[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] r20913: {tor} Update svn trunk to Git version 2db0256372e02edfa517ad5b5610 (in tor/trunk: . debian doc src/common src/config src/or src/test)



Author: nickm
Date: 2009-11-06 15:28:07 -0500 (Fri, 06 Nov 2009)
New Revision: 20913

Added:
   tor/trunk/debian/src-test-test.h
Modified:
   tor/trunk/ChangeLog
   tor/trunk/debian/changelog
   tor/trunk/debian/rules
   tor/trunk/doc/tor.1.in
   tor/trunk/src/common/compat.c
   tor/trunk/src/common/compat.h
   tor/trunk/src/common/crypto.c
   tor/trunk/src/common/crypto.h
   tor/trunk/src/common/tortls.c
   tor/trunk/src/common/tortls.h
   tor/trunk/src/config/torrc.complete.in
   tor/trunk/src/or/circuitbuild.c
   tor/trunk/src/or/command.c
   tor/trunk/src/or/config.c
   tor/trunk/src/or/connection.c
   tor/trunk/src/or/connection_or.c
   tor/trunk/src/or/control.c
   tor/trunk/src/or/directory.c
   tor/trunk/src/or/dirserv.c
   tor/trunk/src/or/dirvote.c
   tor/trunk/src/or/hibernate.c
   tor/trunk/src/or/main.c
   tor/trunk/src/or/onion.c
   tor/trunk/src/or/or.h
   tor/trunk/src/or/policies.c
   tor/trunk/src/or/relay.c
   tor/trunk/src/or/rendclient.c
   tor/trunk/src/or/rendcommon.c
   tor/trunk/src/or/rendservice.c
   tor/trunk/src/or/router.c
   tor/trunk/src/test/test.c
   tor/trunk/src/test/test_crypto.c
   tor/trunk/src/test/test_dir.c
   tor/trunk/src/test/test_util.c
Log:
Update svn trunk to Git version 2db0256372e02edfa517ad5b56106f7210ddd7ab

Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/ChangeLog	2009-11-06 20:28:07 UTC (rev 20913)
@@ -14,7 +14,23 @@
       algorithms for signatures and resource selection.  Newer formats are
       signed with SHA256, with a possibility for moving to a better hash
       algorithm in the future.
+    - New DisableAllSwap option. If set to 1, Tor will attempt to lock all
+      current and future memory pages. On supported platforms, this should
+      effectively disable any and all attempts to page out memory. Under the
+      hood, DisableAllSwap uses mlockall() on unix-like platforms. Windows is
+      currently unsupported. We believe that this feature works on modern
+      Gnu/Linux distributions. Mac OS X appears to be broken by design. On
+      reasonable *BSD systems it should also be supported but this is untested.
+      This option requires that you start your Tor as root. If you use
+      DisableAllSwap, please consider using the User option to properly reduce
+      the privileges of your Tor.
 
+  o Major bugfixes:
+    - Work around a security feature in OpenSSL 0.9.8l that prevents our
+      handshake from working unless we explicitly tell OpenSSL that we are
+      using SSL renegotiation safely.  We are, of course, but OpenSSL
+      0.9.8l won't work unless we say we are.
+
   o Code simplifications and refactorings:
     - Numerous changes, bugfixes, and workarounds from Nathan Freitas
       to help Tor build correctly for Android phones.
@@ -24,6 +40,24 @@
   o Minor bugfixes:
     - Fix a crash bug when trying to initialize the evdns module in
       Libevent 2.
+    - Stop logging at severity 'warn' when some other Tor client tries
+      to establish a circuit with us using weak DH keys. It's a protocol
+      violation, but that doesn't mean ordinary users need to hear about
+      it. Fixes the bug part of bug 1114. Bugfix on 0.1.0.13.
+    - Do not refuse to learn about authority certs and v2 networkstatus
+      documents that are older than the latest consensus.  This bug might
+      have degraded client bootstrapping.  Bugfix on 0.2.0.10-alpha.
+      Spotted and fixed by xmux.
+    - Fix numerous small code-flaws found by Coverity Scan Rung 3.
+    - If all authorities restart at once right before a consensus vote,
+      nobody will vote about "Running", and clients will get a consensus
+      with no usable relays. Instead, authorities refuse to build a
+      consensus if this happens. Bugfix on 0.2.0.10-alpha; fixes bug 1066.
+    - If your relay can't keep up with the number of incoming create
+      cells, it would log one warning per failure into your logs. Limit
+      warnings to 1 per minute. Bugfix on 0.0.2pre10; fixes bug 1042.
+    - Bridges do not use the default exit policy, but reject *:* by
+      default. Fixes bug 1113.
 
