New upstream version

rpms

.gitignore

@@ -0,0 +1,136 @@
+# Editor droppings
+\#*\#
+.#*
+*~
+# C stuff
+*.o
+# Diff droppings
+*.orig
+*.rej
+# gcov stuff
+*.gcno
+*.gcov
+*.gcda
+# latex stuff
+*.aux
+*.dvi
+*.blg
+*.bbl
+*.log
+# Autotools stuff
+.deps
+# Stuff made by our makefiles
+*.bak
+
+# /
+/Makefile
+/Makefile.in
+/aclocal.m4
+/autom4te.cache
+/build-stamp
+/configure
+/Doxyfile
+/orconfig.h
+/orconfig.h.in
+/config.cache
+/config.log
+/config.status
+/config.guess
+/config.sub
+/conftest*
+/patch-stamp
+/stamp-h
+/stamp-h.in
+/stamp-h1
+/tor.sh
+/tor.spec
+/depcomp
+/install-sh
+/missing
+/mkinstalldirs
+/Tor*Bundle.dmg
+/tor-*-win32.exe
+
+# /contrib/
+/contrib/Makefile
+/contrib/Makefile.in
+/contrib/tor.sh
+/contrib/torctl
+/contrib/torify
+/contrib/*.pyc
+/contrib/*.pyo
+/contrib/tor.logrotate
+/contrib/tor.wxs
+
+# /contrib/osx/
+/contrib/osx/Makefile
+/contrib/osx/Makefile.in
+/contrib/osx/TorBundleDesc.plist
+/contrib/osx/TorBundleInfo.plist
+/contrib/osx/TorDesc.plist
+/contrib/osx/TorInfo.plist
+/contrib/osx/TorStartupDesc.plist
+/contrib/osx/net.freehaven.tor.plist
+
+# /contrib/suse/
+/contrib/suse/tor.sh
+/contrib/suse/Makefile.in
+/contrib/suse/Makefile
+
+# /debian/
+/debian/files
+/debian/patched
+/debian/tor
+/debian/tor.postinst.debhelper
+/debian/tor.postrm.debhelper
+/debian/tor.prerm.debhelper
+/debian/tor.substvars
+
+# /doc/
+/doc/Makefile
+/doc/Makefile.in
+/doc/tor.1
+/doc/doxygen
+
+# /doc/design-paper/
+/doc/design-paper/Makefile
+/doc/design-paper/Makefile.in
+
+# /doc/spec/
+/doc/spec/Makefile
+/doc/spec/Makefile.in
+
+# /src/
+/src/Makefile
+/src/Makefile.in
+
+# /src/common/
+/src/common/Makefile
+/src/common/Makefile.in
+/src/common/libor.a
+/src/common/libor-crypto.a
+
+# /src/config/
+/src/config/Makefile
+/src/config/Makefile.in
+/src/config/sample-server-torrc
+/src/config/torrc
+/src/config/torrc.sample
+
+# /src/or/
+/src/or/Makefile
+/src/or/Makefile.in
+/src/or/micro-revision.*
+/src/or/tor
+/src/or/test
+
+# /src/tools/
+/src/tools/tor-checkkey
+/src/tools/tor-resolve
+/src/tools/tor-gencert
+/src/tools/Makefile
+/src/tools/Makefile.in
+
+# /src/win32/
+/src/win32/Makefile
+/src/win32/Makefile.in

ChangeLog

@@ -1,4 +1,612 @@
-Changes in version 0.2.0.21-rc - 2008-0?-??
+Changes in version 0.2.0.35 - 2009-06-24
+  o Security fix:
+    - Avoid crashing in the presence of certain malformed descriptors.
+      Found by lark, and by automated fuzzing.
+    - Fix an edge case where a malicious exit relay could convince a
+      controller that the client's DNS question resolves to an internal IP
+      address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
+
+  o Major bugfixes:
+    - Finally fix the bug where dynamic-IP relays disappear when their
+      IP address changes: directory mirrors were mistakenly telling
+      them their old address if they asked via begin_dir, so they
+      never got an accurate answer about their new address, so they
+      just vanished after a day. For belt-and-suspenders, relays that
+      don't set Address in their config now avoid using begin_dir for
+      all direct connections. Should fix bugs 827, 883, and 900.
+    - Fix a timing-dependent, allocator-dependent, DNS-related crash bug
+      that would occur on some exit nodes when DNS failures and timeouts
+      occurred in certain patterns. Fix for bug 957.
+
+  o Minor bugfixes:
+    - When starting with a cache over a few days old, do not leak
+      memory for the obsolete router descriptors in it. Bugfix on
+      0.2.0.33; fixes bug 672.
+    - Hidden service clients didn't use a cached service descriptor that
+      was older than 15 minutes, but wouldn't fetch a new one either,
+      because there was already one in the cache. Now, fetch a v2
+      descriptor unless the same descriptor was added to the cache within
+      the last 15 minutes. Fixes bug 997; reported by Marcus Griep.
+
+
+Changes in version 0.2.0.34 - 2009-02-08
+  Tor 0.2.0.34 features several more security-related fixes. You should
+  upgrade, especially if you run an exit relay (remote crash) or a
+  directory authority (remote infinite loop), or you're on an older
+  (pre-XP) or not-recently-patched Windows (remote exploit).
+
+  This release marks end-of-life for Tor 0.1.2.x. Those Tor versions
+  have many known flaws, and nobody should be using them. You should
+  upgrade. If you're using a Linux or BSD and its packages are obsolete,
+  stop using those packages and upgrade anyway.
+
+  o Security fixes:
+    - Fix an infinite-loop bug on handling corrupt votes under certain
+      circumstances. Bugfix on 0.2.0.8-alpha.
+    - Fix a temporary DoS vulnerability that could be performed by
+      a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
+    - Avoid a potential crash on exit nodes when processing malformed
+      input. Remote DoS opportunity. Bugfix on 0.2.0.33.
+    - Do not accept incomplete ipv4 addresses (like 192.168.0) as valid.
+      Spec conformance issue. Bugfix on Tor 0.0.2pre27.
+
+  o Minor bugfixes:
+    - Fix compilation on systems where time_t is a 64-bit integer.
+      Patch from Matthias Drochner.
+    - Don't consider expiring already-closed client connections. Fixes
+      bug 893. Bugfix on 0.0.2pre20.
+
+
+Changes in version 0.2.0.33 - 2009-01-21
+  Tor 0.2.0.33 fixes a variety of bugs that were making relays less
+  useful to users. It also finally fixes a bug where a relay or client
+  that's been off for many days would take a long time to bootstrap.
+
+  This update also fixes an important security-related bug reported by
+  Ilja van Sprundel. You should upgrade. (We'll send out more details
+  about the bug once people have had some time to upgrade.)
+
+  o Security fixes:
+    - Fix a heap-corruption bug that may be remotely triggerable on
+      some platforms. Reported by Ilja van Sprundel.
+
+  o Major bugfixes:
+    - When a stream at an exit relay is in state "resolving" or
+      "connecting" and it receives an "end" relay cell, the exit relay
+      would silently ignore the end cell and not close the stream. If
+      the client never closes the circuit, then the exit relay never
+      closes the TCP connection. Bug introduced in Tor 0.1.2.1-alpha;
+      reported by "wood".
+    - When sending CREATED cells back for a given circuit, use a 64-bit
+      connection ID to find the right connection, rather than an addr:port
+      combination. Now that we can have multiple OR connections between
+      the same ORs, it is no longer possible to use addr:port to uniquely
+      identify a connection.
+    - Bridge relays that had DirPort set to 0 would stop fetching
+      descriptors shortly after startup, and then briefly resume
+      after a new bandwidth test and/or after publishing a new bridge
+      descriptor. Bridge users that try to bootstrap from them would
+      get a recent networkstatus but would get descriptors from up to
+      18 hours earlier, meaning most of the descriptors were obsolete
+      already. Reported by Tas; bugfix on 0.2.0.13-alpha.
+    - Prevent bridge relays from serving their 'extrainfo' document
+      to anybody who asks, now that extrainfo docs include potentially
+      sensitive aggregated client geoip summaries. Bugfix on
+      0.2.0.13-alpha.
+    - If the cached networkstatus consensus is more than five days old,
+      discard it rather than trying to use it. In theory it could be
+      useful because it lists alternate directory mirrors, but in practice
+      it just means we spend many minutes trying directory mirrors that
+      are long gone from the network. Also discard router descriptors as
+      we load them if they are more than five days old, since the onion
+      key is probably wrong by now. Bugfix on 0.2.0.x. Fixes bug 887.
+
+  o Minor bugfixes:
+    - Do not mark smartlist_bsearch_idx() function as ATTR_PURE. This bug
+      could make gcc generate non-functional binary search code. Bugfix
+      on 0.2.0.10-alpha.
+    - Build correctly on platforms without socklen_t.
+    - Compile without warnings on solaris.
+    - Avoid potential crash on internal error during signature collection.
+      Fixes bug 864. Patch from rovv.
+    - Correct handling of possible malformed authority signing key
+      certificates with internal signature types. Fixes bug 880.
+      Bugfix on 0.2.0.3-alpha.
+    - Fix a hard-to-trigger resource leak when logging credential status.
+      CID 349.
+    - When we can't initialize DNS because the network is down, do not
+      automatically stop Tor from starting. Instead, we retry failed
+      dns_init() every 10 minutes, and change the exit policy to reject
+      *:* until one succeeds. Fixes bug 691.
+    - Use 64 bits instead of 32 bits for connection identifiers used with
+      the controller protocol, to greatly reduce risk of identifier reuse.
+    - When we're choosing an exit node for a circuit, and we have
+      no pending streams, choose a good general exit rather than one that
+      supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv.
+    - Fix another case of assuming, when a specific exit is requested,
+      that we know more than the user about what hosts it allows.
+      Fixes one case of bug 752. Patch from rovv.
+    - Clip the MaxCircuitDirtiness config option to a minimum of 10
+      seconds. Warn the user if lower values are given in the
+      configuration. Bugfix on 0.1.0.1-rc. Patch by Sebastian.
+    - Clip the CircuitBuildTimeout to a minimum of 30 seconds. Warn the
+      user if lower values are given in the configuration. Bugfix on
+      0.1.1.17-rc. Patch by Sebastian.
+    - Fix a memory leak when we decline to add a v2 rendezvous descriptor to
+      the cache because we already had a v0 descriptor with the same ID.
+      Bugfix on 0.2.0.18-alpha.
+    - Fix a race condition when freeing keys shared between main thread
+      and CPU workers that could result in a memory leak. Bugfix on
+      0.1.0.1-rc. Fixes bug 889.
+    - Send a valid END cell back when a client tries to connect to a
+      nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
+      840. Patch from rovv.
+    - Check which hops rendezvous stream cells are associated with to
+      prevent possible guess-the-streamid injection attacks from
+      intermediate hops. Fixes another case of bug 446. Based on patch
+      from rovv.
+    - If a broken client asks a non-exit router to connect somewhere,
+      do not even do the DNS lookup before rejecting the connection.
+      Fixes another case of bug 619. Patch from rovv.
+    - When a relay gets a create cell it can't decrypt (e.g. because it's
+      using the wrong onion key), we were dropping it and letting the
+      client time out. Now actually answer with a destroy cell. Fixes
+      bug 904. Bugfix on 0.0.2pre8.
+
+  o Minor bugfixes (hidden services):
+    - Do not throw away existing introduction points on SIGHUP. Bugfix on
+      0.0.6pre1. Patch by Karsten. Fixes bug 874.
+
+  o Minor features:
+    - Report the case where all signatures in a detached set are rejected
+      differently than the case where there is an error handling the
+      detached set.
+    - When we realize that another process has modified our cached
+      descriptors, print out a more useful error message rather than
+      triggering an assertion. Fixes bug 885. Patch from Karsten.
+    - Implement the 0x20 hack to better resist DNS poisoning: set the
+      case on outgoing DNS requests randomly, and reject responses that do
+      not match the case correctly. This logic can be disabled with the
+      ServerDNSRamdomizeCase setting, if you are using one of the 0.3%
+      of servers that do not reliably preserve case in replies. See
+      "Increased DNS Forgery Resistance through 0x20-Bit Encoding"
+      for more info.
+    - Check DNS replies for more matching fields to better resist DNS
+      poisoning.
+    - Never use OpenSSL compression: it wastes RAM and CPU trying to
+      compress cells, which are basically all encrypted, compressed, or
+      both.
+
+
+Changes in version 0.2.0.32 - 2008-11-20
+  Tor 0.2.0.32 fixes a major security problem in Debian and Ubuntu
+  packages (and maybe other packages) noticed by Theo de Raadt, fixes
+  a smaller security flaw that might allow an attacker to access local
+  services, further improves hidden service performance, and fixes a
+  variety of other issues.
+
+  o Security fixes:
+    - The "User" and "Group" config options did not clear the
+      supplementary group entries for the Tor process. The "User" option
+      is now more robust, and we now set the groups to the specified
+      user's primary group. The "Group" option is now ignored. For more
+      detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
+      in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
+      and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848 and 857.
+    - The "ClientDNSRejectInternalAddresses" config option wasn't being
+      consistently obeyed: if an exit relay refuses a stream because its
+      exit policy doesn't allow it, we would remember what IP address
+      the relay said the destination address resolves to, even if it's
+      an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
+
+  o Major bugfixes:
+    - Fix a DOS opportunity during the voting signature collection process
+      at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x.
+
+  o Major bugfixes (hidden services):
+    - When fetching v0 and v2 rendezvous service descriptors in parallel,
+      we were failing the whole hidden service request when the v0
+      descriptor fetch fails, even if the v2 fetch is still pending and
+      might succeed. Similarly, if the last v2 fetch fails, we were
+      failing the whole hidden service request even if a v0 fetch is
+      still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
+    - When extending a circuit to a hidden service directory to upload a
+      rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
+      requests failed, because the router descriptor has not been
+      downloaded yet. In these cases, do not attempt to upload the
+      rendezvous descriptor, but wait until the router descriptor is
+      downloaded and retry. Likewise, do not attempt to fetch a rendezvous
+      descriptor from a hidden service directory for which the router
+      descriptor has not yet been downloaded. Fixes bug 767. Bugfix
+      on 0.2.0.10-alpha.
+
+  o Minor bugfixes:
+    - Fix several infrequent memory leaks spotted by Coverity.
+    - When testing for libevent functions, set the LDFLAGS variable
+      correctly. Found by Riastradh.
+    - Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
+      bootstrapping with tunneled directory connections. Bugfix on
+      0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
+    - When asked to connect to A.B.exit:80, if we don't know the IP for A
+      and we know that server B rejects most-but-not all connections to
+      port 80, we would previously reject the connection. Now, we assume
+      the user knows what they were asking for. Fixes bug 752. Bugfix
+      on 0.0.9rc5. Diagnosed by BarkerJr.
+    - If we overrun our per-second write limits a little, count this as
+      having used up our write allocation for the second, and choke
+      outgoing directory writes. Previously, we had only counted this when
+      we had met our limits precisely. Fixes bug 824. Patch from by rovv.
+      Bugfix on 0.2.0.x (??).
+    - Remove the old v2 directory authority 'lefkada' from the default
+      list. It has been gone for many months.
+    - Stop doing unaligned memory access that generated bus errors on
+      sparc64. Bugfix on 0.2.0.10-alpha. Fixes bug 862.
+    - Make USR2 log-level switch take effect immediately. Bugfix on
+      0.1.2.8-beta.
+
+  o Minor bugfixes (controller):
+    - Make DNS resolved events into "CLOSED", not "FAILED". Bugfix on
+      0.1.2.5-alpha. Fix by Robert Hogan. Resolves bug 807.
+
+
+Changes in version 0.2.0.31 - 2008-09-03
+  Tor 0.2.0.31 addresses two potential anonymity issues, starts to fix
+  a big bug we're seeing where in rare cases traffic from one Tor stream
+  gets mixed into another stream, and fixes a variety of smaller issues.
+
+  o Major bugfixes:
+    - Make sure that two circuits can never exist on the same connection
+      with the same circuit ID, even if one is marked for close. This
+      is conceivably a bugfix for bug 779. Bugfix on 0.1.0.4-rc.
+    - Relays now reject risky extend cells: if the extend cell includes
+      a digest of all zeroes, or asks to extend back to the relay that
+      sent the extend cell, tear down the circuit. Ideas suggested
+      by rovv.
+    - If not enough of our entry guards are available so we add a new
+      one, we might use the new one even if it overlapped with the
+      current circuit's exit relay (or its family). Anonymity bugfix
+      pointed out by rovv.
+
+  o Minor bugfixes:
+    - Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
+      794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
+    - Correctly detect the presence of the linux/netfilter_ipv4.h header
+      when building against recent kernels. Bugfix on 0.1.2.1-alpha.
+    - Pick size of default geoip filename string correctly on windows.
+      Fixes bug 806. Bugfix on 0.2.0.30.
+    - Make the autoconf script accept the obsolete --with-ssl-dir
+      option as an alias for the actually-working --with-openssl-dir
+      option. Fix the help documentation to recommend --with-openssl-dir.
+      Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.
+    - Disallow session resumption attempts during the renegotiation
+      stage of the v2 handshake protocol. Clients should never be trying
+      session resumption at this point, but apparently some did, in
+      ways that caused the handshake to fail. Bug found by Geoff Goodell.
+      Bugfix on 0.2.0.20-rc.
+    - When using the TransPort option on OpenBSD, and using the User
+      option to change UID and drop privileges, make sure to open
+      /dev/pf before dropping privileges. Fixes bug 782. Patch from
+      Christopher Davis. Bugfix on 0.1.2.1-alpha.
+    - Try to attach connections immediately upon receiving a RENDEZVOUS2
+      or RENDEZVOUS_ESTABLISHED cell. This can save a second or two
+      on the client side when connecting to a hidden service. Bugfix
+      on 0.0.6pre1. Found and fixed by Christian Wilms; resolves bug 743.
+    - When closing an application-side connection because its circuit is
+      getting torn down, generate the stream event correctly. Bugfix on
+      0.1.2.x. Anonymous patch.
+
+
+Changes in version 0.2.0.30 - 2008-07-15
+  o Minor bugfixes:
+    - Stop using __attribute__((nonnull)) with GCC: it can give us useful
+      warnings (occasionally), but it can also cause the compiler to
+      eliminate error-checking code. Suggested by Peter Gutmann.
+
+
+Changes in version 0.2.0.29-rc - 2008-07-08
+  Tor 0.2.0.29-rc fixes two big bugs with using bridges, fixes more
+  hidden-service performance bugs, and fixes a bunch of smaller bugs.
+
+  o Major bugfixes:
+    - If you have more than one bridge but don't know their keys,
+      you would only launch a request for the descriptor of the first one
+      on your list. (Tor considered launching requests for the others, but
+      found that it already had a connection on the way for $0000...0000
+      so it didn't open another.) Bugfix on 0.2.0.x.
+    - If you have more than one bridge but don't know their keys, and the
+      connection to one of the bridges failed, you would cancel all
+      pending bridge connections. (After all, they all have the same
+      digest.) Bugfix on 0.2.0.x.
+    - When a hidden service was trying to establish an introduction point,
+      and Tor had built circuits preemptively for such purposes, we
+      were ignoring all the preemptive circuits and launching a new one
+      instead. Bugfix on 0.2.0.14-alpha.
+    - When a hidden service was trying to establish an introduction point,
+      and Tor *did* manage to reuse one of the preemptively built
+      circuits, it didn't correctly remember which one it used,
+      so it asked for another one soon after, until there were no
+      more preemptive circuits, at which point it launched one from
+      scratch. Bugfix on 0.0.9.x.
+    - Make directory servers include the X-Your-Address-Is: http header in
+      their responses even for begin_dir conns. Now clients who only
+      ever use begin_dir connections still have a way to learn their IP
+      address. Fixes bug 737; bugfix on 0.2.0.22-rc. Reported by goldy.
+
+  o Minor bugfixes:
+    - Fix a macro/CPP interactions that was confusing some compilers:
+      some GCCs don't like #if/#endif pairs inside macro arguments.
+      Fix for bug 707.
+    - Fix macro collision between OpenSSL 0.9.8h and Windows headers.
+      Fixes bug 704; fix from Steven Murdoch.
+    - When opening /dev/null in finish_daemonize(), do not pass the
+      O_CREAT flag. Fortify was complaining, and correctly so. Fixes
+      bug 742; fix from Michael Scherer. Bugfix on 0.0.2pre19.
+    - Correctly detect transparent proxy support on Linux hosts that
+      require in.h to be included before netfilter_ipv4.h. Patch
+      from coderman.
+
+
+Changes in version 0.2.0.28-rc - 2008-06-13
+  o Anonymity fixes:
+    - Fix a bug where, when we were choosing the 'end stream reason' to
+      put in our relay end cell that we send to the exit relay, Tor
+      clients on Windows were sometimes sending the wrong 'reason'. The
+      anonymity problem is that exit relays may be able to guess whether
+      the client is running Windows, thus helping partition the anonymity
+      set. Down the road we should stop sending reasons to exit relays,
+      or otherwise prevent future versions of this bug.
+
+  o Major bugfixes:
+    - While setting up a hidden service, some valid introduction circuits
+      were overlooked and abandoned. This might be the reason for
+      the long delay in making a hidden service available. Bugfix on
+      0.2.0.14-alpha.
+
+  o Minor features:
+    - Update to the "June 9 2008" ip-to-country file.
+    - Run 'make test' as part of 'make dist', so we stop releasing so
+      many development snapshots that fail their unit tests.
+
+  o Minor bugfixes:
+    - When we're checking if we have enough dir info for each relay
+      to begin establishing circuits, make sure that we actually have
+      the descriptor listed in the consensus, not just any descriptor.
+    - Bridge relays no longer print "xx=0" in their extrainfo document
+      for every single country code in the geoip db.
+    - Only warn when we fail to load the geoip file if we were planning to
+      include geoip stats in our extrainfo document.
+    - If we change our MaxAdvertisedBandwidth and then reload torrc,
+      Tor won't realize it should publish a new relay descriptor. Fixes
+      bug 688, reported by mfr.
+    - When we haven't had any application requests lately, don't bother
+      logging that we have expired a bunch of descriptors.
+    - Make relay cells written on a connection count as non-padding when
+      tracking how long a connection has been in use. Bugfix on
+      0.2.0.1-alpha. Spotted by lodger.
+    - Fix unit tests in 0.2.0.27-rc.
+    - Fix compile on Windows.
+
+
+Changes in version 0.2.0.27-rc - 2008-06-03
+  o Major features:
+    - Include an IP-to-country GeoIP file in the tarball, so bridge
+      relays can report sanitized summaries of the usage they're seeing.
+
+  o Minor features:
+    - Add a "PURPOSE=" argument to "STREAM NEW" events, as suggested by
+      Robert Hogan. Fixes the first part of bug 681.
+    - Make bridge authorities never serve extrainfo docs.
+    - Add support to detect Libevent versions in the 1.4.x series
+      on mingw.
+    - Fix build on gcc 4.3 with --enable-gcc-warnings set.
+    - Include a new contrib/tor-exit-notice.html file that exit relay
+      operators can put on their website to help reduce abuse queries.
+
+  o Minor bugfixes:
+    - When tunneling an encrypted directory connection, and its first
+      circuit fails, do not leave it unattached and ask the controller
+      to deal. Fixes the second part of bug 681.
+    - Make bridge authorities correctly expire old extrainfo documents
+      from time to time.
+
+
+Changes in version 0.2.0.26-rc - 2008-05-13
+  Tor 0.2.0.26-rc fixes a major security vulnerability caused by a bug
+  in Debian's OpenSSL packages. All users running any 0.2.0.x version
+  should upgrade, whether they're running Debian or not.
+
+  o Major security fixes:
+    - Use new V3 directory authority keys on the tor26, gabelmoo, and
+      moria1 V3 directory authorities. The old keys were generated with
+      a vulnerable version of Debian's OpenSSL package, and must be
+      considered compromised. Other authorities' keys were not generated
+      with an affected version of OpenSSL.
+
+  o Major bugfixes:
+    - List authority signatures as "unrecognized" based on DirServer
+      lines, not on cert cache. Bugfix on 0.2.0.x.
+
+  o Minor features:
+    - Add a new V3AuthUseLegacyKey option to make it easier for
+      authorities to change their identity keys if they have to.
+
+
+Changes in version 0.2.0.25-rc - 2008-04-23
+  Tor 0.2.0.25-rc makes Tor work again on OS X and certain BSDs.
+
+  o Major bugfixes:
+    - Remember to initialize threading before initializing logging.
+      Otherwise, many BSD-family implementations will crash hard on
+      startup. Fixes bug 671. Bugfix on 0.2.0.24-rc.
+
+  o Minor bugfixes:
+    - Authorities correctly free policies on bad servers on
+      exit. Fixes bug 672. Bugfix on 0.2.0.x.
+
+
+Changes in version 0.2.0.24-rc - 2008-04-22
+  Tor 0.2.0.24-rc adds dizum (run by Alex de Joode) as the new sixth
+  v3 directory authority, makes relays with dynamic IP addresses and no
+  DirPort notice more quickly when their IP address changes, fixes a few
+  rare crashes and memory leaks, and fixes a few other miscellaneous bugs.
+
+  o New directory authorities:
+    - Take lefkada out of the list of v3 directory authorities, since
+      it has been down for months.
+    - Set up dizum (run by Alex de Joode) as the new sixth v3 directory
+      authority.
+
+  o Major bugfixes:
+    - Detect address changes more quickly on non-directory mirror
+      relays. Bugfix on 0.2.0.18-alpha; fixes bug 652.
+
+  o Minor features (security):
+    - Reject requests for reverse-dns lookup of names that are in
+      a private address space. Patch from lodger.
+    - Non-exit relays no longer allow DNS requests. Fixes bug 619. Patch
+      from lodger.
+
+  o Minor bugfixes (crashes):
+    - Avoid a rare assert that can trigger when Tor doesn't have much
+      directory information yet and it tries to fetch a v2 hidden
+      service descriptor. Fixes bug 651, reported by nwf.
+    - Initialize log mutex before initializing dmalloc. Otherwise,
+      running with dmalloc would crash. Bugfix on 0.2.0.x-alpha.
+    - Use recursive pthread mutexes in order to avoid deadlock when
+      logging debug-level messages to a controller. Bug spotted by nwf,
+      bugfix on 0.2.0.16-alpha.
+
+  o Minor bugfixes (resource management):
+    - Keep address policies from leaking memory: start their refcount
+      at 1, not 2. Bugfix on 0.2.0.16-alpha.
+    - Free authority certificates on exit, so they don't look like memory
+      leaks. Bugfix on 0.2.0.19-alpha.
+    - Free static hashtables for policy maps and for TLS connections on
+      shutdown, so they don't look like memory leaks. Bugfix on 0.2.0.x.
+    - Avoid allocating extra space when computing consensuses on 64-bit
+      platforms. Bug spotted by aakova.
+
+  o Minor bugfixes (misc):
+    - Do not read the configuration file when we've only been told to
+      generate a password hash. Fixes bug 643. Bugfix on 0.0.9pre5. Fix
+      based on patch from Sebastian Hahn.
+    - Exit relays that are used as a client can now reach themselves
+      using the .exit notation, rather than just launching an infinite
+      pile of circuits. Fixes bug 641. Reported by Sebastian Hahn.
+    - When attempting to open a logfile fails, tell us why.
+    - Fix a dumb bug that was preventing us from knowing that we should
+      preemptively build circuits to handle expected directory requests.
+      Fixes bug 660. Bugfix on 0.1.2.x.
+    - Warn less verbosely about clock skew from netinfo cells from
+      untrusted sources. Fixes bug 663.
+    - Make controller stream events for DNS requests more consistent,
+      by adding "new stream" events for DNS requests, and removing
+      spurious "stream closed" events" for cached reverse resolves.
+      Patch from mwenge. Fixes bug 646.
+    - Correctly notify one-hop connections when a circuit build has
+      failed. Possible fix for bug 669. Found by lodger.
+
+
+Changes in version 0.2.0.23-rc - 2008-03-24
+  Tor 0.2.0.23-rc is the fourth release candidate for the 0.2.0 series. It
+  makes bootstrapping faster if the first directory mirror you contact
+  is down. The bundles also include the new Vidalia 0.1.2 release.
+
+  o Major bugfixes:
+    - When a tunneled directory request is made to a directory server
+      that's down, notice after 30 seconds rather than 120 seconds. Also,
+      fail any begindir streams that are pending on it, so they can
+      retry elsewhere. This was causing multi-minute delays on bootstrap.
+
+
+Changes in version 0.2.0.22-rc - 2008-03-18
+  Tor 0.2.0.22-rc is the third release candidate for the 0.2.0 series. It
+  enables encrypted directory connections by default for non-relays, fixes
+  some broken TLS behavior we added in 0.2.0.20-rc, and resolves many
+  other bugs. The bundles also include Vidalia 0.1.1 and Torbutton 1.1.17.
+
+  o Major features:
+    - Enable encrypted directory connections by default for non-relays,
+      so censor tools that block Tor directory connections based on their
+      plaintext patterns will no longer work. This means Tor works in
+      certain censored countries by default again.
+
+  o Major bugfixes:
+    - Make sure servers always request certificates from clients during
+      TLS renegotiation. Reported by lodger; bugfix on 0.2.0.20-rc.
+    - Do not enter a CPU-eating loop when a connection is closed in
+      the middle of client-side TLS renegotiation. Fixes bug 622. Bug
+      diagnosed by lodger; bugfix on 0.2.0.20-rc.
+    - Fix assertion failure that could occur when a blocked circuit
+      became unblocked, and it had pending client DNS requests. Bugfix
+      on 0.2.0.1-alpha. Fixes bug 632.
+
+  o Minor bugfixes (on 0.1.2.x):
+    - Generate "STATUS_SERVER" events rather than misspelled
+      "STATUS_SEVER" events. Caught by mwenge.
+    - When counting the number of bytes written on a TLS connection,
+      look at the BIO actually used for writing to the network, not
+      at the BIO used (sometimes) to buffer data for the network.
+      Looking at different BIOs could result in write counts on the
+      order of ULONG_MAX. Fixes bug 614.
+    - On Windows, correctly detect errors when listing the contents of
+      a directory. Fix from lodger.
+
+  o Minor bugfixes (on 0.2.0.x):
+    - Downgrade "sslv3 alert handshake failure" message to INFO.
+    - If we set RelayBandwidthRate and RelayBandwidthBurst very high but
+      left BandwidthRate and BandwidthBurst at the default, we would be
+      silently limited by those defaults. Now raise them to match the
+      RelayBandwidth* values.
+    - Fix the SVK version detection logic to work correctly on a branch.
+    - Make --enable-openbsd-malloc work correctly on Linux with alpha
+      CPUs. Fixes bug 625.
+    - Logging functions now check that the passed severity is sane.
+    - Use proper log levels in the testsuite call of
+      get_interface_address6().
+    - When using a nonstandard malloc, do not use the platform values for
+      HAVE_MALLOC_GOOD_SIZE or HAVE_MALLOC_USABLE_SIZE.
+    - Make the openbsd malloc code use 8k pages on alpha CPUs and
+      16k pages on ia64.
+    - Detect mismatched page sizes when using --enable-openbsd-malloc.
+    - Avoid double-marked-for-close warning when certain kinds of invalid
+      .in-addr.arpa addresses are passed to the DNSPort. Part of a fix
+      for bug 617. Bugfix on 0.2.0.1-alpha.
+    - Make sure that the "NULL-means-reject *:*" convention is followed by
+      all the policy manipulation functions, avoiding some possible crash
+      bugs. Bug found by lodger. Bugfix on 0.2.0.16-alpha.
+    - Fix the implementation of ClientDNSRejectInternalAddresses so that it
+      actually works, and doesn't warn about every single reverse lookup.
+      Fixes the other part of bug 617.  Bugfix on 0.2.0.1-alpha.
+
+  o Minor features:
+    - Only log guard node status when guard node status has changed.
+    - Downgrade the 3 most common "INFO" messages to "DEBUG". This will
+      make "INFO" 75% less verbose.
+
+
+Changes in version 0.2.0.21-rc - 2008-03-02
+  Tor 0.2.0.21-rc is the second release candidate for the 0.2.0 series. It
+  makes Tor work well with Vidalia again, fixes a rare assert bug,
+  and fixes a pair of more minor bugs. The bundles also include Vidalia
+  0.1.0 and Torbutton 1.1.16.
+
+  o Major bugfixes:
+    - The control port should declare that it requires password auth
+      when HashedControlSessionPassword is set too. Patch from Matt Edman;
+      bugfix on 0.2.0.20-rc. Fixes bug 615.
+    - Downgrade assert in connection_buckets_decrement() to a log message.
+      This may help us solve bug 614, and in any case will make its
+      symptoms less severe. Bugfix on 0.2.0.20-rc. Reported by fredzupy.
+    - We were sometimes miscounting the number of bytes read from the
+      network, causing our rate limiting to not be followed exactly.
+      Bugfix on 0.2.0.16-alpha. Reported by lodger.
+
+  o Minor bugfixes:
+    - Fix compilation with OpenSSL 0.9.8 and 0.9.8a.  All other supported
+      OpenSSL versions should have been working fine.  Diagnosis and patch
+      from lodger, Karsten Loesing and Sebastian Hahn.  Fixes bug 616.
+      Bugfix on 0.2.0.20-rc.
 
 
 Changes in version 0.2.0.20-rc - 2008-02-24
@@ -77,7 +685,8 @@ Changes in version 0.2.0.20-rc - 2008-02-24
   o Minor bugfixes (memory leaks and code problems):
     - We were leaking a file descriptor if Tor started with a zero-length
       cached-descriptors file. Patch by freddy77; bugfix on 0.1.2.
-    - Detect size overflow in zlib code. Reported by Dan Kaminsky.
+    - Detect size overflow in zlib code. Reported by Justin Ferguson and
+      Dan Kaminsky.
     - We were comparing the raw BridgePassword entry with a base64'ed
       version of it, when handling a "/tor/networkstatus-bridges"
       directory request. Now compare correctly. Noticed by Veracode.

LICENSE

@@ -77,4 +77,9 @@ If you got Tor as a static binary with OpenSSL included, then you should know:
  "This product includes software developed by the OpenSSL Project
  for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 ===============================================================================
+"This program uses the IP-to-Country Database provided by
+WebHosting.Info (http://www.webhosting.info), available from
+http://ip-to-country.webhosting.info."
+See the src/config/geoip file in particular.
+===============================================================================
 

Makefile.am

@@ -26,14 +26,14 @@ dist-rpm:
 	    mkdir $$RPM_BUILD_DIR/$$subdir;                     \
 	done;                                                   \
 	mkdir $$RPM_BUILD_DIR/SOURCES/tor-$(VERSION);           \
-        cp -R ./ $$RPM_BUILD_DIR/SOURCES/tor-$(VERSION)/;       \
-        pushd $$RPM_BUILD_DIR/SOURCES/;                         \
-        tar zcf tor-$(VERSION).tar.gz ./;                       \
-        popd;                                                   \
-        rpmbuild -ba --define "_topdir $$RPM_BUILD_DIR" tor.spec; \
-        mv $$RPM_BUILD_DIR/SRPMS/* .;                           \
-        mv $$RPM_BUILD_DIR/RPMS/* .;                            \
-        rm -rf $$RPM_BUILD_DIR
+    cp -R ./ $$RPM_BUILD_DIR/SOURCES/tor-$(VERSION)/;       \
+    pushd $$RPM_BUILD_DIR/SOURCES/;                         \
+    tar zcf tor-$(VERSION).tar.gz ./;                       \
+    popd;                                                   \
+    LIBS=-lrt rpmbuild -ba --define "_topdir $$RPM_BUILD_DIR" tor.spec; \
+    mv $$RPM_BUILD_DIR/SRPMS/* .;                           \
+    mv $$RPM_BUILD_DIR/RPMS/* .;                            \
+    rm -rf $$RPM_BUILD_DIR
 
 
 dist-osx:
@@ -61,6 +61,8 @@ doxygen:
 test:
 	./src/or/test
 
+dist: check
+
 # Avoid strlcpy.c, strlcat.c, tree.h
 check-spaces:
 	./contrib/checkSpace.pl -C                    \

acinclude.m4

@@ -72,7 +72,12 @@ dnl against it.
 dnl
 dnl TOR_SEARCH_LIBRARY(1:libname, 2:IGNORED, 3:linkargs, 4:headers,
 dnl                    5:prototype,
-dnl                    6:code, 7:optionname, 8:searchextra)
+dnl                    6:code, 7:IGNORED, 8:searchextra)
+dnl
+dnl Special variables:
+dnl   ALT_{libname}_WITHVAL -- another possible value for --with-$1-dir.
+dnl       Used to support renaming --with-ssl-dir to --with-openssl-dir
+dnl
 AC_DEFUN([TOR_SEARCH_LIBRARY], [
 try$1dir=""
 AC_ARG_WITH($1-dir,
@@ -82,6 +87,10 @@ AC_ARG_WITH($1-dir,
         try$1dir="$withval"
      fi
   ])
+if test "x$try$1dir" = x && test "x$ALT_$1_WITHVAL" != x ; then
+  try$1dir="$ALT_$1_WITHVAL"
+fi
+
 tor_saved_LIBS="$LIBS"
 tor_saved_LDFLAGS="$LDFLAGS"
 tor_saved_CPPFLAGS="$CPPFLAGS"
@@ -129,7 +138,7 @@ AC_CACHE_CHECK([for $1 directory], tor_cv_library_$1_dir, [
 
   if test "$tor_$1_dir_found" = no; then
     if test "$tor_$1_any_linkable" = no ; then
-      AC_MSG_WARN([Could not find a linkable $1.  If you have it installed somewhere unusal, you can specify an explicit path using $7])
+      AC_MSG_WARN([Could not find a linkable $1.  If you have it installed somewhere unusual, you can specify an explicit path using --with-$1-dir])
       TOR_WARN_MISSING_LIB($1, pkg)
       AC_MSG_ERROR([Missing libraries; unable to proceed.])
     else
@@ -178,7 +187,7 @@ if test "$cross_compiling" != yes; then
    done
 
    if test "$runnable" = no; then
-     AC_MSG_ERROR([Found linkable $1 in $tor_cv_library_$1_dir, but it does not seem to run, even with -R. Maybe specify another using $7}])
+     AC_MSG_ERROR([Found linkable $1 in $tor_cv_library_$1_dir, but it does not seem to run, even with -R. Maybe specify another using --with-$1-dir}])
    fi
    LDFLAGS="$orig_LDFLAGS"
   ]) dnl end cache check check for extra options.

configure.in

@@ -5,7 +5,7 @@ dnl Copyright (c) 2007-2008, The Tor Project, Inc.
 dnl See LICENSE for licensing information
 
 AC_INIT
-AM_INIT_AUTOMAKE(tor, 0.2.0.20-rc-dev)
+AM_INIT_AUTOMAKE(tor, 0.2.0.35)
 AM_CONFIG_HEADER(orconfig.h)
 
 AC_CANONICAL_HOST
@@ -183,7 +183,18 @@ dnl -------------------------------------------------------------------
 dnl Check for functions before libevent, since libevent-1.2 apparently
 dnl exports strlcpy without defining it in a header.
 
-AC_CHECK_FUNCS(gettimeofday ftime socketpair uname inet_aton strptime getrlimit strlcat strlcpy strtoull ftello getaddrinfo localtime_r gmtime_r memmem strtok_r inet_pton inet_ntop mallinfo malloc_good_size malloc_usable_size)
+AC_CHECK_FUNCS(gettimeofday ftime socketpair uname inet_aton strptime getrlimit strlcat strlcpy strtoull ftello getaddrinfo localtime_r gmtime_r memmem strtok_r inet_pton inet_ntop)
+
+using_custom_malloc=no
+if test x$enable_openbsd_malloc = xyes ; then
+   using_custom_malloc=yes
+fi
+if test x$tcmalloc = xyes ; then
+   using_custom_malloc=yes
+fi                                                                             
+if test $using_custom_malloc = no ; then
+   AC_CHECK_FUNCS(mallinfo malloc_good_size malloc_usable_size)
+fi
 
 if test "$enable_threads" = "yes"; then
   AC_CHECK_HEADERS(pthread.h)
@@ -220,18 +231,30 @@ tor_libevent_devpkg_redhat="libevent-devel"
 tor_libevent_devpkg_debian="libevent-dev"
 
 TOR_SEARCH_LIBRARY(libevent, $trylibeventdir, [-levent $TOR_LIB_WS32], [
+#ifdef WIN32
+#include <winsock2.h>
+#endif
 #include <stdlib.h>
 #include <sys/time.h>
 #include <sys/types.h>
-#include <event.h>], [void exit(int); void *event_init(void);],
-    [event_init(); exit(0);], [--with-libevent-dir], [/opt/libevent])
+#include <event.h>], [
+#ifdef WIN32
+#include <winsock2.h>
+#endif
+void exit(int); void *event_init(void);],
+    [
+#ifdef WIN32
+{WSADATA d; WSAStartup(0x101,&d); }
+#endif
+event_init(); exit(0);
+], [--with-libevent-dir], [/opt/libevent])
 
 dnl Now check for particular libevent functions.
 save_LIBS="$LIBS"
 save_LDFLAGS="$LDFLAGS"
 save_CPPFLAGS="$CPPFLAGS"
 LIBS="-levent $TOR_LIB_WS32 $LIBS"
-LDFLAGS="$TOR_LDFLAGS_libevent $LIBS"
+LDFLAGS="$TOR_LDFLAGS_libevent $LDFLAGS"
 CPPFLAGS="$TOR_CPPFLAGS_libevent $CPPFLAGS"
 AC_CHECK_FUNCS(event_get_version event_get_method event_set_log_callback)
 LIBS="$save_LIBS"
@@ -246,10 +269,19 @@ tor_openssl_pkg_debian="libssl"
 tor_openssl_devpkg_redhat="openssl-devel"
 tor_openssl_devpkg_debian="libssl-dev"
 
+ALT_openssl_WITHVAL=""
+AC_ARG_WITH(ssl-dir,
+  [  --with-ssl-dir=PATH    Obsolete alias for --with-openssl-dir ],
+  [
+      if test "x$withval" != xno && test "x$withval" != "x" ; then
+         ALT_openssl_WITHVAL="$withval"
+      fi
+  ])
+
 TOR_SEARCH_LIBRARY(openssl, $tryssldir, [-lssl -lcrypto $TOR_LIB_GDI],
     [#include <openssl/rand.h>],
     [void RAND_add(const void *buf, int num, double entropy);],
-    [RAND_add((void*)0,0,0); exit(0);], [--with-ssl-dir],
+    [RAND_add((void*)0,0,0); exit(0);], [],
     [/usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/athena /opt/openssl])
 
 dnl XXXX check for OPENSSL_VERSION_NUMBER == SSLeay()
@@ -272,13 +304,13 @@ dnl Make sure to enable support for large off_t if available.
 
 AC_SYS_LARGEFILE
 
-AC_CHECK_HEADERS(unistd.h string.h signal.h ctype.h sys/stat.h sys/types.h fcntl.h sys/fcntl.h sys/time.h errno.h assert.h time.h, , AC_MSG_WARN(Some headers were not found, compilation may fail.  If compilation succeeds, please send your orconfig.h to the developers so we can fix this warning.))
+AC_CHECK_HEADERS(unistd.h string.h signal.h sys/stat.h sys/types.h fcntl.h sys/fcntl.h sys/time.h errno.h assert.h time.h, , AC_MSG_WARN(Some headers were not found, compilation may fail.  If compilation succeeds, please send your orconfig.h to the developers so we can fix this warning.))
 
