,18 @@ routerlist_remove(routerlist_t *rl, routerinfo_t *ri, int idx, int make_old)
     smartlist_add(rl->old_routers, sd);
     digestmap_set(rl->desc_digest_map, sd->signed_descriptor_digest, sd);
   } else {
-    ri_tmp = digestmap_remove(rl->desc_digest_map,
+    signed_descriptor_t *sd_tmp = digestmap_remove(rl->desc_digest_map,
                               ri->cache_info.signed_descriptor_digest);
-    tor_assert(ri_tmp == ri);
+    tor_assert(sd_tmp == &ri->cache_info);
     router_bytes_dropped += ri->cache_info.signed_descriptor_len;
     routerinfo_free(ri);
   }
-  // routerlist_assert_ok(rl);
+#ifdef DEBUG_ROUTERLIST
+  routerlist_assert_ok(rl);
+#endif
 }
 
+/** DOCDOC */
 static void
 routerlist_remove_old(routerlist_t *rl, signed_descriptor_t *sd, int idx)
 {
@@ -1669,7 +1855,9 @@ routerlist_remove_old(routerlist_t *rl, signed_descriptor_t *sd, int idx)
   tor_assert(sd_tmp == sd);
   router_bytes_dropped += sd->signed_descriptor_len;
   signed_descriptor_free(sd);
-  // routerlist_assert_ok(rl);
+#ifdef DEBUG_ROUTERLIST
+  routerlist_assert_ok(rl);
+#endif
 }
 
 /** Remove <b>ri_old</b> from the routerlist <b>rl</b>, and replace it with
@@ -1679,10 +1867,19 @@ routerlist_remove_old(routerlist_t *rl, signed_descriptor_t *sd, int idx)
  * index as ri_old, if possible.  ri is freed as appropriate. */
 static void
 routerlist_replace(routerlist_t *rl, routerinfo_t *ri_old,
-                   routerinfo_t *ri_new, int idx, int make_old)
+                   routerinfo_t *ri_new)
 {
+  int idx;
+  {
+    /* XXXX remove this code once bug 404 is fixed. */
+    routerinfo_t *ri_generated = router_get_my_routerinfo();
+    tor_assert(ri_generated != ri_new);
+  }
   tor_assert(ri_old != ri_new);
-  idx = _routerlist_find_elt(rl->routers, ri_old, idx);
+  idx = ri_old->routerlist_index;
+  tor_assert(0 <= idx && idx < smartlist_len(rl->routers));
+  tor_assert(smartlist_get(rl->routers, idx) == ri_old);
+
   router_dir_info_changed();
   if (idx >= 0) {
     smartlist_set(rl->routers, idx, ri_new);
@@ -1702,7 +1899,7 @@ routerlist_replace(routerlist_t *rl, routerinfo_t *ri_old,
   digestmap_set(rl->desc_digest_map,
           ri_new->cache_info.signed_descriptor_digest, &(ri_new->cache_info));
 
-  if (make_old && get_options()->DirPort) {
+  if (get_options()->DirPort) {
     signed_descriptor_t *sd = signed_descriptor_from_routerinfo(ri_old);
     smartlist_add(rl->old_routers, sd);
     digestmap_set(rl->desc_digest_map, sd->signed_descriptor_digest, sd);
@@ -1714,9 +1911,12 @@ routerlist_replace(routerlist_t *rl, routerinfo_t *ri_old,
       digestmap_remove(rl->desc_digest_map,
                        ri_old->cache_info.signed_descriptor_digest);
     }
+    router_bytes_dropped += ri_old->cache_info.signed_descriptor_len;
     routerinfo_free(ri_old);
   }
-  // routerlist_assert_ok(rl);
+#ifdef DEBUG_ROUTERLIST
+  routerlist_assert_ok(rl);
+#endif
 }
 