 
 Changes in version 0.2.2.5-alpha - 2009-10-11
@@ -282,6 +316,23 @@
       occurred with the upgrade to Vidalia 0.2.3.
 
 
+Changes in Version 0.2.1.21 - 20??-??-??
+  o Major bugfixes:
+    - Work around a security feature in OpenSSL 0.9.8l that prevents our
+      handshake from working unless we explicitly tell OpenSSL that we are
+      using SSL renegotiation safely.  We are, of course, but OpenSSL
+      0.9.8l won't work unless we say we are.
+
+  o Minor bugfixes:
+    - Do not refuse to learn about authority certs and v2 networkstatus
+      documents that are older than the latest consensus.  This bug might
+      have degraded client bootstrapping.  Bugfix on 0.2.0.10-alpha.
+      Spotted and fixed by xmux.
+    - Fix a couple of very-hard-to-trigger memory leaks, and one hard-to-
+      trigger platform-specific option misparsing case found by Coverity
+      Scan.
+
+
 Changes in version 0.2.1.20 - 2009-10-15
   o Major bugfixes:
     - Send circuit or stream sendme cells when our window has decreased

Modified: tor/trunk/debian/changelog
===================================================================
--- tor/trunk/debian/changelog	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/debian/changelog	2009-11-06 20:28:07 UTC (rev 20913)
@@ -1,3 +1,15 @@
+tor (0.2.2.4-alpha-1) experimental; urgency=low
+
+  * New upstream version.
+  * The testsuite moved from src/or/test to src/test/test,
+    but let's call it using "make check" now.
+  * Upstream failed to ship src/test/test.h.  Ship it in debian/ and
+    manually copy it in place during configure and clean up in clean.
+    Let's not use the patch system as this will most likely be rectified
+    by next release.
+
+ -- Peter Palfrader <weasel@xxxxxxxxxx>  Sun, 11 Oct 2009 10:38:55 +0200
+
 tor (0.2.2.3-alpha-1) experimental; urgency=low
 
   * New upstream version.

Modified: tor/trunk/debian/rules
===================================================================
--- tor/trunk/debian/rules	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/debian/rules	2009-11-06 20:28:07 UTC (rev 20913)
@@ -66,6 +66,11 @@
 
 configure: patch-stamp
 config.status: configure
+	# clean up test.h stuff.  XXX - expected to no longer be needed after tor-0.2.2.4-alpha
+	rm -f src/test/test.h.orig
+	! [ -e src/test/test.h ] || mv src/test/test.h src/test/test.h.orig
+	cp debian/src-test-test.h src/test/test.h
+
 	@if [ "$(LOCALHOST_IP)" != "127.0.0.1" ]; then echo; echo; echo; echo; echo; echo "######################################################################"; echo "WARNING: This system does not think localhost is 127.0.0.1.  Will ignore result of testsuite.  Please fix your system/chroot."; echo "######################################################################"; echo; echo; echo; echo; echo "Note: 'getent hosts localhost' should return '127.0.0.1 localhost'"; echo; fi
 	dh_testdir
 	CFLAGS="$(CFLAGS)" ./configure \
@@ -91,11 +96,11 @@
 	@if [ "$(RUN_TEST)" != "no" ]; then \
 		if [ "$(LOCALHOST_IP)" != "127.0.0.1" ]; then \
 			echo; echo; echo "######################################################################"; echo "WARNING: This system does not think localhost is 127.0.0.1.  Will ignore result of testsuite.  Please fix your system/chroot."; echo "######################################################################"; echo; echo; \
-			echo "src/or/test || true"; \
-			src/or/test || true; \
+			echo "make check || true"; \
+			make check || true; \
 		else \
-			echo "src/or/test"; \
-			src/or/test; \
+			echo "make check"; \
+			make check; \
 		fi; \
 	else \
 		echo -e "\n\nSkipping unittests\n\n"; \
@@ -135,6 +140,10 @@
 