 AC_CHECK_HEADERS(netdb.h sys/ioctl.h sys/socket.h arpa/inet.h netinet/in.h pwd.h grp.h sys/un.h)
 
 dnl These headers are not essential
 
-AC_CHECK_HEADERS(stdint.h sys/types.h inttypes.h sys/param.h sys/wait.h limits.h sys/limits.h netinet/in.h arpa/inet.h machine/limits.h syslog.h sys/time.h sys/resource.h inttypes.h utime.h sys/utime.h sys/mman.h netintet/in.h netinet/in6.h malloc.h sys/syslimits.h malloc/malloc.h)
+AC_CHECK_HEADERS(stdint.h sys/types.h inttypes.h sys/param.h sys/wait.h limits.h sys/limits.h netinet/in.h arpa/inet.h machine/limits.h syslog.h sys/time.h sys/resource.h inttypes.h utime.h sys/utime.h sys/mman.h netinet/in6.h malloc.h sys/syslimits.h malloc/malloc.h linux/types.h)
 
 TOR_CHECK_PROTOTYPE(malloc_good_size, HAVE_MALLOC_GOOD_SIZE_PROTOTYPE,
 [#ifdef HAVE_MALLOC_H
@@ -312,6 +344,18 @@ AC_CHECK_HEADERS(linux/netfilter_ipv4.h,
 #endif
 #ifdef HAVE_SYS_SOCKET_H
 #include <sys/socket.h>
+#endif
+#ifdef HAVE_LIMITS_H
+#include <limits.h>
+#endif
+#ifdef HAVE_LINUX_TYPES_H
+#include <linux/types.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
 #endif])
 
 if test x$transparent = xtrue ; then
@@ -572,6 +616,9 @@ syslog_facility="$withval", syslog_facility="LOG_DAEMON")
 AC_DEFINE_UNQUOTED(LOGFACILITY,$syslog_facility,[name of the syslog facility])
 AC_SUBST(LOGFACILITY)
 
+# Check if we have getresuid and getresgid
+AC_CHECK_FUNCS(getresuid getresgid)
+
 # Check for gethostbyname_r in all its glorious incompatible versions.
 #   (This logic is based on that in Python's configure.in)
 AH_TEMPLATE(HAVE_GETHOSTBYNAME_R,
@@ -729,7 +776,8 @@ if test x$enable_gcc_warnings = xyes; then
     # These warnings break gcc 4.0.2 and work on gcc 4.2
     # XXXX020 Use -fstack-protector.
     # XXXX020 See if any of these work with earlier versions.
-    CFLAGS="$CFLAGS -Waddress -Wmissing-noreturn -Wnormalized=id -Woverride-init -Wstrict-overflow=5"
+    CFLAGS="$CFLAGS -Waddress -Wmissing-noreturn -Wnormalized=id -Woverride-init -Wstrict-overflow=1"
+    # We used to use -Wstrict-overflow=5, but that breaks us heavily under 4.3.
   fi
 
   if test x$have_shorten64_flag = xyes ; then

contrib/Makefile.am

@@ -3,7 +3,7 @@ DIST_SUBDIRS = osx suse
 
 confdir = $(sysconfdir)/tor
 
-EXTRA_DIST = exitlist tor-tsocks.conf torify.1 tor.nsi.in tor.sh torctl rc.subr cross.sh tor-mingw.nsi.in package_nsis-mingw.sh tor.ico tor-ctrl.sh
+EXTRA_DIST = exitlist tor-tsocks.conf torify.1 tor.nsi.in tor.sh torctl rc.subr cross.sh tor-mingw.nsi.in package_nsis-mingw.sh tor.ico tor-ctrl.sh linux-tor-prio.sh tor-exit-notice.html
 
 conf_DATA = tor-tsocks.conf
 

contrib/checkOptionDocs.pl

@@ -55,9 +55,10 @@ while (<F>) {
     if ($considerNextLine and
         m!^\\fB([A-Za-z0-9_]+)!) {
         $manPageOptions{lc $1} = 1;
+	next;
     }
 
-    if (m!^\.(?:SH|TP)!) {
+    if (m!^\.(?:SH|TP|PP)!) {
         $considerNextLine = 1; next;
     } else {
         $considerNextLine = 0;

contrib/linux-tor-prio.sh

@@ -1,14 +1,55 @@
 #!/bin/bash
 # Written by Marco Bonetti & Mike Perry
-# Based on instructions from Dan Singletary's ADSL Bandwidth Management HOWTO
+# Based on instructions from Dan Singletary's ADSL BW Management HOWTO:
 # http://www.faqs.org/docs/Linux-HOWTO/ADSL-Bandwidth-Management-HOWTO.html
 # This script is Public Domain.
 
+############################### README #################################
+
+# This script provides prioritization of Tor traffic below other
+# traffic on a Linux server. It has two modes of operation: UID based 
+# and IP based. The UID based method requires that Tor be launched from 
+# a specific user ID. The "User" Tor config setting is
+# insufficient, as it sets the UID after the socket is created.
+# Here is a three line C wrapper you can use to execute Tor and drop 
+# privs to UID 501 before it creates any sockets. Change the UID 
+# to the UID for your tor server user, and compile with 
+# 'gcc tor_wrap.c -o tor_wrap':
+
+# #include <unistd.h>
+# int main(int argc, char **argv) {
+# if(setresuid(501, 501, 501) == -1) { perror("setresuid"); return 1; }
+# execl("/bin/tor", "/bin/tor", "-f", "/etc/tor/torrc", NULL);
+# perror("execl"); return 1;
+# }
+
+# The IP setting requires that a separate IP address be dedicated to Tor. 
+# Your Torrc should be set to bind to this IP for "OutboundBindAddress", 
+# "ListenAddress", and "Address".
+
+# You should also tune the individual connection rate parameters below
+# to your individual connection. In particular, you should leave *some* 
+# minimum amount of bandwidth for Tor, so that Tor users are not 
+# completely choked out when you use your server's bandwidth. 30% is 
+# probably a polite choice.
+
+# To start the shaping, run it as: 
+#   ./linux-tor-prio.sh 
+
+# To get status information (useful to verify packets are getting marked
+# and prioritized), run:
+#   ./linux-tor-prio.sh status
+
+# And to stop prioritization:
+#   ./linux-tor-prio.sh stop
+
+########################################################################
+
 # BEGIN USER TUNABLE PARAMETERS
 
 DEV=eth0
 
-# NOTE! You must START Tor under this UID. Using the Tor User/Group 
+# NOTE! You must START Tor under this UID. Using the Tor User
 # config setting is NOT sufficient.
 TOR_UID=$(id -u tor)
 
@@ -27,7 +68,10 @@ RTT_LATENCY=40
 RATE_UP=5000
 
 # RATE_UP_TOR is the minimum speed your Tor connections will have.
-# They will have at least this much bandwidth for upload
+# They will have at least this much bandwidth for upload. In general, 
+# you probably shouldn't set this too low, or else Tor users who use 
+# your node will be completely choked out whenever your machine
+# does any other network activity. That is not very fun.
 RATE_UP_TOR=1500
 
 # RATE_UP_TOR_CEIL is the maximum rate allowed for all Tor trafic
@@ -38,7 +82,7 @@ CHAIN=OUTPUT
 #CHAIN=POSTROUTING
 
 MTU=1500
-AVG_PKT=900
+AVG_PKT=900 # should be more like 600 for non-exit nodes
 
 # END USER TUNABLE PARAMETERS
 

contrib/osx/Tor

@@ -25,15 +25,16 @@ if [ -x /usr/bin/sw_vers ]; then
 # the OS version
   OSVER=`/usr/bin/sw_vers | grep ProductVersion | cut -f2 | cut -d"." -f1,2`
       case "$OSVER" in
-	"10.5") OS="leopard" ARCH="universal";;
- 	"10.4") OS="tiger" ARCH="universal";;
- 	"10.3") OS="panther" ARCH="ppc";;
- 	"10.2") OS="jaguar" ARCH="ppc";;
- 	"10.1") OS="puma" ARCH="ppc";;
- 	"10.0") OS="cheetah" ARCH="ppc";;
+    "10.6") ARCH="universal";;
+	"10.5") ARCH="universal";;
+ 	"10.4") ARCH="universal";;
+ 	"10.3") ARCH="ppc";;
+ 	"10.2") ARCH="ppc";;
+ 	"10.1") ARCH="ppc";;
+ 	"10.0") ARCH="ppc";;
       esac
 else
-	OS="unknown"
+	ARCH="unknown"
 fi
  
 if [ $ARCH != "universal" ]; then

contrib/osx/TorBundleInfo.plist.in

@@ -8,7 +8,7 @@
 	<string>Tor Bundle @VERSION@</string>
 	<key>CFBundleIdentifier</key>
 	<string>net.freehaven.torbundle</string>
-	<key>CFBundleSortVersionString</key>
+	<key>CFBundleShortVersionString</key>
 	<string>@VERSION@</string>
 	<key>IFPkgFlagComponentDirectory</key>
 	<string>../.contained_packages</string>
@@ -20,30 +20,12 @@
 			<key>IFPkgFlagPackageSelection</key>
 			<string>required</string>
 		</dict>
-		<dict>
-			<key>IFPkgFlagPackageLocation</key>
-			<string>Privoxy.pkg</string>
-			<key>IFPkgFlagPackageSelection</key>
-			<string>selected</string>
-		</dict>
-		<dict>
-			<key>IFPkgFlagPackageLocation</key>
-			<string>privoxyconf.pkg</string>
-			<key>IFPkgFlagPackageSelection</key>
-			<string>selected</string>
-		</dict>
 		<dict>
 			<key>IFPkgFlagPackageLocation</key>
 			<string>torstartup.pkg</string>
 			<key>IFPkgFlagPackageSelection</key>
 			<string>selected</string>
 		</dict>
-		<dict>
-			<key>IFPkgFlagPackageLocation</key>
-			<string>torbutton.pkg</string>
-			<key>IFPkgFlagPackageSelection</key>
-			<string>selected</string>
-		</dict>
 	</array>
         <key>IFPkgFormatVersion</key>
         <real>0.10000000149011612</real>

contrib/osx/TorInfo.plist.in

@@ -8,7 +8,7 @@
 	<string>Tor @VERSION@</string>
 	<key>CFBundleName</key>
 	<string>Tor</string>
-	<key>CFBundleSortVersionString</key>
+	<key>CFBundleShortVersionString</key>
 	<string>@VERSION@</string>
 	<key>IFPkgFlagAllowBackRev</key>
 	<true/>

contrib/osx/TorPostflight

@@ -46,7 +46,7 @@ TORGROUP=daemon
 TARGET=$2/Library/Tor
 TORDIR=$TARGET/var/lib/tor
 LOGFILE=/var/log/tor.log
-TORBUTTON_VERSION="1.1.11-alpha"
+TORBUTTON_VERSION="1.2.0-fx"
 
 # Check defaults for TARGET
 if [ "$TARGET" == "//Library/Tor" ]; then
@@ -77,6 +77,11 @@ if [ ! -f $TARGET/torrc ]; then
   cp $TARGET/torrc.sample $TARGET/torrc
 fi
 
+# Put the geoip database into the datadir
+if [ ! -f $TORDIR/geoip ]; then
+  cp $PACKAGE_PATH/Contents/Resources/geoip $TORDIR/geoip
+fi
+
 # Ensure symbolic links
 cd /usr/bin
 if [ -e /usr/bin/tor -a ! -L /usr/bin/tor ]; then
@@ -121,18 +126,11 @@ if [ -d /Library/StartupItems/Tor ]; then
    echo "$TARGET" > /Library/StartupItems/Tor/Tor.loc
 fi
 
+# This only works if the user installing us is an Admin user.
+# Otherwise, this will silently fail to install torbutton in firefox.
 if [ -f /Applications/Firefox.app/Contents/MacOS/firefox ]; then
-  if [ -f $TARGET/torbutton-$TORBUTTON_VERSION.xpi ]; then
-      /Applications/Firefox.app/Contents/MacOS/firefox -install-global-extension $TARGET/torbutton-$TORBUTTON_VERSION.xpi
-# The following is a kludge to get around the fact that the installer
-# runs as root.  This means the Torbutton extension will install with
-# root permissions; thereby making uninstalling Torbutton from inside
-# Firefox impossible.  The user will be caught in an endless loop of
-# uninstall -> automatic re-installation of Torbutton.  The OSX
-# installer doesn't tell you the owner of Firefox, therefore we have to
-# parse it.
-      USR=`ls -alrt /Applications/Firefox.app/Contents/MacOS/extensions/ | tail -1 | awk '{print $3}'`
-      GRP=`ls -alrt /Applications/Firefox.app/Contents/MacOS/extensions/ | tail -1 | awk '{print $4}'`
-      chown -R $USR:$GRP /Applications/Firefox.app/Contents/MacOS/extensions/
+  if [ -f /Library/Torbutton/torbutton-$TORBUTTON_VERSION.xpi ]; then
+# Open firefox with a prompt to install the torbutton xpi
+      su $USER open -a /Applications/Firefox.app /Library/Torbutton/torbutton-$TORBUTTON_VERSION.xpi
   fi
 fi

contrib/osx/TorStartupInfo.plist

@@ -8,7 +8,7 @@
 	<string>Tor Startup Script</string>
 	<key>CFBundleName</key>
 	<string>Tor Startup Script</string>
-	<key>CFBundleSortVersionString</key>
+	<key>CFBundleShortVersionString</key>
 	<string>0.1</string>
 	<key>IFPkgFlagAllowBackRev</key>
 	<true/>

contrib/osx/org.torproject.tor.plist

@@ -0,0 +1,26 @@
+<?xml version=\"1.0\" encoding=\"UTF-8\"?>
+<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\"
+        \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
+<plist version=\"1.0\">
+<dict>
+        <key>Label</key>
+        <string>org.torproject.tor</string>
+        <key>ProgramArguments</key>
+        <array>
+                <string>/usr/bin/tor</string>
+                <string>-f</string>
+                <string>/Library/Tor/torrc</string>
+        </array>
+        <key>RunAtLoad</key>
+        <true/>
+    <key>OnDemand</key>
+    <false/>
+
+    <key>UserName</key>
+    <string>_tor</string>
+    <key>GroupName</key>
+    <string>daemon</string>
+
+</dict>
+
+</plist>

contrib/osx/package.sh

@@ -2,14 +2,12 @@
 # $Id$
 # Copyright 2004-2005 Nick Mathewson. 
 # Copyright 2005-2007 Andrew Lewman
+# Copyright 2008 The Tor Project
 # See LICENSE in Tor distribution for licensing information.
 
-# This script builds a Macintosh OS X metapackage containing 4 packages:
+# This script builds a Macintosh OS X metapackage containing 2 packages:
 #    - One for Tor.
-#    - One for Privoxy.
-#    - One for a tor-specific privoxy configuration script.
 #    - One for Startup scripts for Tor.
-#    - One for Torbutton, an extension for FireFox
 #
 # This script expects to be run from the toplevel makefile, with VERSION
 # set to the latest Tor version, and Tor already built.
@@ -18,22 +16,13 @@
 # Read the documentation located in tor/doc/tor-osx-dmg-creation.txt on
 # how to build Tor for OSX
 
-# Where have we put the zip file containing Privoxy?  Edit this if your
-# privoxy lives somewhere else.
-PRIVOXY_PKG_ZIP=~/tmp/privoxyosx_setup_3.0.6.zip
-
-# Where have we put the xpi and license for Torbutton? Edit this if your
-# torbutton and torbutton license live somewhere else.
-TORBUTTON_PATH=~/tmp/torbutton-1.1.14-alpha.xpi
-TORBUTTON_LIC_PATH=~/tmp/LICENSE
-
 ###
 # Helpful info on OS X packaging:
 #   http://developer.apple.com/documentation/DeveloperTools/Conceptual/SoftwareDistribution/index.html
 #   man packagemaker
 
 # Make sure VERSION is set, so we don't name the package
-# "Tor--$OS-$ARCH-Bundle.dmg"
+# "Tor--$ARCH-Bundle.dmg"
 if [ "XX$VERSION" = 'XX' ]; then
   echo "VERSION not set."
   exit 1
@@ -46,16 +35,17 @@ if [ -x /usr/bin/sw_vers ]; then
 # the OS version
   OSVER=`/usr/bin/sw_vers | grep ProductVersion | cut -f2 | cut -d"." -f1,2`
     case "$OSVER" in
-    	"10.5") OS="leopard" ARCH="universal";;
-	"10.4") OS="tiger" ARCH="universal";;
-	"10.3") OS="panther" ARCH="ppc";;
-	"10.2") OS="jaguar" ARCH="ppc";;
-	"10.1") OS="puma" ARCH="ppc";;
-	"10.0") OS="cheetah" ARCH="ppc";;
-	*) OS="unknown";;
+    "10.6") ARCH="universal";;
+    "10.5") ARCH="universal";;
+	"10.4") ARCH="universal";;
+	"10.3") ARCH="ppc";;
+	"10.2") ARCH="ppc";;
+	"10.1") ARCH="ppc";;
+	"10.0") ARCH="ppc";;
+	*) ARCH="unknown";;
     esac
 else
-  OS="unknown"
+  ARCH="unknown"
 fi
 
 # Where will we put our temporary files?
@@ -71,9 +61,7 @@ sudo rm -rf $BUILD_DIR
 mkdir $BUILD_DIR || exit 1
 for subdir in tor_packageroot tor_resources \
               torstartup_packageroot \
-              privoxyconf_packageroot \
               torbundle_resources \
-              torbutton_packageroot \
               output; do
     mkdir $BUILD_DIR/$subdir
 done
@@ -81,9 +69,7 @@ done
 ### Make Tor package.
 
 make install DESTDIR=$BUILD_DIR/tor_packageroot
-#mv $BUILD_DIR/tor_packageroot/Library/Tor/torrc.sample $BUILD_DIR/tor_packageroot/Library/Tor/torrc
 cp contrib/osx/ReadMe.rtf $BUILD_DIR/tor_resources
-#cp contrib/osx/License.rtf $BUILD_DIR/tor_resources
 chmod 755 contrib/osx/TorPostflight
 cp contrib/osx/TorPostflight $BUILD_DIR/tor_resources/postflight
 cp contrib/osx/addsysuser $BUILD_DIR/tor_resources/addsysuser
@@ -91,6 +77,7 @@ cp contrib/osx/Tor_Uninstaller.applescript $BUILD_DIR/tor_resources/Tor_Uninstal
 cp contrib/osx/uninstall_tor_bundle.sh $BUILD_DIR/tor_resources/uninstall_tor_bundle.sh
 cp contrib/osx/package_list.txt $BUILD_DIR/tor_resources/package_list.txt
 cp contrib/osx/tor_logo.gif $BUILD_DIR/tor_resources/background.gif
+cp src/config/geoip $BUILD_DIR/tor_resources/geoip
 cat <<EOF > $BUILD_DIR/tor_resources/Welcome.txt
 Tor: an anonymous Internet communication system
 
@@ -103,12 +90,6 @@ EOF
 DOC=$BUILD_DIR/tor_resources/documents
 mkdir $DOC
 mkdir $DOC/howto
-#cp doc/website/stylesheet.css doc/website/tor-doc-osx.html.* $DOC/howto
-#cp doc/website/tor-doc-server.html.* $DOC/howto
-#cp doc/website/tor-hidden-service.html.* $DOC/howto
-#cp doc/website/tor-switchproxy.html.* $DOC/howto
-#mkdir $DOC/img
-#cp doc/img/screenshot-osx* $DOC/img
 cp AUTHORS $DOC/AUTHORS.txt
 groff doc/tor.1.in -T ps -m man | pstopdf -i -o $DOC/tor-reference.pdf
 groff doc/tor-resolve.1 -T ps -m man | pstopdf -i -o $DOC/tor-resolve.pdf
@@ -134,18 +115,6 @@ $PACKAGEMAKER -build              \
     -i contrib/osx/TorInfo.plist  \
     -d contrib/osx/TorDesc.plist
 
-### Put privoxy configuration package in place.
-mkdir -p $BUILD_DIR/privoxyconf_packageroot/Library/Privoxy
-cp contrib/osx/privoxy.config $BUILD_DIR/privoxyconf_packageroot/Library/Privoxy/config
-
-find $BUILD_DIR/privoxyconf_packageroot -print0 |sudo xargs -0 chown root:wheel
-
-$PACKAGEMAKER -build                      \
-    -p $BUILD_DIR/output/privoxyconf.pkg  \
-    -f $BUILD_DIR/privoxyconf_packageroot \
-    -i contrib/osx/PrivoxyConfInfo.plist  \
-    -d contrib/osx/PrivoxyConfDesc.plist
-
 ### Make Startup Script package
 
 mkdir -p $BUILD_DIR/torstartup_packageroot/Library/StartupItems/Tor
@@ -160,55 +129,35 @@ $PACKAGEMAKER -build 		       \
   -i contrib/osx/TorStartupInfo.plist  \
   -d contrib/osx/TorStartupDesc.plist
 
-### Make Torbutton Installation package
-
-mkdir -p $BUILD_DIR/torbutton_packageroot/Library/Torbutton
-cp $TORBUTTON_PATH $BUILD_DIR/torbutton_packageroot/Library/Torbutton/
-cp $TORBUTTON_LIC_PATH $BUILD_DIR/torbutton_packageroot/Library/Torbutton/Torbutton-LICENSE.txt
-
-find $BUILD_DIR/torbutton_packageroot -print0 | sudo xargs -0 chown root:wheel
-
-$PACKAGEMAKER -build 		       	\
-  -p $BUILD_DIR/output/torbutton.pkg	\
-  -f $BUILD_DIR/torbutton_packageroot 	\
-  -i contrib/osx/TorbuttonInfo.plist  	\
-  -d contrib/osx/TorbuttonDesc.plist
-
 ### Assemble the metapackage.  Packagemaker won't buld metapackages from
 # the command line, so we need to do it by hand.
 
-MPKG=$BUILD_DIR/output/Tor-$VERSION-$OS-$ARCH-Bundle.mpkg
+MPKG=$BUILD_DIR/output/Tor-$VERSION-$ARCH-Bundle.mpkg
 mkdir -p "$MPKG/Contents/Resources"
 echo -n "pmkrpkg1" > "$MPKG/Contents/PkgInfo"
 cp contrib/osx/ReadMe.rtf "$MPKG/Contents/Resources"
-#cp contrib/osx/License.rtf "$MPKG/Contents/Resources"
 cp contrib/osx/TorBundleInfo.plist "$MPKG/Contents/Info.plist"
 cp contrib/osx/TorBundleWelcome.rtf "$MPKG/Contents/Resources/Welcome.rtf"
 cp contrib/osx/TorBundleDesc.plist "$MPKG/Contents/Resources/Description.plist"
 cp contrib/osx/tor_logo.gif "$MPKG/Contents/Resources/background.gif"
 
-# Move all the subpackages into place.  unzip Privoxy.pkg into place,
-# and fix its file permissions so we can rm -rf it later.
+# Move all the subpackages into place.  
 mkdir $BUILD_DIR/output/.contained_packages
 mv $BUILD_DIR/output/*.pkg $BUILD_DIR/OUTPUT/.contained_packages
-( cd $BUILD_DIR/output/.contained_packages && unzip $PRIVOXY_PKG_ZIP && find Privoxy.pkg -type d -print0 | xargs -0 chmod u+w )
+( cd $BUILD_DIR/output/.contained_packages )
 
 ### Copy readmes and licenses into toplevel.
-PRIVOXY_RESDIR=$BUILD_DIR/output/.contained_packages/Privoxy.pkg/Contents/Resources
-cp $PRIVOXY_RESDIR/License.html $BUILD_DIR/output/Privoxy\ License.html
-cp $PRIVOXY_RESDIR/ReadMe.txt $BUILD_DIR/output/Privoxy\ ReadMe.txt
 cp contrib/osx/ReadMe.rtf $BUILD_DIR/output/Tor\ ReadMe.rtf
 cp LICENSE $BUILD_DIR/output/Tor\ License.txt
-cp $TORBUTTON_LIC_PATH $BUILD_DIR/output/Torbutton_LICENSE.txt
 
 ### Package it all into a DMG
 
 find $BUILD_DIR/output -print0 | sudo xargs -0 chown root:wheel
 
-mv $BUILD_DIR/output "$BUILD_DIR/Tor-$VERSION-$OS-$ARCH-Bundle"
-rm -f "Tor-$VERSION-$OS-$ARCH-Bundle.dmg"
+mv $BUILD_DIR/output "$BUILD_DIR/Tor-$VERSION-$ARCH-Bundle"
+rm -f "Tor-$VERSION-$ARCH-Bundle.dmg"
 USER="`whoami`"
-sudo hdiutil create -format UDZO -srcfolder "$BUILD_DIR/Tor-$VERSION-$OS-$ARCH-Bundle" "Tor-$VERSION-$OS-$ARCH-Bundle.dmg"
-sudo chown "$USER" "Tor-$VERSION-$OS-$ARCH-Bundle.dmg"
+sudo hdiutil create -format UDZO -imagekey zlib-level=9 -srcfolder "$BUILD_DIR/Tor-$VERSION-$ARCH-Bundle" "Tor-$VERSION-$ARCH-Bundle.dmg"
+sudo chown "$USER" "Tor-$VERSION-$ARCH-Bundle.dmg"
 
 sudo rm -rf $BUILD_DIR

contrib/osx/uninstall_tor_bundle.sh

@@ -31,7 +31,7 @@
 
 ### this is the location of a file which contains all the actual package names
 ##	(ie "Tor", "torstartup", ...) the list should be new-line-delimited.
-PACKAGE_LIST_SRC=./package_list.txt
+PACKAGE_LIST_SRC=/Library/Tor/package_list.txt
 
 ### this is the name of the user created in the install process of Tor
 TOR_USER=_tor

contrib/package_nsis-mingw.sh

@@ -4,6 +4,7 @@
 # package_nsis-ming.sh is distributed under this license:
 
 # Copyright (c) 2006-2007 Andrew Lewman
+# Copyright (c) 2008 The Tor Project, Inc.
 
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -56,9 +57,7 @@ mkdir win_tmp/tmp
 cp src/or/tor.exe win_tmp/bin/
 cp src/tools/tor-resolve.exe win_tmp/bin/
 cp contrib/tor.ico win_tmp/bin/
-
-# YOU must copy torbutton xpi into the contrib dir
-#cp contrib/torbutton-1.0.4-fx+tb.xpi win_tmp/bin/
+cp src/config/geoip win_tmp/bin/
 
 # There is no man2html in mingw.  
 # Maybe we should add this into make dist instead.

contrib/rc.subr

@@ -14,7 +14,6 @@
 # tor_conf (str):       Points to your tor conf file
 #                       Default: /usr/local/etc/tor/torrc
 # tor_user (str):       Tor Daemon user. Default _tor
-# tor_groupr (str):     Tor Daemon group. Default _tor
 #
 
 . /etc/rc.subr
@@ -27,7 +26,6 @@ load_rc_config ${name}
 : ${tor_enable="NO"}
 : ${tor_conf="/usr/local/etc/tor/torrc"}
 : ${tor_user="_tor"}
-: ${tor_group="_tor"}
 : ${tor_pidfile="/var/run/tor/tor.pid"}
 : ${tor_logfile="/var/log/tor"}
 : ${tor_datadir="/var/run/tor"}
@@ -35,7 +33,7 @@ load_rc_config ${name}
 required_files=${tor_conf}
 required_dirs=${tor_datadir}
 command="/usr/local/bin/${name}"
-command_args="-f ${tor_conf} --pidfile ${tor_pidfile} --runasdaemon 1 --datadirectory ${tor_datadir} --user ${tor_user} --group ${tor_group}"
+command_args="-f ${tor_conf} --pidfile ${tor_pidfile} --runasdaemon 1 --datadirectory ${tor_datadir} --user ${tor_user}"
 extra_commands="log"
 log_cmd="${name}_log"
 

contrib/tor-exit-notice.html

@@ -0,0 +1,125 @@
+<html>
+<head>
+<title>This is a Tor Exit Router</title>
+
+<!--
+
+This notice is intended to be placed on a virtual host for a domain that
+your Tor exit node IP reverse resolves to so that people who may be about
+to file an abuse complaint would check it first before bothering you or
+your ISP. Ex:
+http://tor-exit.yourdomain.org or http://tor-readme.yourdomain.org.
+
+This type of setup has proven very effective at reducing abuse complaints
+for exit node operators.
+
+There are a few places in this document that you may want to customize.
+They are marked with FIXME.
+
+-->
+
+</head>
+<body bgcolor=white text=black>
+
+<center><h1>This is a Tor Exit Router</h1></center>
+
+<p>Most likely you are accessing this website because you had some issue with
+the traffic coming from this IP. This router is part of the <a
+href="https://www.torproject.org/">Tor Anonymity Network</a>, which is
+dedicated to providing people with anonymity who need it most: average
+computer users. This router IP should be generating no other traffic, unless
+it has been compromised.
+
+<p>
+
+While Tor is not designed for malicious computer users, it is inevitable that
+some may use the network for malicious ends. In the mind of this operator,
+the social need for easily accessible censorship-resistant anonymous
+communication trumps the risk. Tor sees use by many important segments of the
+population, including whistle blowers, journalists, Chinese dissidents
+skirting the Great Firewall and oppressive censorship, abuse victims,
+stalker targets, the US military, and law enforcement, just to name a few.
+
+<p>
+
+<!-- FIXME: you should probably grab your own copy of tor-route.png
+and serve it locally -->
+<center><a href="https://www.torproject.org/overview.html.en">
+<img src="http://tor-exit.fscked.org/tor-route.png"></a></center>
+
+<p>
+
+In terms of applicable law, the best way to understand Tor is to consider it a
+network of routers operating as common carriers, much like the Internet
+backbone. However, unlike the Internet backbone routers, Tor routers
+explicitly do not contain identifiable routing information about the source of
+a packet.
+
+<p>
+
+As such, there is little the operator of this router can do to help you track
+the connection further. This router maintains no logs of any of the Tor
+traffic, so there is little that can be done to trace either legitimate or
+illegitimate traffic (or to filter one from the other).  Attempts to
+seize this router will accomplish nothing.
+<p>
+
+<!--- FIXME: US-Only section. Remove if you are a non-US operator -->
+
+Furthermore, this machine also serves as a carrier of email, which means that
+its contents are further protected under the ECPA. <a
+href="http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002707----000-.html">18
+USC 2707</a> explicitly allows for civil remedies ($1000/account
+<i><b><u>plus</u></b></i>  legal fees)
+in the event of a seizure executed without good faith or probable cause (it
+should be clear at this point that traffic with an originating IP address of
+FIXME_DNS_NAME should not constitute probable cause to seize the
+machine). Similar considerations exist for 1st amendment content on this
+machine.
+
+<p>
+
+<!-- FIXME: May or may not be US-only. Some non-US tor nodes have in
+fact reported DMCA harassment... -->
+
+If you are a representative of a company who feels that this router is being
+used to violate the DMCA, please be aware that this machine does not host or
+contain any illegal content. Also be aware that network infrastructure
+maintainers are not liable for the type of content that passes over their
+equipment, in accordance with <a
+href="http://www4.law.cornell.edu/uscode/html/uscode17/usc_sec_17_00000512----000-.html">DMCA
+"safe harbor" provisions</a>. In other words, you will have just as much luck
+sending a takedown notice to the Internet backbone providers. Please consult
+<a href="https://www.torproject.org/eff/tor-dmca-response.html">EFF's prepared
+response</a> for more information on this matter.
+
+<p>For more information, please consult the following documentation:
+
+<ol>
+<li><a href="https://www.torproject.org/overview.html">Tor Overview</a></li>
+<li><a href="https://www.torproject.org/faq-abuse.html">Tor Abuse FAQ</a></li>
+<li><a href="https://www.torproject.org//eff/tor-legal-faq.html">Tor Legal FAQ</a></li>
+</ol>
+<p>
+
+That being said, if you still have a complaint about the router,  you may
+email the <a href="mailto:FIXME_YOUR_EMAIL_ADDRESS">maintainer</a>. If
+complaints are related to a particular service that is being abused, I will
+consider removing that service from my exit policy, which would prevent my
+router from allowing that traffic to exit through it. I can only do this on an
+IP+destination port basis, however. Common P2P ports are
+already blocked.
+
+<p>You also have the option of blocking this IP address and others on
+the Tor network if you so desire. The Tor project provides a <a
+href="https://www.torproject.org/cvs/tor/contrib/exitlist">python script</a> to
+extract all IP addresses of Tor exit nodes, and an official <a
+href="http://exitlist.torproject.org/">DNSRBL</a> is also available to
+determine if a given IP address is actually a Tor exit server. Please
+be considerate
+when using these options. It would be unfortunate to deny all Tor users access
+to your site indefinitely simply because of a few bad apples.
+
+</body>
+</html>
+

contrib/tor-mingw.nsi.in

@@ -1,6 +1,6 @@
 ;tor.nsi - A basic win32 installer for Tor
 ; Originally written by J Doe.
-; Modified by Steve Topletz
+; Modified by Steve Topletz, Andrew Lewman
 ; See the Tor LICENSE for licensing information
 ;-----------------------------------------
 ;
@@ -9,7 +9,7 @@
 !include "FileFunc.nsh"
 !insertmacro GetParameters
   
-!define VERSION "0.2.0.20-rc-dev"
+!define VERSION "0.2.0.35"
 !define INSTALLER "tor-${VERSION}-win32.exe"
 !define WEBSITE "https://www.torproject.org/"
 !define LICENSE "LICENSE"
@@ -96,6 +96,11 @@ Section "Tor" Tor
 		Next:
 	${EndIf}
 	File /oname=$CONFIGFILE "..\src\config\torrc.sample"
+
+; the geoip file needs to be included and stuffed into the right directory
+; otherwise tor is unhappy
+	SetOutPath $APPDATA\Tor
+	Call ExtractGEOIP
 SectionEnd
 
 Section "Documents" Docs
@@ -113,7 +118,6 @@ Section "Start Menu" StartMenu
   ${If} ${FileExists} "$INSTDIR\Documents\*.*"
     Call CreateDocLinks
   ${EndIf}
-   endifdocs:
 SectionEnd
 
 Section "Desktop" Desktop
@@ -156,12 +160,15 @@ Function ExtractBinaries
 	File "${BIN}\tor-resolve.exe"
 FunctionEnd
 
+Function ExtractGEOIP
+	File "${BIN}\geoip"
+FunctionEnd
+
 Function ExtractIcon
 	File "${BIN}\tor.ico"
 FunctionEnd
 
 Function ExtractSpecs
-	;File "doc\FAQ"
 	File "..\doc\HACKING"
 	File "..\doc\spec\address-spec.txt"
 	File "..\doc\spec\control-spec.txt"

contrib/tor.sh.in

@@ -31,8 +31,6 @@ TORCTL=@BINDIR@/torctl
 # torctl will use these environment variables
 TORUSER=@TORUSER@
 export TORUSER
-TORGROUP=@TORGROUP@
-export TORGROUP
 
 if [ -x /bin/su ] ; then
     SUPROG=/bin/su

contrib/torctl.in

@@ -41,22 +41,18 @@ TORDATA="@LOCALSTATEDIR@/lib/tor"
 TORARGS="--pidfile $PIDFILE --log \"notice file $LOGFILE\" --runasdaemon 1"
 TORARGS="$TORARGS --datadirectory $TORDATA"
 
-# If user and group names are set in the environment, then use them;
+# If user name is set in the environment, then use it;
 # otherwise run as the invoking user (or whatever user the config
 # file says)... unless the invoking user is root. The idea here is to
 # let an unprivileged user run tor for her own use using this script,
 # while still providing for it to be used as a system daemon.
 if [ "x`id -u`" = "x0" ]; then
     TORUSER=@TORUSER@
-    TORGROUP=@TORGROUP@
 fi
 
 if [ "x$TORUSER" != "x" ]; then
     TORARGS="$TORARGS --user $TORUSER"
 fi
-if [ "x$TORGROUP" != "x" ]; then
-    TORARGS="$TORARGS --group $TORGROUP"
-fi
 
 # We no longer wrap the Tor daemon startup in an su when running as
 # root, because it's too painful to make the use of su portable.

debian/changelog

@@ -1,3 +1,175 @@
+tor (0.2.0.35-1) unstable; urgency=low
+
+  * New upstream version:
+    o security fixes:
+      - Avoid crashing in the presence of certain malformed descriptors.
+      - Fix an edge case where a malicious exit relay could convince a
+        controller that the client's DNS question resolves to an internal IP
+        address.
+    o bugfixes:
+      - Finally fix the bug where dynamic-IP relays disappear when their
+        IP address changes.
+      - Fix a DNS-related crash bug (apparently depending on everything
+        but the phase of the moon).
+      - Fix a memory leak when starting with a cache over a few days old
+      - Hidden service clients didn't use a cached service descriptor that
+        was older than 15 minutes, but wouldn't fetch a new one either.
+    [More details are in the upstream changelog.]
+
+ -- Peter Palfrader <weasel@debian.org>  Fri, 26 Jun 2009 01:56:14 +0200
+
+tor (0.2.0.34-1) unstable; urgency=high
+
+  * New upstream version:
+     - Avoid a potential crash on exit nodes when processing malformed
+       input.  Remote DoS opportunity (closes: #514579).
+     - Fix a temporary DoS vulnerability that could be performed by
+       a directory mirror (closes: #514580).
+
+ -- Peter Palfrader <weasel@debian.org>  Mon, 09 Feb 2009 09:53:48 +0100
+
+tor (0.2.0.33-1) unstable; urgency=high
+
+  * New upstream version:
+    - Fixes a possible remote heap buffer overflow bug (closes: #512728)
+      (Secunia Advisory [SA33635]).
+    - better resist DNS poisoning.
+    - and more - see upstream changelog.
+
+ -- Peter Palfrader <weasel@debian.org>  Fri, 23 Jan 2009 12:05:06 +0100
+
+tor (0.2.0.32-1) unstable; urgency=high
+
+  * New upstream version.
+    - Properly drops privileges when being configured to do
+      so (closes: #505178).
+  * No longer set now obsolete Group setting in built-in debian config.
+
+ -- Peter Palfrader <weasel@debian.org>  Fri, 21 Nov 2008 23:33:15 +0100
+
+tor (0.2.0.31-1) unstable; urgency=low
+
+  * New upstream version.
+  * Tweak a few error messages in the init script to use the proper variables
+    (not that it should matter, the Right One has the same value, but still)
+    and to list more possible error reasons.
+
+ -- Peter Palfrader <weasel@debian.org>  Tue, 09 Sep 2008 09:56:54 +0200
+
+tor (0.2.0.30-2) unstable; urgency=low
+
+  * Stop requiring that the binary in /usr/sbin/tor is still the same as the
+    one that actually is the running tor when we try to stop or reload the
+    daemon using the init script.  If the process is called tor, running as
+    debian-tor, and the pid file agrees too then it probably is the Tor you
+    want to stop (closes: #491246).
+
+ -- Peter Palfrader <weasel@debian.org>  Fri, 18 Jul 2008 01:50:37 +0200
+
+tor (0.2.0.30-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- Peter Palfrader <weasel@debian.org>  Wed, 16 Jul 2008 02:19:08 +0200
+
+tor (0.2.0.29-rc-2) unstable; urgency=low
+
+  * Upload to unstable.
+
+ -- Peter Palfrader <weasel@debian.org>  Tue, 15 Jul 2008 22:16:08 +0200
+
+tor (0.2.0.29-rc-1) experimental; urgency=low
+
+  * New upstream version.
+  * Warn the admin if the number of file descriptors on his system is
+    tiny.
+
+ -- Peter Palfrader <weasel@debian.org>  Wed, 09 Jul 2008 14:02:06 +0200
+
+tor (0.2.0.28-rc-1) experimental; urgency=low
+
+  * New upstream version.
+  * Remove debian/patches/11_tor_as_root_more_helpful.dpatch as
+    it is no longer needed:  We now setuid() to the Tor user
+    when run as root and it all just works.
+  * Add comments to the dpatch headers so lintian shuts up.
+  * Add patches/14_fix_geoip_warning: Change geoipdb open failed message.
+  * Require unit tests to pass again.
+
+ -- Peter Palfrader <weasel@debian.org>  Fri, 13 Jun 2008 10:28:36 +0200
+
+tor (0.2.0.27-rc-1) experimental; urgency=low
+
+  * New upstream version.
+  * Add tor-geoipdb arch: all package for the geoip database.
+  * Update debian/rules so that there now is a binary-common target
+    and the binary-indep and binary-arch targets call make with
+    proper DH_OPTIONS options.  This is taken from the template
+    that dh_make nowadays uses for multi-binary packages.
+  * Unit tests are broken, yay.
+  * Use ${binary:Version} to depend on the right tor binary package from
+    the tor-dbg package instead of ${Source-Version}.  Some guy on the
+    internet said the latter was deprecated.
+  * Add Homepage: https://www.torproject.org/ field to control file.
+  * And mention www.tp.o instead of the old tor.eff.org in the long
+    description.
+  * No longer ignore failure of make clean in the clean target.
+  * Support passing of parallel=<n> in build options.
+  * Change declared Standards-Version to 3.8.0.
+
+ -- Peter Palfrader <weasel@debian.org>  Fri, 06 Jun 2008 01:11:33 +0200
+
+tor (0.2.0.26-rc-1) experimental; urgency=critical
+
+  * New upstream version.
+  * Conflict with old libssls.
+  * On upgrading from versions prior to, including, 0.1.2.19-2, or
+    from versions later than 0.2.0 and prior to 0.2.0.26-rc do the
+    following, and if we are a server (we have a /var/lib/tor/keys
+    directory)
+    - move /var/lib/tor/keys/secret_onion_key out of the way.
+    - move /var/lib/tor/keys/secret_onion_key.old out of the way.
+    - move /var/lib/tor/keys/secret_id_key out of the way if it was
+      created on or after 2006-09-17, which is the day the bad
+      libssl was uploaded to Debian unstable.
+  * Add a NEWS file explaining this change.
+
+ -- Peter Palfrader <weasel@debian.org>  Tue, 13 May 2008 16:11:21 +0200
+
+tor (0.2.0.24-rc-1) experimental; urgency=low
+
+  * New upstream version.
+
+ -- Peter Palfrader <weasel@debian.org>  Wed, 23 Apr 2008 02:25:22 +0200
+
+tor (0.2.0.23-rc-1) experimental; urgency=low
+
+  * New upstream version.
+  * Mention OpenBSD_malloc_Linux.c in debian/copyright.
+  * Add a recommends on logrotate.
+
+ -- Peter Palfrader <weasel@debian.org>  Tue, 25 Mar 2008 09:34:37 +0100
+
+tor (0.2.0.22-rc-1) experimental; urgency=low
+
+  * New upstream version.
+  * Work around fig2dev failing to build the images on all archs
+    (re #457568).
+  * Build with --enable-openbsd-malloc, unless no-enable-openbsd-malloc is
+    found in DEB_BUILD_OPTIONS.  Hopefully this deals with some of the
+    horrible memory fragmentation that glibc's malloc causes.
+
+ -- Peter Palfrader <weasel@debian.org>  Wed, 19 Mar 2008 08:03:47 +0100
+
+tor (0.2.0.21-rc-1) experimental; urgency=low
+
+  * New upstream version.
+  * Run --verify-config before start/reload/restart as root.  No longer
+    su - to debian-tor tor run it.  Given that we now even start Tor as
+    root (it setuids later on) this should be fine (closes: #468566).
+
+ -- Peter Palfrader <weasel@debian.org>  Mon,  3 Mar 2008 13:36:59 +0100
+
 tor (0.2.0.20-rc-1) experimental; urgency=low
 
   * New upstream version.

debian/control

@@ -3,12 +3,14 @@ Section: comm
 Priority: optional
 Maintainer: Peter Palfrader <weasel@debian.org>
 Build-Depends: debhelper (>= 4.1.65), libssl-dev, dpatch, zlib1g-dev, libevent-dev (>= 1.1), texlive-base-bin, texlive-latex-base, texlive-fonts-recommended, transfig, gs, binutils (>= 2.14.90.0.7)
-Standards-Version: 3.7.2
+Standards-Version: 3.8.0
+Homepage: https://www.torproject.org/
 
 Package: tor
 Architecture: any
 Depends: ${shlibs:Depends}, adduser, tsocks
-Recommends: privoxy | polipo (>= 1), socat
+Conflicts: libssl0.9.8 (<< 0.9.8g-9)
+Recommends: privoxy | polipo (>= 1), socat, logrotate, tor-geoipdb
 Suggests: mixmaster, mixminion, anon-proxy
 Description: anonymizing overlay network for TCP
  Tor is a connection-based low-latency anonymous communication system which
@@ -43,16 +45,29 @@ Description: anonymizing overlay network for TCP
  Remember that this is development code -- don't rely on the current Tor
  network if you really need strong anonymity.
  .
- The latest information can be found at http://tor.eff.org/, or on the
+ The latest information can be found at https://www.torproject.org/, or on the
  mailing lists, archived at http://archives.seul.org/or/talk/ or
  http://archives.seul.org/or/announce/.
 