 /** Free all memory held by the routerlist module. */
@@ -1879,6 +2079,11 @@ router_add_to_routerlist(routerinfo_t *router, const char **msg,
   int authdir = get_options()->AuthoritativeDir;
   int authdir_believes_valid = 0;
   routerinfo_t *old_router;
+  /* router_have_minimum_dir_info() has side effects, so do it before we
+   * start the real work */
+  int authdir_may_warn_about_unreachable_server =
+    authdir && !from_cache && !from_fetch &&
+    router_have_minimum_dir_info();
 
   tor_assert(msg);
 
@@ -1946,9 +2151,6 @@ router_add_to_routerlist(routerinfo_t *router, const char **msg,
   old_router = digestmap_get(routerlist->identity_map,
                              router->cache_info.identity_digest);
   if (old_router) {
-    int pos = old_router->routerlist_index;
-    tor_assert(smartlist_get(routerlist->routers, pos) == old_router);
-
     if (router->cache_info.published_on <=
         old_router->cache_info.published_on) {
       /* Same key, but old */
@@ -1974,10 +2176,8 @@ router_add_to_routerlist(routerinfo_t *router, const char **msg,
         router->num_unreachable_notifications =
           old_router->num_unreachable_notifications;
       }
-      if (authdir && !from_cache && !from_fetch &&
-          router_have_minimum_dir_info() &&
-          dirserv_thinks_router_is_blatantly_unreachable(router,
-                                                         time(NULL))) {
+      if (authdir_may_warn_about_unreachable_server &&
+          dirserv_thinks_router_is_blatantly_unreachable(router, time(NULL))) {
         if (router->num_unreachable_notifications >= 3) {
           unreachable = 1;
           log_notice(LD_DIR, "Notifying server '%s' that it's unreachable. "
@@ -1992,7 +2192,7 @@ router_add_to_routerlist(routerinfo_t *router, const char **msg,
           router->num_unreachable_notifications++;
         }
       }
-      routerlist_replace(routerlist, old_router, router, pos, 1);
+      routerlist_replace(routerlist, old_router, router);
       if (!from_cache) {
         router_append_to_journal(&router->cache_info);
       }
@@ -2146,6 +2346,8 @@ routerlist_remove_old_routers(void)
   if (!routerlist || !networkstatus_list)
     return;
 
+  routerlist_assert_ok(routerlist);
+
   retain = digestmap_new();
   cutoff = now - OLD_ROUTER_DESC_MAX_AGE;
   /* Build a list of all the descriptors that _anybody_ recommends. */
@@ -2185,6 +2387,8 @@ routerlist_remove_old_routers(void)
     }
   }
 
+  routerlist_assert_ok(routerlist);
+
   /* Remove far-too-old members of routerlist->old_routers. */
   cutoff = now - OLD_ROUTER_DESC_MAX_AGE;
   for (i = 0; i < smartlist_len(routerlist->old_routers); ++i) {
@@ -2196,6 +2400,8 @@ routerlist_remove_old_routers(void)
     }
   }
 
+  routerlist_assert_ok(routerlist);
+
   /* Now we might have to look at routerlist->old_routers for extraneous
    * members. (We'd keep all the members if we could, but we need to save
    * space.) First, check whether we have too many router descriptors, total.
@@ -2294,7 +2500,8 @@ router_load_single_router(const char *s, uint8_t purpose, const char **msg)
  * fingerprint from the list.
  */
 void
-router_load_routers_from_string(const char *s, saved_location_t saved_location,
+router_load_routers_from_string(const char *s, size_t len,
+                                saved_location_t saved_location,
                                 smartlist_t *requested_fingerprints)
 {
   smartlist_t *routers = smartlist_create(), *changed = smartlist_create();
@@ -2302,7 +2509,7 @@ router_load_routers_from_string(const char *s, saved_location_t saved_location,
   const char *msg;
   int from_cache = (saved_location != SAVED_NOWHERE);
 
-  router_parse_list_from_string(&s, routers, saved_location);
+  router_parse_list_from_string(&s, s+len, routers, saved_location);
 
   routers_update_status_from_networkstatus(routers, !from_cache);
 
@@ -2328,13 +2535,13 @@ router_load_routers_from_string(const char *s, saved_location_t saved_location,
       }
     }
 