 	[ ! -f Makefile ] || $(MAKE) distclean
 
+	# clean up test.h stuff.  XXX - expected to no longer be needed after tor-0.2.2.4-alpha
+	rm -f src/test/test.h
+	! [ -e src/test/test.h.orig ] || mv src/test/test.h.orig src/test/test.h
+
 	# Normally the .deb wouldn't ship with a ../.git
 	if [ -d .git ] && which git >/dev/null; then \
 		echo "\"`git rev-parse --short=16 HEAD`\"" > "debian/micro-revision.i" ; \

Added: tor/trunk/debian/src-test-test.h
===================================================================
--- tor/trunk/debian/src-test-test.h	                        (rev 0)
+++ tor/trunk/debian/src-test-test.h	2009-11-06 20:28:07 UTC (rev 20913)
@@ -0,0 +1,75 @@
+/* Copyright (c) 2001-2003, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2009, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+#ifndef _TOR_TEST_H
+#define _TOR_TEST_H
+
+/**
+ * \file test.h
+ * \brief Macros and functions used by unit tests.
+ */
+
+#include "compat.h"
+#include "tinytest.h"
+#define TT_EXIT_TEST_FUNCTION STMT_BEGIN goto done; STMT_END
+#include "tinytest_macros.h"
+
+#ifdef __GNUC__
+#define PRETTY_FUNCTION __PRETTY_FUNCTION__
+#else
+#define PRETTY_FUNCTION ""
+#endif
+
+#define test_fail_msg(msg) TT_DIE((msg))
+
+#define test_fail() test_fail_msg("Assertion failed.")
+
+#define test_assert(expr) tt_assert(expr)
+
+#define test_eq(expr1, expr2) tt_int_op((expr1), ==, (expr2))
+#define test_eq_ptr(expr1, expr2) tt_ptr_op((expr1), ==, (expr2))
+#define test_neq(expr1, expr2) tt_int_op((expr1), !=, (expr2))
+#define test_neq_ptr(expr1, expr2) tt_ptr_op((expr1), !=, (expr2))
+#define test_streq(expr1, expr2) tt_str_op((expr1), ==, (expr2))
+#define test_strneq(expr1, expr2) tt_str_op((expr1), !=, (expr2))
+#define test_streq(expr1, expr2) tt_str_op((expr1), ==, (expr2))
+
+#define test_mem_op(expr1, op, expr2, len)                              \
+  tt_assert_test_fmt_type(expr1,expr2,#expr1" "#op" "#expr2,            \
+                          const char *,                                 \
+                          (memcmp(_val1, _val2, len) op 0),             \
+                          char *, "%s",                                 \
+                          { size_t printlen = (len)*2+1;                \
+                            _print = tor_malloc(printlen);              \
+                            base16_encode(_print, printlen, _value,     \
+                                          (len)); },                    \
+                          { tor_free(_print); }                         \
+                          );
+
+#define test_memeq(expr1, expr2, len) test_mem_op((expr1), ==, (expr2), len)
+#define test_memneq(expr1, expr2, len) test_mem_op((expr1), !=, (expr2), len)
+
+/* As test_mem_op, but decodes 'hex' before comparing.  There must be a
+ * local char* variable called mem_op_hex_tmp for this to work. */
+#define test_mem_op_hex(expr1, op, hex)                                 \
+  STMT_BEGIN                                                            \
+  size_t length = strlen(hex);                                          \
+  tor_free(mem_op_hex_tmp);                                             \
+  mem_op_hex_tmp = tor_malloc(length/2);                                \
+  tor_assert((length&1)==0);                                            \
+  base16_decode(mem_op_hex_tmp, length/2, hex, length);                 \
+  test_mem_op(expr1, op, mem_op_hex_tmp, length/2);                     \
+  STMT_END
+
+#define test_memeq_hex(expr1, hex) test_mem_op_hex(expr1, ==, hex)
+
+const char *get_fname(const char *name);
+crypto_pk_env_t *pk_generate(int idx);
+
+void legacy_test_helper(void *data);
+extern const struct testcase_setup_t legacy_setup;
+
+#endif
+