 Package: tor-dbg
 Architecture: any
-Depends: tor (= ${Source-Version})
+Depends: tor (= ${binary:Version})
 Suggests: gdb
 Priority: extra
 Description: debugging symbols for Tor
  This package provides the debugging symbols for Tor, The Onion Router.
  Those symbols allow your debugger to assign names to your backtraces, which
  makes it somewhat easier to interpret core dumps.
+
+Package: tor-geoipdb
+Architecture: all
+Priority: extra
+Depends: tor (>= ${source:Version})
+Description: geoIP database for Tor
+ This package provides a geoIP database for Tor, i.e. it maps IPv4 addresses
+ to countries.
+ .
+ Bridges (special Tor relays that aren't listed in the main Tor directory) use
+ this information to report which countries they get access from.  This allows
+ the Tor network operators to learn if certain countries started blocking
+ access to bridges.

debian/copyright

@@ -12,6 +12,7 @@ Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
 Copyright (c) 2007-2008, The Tor Project, Inc.
 strlcat, strlcpy: Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
 ht.h: Copyright (c) 2002, Christopher Clark, 2006 Nick Mathewson
+OpenBSD_malloc_Linux.c: phk@FreeBSD.ORG
 Modifications for Debian: Copyright (c) 2004, 2005, 2006, 2007, 2008 Peter Palfrader
 
 Tor is distributed under this license:
@@ -115,4 +116,9 @@ ht.h by Nick Mathewson is licensed as follows:
  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-
+===============================================================================
+OpenBSD_malloc_Linux.c:
+ * "THE BEER-WARE LICENSE" (Revision 42):
+ * <phk@FreeBSD.ORG> wrote this file.  As long as you retain this notice you
+ * can do whatever you want with this stuff. If we meet some day, and you think
+ * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp

debian/patches/00list

@@ -2,4 +2,4 @@
 03_tor_manpage_in_section_8.dpatch
 06_add_compile_time_defaults.dpatch
 07_log_to_file_by_default.dpatch
-11_tor_as_root_more_helpful.dpatch
+14_fix_geoip_warning

debian/patches/02_add_debian_files_in_manpage.dpatch

@@ -2,7 +2,7 @@
 ## 02_add_debian_files_in_manpage.dpatch by  <weasel@debian.org>
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
+## DP: Change the FILES section of the manpage to properly describe the situation on Debian systems.
 
 if [ $# -lt 1 ]; then
     echo "`basename $0`: script expects -patch|-unpatch as argument" >&2

debian/patches/03_tor_manpage_in_section_8.dpatch

@@ -2,7 +2,7 @@
 ## 03_tor_manpage_in_section_8.dpatch by  <weasel@debian.org>
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
+## DP: Move the Tor manpage from section 1 to section 8.
 
 if [ $# -lt 1 ]; then
     echo "`basename $0`: script expects -patch|-unpatch as argument" >&2

debian/patches/06_add_compile_time_defaults.dpatch

@@ -2,7 +2,7 @@
 ## 06_add_compile_time_defaults.dpatch by  <weasel@debian.org>
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
+## DP: Change a few compile time defaults so that Tor is better integrated on a Debian system
 
 if [ $# -lt 1 ]; then
     echo "`basename $0`: script expects -patch|-unpatch as argument" >&2
@@ -72,7 +72,7 @@ diff -urNad trunk~/src/or/config.c trunk/src/or/config.c
    if (errmsg) {
      log(LOG_WARN,LD_CONFIG,"Failed to parse/validate config: %s", errmsg);
      tor_free(errmsg);
-@@ -5011,3 +5018,64 @@
+@@ -5011,3 +5018,60 @@
    puts(routerparse_c_id);
  }
  
@@ -131,9 +131,5 @@ diff -urNad trunk~/src/or/config.c trunk/src/or/config.c
 +  tor_assert(var);
 +  var->initvalue = tor_strdup("debian-tor");
 +
-+  var = config_find_option(&options_format, "Group");
-+  tor_assert(var);
-+  var->initvalue = tor_strdup("debian-tor");
-+
 +  return 0;
 +}

debian/patches/07_log_to_file_by_default.dpatch

@@ -2,7 +2,7 @@
 ## 07_log_to_file_by_default.dpatch by  <weasel@debian.org>
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
+## DP: Change default logging target from stdout to a logfile
 
 if [ $# -lt 1 ]; then
     echo "`basename $0`: script expects -patch|-unpatch as argument" >&2

debian/patches/11_tor_as_root_more_helpful.dpatch

@@ -1,36 +0,0 @@
-#! /bin/sh -e
-## 08_no_run_as_root.dpatch by  <weasel@debian.org>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
-
-if [ $# -lt 1 ]; then
-    echo "`basename $0`: script expects -patch|-unpatch as argument" >&2
-    exit 1
-fi
-
-[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts
-patch_opts="${patch_opts:--f --no-backup-if-mismatch} ${2:+-d $2}"
-
-case "$1" in
-    -patch) patch -p1 ${patch_opts} < $0;;
-    -unpatch) patch -R -p1 ${patch_opts} < $0;;
-    *)
-        echo "`basename $0`: script expects -patch|-unpatch as argument" >&2
-        exit 1;;
-esac
-
-exit 0
-
-@DPATCH@
---- tor~/src/or/main.c	2006-07-23 19:31:29.000000000 +0200
-+++ tor/src/or/main.c	2006-07-24 05:34:30.696138870 +0200
-@@ -1483,7 +1483,7 @@
- #ifndef MS_WINDOWS
-   if (geteuid()==0)
-     log_warn(LD_GENERAL,"You are running Tor as root. You don't need to, "
--             "and you probably shouldn't.");
-+             "and you probably shouldn't.  Maybe you are looking for the init script?  '/etc/init.d/tor start'");
- #endif
- 
-   crypto_global_init(get_options()->HardwareAccel);

debian/patches/14_fix_geoip_warning.dpatch

@@ -0,0 +1,37 @@
+#! /bin/sh -e
+## 14_fix_geoip_warning.dpatch by  <weasel@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Change geoipdb open failed message
+
+if [ $# -lt 1 ]; then
+    echo "`basename $0`: script expects -patch|-unpatch as argument" >&2
+    exit 1
+fi
+
+[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts
+patch_opts="${patch_opts:--f --no-backup-if-mismatch} ${2:+-d $2}"
+
+case "$1" in
+    -patch) patch -p1 ${patch_opts} < $0;;
+    -unpatch) patch -R -p1 ${patch_opts} < $0;;
+    *)
+        echo "`basename $0`: script expects -patch|-unpatch as argument" >&2
+        exit 1;;
+esac
+
+exit 0
+
+@DPATCH@
+diff -urNad git-stable~/src/or/geoip.c git-stable/src/or/geoip.c
+--- git-stable~/src/or/geoip.c	2008-06-06 01:00:41.000000000 +0200
++++ git-stable/src/or/geoip.c	2008-06-11 12:54:17.605150644 +0200
+@@ -147,7 +147,7 @@
+   int severity = should_record_bridge_info(options) ? LOG_WARN : LOG_INFO;
+   clear_geoip_db();
+   if (!(f = fopen(filename, "r"))) {
+-    log_fn(severity, LD_GENERAL, "Failed to open GEOIP file %s.", filename);
++    log_fn(severity, LD_GENERAL, "Failed to open GEOIP file %s.  Do you have the tor-geoipdb package installed?", filename);
+     return -1;
+   }
+   geoip_countries = smartlist_create();

debian/rules

@@ -48,11 +48,21 @@ ifneq (,$(findstring notest,$(DEB_BUILD_OPTIONS)))
 	RUN_TEST = no
 endif
 
+# Support passing of parallel=<n> in build options
+ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+	NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+	MAKEFLAGS += -j$(NUMJOBS)
+endif
+
 CONF_OPTIONS =
 # build against libdmalloc4 - it better be installed
 ifneq (,$(findstring with-dmalloc,$(DEB_BUILD_OPTIONS)))
 	CONF_OPTIONS += --with-dmalloc
 endif
+# inhibit building with --enable-openbsd-malloc
+ifeq (,$(findstring no-enable-openbsd-malloc,$(DEB_BUILD_OPTIONS)))
+	CONF_OPTIONS += --enable-openbsd-malloc
+endif
 
 configure: patch-stamp
 config.status: configure
@@ -100,17 +110,15 @@ build-stamp:  config.status
 	#
 	# the hexdumps were built using something like
 	#   perl -e 'while (<>) { print unpack ("H*", $_); }' interaction.pdf | fold > hexdump-interaction.pdf
-	if [ "$(DEB_BUILD_GNU_TYPE)" = "s390-linux-gnu" ] || \
-	   [ "$(DEB_BUILD_GNU_TYPE)" = "sparc-linux-gnu" ] || \
-	   [ "$(DEB_BUILD_GNU_TYPE)" = "mipsel-linux" ]; then \
-		cd doc/design-paper; \
+	# 
+	# And it fails on a bunch of other archs too.
+	cd doc/design-paper; \
 		fig2dev -L pdf cell-struct.fig cell-struct.pdf || \
 			( echo "** Using shipped pdf file because fig2dev failed"; \
 			  perl -e 'while (<>) { chomp; print pack ("H*", $$_); }' ../../debian/hexdump-cell-struct.pdf > cell-struct.pdf ); \
 		fig2dev -L pdf interaction.fig interaction.pdf || \
 			( echo "** Using shipped pdf file because fig2dev failed"; \
 			  perl -e 'while (<>) { chomp; print pack ("H*", $$_); }' ../../debian/hexdump-interaction.pdf > interaction.pdf ); \
-	fi
 	# XXX ends
 
 	make -C doc/design-paper tor-design.ps tor-design.pdf
@@ -122,7 +130,7 @@ clean: unpatch
 	dh_testroot
 	rm -f build-stamp
 
-	-$(MAKE) distclean
+	[ ! -f Makefile ] || $(MAKE) distclean
 
 	dh_clean
 
@@ -154,28 +162,31 @@ install: build
 
 	rm -f $(CURDIR)/debian/tor/usr/bin/tor-control.py
 
+	# tor-dbg doc dir
 	install -d -m 755 $(CURDIR)/debian/tor-dbg/usr/share/doc
 	ln -s tor $(CURDIR)/debian/tor-dbg/usr/share/doc/tor-dbg
 
+	# tor-geoip
+	mv $(CURDIR)/debian/tor/usr/share/tor/geoip $(CURDIR)/debian/tor-geoipdb/usr/share/tor
+	rmdir $(CURDIR)/debian/tor/usr/share/tor || true
 
-# Build architecture-independent files here.
-binary-indep: build install
-# We have nothing to do by default.
+	install -d -m 755 $(CURDIR)/debian/tor-geoipdb/usr/share/doc/tor-geoipdb
+	ln -s ../tor/changelog.gz $(CURDIR)/debian/tor-geoipdb/usr/share/doc/tor-geoipdb
+	ln -s ../tor/changelog.Debian.gz $(CURDIR)/debian/tor-geoipdb/usr/share/doc/tor-geoipdb
 
-# Build architecture-dependent files here.
-binary-arch: build install
+	install -m 644 debian/tor-geoipdb.lintian-override $(CURDIR)/debian/tor-geoipdb/usr/share/lintian/overrides/tor-geoipdb
+
+# Must not depend on anything. This is to be called by
+# binary-arch/binary-indep
+# in another 'make' thread.
+binary-common:
 	dh_testdir
 	dh_testroot
-	dh_installchangelogs ChangeLog
+	dh_installchangelogs --package=tor ChangeLog
 	dh_installdocs
 	dh_installexamples
-#	dh_install
-#	dh_installdebconf
 	dh_installlogrotate
-#	dh_installemacsen
-#	dh_installmime
 	dh_installinit
-#	dh_installcron
 	dh_installman
 	dh_link
 	# Change this for debhelper compatibility level 5 or later!
@@ -187,7 +198,15 @@ binary-arch: build install
 	dh_gencontrol
 	dh_md5sums
 	dh_builddeb
+
+# Build architecture independant packages using the common target.
+binary-indep: install
+	$(MAKE) -f debian/rules DH_OPTIONS=-i binary-common
+
+# Build architecture dependant packages using the common target.
+binary-arch: install
+	$(MAKE) -f debian/rules DH_OPTIONS=-s binary-common
 	@if [ "$(LOCALHOST_IP)" != "127.0.0.1" ]; then echo; echo; echo; echo; echo; echo "######################################################################"; echo "WARNING: This system does not think localhost is 127.0.0.1.  Result of testsuite has been ignored.  Please fix your system/chroot."; echo "######################################################################"; echo; echo; echo; echo; echo "Note: 'getent hosts localhost' should return '127.0.0.1 localhost'"; echo; fi
 
 binary: binary-indep binary-arch
-.PHONY: build clean binary-indep binary-arch binary install 
+.PHONY: build clean binary-common binary-indep binary-arch binary install

debian/tor-geoipdb.copyright

@@ -0,0 +1,35 @@
+This geo-ip database was downloaded as part of the Tor distribution
+from <URL:https://www.torproject.org/>.
+
+
+It is the IP-to-Country Database provided by WebHosting.Info
+(http://www.webhosting.info), available from
+http://ip-to-country.webhosting.info.
+
+
+Copyright (c) 2003 Direct Information Pvt. Ltd. All Rights Reserved.
+
+All usage, reproduction, modification and derivative works created from, and
+distribution and publication of the IP-to-Country Database and your derivative
+works thereof must keep intact all copyright notices and give credit by
+displaying the following acknowledgment by replacing 'work' with one of the
+following: script, product, page, service or application:
+
+"This 'work' uses the IP-to-Country Database
+ provided by WebHosting.Info (http://www.webhosting.info),
+ available from http://ip-to-country.webhosting.info."
+
+BECAUSE THE DATABASE IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE
+DATABASE, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE
+STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE
+DATABASE "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS FOR A PARTICULAR PURPOSE OR ANY WARRANTIES REGARDING THE CONTENTS OR
+ACCURACY OF THE WORK.
+
+IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY
+COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE
+DATABASE AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
+INABILITY TO USE THE DATABASE, EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN
+ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

debian/tor-geoipdb.dirs

@@ -0,0 +1,2 @@
+usr/share/tor
+usr/share/lintian/overrides

debian/tor-geoipdb.lintian-override

@@ -0,0 +1 @@
+tor-geoipdb: debian-changelog-file-is-a-symlink

debian/tor.NEWS

@@ -0,0 +1,16 @@
+tor (0.2.0.26-rc-1) experimental; urgency=critical
+
+  * weak cryptographic keys
+
+    It has been discovered that the random number generator in Debian's
+    openssl package is predictable.  This is caused by an incorrect
+    Debian-specific change to the openssl package (CVE-2008-0166).  As a
+    result, cryptographic key material may be guessable.
+
+    See Debian Security Advisory number 1571 (DSA-1571) for more information:
+    http://lists.debian.org/debian-security-announce/2008/msg00152.html
+
+    If you run a Tor server using this package please see
+    /var/lib/tor/keys/moved-away-by-tor-package/README.REALLY
+
+ -- Peter Palfrader <weasel@debian.org>  Tue, 13 May 2008 12:49:05 +0200

debian/tor.init

@@ -22,6 +22,8 @@ NAME=tor
 DESC="tor daemon"
 TORPIDDIR=/var/run/tor
 TORPID=$TORPIDDIR/tor.pid
+DAEMON_USER=debian-tor
+DAEMON_NAME=tor
 DEFAULTSFILE=/etc/default/$NAME
 WAITFORDAEMON=60
 ARGS=""
@@ -36,6 +38,16 @@ if [ -r /proc/sys/fs/file-max ]; then
 		MAX_FILEDESCRIPTORS=8192
 	else
 		MAX_FILEDESCRIPTORS=1024
+		cat << EOF
+
+Warning: Your system has very few filedescriptors available in total.
+
+Maybe you should try raising that by adding 'fs.file-max=100000' to your
+/etc/sysctl.conf file.  Feel free to pick any number that you deem appropriate.
+Then run 'sysctl -p'.  See /proc/sys/fs/file-max for the current value, and
+file-nr in the same directory for how many of those are used at the moment.
+
+EOF
 	fi
 else
 	MAX_FILEDESCRIPTORS=8192
@@ -89,6 +101,14 @@ check_torpiddir () {
 	fi
 }
 
+check_config () {
+	if ! $DAEMON --verify-config > /dev/null; then
+		echo "ABORTED: Tor configuration invalid:" >&2
+		$DAEMON --verify-config >&2
+		exit 1
+	fi
+}
+
 
 case "$1" in
   start)
@@ -109,11 +129,7 @@ case "$1" in
 	check_torpiddir
 
 	echo "Starting $DESC: $NAME..."
-	if ! su -s /bin/sh -c "$DAEMON --verify-config" debian-tor > /dev/null; then
-		echo "ABORTED: Tor configuration invalid:" >&2
-		su -s /bin/sh -c "$DAEMON --verify-config" debian-tor >&2
-		exit 1
-	fi
+	check_config
 
 	start-stop-daemon --start --quiet --oknodo \
 		--pidfile $TORPID \
@@ -130,14 +146,14 @@ case "$1" in
 		exit 0
 	fi
 
-	if start-stop-daemon --stop --signal INT --quiet --pidfile $TORPID --exec $DAEMON; then
+	if start-stop-daemon --stop --signal INT --quiet --pidfile $TORPID --name $DAEMON_NAME --user $DAEMON_USER; then
 		wait_for_deaddaemon $pid
 		echo "$NAME."
 	elif kill -0 $pid 2>/dev/null
 	then
-		echo "FAILED (Is $pid not $NAME?  Is $DAEMON a different binary now?)."
+		echo "FAILED (Is $pid not $DAEMON_NAME or not running as $DAEMON_USER?)."
 	else
-		echo "FAILED ($DAEMON died: process $pid not running; or permission denied)."
+		echo "FAILED ($DAEMON_NAME died: process $pid not running; or permission denied)."
 	fi
 	;;
   reload|force-reload)
@@ -149,28 +165,20 @@ case "$1" in
 		exit 0
 	fi
 
-	if ! su -s /bin/sh -c "$DAEMON --verify-config" debian-tor > /dev/null; then
-		echo "ABORTED: Tor configuration invalid:" >&2
-		su -s /bin/sh -c "$DAEMON --verify-config" debian-tor >&2
-		exit 1
-	fi
+	check_config
 
-	if start-stop-daemon --stop --signal 1 --quiet --pidfile $TORPID --exec $DAEMON
+	if start-stop-daemon --stop --signal 1 --quiet --pidfile $TORPID --name $DAEMON_NAME --user $DAEMON_USER
 	then
 		echo "$NAME."
 	elif kill -0 $pid 2>/dev/null
 	then
-		echo "FAILED (Is $pid not $NAME?  Is $DAEMON a different binary now?)."
+		echo "FAILED (Is $pid not $DAEMON_NAME or not running as $DAEMON_USER?)."
 	else
-		echo "FAILED ($DAEMON died: process $pid not running; or permission denied)."
+		echo "FAILED ($DAEMON_NAME died: process $pid not running; or permission denied)."
 	fi
 	;;
   restart)
-	if ! su -s /bin/sh -c "$DAEMON --verify-config" debian-tor > /dev/null; then
-		echo "Restarting Tor ABORTED: Tor configuration invalid:" >&2
-		su -s /bin/sh -c "$DAEMON --verify-config" debian-tor >&2
-		exit 1
-	fi
+	check_config
 
 	$0 stop
 	sleep 1

debian/tor.postinst

@@ -51,6 +51,71 @@ find /var/log/tor \( \( ! -user debian-tor \) -o \( ! -group adm \) \) -print0 |
 find /var/log/tor -type d -print0 | xargs -0 --no-run-if-empty chmod 02750
 find /var/log/tor -type f -print0 | xargs -0 --no-run-if-empty chmod 00640
 
+
+move_away_keys=0
+
+if [ "$1" = "configure" ] &&
+   [ -e /var/lib/tor/keys ] &&
+   [ ! -z "$2" ]; then
+	if dpkg --compare-versions "$2" lt 0.1.2.19-2; then
+		move_away_keys=1
+	elif dpkg --compare-versions "$2" gt 0.2.0 &&
+	     dpkg --compare-versions "$2" lt 0.2.0.26-rc; then
+		move_away_keys=1
+	fi
+fi
+if [ "$move_away_keys" = "1" ]; then
+	echo "Retiring possibly compromised keys.  See /usr/share/doc/tor/NEWS.Debian.gz"
+	echo "and /var/lib/tor/keys/moved-away-by-tor-package/README.REALLY for"
+	echo "further information."
+	if ! [ -d /var/lib/tor/keys/moved-away-by-tor-package ]; then
+		mkdir /var/lib/tor/keys/moved-away-by-tor-package
+		cat > /var/lib/tor/keys/moved-away-by-tor-package/README.REALLY << EOF
+It has been discovered that the random number generator in Debian's
+openssl package is predictable.  This is caused by an incorrect
+Debian-specific change to the openssl package (CVE-2008-0166).  As a
+result, cryptographic key material may be guessable.
+
+See Debian Security Advisory number 1571 (DSA-1571) for more information:
+http://lists.debian.org/debian-security-announce/2008/msg00152.html
+
+The Debian package for Tor has moved away the onion keys upon package
+upgrade, and it will have moved away your identity key if it was created
+in the affected timeframe.  There is no sure way to automatically tell
+if your key was created with an affected openssl library, so this move
+is done unconditionally.
+
+If you have restarted Tor since this change (and the package probably
+did that for you already unless you configured your system differently)
+then the Tor daemon already created new keys for itself and in all
+likelyhood is already working just fine with new keys.
+
+If you are absolutely certain that your identity key was created with
+a non-affected version of openssl and for some reason you have to retain
+the old identity, then you can move back the copy of secret_id_key to
+/var/lib/tor/keys.  Do not move back the onion keys, they were created
+only recently since they are temporary keys with a lifetime of only a few
+days anyway.
+
+Sincerely,
+Peter Palfrader, Tue, 13 May 2008 13:32:23 +0200
+EOF
+	fi
+	for f in secret_onion_key secret_onion_key.old; do
+		if [ -e /var/lib/tor/keys/"$f" ]; then
+			mv -v /var/lib/tor/keys/"$f" /var/lib/tor/keys/moved-away-by-tor-package/"$f"
+		fi
+	done
+	if [ -e /var/lib/tor/keys/secret_id_key ]; then
+		id_mtime=`/usr/bin/stat -c %Y /var/lib/tor/keys/secret_id_key`
+		sept=`date -d '2006-09-10' +%s`
+		if [ "$id_mtime" -gt "$sept" ] ; then
+			mv -v /var/lib/tor/keys/secret_id_key /var/lib/tor/keys/moved-away-by-tor-package/secret_id_key
+		fi
+	fi
+fi
+
+
 #DEBHELPER#
 
 exit 0

doc/TODO

@@ -1,659 +1,4 @@
-$Id$
-Legend:
-SPEC!!  - Not specified
-SPEC    - Spec not finalized
-N       - nick claims
-R       - arma claims
-P       - phobos claims
-S       - Steven claims
-M       - Matt/Mike claims
-J       - Jeff claims
-I	- ioerror claims
-        - Not done
-        * Top priority
-        . Partially done
-        o Done
-        d Deferrable
-        D Deferred
-        X Abandoned
 
-=======================================================================
-
-External constraints:
-  - Mid Feb, blocking-resistance roll-out
-M   - Adequately stable Vidalia snapshot, or 0.1.0 release
-R   - Write some text for it
-S   - New Tor Browser Bundle with above Vidalia
-
-  - Late Feb, NGO in a box
-    - Have 0.2.0 beta or rc out
-
-  - Mid Mar, upnp
-S   - Pick a suitable-looking upnp library and begin integrating it
-
-  - Mid Apr
-    - More Torbrowser work:
-      o Get polipo into it
-?     - Resolve branding issue
-      o Make Torbrowser website
-R     - Get it integrated into the Tor download pages
-S   - Zip-splitting:
-      - Document the use of 7-zip to combine fractional files and
-        reconstruct them after download.  Host such files.
-      - If it's faster to research a self-extracting splitter
-        and use it, with simpler documentation, that's obviously fine.
-S   - Finish first cut at integrating upnp lib into Vidalia
-R   - get the geoip files onto some bridge relays, and gather stats
-J   - Translation portal
-      - Vidalia translations
-      - Vidalia installer translations
-      - Torbutton translations
-      - Centralized instructions for how to help translate
-      - Continue managing the tor-translations team to keep the Tor
-        website translated
-
-  - Mid May
-S   - More TorBrowser work
-      - Integrate pidgin and OTR
-      - move portablefirefox nsi goo into vidalia as appropriate
-      - Figure out (or give up on) how to run Tor Browser and ordinary
-        Firefox side-by-side.
-
-  - mid June
-R   - SRI stuff
-
-  - End of June
-S   - More TorBrowser work
-      - Firefox extension framework for Torbrowser build-time
-      - Progress bar during startup, including some "timeout" events to
-        indicate when Tor's unlikely to succeed at startup.
-R       - Make Tor put out appropriate events
-        - Let Vidalia notice them and change its appearance
-      - Enumerate and analyze traces left when running from USB
-R   - Finish tor-doc-bridge.wml
-    - More bridgedb work:
-R     - Get the dkimproxy patch in
-?     - Brainstorm about safe but effective ways for vidalia to
-        auto-update its user's bridges via Tor in the background.
-NR    - Include "stable" bridge and "port 443" bridge and "adequately
-        new version" bridge free in every specially marked
-        box!^W^W^Woutput batch.
-N     - Detect proxies and treat them as the same address
-    - More back-end work:
-N     - Investigate and start resolving (or declare unresolvable) the ram
-        issue for relays. Investigate and document all of, and do at
-        least one of:
-        - better buffer approaches in Tor
-        - better buffer approaches in openssl
-        - shipping Tor with its own integrated allocator.
-N     - Write a research proposal for how to safely collect and aggregate
-        some GeoIP data from non-bridge entry nodes. Deploy that if we
-        think it's safe enough, or produce a clear roadmap to getting it
-        safe if we don't think it's ready yet.
-N     - Additional TLS-camouflage work (spoofing FF cipher suite, etc.)
-        - spoof the cipher suites
-        - spoof the extensions list
-        - red-team testing (a.k.a, look at a packet dump and compare),
-        - investigate the feasibility of handing connections off to a
-          local apache if they don't look like Tor or if they don't
-          portknock or whatever.
-R     - Get closer to downloading far fewer descriptors
-        - Instrument the code to track how many descriptors we download vs how
-          many times we extend a circuit.
-        - Write a proposal for how to fetch far fewer descriptors; assess
-          anonymity attacks, like from looking at the size of the
-          descriptor you fetch.
-J     - Translation portal
-        - Torbutton webpage
-        - Torbrowser webpage
-        - Tor website
-        - check.torproject.org
-
-=======================================================================
-
-For Tor 0.2.0.x-rc:
-R - Figure out the autoconf problem with adding a fallback consensus.
-R - add a geoip file
-W   - figure out license
-R - let bridges set relaybandwidthrate as low as 5kb
-R - bug: if we launch using bridges, and then stop using bridges, we
-    still have our bridges in our entryguards section, and may use them.
-  . make it easier to set up a private tor network on your own computer
-    is very hard.
-R   . FAQ entry which is wrong
-  o Make BEGIN_DIR mandatory for asking questions of bridge authorities?
-    (but only for bridge descriptors. not for ordinary cache stuff.)
-    o Implement connection_dir_is_encrypted().
-    o set up a filter to not answer any bridge descriptors on a
-      non-encrypted request
-  o write a tor-gencert man page
-
-N . geoip caching and publishing for bridges
-    d Track consecutive time up, not time since last-forgotten IP.
-    - Mention in dir-spec.txt
-    - Mention in control-spec.txt
-    D have normal relays report geoip stats too.
-    D different thresholds for bridges than for normal relays.
-    o bridge relays round geoip stats *up*, not down.
-R - bridge communities
-    . spec
-    . deploy
-      - man page entries for Alternate*Authority config options
-
-Things we'd like to do in 0.2.0.x:
-  o if we notice a cached-status directory and we're not serving v2 dir
-    info and it's old enough, delete it.
-     o same with cached-routers*.
-N - document the "3/4 and 7/8" business in the clients fetching consensus
-    documents timeline.
-R   - then document the bridge user download timeline.
-
-N - Before the feature freeze:
-    - 105+TLS, if possible.
-      . TLS backend work
-        . Enable.
-      - Test
-        o Verify version negotiation on client
-        o Verify version negotiation on server
-        o Verify that client->server connection becomes open
-        - Verify that server->server connection becomes open and
-          authenticated.
-        - Verify that initiator sends no cert in first stage of TLS
-          handshake.
-      - NETINFO fallout
-        - Don't extend a circuit over a noncanonical connection with
-          mismatched address.
-        - Learn our outgoing IP address from netinfo cells?
-
-  - Bugs.
-     - Bug reports Roger has heard along the way that don't have enough
-        details/attention to solve them yet.
-        - arma noticed that when his network went away and he tried
-          a new guard node and the connect() syscall failed to it,
-          the guard wasn't being marked as down. 0.2.0.x.
-        - after being without network for 12 hours, arma's tor decided
-          it couldn't fetch any network statuses, and never tried again
-          even when the network came back and arma clicked on things.
-          also 0.2.0.
-R       - for above two, roger should turn them into flyspray entry.
-
-  - Proposals:
-    o 101: Voting on the Tor Directory System (plus 103)
-N     - Use if-modified-since on consensus download
-      - Controller support
-        D GETINFO to get consensus
-N       - Event when new consensus arrives
-    . 111: Prioritize local traffic over relayed.
-R     - Merge into tor-spec.txt.
-
-  - Refactoring:
-    . Make cells get buffered on circuit, not on the or_conn.
-      . Switch to pool-allocation for cells?
-N       - Benchmark pool-allocation vs straightforward malloc.
-N       - Adjust memory allocation logic in pools to favor a little less
-          slack memory.
-    . Remove socketpair-based bridges conns, and the word "bridge".  (Use
-      shared (or connected) buffers for communication, rather than sockets.)
-      . Implement
-N       - Handle rate-limiting on directory writes to linked directory
-          connections in a more sensible manner.
-          Nick thinks he did this already?
-N       - Find more ways to test this.
-          (moria doesn't rate limit, so testing on moria not so good.)
-
-  - Documentation
-    - HOWTO for DNSPort. See tup's wiki page.
-    . Document transport and natdport in a good HOWTO.
-N   - Quietly document NT Service options: revise (or create) FAQ entry
-
-R - make sure you solved bug 556
-
-P - Make documentation realize that location of system configuration file
-    will depend on location of system defaults, and isn't always /etc/torrc.
-P - Figure out why dll's compiled in mingw don't work right in WinXP.
-P - create a "make win32-bundle" for vidalia-privoxy-tor-torbutton bundle
-
-=======================================================================
-
-Planned for 0.2.1.x:
-  - Things that have been bugging Nick
-    - Make better use of multi-core machines: Do AES crypto and
-      compression in worker threads
-    - Maybe use jemalloc from freebsd via firefox 3, once its windows
-      and osx ports are more mature.
-    - MMap the cached-descriptors.new file as well as the regular ones
-    - Actually use SSL_shutdown to close our TLS connections.
-    - Refactor the HTTP logic so the functions aren't so large.
-    - Get a "use less buffer ram" patch into openssl.
-    - Get IOCP patch into libevent
-    - Use libevent's evdns code where applicable.
-    - Refactor buf_read and buf_write to have sensible ways to return
-      error codes after partial writes
-    - Improve unit test coverage
-    - Logging domains.
-
-  - bridge communities with local bridge authorities:
-    - clients who have a password configured decide to ask their bridge
-      authority for a networkstatus
-    - be able to have bridges that aren't in your torrc. save them in
-      state file, etc.
-  - router_choose_random_node() has a big pile of args. make it "flags".
-  - Consider if we can solve: the Tor client doesn't know what flags
-    its bridge has (since it only gets the descriptor), so it can't
-    make decisions based on Fast or Stable.
-  - anonymity concern: since our is-consensus-fresh-enough check is
-    sloppy so clients will actually work when a consensus wasn't formed,
-    does that mean that if users are idle for 5 hours and then click on
-    something, we will immediately use the old descriptors we've got,
-    while we try fetching the newer descriptors?
-    related to bug 401.
-  . Finish path-spec.txt
-  - More prominently, we should have a recommended apps list.
-    - recommend pidgin (gaim is renamed)
-    - unrecommend IE because of ftp:// bug.
-  - we should add a preamble to tor-design saying it's out of date.
-  - Refactor networkstatus generation:
-    - Include "v" line in getinfo values.
-  - config option __ControllerLimit that hangs up if there are a limit
-    of controller connections already.
-  - Features (other than bridges):
-    - Audit how much RAM we're using for buffers and cell pools; try to
-      trim down a lot.
-    - Base relative control socket paths on datadir.
-    - Make TrackHostExits expire TrackHostExitsExpire seconds after their
-       *last* use, not their *first* use.
-P - Plan a switch to polipo.  Perhaps we'll offer two http proxies in
-    the future.
-P - Consider creating special Tor-Polipo-Vidalia test packages,
-    requested by Dmitri Vitalev
-  - Create packages for Nokia 800, requested by Chris Soghoian
-  - mirror tor downloads on (via) tor dir caches
-    . spec
-    - deploy
-  - interface for letting soat modify flags that authorities assign
-    . spec
-  - proposal 118 if feasible and obvious
-  - Maintain a skew estimate and use ftime consistently.
-  - Tor logs the libevent version on startup, for debugging purposes.
-    This is great. But it does this before configuring the logs, so
-    it only goes to stdout and is then lost.
-  - Deprecations:
-    - can we deprecate 'getinfo network-status'?
-    - can we deprecate the FastFirstHopPK config option?
-  - Bridges:
-    . Bridges users (rudimentary version)
-      . Ask all directory questions to bridge via BEGIN_DIR.
-        - use the bridges for dir fetches even when our dirport is open.
-      - drop 'authority' queries if they're to our own identity key; accept
-        them otherwise.
-      - give extend_info_t a router_purpose again
-  d Limit to 2 dir, 2 OR, N SOCKS connections per IP.
-    - Or maybe close connections from same IP when we get a lot from one.
-    - Or maybe block IPs that connect too many times at once.
-  - Do TLS connection rotation more often than "once a week" in the
-    extra-stable case.
-  - Streamline how we pick entry nodes: Make choose_random_entry() have
-    less magic and less control logic.
-  - when somebody uses the controlport as an http proxy, give them
-    a "tor isn't an http proxy" error too like we do for the socks port.
-  - we try to build 4 test circuits to break them over different
-    servers. but sometimes our entry node is the same for multiple
-    test circuits. this defeats the point.
-  - enforce a lower limit on MaxCircuitDirtiness and CircuitBuildTimeout.
-  - configurable timestamp granularity. defaults to 'seconds'.
-  - consider making 'safelogging' extend to info-level logs too.
-  - we should consider a single config option TorPrivateNetwork that
-    turns on all the config options for running a private test tor
-    network. having to keep updating all the tools, and the docs,
-    just isn't working.
-  - consider whether a single Guard flag lets us distinguish between
-    "was good enough to be a guard when we picked it" and "is still
-    adequate to be used as a guard even after we've picked it". We should
-    write a real proposal for this.
-  - switch out privoxy in the bundles and replace it with polipo.
-  - make the new tls handshake blocking-resistant.
-  - figure out some way to collect feedback about what countries are using
-    bridges, in a way that doesn't screw anonymity too much.
-  - let tor dir mirrors proxy connections to the tor download site, so
-    if you know a bridge you can fetch the tor software.
-  - more strategies for distributing bridge addresses in a way that
-    doesn't rely on knowing somebody who runs a bridge for you.
-  - A way to adjust router status flags from the controller.  (How do we
-    prevent the authority from clobbering them soon afterward?)
-  - Bridge authorities should do reachability testing but only on the
-    purpose==bridge descriptors they have.
-  - Clients should estimate their skew as median of skew from servers
-    over last N seconds.
-  - Investigate RAM use in Tor servers.
-  - Start on the WSAENOBUFS solution.
-  - Start on Windows auto-update for Tor
-
-Deferred from 0.2.0.x:
-  - Proposals
-    - 113: Simplifying directory authority administration
-    - 110: prevent infinite-length circuits (phase one)
-    - 118: Listen on and advertise multiple ports:
-      - Tor should be able to have a pool of outgoing IP addresses that it is
-        able to rotate through. (maybe.  Possible overlap with proposal 118.)
-      - config option to publish what ports you listen on, beyond
-        ORPort/DirPort.  It should support ranges and bit prefixes (?) too.
-        (This is very similar to proposal 118.)
-    - 117: IPv6 Exits
-      - Internal code support for ipv6:
-        o Clone ipv6 functions (inet_ntop, inet_pton) where they don't exist.
-        - Most address variables need to become tor_addr_t
-        - Teach resolving code how to handle ipv6.
-        - Teach exit policies about ipv6 (consider ipv4/ipv6 interaction!)
-  - Features
-    - Let controller set router flags for authority to transmit, and for
-      client to use.
-    - add an 'exit-address' line in the descriptor for servers that exit
-      from something that isn't their published address.
-    - More work on AvoidDiskWrites?
-  - Features
-    - Make a TCP DNSPort
-  - Protocol work
-    - MAYBE kill stalled circuits rather than stalled connections.  This is
-      possible thanks to cell queues, but we need to consider the anonymity
-      implications.
-    - Implement TLS shutdown properly when possible.
-  - Bugs
-    - If the client's clock is too far in the past, it will drop (or just not
-      try to get) descriptors, so it'll never build circuits.
-  - Refactoring
-    - Make resolves no longer use edge_connection_t unless they are actually
-      _on_ a socks connection: have edge_connection_t and (say)
-      dns_request_t both extend an edge_stream_t, and have p_streams and
-      n_streams both be linked lists of edge_stream_t.
-    - Generate torrc.{complete|sample}.in, tor.1.in, the HTML manual, and the
-      online config documentation from a single source.
-    - Move all status info out of routerinfo into local_routerstatus.  Make
-      "who can change what" in local_routerstatus explicit.  Make
-      local_routerstatus (or equivalent) subsume all places to go for "what
-      router is this?"
-  - Blocking/scanning-resistance
-    - It would be potentially helpful to respond to https requests on
-      the OR port by acting like an HTTPS server.
-    - Do we want to maintain our own set of entryguards that we use as
-      next hop after the bridge? Open research question; let's say no
-      for 0.2.0 unless we learn otherwise.
-    - Some mechanism for specifying that we want to stop using a cached
-      bridge.
-  - Build:
-    - Detect correct version of libraries from autoconf script.
-
-=======================================================================
-
-Future versions:
-  - deprecate router_digest_is_trusted_dir() in favor of
-    router_get_trusteddirserver_by_digest()
-
-  - See also Flyspray tasks.
-  - See also all OPEN/ACCEPTED proposals.
-  - See also all items marked XXXX and FFFF in the code.
-
-  - Protocol:
-    - Our current approach to block attempts to use Tor as a single-hop proxy
-      is pretty lame; we should get a better one.
-    - Allow small cells and large cells on the same network?
-    - Cell buffering and resending. This will allow us to handle broken
-      circuits as long as the endpoints don't break, plus will allow
-      connection (tls session key) rotation.
-    - Implement Morphmix, so we can compare its behavior, complexity,
-      etc.  But see paper breaking morphmix.
-    - Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
-      link crypto, unless we can bully DTLS into it.
-    - Need a relay teardown cell, separate from one-way ends.
-      (Pending a user who needs this)
-    - Handle half-open connections: right now we don't support all TCP
-      streams, at least according to the protocol. But we handle all that
-      we've seen in the wild.
-      (Pending a user who needs this)
-
-  - Directory system
-    - BEGIN_DIR items
-      X turn the received socks addr:port into a digest for setting .exit
-      - handle connect-dir streams that don't have a chosen_exit_name set.
-    - Have a "Faster" status flag that means it. Fast2, Fast4, Fast8?
-    - Add an option (related to AvoidDiskWrites) to disable directory
-      caching.  (Is this actually a good idea??)
-    - Add d64 and fp64 along-side d and fp so people can paste status
-      entries into a url. since + is a valid base64 char, only allow one
-      at a time. Consider adding to controller as well.
-    - Some back-out mechanism for auto-approval on authorities
-      - a way of rolling back approvals to before a timestamp
-        - Consider minion-like fingerprint file/log combination.
-    - Have new people be in limbo and need to demonstrate usefulness
-      before we approve them.
-
-  - Hidden services:
-    - Standby/hotswap/redundant hidden services.
-    . Update the hidden service stuff for the new dir approach.  (Much
-      of this will be superseded by 114.)
-      - switch to an ascii format, maybe sexpr?
-      - authdirservers publish blobs of them.
-      - other authdirservers fetch these blobs.
-      - hidserv people have the option of not uploading their blobs.
-      - you can insert a blob via the controller.
-      - and there's some amount of backwards compatibility.
-      - teach clients, intro points, and hidservs about auth mechanisms.
-      - come up with a few more auth mechanisms.
-    - auth mechanisms to let hidden service midpoint and responder filter
-      connection requests.
-    - Let each hidden service (or other thing) specify its own
-      OutboundBindAddress?
-    - Hidserv offerers shouldn't need to define a SocksPort
-
-  - Server operation
-    X When we notice a 'Rejected: There is already a named server with
-      this nickname' message... or maybe instead when we see in the
-      networkstatuses that somebody else is Named with the name we
-      want: warn the user, send a STATUS_SERVER message, and fall back
-      to unnamed.
-    - If the server is spewing complaints about raising your ulimit -n,
-      we should add a note about this to the server descriptor so other
-      people can notice too.
-    - When we hit a funny error from a dir request (eg 403 forbidden),
-      but tor is working and happy otherwise, and we haven't seen many
-      such errors recently, then don't warn about it.
-
-  - Controller
-    - Implement missing status events and accompanying getinfos
-      - DIR_REACHABLE
-      - BAD_DIR_RESPONSE (Unexpected directory response; maybe we're behind
-        a firewall.)
-      - BAD_PROXY (Bad http or https proxy)
-      - UNRECOGNIZED_ROUTER (a nickname we asked for is unavailable)
-      - Status events related to hibernation
-      - something about failing to parse our address?
-        from resolve_my_address() in config.c
-      - sketchy OS, sketchy threading
-      - too many onions queued: threading problems or slow CPU?
-    - Implement missing status event fields:
-      - TIMEOUT on CHECKING_REACHABILITY
-    - GETINFO status/client, status/server, status/general: There should be
-      some way to learn which status events are currently "in effect."
-      We should specify which these are, what format they appear in, and so
-      on.
-    - More information in events:
-      - Include bandwidth breakdown by conn->type in BW events.
-      - Change circuit status events to give more details, like purpose,
-        whether they're internal, when they become dirty, when they become
-        too dirty for further circuits, etc.
-      - Change stream status events analogously.
-    - Expose more information via getinfo:
-      - import and export rendezvous descriptors
-      - Review all static fields for additional candidates
-    - Allow EXTENDCIRCUIT to unknown server.
-      - We need some way to adjust server status, and to tell tor not to
-        download directories/network-status, and a way to force a download.
-      - Make everything work with hidden services
-
-  - Performance/resources
-    - per-conn write buckets
-    - separate config options for read vs write limiting
-      (It's hard to support read > write, since we need better
-       congestion control to avoid overfull buffers there.  So,
-       defer the whole thing.)
-    - Look into pulling serverdescs off buffers as they arrive.
-    - Rate limit exit connections to a given destination -- this helps
-      us play nice with websites when Tor users want to crawl them; it
-      also introduces DoS opportunities.
-    - Consider truncating rather than destroying failed circuits,
-      in order to save the effort of restarting.  There are security
-      issues here that need thinking, though.
-    - Handle full buffers without totally borking
-    - Rate-limit OR and directory connections overall and per-IP and
-      maybe per subnet.
-
-  - Misc
-    - Hold-open-until-flushed now works by accident; it should work by
-      design.
-    - Display the reasons in 'destroy' and 'truncated' cells under
-      some circumstances?
-    - Make router_is_general_exit() a bit smarter once we're sure what
-      it's for.
-    - Automatically determine what ports are reachable and start using
-      those, if circuits aren't working and it's a pattern we
-      recognize ("port 443 worked once and port 9001 keeps not
-      working").
-
-  - Security
-    - some better fix for bug #516?
-    - don't do dns hijacking tests if we're reject *:* exit policy?
-      (deferred until 0.1.1.x is less common)
-    - Directory guards
-    - Mini-SoaT:
-      - Servers might check certs for known-good ssl websites, and if
-        they come back self-signed, declare themselves to be
-        non-exits.  Similar to how we test for broken/evil dns now.
-      - Authorities should try using exits for http to connect to some
-        URLS (specified in a configuration file, so as not to make the
-        List Of Things Not To Censor completely obvious) and ask them
-        for results.  Exits that don't give good answers should have
-        the BadExit flag set.
-      - Alternatively, authorities should be able to import opinions
-        from Snakes on a Tor.
-    - More consistent error checking in router_parse_entry_from_string().
-      I can say "banana" as my bandwidthcapacity, and it won't even squeak.
-    - Bind to random port when making outgoing connections to Tor servers,
-      to reduce remote sniping attacks.
-    - Audit everything to make sure rend and intro points are just as
-      likely to be us as not.
-    - Do something to prevent spurious EXTEND cells from making
-      middleman nodes connect all over.  Rate-limit failed
-      connections, perhaps?
-    - DoS protection: TLS puzzles, public key ops, bandwidth exhaustion.
-
-  - Needs thinking
-    - Now that we're avoiding exits when picking non-exit positions,
-      we need to consider how to pick nodes for internal circuits. If
-      we avoid exits for all positions, we skew the load balancing. If
-      we accept exits for all positions, we leak whether it's an
-      internal circuit at every step. If we accept exits only at the
-      last hop, we reintroduce Lasse's attacks from the Oakland paper.
-
-  - Windows server usability
-    - Solve the ENOBUFS problem.
-      - make tor's use of openssl operate on buffers rather than sockets,
-        so we can make use of libevent's buffer paradigm once it has one.
-      - make tor's use of libevent tolerate either the socket or the
-        buffer paradigm; includes unifying the functions in connect.c.
-    - We need a getrlimit equivalent on Windows so we can reserve some
-      file descriptors for saving files, etc. Otherwise we'll trigger
-      asserts when we're out of file descriptors and crash.
-    - Merge code from Urz into libevent
-    - Make Tor use evbuffers.
-
-  - Documentation
-    - a way to generate the website diagrams from source, so we can
-      translate them as utf-8 text rather than with gimp. (svg? or
-      imagemagick?)
-    . Flesh out options_description array in src/or/config.c
-    . multiple sample torrc files
-    . figure out how to make nt service stuff work?
-      . Document it.
-    - Refactor tor man page to divide generally useful options from
-      less useful ones?
-    - Add a doxygen style checker to make check-spaces so nick doesn't drift
-       too far from arma's undocumented styleguide.  Also, document that
-       styleguide in HACKING.  (See r9634 for example.)
-       - exactly one space at beginning and at end of comments, except i
-         guess when there's line-length pressure.
-       - if we refer to a function name, put a () after it.
-       - only write <b>foo</b> when foo is an argument to this function.
-       - doxygen comments must always end in some form of punctuation.
-       - capitalize the first sentence in the doxygen comment, except
-         when you shouldn't.
-       - avoid spelling errors and incorrect comments. ;)
-
-  - Packaging
-    - The Debian package now uses --verify-config when (re)starting,
-      to distinguish configuration errors from other errors. Perhaps
-      the RPM and other startup scripts should too?
-    - add a "default.action" file to the tor/vidalia bundle so we can
-      fix the https thing in the default configuration:
-      http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#PrivoxyWeirdSSLPort
-
-  - Related tools
-    - Patch privoxy and socks protocol to pass strings to the browser.
-
-=======================================================================
-
-Documentation, non-version-specific.
-  - Specs
-    - Mark up spec; note unclear points about servers
-NR  - write a spec appendix for 'being nice with tor'
-    - Specify the keys and key rotation schedules and stuff
-  - Mention controller libs someplace.
-  - Remove need for HACKING file.
-  - document http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy on freebsd and osx
-P - figure out why x86_64 won't build rpms from tor.spec
-P - figure out spec files for bundles of vidalia-tor-polipo
-P - figure out polipo install scripts for bundles of vidalia-tor-polipo on osx, win32
-  - figure out selinux policy for tor
-P - change packaging system to more automated and specific for each
-     platform, suggested by Paul Wouter
-P - Setup repos for redhat and suse rpms & start signing the rpms the
-    way package management apps prefer
-
-Website:
-J  - tor-in-the-media page
-P  - Figure out licenses for website material.
-    (Phobos reccomends the Open Publication License with Option A at
-    http://opencontent.org/openpub/)
-P  - put the logo on the website, in source form, so people can put it on
-    stickers directly, etc.
-P  - put the source image for the stickers on the website, so people can
-    print their own
-P - figure out a license for the logos and docs we publish (trademark
-figures into this)
-    (Phobos reccomends the Open Publication License with Option A at
-    http://opencontent.org/openpub/)
-R - make a page with the hidden service diagrams.
-P  - ask Jan/Jens to be the translation coordinator? add to volunteer page.
-  - add a page for localizing all tor's components.
-  - It would be neat if we had a single place that described _all_ the
-    tor-related tools you can use, and what they give you, and how well they
-    work.  Right now, we don't give a lot of guidance wrt
-    torbutton/foxproxy/privoxy/polipo in any consistent place.
-P - create a 'blog badge' for tor fans to link to and feature on their
-    blogs. A sample can be found at http://interloper.org/tmp/tor/tor-button.png
-
-  - Tor mirrors
-    - make a mailing list with the mirror operators
-    - make an automated tool to check /project/trace/ at mirrors to
-      learn which ones are lagging behind.
-    - auto (or manually) cull the mirrors that are broken; and
-      contact their operator?
-    - a set of instructions for mirror operators to make their apaches
-      serve our charsets correctly, and bonus points for language
-      negotiation.
-    - figure out how to load-balance the downloads across mirrors?
-    - ponder how to get users to learn that they should google for
-      "tor mirrors" if the main site is blocked.
-    - find a mirror volunteer to coordinate all of this
-
-Blog todo:
-  - Link to the blog from the main Tor website
+This file is obsolete. Go look at the one in trunk, e.g.
+https://www.torproject.org/svn/trunk/doc/TODO
 