-    if (router_add_to_routerlist(ri, &msg, from_cache, !from_cache) >= 0)
+    if (router_add_to_routerlist(ri, &msg, from_cache, !from_cache) >= 0) {
       smartlist_add(changed, ri);
+      control_event_descriptors_changed(changed);
+      smartlist_clear(changed);
+    }
   });
 
-  if (smartlist_len(changed))
-    control_event_descriptors_changed(changed);
-
   routerlist_assert_ok(routerlist);
   router_rebuild_store(0);
 
@@ -2483,9 +2690,9 @@ router_set_networkstatus(const char *s, time_t arrived_at,
     if (smartlist_string_isin(requested_fingerprints, fp)) {
       smartlist_string_remove(requested_fingerprints, fp);
     } else {
-      char *requested =
-        smartlist_join_strings(requested_fingerprints," ",0,NULL);
       if (source != NS_FROM_DIR_ALL) {
+        char *requested =
+          smartlist_join_strings(requested_fingerprints," ",0,NULL);
         log_warn(LD_DIR,
                "We received a network status with a fingerprint (%s) that we "
                "never requested. (We asked for: %s.) Dropping.",
@@ -2510,9 +2717,6 @@ router_set_networkstatus(const char *s, time_t arrived_at,
     return 0;
   }
 
-  if (source != NS_FROM_CACHE && trusted_dir)
-    trusted_dir->n_networkstatus_failures = 0;
-
   found = 0;
   for (i=0; i < smartlist_len(networkstatus_list); ++i) {
     networkstatus_t *old_ns = smartlist_get(networkstatus_list, i);
@@ -2522,6 +2726,7 @@ router_set_networkstatus(const char *s, time_t arrived_at,
                   ns->networkstatus_digest, DIGEST_LEN)) {
         /* Same one we had before. */
         networkstatus_free(ns);
+        tor_assert(trusted_dir);
         log_info(LD_DIR,
                  "Not replacing network-status from %s (published %s); "
                  "we already have it.",
@@ -2536,16 +2741,19 @@ router_set_networkstatus(const char *s, time_t arrived_at,
           }
           old_ns->received_on = arrived_at;
         }
+        ++trusted_dir->n_networkstatus_failures;
         return 0;
       } else if (old_ns->published_on >= ns->published_on) {
         char old_published[ISO_TIME_LEN+1];
         format_iso_time(old_published, old_ns->published_on);
+        tor_assert(trusted_dir);
         log_info(LD_DIR,
                  "Not replacing network-status from %s (published %s);"
                  " we have a newer one (published %s) for this authority.",
                  trusted_dir->description, published,
                  old_published);
         networkstatus_free(ns);
+        ++trusted_dir->n_networkstatus_failures;
         return 0;
       } else {
         networkstatus_free(old_ns);
@@ -2556,6 +2764,9 @@ router_set_networkstatus(const char *s, time_t arrived_at,
     }
   }
 
+  if (source != NS_FROM_CACHE && trusted_dir)
+    trusted_dir->n_networkstatus_failures = 0;
+
   if (!found)
     smartlist_add(networkstatus_list, ns);
 
@@ -2651,6 +2862,31 @@ router_get_combined_status_by_digest(const char *digest)
                            _compare_digest_to_routerstatus_entry);
 }
 
+/** Return a newly allocated list of the local_routerstatus_t for all routers
+ * where we believe that the digest of their current descriptor is some digest
+ * listed in <b>digests</b>. */
+smartlist_t *
+router_get_combined_status_by_descriptor_digests(smartlist_t *digests)
+{
+  digestmap_t *map;
+  smartlist_t *result;
+
+  if (!routerstatus_list)
+    return NULL;
+
+  map = digestmap_new();
+  result = smartlist_create();
+  SMARTLIST_FOREACH(digests, const char *, d, digestmap_set(map, d, (void*)1));
+
+  SMARTLIST_FOREACH(routerstatus_list, local_routerstatus_t *, lrs, {
+      if (digestmap_get(map, lrs->status.descriptor_digest))
+        smartlist_add(result, lrs);
+    });
+
+  digestmap_free(map, NULL);
+  return result;
+}
+
 /** Given a nickname (possibly verbose, possibly a hexadecimal digest), return
  * the corresponding local_routerstatus_t, or NULL if none exists.  Warn the
  * user if <b>warn_if_unnamed</b> is set, and they have specified a router by
@@ -2667,11 +2903,11 @@ router_get_combined_status_by_nickname(const char *nickname,
     return NULL;
 