Property changes on: tor/trunk/debian/src-test-test.h
___________________________________________________________________
Added: svn:keywords
   + Author Date Id Revision

Modified: tor/trunk/doc/tor.1.in
===================================================================
--- tor/trunk/doc/tor.1.in	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/doc/tor.1.in	2009-11-06 20:28:07 UTC (rev 20913)
@@ -234,6 +234,19 @@
 bridge authorities.
 .LP
 .TP
+\fBDisableAllSwap \fR\fB0\fR|\fB1\fR\fP
+If set to 1, Tor will attempt to lock all current and future memory pages.
+On supported platforms, this should effectively disable any and all attempts
+to page out memory. Under the hood, DisableAllSwap uses mlockall() on unix-like
+platforms. Windows is currently unsupported. We believe that this feature works
+on modern Gnu/Linux distributions. Mac OS X appears to be broken by design. On
+reasonable *BSD systems it should also be supported but this is untested. This
+option requires that you start your Tor as root. If you use DisableAllSwap,
+please consider using the User option to properly reduce the privileges of
+your Tor.
+(Default: 0)
+.LP
+.TP
 \fBFetchDirInfoEarly \fR\fB0\fR|\fB1\fR\fP
 If set to 1, Tor will always fetch directory information like other
 directory caches, even if you don't meet the normal criteria for

Modified: tor/trunk/src/common/compat.c
===================================================================
--- tor/trunk/src/common/compat.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/common/compat.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -2204,6 +2204,105 @@
 }
 #endif
 