doc/TODO.020

@@ -0,0 +1,25 @@
+
+(Remember to include both the revision number _AND_ an abbreviated
+description of the patch.)
+
+Backport for 0.2.0:
+  o r19291, r19292, r19295, r19296: Dir mirrors tell relays their actual
+    IP address, not just the address listed in the directory currently.
+
+Backport for 0.2.0 once better tested:
+  - r17208,r17209,r7211,r17212,r17214: Avoid gotterdammerung when an
+    authority has an expired certificate.
+  - r17886: Don't remove routerinfos as unlisted unless we have a
+    consensus.
+  - r17924: Close streams when an exit hands us a local IP.
+  - r18667: Drop BEGIN cells from wrong circuit hop.
+  - r18743: Fix alignment-related crash on Sparc.
+  - r18809: Build correctly from outside the main source tree.
+
+Backport for 0.2.0, maybe:
+  d r17945: bridges always fail dirport reachability tests. i think
+            it's cosmetic, so no need to backport.
+  d r18668: Drop duplicate extend cells to same circuit ID; prevent mem leak.
+  d r18210: Call crypto_global_init() with hardwareaccel flag set right in
+    all cases.
+

doc/spec/control-spec.txt

@@ -984,6 +984,7 @@ $Id$
       "650" SP "STREAM" SP StreamID SP StreamStatus SP CircID SP Target
           [SP "REASON=" Reason [ SP "REMOTE_REASON=" Reason ]]
           [SP "SOURCE=" Source] [ SP "SOURCE_ADDR=" Address ":" Port ]
+          [SP "PURPOSE=" Purpose]
           CRLF
 
       StreamStatus =
@@ -1033,6 +1034,13 @@ $Id$
    that requested the connection, and can be (e.g.) used to look up the
    requesting program.
 
+      Purpose = "DIR_FETCH" / "UPLOAD_DESC" / "DNS_REQUEST" /
+                 "USER" /  "DIRPORT_TEST"
+
+   The "PURPOSE" field is provided only for NEW and NEWRESOLVE events, and
+   only if extended events are enabled (see 3.19).  Clients MUST accept
+   purposes not listed above.
+
 4.1.3. OR Connection status changed
 
   The syntax is:

doc/spec/proposals/125-bridges.txt

@@ -42,7 +42,7 @@ Status: Finished
   can supply their bridge users with cached copies of all the various
   Tor network information.
 
-  As for Tor 0.2.0.13-alpha, bridges will answer begin_dir questions
+  As of Tor 0.2.0.13-alpha, bridges will answer begin_dir questions
   (and cache dir info they see so the answers will be more useful)
   whether their DirPort is enabled or not. (After all, we don't care if
   they have an open or reachable DirPort to answer begin_dir questions.)

doc/tor-osx-dmg-creation.txt

@@ -7,40 +7,31 @@ OSX builds of tor.
 Summary:
 1) Compile and install a static version of the latest release of
 libevent.
-2) Acquire privoxyosx_setup_3.0.6.zip.  
-http://downloads.sourceforge.net/ijbswa/privoxyosx_setup_3.0.6.zip?modtime=1164104652&big_mirror=0
-  Remember where you put this file.
-3) Acquire torbutton xpi and license file.
-4) Acquire and install your preferred version of tor. Extract.
-5) Update some variables in contrib/osx/package.sh
-6) "make dist-osx"
-7) You now have a dmg from which you can install Tor, Privoxy, and the
-Torbutton extension for Firefox.
+2) Acquire and install your preferred version of tor. Extract.
+3) "make dist-osx"
+4) You now have a dmg from which you can install Tor.
 
 ## Universal Binaries for OSX PPC and X86
-## This method works in OSX 10.4 (Tiger) and 10.5 (Leopard) only.
+## This method works in OSX 10.4 (Tiger) and newer OSX versions.
 ## See far below if you don't care about cross compiling for PPC and X86.
 ## The single architecture process starts with "###"
 
-1) Install XCode 2.4.1 updates available from http://developer.apple.com.
+1) Install the latest XCode updates available from http://developer.apple.com.
 
 ## Compiling libevent
 
-2)  Download latest libevent from
+2)  Download latest stable libevent from
 http://www.monkey.org/~provos/libevent/
 
 3) The first step of compiling libevent is to configure it as
 follows:
-CFLAGS="-O -g -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch i386 -arch ppc" \
+CFLAGS="-O -g -mmacosx-version-min=10.4 -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch i386 -arch ppc" \
 LDFLAGS="-Wl,-syslibroot,/Developer/SDKs/MacOSX10.4u.sdk" \
 ./configure --enable-static --disable-shared --disable-dependency-tracking
 
-3) Complete the "make" and "make install".  You will need to be root,
+4) Complete the "make" and "make install".  You will need to be root,
 or sudo -s, to complete the "make install".
 
-4) If you have previouslly installed libevent, rm the old libevent.*, located
-by default, in /usr/local/lib/.  
-
 5) Check for a successful universal binary of libevent.a in, by default,
 /usr/local/lib by using the following command:
 	"file /usr/local/lib/libevent.a"
@@ -50,59 +41,36 @@ by default, in /usr/local/lib/.
 /usr/local/lib/libevent.a (for architecture i386):      current ar archive random library
 /usr/local/lib/libevent.a (for architecture ppc):       current ar archive
 
-## Acquiring privoxy
-
-6) Download osx privoxy source from
-http://downloads.sourceforge.net/ijbswa/privoxyosx_setup_3.0.6.zip?modtime=1164104652&big_mirror=0
-
-7) Place the privoxyosx_setup_3.0.6.zip in a location of your choice.
-Remember this location.
-
-8) Get your preferred version of Torbutton from https://torbutton.torproject.org.
-Place into a location of your choosing, remember this location.
-
-9) Get the torbutton LICENSE file from https://torbutton.torproject.org.
-Place into a location of your choosing, remember this location.
-
-10) Get your preferred version of the tor source from https://www.torproject.org/download.  
+6) Get your preferred version of the tor source from https://www.torproject.org/download.  
 Extract the tarball.
 
-11) Update three variables in contrib/osx/package.sh:
-PRIVOXY_PKG_ZIP=~/tmp/privoxyosx_setup_3.0.6.zip
-TORBUTTON_PATH=~/tmp/torbutton-1.1.14-alpha.xpi
-TORBUTTON_LIC_PATH=~/tmp/LICENSE
-
-Make sure the paths are correct.  The build will fail if they are not.
-
-12) In the top level, this means /path/to/tor/, not tor/contrib/osx,
+7) In the top level, this means /path/to/tor/, not tor/contrib/osx,
 do a configure with these parameters:
-CFLAGS="-O -g -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch i386 -arch ppc" \
+CFLAGS="-O -g -mmacosx-version-min=10.4 -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch i386 -arch ppc" \
 LDFLAGS="-Wl,-syslibroot,/Developer/SDKs/MacOSX10.4u.sdk" \
 CONFDIR=/Library/Tor \
 ./configure --prefix=/Library/Tor --bindir=/Library/Tor \
 --sysconfdir=/Library --disable-dependency-tracking
 
-13) "make dist-osx"
+8) "make dist-osx"
 
-14) Confirm you have created a universal binary by issuing the follow command:
+9) Confirm you have created a universal binary by issuing the follow command:
 "file src/or/tor".  Its output should be as follows:
 src/or/tor: Mach-O fat file with 2 architectures
 src/or/tor (for architecture i386):     Mach-O executable i386
 src/or/tor (for architecture ppc):      Mach-O executable ppc
 
-15) There should exist in the top-level directory a
-Tor-$VERSION-universal-$OS-Bundle.dmg
-
-16) Congrats.  You have a universal binary. You are now ready to install Tor,
-Privoxy, and the Torbutton extension for Firefox.
+10) There should exist in the top-level directory a
+Tor-$VERSION-universal-Bundle.dmg
 
+11) Congrats.  You have a universal binary. You are now ready to install Tor.
 
 ### Single Architecture Binaries for PPC or X86, not both.
-### This method works in all versions of OSX 10.1 through 10.5
+### This method works in all versions of OSX 10.3 through 10.5
 
 ### Compiling libevent
 
-1)  Download the latest libevent from
+1)  Download the latest stable libevent from
 http://www.monkey.org/~provos/libevent/
 
 2) The first step of compiling libevent is to configure it as
@@ -112,36 +80,11 @@ follows:
 3) Complete the "make" and "make install".  You will need to be root,
 or sudo -s, to complete the "make install".
 
-4) If you have previouslly installed libevent, go rm the old libevent.so*
-files so the linker doesn't get suckered into using them.
-
-### Acquiring privoxy
-
-1) Download osx privoxy source from
-http://downloads.sourceforge.net/ijbswa/privoxyosx_setup_3.0.6.zip?modtime=1164104652&big_mirror=0
-
-2) Place the privoxyosx_setup_3.0.6.zip in a location of your choice.
-Remember this location.
-
 ### Compiling Tor
 
-1) Get your preferred version of Torbutton from
-https://torbutton.torproject.org.  
-Place into a location of your choosing, remember this location.
-
-2) Get the torbutton LICENSE file from https://torbutton.torproject.org.  
-Place into a location of your choosing, remember this location.
-
-3) Get your preferred version of the tor source from https://www.torproject.org.  Extract the
+4) Get your preferred version of the tor source from https://www.torproject.org.  Extract the
 tarball.
 
-4) Update three variables in contrib/osx/package.sh:
-PRIVOXY_PKG_ZIP=~/tmp/privoxyosx_setup_3.0.6.zip
-TORBUTTON_PATH=~/tmp/torbutton-1.1.14-alpha.xpi
-TORBUTTON_LIC_PATH=~/tmp/LICENSE
-
-Make sure the paths are correct.  The build will fail if they are not.
-
 5) In the top level, this means /path/to/tor/, not tor/contrib/osx,
 do a configure with these parameters:
      CONFDIR=/Library/Tor ./configure --prefix=/Library/Tor \

doc/tor-rpm-creation.txt

@@ -1,14 +1,17 @@
 ## Instructions for building the official rpms.
-## 
-These are instructions for building Tor binaries in the rpm format on
-various cpu architectures and operating systems.  Each rpm will require
-glibc on the target system.  It is believed that any rpm-based linux
-distribution should have semi-current glibc installed by default.
-If you run into a distribution that does not work with glibc, or does
-not contain it, please let us know the details.
+##
+The process used to create the official rpms is as follows:
 
-These are the exact steps used to build the official rpms of Tor.
+Download and Extract the latest tor source code from https://www.torproject.org/.
+In the resulting directory:
+./configure
+make dist-rpm
 
+You should have at least two, maybe three, rpms.  There should be the binary
+i386.rpm, a src.rpm, and on redhat/centos machines, a debuginfo.rpm.
+
+## Optional customization
+##
 If you wish to further tune Tor binaries in rpm format beyond this list,
 see the GCC doc page for further options:
 http://gcc.gnu.org/onlinedocs/gcc-4.0.2/gcc/
@@ -54,13 +57,5 @@ This parameter controls the target operating system.  Normally, this is
 only "linux".  If you wish to build rpms for a non-linux operating
 system, you can replace "linux" with your operating system.
 
-The process used to create the distributed rpms is as follows:
 
-Download and Extract the latest tor source code from https://www.torproject.org/.
-In the Tor directory:
-./configure
-make dist-rpm
-
-You should have at least two, maybe three, rpms.  There should be the binary
-i386.rpm, a src.rpm, and on redhat/centos machines, a debuginfo.rpm.
 

doc/tor-win32-mingw-creation.txt

@@ -5,7 +5,7 @@ Stage One:  Download and Install MinGW.
 ---------------------------------------
 
 Download mingw:
-http://prdownloads.sf.net/mingw/MinGW-5.1.3.exe?download
+http://prdownloads.sf.net/mingw/MinGW-5.1.4.exe?download
 
 Download msys:
 http://prdownloads.sf.net/mingw/MSYS-1.0.10.exe?download
@@ -27,15 +27,17 @@ Stage Two:  Download, extract, compile openssl
 ----------------------------------------------
 
 Download openssl:
-http://www.openssl.org/source/openssl-0.9.8g.tar.gz
+http://www.openssl.org/source/openssl-0.9.8k.tar.gz
 
 Extract openssl:
 Copy the openssl tarball into the "tor-mingw" directory.
 Type "cd tor-mingw/"
-Type "tar zxf openssl-0.9.8g.tar.gz"
+Type "tar zxf openssl-0.9.8k.tar.gz"
+(Note:  There are many symlink errors because Windows doesn't support
+symlinks.  You can ignore these errors.)
 
 Make openssl libraries:
-Type "cd tor-mingw/openssl-0.9.8g/"
+Type "cd tor-mingw/openssl-0.9.8k/"
 Type "./Configure -no-idea -no-rc5 -no-mdc2 mingw"
 Edit Makefile and remove the "test:" and "tests:" sections.
 Type "rm -rf ./test"
@@ -45,12 +47,14 @@ Type "cd ../ssl/"
 Type "find ./ -name "*.h" -exec cp {} ../include/openssl/ \;"
 Type "cd .."
 Type "cp *.h include/openssl/"
+Type "cp fips/fips.h include/openssl/"
 # The next steps can take up to 30 minutes to complete.
 Type "make"
 Type "make install"
 
 Alternatively:
-Download the pre-compiled openssl for win32.
+Download the pre-compiled openssl for win32 from 
+http://gnuwin32.sourceforge.net/packages/openssl.htm
 Install and proceed.
 
 
@@ -83,10 +87,10 @@ Type "make -f win32/Makefile.gcc"
 Done.
 
 
-Stage Four: Download, extract, and compile libevent-1.3e
+Stage Four: Download, extract, and compile libevent
 ------------------------------------------------------
 
-Download the libevent 1.3e release:
+Download the latest libevent release:
 http://www.monkey.org/~provos/libevent/
 
 Copy the libevent tarball into the "tor-mingw" directory.
@@ -101,7 +105,7 @@ Type "make install"
 Stage Five:  Build Tor
 ----------------------
 
-Download the current Tor alpha release from https://www.torproject.org/download.html.
+Download the current Tor alpha release source code from https://torproject.org/download.html.
 Copy the Tor tarball into the "tor-mingw" directory.
 Extract Tor:
 Type "tar zxf latest-tor-alpha.tar.gz"

doc/tor.1.in

@@ -87,8 +87,8 @@ server without impacting network performance.
 If defined, a separate token bucket limits the average incoming bandwidth
 usage for _relayed traffic_ on this node to the specified number of
 bytes per second, and the average outgoing bandwidth usage to that same
-value. Relayed traffic is currently defined as answers to directory
-requests, but that may change. (Default: 0)
+value. Relayed traffic currently is calculated to include answers to directory
+requests, but that may change in future versions. (Default: 0)
 .LP
 .TP
 \fBRelayBandwidthBurst \fR\fIN\fR \fBbytes\fR|\fBKB\fR|\fBMB\fR|\fBGB\fR|\fBTB\fP
@@ -206,10 +206,11 @@ authority for old-style (v1) directories as well.  (Only directory mirrors
 care about this.)  Tor will use this server as an authority for hidden
 service information if the "hs" flag is set, or if the "v1" flag is set and
 the "no-hs" flag is \fBnot\fP set.  Tor will use this authority as a bridge
-authoritative directory if the "bridge" flag is set.  Lastly, if a flag
+authoritative directory if the "bridge" flag is set.  If a flag
 "orport=\fBport\fR" is given, Tor will use the given port when opening
-encrypted tunnels to the dirserver.
-[XXX020 also mention v3ident= flag here]
+encrypted tunnels to the dirserver.  Lastly, if a flag "v3ident=\fBfp\fR" is
+given, the dirserver is a v3 directory authority whose v3 long-term
+signing key has the fingerprint \fBfp\fR.
 
 If no \fBdirserver\fP line is given, Tor will use the default
 directory servers.  NOTE: this option is intended
@@ -218,6 +219,16 @@ you use it, you will be distinguishable from other users, because you won't
 believe the same authorities they do.
 .LP
 .TP
+\fBAlternateDirAuthority \fR[\fInickname\fR] [\fBflags\fR] \fIaddress\fR\fB:\fIport fingerprint\fP
+\fBAlternateHSAuthority \fR[\fInickname\fR] [\fBflags\fR] \fIaddress\fR\fB:\fIport fingerprint\fP
+\fBAlternateBridgeAuthority \fR[\fInickname\fR] [\fBflags\fR] \fIaddress\fR\fB:\fIport fingerprint\fP
+As DirServer, but replaces less of the default directory authorities.
+Using AlternateDirAuthority replaces the default Tor directory
+authorities, but leaves the hidden service authorities and bridge
+authorities in place.  Similarly, Using AlternatieHSAuthority replaces
+the default hidden service authorities, but not the directory or
+bridge authorities.
+
 \fBFetchDirInfoEarly \fR\fB0\fR|\fB1\fR\fP
 If set to 1, Tor will always fetch directory information like other
 directory caches, even if you don't meet the normal criteria for
@@ -248,10 +259,6 @@ script to enumerate Tor nodes that exit to certain addresses.
 (Default: 0)
 .LP
 .TP
-\fBGroup \fR\fIGID\fP
-On startup, setgid to this group.
-.LP
-.TP
 \fBHttpProxy\fR \fIhost\fR[:\fIport\fR]\fP
 Tor will make all its directory requests through this host:port
 (or host:80 if port is not specified),
@@ -334,7 +341,7 @@ about what sites a user might have visited. (Default: 1)
 .LP
 .TP
 \fBUser \fR\fIUID\fP
-On startup, setuid to this user.
+On startup, setuid to this user and setgid to their primary group.
 .LP
 .TP
 \fBHardwareAccel \fR\fB0\fR|\fB1\fP
@@ -652,11 +659,14 @@ resolved.  This helps trap accidental attempts to resolve URLs and so on.
 .LP
 .TP
 \fBFastFirstHopPK \fR\fB0\fR|\fB1\fR\fP
-When this option is enabled and we aren't running as a server, Tor
-skips the public key step for the first hop of creating circuits.  This is
-safe since we have already used TLS to authenticate the server and to
-establish forward-secure keys.  Turning this option off makes circuit
-building slower.
+When this option is disabled, Tor uses the public key step for the first
+hop of creating circuits. Skipping it is generally safe since we have
+already used TLS to authenticate the relay and to establish forward-secure
+keys. Turning this option off makes circuit building slower.
+
+Note that Tor will always use the public key step for the first hop if
+it's operating as a relay, and it will never use the public key step if
+it doesn't yet know the onion key of the first hop.
 (Default: 1)
 .LP
 .TP
@@ -740,6 +750,19 @@ If Tor doesn't have a cached networkstatus file, it starts out using
 this one instead.  Even if this file is out of date, Tor can still use
 it to learn about directory mirrors, so it doesn't need to put load on
 the authorities.  (Default: None).
+.LP
+.TP
+\fBWarnPlaintextPorts\fP \fR\fIport\fR,\fIport\fR,\fI...\fP
+Tells Tor to issue a warnings whenever the user tries to make an
+anonymous connection to one of these ports.  This option is designed
+to alert users to services that risk sending passwords in the clear.
+(Default: 23,109,110,143).
+.LP
+.TP
+\fBRejectPlaintextPorts\fP \fR\fIport\fR,\fIport\fR,\fI...\fP
+Like WarnPlaintextPorts, but instead of warning about risky port uses,
+Tor will instead refuse to make the connection.
+(Default: None).
 
 .LP
 .TP
@@ -1089,6 +1112,9 @@ directory ports.
 The policies have the same form as exit policies above.
 .LP
 .TP
+
+.SH DIRECTORY AUTHORITY SERVER OPTIONS
+.PP
 \fBRecommendedVersions \fR\fISTRING\fP
 STRING is a comma-separated list of Tor versions currently believed
 to be safe. The list is included in each directory, and nodes which
@@ -1123,6 +1149,12 @@ elements. Otherwise, if the address is not an IP address or is a private
 IP address, it will reject the router descriptor. Defaults to 0.
 .LP
 .TP
+\fBAuthDirBadDir \fR\fIAddressPattern\fR...\fP
+Authoritative directories only.  A set of address patterns for servers that
+will be listed as bad directories in any network status document this authority
+publishes, if \fBAuthDirListBadDirs\fR is set.
+.LP
+.TP
 \fBAuthDirBadExit \fR\fIAddressPattern\fR...\fP
 Authoritative directories only.  A set of address patterns for servers that
 will be listed as bad exits in any network status document this authority
@@ -1142,6 +1174,13 @@ authority publishes, or accepted as an OR address in any descriptor submitted
 for publication by this authority.
 .LP
 .TP
+\fBAuthDirListBadDirs \fR\fB0\fR|\fB1\fR\fP
+Authoritative directories only.  If set to 1, this directory has
+some opinion about which nodes are unsuitable as directory caches.  (Do not
+set this to 1 unless you plan to list nonfunctioning directories as bad;
+otherwise, you are effectively voting in favor of every declared directory.)
+.LP
+.TP
 \fBAuthDirListBadExits \fR\fB0\fR|\fB1\fR\fP
 Authoritative directories only.  If set to 1, this directory has
 some opinion about which nodes are unsuitable as exit nodes.  (Do not
@@ -1166,6 +1205,39 @@ will list as acceptable on a single IP address.  Set this to "0" for
 \fBAuthDirMaxServersPerAuthAddr\fR \fINUM\fP
 Authoritative directories only.  Like AuthDirMaxServersPerAddr, but
 applies to addresses shared with directory authorities.  (Default: 5)
+.LP
+.TP
+\fBV3AuthVotingInterval\fR \fR\fIN\fR \fBminutes\fR|\fBhours\fP
+V3 authoritative directories only.  Configures the server's preferred
+voting interval.  Note that voting will \fIactually\fP happen at an
+interval chosen by consensus from all the authorities' preferred
+intervals.  This time SHOULD divide evenly into a day. (Default: 1 hour)
+.LP
+.TP
+\fBV3AuthVoteDelay\fR \fINUM\fP
+V3 authoritative directories only.  Configures the server's preferred
+delay between publishing its vote and assuming it has all the votes
+from all the other authorities.  Note that the actual time used is not
+the server's preferred time, but the consensus of all preferences.
+(Default: 5 minutes.)
+.LP
+.TP
+\fBV3AuthDistDelay\fR \fINUM\fP
+V3 authoritative directories only.  Configures the server's preferred
+delay between publishing its consensus and signature and assuming it
+has all the signatures from all the other authorities.  Note that the
+actual time used is not the server's preferred time, but the consensus
+of all preferences.  (Default: 5 minutes.)
+.LP
+.TP
+\fBV3AuthNIntervalsValid\fR \fINUM\fP
+V3 authoritative directories only.  Configures the number of
+VotingIntervals for which each consensus should be valid for.
+Choosing high numbers increases network partitioning risks; choosing
+low numbers increases directory traffic. Note that the actual number
+of intervals used is not the server's preferred number, but the
+consensus of all preferences.  Must be at least 2.  (Default: 3.)
+
 
 .SH HIDDEN SERVICE OPTIONS
 .PP

src/common/OpenBSD_malloc_Linux.c

@@ -54,6 +54,7 @@
 #include <limits.h>
 #include <errno.h>
 #include <err.h>
+#include "torint.h"
 
 //#include "thread_private.h"
 
@@ -94,9 +95,12 @@ static pthread_mutex_t gen_mutex = PTHREAD_MUTEX_INITIALIZER;
 #define _MALLOC_LOCK() {pthread_mutex_lock(&gen_mutex);}
 #define _MALLOC_UNLOCK() {pthread_mutex_unlock(&gen_mutex);}
 
-#if defined(__sparc__)
+#if defined(__sparc__) || defined(__alpha__)
 #define	malloc_pageshift	13U
-#endif /* __sparc__ */
+#endif
+#if defined(__ia64__)
+#define	malloc_pageshift	14U
+#endif
 
 #ifndef malloc_pageshift
 #define malloc_pageshift	(PGSHIFT)
@@ -785,6 +789,13 @@ malloc_init(void)
 		    "  Will not be able to dump malloc stats on exit");
 #endif /* MALLOC_STATS */
 
+	if (malloc_pagesize != getpagesize()) {
+		wrterror("malloc() replacement compiled with a different "
+			 "page size from what we're running with.  Failing.");
+		errno = ENOMEM;
+		return;
+	}
+
 	/* Allocate one page for the page directory. */
 	page_dir = (struct pginfo **)MMAP(malloc_pagesize);
 
@@ -1926,11 +1937,14 @@ realloc(void *ptr, size_t size)
 	return (r);
 }
 
-#if defined(__i386__)||defined(__arm__)||defined(__powerpc__)
-#define SIZE_MAX 0xffffffff
-#endif
-#if defined(__x86_64__)
-#define SIZE_MAX 0xffffffffffffffff
+#ifndef SIZE_MAX
+//#if defined(__i386__)||defined(__arm__)||defined(__powerpc__)
+//#define SIZE_MAX 0xffffffff
+//#endif
+//#if defined(__x86_64__)
+//#define SIZE_MAX 0xffffffffffffffff
+//#endif
+#define SIZE_MAX SIZE_T_MAX
 #endif
 
 void *

src/common/aes.c

@@ -1,7 +1,7 @@
 /* Copyright (c) 2001, Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char aes_c_id[] = "$Id$";

src/common/aes.h

@@ -1,6 +1,6 @@
 /* Copyright (c) 2003, Roger Dingledine
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 

src/common/compat.c

@@ -1,6 +1,6 @@
 /* Copyright (c) 2003-2004, Roger Dingledine
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char compat_c_id[] =
@@ -115,12 +115,6 @@ const char compat_c_id[] =
 #include "strlcat.c"
 #endif
 
-#ifndef INADDR_NONE
-/* This is used by inet_addr, but apparently Solaris doesn't define it
- * anyplace. */
-#define INADDR_NONE ((unsigned long) -1)
-#endif
-
 #ifdef HAVE_SYS_MMAN_H
 /** Implementation for tor_mmap_t: holds the regular tor_mmap_t, along
  * with extra fields needed for mmap()-based memory mapping. */
@@ -380,6 +374,61 @@ tor_memmem(const void *_haystack, size_t hlen,
 #endif
 }
 
+/* Tables to implement ctypes-replacement TOR_IS*() functions.  Each table
+ * has 256 bits to look up whether a character is in some set or not.  This
+ * fails on non-ASCII platforms, but it is hard to find a platform whose
+ * character set is not a superset of ASCII nowadays. */
+const uint32_t TOR_ISALPHA_TABLE[8] =
+  { 0, 0, 0x7fffffe, 0x7fffffe, 0, 0, 0, 0 };
+const uint32_t TOR_ISALNUM_TABLE[8] =
+  { 0, 0x3ff0000, 0x7fffffe, 0x7fffffe, 0, 0, 0, 0 };
+const uint32_t TOR_ISSPACE_TABLE[8] = { 0x3e00, 0x1, 0, 0, 0, 0, 0, 0 };
+const uint32_t TOR_ISXDIGIT_TABLE[8] =
+  { 0, 0x3ff0000, 0x7e, 0x7e, 0, 0, 0, 0 };
+const uint32_t TOR_ISDIGIT_TABLE[8] = { 0, 0x3ff0000, 0, 0, 0, 0, 0, 0 };
+const uint32_t TOR_ISPRINT_TABLE[8] =
+  { 0, 0xffffffff, 0xffffffff, 0x7fffffff, 0, 0, 0, 0x0 };
+const uint32_t TOR_ISUPPER_TABLE[8] = { 0, 0, 0x7fffffe, 0, 0, 0, 0, 0 };
+const uint32_t TOR_ISLOWER_TABLE[8] = { 0, 0, 0, 0x7fffffe, 0, 0, 0, 0 };
+/* Upper-casing and lowercasing tables to map characters to upper/lowercase
+ * equivalents. */
+const char TOR_TOUPPER_TABLE[256] = {
+  0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,
+  16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,
+  32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,
+  48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,
+  64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,
+  80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,
+  96,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,
+  80,81,82,83,84,85,86,87,88,89,90,123,124,125,126,127,
+  128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,
+  144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,
+  160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,
+  176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,
+  192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,
+  208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,
+  224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,
+  240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,
+};
+const char TOR_TOLOWER_TABLE[256] = {
+  0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,
+  16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,
+  32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,
+  48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,
+  64,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,
+  112,113,114,115,116,117,118,119,120,121,122,91,92,93,94,95,
+  96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,
+  112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,
+  128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,
+  144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,
+  160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,
+  176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,
+  192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,
+  208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,
+  224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,
+  240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,
+};
+
 #ifdef MS_WINDOWS
 /** Take a filename and return a pointer to its final element.  This
  * function is called on __FILE__ to fix a MSVC nit where __FILE__
@@ -781,7 +830,7 @@ set_max_file_descriptors(rlim_t limit, int *max_out)
     log_warn(LD_CONFIG,
              "We do not support more than %lu file descriptors "
              "on Windows. Tried to raise to %lu.",
-             DEFAULT_MAX_CONNECTIONS, limit);
+             (unsigned long)DEFAULT_MAX_CONNECTIONS, (unsigned long)limit);
     return -1;
   }
   limit = DEFAULT_MAX_CONNECTIONS;
@@ -789,7 +838,7 @@ set_max_file_descriptors(rlim_t limit, int *max_out)
   if (limit > CYGWIN_MAX_CONNECTIONS) {
     log_warn(LD_CONFIG, "We do not support more than %lu file descriptors "
              "when using Cygwin. Tried to raise to %lu.",
-             CYGWIN_MAX_CONNECTIONS, limit);
+             (unsigned long)CYGWIN_MAX_CONNECTIONS, (unsigned long)limit);
     return -1;
   }
   limit = CYGWIN_MAX_CONNECTIONS;
@@ -797,7 +846,7 @@ set_max_file_descriptors(rlim_t limit, int *max_out)
   if (limit > IPHONE_MAX_CONNECTIONS) {
     log_warn(LD_CONFIG, "We do not support more than %lu file descriptors "
              "on iPhone. Tried to raise to %lu.",
-             IPHONE_MAX_CONNECTIONS, limit);
+             (unsigned long)IPHONE_MAX_CONNECTIONS, (unsigned long)limit);
     return -1;
   }
   limit = IPHONE_MAX_CONNECTIONS;
@@ -871,62 +920,225 @@ set_max_file_descriptors(rlim_t limit, int *max_out)
   return 0;
 }
 
-/** Call setuid and setgid to run as <b>user</b>:<b>group</b>.  Return 0 on
- * success.  On failure, log and return -1.
+/** Log details of current user and group credentials. Return 0 on
+ * success. Logs and return -1 on failure.
+ */
+static int
+log_credential_status(void)
+{
+#define CREDENTIAL_LOG_LEVEL LOG_INFO
+#ifndef MS_WINDOWS
+  /* Real, effective and saved UIDs */
+  uid_t ruid, euid, suid;
+  /* Read, effective and saved GIDs */
+  gid_t rgid, egid, sgid;
+  /* Supplementary groups */
+  gid_t sup_gids[NGROUPS_MAX + 1];
+  /* Number of supplementary groups */
+  int ngids;
+
+  /* log UIDs */
+#ifdef HAVE_GETRESUID
+  if (getresuid(&ruid, &euid, &suid) != 0 ) {
+    log_warn(LD_GENERAL, "Error getting changed UIDs: %s", strerror(errno));
+    return -1;
+  } else {
+    log_fn(CREDENTIAL_LOG_LEVEL, LD_GENERAL,
+           "UID is %u (real), %u (effective), %u (saved)",
+           (unsigned)ruid, (unsigned)euid, (unsigned)suid);
+  }
+#else
+  /* getresuid is not present on MacOS X, so we can't get the saved (E)UID */
+  ruid = getuid();
+  euid = geteuid();
+  (void)suid;
+
+  log_fn(CREDENTIAL_LOG_LEVEL, LD_GENERAL,
+         "UID is %u (real), %u (effective), unknown (saved)",
+         (unsigned)ruid, (unsigned)euid);
+#endif
+
+  /* log GIDs */
+#ifdef HAVE_GETRESGID
+  if (getresgid(&rgid, &egid, &sgid) != 0 ) {
+    log_warn(LD_GENERAL, "Error getting changed GIDs: %s", strerror(errno));
+    return -1;
+  } else {
+    log_fn(CREDENTIAL_LOG_LEVEL, LD_GENERAL,
+           "GID is %u (real), %u (effective), %u (saved)",
+           (unsigned)rgid, (unsigned)egid, (unsigned)sgid);
+  }
+#else
+  /* getresgid is not present on MacOS X, so we can't get the saved (E)GID */
+  rgid = getgid();
+  egid = getegid();
+  (void)sgid;
+  log_fn(CREDENTIAL_LOG_LEVEL, LD_GENERAL,
+         "GID is %u (real), %u (effective), unknown (saved)",
+         (unsigned)rgid, (unsigned)egid);
+#endif
+
+  /* log supplementary groups */
+  if ((ngids = getgroups(NGROUPS_MAX + 1, sup_gids)) < 0) {
+    log_warn(LD_GENERAL, "Error getting supplementary GIDs: %s",
+             strerror(errno));
+    return -1;
+  } else {
+    int i;
+    char *strgid;
+    char *s = NULL;
+    int formatting_error = 0;
+    smartlist_t *elts = smartlist_create();
+
+    for (i = 0; i<ngids; i++) {
+      strgid = tor_malloc(11);
+      if (tor_snprintf(strgid, 11, "%u", (unsigned)sup_gids[i]) == -1) {
+        log_warn(LD_GENERAL, "Error printing supplementary GIDs");
+        tor_free(strgid);
+        formatting_error = 1;
+        goto error;
+      }
+      smartlist_add(elts, strgid);
+    }
+
+    s = smartlist_join_strings(elts, " ", 0, NULL);
+
+    log_fn(CREDENTIAL_LOG_LEVEL, LD_GENERAL, "Supplementary groups are: %s",s);
+
+   error:
+    tor_free(s);
+    SMARTLIST_FOREACH(elts, char *, cp,
+    {
+      tor_free(cp);
+    });
+    smartlist_free(elts);
+
+    if (formatting_error)
+      return -1;
+  }
+#endif
+
+  return 0;
+}
+
+/** Call setuid and setgid to run as <b>user</b> and switch to their
+ * primary group.  Return 0 on success.  On failure, log and return -1.
  */
 int
-switch_id(const char *user, const char *group)
+switch_id(const char *user)
 {
 #ifndef MS_WINDOWS
   struct passwd *pw = NULL;
-  struct group *gr = NULL;
+  uid_t old_uid;
+  gid_t old_gid;
+  static int have_already_switched_id = 0;
 