   if (nickname[0] == '$') {
-    if (base16_decode(digest, DIGEST_LEN, nickname+1, strlen(nickname))<0)
+    if (base16_decode(digest, DIGEST_LEN, nickname+1, strlen(nickname+1))<0)
       return NULL;
     return router_get_combined_status_by_digest(digest);
   } else if (strlen(nickname) == HEX_DIGEST_LEN &&
-       (base16_decode(digest, DIGEST_LEN, nickname+1, strlen(nickname))==0)) {
+       (base16_decode(digest, DIGEST_LEN, nickname, strlen(nickname))==0)) {
     return router_get_combined_status_by_digest(digest);
   }
 
@@ -2708,8 +2944,10 @@ router_get_combined_status_by_nickname(const char *nickname,
     base16_encode(fp, sizeof(fp),
                   best->status.identity_digest, DIGEST_LEN);
     log_warn(LD_CONFIG,
-         "To look up a status, you specified a server \"%s\" by name, but the "
-         "directory authorities do not have a binding for this nickname. "
+         "When looking up a status, you specified a server \"%s\" by name, "
+         "but the directory authorities do not have any key registered for "
+         "this nickname -- so it could be used by any server, "
+         "not just the one you meant. "
          "To make sure you get the same server in the future, refer to "
          "it by key, as \"$%s\".", nickname, fp);
     best->name_lookup_warned = 1;
@@ -2896,20 +3134,24 @@ update_networkstatus_client_downloads(time_t now)
   /* If no networkstatus was found, choose a dirserver at random as "most
    * recent". */
   if (most_recent_idx<0)
-    most_recent_idx = crypto_rand_int(n_dirservers);
+    most_recent_idx = crypto_rand_int(smartlist_len(trusted_dir_servers));
 
   if (fetch_latest) {
     int i;
     int n_failed = 0;
     for (i = most_recent_idx + 1; 1; ++i) {
       trusted_dir_server_t *ds;
-      if (i >= n_dirservers)
+      if (i >= smartlist_len(trusted_dir_servers))
         i = 0;
       ds = smartlist_get(trusted_dir_servers, i);
       if (! ds->is_v2_authority)
         continue;
-      if (n_failed < n_dirservers &&
-          ds->n_networkstatus_failures > NETWORKSTATUS_N_ALLOWABLE_FAILURES) {
+      if (n_failed >= n_dirservers) {
+        log_info(LD_DIR, "All authorities have failed. Not trying any.");
+        smartlist_free(missing);
+        return;
+      }
+      if (ds->n_networkstatus_failures > NETWORKSTATUS_N_ALLOWABLE_FAILURES) {
         ++n_failed;
         continue;
       }
@@ -3174,7 +3416,7 @@ compute_recommended_versions(time_t now, int client,
       } else {
         if (n_seen > n_versioning/2 && current)
           smartlist_add(recommended, current);
-        n_seen = 0;
+        n_seen = 1;
         current = cp;
       }
     });
@@ -3257,9 +3499,7 @@ routers_update_all_from_networkstatus(void)
         have_warned_about_invalid_status = 1;
       } else if (n_naming && !n_named) {
         log_info(LD_GENERAL, "0/%d name-binding directory authorities "
-                 "recognize your nickname. Please consider sending your "
-                 "nickname and identity fingerprint to the tor-ops.",
-                 n_naming);
+                 "recognize your nickname.", n_naming);
         have_warned_about_invalid_status = 1;
       }
     }
@@ -3375,6 +3615,16 @@ networkstatus_list_update_recent(time_t now)
   }
 }
 