+#ifdef HAVE_SYS_MMAN_H
+/** Attempt to raise the current and max rlimit to infinity for our process.
+ * This only needs to be done once and can probably only be done when we have
+ * not already dropped privileges.
+ */
+static int
+tor_set_max_memlock(void)
+{
+  /* Future consideration for Windows is probably SetProcessWorkingSetSize
+   * This is similar to setting the memory rlimit of RLIMIT_MEMLOCK
+   * http://msdn.microsoft.com/en-us/library/ms686234(VS.85).aspx
+   */
+
+  struct rlimit limit;
+  int ret;
+
+  /* Do we want to report current limits first? This is not really needed. */
+  ret = getrlimit(RLIMIT_MEMLOCK, &limit);
+  if (ret == -1) {
+    log_warn(LD_GENERAL, "Could not get RLIMIT_MEMLOCK: %s", strerror(errno));
+    return -1;
+  }
+
+  /* RLIM_INFINITY is -1 on some platforms. */
+  limit.rlim_cur = RLIM_INFINITY;
+  limit.rlim_max = RLIM_INFINITY;
+
+  ret = setrlimit(RLIMIT_MEMLOCK, &limit);
+  if (ret == -1) {
+    if (errno == EPERM) {
+      log_warn(LD_GENERAL, "You appear to lack permissions to change memory "
+                           "limits. Are you root?");
+      log_warn(LD_GENERAL, "Unable to raise RLIMIT_MEMLOCK: %s",
+               strerror(errno));
+    } else {
+      log_warn(LD_GENERAL, "Could not raise RLIMIT_MEMLOCK: %s",
+               strerror(errno));
+    }
+    return -1;
+  }
+
+  return 0;
+}
+#endif
+
+/** Attempt to lock all current and all future memory pages.
+ * This should only be called once and while we're privileged.
+ * Like mlockall() we return 0 when we're successful and -1 when we're not.
+ * Unlike mlockall() we return 1 if we've already attempted to lock memory.
+ */
+int
+tor_mlockall(void)
+{
+  static int memory_lock_attempted = 0;
+  int ret;
+
+  if (memory_lock_attempted) {
+    return 1;
+  }
+
+  memory_lock_attempted = 1;
+
+  /*
+   * Future consideration for Windows may be VirtualLock
+   * VirtualLock appears to implement mlock() but not mlockall()
+   *
+   * http://msdn.microsoft.com/en-us/library/aa366895(VS.85).aspx
+   */
+
+#ifdef HAVE_SYS_MMAN_H
+  ret = tor_set_max_memlock();
+  if (ret == 0) {
+    /* Perhaps we only want to log this if we're in a verbose mode? */
+    log_notice(LD_GENERAL, "RLIMIT_MEMLOCK is now set to RLIM_INFINITY.");
+  }
+
+  ret = mlockall(MCL_CURRENT|MCL_FUTURE);
+  if (ret == 0) {
+    log_notice(LD_GENERAL, "Insecure OS paging is effectively disabled.");
+    return 0;
+  } else {
+    if (errno == ENOSYS) {
+      /* Apple - it's 2009! I'm looking at you. Grrr. */
+      log_notice(LD_GENERAL, "It appears that mlockall() is not available on "
+                             "your platform.");
+    } else if (errno == EPERM) {
+      log_notice(LD_GENERAL, "It appears that you lack the permissions to "
+                             "lock memory. Are you root?");
+    }
+    log_notice(LD_GENERAL, "Unable to lock all current and future memory "
+                           "pages: %s", strerror(errno));
+    return -1;
+  }
+#else
+  log_warn(LD_GENERAL, "Unable to lock memory pages. mlockall() unsupported?");
+  return -1;
+#endif
+}
+
 /** Identity of the "main" thread */
 static unsigned long main_thread_id = -1;
 

Modified: tor/trunk/src/common/compat.h
===================================================================
--- tor/trunk/src/common/compat.h	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/common/compat.h	2009-11-06 20:28:07 UTC (rev 20913)
@@ -509,6 +509,8 @@
 #endif
 } tor_mutex_t;
 
+int tor_mlockall(void);
+
 #ifdef TOR_IS_MULTITHREADED
 tor_mutex_t *tor_mutex_new(void);
 void tor_mutex_init(tor_mutex_t *m);

Modified: tor/trunk/src/common/crypto.c
===================================================================
--- tor/trunk/src/common/crypto.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/common/crypto.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -122,7 +122,7 @@
 };
 
 static int setup_openssl_threading(void);
-static int tor_check_dh_key(BIGNUM *bn);
+static int tor_check_dh_key(int severity, BIGNUM *bn);
 
 /** Return the number of bytes added by padding method <b>padding</b>.
  */
@@ -1260,9 +1260,6 @@
   tor_assert(env);
   tor_assert(key);
 