-  if (user) {
-    pw = getpwnam(user);
-    if (pw == NULL) {
-      log_warn(LD_CONFIG,"User '%s' not found.", user);
+  tor_assert(user);
+
+  if (have_already_switched_id)
+    return 0;
+
+  /* Log the initial credential state */
+  if (log_credential_status())
+    return -1;
+
+  log_fn(CREDENTIAL_LOG_LEVEL, LD_GENERAL, "Changing user and groups");
+
+  /* Get old UID/GID to check if we changed correctly */
+  old_uid = getuid();
+  old_gid = getgid();
+
+  /* Lookup the user and group information, if we have a problem, bail out. */
+  pw = getpwnam(user);
+  if (pw == NULL) {
+    log_warn(LD_CONFIG, "Error setting configured user: %s not found", user);
+    return -1;
+  }
+
+  /* Properly switch egid,gid,euid,uid here or bail out */
+  if (setgroups(1, &pw->pw_gid)) {
+    log_warn(LD_GENERAL, "Error setting groups to gid %d: \"%s\". "
+             "If you set the \"User\" option, you must start Tor as root.",
+             (int)pw->pw_gid, strerror(errno));
+    return -1;
+  }
+
+  if (setegid(pw->pw_gid)) {
+    log_warn(LD_GENERAL, "Error setting egid to %d: %s",
+             (int)pw->pw_gid, strerror(errno));
+    return -1;
+  }
+
+  if (setgid(pw->pw_gid)) {
+    log_warn(LD_GENERAL, "Error setting gid to %d: %s",
+             (int)pw->pw_gid, strerror(errno));
+    return -1;
+  }
+
+  if (setuid(pw->pw_uid)) {
+    log_warn(LD_GENERAL, "Error setting configured uid to %s (%d): %s",
+             user, (int)pw->pw_uid, strerror(errno));
+    return -1;
+  }
+
+  if (seteuid(pw->pw_uid)) {
+    log_warn(LD_GENERAL, "Error setting configured euid to %s (%d): %s",
+             user, (int)pw->pw_uid, strerror(errno));
+    return -1;
+  }
+
+  /* This is how OpenBSD rolls:
+  if (setgroups(1, &pw->pw_gid) || setegid(pw->pw_gid) ||
+      setgid(pw->pw_gid) || setuid(pw->pw_uid) || seteuid(pw->pw_uid)) {
+      setgid(pw->pw_gid) || seteuid(pw->pw_uid) || setuid(pw->pw_uid)) {
+    log_warn(LD_GENERAL, "Error setting configured UID/GID: %s",
+    strerror(errno));
+    return -1;
+  }
+  */
+
+  /* We've properly switched egid, gid, euid, uid, and supplementary groups if
+   * we're here. */
+
+#if !defined(CYGWIN) && !defined(__CYGWIN__)
+  /* If we tried to drop privilege to a group/user other than root, attempt to
+   * restore root (E)(U|G)ID, and abort if the operation succeeds */
+
+  /* Only check for privilege dropping if we were asked to be non-root */
+  if (pw->pw_uid) {
+    /* Try changing GID/EGID */
+    if (pw->pw_gid != old_gid &&
+        (setgid(old_gid) != -1 || setegid(old_gid) != -1)) {
+      log_warn(LD_GENERAL, "Was able to restore group credentials even after "
+               "switching GID: this means that the setgid code didn't work.");
+      return -1;
+    }
+
+    /* Try changing UID/EUID */
+    if (pw->pw_uid != old_uid &&
+        (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) {
+      log_warn(LD_GENERAL, "Was able to restore user credentials even after "
+               "switching UID: this means that the setuid code didn't work.");
       return -1;
     }
   }
-
-  /* switch the group first, while we still have the privileges to do so */
-  if (group) {
-    gr = getgrnam(group);
-    if (gr == NULL) {
-      log_warn(LD_CONFIG,"Group '%s' not found.", group);
-      return -1;
-    }
-
-    if (setgid(gr->gr_gid) != 0) {
-      log_warn(LD_GENERAL,"Error setting to configured GID: %s",
-               strerror(errno));
-      return -1;
-    }
-  } else if (user) {
-    if (setgid(pw->pw_gid) != 0) {
-      log_warn(LD_GENERAL,"Error setting to user GID: %s", strerror(errno));
-      return -1;
-    }
-  }
-
-  /* now that the group is switched, we can switch users and lose
-     privileges */
-  if (user) {
-    if (setuid(pw->pw_uid) != 0) {
-      log_warn(LD_GENERAL,"Error setting UID: %s", strerror(errno));
-      return -1;
-    }
-  }
-
-  return 0;
-#else
-  (void)user;
-  (void)group;
 #endif
 
+  /* Check what really happened */
+  if (log_credential_status()) {
+    return -1;
+  }
+
+  have_already_switched_id = 1; /* mark success so we never try again */
+  return 0;
+
+#else
+  (void)user;
+
   log_warn(LD_CONFIG,
-           "User or group specified, but switching users is not supported.");
+           "User specified but switching users is unsupported on your OS.");
   return -1;
+#endif
 }
 
 #ifdef HAVE_PWD_H
@@ -951,24 +1163,18 @@ get_user_homedir(const char *username)
  * but works on Windows and Solaris.)
  */
 int
-tor_inet_aton(const char *c, struct in_addr* addr)
+tor_inet_aton(const char *str, struct in_addr* addr)
 {
-#ifdef HAVE_INET_ATON
-  return inet_aton(c, addr);
-#else
-  uint32_t r;
-  tor_assert(c);
-  tor_assert(addr);
-  if (strcmp(c, "255.255.255.255") == 0) {
-    addr->s_addr = 0xFFFFFFFFu;
-    return 1;
-  }
-  r = inet_addr(c);
-  if (r == INADDR_NONE)
+  int a,b,c,d;
+  char more;
+  if (sscanf(str, "%d.%d.%d.%d%c", &a,&b,&c,&d,&more) != 4)
     return 0;
-  addr->s_addr = r;
+  if (a < 0 || a > 255) return 0;
+  if (b < 0 || b > 255) return 0;
+  if (c < 0 || c > 255) return 0;
+  if (d < 0 || d > 255) return 0;
+  addr->s_addr = htonl((a<<24) | (b<<16) | (c<<8) | d);
   return 1;
-#endif
 }
 
 /** Given <b>af</b>==AF_INET and <b>src</b> a struct in_addr, or
@@ -1746,13 +1952,17 @@ tor_get_thread_id(void)
 struct tor_mutex_t {
   pthread_mutex_t mutex;
 };
+static pthread_mutexattr_t attr_reentrant;
+static int threads_initialized = 0;
 /** Allocate and return new lock. */
 tor_mutex_t *
 tor_mutex_new(void)
 {
   int err;
   tor_mutex_t *mutex = tor_malloc_zero(sizeof(tor_mutex_t));
-  err = pthread_mutex_init(&mutex->mutex, NULL);
+  if (PREDICT_UNLIKELY(!threads_initialized))
+    tor_threads_init();
+  err = pthread_mutex_init(&mutex->mutex, &attr_reentrant);
   if (PREDICT_UNLIKELY(err)) {
     log_err(LD_GENERAL, "Error %d creating a mutex.", err);
     tor_fragile_assert();
@@ -1868,6 +2078,11 @@ tor_cond_signal_all(tor_cond_t *cond)
 void
 tor_threads_init(void)
 {
+  if (!threads_initialized) {
+    pthread_mutexattr_init(&attr_reentrant);
+    pthread_mutexattr_settype(&attr_reentrant, PTHREAD_MUTEX_RECURSIVE);
+    threads_initialized = 1;
+  }
 }
 #elif defined(USE_WIN32_THREADS)
 #if 0

src/common/compat.h

@@ -1,6 +1,6 @@
 /* Copyright (c) 2003-2004, Roger Dingledinex
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 
@@ -33,9 +33,6 @@
 #ifdef HAVE_STRING_H
 #include <string.h>
 #endif
-#ifdef HAVE_CTYPE_H
-#include <ctype.h>
-#endif
 #include <stdarg.h>
 #ifdef HAVE_SYS_RESOURCE_H
 #include <sys/resource.h>
@@ -122,7 +119,17 @@ extern INLINE double U64_TO_DBL(uint64_t x) {
 #define ATTR_CONST __attribute__((const))
 #define ATTR_MALLOC __attribute__((malloc))
 #define ATTR_NORETURN __attribute__((noreturn))
-#define ATTR_NONNULL(x) __attribute__((nonnull x))
+/* Alas, nonnull is not at present a good idea for us.  We'd like to get
+ * warnings when we pass NULL where we shouldn't (which nonnull does, albeit
+ * spottily), but we don't want to tell the compiler to make optimizations
+ * with the assumption that the argument can't be NULL (since this would make
+ * many of our checks go away, and make our code less robust against
+ * programming errors).  Unfortunately, nonnull currently does both of these
+ * things, and there's no good way to split them up.
+ *
+ * #define ATTR_NONNULL(x) __attribute__((nonnull x)) */
+#define ATTR_NONNULL(x)
+
 /** Macro: Evaluates to <b>exp</b> and hints the compiler that the value
  * of <b>exp</b> will probably be true. */
 #define PREDICT_LIKELY(exp) __builtin_expect((exp), 1)
@@ -207,17 +214,27 @@ tor_memstr(const void *haystack, size_t hlen, const char *needle)
   return tor_memmem(haystack, hlen, needle, strlen(needle));
 }
 
-#define TOR_ISALPHA(c)   isalpha((int)(unsigned char)(c))
-#define TOR_ISALNUM(c)   isalnum((int)(unsigned char)(c))
-#define TOR_ISSPACE(c)   isspace((int)(unsigned char)(c))
-#define TOR_ISXDIGIT(c) isxdigit((int)(unsigned char)(c))
-#define TOR_ISDIGIT(c)   isdigit((int)(unsigned char)(c))
-#define TOR_ISPRINT(c)   isprint((int)(unsigned char)(c))
-#define TOR_ISLOWER(c)   islower((int)(unsigned char)(c))
-#define TOR_ISUPPER(c)   isupper((int)(unsigned char)(c))
-
-#define TOR_TOLOWER(c)   ((char)tolower((int)(unsigned char)(c)))
-#define TOR_TOUPPER(c)   ((char)toupper((int)(unsigned char)(c)))
+/* Much of the time when we're checking ctypes, we're doing spec compliance,
+ * which all assumes we're doing ASCII. */
+#define DECLARE_CTYPE_FN(name)                                          \
+  static int TOR_##name(char c);                                        \
+  extern const uint32_t TOR_##name##_TABLE[];                           \
+  static INLINE int TOR_##name(char c) {                                \
+    uint8_t u = c;                                                      \
+    return !!(TOR_##name##_TABLE[(u >> 5) & 7] & (1 << (u & 31)));      \
+  }
+DECLARE_CTYPE_FN(ISALPHA)
+DECLARE_CTYPE_FN(ISALNUM)
+DECLARE_CTYPE_FN(ISSPACE)
+DECLARE_CTYPE_FN(ISDIGIT)
+DECLARE_CTYPE_FN(ISXDIGIT)
+DECLARE_CTYPE_FN(ISPRINT)
+DECLARE_CTYPE_FN(ISLOWER)
+DECLARE_CTYPE_FN(ISUPPER)
+extern const char TOR_TOUPPER_TABLE[];
+extern const char TOR_TOLOWER_TABLE[];
+#define TOR_TOLOWER(c) (TOR_TOLOWER_TABLE[(uint8_t)c])
+#define TOR_TOUPPER(c) (TOR_TOUPPER_TABLE[(uint8_t)c])
 
 #ifdef MS_WINDOWS
 #define _SHORT_FILE_ (tor_fix_source_file(__FILE__))
@@ -261,6 +278,10 @@ int touch_file(const char *fname);
 
 /* ===== Net compatibility */
 
+#if (SIZEOF_SOCKLEN_T == 0)
+typedef int socklen_t;
+#endif
+
 int tor_close_socket(int s);
 int tor_open_socket(int domain, int type, int protocol);
 int tor_accept_socket(int sockfd, struct sockaddr *addr, socklen_t *len);
@@ -274,10 +295,6 @@ int get_n_open_sockets(void);
 #define tor_socket_recv(s, buf, len, flags) recv(s, buf, len, flags)
 #endif
 
-#if (SIZEOF_SOCKLEN_T == 0)
-typedef int socklen_t;
-#endif
-
 /* Define struct in6_addr on platforms that do not have it.  Generally,
  * these platforms are ones without IPv6 support, but we want to have
  * a working in6_addr there anyway, so we can use it to parse IPv6
@@ -453,7 +470,7 @@ void set_uint32(char *cp, uint32_t v) ATTR_NONNULL((1));
 typedef unsigned long rlim_t;
 #endif
 int set_max_file_descriptors(rlim_t limit, int *max);
-int switch_id(const char *user, const char *group);
+int switch_id(const char *user);
 #ifdef HAVE_PWD_H
 char *get_user_homedir(const char *username);
 #endif

src/common/container.c

@@ -1,6 +1,6 @@
 /* Copyright (c) 2003-2004, Roger Dingledine
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char container_c_id[] =
@@ -20,9 +20,6 @@ const char container_c_id[] =
 #include "container.h"
 #include "crypto.h"
 
-#ifdef HAVE_CTYPE_H
-#include <ctype.h>
-#endif
 #include <stdlib.h>
 #include <string.h>
 #include <assert.h>

src/common/container.h

@@ -1,6 +1,6 @@
 /* Copyright (c) 2003-2004, Roger Dingledine
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 
@@ -108,8 +108,7 @@ void *smartlist_bsearch(smartlist_t *sl, const void *key,
  ATTR_PURE;
 int smartlist_bsearch_idx(const smartlist_t *sl, const void *key,
                           int (*compare)(const void *key, const void **member),
-                          int *found_out)
- ATTR_PURE;
+                          int *found_out);
 
 void smartlist_pqueue_add(smartlist_t *sl,
                           int (*compare)(const void *a, const void *b),

src/common/crypto.c

@@ -1,7 +1,7 @@
 /* Copyright (c) 2001, Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char crypto_c_id[] =
@@ -21,6 +21,9 @@ const char crypto_c_id[] =
 #define WIN32_LEAN_AND_MEAN
 #include <windows.h>
 #include <wincrypt.h>
+/* Windows defines this; so does openssl 0.9.8h and later. We don't actually
+ * use either definition. */
+#undef OCSP_RESPONSE
 #endif
 
 #include <openssl/err.h>
@@ -628,6 +631,23 @@ crypto_pk_dup_key(crypto_pk_env_t *env)
   return env;
 }
 
+/** Make a real honest-to-goodness copy of <b>env</b>, and return it. */
+crypto_pk_env_t *
+crypto_pk_copy_full(crypto_pk_env_t *env)
+{
+  RSA *new_key;
+  tor_assert(env);
+  tor_assert(env->key);
+
+  if (PRIVATE_KEY_OK(env)) {
+    new_key = RSAPrivateKey_dup(env->key);
+  } else {
+    new_key = RSAPublicKey_dup(env->key);
+  }
+
+  return _crypto_new_pk_env_rsa(new_key);
+}
+
 /** Encrypt <b>fromlen</b> bytes from <b>from</b> with the public key
  * in <b>env</b>, using the padding method <b>padding</b>.  On success,
  * write the result to <b>to</b>, and return the number of bytes

src/common/crypto.h

@@ -1,7 +1,7 @@
 /* Copyright (c) 2001, Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 
@@ -88,6 +88,7 @@ int crypto_pk_check_key(crypto_pk_env_t *env);
 int crypto_pk_cmp_keys(crypto_pk_env_t *a, crypto_pk_env_t *b);
 size_t crypto_pk_keysize(crypto_pk_env_t *env);
 crypto_pk_env_t *crypto_pk_dup_key(crypto_pk_env_t *orig);
+crypto_pk_env_t *crypto_pk_copy_full(crypto_pk_env_t *orig);
 
 int crypto_pk_public_encrypt(crypto_pk_env_t *env, char *to,
                              const char *from, size_t fromlen, int padding);

src/common/ht.h

@@ -1,5 +1,6 @@
-/* Copyright 2002 Christopher Clark */
-/* Copyright 2005 Nick Mathewson */
+/* Copyright (c) 2002, Christopher Clark.
+ * Copyright (c) 2005-2006, Nick Mathewson.
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See license at end. */
 /* $Id$ */
 
@@ -420,6 +421,7 @@ ht_string_hash(const char *s)
 #define _HT_FOI_INSERT(field, head, elm, newent, var)       \
   {                                                         \
     newent->field.hte_hash = (elm)->field.hte_hash;         \
+    newent->field.hte_next = NULL;                          \
     *var = newent;                                          \
     ++((head)->hth_n_entries);                              \
   }

src/common/log.c

@@ -1,7 +1,7 @@
 /* Copyright (c) 2001, Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char log_c_id[] = "$Id$";
@@ -255,6 +255,9 @@ logv(int severity, uint32_t domain, const char *funcname, const char *format,
   char *end_of_prefix=NULL;
 
   assert(format);
+  /* check that severity is sane.  Overrunning the masks array leads to
+   * interesting and hard to diagnose effects */
+  assert(severity >= LOG_ERR && severity <= LOG_DEBUG);
   LOCK_LOGS();
   lf = logfiles;
   while (lf) {
@@ -698,6 +701,7 @@ switch_logs_debug(void)
   for (lf = logfiles; lf; lf=lf->next) {
     lf->min_loglevel = LOG_DEBUG;
   }
+  _log_global_min_severity = get_min_log_level();
   UNLOCK_LOGS();
 }
 

src/common/log.h

@@ -1,7 +1,7 @@
 /* Copyright (c) 2001, Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 

src/common/mempool.c

@@ -1,4 +1,4 @@
-/* Copyright (c) 2007-2008, The Tor Project, Inc. */
+/* Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 #if 1
@@ -144,7 +144,7 @@ struct mp_chunk_t {
 };
 
 /** Number of extra bytes needed beyond mem_size to allocate a chunk. */
-#define CHUNK_OVERHEAD (sizeof(mp_chunk_t)-1)
+#define CHUNK_OVERHEAD STRUCT_OFFSET(mp_chunk_t, mem[0])
 
 /** Given a pointer to a mp_allocated_t, return a pointer to the memory
  * item it holds. */

src/common/mempool.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2007-2008, The Tor Project, Inc. */
+/* Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 

src/common/test.h

@@ -1,6 +1,6 @@
 /* Copyright (c) 2001-2003, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 

src/common/torgzip.c

@@ -1,6 +1,6 @@
 /* Copyright (c) 2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char torgzip_c_id[] =
@@ -143,7 +143,16 @@ tor_gzip_compress(char **out, size_t *out_len,
   }
  done:
   *out_len = stream->total_out;
-  if (stream->total_out > out_size + 4097) {
+#ifdef OPENBSD
+  /* "Hey Rocky!  Watch me change an unsigned field to a signed field in a
+   *    third-party API!"
+   * "Oh, that trick will just make people do unsafe casts to the unsigned
+   *    type in their cross-platform code!"
+   * "Don't be foolish.  I'm _sure_ they'll have the good sense to make sure
+   *    the newly unsigned field isn't negative." */
+  tor_assert(stream->total_out >= 0);
+#endif
+  if (((size_t)stream->total_out) > out_size + 4097) {
     /* If we're wasting more than 4k, don't. */
     *out = tor_realloc(*out, stream->total_out + 1);
   }

src/common/torgzip.h

@@ -1,6 +1,6 @@
 /* Copyright (c) 2003, Roger Dingledine
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 

src/common/torint.h

@@ -1,6 +1,6 @@
 /* Copyright (c) 2003, Roger Dingledine
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 
@@ -290,6 +290,8 @@ typedef uint32_t uintptr_t;
 #define TIME_MAX ((time_t)INT_MAX)
 #elif (SIZEOF_TIME_T == SIZEOF_LONG)
 #define TIME_MAX ((time_t)LONG_MAX)
+#elif (SIZEOF_TIME_T == 8)
+#define TIME_MAX ((time_t)INT64_MAX)
 #else
 #error "Can't define (signed) TIME_MAX"
 #endif

src/common/tortls.c

@@ -1,6 +1,6 @@
 /* Copyright (c) 2003, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char tortls_c_id[] =
@@ -314,6 +314,10 @@ tor_tls_free_all(void)
     tor_tls_context_decref(global_tls_context);
     global_tls_context = NULL;
   }
+  if (!HT_EMPTY(&tlsmap_root)) {
+    log_warn(LD_MM, "Still have entries in the tlsmap at shutdown.");
+  }
+  HT_CLEAR(tlsmap, &tlsmap_root);
 }
 
 /** We need to give OpenSSL a callback to verify certificates. This is
@@ -432,7 +436,7 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa,
  * SSL3_TXT_RSA_NULL_SHA.  If you do this, you won't be able to communicate
  * with any of the "real" Tors, though. */
 
-#if OPENSSL_VERSION_NUMBER >= 0x00908000l
+#if OPENSSL_VERSION_NUMBER >= 0x00908020l
 #define CLIENT_CIPHER_LIST                         \
   (TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ":"   \
    TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA ":"     \
@@ -560,6 +564,14 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
 #endif
   SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
+  /* Don't actually allow compression; it uses RAM and time, but the data
+   * we transmit is all encrypted anyway. */
+  result->ctx->comp_methods = NULL;
+
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+  SSL_CTX_set_options(result->ctx,
+                      SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+#endif
   if (cert && !SSL_CTX_use_certificate(result->ctx,cert))
     goto error;
   X509_free(cert); /* We just added a reference to cert. */
@@ -622,7 +634,7 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)
 
 #ifdef V2_HANDSHAKE_SERVER
 /** Return true iff the cipher list suggested by the client for <b>ssl</b> is
- * a list that indicates that the client know how to do the v2 TLS connection
+ * a list that indicates that the client knows how to do the v2 TLS connection
  * handshake. */
 static int
 tor_tls_client_is_using_v2_ciphers(const SSL *ssl, const char *address)
@@ -666,7 +678,7 @@ tor_tls_client_is_using_v2_ciphers(const SSL *ssl, const char *address)
     }
     s = smartlist_join_strings(elts, ":", 0, NULL);
     log_info(LD_NET, "Got a non-version-1 cipher list from %s.  It is: '%s'",
-             s, address);
+             address, s);
     tor_free(s);
     smartlist_free(elts);
   }
@@ -759,6 +771,12 @@ tor_tls_new(int sock, int isServer)
   result->state = TOR_TLS_ST_HANDSHAKE;
   result->isServer = isServer;
   result->wantwrite_n = 0;
+  result->last_write_count = BIO_number_written(bio);
+  result->last_read_count = BIO_number_read(bio);
+  if (result->last_write_count || result->last_read_count) {
+    log_warn(LD_NET, "Newly created BIO has read count %lu, write count %lu",
+             result->last_read_count, result->last_write_count);
+  }
 #ifdef V2_HANDSHAKE_SERVER
   if (isServer) {
     SSL_set_info_callback(result->ssl, tor_tls_server_info_callback);
@@ -930,7 +948,7 @@ tor_tls_handshake(tor_tls_t *tls)
     tls->state = TOR_TLS_ST_OPEN;
     if (tls->isServer) {
       SSL_set_info_callback(tls->ssl, NULL);
-      SSL_set_verify(tls->ssl, SSL_VERIFY_NONE, always_accept_verify_cb);
+      SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, always_accept_verify_cb);
       /* There doesn't seem to be a clear OpenSSL API to clear mode flags. */
       tls->ssl->mode &= ~SSL_MODE_NO_AUTO_CHAIN;
 #ifdef V2_HANDSHAKE_SERVER
@@ -986,8 +1004,7 @@ tor_tls_renegotiate(tor_tls_t *tls)
   if (tls->state != TOR_TLS_ST_RENEGOTIATE) {
     int r = SSL_renegotiate(tls->ssl);
     if (r <= 0) {
-      return tor_tls_get_error(tls, r, CATCH_SYSCALL|CATCH_ZERO,
-                               "renegotiating", LOG_WARN);
+      return tor_tls_get_error(tls, r, 0, "renegotiating", LOG_WARN);
     }
     tls->state = TOR_TLS_ST_RENEGOTIATE;
   }
@@ -996,8 +1013,7 @@ tor_tls_renegotiate(tor_tls_t *tls)
     tls->state = TOR_TLS_ST_OPEN;
     return TOR_TLS_DONE;
   } else
-    return tor_tls_get_error(tls, r, CATCH_SYSCALL|CATCH_ZERO,
-                             "renegotiating handshake", LOG_WARN);
+    return tor_tls_get_error(tls, r, 0, "renegotiating handshake", LOG_INFO);
 }
 
 /** Shut down an open tls connection <b>tls</b>.  When finished, returns
@@ -1278,18 +1294,33 @@ tor_tls_get_forced_write_size(tor_tls_t *tls)
 void
 tor_tls_get_n_raw_bytes(tor_tls_t *tls, size_t *n_read, size_t *n_written)
 {
+  BIO *wbio, *tmpbio;
   unsigned long r, w;
   r = BIO_number_read(SSL_get_rbio(tls->ssl));
-  w = BIO_number_written(SSL_get_wbio(tls->ssl));
+  /* We want the number of bytes actually for real written.  Unfortunately,
+   * sometimes OpenSSL replaces the wbio on tls->ssl with a buffering bio,
+   * which makes the answer turn out wrong.  Let's cope with that.  Note
+   * that this approach will fail if we ever replace tls->ssl's BIOs with
+   * buffering bios for reasons of our own.  As an alternative, we could
+   * save the original BIO for  tls->ssl in the tor_tls_t structure, but
+   * that would be tempting fate. */
+  wbio = SSL_get_wbio(tls->ssl);
+  if (wbio->method == BIO_f_buffer() && (tmpbio = BIO_next(wbio)) != NULL)
+    wbio = tmpbio;
+  w = BIO_number_written(wbio);
 
   /* We are ok with letting these unsigned ints go "negative" here:
    * If we wrapped around, this should still give us the right answer, unless
    * we wrapped around by more than ULONG_MAX since the last time we called
    * this function.
    */
-
   *n_read = (size_t)(r - tls->last_read_count);
   *n_written = (size_t)(w - tls->last_write_count);
+  if (*n_read > INT_MAX || *n_written > INT_MAX) {
+    log_warn(LD_BUG, "Preposterously large value in tor_tls_get_n_raw_bytes. "
+             "r=%lu, last_read=%lu, w=%lu, last_written=%lu",
+             r, tls->last_read_count, w, tls->last_write_count);
+  }
   tls->last_read_count = r;
   tls->last_write_count = w;
 }

src/common/tortls.h

@@ -1,6 +1,6 @@
 /* Copyright (c) 2003, Roger Dingledine
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 

src/common/util.c

@@ -1,6 +1,6 @@
 /* Copyright (c) 2003, Roger Dingledine
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char util_c_id[] = "$Id$";
@@ -31,9 +31,6 @@ const char util_c_id[] = "$Id$";
 #include <pwd.h>
 #endif
 
-#ifdef HAVE_CTYPE_H
-#include <ctype.h>
-#endif
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
@@ -73,8 +70,13 @@ const char util_c_id[] = "$Id$";
 #include <malloc/malloc.h>
 #endif
 #ifdef HAVE_MALLOC_H
+#ifndef OPENBSD
+/* OpenBSD has a malloc.h, but for our purposes, it only exists in order to
+ * scold us for being so stupid as to autodetect its presence.  To be fair,
+ * they've done this since 1996, when autoconf was only 5 years old. */
 #include <malloc.h>
 #endif
+#endif
 
 /* =====
  * Memory management
@@ -1009,7 +1011,7 @@ tor_timegm(struct tm *tm)
   hours = days*24 + tm->tm_hour;
 
   minutes = hours*60 + tm->tm_min;
-  ret = minutes*60 + tm->tm_sec;
+  ret = ((time_t)minutes)*60 + tm->tm_sec;
   return ret;
 }
 
@@ -2096,7 +2098,7 @@ tor_listdir(const char *dirname)
   size_t pattern_len = strlen(dirname)+16;
   pattern = tor_malloc(pattern_len);
   tor_snprintf(pattern, pattern_len, "%s\\*", dirname);
-  if (!(handle = FindFirstFile(pattern, &findData))) {
+  if (INVALID_HANDLE_VALUE == (handle = FindFirstFile(pattern, &findData))) {
     tor_free(pattern);
     return NULL;
   }
@@ -3092,8 +3094,7 @@ finish_daemon(const char *desired_cwd)
     exit(1);
   }
 
-  nullfd = open("/dev/null",
-                O_CREAT | O_RDWR | O_APPEND);
+  nullfd = open("/dev/null", O_RDWR | O_APPEND);
   if (nullfd < 0) {
     log_err(LD_GENERAL,"/dev/null can't be opened. Exiting.");
     exit(1);

src/common/util.h

@@ -1,6 +1,6 @@
 /* Copyright (c) 2003-2004, Roger Dingledine
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 

src/config/Makefile.am

@@ -1,11 +1,13 @@
 confdir = $(sysconfdir)/tor
+tordatadir = $(datadir)/tor
 
-#EXTRA_DIST = fallback-consensus
+EXTRA_DIST = geoip
 
 conf_DATA = torrc.sample
 
-#data_DATA = fallback-consensus
+tordata_DATA = geoip
 
 # If we don't have it, fake it.
 fallback-consensus:
 	touch fallback-consensus
+

src/or/Makefile.am

@@ -74,7 +74,8 @@ micro-revision.i: FORCE
 	      break;						\
 	    else						\
 	      loc=`svk info $$location |			\
-		sed -n 's/^Copied From: \(.*\), Rev\. [0-9][0-9]*/\1/p'`; \
+		sed -n 's/^Copied From: \(.*\), Rev\. [0-9][0-9]*/\1/p' | \
+                head -1`; 					\
 	      if test x$$loc = x; then				\
 		break;						\
 	      else						\

src/or/buffers.c

@@ -1,7 +1,7 @@
 /* Copyright (c) 2001 Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char buffers_c_id[] =
@@ -63,12 +63,14 @@ typedef struct chunk_t {
                 * more than one byte long. */
 } chunk_t;
 
+#define CHUNK_HEADER_LEN STRUCT_OFFSET(chunk_t, mem[0])
+
 /** Return the number of bytes needed to allocate a chunk to hold
  * <b>memlen</b> bytes. */
-#define CHUNK_ALLOC_SIZE(memlen) (sizeof(chunk_t) + (memlen) - 1)
+#define CHUNK_ALLOC_SIZE(memlen) (CHUNK_HEADER_LEN + (memlen))
 /** Return the number of usable bytes in a chunk allocated with
  * malloc(<b>memlen</b>). */
-#define CHUNK_SIZE_WITH_ALLOC(memlen) ((memlen) - sizeof(chunk_t) + 1)
+#define CHUNK_SIZE_WITH_ALLOC(memlen) ((memlen) - CHUNK_HEADER_LEN)
 
 /** Return the next character in <b>chunk</b> onto which data can be appended.
  * If the chunk is full, this might be off the end of chunk->mem. */
@@ -635,13 +637,13 @@ read_to_buf(int s, size_t at_most, buf_t *buf, int *reached_eof)
     check();
     if (r < 0)
       return r; /* Error */
-    else if ((size_t)r < readlen) { /* eof, block, or no more to read. */
-      tor_assert(r+total_read < INT_MAX);
-      return (int)(r + total_read);
-    }
+    tor_assert(total_read+r < INT_MAX);
     total_read += r;
+    if ((size_t)r < readlen) { /* eof, block, or no more to read. */
+      break;
+    }
   }
-  return r;
+  return (int)total_read;
 }
 
 /** As read_to_buf, but reads from a TLS connection, and returns a TLS
@@ -689,11 +691,12 @@ read_to_buf_tls(tor_tls_t *tls, size_t at_most, buf_t *buf)
     check();
     if (r < 0)
       return r; /* Error */
-    else if ((size_t)r < readlen) /* eof, block, or no more to read. */
-      return r;
+    tor_assert(total_read+r < INT_MAX);
     total_read += r;
+    if ((size_t)r < readlen) /* eof, block, or no more to read. */
+      break;
   }
-  return r;
+  return (int)total_read;
 }
 
 /** Helper for flush_buf(): try to write <b>sz</b> bytes from chunk
@@ -963,7 +966,7 @@ fetch_var_cell_from_buf(buf_t *buf, var_cell_t **out, int linkproto)
     return 1;
   result = var_cell_new(length);
   result->command = command;
-  result->circ_id = ntohs(*(uint16_t*)hdr);
+  result->circ_id = ntohs(get_uint16(hdr));
 
   buf_remove_from_front(buf, VAR_CELL_HEADER_SIZE);
   peek_from_buf(result->payload, length, buf);

src/or/circuitbuild.c

@@ -1,7 +1,7 @@
 /* Copyright (c) 2001 Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char circuitbuild_c_id[] =
@@ -99,7 +99,7 @@ get_unique_circ_id_by_conn(or_connection_t *conn)
       return 0;
     }
     test_circ_id |= high_bit;
-  } while (circuit_get_by_circid_orconn(test_circ_id, conn));
+  } while (circuit_id_in_use_on_orconn(test_circ_id, conn));
   return test_circ_id;
 }
 
@@ -412,8 +412,9 @@ circuit_n_conn_done(or_connection_t *or_conn, int status)
   smartlist_t *pending_circs;
   int err_reason = 0;
 
-  log_debug(LD_CIRC,"or_conn to %s, status=%d",
-            or_conn->nickname ? or_conn->nickname : "NULL", status);
+  log_debug(LD_CIRC,"or_conn to %s/%s, status=%d",
+            or_conn->nickname ? or_conn->nickname : "NULL",
+            or_conn->_base.address, status);
 
   pending_circs = smartlist_create();
   circuit_get_all_pending_on_or_conn(pending_circs, or_conn);
@@ -540,23 +541,20 @@ inform_testing_reachability(void)
   return 1;
 }
 
-/** Return true iff we should send a create_fast cell to build a circuit
- * starting at <b>router</b>. (If <b>router</b> is NULL, we don't have
- * information on the router, so assume true.) */
+/** Return true iff we should send a create_fast cell to start building a given
+ * circuit */
 static INLINE int
-should_use_create_fast_for_router(routerinfo_t *router,
-                                  origin_circuit_t *circ)
+should_use_create_fast_for_circuit(origin_circuit_t *circ)
 {
   or_options_t *options = get_options();
+  tor_assert(circ->cpath);
+  tor_assert(circ->cpath->extend_info);
 
-  if (!options->FastFirstHopPK) /* create_fast is disabled */
-    return 0;
-  if (router && router->platform &&
-      !tor_version_as_new_as(router->platform, "0.1.0.6-rc")) {
-    /* known not to work */
-    return 0;
-  }
-  if (server_mode(options) && circ->cpath->extend_info->onion_key) {
+  if (!circ->cpath->extend_info->onion_key)
+    return 1; /* our hand is forced: only a create_fast will work. */
+  if (!options->FastFirstHopPK)
+    return 0; /* we prefer to avoid create_fast */
+  if (server_mode(options)) {
     /* We're a server, and we know an onion key. We can choose.
      * Prefer to blend in. */
     return 0;
@@ -592,14 +590,9 @@ circuit_send_next_onion_skin(origin_circuit_t *circ)
     log_debug(LD_CIRC,"First skin; sending create cell.");
 
     router = router_get_by_digest(circ->_base.n_conn->identity_digest);
-    fast = should_use_create_fast_for_router(router, circ);
-    if (!fast && !circ->cpath->extend_info->onion_key) {
-      log_warn(LD_CIRC,
-               "Can't send create_fast, but have no onion key. Failing.");
-      return - END_CIRC_REASON_INTERNAL;
-    }
+    fast = should_use_create_fast_for_circuit(circ);
     if (!fast) {
-      /* We are an OR, or we are connecting to an old Tor: we should
+      /* We are an OR and we know the right onion key: we should
        * send an old slow create cell.
        */
       cell_type = CELL_CREATE;
@@ -704,10 +697,13 @@ circuit_note_clock_jumped(int seconds_elapsed)
   circuit_expire_all_dirty_circs();
 }
 
-/** Take the 'extend' cell, pull out addr/port plus the onion skin. Make
- * sure we're connected to the next hop, and pass it the onion skin using
- * a create cell. Return -1 if we want to warn and tear down the circuit,
- * else return 0.
+/** Take the 'extend' <b>cell</b>, pull out addr/port plus the onion
+ * skin and identity digest for the next hop. If we're already connected,
+ * pass the onion skin to the next hop using a create cell; otherwise
+ * launch a new OR connection, and <b>circ</b> will notice when the
+ * connection succeeds or fails.
+ *
+ * Return -1 if we want to warn and tear down the circuit, else return 0.
  */
 int
 circuit_extend(cell_t *cell, circuit_t *circ)
@@ -743,6 +739,29 @@ circuit_extend(cell_t *cell, circuit_t *circ)
 
   onionskin = cell->payload+RELAY_HEADER_SIZE+4+2;
   id_digest = cell->payload+RELAY_HEADER_SIZE+4+2+ONIONSKIN_CHALLENGE_LEN;
+
+  /* First, check if they asked us for 0000..0000. We support using
+   * an empty fingerprint for the first hop (e.g. for a bridge relay),
+   * but we don't want to let people send us extend cells for empty
+   * fingerprints -- a) because it opens the user up to a mitm attack,
+   * and b) because it lets an attacker force the relay to hold open a
+   * new TLS connection for each extend request. */
+  if (tor_digest_is_zero(id_digest)) {
+    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+           "Client asked me to extend without specifying an id_digest.");
+    return -1;
+  }
+
+  /* Next, check if we're being asked to connect to the hop that the
+   * extend cell came from. There isn't any reason for that, and it can
+   * assist circular-path attacks. */
+  if (!memcmp(id_digest, TO_OR_CIRCUIT(circ)->p_conn->identity_digest,
+              DIGEST_LEN)) {
+    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+           "Client asked me to extend back to the previous hop.");
+    return -1;
+  }
+
   n_conn = connection_or_get_by_identity_digest(id_digest);
 
   /* If we don't have an open conn, or the conn we have is obsolete
@@ -755,8 +774,8 @@ circuit_extend(cell_t *cell, circuit_t *circ)
     char tmpbuf[INET_NTOA_BUF_LEN];
     in.s_addr = htonl(circ->n_addr);
     tor_inet_ntoa(&in,tmpbuf,sizeof(tmpbuf));
-    log_info(LD_CIRC|LD_OR,"Next router (%s:%d) not connected. Connecting.",
-             tmpbuf, circ->n_port);
+    log_debug(LD_CIRC|LD_OR,"Next router (%s:%d) not connected. Connecting.",
+              tmpbuf, circ->n_port);
 
     circ->n_conn_onionskin = tor_malloc(ONIONSKIN_CHALLENGE_LEN);
     memcpy(circ->n_conn_onionskin, onionskin, ONIONSKIN_CHALLENGE_LEN);
@@ -1045,11 +1064,11 @@ new_route_len(uint8_t purpose, extend_info_t *exit,
       purpose != CIRCUIT_PURPOSE_S_ESTABLISH_INTRO)
     routelen++;
 
-  log_debug(LD_CIRC,"Chosen route length %d (%d routers available).",
-            routelen, smartlist_len(routers));
-
   num_acceptable_routers = count_acceptable_routers(routers);
 
+  log_debug(LD_CIRC,"Chosen route length %d (%d/%d routers available).",
+            routelen, num_acceptable_routers, smartlist_len(routers));
+
   if (num_acceptable_routers < 2) {
     log_info(LD_CIRC,
              "Not enough acceptable routers (%d). Discarding this circuit.",
@@ -1143,6 +1162,9 @@ ap_stream_wants_exit_attention(connection_t *conn)
   if (conn->type == CONN_TYPE_AP &&
       conn->state == AP_CONN_STATE_CIRCUIT_WAIT &&
       !conn->marked_for_close &&
+      !(TO_EDGE_CONN(conn)->want_onehop) && /* ignore one-hop streams */
+      !(TO_EDGE_CONN(conn)->use_begindir) && /* ignore targeted dir fetches */
+      !(TO_EDGE_CONN(conn)->chosen_exit_name) && /* ignore defined streams */
       !connection_edge_is_rendezvous_stream(TO_EDGE_CONN(conn)) &&
       !circuit_stream_is_being_handled(TO_EDGE_CONN(conn), 0,
                                        MIN_CIRCUITS_HANDLING_STREAM))
@@ -1236,6 +1258,11 @@ choose_good_exit_server_general(routerlist_t *dir, int need_uptime,
 //               router->nickname, i);
       }
     }); /* End looping over connections. */
+    if (n_pending_connections > 0 && n_supported[i] == 0) {
+      /* Leave best_support at -1 if that's where it is, so we can
+       * distinguish it later. */
+      continue;
+    }
     if (n_supported[i] > best_support) {
       /* If this router is better than previous ones, remember its index
        * and goodness, and start counting how many routers are this good. */
@@ -1961,7 +1988,7 @@ log_entry_guards(int severity)
     {
       tor_snprintf(buf, sizeof(buf), "%s (%s%s)",
                    e->nickname,
-                   e->bad_since ? "down " : "up ",
+                   entry_is_live(e, 0, 1, 0) ? "up " : "down ",
                    e->made_contact ? "made-contact" : "never-contacted");
       smartlist_add(elements, tor_strdup(buf));
     });
@@ -2169,7 +2196,7 @@ entry_guards_compute_status(void)
 {
   time_t now;
   int changed = 0;
-  int severity = LOG_INFO;
+  int severity = LOG_DEBUG;
   or_options_t *options;
   if (! entry_guards)
     return;
@@ -2182,26 +2209,28 @@ entry_guards_compute_status(void)
     {
       routerinfo_t *r = router_get_by_digest(entry->identity);
       const char *reason = NULL;
+      /*XXX021 log reason again. */
       if (entry_guard_set_status(entry, r, now, options, &reason))
         changed = 1;
 
       if (entry->bad_since)
         tor_assert(reason);
-
-      log_info(LD_CIRC, "Summary: Entry '%s' is %s, %s%s, and %s.",
-               entry->nickname,
-               entry->unreachable_since ? "unreachable" : "reachable",
-               entry->bad_since ? "unusable: " : "usable",
-               entry->bad_since ? reason : "",
-               entry_is_live(entry, 0, 1, 0) ? "live" : "not live");
     });
 
   if (remove_dead_entry_guards())
     changed = 1;
 
+  severity = changed ? LOG_DEBUG : LOG_INFO;
+
   if (changed) {
-    log_fn(severity, LD_CIRC, "    (%d/%d entry guards are usable/new)",
-           num_live_entry_guards(), smartlist_len(entry_guards));
+    SMARTLIST_FOREACH(entry_guards, entry_guard_t *, entry,
+        log_info(LD_CIRC, "Summary: Entry '%s' is %s, %s, and %s.",
+               entry->nickname,
+               entry->unreachable_since ? "unreachable" : "reachable",
+               entry->bad_since ? "unusable" : "usable",
+               entry_is_live(entry, 0, 1, 0) ? "live" : "not live"));
+    log_info(LD_CIRC, "    (%d/%d entry guards are usable/new)",
+             num_live_entry_guards(), smartlist_len(entry_guards));
     log_entry_guards(LOG_INFO);
     entry_guards_changed();
   }
@@ -2474,8 +2503,13 @@ choose_random_entry(cpath_build_state_t *state)
        * be a long time til we get it. -RD */
       r = add_an_entry_guard(NULL, 0);
       if (r) {
-        smartlist_add(live_entry_guards, r);
         entry_guards_changed();
+        /* XXX we start over here in case the new node we added shares
+         * a family with our exit node. There's a chance that we'll just
+         * load up on entry guards here, if the network we're using is
+         * one big family. Perhaps we should teach add_an_entry_guard()
+         * to understand nodes-to-avoid-if-possible? -RD */
+        goto retry;
       }
     }
     if (!r && need_uptime) {

src/or/circuitlist.c

@@ -1,7 +1,7 @@
 /* Copyright 2001 Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char circuitlist_c_id[] =
@@ -661,6 +661,14 @@ circuit_get_by_circid_orconn(uint16_t circ_id, or_connection_t *conn)
     return circ;
 }
 