+#ifdef DUMP_DIR_WEIGHTS
+static void
+dump_dir_weights(void)
+{
+  log_dir_weights = 1;
+  router_pick_directory_server_impl(0, 0, 0, 1);
+  log_dir_weights = 0;
+}
+#endif
+
 /** Helper for routerstatus_list_update_from_networkstatus: remember how many
  * authorities recommend a given descriptor digest. */
 typedef struct {
@@ -3626,7 +3876,7 @@ routerstatus_list_update_from_networkstatus(time_t now)
     memcpy(&rs_out->status, most_recent, sizeof(routerstatus_t));
     /* Copy status info about this router, if we had any before. */
     if ((rs_old = router_get_combined_status_by_digest(lowest))) {
-      if (!memcmp(rs_out->status.descriptor_digest,
+      if (!memcmp(rs_old->status.descriptor_digest,
                   most_recent->descriptor_digest, DIGEST_LEN)) {
         rs_out->n_download_failures = rs_old->n_download_failures;
         rs_out->next_attempt_at = rs_old->next_attempt_at;
@@ -3685,6 +3935,10 @@ routerstatus_list_update_from_networkstatus(time_t now)
 
   control_event_networkstatus_changed(changed_list);
   smartlist_free(changed_list);
+
+#ifdef DUMP_DIR_WEIGHTS
+  dump_dir_weights();
+#endif
 }
 
 /** Given a list <b>routers</b> of routerinfo_t *, update each routers's
@@ -3710,8 +3964,19 @@ routers_update_status_from_networkstatus(smartlist_t *routers,
     rs = router_get_combined_status_by_digest(digest);
     ds = router_get_trusteddirserver_by_digest(digest);
 
-    if (!rs)
+    if (!rs) {
+      if (!namingdir)
+        router->is_named = 0;
+      if (!authdir) {
+        if (router->purpose == ROUTER_PURPOSE_GENERAL) {
+          router->is_valid = router->is_running =
+            router->is_fast = router->is_stable =
+            router->is_possible_guard = router->is_exit =
+            router->is_bad_exit = 0;
+        }
+      }
       continue;
+    }
 
     if (!namingdir)
       router->is_named = rs->status.is_named;
@@ -4042,6 +4307,7 @@ update_router_descriptor_cache_downloads(time_t now)
   n_download = 0;
   SMARTLIST_FOREACH(networkstatus_list, networkstatus_t *, ns,
     {
+      trusted_dir_server_t *ds;
       smartlist_t *dl;
       dl = downloadable[ns_sl_idx] = smartlist_create();
       download_from[ns_sl_idx] = smartlist_create();
@@ -4055,6 +4321,13 @@ update_router_descriptor_cache_downloads(time_t now)
          * we take this clause out. -RD */
         continue;
       }
+
+      /* Don't try dirservers that we think are down -- we might have
+       * just tried them and just marked them as down. */
+      ds = router_get_trusteddirserver_by_digest(ns->identity_digest);
+      if (ds && !ds->is_running)
+        continue;
+
       SMARTLIST_FOREACH(ns->entries, routerstatus_t * , rs,
         {
           if (!rs->need_to_mirror)
@@ -4473,11 +4746,16 @@ routerlist_assert_ok(routerlist_t *rl)
   digestmap_iter_t *iter;
   routerinfo_t *r2;
   signed_descriptor_t *sd2;
-  if (!routerlist)
+  if (!rl)
     return;
   SMARTLIST_FOREACH(rl->routers, routerinfo_t *, r,
   {
     r2 = digestmap_get(rl->identity_map, r->cache_info.identity_digest);
+    if (r != r2) {
+      log_err(LD_BUG,
+              "fatal error: router at %p did not match router at %p. [%d]",
+              r, r2, r_sl_idx);
+    }
     tor_assert(r == r2);
     sd2 = digestmap_get(rl->desc_digest_map,
                         r->cache_info.signed_descriptor_digest);