+/** Return true iff the circuit ID <b>circ_id</b> is currently used by a
+ * circuit, marked or not, on <b>conn</b>. */
+int
+circuit_id_in_use_on_orconn(uint16_t circ_id, or_connection_t *conn)
+{
+  return circuit_get_by_circid_orconn_impl(circ_id, conn) != NULL;
+}
+
 /** Return the circuit that a given edge connection is using. */
 circuit_t *
 circuit_get_by_edge_conn(edge_connection_t *conn)
@@ -814,9 +822,9 @@ circuit_find_to_cannibalize(uint8_t purpose, extend_info_t *info,
 
   circuit_t *_circ;
   origin_circuit_t *best=NULL;
-  int need_uptime = flags & CIRCLAUNCH_NEED_UPTIME;
-  int need_capacity = flags & CIRCLAUNCH_NEED_CAPACITY;
-  int internal = flags & CIRCLAUNCH_IS_INTERNAL;
+  int need_uptime = (flags & CIRCLAUNCH_NEED_UPTIME) != 0;
+  int need_capacity = (flags & CIRCLAUNCH_NEED_CAPACITY) != 0;
+  int internal = (flags & CIRCLAUNCH_IS_INTERNAL) != 0;
 
   log_debug(LD_CIRC,
             "Hunting for a circ to cannibalize: purpose %d, uptime %d, "

src/or/circuituse.c

@@ -1,7 +1,7 @@
 /* Copyright (c) 2001 Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char circuituse_c_id[] =
@@ -95,10 +95,19 @@ circuit_is_acceptable(circuit_t *circ, edge_connection_t *conn,
       tor_assert(conn->chosen_exit_name);
       if (build_state->chosen_exit) {
         char digest[DIGEST_LEN];
-        if (hexdigest_to_digest(conn->chosen_exit_name, digest) < 0 ||
-            memcmp(digest, build_state->chosen_exit->identity_digest,
-                   DIGEST_LEN))
+        if (hexdigest_to_digest(conn->chosen_exit_name, digest) < 0)
+          return 0; /* broken digest, we don't want it */
+        if (memcmp(digest, build_state->chosen_exit->identity_digest,
+                          DIGEST_LEN))
           return 0; /* this is a circuit to somewhere else */
+        if (tor_digest_is_zero(digest)) {
+          /* we don't know the digest; have to compare addr:port */
+          struct in_addr in;
+          if (!tor_inet_aton(conn->socks_request->address, &in) ||
+              build_state->chosen_exit->addr != ntohl(in.s_addr) ||
+              build_state->chosen_exit->port != conn->socks_request->port)
+            return 0;
+        }
       }
     } else {
       if (conn->want_onehop) {
@@ -210,15 +219,22 @@ circuit_expire_building(time_t now)
 {
   circuit_t *victim, *circ = global_circuitlist;
   time_t cutoff = now - get_options()->CircuitBuildTimeout;
+  time_t begindir_cutoff = now - get_options()->CircuitBuildTimeout/2;
+  cpath_build_state_t *build_state;
 
   while (circ) {
     victim = circ;
     circ = circ->next;
     if (!CIRCUIT_IS_ORIGIN(victim) || /* didn't originate here */
-        victim->timestamp_created > cutoff || /* Not old enough to expire */
         victim->marked_for_close) /* don't mess with marked circs */
       continue;
 
+    build_state = TO_ORIGIN_CIRCUIT(victim)->build_state;
+    if (victim->timestamp_created >
+        ((build_state && build_state->onehop_tunnel) ?
+         begindir_cutoff : cutoff))
+      continue; /* it's still young, leave it alone */
+
 #if 0
     /* some debug logs, to help track bugs */
     if (victim->purpose >= CIRCUIT_PURPOSE_C_INTRODUCING &&
@@ -456,7 +472,7 @@ circuit_predict_and_launch_new(void)
 void
 circuit_build_needed_circs(time_t now)
 {
-  static long time_to_new_circuit = 0;
+  static time_t time_to_new_circuit = 0;
   or_options_t *options = get_options();
 
   /* launch a new circ for any pending streams that need one */
@@ -739,6 +755,9 @@ circuit_build_failed(origin_circuit_t *circ)
       entry_guard_register_connect_status(n_conn->identity_digest, 0,
                                           time(NULL));
     }
+    /* if there are any one-hop streams waiting on this circuit, fail
+     * them now so they can retry elsewhere. */
+    connection_ap_fail_onehop(circ->_base.n_conn_id_digest, circ->build_state);
   }
 
   switch (circ->_base.purpose) {
@@ -833,7 +852,7 @@ circuit_launch_by_extend_info(uint8_t purpose,
                               int flags)
 {
   origin_circuit_t *circ;
-  int onehop_tunnel = flags & CIRCLAUNCH_ONEHOP_TUNNEL;
+  int onehop_tunnel = (flags & CIRCLAUNCH_ONEHOP_TUNNEL) != 0;
 
   if (!onehop_tunnel && !router_have_minimum_dir_info()) {
     log_debug(LD_CIRC,"Haven't fetched enough directory info yet; canceling "
@@ -996,17 +1015,40 @@ circuit_get_open_circ_or_launch(edge_connection_t *conn,
 
   /* Do we need to check exit policy? */
   if (check_exit_policy) {
-    struct in_addr in;
-    uint32_t addr = 0;
-    if (tor_inet_aton(conn->socks_request->address, &in))
-      addr = ntohl(in.s_addr);
-    if (router_exit_policy_all_routers_reject(addr, conn->socks_request->port,
-                                              need_uptime)) {
-      log_notice(LD_APP,
-                 "No Tor server exists that allows exit to %s:%d. Rejecting.",
-                 safe_str(conn->socks_request->address),
-                 conn->socks_request->port);
-      return -1;
+    if (!conn->chosen_exit_name) {
+      struct in_addr in;
+      uint32_t addr = 0;
+      if (tor_inet_aton(conn->socks_request->address, &in))
+        addr = ntohl(in.s_addr);
+      if (router_exit_policy_all_routers_reject(addr,
+                                                conn->socks_request->port,
+                                                need_uptime)) {
+        log_notice(LD_APP,
+                   "No Tor server exists that allows exit to %s:%d. "
+                   "Rejecting.",
+                   safe_str(conn->socks_request->address),
+                   conn->socks_request->port);
+        return -1;
+      }
+    } else {
+      /* XXXX021 Duplicates checks in connection_ap_handshake_attach_circuit
+       * XXXX021 Fix this, then backport it? */
+      routerinfo_t *router = router_get_by_nickname(conn->chosen_exit_name, 1);
+      int opt = conn->_base.chosen_exit_optional;
+      if (router && !connection_ap_can_use_exit(conn, router)) {
+        log_fn(opt ? LOG_INFO : LOG_WARN, LD_APP,
+               "Requested exit point '%s' would refuse request. %s.",
+               conn->chosen_exit_name, opt ? "Trying others" : "Closing");
+        if (opt) {
+          conn->_base.chosen_exit_optional = 0;
+          tor_free(conn->chosen_exit_name);
+          /* Try again. */
+          return circuit_get_open_circ_or_launch(conn,
+                                                 desired_circuit_purpose,
+                                                 circp);
+        }
+        return -1;
+      }
     }
   }
 

src/or/command.c

@@ -1,7 +1,7 @@
 /* Copyright (c) 2001 Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char command_c_id[] =
@@ -252,7 +252,7 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn)
     return;
   }
 
-  if (circuit_get_by_circid_orconn(cell->circ_id, conn)) {
+  if (circuit_id_in_use_on_orconn(cell->circ_id, conn)) {
     routerinfo_t *router = router_get_by_digest(conn->identity_digest);
     log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
            "Received CREATE cell (circID %d) for known circ. "
@@ -577,8 +577,11 @@ command_process_netinfo_cell(cell_t *cell, or_connection_t *conn)
   if (labs(apparent_skew) > NETINFO_NOTICE_SKEW &&
       router_get_by_digest(conn->identity_digest)) {
     char dbuf[64];
-    /*XXXX This should check the trustedness of the other side. */
-    int severity = server_mode(get_options()) ? LOG_INFO : LOG_WARN;
+    int severity;
+    if (router_digest_is_trusted_dir(conn->identity_digest))
+      severity = LOG_WARN;
+    else
+      severity = LOG_INFO;
     format_time_interval(dbuf, sizeof(dbuf), apparent_skew);
     log_fn(severity, LD_GENERAL, "Received NETINFO cell with skewed time from "
            "server at %s:%d.  It seems that our clock is %s by %s, or "

src/or/config.c

@@ -1,7 +1,7 @@
 /* Copyright (c) 2001 Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char config_c_id[] = \
@@ -198,8 +198,13 @@ static config_var_t _option_vars[] = {
   V(FetchServerDescriptors,      BOOL,     "1"),
   V(FetchHidServDescriptors,     BOOL,     "1"),
   V(FetchUselessDescriptors,     BOOL,     "0"),
-  V(GeoIPFile,                   STRING,   NULL),
-  V(Group,                       STRING,   NULL),
+#ifdef WIN32
+  V(GeoIPFile,                   STRING,   "<default>"),
+#else
+  V(GeoIPFile,                   STRING,
+    SHARE_DATADIR PATH_SEPARATOR "tor" PATH_SEPARATOR "geoip"),
+#endif
+  OBSOLETE("Group"),
   V(HardwareAccel,               BOOL,     "0"),
   V(HashedControlPassword,       LINELIST, NULL),
   V(HidServDirectoryV2,          BOOL,     "0"),
@@ -243,7 +248,7 @@ static config_var_t _option_vars[] = {
   V(OutboundBindAddress,         STRING,   NULL),
   OBSOLETE("PathlenCoinWeight"),
   V(PidFile,                     STRING,   NULL),
-  V(PreferTunneledDirConns,      BOOL,     "0"),
+  V(PreferTunneledDirConns,      BOOL,     "1"),
   V(ProtocolWarnings,            BOOL,     "0"),
   V(PublishServerDescriptor,     CSV,      "1"),
   V(PublishHidServDescriptors,   BOOL,     "1"),
@@ -266,9 +271,10 @@ static config_var_t _option_vars[] = {
   V(RunTesting,                  BOOL,     "0"),
   V(SafeLogging,                 BOOL,     "1"),
   V(SafeSocks,                   BOOL,     "0"),
-  V(ServerDNSAllowBrokenResolvConf, BOOL,  "0"),
+  V(ServerDNSAllowBrokenResolvConf, BOOL,  "1"),
   V(ServerDNSAllowNonRFC953Hostnames, BOOL,"0"),
   V(ServerDNSDetectHijacking,    BOOL,     "1"),
+  V(ServerDNSRandomizeCase,      BOOL,     "1"),
   V(ServerDNSResolvConfFile,     STRING,   NULL),
   V(ServerDNSSearchDomains,      BOOL,     "0"),
   V(ServerDNSTestAddresses,      CSV,
@@ -289,7 +295,7 @@ static config_var_t _option_vars[] = {
   OBSOLETE("TrafficShaping"),
   V(TransListenAddress,          LINELIST, NULL),
   V(TransPort,                   UINT,     "0"),
-  V(TunnelDirConns,              BOOL,     "0"),
+  V(TunnelDirConns,              BOOL,     "1"),
   V(UpdateBridgesFromAuthority,  BOOL,     "0"),
   V(UseBridges,                  BOOL,     "0"),
   V(UseEntryGuards,              BOOL,     "1"),
@@ -301,6 +307,7 @@ static config_var_t _option_vars[] = {
   V(V3AuthVoteDelay,             INTERVAL, "5 minutes"),
   V(V3AuthDistDelay,             INTERVAL, "5 minutes"),
   V(V3AuthNIntervalsValid,       UINT,     "3"),
+  V(V3AuthUseLegacyKey,          BOOL,     "0"),
   VAR("VersioningAuthoritativeDirectory",BOOL,VersioningAuthoritativeDir, "0"),
   V(VirtualAddrNetwork,          STRING,   "127.192.0.0/10"),
   V(WarnPlaintextPorts,          CSV,      "23,109,110,143"),
@@ -385,7 +392,6 @@ static config_var_description_t options_description[] = {
   /* { "FastFirstHopPK", "" }, */
   /* FetchServerDescriptors, FetchHidServDescriptors,
    * FetchUselessDescriptors */
-  { "Group", "On startup, setgid to this group." },
   { "HardwareAccel", "If set, Tor tries to use hardware crypto accelerators "
     "when it can." },
   /* HashedControlPassword */
@@ -599,6 +605,9 @@ typedef struct {
                *(uint32_t*)STRUCT_VAR_P(cfg,fmt->magic_offset));        \
   STMT_END
 
+#ifdef MS_WINDOWS
+static char *get_windows_conf_root(void);
+#endif
 static void config_line_append(config_line_t **lst,
                                const char *key, const char *val);
 static void option_clear(config_format_t *fmt, or_options_t *options,
@@ -822,23 +831,21 @@ add_default_trusted_dir_authorities(authority_type_t type)
 {
   int i;
   const char *dirservers[] = {
-    "moria1 v1 orport=9001 v3ident=5420FD8EA46BD4290F1D07A1883C9D85ECC486C4 "
+    "moria1 v1 orport=9001 v3ident=E2A2AF570166665D738736D0DD58169CC61D8A8B "
       "128.31.0.34:9031 FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441",
     "moria2 v1 orport=9002 128.31.0.34:9032 "
       "719B E45D E224 B607 C537 07D0 E214 3E2D 423E 74CF",
-    "tor26 v1 orport=443 v3ident=A9AC67E64B200BBF2FA26DF194AC0469E2A948C6 "
+    "tor26 v1 orport=443 v3ident=14C131DFC5C6F93646BE72FA1401C02A8DF2E8B4 "
       "86.59.21.38:80 847B 1F85 0344 D787 6491 A548 92F9 0493 4E4E B85D",
-    "lefkada orport=443 v3ident=0D95B91896E6089AB9A3C6CB56E724CAF898C43F "
-      "140.247.60.64:80 38D4 F5FC F7B1 0232 28B8 95EA 56ED E7D5 CCDC AF32",
-    "dizum 194.109.206.212:80 "
-      "7EA6 EAD6 FD83 083C 538F 4403 8BBF A077 587D D755",
+    "dizum orport=443 v3ident=E8A9C45EDE6D711294FADF8E7951F4DE6CA56B58 "
+      "194.109.206.212:80 7EA6 EAD6 FD83 083C 538F 4403 8BBF A077 587D D755",
     "Tonga orport=443 bridge no-v2 82.94.251.206:80 "
       "4A0C CD2D DC79 9508 3D73 F5D6 6710 0C8A 5831 F16D",
     "ides orport=9090 no-v2 v3ident=27B6B5996C426270A5C95488AA5BCEB6BCC86956 "
       "216.224.124.114:9030 F397 038A DC51 3361 35E7 B80B D99C A384 4360 292B",
     "gabelmoo orport=443 no-v2 "
-      "v3ident=EAA879B5C75032E462CB018630D2D0DF46EBA606 "
-      "88.198.7.215:80 6833 3D07 61BC F397 A587 A0C0 B963 E4A9 E99E C4D3",
+      "v3ident=81349FC1F2DBA2C2C11B45CB9706637D480AB913 "
+      "80.190.246.100:80 6833 3D07 61BC F397 A587 A0C0 B963 E4A9 E99E C4D3",
     "dannenberg orport=443 no-v2 "
       "v3ident=585769C78764D58426B8B52B6651A5A71137189A "
       "213.73.91.31:80 7BE6 83E6 5D48 1413 21C5 ED92 F075 C553 64AC 7123",
@@ -1013,14 +1020,21 @@ options_act_reversible(or_options_t *old_options, char **msg)
     }
   }
 
+#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
+  /* Open /dev/pf before dropping privileges. */
+  if (options->TransPort) {
+    if (get_pf_socket() < 0) {
+      *msg = tor_strdup("Unable to open /dev/pf for transparent proxy.");
+      goto rollback;
+    }
+  }
+#endif
+
   /* Setuid/setgid as appropriate */
-  if (options->User || options->Group) {
-    /* XXXX021 We should only do this the first time through, not on
-     * every setconf. */
-    if (switch_id(options->User, options->Group) != 0) {
+  if (options->User) {
+    if (switch_id(options->User) != 0) {
       /* No need to roll back, since you can't change the value. */
-      *msg = tor_strdup("Problem with User or Group value. "
-                        "See logs for details.");
+      *msg = tor_strdup("Problem with User value. See logs for details.");
       goto done;
     }
   }
@@ -1250,7 +1264,20 @@ options_act(or_options_t *old_options)
   if (options->GeoIPFile &&
       ((!old_options || !opt_streq(old_options->GeoIPFile, options->GeoIPFile))
        || !geoip_is_loaded())) {
-    geoip_load_file(options->GeoIPFile);
+    /* XXXX021 Don't use this "<default>" junk; make our filename options
+     * understand prefixes somehow. -NM */
+    char *actual_fname = tor_strdup(options->GeoIPFile);
+#ifdef WIN32
+    if (!strcmp(actual_fname, "<default>")) {
+      const char *conf_root = get_windows_conf_root();
+      size_t len = strlen(conf_root)+16;
+      tor_free(actual_fname);
+      actual_fname = tor_malloc(len+1);
+      tor_snprintf(actual_fname, len, "%s\\geoip", conf_root);
+    }
+#endif
+    geoip_load_file(actual_fname, options);
+    tor_free(actual_fname);
   }
   /* Check if we need to parse and add the EntryNodes config option. */
   if (options->EntryNodes &&
@@ -1838,9 +1865,9 @@ get_assigned_option(config_format_t *fmt, or_options_t *options,
         result->value = tor_strdup("");
       break;
     case CONFIG_TYPE_OBSOLETE:
-      log_warn(LD_CONFIG,
-               "You asked me for the value of an obsolete config option '%s'.",
-               key);
+      log_fn(LOG_PROTOCOL_WARN, LD_CONFIG,
+             "You asked me for the value of an obsolete config option '%s'.",
+             key);
       tor_free(result->key);
       tor_free(result);
       return NULL;
@@ -2086,7 +2113,7 @@ print_usage(void)
   printf(
 "Copyright (c) 2001-2004, Roger Dingledine\n"
 "Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson\n"
-"Copyright (c) 2007-2008, The Tor Project, Inc.\n\n"
+"Copyright (c) 2007-2009, The Tor Project, Inc.\n\n"
 "tor -f <torrc> [args]\n"
 "See man page for options, or https://www.torproject.org/ for "
 "documentation.\n");
@@ -2654,6 +2681,15 @@ compute_publishserverdescriptor(or_options_t *options)
 /** Highest allowable value for RendPostPeriod. */
 #define MAX_DIR_PERIOD (MIN_ONION_KEY_LIFETIME/2)
 
+/** Lowest allowable value for CircuitBuildTimeout; values too low will
+ * increase network load because of failing connections being retried, and
+ * might prevent users from connecting to the network at all. */
+#define MIN_CIRCUIT_BUILD_TIMEOUT 30
+
+/** Lowest allowable value for MaxCircuitDirtiness; if this is too low, Tor
+ * will generate too many circuits and potentially overload the network. */
+#define MIN_MAX_CIRCUIT_DIRTINESS 10
+
 /** Return 0 if every setting in <b>options</b> is reasonable, and a
  * permissible transition from <b>old_options</b>. Else return -1.
  * Should have no side effects, except for normalizing the contents of
@@ -3057,6 +3093,18 @@ options_validate(or_options_t *old_options, or_options_t *options,
     options->RendPostPeriod = MAX_DIR_PERIOD;
   }
 
+  if (options->CircuitBuildTimeout < MIN_CIRCUIT_BUILD_TIMEOUT) {
+    log(LOG_WARN, LD_CONFIG, "CircuitBuildTimeout option is too short; "
+      "raising to %d seconds.", MIN_CIRCUIT_BUILD_TIMEOUT);
+    options->CircuitBuildTimeout = MIN_CIRCUIT_BUILD_TIMEOUT;
+  }
+
+  if (options->MaxCircuitDirtiness < MIN_MAX_CIRCUIT_DIRTINESS) {
+    log(LOG_WARN, LD_CONFIG, "MaxCircuitDirtiness option is too short; "
+      "raising to %d seconds.", MIN_MAX_CIRCUIT_DIRTINESS);
+    options->MaxCircuitDirtiness = MIN_MAX_CIRCUIT_DIRTINESS;
+  }
+
   if (options->KeepalivePeriod < 1)
     REJECT("KeepalivePeriod option must be positive.");
 
@@ -3117,6 +3165,13 @@ options_validate(or_options_t *old_options, or_options_t *options,
   if (options->BandwidthRate > options->BandwidthBurst)
     REJECT("BandwidthBurst must be at least equal to BandwidthRate.");
 
+  /* if they set relaybandwidth* really high but left bandwidth*
+   * at the default, raise the defaults. */
+  if (options->RelayBandwidthRate > options->BandwidthRate)
+    options->BandwidthRate = options->RelayBandwidthRate;
+  if (options->RelayBandwidthBurst > options->BandwidthBurst)
+    options->BandwidthBurst = options->RelayBandwidthBurst;
+
   if (accounting_parse_options(options, 1)<0)
     REJECT("Failed to parse accounting options. See logs for details.");
 
@@ -3417,6 +3472,8 @@ options_transition_affects_descriptor(or_options_t *old_options,
         new_options->_PublishServerDescriptor ||
       old_options->BandwidthRate != new_options->BandwidthRate ||
       old_options->BandwidthBurst != new_options->BandwidthBurst ||
+      old_options->MaxAdvertisedBandwidth !=
+        new_options->MaxAdvertisedBandwidth ||
       !opt_streq(old_options->ContactInfo, new_options->ContactInfo) ||
       !opt_streq(old_options->MyFamily, new_options->MyFamily) ||
       !opt_streq(old_options->AccountingStart, new_options->AccountingStart) ||
@@ -3528,6 +3585,7 @@ options_init_from_torrc(int argc, char **argv)
   int i, retval;
   int using_default_torrc;
   int ignore_missing_torrc;
+  int ignore_torrc = 0;
   static char **backup_argv;
   static int backup_argc;
 
@@ -3590,11 +3648,12 @@ options_init_from_torrc(int argc, char **argv)
       newoptions->command = CMD_HASH_PASSWORD;
       newoptions->command_arg = tor_strdup( (i < argc-1) ? argv[i+1] : "");
       ++i;
+      ignore_torrc = 1;
     } else if (!strcmp(argv[i],"--verify-config")) {
       newoptions->command = CMD_VERIFY_CONFIG;
     }
   }
-  if (using_default_torrc) {
+  if (using_default_torrc && !ignore_torrc) {
     /* didn't find one, try CONFDIR */
     const char *dflt = get_default_conf_file();
     if (dflt && file_status(dflt) == FN_FILE) {
@@ -3614,16 +3673,20 @@ options_init_from_torrc(int argc, char **argv)
 #endif
     }
   }
-  tor_assert(fname);
-  log(LOG_DEBUG, LD_CONFIG, "Opening config file \"%s\"", fname);
+  if (!ignore_torrc) {
+    tor_assert(fname);
+    log(LOG_DEBUG, LD_CONFIG, "Opening config file \"%s\"", fname);
 
-  tor_free(torrc_fname);
-  torrc_fname = fname;
+    tor_free(torrc_fname);
+    torrc_fname = fname;
+  }
 
   /* get config lines, assign them */
-  if (file_status(fname) != FN_FILE ||
+  if (ignore_torrc) {
+    cf = tor_strdup("");
+  } else if (file_status(fname) != FN_FILE ||
       !(cf = read_file_to_str(fname,0,NULL))) {
-    if (using_default_torrc == 1 || ignore_missing_torrc ) {
+    if (using_default_torrc == 1 || ignore_missing_torrc) {
       log(LOG_NOTICE, LD_CONFIG, "Configuration file \"%s\" not present, "
           "using reasonable defaults.", fname);
       tor_free(fname); /* sets fname to NULL */
@@ -3633,7 +3696,8 @@ options_init_from_torrc(int argc, char **argv)
           "Unable to open configuration file \"%s\".", fname);
       goto err;
     }
-  } else { /* it opened successfully. use it. */
+  }
+  if (cf) { /* It opened successfully. use it. */
     retval = config_get_lines(cf, &cl);
     tor_free(cf);
     if (retval < 0)
@@ -3824,7 +3888,8 @@ options_init_logs(or_options_t *options, int validate_only)
       }
       if (!validate_only) {
         if (add_file_log(levelMin, levelMax, smartlist_get(elts, 2)) < 0) {
-          log_warn(LD_CONFIG, "Couldn't open file for 'Log %s'", opt->value);
+          log_warn(LD_CONFIG, "Couldn't open file for 'Log %s': %s",
+                   opt->value, strerror(errno));
           ok = 0;
         }
       }
@@ -3836,6 +3901,9 @@ options_init_logs(or_options_t *options, int validate_only)
       ok = 0; goto cleanup;
     }
     if (!strcasecmp(smartlist_get(elts,1), "stdout")) {
+      /* Starting in 0.2.1.x, we will just decline to open the log file
+       * to stdout, rather than failing the whole program. But I'm leaving
+       * this intact for here so we can stabilize 0.2.0.x. -RD */
       if (daemon) {
         log_warn(LD_CONFIG, "Can't log to stdout with RunAsDaemon set.");
         ok = 0; goto cleanup;

src/or/connection.c

@@ -1,7 +1,7 @@
 /* Copyright (c) 2001 Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char connection_c_id[] =
@@ -166,7 +166,8 @@ conn_state_to_string(int type, int state)
 connection_t *
 connection_new(int type, int socket_family)
 {
-  static uint32_t n_connections_allocated = 1;
+  static uint64_t n_connections_allocated = 1;
+
   connection_t *conn;
   time_t now = time(NULL);
   size_t length;
@@ -200,6 +201,7 @@ connection_new(int type, int socket_family)
   conn->magic = magic;
   conn->s = -1; /* give it a default of 'not used' */
   conn->conn_array_index = -1; /* also default to 'not used' */
+  conn->global_identifier = n_connections_allocated++;
 
   conn->type = type;
   conn->socket_family = socket_family;
@@ -211,9 +213,6 @@ connection_new(int type, int socket_family)
     TO_EDGE_CONN(conn)->socks_request =
       tor_malloc_zero(sizeof(socks_request_t));
   }
-  if (CONN_IS_EDGE(conn)) {
-    TO_EDGE_CONN(conn)->global_identifier = n_connections_allocated++;
-  }
   if (type == CONN_TYPE_OR) {
     TO_OR_CONN(conn)->timestamp_last_added_nonpadding = now;
     TO_OR_CONN(conn)->next_circ_id = crypto_rand_int(1<<15);
@@ -479,13 +478,20 @@ connection_about_to_close_connection(connection_t *conn)
          * failed: forget about this router, and maybe try again. */
         connection_dir_request_failed(dir_conn);
       }
-      if (conn->purpose == DIR_PURPOSE_FETCH_RENDDESC)
-        rend_client_desc_here(dir_conn->rend_query); /* give it a try */
+      if (conn->purpose == DIR_PURPOSE_FETCH_RENDDESC) {
+        /* Give it a try. However, there is no re-fetching for v0 rend
+         * descriptors; if the response is empty or the descriptor is
+         * unusable, close pending connections (unless a v2 request is
+         * still in progress). */
+        rend_client_desc_trynow(dir_conn->rend_query, 0);
+      }
       /* If we were trying to fetch a v2 rend desc and did not succeed,
        * retry as needed. (If a fetch is successful, the connection state
        * is changed to DIR_PURPOSE_HAS_FETCHED_RENDDESC to mark that
        * refetching is unnecessary.) */
-      if (conn->purpose == DIR_PURPOSE_FETCH_RENDDESC_V2)
+      if (conn->purpose == DIR_PURPOSE_FETCH_RENDDESC_V2 &&
+          dir_conn->rend_query &&
+          strlen(dir_conn->rend_query) == REND_SERVICE_ID_LEN_BASE32)
         rend_client_refetch_v2_renddesc(dir_conn->rend_query);
       break;
     case CONN_TYPE_OR:
@@ -1576,8 +1582,16 @@ connection_buckets_decrement(connection_t *conn, time_t now,
 {
   if (!connection_is_rate_limited(conn))
     return; /* local IPs are free */
-  tor_assert(num_read < INT_MAX);
-  tor_assert(num_written < INT_MAX);
+  if (num_written >= INT_MAX || num_read >= INT_MAX) {
+    log_err(LD_BUG, "Value out of range. num_read=%lu, num_written=%lu, "
+             "connection type=%s, state=%s",
+             (unsigned long)num_read, (unsigned long)num_written,
+             conn_type_to_string(conn->type),
+             conn_state_to_string(conn->type, conn->state));
+    if (num_written >= INT_MAX) num_written = 1;
+    if (num_read >= INT_MAX) num_read = 1;
+    tor_fragile_assert();
+  }
 
   if (num_read > 0)
     rep_hist_note_bytes_read(num_read, now);
@@ -1708,7 +1722,7 @@ connection_bucket_refill(int seconds_elapsed, time_t now)
   tor_assert(seconds_elapsed >= 0);
 
   write_buckets_empty_last_second =
-    global_relayed_write_bucket == 0 || global_write_bucket == 0;
+    global_relayed_write_bucket <= 0 || global_write_bucket <= 0;
 
   /* refill the global buckets */
   connection_bucket_refill_helper(&global_read_bucket,
@@ -1832,13 +1846,13 @@ loop_again:
   before = buf_datalen(conn->inbuf);
   if (connection_read_to_buf(conn, &max_to_read) < 0) {
     /* There's a read error; kill the connection.*/
-    connection_close_immediate(conn); /* Don't flush; connection is dead. */
     if (CONN_IS_EDGE(conn)) {
       edge_connection_t *edge_conn = TO_EDGE_CONN(conn);
       connection_edge_end_errno(edge_conn);
       if (edge_conn->socks_request) /* broken, don't send a socks reply back */
         edge_conn->socks_request->has_finished = 1;
     }
+    connection_close_immediate(conn); /* Don't flush; connection is dead. */
     connection_mark_for_close(conn);
     return -1;
   }
@@ -1957,14 +1971,14 @@ connection_read_to_buf(connection_t *conn, int *max_to_read)
     switch (result) {
       case TOR_TLS_CLOSE:
       case TOR_TLS_ERROR_IO:
-        log_info(LD_NET,"TLS connection closed %son read. Closing. "
+        log_debug(LD_NET,"TLS connection closed %son read. Closing. "
                  "(Nickname %s, address %s",
                  result == TOR_TLS_CLOSE ? "cleanly " : "",
                  or_conn->nickname ? or_conn->nickname : "not set",
                  conn->address);
         return result;
       CASE_TOR_TLS_ERROR_ANY_NONIO:
-        log_info(LD_NET,"tls error [%s]. breaking (nickname %s, address %s).",
+        log_debug(LD_NET,"tls error [%s]. breaking (nickname %s, address %s).",
                  tor_tls_err_to_string(result),
                  or_conn->nickname ? or_conn->nickname : "not set",
                  conn->address);
@@ -2365,26 +2379,6 @@ _connection_write_to_buf_impl(const char *string, size_t len,
   }
 }
 
-/** Return the conn to addr/port that has the most recent
- * timestamp_created, or NULL if no such conn exists. */
-or_connection_t *
-connection_or_exact_get_by_addr_port(uint32_t addr, uint16_t port)
-{
-  or_connection_t *best=NULL;
-  smartlist_t *conns = get_connection_array();
-
-  SMARTLIST_FOREACH(conns, connection_t *, conn,
-  {
-    if (conn->type == CONN_TYPE_OR &&
-        conn->addr == addr &&
-        conn->port == port &&
-        !conn->marked_for_close &&
-        (!best || best->_base.timestamp_created < conn->timestamp_created))
-      best = TO_OR_CONN(conn);
-  });
-  return best;
-}
-
 /** Return a connection with given type, address, port, and purpose;
  * or NULL if no such connection exists. */
 connection_t *
@@ -2408,18 +2402,14 @@ connection_get_by_type_addr_port_purpose(int type,
 /** Return the stream with id <b>id</b> if it is not already marked for
  * close.
  */
-edge_connection_t *
-connection_get_by_global_id(uint32_t id)
+connection_t *
+connection_get_by_global_id(uint64_t id)
 {
   smartlist_t *conns = get_connection_array();
   SMARTLIST_FOREACH(conns, connection_t *, conn,
   {
-    if (CONN_IS_EDGE(conn) && TO_EDGE_CONN(conn)->global_identifier == id) {
-      if (!conn->marked_for_close)
-        return TO_EDGE_CONN(conn);
-      else
-        return NULL;
-    }
+    if (conn->global_identifier == id)
+      return conn;
   });
   return NULL;
 }

src/or/connection_edge.c

@@ -1,7 +1,7 @@
 /* Copyright (c) 2001 Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char connection_edge_c_id[] =
@@ -14,6 +14,9 @@ const char connection_edge_c_id[] =
 
 #include "or.h"
 
+#ifdef HAVE_LINUX_TYPES_H
+#include <linux/types.h>
+#endif
 #ifdef HAVE_LINUX_NETFILTER_IPV4_H
 #include <linux/netfilter_ipv4.h>
 #define TRANS_NETFILTER
@@ -160,14 +163,14 @@ connection_edge_destroy(uint16_t circ_id, edge_connection_t *conn)
              "CircID %d: At an edge. Marking connection for close.", circ_id);
     if (conn->_base.type == CONN_TYPE_AP) {
       connection_mark_unattached_ap(conn, END_STREAM_REASON_DESTROY);
+      control_event_stream_status(conn, STREAM_EVENT_CLOSED,
+                                  END_STREAM_REASON_DESTROY);
+      conn->end_reason |= END_STREAM_REASON_FLAG_ALREADY_SENT_CLOSED;
     } else {
       /* closing the circuit, nothing to send an END to */
       conn->_base.edge_has_sent_end = 1;
       conn->end_reason = END_STREAM_REASON_DESTROY;
       conn->end_reason |= END_STREAM_REASON_FLAG_ALREADY_SENT_CLOSED;
-      if (conn->_base.type == CONN_TYPE_AP)
-        control_event_stream_status(conn, STREAM_EVENT_CLOSED,
-                                    END_STREAM_REASON_DESTROY);
       connection_mark_for_close(TO_CONN(conn));
       conn->_base.hold_open_until_flushed = 1;
     }
@@ -358,7 +361,7 @@ connection_ap_expire_beginning(void)
 
   SMARTLIST_FOREACH(conns, connection_t *, c,
   {
-    if (c->type != CONN_TYPE_AP)
+    if (c->type != CONN_TYPE_AP || c->marked_for_close)
       continue;
     conn = TO_EDGE_CONN(c);
     /* if it's an internal linked connection, don't yell its status. */
@@ -457,6 +460,44 @@ connection_ap_attach_pending(void)
   });
 }
 
+/** Tell any AP streams that are waiting for a onehop tunnel to
+ * <b>failed_digest</b> that they are going to fail. */
+void
+connection_ap_fail_onehop(const char *failed_digest,
+                          cpath_build_state_t *build_state)
+{
+  edge_connection_t *edge_conn;
+  char digest[DIGEST_LEN];
+  smartlist_t *conns = get_connection_array();
+  SMARTLIST_FOREACH(conns, connection_t *, conn,
+  {
+    if (conn->marked_for_close ||
+        conn->type != CONN_TYPE_AP ||
+        conn->state != AP_CONN_STATE_CIRCUIT_WAIT)
+      continue;
+    edge_conn = TO_EDGE_CONN(conn);
+    if (!edge_conn->want_onehop)
+      continue;
+    if (hexdigest_to_digest(edge_conn->chosen_exit_name, digest) < 0 ||
+        memcmp(digest, failed_digest, DIGEST_LEN))
+      continue;
+    if (tor_digest_is_zero(digest)) {
+      /* we don't know the digest; have to compare addr:port */
+      struct in_addr in;
+      if (!build_state || !build_state->chosen_exit ||
+          !edge_conn->socks_request || !edge_conn->socks_request->address ||
+          !tor_inet_aton(edge_conn->socks_request->address, &in) ||
+          build_state->chosen_exit->addr != ntohl(in.s_addr) ||
+          build_state->chosen_exit->port != edge_conn->socks_request->port)
+        continue;
+    }
+    log_info(LD_APP, "Closing onehop stream to '%s/%s' because the OR conn "
+                     "just failed.", edge_conn->chosen_exit_name,
+                     edge_conn->socks_request->address);
+    connection_mark_unattached_ap(edge_conn, END_STREAM_REASON_TIMEOUT);
+  });
+}
+
 /** A circuit failed to finish on its last hop <b>info</b>. If there
  * are any streams waiting with this exit node in mind, but they
  * don't absolutely require it, make them give up on it.
@@ -517,7 +558,9 @@ connection_ap_detach_retriable(edge_connection_t *conn, origin_circuit_t *circ,
 {
   control_event_stream_status(conn, STREAM_EVENT_FAILED_RETRIABLE, reason);
   conn->_base.timestamp_lastread = time(NULL);
-  if (! get_options()->LeaveStreamsUnattached) {
+  if (!get_options()->LeaveStreamsUnattached || conn->use_begindir) {
+    /* If we're attaching streams ourself, or if this connection is
+     * a tunneled directory connection, then just attach it. */
     conn->_base.state = AP_CONN_STATE_CIRCUIT_WAIT;
     circuit_detach_stream(TO_CIRCUIT(circ),conn);
     return connection_ap_handshake_attach_circuit(conn);
@@ -653,6 +696,8 @@ clear_trackexithost_mappings(const char *exitname)
       MAP_DEL_CURRENT(address);
     }
   } STRMAP_FOREACH_END;
+
+  tor_free(suffix);
 }
 
 /** Remove all entries from the addressmap that were set via the
@@ -1316,20 +1361,30 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
                                    &map_expires)) {
       char *result = tor_strdup(socks->address);
       /* remember _what_ is supposed to have been resolved. */
-      strlcpy(socks->address, orig_address, sizeof(socks->address));
+      tor_snprintf(socks->address, sizeof(socks->address), "REVERSE[%s]",
+                  orig_address);
       connection_ap_handshake_socks_resolved(conn, RESOLVED_TYPE_HOSTNAME,
                                              strlen(result), result, -1,
                                              map_expires);
       connection_mark_unattached_ap(conn,
-                                 END_STREAM_REASON_DONE |
-                                 END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED);
+                                END_STREAM_REASON_DONE |
+                                END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED);
       return 0;
     }
     if (options->ClientDNSRejectInternalAddresses) {
       /* Don't let people try to do a reverse lookup on 10.0.0.1. */
       tor_addr_t addr;
-      if (tor_addr_from_str(&addr, socks->address) >= 0 &&
-          tor_addr_is_internal(&addr, 0)) {
+      struct in_addr in;
+      int ok;
+      if (!strcasecmpend(socks->address, ".in-addr.arpa"))
+        ok = !parse_inaddr_arpa_address(socks->address, &in);
+      else
+        ok = tor_inet_aton(socks->address, &in);
+      /*XXXX021 make this a function. */
+      addr.family = AF_INET;
+      memcpy(&addr.addr.in_addr, &in, sizeof(struct in_addr));
+
+      if (ok && tor_addr_is_internal(&addr, 0)) {
         connection_ap_handshake_socks_resolved(conn, RESOLVED_TYPE_ERROR,
                                                0, NULL, -1, TIME_MAX);
         connection_mark_unattached_ap(conn,
@@ -1555,9 +1610,6 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
       rend_client_refetch_v2_renddesc(conn->rend_query);
       rend_client_refetch_renddesc(conn->rend_query);
     } else { /* r > 0 */
-/** How long after we receive a hidden service descriptor do we consider
- * it valid? */
-#define NUM_SECONDS_BEFORE_HS_REFETCH (60*15)
       if (now - entry->received < NUM_SECONDS_BEFORE_HS_REFETCH) {
         conn->_base.state = AP_CONN_STATE_CIRCUIT_WAIT;
         log_info(LD_REND, "Descriptor is here and fresh enough. Great.");
@@ -1582,11 +1634,11 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
 
 #ifdef TRANS_PF
 static int pf_socket = -1;
-static int
+int
 get_pf_socket(void)
 {
   int pf;
-  /*  Ideally, this should be opened before dropping privs. */
+  /* This should be opened before dropping privs. */
   if (pf_socket >= 0)
     return pf_socket;
 
@@ -2012,7 +2064,10 @@ connection_ap_handshake_send_resolve(edge_connection_t *ap_conn)
       ap_conn->socks_request->address[len-13] = '\0';
     }
     if (tor_inet_aton(ap_conn->socks_request->address, &in) == 0) {
-      connection_mark_unattached_ap(ap_conn, END_STREAM_REASON_INTERNAL);
+      /* Do not mark here; every caller of
+       * connection_ap_attach_{chosen_}circuit() [which calls this function
+       * will also mark on a -1 return value. */
+      // connection_mark_unattached_ap(ap_conn, END_STREAM_REASON_INTERNAL);
       return -1;
     }
     if (c) {
@@ -2041,9 +2096,11 @@ connection_ap_handshake_send_resolve(edge_connection_t *ap_conn)
                            string_addr, payload_len) < 0)
     return -1; /* circuit is closed, don't continue */
 
+  ap_conn->_base.address = tor_strdup("(Tor_internal)");
   ap_conn->_base.state = AP_CONN_STATE_RESOLVE_WAIT;
   log_info(LD_APP,"Address sent for resolve, ap socket %d, n_circ_id %d",
            ap_conn->_base.s, circ->_base.n_circ_id);
+  control_event_stream_status(ap_conn, STREAM_EVENT_NEW, 0);
   control_event_stream_status(ap_conn, STREAM_EVENT_SENT_RESOLVE, 0);
   return 0;
 }
@@ -2398,8 +2455,12 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ)
                                    end_payload, 1, NULL);
       return 0;
     }
-    if (or_circ && or_circ->p_conn && or_circ->p_conn->_base.address)
-      address = tor_strdup(or_circ->p_conn->_base.address);
+    /* Make sure to get the 'real' address of the previous hop: the
+     * caller might want to know whether his IP address has changed, and
+     * we might already have corrected _base.addr[ess] for the relay's
+     * canonical IP address. */
+    if (or_circ && or_circ->p_conn)
+      address = tor_dup_addr(or_circ->p_conn->real_addr);
     else
       address = tor_strdup("127.0.0.1");
     port = 1; /* XXXX This value is never actually used anywhere, and there
@@ -2437,7 +2498,7 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ)
                n_stream->_base.port);
       end_payload[0] = END_STREAM_REASON_EXITPOLICY;
       relay_send_command_from_edge(rh.stream_id, circ, RELAY_COMMAND_END,
-                                   end_payload, 1, NULL);
+                                   end_payload, 1, origin_circ->cpath->prev);
       connection_free(TO_CONN(n_stream));
       tor_free(address);
       return 0;
@@ -2473,8 +2534,8 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ)
 
   if (rh.command == RELAY_COMMAND_BEGIN_DIR) {
     tor_assert(or_circ);
-    if (or_circ->p_conn && or_circ->p_conn->_base.addr)
-      n_stream->_base.addr = or_circ->p_conn->_base.addr;
+    if (or_circ->p_conn && &or_circ->p_conn->real_addr)
+      n_stream->_base.addr = or_circ->p_conn->real_addr;
     return connection_exit_connect_dir(n_stream);
   }
 
@@ -2656,9 +2717,9 @@ connection_exit_connect_dir(edge_connection_t *exitconn)
 
   dirconn = TO_DIR_CONN(connection_new(CONN_TYPE_DIR, AF_INET));
 