src/or/routerparse.c

@@ -163,6 +163,8 @@ static void token_free(directory_token_t *tok);
 static smartlist_t *find_all_exitpolicy(smartlist_t *s);
 static directory_token_t *find_first_by_keyword(smartlist_t *s,
                                                 directory_keyword keyword);
+static directory_token_t *find_last_by_keyword(smartlist_t *s,
+                                                directory_keyword keyword);
 static int tokenize_string(const char *start, const char *end,
                            smartlist_t *out, where_syntax where);
 static directory_token_t *get_next_token(const char **s, where_syntax where);
@@ -238,7 +240,6 @@ router_append_dirobj_signature(char *buf, size_t buf_len, const char *digest,
   i = strlen(buf);
   if (base64_encode(buf+i, buf_len-i, signature, 128) < 0) {
     log_warn(LD_BUG,"couldn't base64-encode signature");
-    tor_free(buf);
     return -1;
   }
 
@@ -532,6 +533,7 @@ find_dir_signing_key(const char *str)
   }
   if (tok->tp != K_DIR_SIGNING_KEY) {
     log_warn(LD_DIR, "Dir-signing-key token did not parse as expected");
+    token_free(tok);
     return NULL;
   }
 
@@ -540,6 +542,7 @@ find_dir_signing_key(const char *str)
     tok->key = NULL; /* steal reference. */
   } else {
     log_warn(LD_DIR, "Dir-signing-key token contained no key");
+    token_free(tok);
     return NULL;
   }
 
@@ -641,32 +644,46 @@ check_directory_signature(const char *digest,
  * Returns 0 on success and -1 on failure.
  */
 int
-router_parse_list_from_string(const char **s, smartlist_t *dest,
+router_parse_list_from_string(const char **s, const char *eos,
+                              smartlist_t *dest,
                               saved_location_t saved_location)
 {
   routerinfo_t *router;
   const char *end, *cp, *start;
+  char *buf;
+  size_t buf_len;
 
   tor_assert(s);
   tor_assert(*s);
   tor_assert(dest);
 
   start = *s;
+  if (!eos)
+    eos = *s + strlen(*s);
+
   while (1) {
-    *s = eat_whitespace(*s);
+    *s = eat_whitespace_eos(*s, eos);
+    if (eos - *s < 32) /* not long enough to hold a descriptor. */
+      break;
+
     /* Don't start parsing the rest of *s unless it contains a router. */
     if (strcmpstart(*s, "router ")!=0)
       break;
-    if ((end = strstr(*s+1, "\nrouter "))) {
+    if ((end = tor_memstr(*s+1, eos-(*s+1), "\nrouter "))) {
       cp = end;
       end++;
-    } else if ((end = strstr(*s+1, "\ndirectory-signature"))) {
+    } else if ((end = tor_memstr(*s+1, eos-(*s+1), "\ndirectory-signature"))) {
       cp = end;
       end++;
     } else {
-      cp = end = *s+strlen(*s);
+      cp = end = eos;
     }
 
+    /* Start by backing up a character.  If we were at eos, we'll now point
+     * to a valid character. If we were at a \nrouter or \ndirectory-signature,
+     * we'll back up to before the \n. */
+    --cp;
+
     while (cp > *s && (!*cp || TOR_ISSPACE(*cp)))
       --cp;
     /* cp now points to the last non-space character in this descriptor. */
@@ -676,14 +693,23 @@ router_parse_list_from_string(const char **s, smartlist_t *dest,
     /* cp now points to the first \n before the last non-blank line in this
      * descriptor */
 
+    if (eos - cp < 25) /* not long enough to hold an "end signature" */
+      break;
+
     if (strcmpstart(cp, "\n-----END SIGNATURE-----\n")) {
       log_info(LD_DIR, "Ignoring truncated router descriptor.");
       *s = end;
       continue;
     }
 
-    router = router_parse_entry_from_string(*s, end,
+    /* router_parse_entry_from_string isn't necessarily safe if the string
+     * is non-NUL-terminated.  This fix is a workaround for the stable
+     * series only;  */
+    buf_len = end-*s;
+    buf = tor_strndup(*s, buf_len); /* nul-terminates the copy. */
+    router = router_parse_entry_from_string(buf, buf+buf_len,
                                             saved_location != SAVED_IN_CACHE);
+    tor_free(buf);
 
     if (!router) {
       log_warn(LD_DIR, "Error reading router; skipping");
@@ -754,7 +780,7 @@ router_parse_entry_from_string(const char *s, const char *end,
 
   if (router_get_router_hash(s, digest) < 0) {
     log_warn(LD_DIR, "Couldn't compute router hash.");
-    return NULL;
+    goto err;
   }
   tokens = smartlist_create();
   if (tokenize_string(s,end,tokens,RTR)) {
@@ -938,7 +964,12 @@ router_parse_entry_from_string(const char *s, const char *end,
     log_warn(LD_DIR, "Missing router signature");
     goto err;
   }
-  if (strcmp(tok->object_type, "SIGNATURE") || tok->object_size != 128) {
+  if (tok != find_last_by_keyword(tokens, K_ROUTER_SIGNATURE)) {
+    log_warn(LD_DIR, "Multiple signatures on one router. Ignoring.");
+    goto err;
+  }
+  if (!tok->object_type ||
+      strcmp(tok->object_type, "SIGNATURE") || tok->object_size != 128) {
     log_warn(LD_DIR, "Bad object type or length on router signature");
     goto err;
   }
@@ -1103,7 +1134,7 @@ routerstatus_parse_entry_from_string(const char **s, smartlist_t *tokens)
       rs->version_supports_begindir = 1;
     } else {
       rs->version_supports_begindir =
-        tor_version_as_new_as(tok->args[0], "0.1.2.2-alpha");
+        tor_version_as_new_as(tok->args[0], "0.2.0.1-alpha");
     }
   }
 
@@ -1252,6 +1283,7 @@ networkstatus_parse_from_string(const char *s)
     if (!(tok = find_first_by_keyword(tokens, K_CLIENT_VERSIONS)) ||
         tok->n_args<1) {
       log_warn(LD_DIR, "Missing client-versions");
+      goto err;
     }
     ns->client_versions = tok->args[0];
     tok->args[0] = NULL;
@@ -1637,7 +1669,7 @@ get_next_token(const char **s, where_syntax where)
   }
   *s = eat_whitespace(*s);
   if (strcmpstart(*s, "-----BEGIN ")) {
-    goto done_tokenizing;
+    goto check_obj;
   }
   obstart = *s;
   *s += 11; /* length of "-----BEGIN ". */
@@ -1673,6 +1705,7 @@ get_next_token(const char **s, where_syntax where)
     }
     *s += i+6;
   }
+ check_obj:
   switch (o_syn)
     {
     case NO_OBJ:
@@ -1716,6 +1749,7 @@ tokenize_string(const char *start, const char *end, smartlist_t *out,
     tok = get_next_token(s, where);
     if (tok->tp == _ERR) {
       log_warn(LD_DIR, "parse error: %s", tok->error);
+      token_free(tok);
       return -1;
     }
     smartlist_add(out, tok);
@@ -1735,6 +1769,17 @@ find_first_by_keyword(smartlist_t *s, directory_keyword keyword)
   return NULL;
 }
 
+/** Find the last token in <b>s</b> whose keyword is <b>keyword</b>; return
+ * NULL if no such keyword is found.
+ */
+static directory_token_t *
+find_last_by_keyword(smartlist_t *s, directory_keyword keyword)
+{
+  directory_token_t *last = NULL;
+  SMARTLIST_FOREACH(s, directory_token_t *, t, if (t->tp == keyword) last = t);
+  return last;
+}
+
 /** Return a newly allocated smartlist of all accept or reject tokens in
  * <b>s</b>.
  */

src/or/test.c

@@ -1753,7 +1753,7 @@ test_policies(void)
           compare_addr_to_addr_policy(0xc0a80102, 2, policy));
 