-  dirconn->_base.addr = 0x7f000001;
+  dirconn->_base.addr = exitconn->_base.addr;
   dirconn->_base.port = 0;
-  dirconn->_base.address = tor_strdup("Tor network");
+  dirconn->_base.address = tor_strdup(exitconn->_base.address);
   dirconn->_base.type = CONN_TYPE_DIR;
   dirconn->_base.purpose = DIR_PURPOSE_SERVER;
   dirconn->_base.state = DIR_CONN_STATE_SERVER_COMMAND_WAIT;
@@ -2726,7 +2787,10 @@ connection_ap_can_use_exit(edge_connection_t *conn, routerinfo_t *exit)
    * make sure the exit node of the existing circuit matches exactly.
    */
   if (conn->chosen_exit_name) {
-    if (router_get_by_nickname(conn->chosen_exit_name, 1) != exit) {
+    routerinfo_t *chosen_exit =
+      router_get_by_nickname(conn->chosen_exit_name, 1);
+    if (!chosen_exit || memcmp(chosen_exit->cache_info.identity_digest,
+                               exit->cache_info.identity_digest, DIGEST_LEN)) {
       /* doesn't match */
 //      log_debug(LD_APP,"Requested node '%s', considering node '%s'. No.",
 //                conn->chosen_exit_name, exit->nickname);
@@ -2743,8 +2807,12 @@ connection_ap_can_use_exit(edge_connection_t *conn, routerinfo_t *exit)
       addr = ntohl(in.s_addr);
     r = compare_addr_to_addr_policy(addr, conn->socks_request->port,
                                     exit->exit_policy);
-    if (r == ADDR_POLICY_REJECTED || r == ADDR_POLICY_PROBABLY_REJECTED)
-      return 0;
+    if (r == ADDR_POLICY_REJECTED)
+      return 0; /* We know the address, and the exit policy rejects it. */
+    if (r == ADDR_POLICY_PROBABLY_REJECTED && !conn->chosen_exit_name)
+      return 0; /* We don't know the addr, but the exit policy rejects most
+                 * addresses with this port. Since the user didn't ask for
+                 * this node, err on the side of caution. */
   } else if (SOCKS_COMMAND_IS_RESOLVE(conn->socks_request->command)) {
     /* Can't support reverse lookups without eventdns. */
     if (conn->socks_request->command == SOCKS_COMMAND_RESOLVE_PTR &&

src/or/connection_or.c

@@ -1,7 +1,7 @@
 /* Copyright (c) 2001 Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char connection_or_c_id[] =
@@ -157,7 +157,7 @@ cell_unpack(cell_t *dest, const char *src)
 void
 var_cell_pack_header(const var_cell_t *cell, char *hdr_out)
 {
-  *(uint16_t*)(hdr_out) = htons(cell->circ_id);
+  set_uint16(hdr_out, htons(cell->circ_id));
   *(uint8_t*)(hdr_out+2) = cell->command;
   set_uint16(hdr_out+3, htons(cell->payload_len));
 }
@@ -285,13 +285,15 @@ int
 connection_or_flushed_some(or_connection_t *conn)
 {
   size_t datalen = buf_datalen(conn->_base.outbuf);
+  time_t now = time(NULL);
   /* If we're under the low water mark, add cells until we're just over the
    * high water mark. */
   if (datalen < OR_CONN_LOWWATER) {
     ssize_t n = (OR_CONN_HIGHWATER - datalen + CELL_NETWORK_SIZE-1)
       / CELL_NETWORK_SIZE;
     while (conn->active_circuits && n > 0) {
-      int flushed = connection_or_flush_from_first_active_circuit(conn, 1);
+      int flushed;
+      flushed = connection_or_flush_from_first_active_circuit(conn, 1, now);
       n -= flushed;
     }
   }

src/or/control.c

@@ -1,5 +1,5 @@
 /* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char control_c_id[] =
@@ -643,16 +643,16 @@ get_circ(const char *id)
 static edge_connection_t *
 get_stream(const char *id)
 {
-  uint32_t n_id;
+  uint64_t n_id;
   int ok;
-  edge_connection_t *conn;
-  n_id = (uint32_t) tor_parse_ulong(id, 10, 0, UINT32_MAX, &ok, NULL);
+  connection_t *conn;
+  n_id = tor_parse_uint64(id, 10, 0, UINT64_MAX, &ok, NULL);
   if (!ok)
     return NULL;
   conn = connection_get_by_global_id(n_id);
-  if (!conn || conn->_base.type != CONN_TYPE_AP)
+  if (!conn || conn->type != CONN_TYPE_AP || conn->marked_for_close)
     return NULL;
-  return conn;
+  return TO_EDGE_CONN(conn);
 }
 
 /** Helper for setconf and resetconf. Acts like setconf, except
@@ -1586,8 +1586,7 @@ getinfo_helper_events(control_connection_t *control_conn,
     smartlist_t *conns = get_connection_array();
     smartlist_t *status = smartlist_create();
     char buf[256];
-    SMARTLIST_FOREACH(conns, connection_t *, base_conn,
-    {
+    SMARTLIST_FOREACH(conns, connection_t *, base_conn, {
       const char *state;
       edge_connection_t *conn;
       char *s;
@@ -1629,7 +1628,7 @@ getinfo_helper_events(control_connection_t *control_conn,
       slen = strlen(buf)+strlen(state)+32;
       s = tor_malloc(slen+1);
       tor_snprintf(s, slen, "%lu %s %lu %s",
-                   (unsigned long) conn->global_identifier,state,
+                   (unsigned long) conn->_base.global_identifier,state,
                    origin_circ?
                          (unsigned long)origin_circ->global_identifier : 0ul,
                    buf);
@@ -2541,7 +2540,8 @@ handle_control_protocolinfo(control_connection_t *conn, uint32_t len,
     char *esc_cfile = esc_for_log(cfile);
     char *methods;
     {
-      int passwd = (options->HashedControlPassword != NULL);
+      int passwd = (options->HashedControlPassword != NULL ||
+                    options->HashedControlSessionPassword != NULL);
       smartlist_t *mlist = smartlist_create();
       if (cookies)
         smartlist_add(mlist, (char*)"COOKIE");
@@ -3047,6 +3047,7 @@ control_event_stream_status(edge_connection_t *conn, stream_status_event_t tp,
   circuit_t *circ;
   origin_circuit_t *origin_circ = NULL;
   char buf[256];
+  const char *purpose = "";
   tor_assert(conn->socks_request);
 
   if (!EVENT_IS_INTERESTING(EVENT_STREAM_STATUS))
@@ -3114,15 +3115,35 @@ control_event_stream_status(edge_connection_t *conn, stream_status_event_t tp,
     addrport_buf[0] = '\0';
   }
 
+  if (tp == STREAM_EVENT_NEW_RESOLVE) {
+    purpose = " PURPOSE=DNS_REQUEST";
+  } else if (tp == STREAM_EVENT_NEW) {
+    if (conn->is_dns_request ||
+        (conn->socks_request &&
+         SOCKS_COMMAND_IS_RESOLVE(conn->socks_request->command)))
+      purpose = " PURPOSE=DNS_REQUEST";
+    else if (conn->use_begindir) {
+      connection_t *linked = TO_CONN(conn)->linked_conn;
+      int linked_dir_purpose = -1;
+      if (linked && linked->type == CONN_TYPE_DIR)
+        linked_dir_purpose = linked->purpose;
+      if (DIR_PURPOSE_IS_UPLOAD(linked_dir_purpose))
+        purpose = " PURPOSE=DIR_UPLOAD";
+      else
+        purpose = " PURPOSE=DIR_FETCH";
+    } else
+      purpose = " PURPOSE=USER";
+  }
+
   circ = circuit_get_by_edge_conn(conn);
   if (circ && CIRCUIT_IS_ORIGIN(circ))
     origin_circ = TO_ORIGIN_CIRCUIT(circ);
   send_control_event_extended(EVENT_STREAM_STATUS, ALL_NAMES,
-                        "650 STREAM %lu %s %lu %s@%s%s\r\n",
-                        (unsigned long)conn->global_identifier, status,
+                        "650 STREAM "U64_FORMAT" %s %lu %s@%s%s%s\r\n",
+                        U64_PRINTF_ARG(conn->_base.global_identifier), status,
                         origin_circ?
                            (unsigned long)origin_circ->global_identifier : 0ul,
-                        buf, reason_buf, addrport_buf);
+                        buf, reason_buf, addrport_buf, purpose);
 
   /* XXX need to specify its intended exit, etc? */
 
@@ -3275,8 +3296,7 @@ control_event_stream_bandwidth_used(void)
     smartlist_t *conns = get_connection_array();
     edge_connection_t *edge_conn;
 
-    SMARTLIST_FOREACH(conns, connection_t *, conn,
-    {
+    SMARTLIST_FOREACH(conns, connection_t *, conn, {
         if (conn->type != CONN_TYPE_AP)
           continue;
         edge_conn = TO_EDGE_CONN(conn);
@@ -3284,8 +3304,8 @@ control_event_stream_bandwidth_used(void)
           continue;
 
         send_control_event(EVENT_STREAM_BANDWIDTH_USED, ALL_NAMES,
-                            "650 STREAM_BW %lu %lu %lu\r\n",
-                            (unsigned long)edge_conn->global_identifier,
+                            "650 STREAM_BW "U64_FORMAT" %lu %lu\r\n",
+                            U64_PRINTF_ARG(edge_conn->_base.global_identifier),
                             (unsigned long)edge_conn->n_read,
                             (unsigned long)edge_conn->n_written);
 
@@ -3580,7 +3600,7 @@ control_event_status(int type, int severity, const char *format, va_list args)
       status = "STATUS_CLIENT";
       break;
     case EVENT_STATUS_SERVER:
-      status = "STATUS_SEVER";
+      status = "STATUS_SERVER";
       break;
     default:
       log_warn(LD_BUG, "Unrecognized status type %d", type);

src/or/cpuworker.c

@@ -1,6 +1,6 @@
 /* Copyright (c) 2003-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char cpuworker_c_id[] =
@@ -23,7 +23,7 @@ const char cpuworker_c_id[] =
 #define MIN_CPUWORKERS 1
 
 /** The tag specifies which circuit this onionskin was from. */
-#define TAG_LEN 8
+#define TAG_LEN 10
 /** How many bytes are sent from the cpuworker back to tor? */
 #define LEN_ONION_RESPONSE \
   (1+TAG_LEN+ONIONSKIN_REPLY_LEN+CPATH_KEY_MATERIAL_LEN)
@@ -60,32 +60,22 @@ connection_cpu_finished_flushing(connection_t *conn)
   return 0;
 }
 
-/** Pack addr,port,and circ_id; set *tag to the result. (See note on
+/** Pack global_id and circ_id; set *tag to the result. (See note on
  * cpuworker_main for wire format.) */
 static void
-tag_pack(char *tag, uint32_t addr, uint16_t port, uint16_t circ_id)
+tag_pack(char *tag, uint64_t conn_id, uint16_t circ_id)
 {
-  *(uint32_t *)tag     = addr;
-  *(uint16_t *)(tag+4) = port;
-  *(uint16_t *)(tag+6) = circ_id;
+  *(uint64_t*)tag = conn_id;
+  *(uint16_t*)(tag+8) = circ_id;
 }
 
 /** Unpack <b>tag</b> into addr, port, and circ_id.
  */
 static void
-tag_unpack(const char *tag, uint32_t *addr, uint16_t *port, uint16_t *circ_id)
+tag_unpack(const char *tag, uint64_t *conn_id, uint16_t *circ_id)
 {
-  struct in_addr in;
-  char addrbuf[INET_NTOA_BUF_LEN];
-
-  *addr    = *(const uint32_t *)tag;
-  *port    = *(const uint16_t *)(tag+4);
-  *circ_id = *(const uint16_t *)(tag+6);
-
-  in.s_addr = htonl(*addr);
-  tor_inet_ntoa(&in, addrbuf, sizeof(addrbuf));
-  log_debug(LD_OR,
-            "onion was from %s:%d, circ_id %d.", addrbuf, *port, *circ_id);
+  *conn_id = *(const uint64_t *)tag;
+  *circ_id = *(const uint16_t *)(tag+8);
 }
 
 /** Called when the onion key has changed and we need to spawn new
@@ -135,10 +125,10 @@ connection_cpu_process_inbuf(connection_t *conn)
 {
   char success;
   char buf[LEN_ONION_RESPONSE];
-  uint32_t addr;
-  uint16_t port;
+  uint64_t conn_id;
   uint16_t circ_id;
-  or_connection_t *p_conn;
+  connection_t *tmp_conn;
+  or_connection_t *p_conn = NULL;
   circuit_t *circ;
 
   tor_assert(conn);
@@ -156,12 +146,13 @@ connection_cpu_process_inbuf(connection_t *conn)
     connection_fetch_from_buf(buf,LEN_ONION_RESPONSE-1,conn);
 
     /* parse out the circ it was talking about */
-    tag_unpack(buf, &addr, &port, &circ_id);
+    tag_unpack(buf, &conn_id, &circ_id);
     circ = NULL;
-    /* (Here we use connection_or_exact_get_by_addr_port rather than
-     * get_by_identity_digest: we want a specific port here in
-     * case there are multiple connections.) */
-    p_conn = connection_or_exact_get_by_addr_port(addr,port);
+    tmp_conn = connection_get_by_global_id(conn_id);
+    if (tmp_conn && !tmp_conn->marked_for_close &&
+        tmp_conn->type == CONN_TYPE_OR)
+      p_conn = TO_OR_CONN(tmp_conn);
+
     if (p_conn)
       circ = circuit_get_by_circid_orconn(circ_id, p_conn);
 
@@ -285,7 +276,10 @@ cpuworker_main(void *data)
           reply_to_proxy, keys, CPATH_KEY_MATERIAL_LEN) < 0) {
         /* failure */
         log_debug(LD_OR,"onion_skin_server_handshake failed.");
-        memset(buf,0,LEN_ONION_RESPONSE); /* send all zeros for failure */
+        *buf = 0; /* indicate failure in first byte */
+        memcpy(buf+1,tag,TAG_LEN);
+        /* send all zeros as answer */
+        memset(buf+1+TAG_LEN, 0, LEN_ONION_RESPONSE-(1+TAG_LEN));
       } else {
         /* success */
         log_debug(LD_OR,"onion_skin_server_handshake succeeded.");
@@ -468,7 +462,7 @@ assign_onionskin_to_cpuworker(connection_t *cpuworker,
       tor_free(onionskin);
       return -1;
     }
-    tag_pack(tag, circ->p_conn->_base.addr, circ->p_conn->_base.port,
+    tag_pack(tag, circ->p_conn->_base.global_identifier,
              circ->p_circ_id);
 
     cpuworker->state = CPUWORKER_STATE_BUSY_ONION;

src/or/directory.c

@@ -1,6 +1,6 @@
 /* Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char directory_c_id[] =
@@ -8,8 +8,10 @@ const char directory_c_id[] =
 
 #include "or.h"
 #if defined(EXPORTMALLINFO) && defined(HAVE_MALLOC_H) && defined(HAVE_MALLINFO)
+#ifndef OPENBSD
 #include <malloc.h>
 #endif
+#endif
 
 /**
  * \file directory.c
@@ -454,7 +456,12 @@ directory_initiate_command_routerstatus(routerstatus_t *status,
   char address_buf[INET_NTOA_BUF_LEN+1];
   struct in_addr in;
   const char *address;
-  if ((router = router_get_by_digest(status->identity_digest))) {
+  router = router_get_by_digest(status->identity_digest);
+  if (!router && anonymized_connection) {
+    log_info(LD_DIR, "Not sending anonymized request to directory '%s'; we "
+                     "don't have its router descriptor.", status->nickname);
+    return;
+  } else if (router) {
     address = router->address;
   } else {
     in.s_addr = htonl(status->addr);
@@ -611,6 +618,32 @@ connection_dir_download_cert_failed(dir_connection_t *conn, int status)
   update_certificate_downloads(time(NULL));
 }
 
+/** Evaluate the situation and decide if we should use an encrypted
+ * "begindir-style" connection for this directory request.
+ * 1) If or_port is 0, or it's a direct conn and or_port is firewalled
+ *    or we're a dir mirror, no.
+ * 2) If we prefer to avoid begindir conns, and we're not fetching or
+ * publishing a bridge relay descriptor, no.
+ * 3) Else yes.
+ */
+static int
+directory_command_should_use_begindir(or_options_t *options, uint32_t addr,
+                                      int or_port, uint8_t router_purpose,
+                                      int anonymized_connection)
+{
+  if (!or_port)
+    return 0; /* We don't know an ORPort -- no chance. */
+  if (!anonymized_connection)
+    if (!fascist_firewall_allows_address_or(addr, or_port) ||
+        directory_fetches_from_authorities(options) ||
+        (server_mode(options) && !options->Address))
+      return 0; /* We're firewalled or are acting like a relay -- also no. */
+  if (!options->TunnelDirConns &&
+      router_purpose != ROUTER_PURPOSE_BRIDGE)
+    return 0; /* We prefer to avoid using begindir conns. Fine. */
+  return 1;
+}
+
 /** Helper for directory_initiate_command_routerstatus: send the
  * command to a server whose address is <b>address</b>, whose IP is
  * <b>addr</b>, whose directory port is <b>dir_port</b>, whose tor version
@@ -627,11 +660,9 @@ directory_initiate_command(const char *address, uint32_t addr,
 {
   dir_connection_t *conn;
   or_options_t *options = get_options();
-  int use_begindir = supports_begindir && or_port &&
-                     (options->TunnelDirConns ||
-                      router_purpose == ROUTER_PURPOSE_BRIDGE) &&
-                     (anonymized_connection ||
-                      fascist_firewall_allows_address_or(addr, or_port));
+  int use_begindir = supports_begindir &&
+                     directory_command_should_use_begindir(options, addr,
+                       or_port, router_purpose, anonymized_connection);
 
   tor_assert(address);
   tor_assert(addr);
@@ -696,7 +727,7 @@ directory_initiate_command(const char *address, uint32_t addr,
     if (anonymized_connection && use_begindir)
       rep_hist_note_used_internal(time(NULL), 0, 1);
     else if (anonymized_connection && !use_begindir)
-      rep_hist_note_used_port(time(NULL), conn->_base.port);
+      rep_hist_note_used_port(conn->_base.port, time(NULL));
 
     /* make an AP connection
      * populate it and add it at the right state
@@ -1511,7 +1542,8 @@ connection_dir_client_reached_eof(dir_connection_t *conn)
     if ((r=networkstatus_set_current_consensus(body, 0))<0) {
       log_fn(r<-1?LOG_WARN:LOG_INFO, LD_DIR,
              "Unable to load consensus directory downloaded from "
-             "server '%s:%d'", conn->_base.address, conn->_base.port);
+             "server '%s:%d'. I'll try again soon.",
+             conn->_base.address, conn->_base.port);
       tor_free(body); tor_free(headers); tor_free(reason);
       networkstatus_consensus_download_failed(0);
       return -1;
@@ -1781,7 +1813,7 @@ connection_dir_client_reached_eof(dir_connection_t *conn)
         } else {
           /* success. notify pending connections about this. */
           conn->_base.purpose = DIR_PURPOSE_HAS_FETCHED_RENDDESC;
-          rend_client_desc_here(conn->rend_query);
+          rend_client_desc_trynow(conn->rend_query, -1);
         }
         break;
       case 404:
@@ -1827,7 +1859,7 @@ connection_dir_client_reached_eof(dir_connection_t *conn)
             log_info(LD_REND, "Successfully fetched v2 rendezvous "
                      "descriptor.");
             conn->_base.purpose = DIR_PURPOSE_HAS_FETCHED_RENDDESC;
-            rend_client_desc_here(conn->rend_query);
+            rend_client_desc_trynow(conn->rend_query, -1);
             break;
         }
         break;
@@ -2191,8 +2223,8 @@ directory_handle_command_get(dir_connection_t *conn, const char *headers,
     cached_dir_t *d = dirserv_get_directory();
 
     if (!d) {
-      log_notice(LD_DIRSERV,"Client asked for the mirrored directory, but we "
-                 "don't have a good one yet. Sending 503 Dir not available.");
+      log_info(LD_DIRSERV,"Client asked for the mirrored directory, but we "
+               "don't have a good one yet. Sending 503 Dir not available.");
       write_http_status_line(conn, 503, "Directory unavailable");
       /* try to get a new one now */
       if (!already_fetching_directory(DIR_PURPOSE_FETCH_DIR) &&
@@ -2209,7 +2241,7 @@ directory_handle_command_get(dir_connection_t *conn, const char *headers,
     dlen = compressed ? d->dir_z_len : d->dir_len;
 
     if (global_write_bucket_low(TO_CONN(conn), dlen, 1)) {
-      log_info(LD_DIRSERV,
+      log_debug(LD_DIRSERV,
                "Client asked for the mirrored directory, but we've been "
                "writing too many bytes lately. Sending 503 Dir busy.");
       write_http_status_line(conn, 503, "Directory busy, try again later");
@@ -2314,7 +2346,7 @@ directory_handle_command_get(dir_connection_t *conn, const char *headers,
 
     dlen = dirserv_estimate_data_size(dir_fps, 0, compressed);
     if (global_write_bucket_low(TO_CONN(conn), dlen, 2)) {
-      log_info(LD_DIRSERV,
+      log_debug(LD_DIRSERV,
                "Client asked for network status lists, but we've been "
                "writing too many bytes lately. Sending 503 Dir busy.");
       write_http_status_line(conn, 503, "Directory busy, try again later");
@@ -2437,7 +2469,9 @@ directory_handle_command_get(dir_connection_t *conn, const char *headers,
   }
 
   if (!strcmpstart(url,"/tor/server/") ||
-      !strcmpstart(url,"/tor/extra/")) {
+      (!options->BridgeAuthoritativeDir &&
+       !options->BridgeRelay &&
+       !strcmpstart(url,"/tor/extra/"))) {
     int res;
     const char *msg;
     const char *request_type = NULL;
@@ -2782,7 +2816,7 @@ directory_handle_command_post(dir_connection_t *conn, const char *headers,
      * receive anything. */
     write_http_status_line(conn, 400, "Nonauthoritative directory does not "
                            "accept posted server descriptors");
-    return 0;
+    goto done;
   }
 
   if (authdir_mode_handles_descs(options, -1) &&

src/or/dirserv.c

@@ -1,6 +1,6 @@
 /* Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char dirserv_c_id[] =
@@ -702,7 +702,8 @@ dirserv_add_descriptor(routerinfo_t *ri, const char **msg)
     return r == -1 ? 0 : -1;
   } else {
     smartlist_t *changed;
-    control_event_or_authdir_new_descriptor("ACCEPTED", desc, desclen, *msg);
+    if (desc)
+      control_event_or_authdir_new_descriptor("ACCEPTED", desc, desclen, *msg);
 
     changed = smartlist_create();
     smartlist_add(changed, ri);
@@ -1198,7 +1199,8 @@ directory_permits_controller_requests(or_options_t *options)
 int
 directory_too_idle_to_fetch_descriptors(or_options_t *options, time_t now)
 {
-  return !options->DirPort && !options->FetchUselessDescriptors &&
+  return !directory_caches_dir_info(options) &&
+         !options->FetchUselessDescriptors &&
          rep_hist_circbuilding_dormant(now);
 }
 
@@ -2285,6 +2287,13 @@ dirserv_generate_networkstatus_vote_obj(crypto_pk_env_t *private_key,
   voter->or_port = options->ORPort;
   voter->contact = tor_strdup(contact);
   memcpy(voter->signing_key_digest, signing_key_digest, DIGEST_LEN);
+  if (options->V3AuthUseLegacyKey) {
+    authority_cert_t *c = get_my_v3_legacy_cert();
+    if (c) {
+      crypto_pk_get_digest(c->identity_key, voter->legacy_id_digest);
+    }
+  }
+
   v3_out->voters = smartlist_create();
   smartlist_add(v3_out->voters, voter);
   v3_out->cert = authority_cert_dup(cert);

src/or/dirvote.c

@@ -1,6 +1,6 @@
 /* Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char dirvote_c_id[] =
@@ -105,7 +105,7 @@ format_networkstatus_vote(crypto_pk_env_t *private_signing_key,
     tor_snprintf(status, len,
                  "network-status-version 3\n"
                  "vote-status vote\n"
-                 "consensus-methods 1 2\n"
+                 "consensus-methods 1 2 3\n"
                  "published %s\n"
                  "valid-after %s\n"
                  "fresh-until %s\n"
@@ -125,6 +125,14 @@ format_networkstatus_vote(crypto_pk_env_t *private_signing_key,
     tor_free(flags);
     outp = status + strlen(status);
     endp = status + len;
+
+    if (!tor_digest_is_zero(voter->legacy_id_digest)) {
+      char fpbuf[HEX_DIGEST_LEN+1];
+      base16_encode(fpbuf, sizeof(fpbuf), voter->legacy_id_digest, DIGEST_LEN);
+      tor_snprintf(outp, endp-outp, "legacy-dir-key %s\n", fpbuf);
+      outp += strlen(outp);
+    }
+
     tor_assert(outp + cert->cache_info.signed_descriptor_len < endp);
     memcpy(outp, cert->cache_info.signed_descriptor_body,
            cert->cache_info.signed_descriptor_len);
@@ -207,6 +215,12 @@ get_voter(const networkstatus_t *vote)
   return smartlist_get(vote->voters, 0);
 }
 
+typedef struct {
+  networkstatus_t *v;
+  const char *digest;
+  int is_legacy;
+} dir_src_ent_t;
+
 /** Helper for sorting networkstatus_t votes (not consensuses) by the
  * hash of their voters' identity digests. */
 static int
@@ -217,6 +231,19 @@ _compare_votes_by_authority_id(const void **_a, const void **_b)
                 get_voter(b)->identity_digest, DIGEST_LEN);
 }
 
+static int
+_compare_dir_src_ents_by_authority_id(const void **_a, const void **_b)
+{
+  const dir_src_ent_t *a = *_a, *b = *_b;
+  const networkstatus_voter_info_t *a_v = get_voter(a->v),
+    *b_v = get_voter(b->v);
+  const char *a_id, *b_id;
+  a_id = a->is_legacy ? a_v->legacy_id_digest : a_v->identity_digest;
+  b_id = b->is_legacy ? b_v->legacy_id_digest : b_v->identity_digest;
+
+  return memcmp(a_id, b_id, DIGEST_LEN);
+}
+
 /** Given a sorted list of strings <b>in</b>, add every member to <b>out</b>
  * that occurs more than <b>min</b> times. */
 static void
@@ -416,7 +443,7 @@ compute_consensus_method(smartlist_t *votes)
 static int
 consensus_method_is_supported(int method)
 {
-  return (method >= 1) && (method <= 2);
+  return (method >= 1) && (method <= 3);
 }
 
 /** Given a list of vote networkstatus_t in <b>votes</b>, our public
@@ -431,7 +458,9 @@ char *
 networkstatus_compute_consensus(smartlist_t *votes,
                                 int total_authorities,
                                 crypto_pk_env_t *identity_key,
-                                crypto_pk_env_t *signing_key)
+                                crypto_pk_env_t *signing_key,
+                                const char *legacy_id_key_digest,
+                                crypto_pk_env_t *legacy_signing_key)
 {
   smartlist_t *chunks;
   char *result = NULL;
@@ -581,33 +610,64 @@ networkstatus_compute_consensus(smartlist_t *votes,
   /* Sort the votes. */
   smartlist_sort(votes, _compare_votes_by_authority_id);
   /* Add the authority sections. */
-  SMARTLIST_FOREACH(votes, networkstatus_t *, v,
   {
-    char buf[1024];
-    struct in_addr in;
-    char ip[INET_NTOA_BUF_LEN];
-    char fingerprint[HEX_DIGEST_LEN+1];
-    char votedigest[HEX_DIGEST_LEN+1];
-    networkstatus_voter_info_t *voter = get_voter(v);
+    smartlist_t *dir_sources = smartlist_create();
+    SMARTLIST_FOREACH(votes, networkstatus_t *, v,
+    {
+      dir_src_ent_t *e = tor_malloc_zero(sizeof(dir_src_ent_t));
+      e->v = v;
+      e->digest = get_voter(v)->identity_digest;
+      e->is_legacy = 0;
+      smartlist_add(dir_sources, e);
+      if (consensus_method >= 3 &&
+          !tor_digest_is_zero(get_voter(v)->legacy_id_digest)) {
+        dir_src_ent_t *e_legacy = tor_malloc_zero(sizeof(dir_src_ent_t));
+        e_legacy->v = v;
+        e_legacy->digest = get_voter(v)->legacy_id_digest;
+        e_legacy->is_legacy = 1;
+        smartlist_add(dir_sources, e_legacy);
+      }
+    });
+    smartlist_sort(dir_sources, _compare_dir_src_ents_by_authority_id);
 
-    in.s_addr = htonl(voter->addr);
-    tor_inet_ntoa(&in, ip, sizeof(ip));
-    base16_encode(fingerprint, sizeof(fingerprint), voter->identity_digest,
-                  DIGEST_LEN);
-    base16_encode(votedigest, sizeof(votedigest), voter->vote_digest,
-                  DIGEST_LEN);
+    SMARTLIST_FOREACH(dir_sources, const dir_src_ent_t *, e,
+    {
+      char buf[1024];
+      struct in_addr in;
+      char ip[INET_NTOA_BUF_LEN];
+      char fingerprint[HEX_DIGEST_LEN+1];
+      char votedigest[HEX_DIGEST_LEN+1];
+      networkstatus_t *v = e->v;
+      networkstatus_voter_info_t *voter = get_voter(v);
 
-    tor_snprintf(buf, sizeof(buf),
-                 "dir-source %s %s %s %s %d %d\n"
-                 "contact %s\n"
-                 "vote-digest %s\n",
-                 voter->nickname, fingerprint, voter->address, ip,
-                    voter->dir_port,
-                    voter->or_port,
-                 voter->contact,
-                 votedigest);
-    smartlist_add(chunks, tor_strdup(buf));
-  });
+      if (e->is_legacy)
+        tor_assert(consensus_method >= 2);
+
+      in.s_addr = htonl(voter->addr);
+      tor_inet_ntoa(&in, ip, sizeof(ip));
+      base16_encode(fingerprint, sizeof(fingerprint), e->digest, DIGEST_LEN);
+      base16_encode(votedigest, sizeof(votedigest), voter->vote_digest,
+                    DIGEST_LEN);
+
+      tor_snprintf(buf, sizeof(buf),
+                   "dir-source %s%s %s %s %s %d %d\n",
+                   voter->nickname, e->is_legacy ? "-legacy" : "",
+                   fingerprint, voter->address, ip,
+                   voter->dir_port,
+                   voter->or_port);
+      smartlist_add(chunks, tor_strdup(buf));
+      if (! e->is_legacy) {
+        tor_snprintf(buf, sizeof(buf),
+                     "contact %s\n"
+                     "vote-digest %s\n",
+                     voter->contact,
+                     votedigest);
+        smartlist_add(chunks, tor_strdup(buf));
+      }
+    });
+    SMARTLIST_FOREACH(dir_sources, dir_src_ent_t *, e, tor_free(e));
+    smartlist_free(dir_sources);
+  }
 
   /* Add the actual router entries. */
   {
@@ -641,8 +701,8 @@ networkstatus_compute_consensus(smartlist_t *votes,
     n_voter_flags = tor_malloc_zero(sizeof(int) * smartlist_len(votes));
     n_flag_voters = tor_malloc_zero(sizeof(int) * smartlist_len(flags));
     flag_map = tor_malloc_zero(sizeof(int*) * smartlist_len(votes));
-    named_flag = tor_malloc_zero(sizeof(int*) * smartlist_len(votes));
-    unnamed_flag = tor_malloc_zero(sizeof(int*) * smartlist_len(votes));
+    named_flag = tor_malloc_zero(sizeof(int) * smartlist_len(votes));
+    unnamed_flag = tor_malloc_zero(sizeof(int) * smartlist_len(votes));
     for (i = 0; i < smartlist_len(votes); ++i)
       unnamed_flag[i] = named_flag[i] = -1;
     chosen_named_idx = smartlist_string_pos(flags, "Named");
@@ -904,6 +964,22 @@ networkstatus_compute_consensus(smartlist_t *votes,
       return NULL; /* This leaks, but it should never happen. */
     }
     smartlist_add(chunks, tor_strdup(buf));
+
+    if (legacy_id_key_digest && legacy_signing_key && consensus_method >= 3) {
+      smartlist_add(chunks, tor_strdup("directory-signature "));
+      base16_encode(fingerprint, sizeof(fingerprint),
+                    legacy_id_key_digest, DIGEST_LEN);
+      crypto_pk_get_fingerprint(legacy_signing_key,
+                                signing_key_fingerprint, 0);
+      tor_snprintf(buf, sizeof(buf), "%s %s\n", fingerprint,
+                   signing_key_fingerprint);
+      if (router_append_dirobj_signature(buf, sizeof(buf), digest,
+                                         legacy_signing_key)) {
+        log_warn(LD_BUG, "Couldn't sign consensus networkstatus.");
+        return NULL; /* This leaks, but it should never happen. */
+      }
+      smartlist_add(chunks, tor_strdup(buf));
+    }
   }
 
   result = smartlist_join_strings(chunks, "", 0, NULL);
@@ -1013,8 +1089,8 @@ networkstatus_add_detached_signatures(networkstatus_t *target,
         memcpy(target_voter->signing_key_digest, src_voter->signing_key_digest,
                DIGEST_LEN);
         target_voter->signature_len = src_voter->signature_len;
-        target_voter->good_signature = 1;
-        target_voter->bad_signature = 0;
+        target_voter->good_signature = src_voter->good_signature;
+        target_voter->bad_signature = src_voter->bad_signature;
       } else {
         log_info(LD_DIR, "Not adding signature from %s", voter_identity);
       }
@@ -1677,10 +1753,23 @@ dirvote_compute_consensus(void)
   SMARTLIST_FOREACH(pending_vote_list, pending_vote_t *, v,
                     smartlist_add(votes, v->vote));
 
-  consensus_body = networkstatus_compute_consensus(
+  {
+    char legacy_dbuf[DIGEST_LEN];
+    crypto_pk_env_t *legacy_sign=NULL;
+    char *legacy_id_digest = NULL;
+    if (get_options()->V3AuthUseLegacyKey) {
+      authority_cert_t *cert = get_my_v3_legacy_cert();
+      legacy_sign = get_my_v3_legacy_signing_key();
+      if (cert) {
+        crypto_pk_get_digest(cert->identity_key, legacy_dbuf);
+        legacy_id_digest = legacy_dbuf;
+      }
+    }
+    consensus_body = networkstatus_compute_consensus(
         votes, n_voters,
         my_cert->identity_key,
-        get_my_v3_authority_signing_key());
+        get_my_v3_authority_signing_key(), legacy_id_digest, legacy_sign);
+  }
   if (!consensus_body) {
     log_warn(LD_DIR, "Couldn't generate a consensus at all!");
     goto err;
@@ -1783,12 +1872,17 @@ dirvote_add_signatures_to_pending_consensus(
                                             sigs, msg_out);
   log_info(LD_DIR,"Added %d signatures to consensus.", r);
 
-  if (r >= 0) {
+  if (r >= 1) {
     char *new_detached =
       networkstatus_get_detached_signatures(pending_consensus);
     const char *src;
     char *dst, *dst_end;
-    size_t new_consensus_len =
+    size_t new_consensus_len;
+    if (!new_detached) {
+      *msg_out = "No signatures to add";
+      goto err;
+    }
+    new_consensus_len =
       strlen(pending_consensus_body) + strlen(new_detached) + 1;
     pending_consensus_body = tor_realloc(pending_consensus_body,
                                          new_consensus_len);
@@ -1815,13 +1909,15 @@ dirvote_add_signatures_to_pending_consensus(
     tor_free(pending_consensus_signatures);
     pending_consensus_signatures = new_detached;
     *msg_out = "Signatures added";
+  } else if (r == 0) {
+    *msg_out = "Signatures ignored";
   } else {
     goto err;
   }
 
   goto done;
  err:
-  if (!msg_out)
+  if (!*msg_out)
     *msg_out = "Unrecognized error while adding detached signatures.";
  done:
   if (sigs)

src/or/dns.c

@@ -1,6 +1,6 @@
 /* Copyright (c) 2003-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char dns_c_id[] =
@@ -33,6 +33,8 @@ const char dns_c_id[] =
 
 /** Have we currently configured nameservers with eventdns? */
 static int nameservers_configured = 0;
+/** Did our most recent attempt to configure nameservers with eventdns fail? */
+static int nameserver_config_failed = 0;
 /** What was the resolv_conf fname we last used when configuring the
  * nameservers? Used to check whether we need to reconfigure. */
 static char *resolv_conf_fname = NULL;
@@ -196,6 +198,10 @@ dns_init(void)
 {
   init_cache_map();
   evdns_set_transaction_id_fn(dns_get_transaction_id);
+  if (get_options()->ServerDNSRandomizeCase)
+    evdns_set_option("randomize-case:", "1", DNS_OPTIONS_ALL);
+  else
+    evdns_set_option("randomize-case:", "0", DNS_OPTIONS_ALL);
   if (server_mode(get_options()))
     return configure_nameservers(1);
   return 0;
@@ -214,12 +220,20 @@ dns_reset(void)
     tor_free(resolv_conf_fname);
     resolv_conf_mtime = 0;
   } else {
-    if (configure_nameservers(0) < 0)
+    if (configure_nameservers(0) < 0) {
       return -1;
+    }
   }
   return 0;
 }
 
+/**DOCDOC*/
+int
+has_dns_init_failed(void)
+{
+  return nameserver_config_failed;
+}
+
 /** Helper: Given a TTL from a DNS response, determine what TTL to give the
  * OP that asked us to resolve it. */
 uint32_t
@@ -481,7 +495,8 @@ send_resolved_hostname_cell(edge_connection_t *conn, const char *hostname)
  * parse it and place the address in <b>in</b> if present. Return 1 on success;
  * 0 if the address is not in in-addr.arpa format, and -1 if the address is
  * malformed. */
-static int
+/* XXXX021 move this to util.c. */
+int
 parse_inaddr_arpa_address(const char *address, struct in_addr *in)
 {
   char buf[INET_NTOA_BUF_LEN];
@@ -551,6 +566,7 @@ dns_resolve(edge_connection_t *exitconn)
   is_resolve = exitconn->_base.purpose == EXIT_PURPOSE_RESOLVE;
 
   r = dns_resolve_impl(exitconn, is_resolve, oncirc, &hostname);
+
   switch (r) {
     case 1:
       /* We got an answer without a lookup -- either the answer was
@@ -625,6 +641,7 @@ dns_resolve_impl(edge_connection_t *exitconn, int is_resolve,
   cached_resolve_t *resolve;
   cached_resolve_t search;
   pending_connection_t *pending_connection;
+  routerinfo_t *me;
   struct in_addr in;
   time_t now = time(NULL);
   uint8_t is_reverse = 0;
@@ -641,6 +658,11 @@ dns_resolve_impl(edge_connection_t *exitconn, int is_resolve,
     exitconn->address_ttl = DEFAULT_DNS_TTL;
     return 1;
   }
+  /* If we're a non-exit, don't even do DNS lookups. */
+  if (!(me = router_get_my_routerinfo()) ||
+      policy_is_reject_star(me->exit_policy)) {
+    return -1;
+  }
   if (address_is_invalid_destination(exitconn->_base.address, 0)) {
     log(LOG_PROTOCOL_WARN, LD_EXIT,
         "Rejecting invalid destination address %s",
@@ -659,9 +681,12 @@ dns_resolve_impl(edge_connection_t *exitconn, int is_resolve,
    * .in-addr.arpa address but this isn't a resolve request, kill the
    * connection.
    */
-  if ((r = parse_inaddr_arpa_address(exitconn->_base.address, NULL)) != 0) {
-    if (r == 1)
+  if ((r = parse_inaddr_arpa_address(exitconn->_base.address, &in)) != 0) {
+    if (r == 1) {
       is_reverse = 1;
+         if (is_internal_IP(ntohl(in.s_addr), 0)) /* internal address */
+           return -1;
+    }
 
     if (!is_reverse || !is_resolve) {
       if (!is_reverse)
@@ -1091,10 +1116,11 @@ evdns_err_is_transient(int err)
 }
 
 /** Configure eventdns nameservers if force is true, or if the configuration
- * has changed since the last time we called this function.  On Unix, this
- * reads from options->ServerDNSResolvConfFile or /etc/resolv.conf; on
- * Windows, this reads from options->ServerDNSResolvConfFile or the registry.
- * Return 0 on success or -1 on failure. */
+ * has changed since the last time we called this function, or if we failed on
+ * our last attempt.  On Unix, this reads from /etc/resolv.conf or
+ * options->ServerDNSResolvConfFile; on Windows, this reads from
+ * options->ServerDNSResolvConfFile or the registry.  Return 0 on success or
+ * -1 on failure. */
 static int
 configure_nameservers(int force)
 {
@@ -1114,7 +1140,7 @@ configure_nameservers(int force)
     if (stat(conf_fname, &st)) {
       log_warn(LD_EXIT, "Unable to stat resolver configuration in '%s': %s",
                conf_fname, strerror(errno));
-      return options->ServerDNSAllowBrokenResolvConf ? 0 : -1;
+      goto err;
     }
     if (!force && resolv_conf_fname && !strcmp(conf_fname,resolv_conf_fname)
         && st.st_mtime == resolv_conf_mtime) {
@@ -1129,11 +1155,11 @@ configure_nameservers(int force)
     if ((r = evdns_resolv_conf_parse(DNS_OPTIONS_ALL, conf_fname))) {
       log_warn(LD_EXIT, "Unable to parse '%s', or no nameservers in '%s' (%d)",
                conf_fname, conf_fname, r);
-      return options->ServerDNSAllowBrokenResolvConf ? 0 : -1;
+      goto err;
     }
     if (evdns_count_nameservers() == 0) {
       log_warn(LD_EXIT, "Unable to find any nameservers in '%s'.", conf_fname);
-      return options->ServerDNSAllowBrokenResolvConf ? 0 : -1;
+      goto err;
     }
     tor_free(resolv_conf_fname);
     resolv_conf_fname = tor_strdup(conf_fname);
@@ -1149,13 +1175,12 @@ configure_nameservers(int force)
     }
     if (evdns_config_windows_nameservers())  {
       log_warn(LD_EXIT,"Could not config nameservers.");
-      return options->ServerDNSAllowBrokenResolvConf ? 0 : -1;
+      goto err;
     }
     if (evdns_count_nameservers() == 0) {
       log_warn(LD_EXIT, "Unable to find any platform nameservers in "
-               "your Windows configuration.  Perhaps you should list a "
-               "ServerDNSResolvConfFile file in your torrc?");
-      return options->ServerDNSAllowBrokenResolvConf ? 0 : -1;
+               "your Windows configuration.");
+      goto err;
     }
     if (nameservers_configured)
       evdns_resume();
@@ -1175,7 +1200,18 @@ configure_nameservers(int force)
   dns_servers_relaunch_checks();
 
   nameservers_configured = 1;
+  if (nameserver_config_failed) {
+    nameserver_config_failed = 0;
+    mark_my_descriptor_dirty();
+  }
   return 0;
+ err:
+  nameservers_configured = 0;
+  if (! nameserver_config_failed) {
+    nameserver_config_failed = 1;
+    mark_my_descriptor_dirty();
+  }
+  return -1;
 }
 
 /** For eventdns: Called when we get an answer for a request we launched.
@@ -1266,8 +1302,9 @@ launch_resolve(edge_connection_t *exitconn)
   if (!nameservers_configured) {
     log_warn(LD_EXIT, "(Harmless.) Nameservers not configured, but resolve "
              "launched.  Configuring.");
-    if (configure_nameservers(1) < 0)
+    if (configure_nameservers(1) < 0) {
       return -1;
+    }
   }
 
   r = parse_inaddr_arpa_address(exitconn->_base.address, &in);

src/or/dnsserv.c

@@ -1,4 +1,4 @@
-/* Copyright (c) 2007-2008, The Tor Project, Inc. */
+/* Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char dnsserv_c_id[] =

src/or/eventdns.c

@@ -176,6 +176,7 @@ struct request {
 	struct event timeout_event;
 
 	u16 trans_id;  /* the transaction id */
+	char timeout_event_added; /* True iff timeout_event is added. */
 	char request_appended;	/* true if the request pointer is data which follows this struct */
 	char transmit_me;  /* needs to be transmitted */
 };
@@ -215,6 +216,7 @@ struct nameserver {
 	struct event timeout_event; /* used to keep the timeout for */
 								/* when we next probe this server. */
 								/* Valid if state == 0 */
+	char timeout_event_added; /* True iff timeout_event is added. */
 	char state;	 /* zero if we think that this server is down */
 	char choked;  /* true if we have an EAGAIN from this server's socket */
 	char write_waiting;	 /* true if we are waiting for EV_WRITE events */
@@ -307,6 +309,9 @@ static int global_max_retransmits = 3;	/* number of times we'll retransmit a req
 /* number of timeouts in a row before we consider this server to be down */
 static int global_max_nameserver_timeout = 3;
 