   policy2 = NULL;
-  test_assert(0 == policies_parse_exit_policy(NULL, &policy2, 1));
+  test_assert(0 == policies_parse_exit_policy(NULL, &policy2, 1, NULL));
   test_assert(policy2);
 
   test_assert(!exit_policy_is_general_exit(policy));
@@ -1773,7 +1773,7 @@ test_policies(void)
   line.key = (char*)"foo";
   line.value = (char*)"accept *:80,reject private:*,reject *:*";
   line.next = NULL;
-  test_assert(0 == policies_parse_exit_policy(&line, &policy, 0));
+  test_assert(0 == policies_parse_exit_policy(&line, &policy, 0, NULL));
   test_assert(policy);
   test_streq(policy->string, "accept *:80");
   test_streq(policy->next->string, "reject *:*");
@@ -1815,7 +1815,7 @@ test_rend_fns(void)
   test_assert(!crypto_pk_cmp_keys(d1->pk, d2->pk));
   test_eq(d2->timestamp, now);
   test_eq(d2->version, 0);
-  test_eq(d2->protocols, 1);
+  test_eq(d2->protocols, 4);
   test_eq(d2->n_intro_points, 3);
   test_streq(d2->intro_points[0], "tom");
   test_streq(d2->intro_points[1], "crow");

src/win32/orconfig.h

@@ -227,6 +227,6 @@
 #define USING_TWOS_COMPLEMENT
 
 /* Version number of package */
-#define VERSION "0.1.2.9-rc-dev"
+#define VERSION "0.1.2.19-dev"
 
 

tor.spec.in

@@ -117,19 +117,19 @@ Version: %{version}
 Release: %{release}
 
 Summary: Anonymizing overlay network for TCP (The onion router)
-URL: http://tor.eff.org/
+URL: https://www.torproject.org/
 Group: System Environment/Daemons
 
 License: BSD-like
 Vendor: R. Dingledine <arma@seul.org>
-Packager: Andrew Lewman <phobos@interloper.org>
+Packager: Andrew Lewman <phobos@rootme.org>
 
 %if %{is_suse}
 Requires: openssl >= 0.9.6
 BuildRequires: openssl-devel >= 0.9.6, rpm >= 4.0, zlib-devel
 %else 
-Requires: openssl >= 0.9.6, libevent >= 1.2
-BuildRequires: openssl-devel >= 0.9.6, libevent-devel >= 1.2
+Requires: openssl >= 0.9.6
+BuildRequires: openssl-devel >= 0.9.6, libevent-devel >= 1.1a
 %endif
 %if %{is_fc}
 BuildRequires: rpm-build >= 4.0
@@ -137,7 +137,7 @@ BuildRequires: rpm-build >= 4.0
 Requires(pre): /usr/bin/id, /bin/date, /bin/sh
 Requires(pre): %{_sbindir}/useradd, %{_sbindir}/groupadd
 
-Source0: http://tor.eff.org/dist/%{name}-%{native_version}.tar.gz
+Source0: https://www.torproject.org/dist/%{name}-%{native_version}.tar.gz
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 
@@ -191,7 +191,7 @@ for high-stakes anonymity.
 %__install -p -m 755 contrib/torctl ${RPM_BUILD_ROOT}%{_bindir}
 
 # Set up config file; "sample" file implements a basic user node.
-%__install -p -m 644 ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/torrc.sample ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/torrc
+%__install -p -m 644 src/config/torrc.sample ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/torrc.sample
 
 # Install the logrotate control file.
 %__mkdir_p -m 755 ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d
@@ -297,6 +297,10 @@ exit 0
 
 %changelog
 
+* Wed Oct 17 2007 Andrew Lewman <phobos@rootme.org>
+- Remove tor_gencert as this feature isn't backported yet.
+- Confirm all we really need is libevent 1.1a at a minimum 
+
 * Tue Feb 27 2007 Andrew Lewman <phobos@rootme.org>
 - Fix a potential race condition in how we determine the running state of tor.  Found by Stefan Nordhausen.
 - see OR-CVS for details