+/* DOCDOC */
+static int global_randomize_case = 1;
+
 /* These are the timeout values for nameservers. If we find a nameserver is down */
 /* we try to probe it at intervals as given below. Values are in seconds. */
 static const struct timeval global_nameserver_timeouts[] = {{10, 0}, {60, 0}, {300, 0}, {900, 0}, {3600, 0}};
@@ -354,20 +359,7 @@ error_is_eagain(int err)
 {
 	return err == EAGAIN || err == WSAEWOULDBLOCK;
 }
-static int
-inet_aton(const char *c, struct in_addr *addr)
-{
-	uint32_t r;
-	if (strcmp(c, "255.255.255.255") == 0) {
-		addr->s_addr = 0xffffffffu;
-	} else {
-		r = inet_addr(c);
-		if (r == INADDR_NONE)
-			return 0;
-		addr->s_addr = r;
-	}
-	return 1;
-}
+#define inet_aton(c, addr) tor_inet_aton((c), (addr))
 #define CLOSE_SOCKET(x) closesocket(x)
 #else
 #define last_error(sock) (errno)
@@ -375,8 +367,11 @@ inet_aton(const char *c, struct in_addr *addr)
 #define CLOSE_SOCKET(x) close(x)
 #endif
 
-#define ISSPACE(c) isspace((int)(unsigned char)(c))
-#define ISDIGIT(c) isdigit((int)(unsigned char)(c))
+#define ISSPACE(c) TOR_ISSPACE(c)
+#define ISDIGIT(c) TOR_ISDIGIT(c)
+#define ISALPHA(c) TOR_ISALPHA(c)
+#define TOLOWER(c) TOR_TOLOWER(c)
+#define TOUPPER(c) TOR_TOUPPER(c)
 
 #ifndef NDEBUG
 static const char *
@@ -407,6 +402,31 @@ evdns_set_log_fn(evdns_debug_log_fn_type fn)
 #define EVDNS_LOG_CHECK
 #endif
 
+#define del_timeout_event(item)							\
+	do {												\
+		if ((item)->timeout_event_added)				\
+			(void)event_del(&(item)->timeout_event);	\
+		(item)->timeout_event_added = 0;				\
+	} while(0)
+
+
+static int
+_add_timeout_event(struct event *ev, char *flagptr, struct timeval *tv)
+{
+	int r = 0;
+	if (!*flagptr) {
+		r = event_add(ev, tv);
+		if (r >= 0)
+			*flagptr = 1;
+	}
+	return r;
+}
+
+#define add_timeout_event(item, tv)						\
+	_add_timeout_event(&(item)->timeout_event,			\
+					   &(item)->timeout_event_added,	\
+					   (tv))
+
 static void _evdns_log(int warn, const char *fmt, ...) EVDNS_LOG_CHECK;
 static void
 _evdns_log(int warn, const char *fmt, ...)
@@ -462,7 +482,7 @@ nameserver_prod_callback(int fd, short events, void *arg) {
 static void
 nameserver_probe_failed(struct nameserver *const ns) {
 	const struct timeval * timeout;
-	(void) evtimer_del(&ns->timeout_event);
+	del_timeout_event(ns);
 	CLEAR(&ns->timeout_event);
 	if (ns->state == 1) {
 		/* This can happen if the nameserver acts in a way which makes us mark */
@@ -476,7 +496,7 @@ nameserver_probe_failed(struct nameserver *const ns) {
 	ns->failed_times++;
 
 	evtimer_set(&ns->timeout_event, nameserver_prod_callback, ns);
-	if (evtimer_add(&ns->timeout_event, (struct timeval *) timeout) < 0) {
+	if (add_timeout_event(ns, (struct timeval *) timeout) < 0) {
 		log(EVDNS_LOG_WARN,
 			"Error from libevent when adding timer event for %s",
 			debug_ntoa(ns->address));
@@ -504,8 +524,10 @@ nameserver_failed(struct nameserver *const ns, const char *msg) {
 	ns->state = 0;
 	ns->failed_times = 1;
 
+	del_timeout_event(ns); /* in case it's added. */
+
 	evtimer_set(&ns->timeout_event, nameserver_prod_callback, ns);
-	if (evtimer_add(&ns->timeout_event, (struct timeval *) &global_nameserver_timeouts[0]) < 0) {
+	if (add_timeout_event(ns, (struct timeval *) &global_nameserver_timeouts[0]) < 0) {
 		log(EVDNS_LOG_WARN,
 			"Error from libevent when adding timer event for %s",
 			debug_ntoa(ns->address));
@@ -539,7 +561,7 @@ nameserver_up(struct nameserver *const ns) {
 	if (ns->state) return;
 	log(EVDNS_LOG_WARN, "Nameserver %s is back up",
 		debug_ntoa(ns->address));
-	evtimer_del(&ns->timeout_event);
+	del_timeout_event(ns);
 	CLEAR(&ns->timeout_event);
 	ns->state = 1;
 	ns->failed_times = 0;
@@ -571,7 +593,7 @@ request_finished(struct request *const req, struct request **head) {
 
 	log(EVDNS_LOG_DEBUG, "Removing timeout for request %lx",
 		(unsigned long) req);
-	evtimer_del(&req->timeout_event);
+	del_timeout_event(req);
 	CLEAR(&req->timeout_event);
 
 	search_request_finished(req);
@@ -813,9 +835,10 @@ name_parse(u8 *packet, int length, int *idx, char *name_out, size_t name_out_len
 static int
 reply_parse(u8 *packet, int length) {
 	int j = 0;	/* index into packet */
+	int k;
 	u16 _t;	 /* used by the macros */
 	u32 _t32;  /* used by the macros */
-	char tmp_name[256]; /* used by the macros */
+	char tmp_name[256], cmp_name[256]; /* used by the macros */
 
 	u16 trans_id, questions, answers, authority, additional, datalength;
 	u16 flags = 0;
@@ -823,6 +846,7 @@ reply_parse(u8 *packet, int length) {
 	struct reply reply;
 	struct request *req = NULL;
 	unsigned int i;
+	int name_matches = 0;
 
 	GET16(trans_id);
 	GET16(flags);
@@ -848,11 +872,28 @@ reply_parse(u8 *packet, int length) {
 	/* if (!answers) return; */  /* must have an answer of some form */
 
 	/* This macro skips a name in the DNS reply. */
-#define SKIP_NAME														\
+#define GET_NAME														\
 	do { tmp_name[0] = '\0';											\
 		if (name_parse(packet, length, &j, tmp_name, sizeof(tmp_name))<0) \
 			goto err;													\
 	} while(0);
+#define TEST_NAME														\
+	do { tmp_name[0] = '\0';											\
+		cmp_name[0] = '\0';												\
+		k = j;															\
+		if (name_parse(packet, length, &j, tmp_name, sizeof(tmp_name))<0) \
+			goto err;													\
+		if (name_parse(req->request, req->request_len, &k, cmp_name, sizeof(cmp_name))<0) \
+			goto err;													\
+		if (global_randomize_case) {									\
+			if (strcmp(tmp_name, cmp_name) == 0)						\
+				name_matches = 1; /* we ignore mismatching names */		\
+		} else {														\
+			if (strcasecmp(tmp_name, cmp_name) == 0)					\
+				name_matches = 1;										\
+		}																\
+	} while(0)
+
 
 	reply.type = req->request_type;
 
@@ -861,11 +902,14 @@ reply_parse(u8 *packet, int length) {
 		/* the question looks like
 		 * <label:name><u16:type><u16:class>
 		 */
-		SKIP_NAME;
+	    TEST_NAME;
 		j += 4;
 		if (j >= length) goto err;
 	}
 
+	if (!name_matches)
+		goto err;
+
 	/* now we have the answer section which looks like
 	 * <label:name><u16:type><u16:class><u32:ttl><u16:len><data...>
 	 */
@@ -875,7 +919,7 @@ reply_parse(u8 *packet, int length) {
 
 		/* XXX I'd be more comfortable if we actually checked the name */
 		/* here. -NM */
-		SKIP_NAME;
+		GET_NAME;
 		GET16(type);
 		GET16(class);
 		GET32(ttl);
@@ -1082,6 +1126,19 @@ evdns_set_transaction_id_fn(uint16_t (*fn)(void))
 		trans_id_function = default_transaction_id_fn;
 }
 
+
+static void
+get_random_bytes(char *buf, size_t n)
+{
+	unsigned i;
+	for (i = 0; i < n; i += 2) {
+		u16 tid = trans_id_function();
+		buf[i] = (tid >> 8) & 0xff;
+		if (i+1<n)
+			buf[i+1] = tid & 0xff;
+	}
+}
+
 /* Try to choose a strong transaction id which isn't already in flight */
 static u16
 transaction_id_pick(void) {
@@ -1143,17 +1200,34 @@ nameserver_pick(void) {
 /* this is called when a namesever socket is ready for reading */
 static void
 nameserver_read(struct nameserver *ns) {
+	struct sockaddr_storage ss;
+	struct sockaddr *sa = (struct sockaddr *)&ss;
+	struct sockaddr_in *sin;
+	socklen_t addrlen = sizeof(ss);
 	u8 packet[1500];
 
 	for (;;) {
 		const int r =
-            (int)recv(ns->socket, packet,(socklen_t)sizeof(packet), 0);
+            (int)recvfrom(ns->socket, packet,(socklen_t)sizeof(packet), 0,
+						  sa, &addrlen);
 		if (r < 0) {
 			int err = last_error(ns->socket);
 			if (error_is_eagain(err)) return;
 			nameserver_failed(ns, strerror(err));
 			return;
 		}
+		if (sa->sa_family != AF_INET) {
+			log(EVDNS_LOG_WARN,
+				"Address family mismatch on received DNS packet.");
+			return;
+		}
+		sin = (struct sockaddr_in *)sa;
+		if (sin->sin_addr.s_addr != ns->address) {
+			log(EVDNS_LOG_WARN,
+				"Address mismatch on received DNS packet.  Address was %s.",
+				debug_ntoa(sin->sin_addr.s_addr));
+			return;
+		}
 		ns->timedout = 0;
 		reply_parse(packet, r);
 	}
@@ -1880,7 +1954,7 @@ evdns_request_timeout_callback(int fd, short events, void *arg) {
 		nameserver_failed(req->ns, "request timed out.");
 	}
 
-	(void) evtimer_del(&req->timeout_event);
+	del_timeout_event(req);
 	CLEAR(&req->timeout_event);
 	if (req->tx_count >= global_max_retransmits) {
 		/* this request has failed */
@@ -1949,8 +2023,9 @@ evdns_request_transmit(struct request *req) {
 		/* transmitted; we need to check for timeout. */
 		log(EVDNS_LOG_DEBUG,
 			"Setting timeout for request %lx", (unsigned long) req);
+		del_timeout_event(req); /* In case it's added. */
 		evtimer_set(&req->timeout_event, evdns_request_timeout_callback, req);
-		if (evtimer_add(&req->timeout_event, &global_timeout) < 0) {
+		if (add_timeout_event(req, &global_timeout) < 0) {
 			log(EVDNS_LOG_WARN,
 				"Error from libevent when adding timer for request %lx",
 				(unsigned long) req);
@@ -2044,7 +2119,7 @@ evdns_clear_nameservers_and_suspend(void)
 		struct nameserver *next = server->next;
 		(void) event_del(&server->event);
 		CLEAR(&server->event);
-		(void) evtimer_del(&server->timeout_event);
+		del_timeout_event(server);
 		CLEAR(&server->timeout_event);
 		if (server->socket >= 0)
 			CLOSE_SOCKET(server->socket);
@@ -2062,7 +2137,7 @@ evdns_clear_nameservers_and_suspend(void)
 		req->tx_count = req->reissue_count = 0;
 		req->ns = NULL;
 		/* ???? What to do about searches? */
-		(void) evtimer_del(&req->timeout_event);
+		del_timeout_event(req);
 		CLEAR(&req->timeout_event);
 		req->trans_id = 0;
 		req->transmit_me = 0;
@@ -2243,12 +2318,35 @@ request_new(int type, const char *name, int flags,
 	/* the request data is alloced in a single block with the header */
 	struct request *const req =
 		(struct request *) malloc(sizeof(struct request) + request_max_len);
+	char namebuf[256];
 	int rlen;
 	(void) flags;
 
 	if (!req) return NULL;
+
+	if (name_len >= sizeof(namebuf)) {
+		_free(req);
+		return NULL;
+	}
+
 	memset(req, 0, sizeof(struct request));
 
+	if (global_randomize_case) {
+		unsigned i;
+		char randbits[32];
+		strlcpy(namebuf, name, sizeof(namebuf));
+		get_random_bytes(randbits, (name_len+7)/8);
+		for (i = 0; i < name_len; ++i) {
+			if (ISALPHA(namebuf[i])) {
+				if ((randbits[i >> 3] & (1<<(i%7))))
+					namebuf[i] = TOLOWER(namebuf[i]);
+				else
+					namebuf[i] = TOUPPER(namebuf[i]);
+			}
+		}
+		name = namebuf;
+	}
+
 	/* request data lives just after the header */
 	req->request = ((u8 *) req) + sizeof(struct request);
 	/* denotes that the request data shouldn't be free()ed */
@@ -2690,7 +2788,13 @@ evdns_set_option(const char *option, const char *val, int flags)
 		if (!(flags & DNS_OPTION_MISC)) return 0;
 		log(EVDNS_LOG_DEBUG, "Setting retries to %d", retries);
 		global_max_retransmits = retries;
+	} else if (!strncmp(option, "randomize-case:", 15)) {
+		int randcase = strtoint(val);
+		if (!(flags & DNS_OPTION_MISC)) return 0;
+		log(EVDNS_LOG_DEBUG, "Setting randomize_case to %d", randcase);
+		global_randomize_case = randcase;
 	}
+
 	return 0;
 }
 
@@ -3060,7 +3164,7 @@ evdns_shutdown(int fail_requests)
 			CLOSE_SOCKET(server->socket);
 		(void) event_del(&server->event);
 		if (server->state == 0)
-			(void) event_del(&server->timeout_event);
+			del_timeout_event(server);
 		CLEAR(server);
 		free(server);
 		if (server_next == server_head)
@@ -3127,7 +3231,7 @@ evdns_server_callback(struct evdns_server_request *req, void *data)
 		}
 	}
 
-	r = evdns_request_respond(req, 0);
+	r = evdns_server_request_respond(req, 0);
 	if (r<0)
 		printf("eeek, couldn't send reply.\n");
 }

src/or/eventdns_tor.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2007-2008, The Tor Project, Inc. */
+/* Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 
 #include "orconfig.h"

src/or/geoip.c

@@ -1,4 +1,4 @@
-/* Copyright (c) 2007-2008, The Tor Project, Inc. */
+/* Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id: /tor/trunk/src/or/networkstatus.c 15493 2007-12-16T18:33:25.055570Z nickm  $ */
 const char geoip_c_id[] =
@@ -76,6 +76,10 @@ geoip_parse_entry(const char *line)
     geoip_entries = smartlist_create();
     country_idxplus1_by_lc_code = strmap_new();
   }
+  while (TOR_ISSPACE(*line))
+    ++line;
+  if (*line == '#')
+    return 0;
   if (sscanf(line,"%u,%u,%2s", &low, &high, b) == 3) {
     geoip_add_entry(low, high, b);
     return 0;
@@ -118,6 +122,14 @@ _geoip_compare_key_to_entry(const void *_key, const void **_member)
     return 0;
 }
 
+/** Return 1 if we should collect geoip stats on bridge users, and
+ * include them in our extrainfo descriptor. Else return 0. */
+int
+should_record_bridge_info(or_options_t *options)
+{
+  return options->BridgeRelay && options->BridgeRecordUsageByCountry;
+}
+
 /** Clear the GeoIP database and reload it from the file
  * <b>filename</b>. Return 0 on success, -1 on failure.
  *
@@ -129,12 +141,13 @@ _geoip_compare_key_to_entry(const void *_key, const void **_member)
  * integers, and CC is a country code.
  */
 int
-geoip_load_file(const char *filename)
+geoip_load_file(const char *filename, or_options_t *options)
 {
   FILE *f;
+  int severity = should_record_bridge_info(options) ? LOG_WARN : LOG_INFO;
   clear_geoip_db();
   if (!(f = fopen(filename, "r"))) {
-    log_warn(LD_GENERAL, "Failed to open GEOIP file %s.", filename);
+    log_fn(severity, LD_GENERAL, "Failed to open GEOIP file %s.", filename);
     return -1;
   }
   geoip_countries = smartlist_create();
@@ -235,7 +248,7 @@ geoip_note_client_seen(uint32_t addr, time_t now)
 {
   or_options_t *options = get_options();
   clientmap_entry_t lookup, *ent;
-  if (!(options->BridgeRelay && options->BridgeRecordUsageByCountry))
+  if (!should_record_bridge_info(options))
     return;
   lookup.ipaddr = addr;
   ent = HT_FIND(clientmap, &client_history, &lookup);
@@ -277,13 +290,13 @@ geoip_remove_old_clients(time_t cutoff)
 }
 
 /** Do not mention any country from which fewer than this number of IPs have
- * connected.  This avoids reporting information that could deanonymize
- * users. */
-#define MIN_IPS_TO_NOTE_COUNTRY 8
+ * connected.  This conceivably avoids reporting information that could
+ * deanonymize users, though analysis is lacking. */
+#define MIN_IPS_TO_NOTE_COUNTRY 0
 /** Do not report any geoip data at all if we have fewer than this number of
  * IPs to report about. */
-#define MIN_IPS_TO_NOTE_ANYTHING 16
-/** When reporting geoip data about countries, round down to the nearest
+#define MIN_IPS_TO_NOTE_ANYTHING 0
+/** When reporting geoip data about countries, round up to the nearest
  * multiple of this value. */
 #define IP_GRANULARITY 8
 
@@ -344,8 +357,10 @@ geoip_get_client_history(time_t now)
       ++total;
     }
     /* Don't record anything if we haven't seen enough IPs. */
+#if MIN_IPS_TO_NOTE_ANYTHING > 0
     if (total < MIN_IPS_TO_NOTE_ANYTHING)
       goto done;
+#endif
     /* Make a list of c_hist_t */
     entries = smartlist_create();
     for (i = 0; i < n_countries; ++i) {
@@ -353,7 +368,11 @@ geoip_get_client_history(time_t now)
       const char *countrycode;
       c_hist_t *ent;
       /* Only report a country if it has a minimum number of IPs. */
+#if MIN_IPS_TO_NOTE_COUNTRY > 0
       if (c >= MIN_IPS_TO_NOTE_COUNTRY) {
+#else
+      if (c > 0) {
+#endif
         /* Round up to the next multiple of IP_GRANULARITY */
         c += IP_GRANULARITY-1;
         c -= c % IP_GRANULARITY;
@@ -375,7 +394,9 @@ geoip_get_client_history(time_t now)
         smartlist_add(chunks, tor_strdup(buf));
       });
     result = smartlist_join_strings(chunks, ",", 0, NULL);
+#if MIN_IPS_TO_NOTE_ANYTHING > 0
   done:
+#endif
     tor_free(counts);
     if (chunks) {
       SMARTLIST_FOREACH(chunks, char *, c, tor_free(c));

src/or/hibernate.c

@@ -1,5 +1,5 @@
 /* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char hibernate_c_id[] =

src/or/main.c

@@ -1,7 +1,7 @@
 /* Copyright (c) 2001 Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char main_c_id[] =
@@ -640,7 +640,8 @@ directory_info_has_arrived(time_t now, int from_cache)
   or_options_t *options = get_options();
 
   if (!router_have_minimum_dir_info()) {
-    log(LOG_NOTICE, LD_DIR,
+    int quiet = directory_too_idle_to_fetch_descriptors(options, now);
+    log(quiet ? LOG_INFO : LOG_NOTICE, LD_DIR,
         "I learned some more directory information, but not enough to "
         "build a circuit: %s", get_dir_info_status_string());
     update_router_descriptor_downloads(now);
@@ -831,6 +832,7 @@ run_scheduled_events(time_t now)
   static time_t time_to_clean_caches = 0;
   static time_t time_to_recheck_bandwidth = 0;
   static time_t time_to_check_for_expired_networkstatus = 0;
+  static time_t time_to_retry_dns_init = 0;
   or_options_t *options = get_options();
   int i;
   int have_dir_info;
@@ -993,6 +995,14 @@ run_scheduled_events(time_t now)
     time_to_clean_caches = now + CLEAN_CACHES_INTERVAL;
   }
 
+#define RETRY_DNS_INTERVAL (10*60)
+  /* If we're a server and initializing dns failed, retry periodically. */
+  if (time_to_retry_dns_init < now) {
+    time_to_retry_dns_init = now + RETRY_DNS_INTERVAL;
+    if (server_mode(options) && has_dns_init_failed())
+      dns_init();
+  }
+
 /** How often do we check whether part of our router info has changed in a way
  * that would require an upload? */
 #define CHECK_DESCRIPTOR_INTERVAL (60)
@@ -1112,8 +1122,10 @@ run_scheduled_events(time_t now)
   circuit_close_all_marked();
 
   /** 7. And upload service descriptors if necessary. */
-  if (has_completed_circuit && !we_are_hibernating())
+  if (has_completed_circuit && !we_are_hibernating()) {
     rend_consider_services_upload(now);
+    rend_consider_descriptor_republication();
+  }
 
   /** 8. and blow away any connections that need to die. have to do this now,
    * because if we marked a conn for close and left its socket -1, then
@@ -1166,7 +1178,7 @@ second_elapsed_callback(int fd, short event, void *args)
    * could use libevent's timers for this rather than checking the current
    * time against a bunch of timeouts every second. */
   static struct timeval one_second;
-  static long current_second = 0;
+  static time_t current_second = 0;
   struct timeval now;
   size_t bytes_written;
   size_t bytes_read;
@@ -1374,8 +1386,13 @@ do_main_loop(void)
 
   /* initialize dns resolve map, spawn workers if needed */
   if (dns_init() < 0) {
-    log_err(LD_GENERAL,"Error initializing dns subsystem; exiting");
-    return -1;
+    if (get_options()->ServerDNSAllowBrokenResolvConf)
+      log_warn(LD_GENERAL, "Couldn't set up any working nameservers. "
+               "Network not up yet?  Will try again soon.");
+    else {
+      log_err(LD_GENERAL,"Error initializing dns subsystem; exiting.  To "
+              "retry instead, set the ServerDNSAllowBrokenResolvConf option.");
+    }
   }
 
   handle_signals(1);
@@ -1768,8 +1785,6 @@ tor_init(int argc, char *argv[])
   /* Have the log set up with our application name. */
   tor_snprintf(buf, sizeof(buf), "Tor %s", get_version());
   log_set_application_name(buf);
-  /* Initialize threading. */
-  tor_threads_init();
   /* Initialize the history structures. */
   rep_hist_init();
   /* Initialize the service cache. */
@@ -1849,13 +1864,15 @@ tor_free_all(int postfork)
   entry_guards_free_all();
   connection_free_all();
   buf_shrink_freelists(1);
-  policies_free_all();
   if (!postfork) {
     config_free_all();
     router_free_all();
+    policies_free_all();
   }
   free_cell_pool();
-  tor_tls_free_all();
+  if (!postfork) {
+    tor_tls_free_all();
+  }
   /* stuff in main.c */
   smartlist_free(connection_array);
   smartlist_free(closeable_connection_lst);
@@ -1963,12 +1980,15 @@ int
 tor_main(int argc, char *argv[])
 {
   int result = 0;
-#ifdef USE_DMALLOC
-  int r = CRYPTO_set_mem_ex_functions(_tor_malloc, _tor_realloc,
-                                      _tor_dmalloc_free);
-  log_notice(LD_CONFIG, "Set up dmalloc; returned %d", r);
-#endif
+  tor_threads_init();
   init_logging();
+#ifdef USE_DMALLOC
+  {
+    int r = CRYPTO_set_mem_ex_functions(_tor_malloc, _tor_realloc,
+                                        _tor_dmalloc_free);
+    log_notice(LD_CONFIG, "Set up dmalloc; returned %d", r);
+  }
+#endif
 #ifdef NT_SERVICE
   {
      int done = 0;

src/or/networkstatus.c

@@ -1,7 +1,7 @@
 /* Copyright (c) 2001 Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char networkstatus_c_id[] =
@@ -211,7 +211,8 @@ router_reload_consensus_networkstatus(void)
     s = read_file_to_str(options->FallbackNetworkstatusFile,
                          RFTS_IGNORE_MISSING, NULL);
     if (s) {
-      if (networkstatus_set_current_consensus(s, flags)) {
+      if (networkstatus_set_current_consensus(s,
+                                              flags|NSSET_ACCEPT_OBSOLETE)) {
         log_info(LD_FS, "Couldn't load consensus networkstatus from \"%s\"",
                  options->FallbackNetworkstatusFile);
       } else {
@@ -392,17 +393,18 @@ networkstatus_check_consensus_signature(networkstatus_t *consensus,
   {
     if (!voter->good_signature && !voter->bad_signature && voter->signature) {
       /* we can try to check the signature. */
+      int is_v3_auth = trusteddirserver_get_by_v3_auth_digest(
+                                          voter->identity_digest) != NULL;
       authority_cert_t *cert =
         authority_cert_get_by_digests(voter->identity_digest,
                                       voter->signing_key_digest);
-      if (! cert) {
-        if (!trusteddirserver_get_by_v3_auth_digest(voter->identity_digest)) {
-          smartlist_add(unrecognized, voter);
-          ++n_unknown;
-        } else {
-          smartlist_add(need_certs_from, voter);
-          ++n_missing_key;
-        }
+      if (!is_v3_auth) {
+        smartlist_add(unrecognized, voter);
+        ++n_unknown;
+        continue;
+      } else if (!cert) {
+        smartlist_add(need_certs_from, voter);
+        ++n_missing_key;
         continue;
       }
       if (networkstatus_check_voter_signature(consensus, voter, cert) < 0) {
@@ -452,10 +454,10 @@ networkstatus_check_consensus_signature(networkstatus_t *consensus,
       });
     SMARTLIST_FOREACH(missing_authorities, trusted_dir_server_t *, ds,
       {
-        log(severity, LD_DIR, "Consensus does not include configured "
-            "authority '%s' at %s:%d (identity %s)",
-            ds->nickname, ds->address, (int)ds->dir_port,
-            hex_str(ds->v3_identity_digest, DIGEST_LEN));
+        log_info(LD_DIR, "Consensus does not include configured "
+                 "authority '%s' at %s:%d (identity %s)",
+                 ds->nickname, ds->address, (int)ds->dir_port,
+                 hex_str(ds->v3_identity_digest, DIGEST_LEN));
       });
     log(severity, LD_DIR,
         "%d unknown, %d missing key, %d good, %d bad, %d no signature, "
@@ -1371,6 +1373,7 @@ networkstatus_set_current_consensus(const char *consensus, unsigned flags)
   const unsigned from_cache = flags & NSSET_FROM_CACHE;
   const unsigned was_waiting_for_certs = flags & NSSET_WAS_WAITING_FOR_CERTS;
   const unsigned dl_certs = !(flags & NSSET_DONT_DOWNLOAD_CERTS);
+  const unsigned accept_obsolete = flags & NSSET_ACCEPT_OBSOLETE;
 
   /* Make sure it's parseable. */
   c = networkstatus_parse_vote_from_string(consensus, NULL, 0);
@@ -1380,6 +1383,15 @@ networkstatus_set_current_consensus(const char *consensus, unsigned flags)
     goto done;
   }
 
+  if (from_cache && !accept_obsolete &&
+      c->valid_until < now-OLD_ROUTER_DESC_MAX_AGE) {
+    /* XXX022 when we try to make fallbackconsensus work again, we should
+     * consider taking this out. Until then, believing obsolete consensuses
+     * is causing more harm than good. See also bug 887. */
+    log_info(LD_DIR, "Loaded an obsolete consensus. Discarding.");
+    goto done;
+  }
+
   if (current_consensus &&
       !memcmp(c->networkstatus_digest, current_consensus->networkstatus_digest,
               DIGEST_LEN)) {
@@ -1403,10 +1415,8 @@ networkstatus_set_current_consensus(const char *consensus, unsigned flags)
     if (r == -1) {
       /* Okay, so it _might_ be signed enough if we get more certificates. */
       if (!was_waiting_for_certs) {
-        /* XXX020 eventually downgrade this log severity, or make it so
-         * users know why they're being told. */
-        log_notice(LD_DIR, "Not enough certificates to check networkstatus "
-                   "consensus");
+        log_info(LD_DIR,
+                 "Not enough certificates to check networkstatus consensus");
       }
       if (!current_consensus ||
           c->valid_after > current_consensus->valid_after) {

src/or/ntmain.c

@@ -1,6 +1,6 @@
 /* Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 

src/or/onion.c

@@ -1,7 +1,7 @@
 /* Copyright (c) 2001 Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char onion_c_id[] =

src/or/or.h

@@ -1,7 +1,7 @@
 /* Copyright (c) 2001 Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 
@@ -328,8 +328,8 @@ typedef enum {
 /** A connection to a directory server: set after a rendezvous
  * descriptor is downloaded. */
 #define DIR_PURPOSE_HAS_FETCHED_RENDDESC 4
-/** A connection to a directory server: download one or more network-status
- * objects */
+/** A connection to a directory server: download one or more v2
+ * network-status objects */
 #define DIR_PURPOSE_FETCH_NETWORKSTATUS 5
 /** A connection to a directory server: download one or more server
  * descriptors. */
@@ -369,6 +369,12 @@ typedef enum {
 #define DIR_PURPOSE_FETCH_RENDDESC_V2 18
 #define _DIR_PURPOSE_MAX 18
 
+#define DIR_PURPOSE_IS_UPLOAD(p)                \
+  ((p)==DIR_PURPOSE_UPLOAD_DIR ||               \
+   (p)==DIR_PURPOSE_UPLOAD_RENDDESC ||          \
+   (p)==DIR_PURPOSE_UPLOAD_VOTE ||              \
+   (p)==DIR_PURPOSE_UPLOAD_SIGNATURES)
+
 #define _EXIT_PURPOSE_MIN 1
 /** This exit stream wants to do an ordinary connect. */
 #define EXIT_PURPOSE_CONNECT 1
@@ -607,6 +613,10 @@ typedef enum {
 /** Length of a binary-encoded rendezvous service ID. */
 #define REND_SERVICE_ID_LEN 10
 
+/** How long after we receive a hidden service descriptor do we consider
+ * it fresh? */
+#define NUM_SECONDS_BEFORE_HS_REFETCH (60*15)
+
 /** Time period for which a v2 descriptor will be valid. */
 #define REND_TIME_PERIOD_V2_DESC_VALIDITY (24*60*60)
 
@@ -869,6 +879,9 @@ typedef struct connection_t {
   /** Another connection that's connected to this one in lieu of a socket. */
   struct connection_t *linked_conn;
 
+  /** Unique identifier for this connection. */
+  uint64_t global_identifier;
+
   /* XXXX021 move this into a subtype. */
   struct evdns_server_port *dns_server_port;
 
@@ -976,10 +989,6 @@ typedef struct edge_connection_t {
   /** The reason why this connection is closing; passed to the controller. */
   uint16_t end_reason;
 
-  /** Quasi-global identifier for this connection; used for control.c */
-  /* XXXX NM This can get re-used after 2**32 streams */
-  uint32_t global_identifier;
-
   /** Bytes read since last call to control_event_stream_bandwidth_used() */
   uint32_t n_read;
 
@@ -994,7 +1003,7 @@ typedef struct edge_connection_t {
    * already retried several times. */
   uint8_t num_socks_retries;
 
-  /** True iff this connection is for a dns request only. */
+  /** True iff this connection is for a dnsserv request only. */
   unsigned int is_dns_request:1;
 
   /** True iff this stream must attach to a one-hop circuit (e.g. for
@@ -1118,7 +1127,7 @@ typedef enum {
   ADDR_POLICY_REJECT=2,
 } addr_policy_action_t;
 
-/** A linked list of policy rules */
+/** A reference-counted address policy rule. */
 typedef struct addr_policy_t {
   int refcnt; /**< Reference count */
   addr_policy_action_t policy_type:2;/**< What to do when the policy matches.*/
@@ -1452,6 +1461,7 @@ typedef struct networkstatus_voter_info_t {
   uint16_t or_port; /**< OR port of this voter */
   char *contact; /**< Contact information for this voter. */
   char vote_digest[DIGEST_LEN]; /**< Digest of this voter's vote, as signed. */
+  char legacy_id_digest[DIGEST_LEN]; /**< From vote only. DOCDOC */
 
   /* Nothing from here on is signed. */
   char signing_key_digest[DIGEST_LEN]; /**< Declared digest of signing key
@@ -2291,6 +2301,8 @@ typedef struct {
                       * the local domains. */
   int ServerDNSDetectHijacking; /**< Boolean: If true, check for DNS failure
                                  * hijacking. */
+  int ServerDNSRandomizeCase; /**< Boolean: Use the 0x20-hack to prevent
+                               * DNS poisoning attacks. */
   char *ServerDNSResolvConfFile; /**< If provided, we configure our internal
                      * resolver from the file here rather than from
                      * /etc/resolv.conf (Unix) or the registry (Windows). */
@@ -2330,6 +2342,10 @@ typedef struct {
   /** The number of intervals we think a consensus should be valid. */
   int V3AuthNIntervalsValid;
 
+  /** Should advertise and sign consensuses with a legacy key, for key
+   * migration purposes? */
+  int V3AuthUseLegacyKey;
+
   /** File to check for a consensus networkstatus, if we don't have one
    * cached. */
   char *FallbackNetworkstatusFile;
@@ -2557,6 +2573,7 @@ origin_circuit_t *origin_circuit_new(void);
 or_circuit_t *or_circuit_new(uint16_t p_circ_id, or_connection_t *p_conn);
 circuit_t *circuit_get_by_circid_orconn(uint16_t circ_id,
                                         or_connection_t *conn);
+int circuit_id_in_use_on_orconn(uint16_t circ_id, or_connection_t *conn);
 circuit_t *circuit_get_by_edge_conn(edge_connection_t *conn);
 void circuit_unlink_all_from_or_conn(or_connection_t *conn, int reason);
 origin_circuit_t *circuit_get_by_global_id(uint32_t id);
@@ -2737,9 +2754,7 @@ connection_write_to_buf_zlib(const char *string, size_t len,
   _connection_write_to_buf_impl(string, len, TO_CONN(conn), done ? -1 : 1);
 }
 
-or_connection_t *connection_or_exact_get_by_addr_port(uint32_t addr,
-                                                   uint16_t port);
-edge_connection_t *connection_get_by_global_id(uint32_t id);
+connection_t *connection_get_by_global_id(uint64_t id);
 
 connection_t *connection_get_by_type(int type);
 connection_t *connection_get_by_type_purpose(int type, int purpose);
@@ -2801,6 +2816,8 @@ int connection_edge_is_rendezvous_stream(edge_connection_t *conn);
 int connection_ap_can_use_exit(edge_connection_t *conn, routerinfo_t *exit);
 void connection_ap_expire_beginning(void);
 void connection_ap_attach_pending(void);
+void connection_ap_fail_onehop(const char *failed_digest,
+                               cpath_build_state_t *build_state);
 void circuit_discard_optional_exit_enclaves(extend_info_t *info);
 int connection_ap_detach_retriable(edge_connection_t *conn,
                                    origin_circuit_t *circ,
@@ -2842,6 +2859,10 @@ typedef enum hostname_type_t {
 } hostname_type_t;
 hostname_type_t parse_extended_hostname(char *address);
 
+#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
+int get_pf_socket(void);
+#endif
+
 /********************************* connection_or.c ***************************/
 
 void connection_or_remove_from_identity_map(or_connection_t *conn);
@@ -3168,7 +3189,9 @@ void dirvote_free_all(void);
 char *networkstatus_compute_consensus(smartlist_t *votes,
                                       int total_authorities,
                                       crypto_pk_env_t *identity_key,
-                                      crypto_pk_env_t *signing_key);
+                                      crypto_pk_env_t *signing_key,
+                                      const char *legacy_identity_key_digest,
+                                      crypto_pk_env_t *legacy_signing_key);
 int networkstatus_add_detached_signatures(networkstatus_t *target,
                                           ns_detached_signatures_t *sigs,
                                           const char **msg_out);
@@ -3224,6 +3247,7 @@ format_networkstatus_vote(crypto_pk_env_t *private_key,
 /********************************* dns.c ***************************/
 
 int dns_init(void);
+int has_dns_init_failed(void);
 void dns_free_all(void);
 uint32_t dns_clip_ttl(uint32_t ttl);
 int dns_reset(void);
@@ -3235,6 +3259,7 @@ int dns_resolve(edge_connection_t *exitconn);
 void dns_launch_correctness_checks(void);
 int dns_seems_to_be_broken(void);
 void dns_reset_correctness_checks(void);
+int parse_inaddr_arpa_address(const char *address, struct in_addr *in);
 
 /********************************* dnsserv.c ************************/
 
@@ -3253,7 +3278,8 @@ int dnsserv_launch_request(const char *name, int is_reverse);
 #ifdef GEOIP_PRIVATE
 int geoip_parse_entry(const char *line);
 #endif
-int geoip_load_file(const char *filename);
+int should_record_bridge_info(or_options_t *options);
+int geoip_load_file(const char *filename, or_options_t *options);
 int geoip_get_country_by_ip(uint32_t ipaddr);
 int geoip_get_n_countries(void);
 const char *geoip_get_country_name(int num);
@@ -3393,6 +3419,7 @@ networkstatus_t *networkstatus_get_reasonably_live_consensus(time_t now);
 #define NSSET_FROM_CACHE 1
 #define NSSET_WAS_WAITING_FOR_CERTS 2
 #define NSSET_DONT_DOWNLOAD_CERTS 4
+#define NSSET_ACCEPT_OBSOLETE 8
 int networkstatus_set_current_consensus(const char *consensus, unsigned flags);
 void networkstatus_note_certs_arrived(void);
 void routers_update_all_from_networkstatus(time_t now, int dir_version);
@@ -3541,7 +3568,7 @@ void append_cell_to_circuit_queue(circuit_t *circ, or_connection_t *orconn,
                                   cell_t *cell, int direction);
 void connection_or_unlink_all_active_circs(or_connection_t *conn);
 int connection_or_flush_from_first_active_circuit(or_connection_t *conn,
-                                                  int max);
+                                                  int max, time_t now);
 void assert_active_circuits_ok(or_connection_t *orconn);
 void make_circuit_inactive_on_conn(circuit_t *circ, or_connection_t *conn);
 void make_circuit_active_on_conn(circuit_t *circ, or_connection_t *conn);
@@ -3623,7 +3650,7 @@ int rend_client_rendezvous_acked(origin_circuit_t *circ, const char *request,
                                  size_t request_len);
 int rend_client_receive_rendezvous(origin_circuit_t *circ, const char *request,
                                    size_t request_len);
-void rend_client_desc_here(const char *query);
+void rend_client_desc_trynow(const char *query, int rend_version);
 
 extend_info_t *rend_client_get_random_intro(const char *query);
 
@@ -3655,12 +3682,19 @@ typedef struct rend_service_descriptor_t {
   /** List of the service's introduction points.  Elements are removed if
    * introduction attempts fail. */
   smartlist_t *intro_nodes;
+  /** Has descriptor been uploaded to all hidden service directories? */
+  int all_uploads_performed;
+  /** List of hidden service directories to which an upload request for
+   * this descriptor could be sent. Smartlist exists only when at least one
+   * of the previous upload requests failed (otherwise it's not important
+   * to know which uploads succeeded and which not). */
+  smartlist_t *successful_uploads;
 } rend_service_descriptor_t;
 
 int rend_cmp_service_ids(const char *one, const char *two);
 
-void rend_process_relay_cell(circuit_t *circ, int command, size_t length,
-                             const char *payload);
+void rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
+                             int command, size_t length, const char *payload);
 
 void rend_service_descriptor_free(rend_service_descriptor_t *desc);
 int rend_encode_service_descriptor(rend_service_descriptor_t *desc,
@@ -3716,6 +3750,8 @@ int rend_service_load_keys(void);
 void rend_services_init(void);
 void rend_services_introduce(void);
 void rend_consider_services_upload(time_t now);
+void rend_hsdir_routers_changed(void);
+void rend_consider_descriptor_republication(void);
 
 void rend_service_intro_has_opened(origin_circuit_t *circuit);
 int rend_service_intro_established(origin_circuit_t *circuit,
@@ -3749,6 +3785,8 @@ crypto_pk_env_t *get_identity_key(void);
 int identity_key_is_set(void);
 authority_cert_t *get_my_v3_authority_cert(void);
 crypto_pk_env_t *get_my_v3_authority_signing_key(void);
+authority_cert_t *get_my_v3_legacy_cert(void);
+crypto_pk_env_t *get_my_v3_legacy_signing_key(void);
 void dup_onion_keys(crypto_pk_env_t **key, crypto_pk_env_t **last);
 void rotate_onion_key(void);
 crypto_pk_env_t *init_key_from_file(const char *fname, int generate,

src/or/policies.c

@@ -1,6 +1,6 @@
 /* Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2008, The Tor Project, Inc. */
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 /* $Id$ */
 const char policies_c_id[] = \
@@ -446,7 +446,7 @@ typedef struct policy_map_ent_t {
   addr_policy_t *policy;
 } policy_map_ent_t;
 
-static HT_HEAD(policy_map, policy_map_ent_t) policy_root;
+static HT_HEAD(policy_map, policy_map_ent_t) policy_root = HT_INITIALIZER();
 
 /** Return true iff a and b are equal. */
 static INLINE int
@@ -495,7 +495,7 @@ addr_policy_get_canonical_entry(addr_policy_t *e)
     found = tor_malloc_zero(sizeof(policy_map_ent_t));
     found->policy = tor_memdup(e, sizeof(addr_policy_t));
     found->policy->is_canonical = 1;
-    found->policy->refcnt = 1;
+    found->policy->refcnt = 0;
     HT_INSERT(policy_map, &policy_root, found);
   }
 
@@ -764,6 +764,9 @@ exit_policy_is_general_exit(smartlist_t *policy)
   static const int ports[] = { 80, 443, 6667 };
   int n_allowed = 0;
   int i;
+  if (!policy)
+    return 0;
+
   for (i = 0; i < 3; ++i) {
     SMARTLIST_FOREACH(policy, addr_policy_t *, p, {
       if (p->prt_min > ports[i] || p->prt_max < ports[i])
@@ -787,6 +790,8 @@ exit_policy_is_general_exit(smartlist_t *policy)
 int
 policy_is_reject_star(smartlist_t *policy)
 {
+  if (!policy)
+    return 1;
   SMARTLIST_FOREACH(policy, addr_policy_t *, p, {
     if (p->policy_type == ADDR_POLICY_ACCEPT)
       return 0;
@@ -917,5 +922,13 @@ policies_free_all(void)
   authdir_reject_policy = NULL;
   addr_policy_list_free(authdir_invalid_policy);
   authdir_invalid_policy = NULL;
+  addr_policy_list_free(authdir_baddir_policy);
+  authdir_baddir_policy = NULL;
+  addr_policy_list_free(authdir_badexit_policy);
+  authdir_badexit_policy = NULL;
+
+  if (!HT_EMPTY(&policy_root))
+    log_warn(LD_MM, "Still had some address policies cached at shutdown.");
+  HT_CLEAR(policy_map, &policy_root);
 }