-  if (!env->key)
-    return -1;
-
   memcpy(env->key, key, CIPHER_KEY_LEN);
   return 0;
 }
@@ -1723,7 +1720,7 @@
     crypto_log_errors(LOG_WARN, "generating DH key");
     return -1;
   }
-  if (tor_check_dh_key(dh->dh->pub_key)<0) {
+  if (tor_check_dh_key(LOG_WARN, dh->dh->pub_key)<0) {
     log_warn(LD_CRYPTO, "Weird! Our own DH key was invalid.  I guess once-in-"
              "the-universe chances really do happen.  Trying again.");
     /* Free and clear the keys, so OpenSSL will actually try again. */
@@ -1770,7 +1767,7 @@
  * See http://www.cl.cam.ac.uk/ftp/users/rja14/psandqs.ps.gz for some tips.
  */
 static int
-tor_check_dh_key(BIGNUM *bn)
+tor_check_dh_key(int severity, BIGNUM *bn)
 {
   BIGNUM *x;
   char *s;
@@ -1781,13 +1778,13 @@
     init_dh_param();
   BN_set_word(x, 1);
   if (BN_cmp(bn,x)<=0) {
-    log_warn(LD_CRYPTO, "DH key must be at least 2.");
+    log_fn(severity, LD_CRYPTO, "DH key must be at least 2.");
     goto err;
   }
   BN_copy(x,dh_param_p);
   BN_sub_word(x, 1);
   if (BN_cmp(bn,x)>=0) {
-    log_warn(LD_CRYPTO, "DH key must be at most p-2.");
+    log_fn(severity, LD_CRYPTO, "DH key must be at most p-2.");
     goto err;
   }
   BN_free(x);
@@ -1795,7 +1792,7 @@
  err:
   BN_free(x);
   s = BN_bn2hex(bn);
-  log_warn(LD_CRYPTO, "Rejecting insecure DH key [%s]", s);
+  log_fn(severity, LD_CRYPTO, "Rejecting insecure DH key [%s]", s);
   OPENSSL_free(s);
   return -1;
 }
@@ -1813,7 +1810,7 @@
  * where || is concatenation.)
  */
 ssize_t
-crypto_dh_compute_secret(crypto_dh_env_t *dh,
+crypto_dh_compute_secret(int severity, crypto_dh_env_t *dh,
                          const char *pubkey, size_t pubkey_len,
                          char *secret_out, size_t secret_bytes_out)
 {
@@ -1828,9 +1825,9 @@
   if (!(pubkey_bn = BN_bin2bn((const unsigned char*)pubkey,
                               (int)pubkey_len, NULL)))
     goto error;
-  if (tor_check_dh_key(pubkey_bn)<0) {
+  if (tor_check_dh_key(severity, pubkey_bn)<0) {
     /* Check for invalid public keys. */
-    log_warn(LD_CRYPTO,"Rejected invalid g^x");
+    log_fn(severity, LD_CRYPTO,"Rejected invalid g^x");
     goto error;
   }
   secret_tmp = tor_malloc(crypto_dh_get_bytes(dh));

Modified: tor/trunk/src/common/crypto.h
===================================================================
--- tor/trunk/src/common/crypto.h	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/common/crypto.h	2009-11-06 20:28:07 UTC (rev 20913)
@@ -198,7 +198,7 @@
 int crypto_dh_generate_public(crypto_dh_env_t *dh);
 int crypto_dh_get_public(crypto_dh_env_t *dh, char *pubkey_out,
                          size_t pubkey_out_len);
-ssize_t crypto_dh_compute_secret(crypto_dh_env_t *dh,
+ssize_t crypto_dh_compute_secret(int severity, crypto_dh_env_t *dh,
                              const char *pubkey, size_t pubkey_len,
                              char *secret_out, size_t secret_out_len);
 void crypto_dh_free(crypto_dh_env_t *dh);

Modified: tor/trunk/src/common/tortls.c
===================================================================
--- tor/trunk/src/common/tortls.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/common/tortls.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -154,6 +154,7 @@
                                         const char *cname,
                                         const char *cname_sign,
                                         unsigned int lifetime);
+static void tor_tls_unblock_renegotiation(tor_tls_t *tls);
 
 /** Global tls context. We keep it here because nobody else needs to
  * touch it. */
@@ -927,6 +928,36 @@
 #endif
 }
 
+/** If this version of openssl requires it, turn on renegotiation on
+ * <b>tls</b>.  (Our protocol never requires this for security, but it's nice
+ * to use belt-and-suspenders here.)
+ */
+static void
+tor_tls_unblock_renegotiation(tor_tls_t *tls)
+{
+#ifdef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+  /* Yes, we know what we are doing here.  No, we do not treat a renegotiation
+   * as authenticating any earlier-received data. */
+  tls->ssl->s3->flags |= SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+#else
+  (void)tls;
+#endif
+}
+
+/** If this version of openssl supports it, turn off renegotiation on
+ * <b>tls</b>.  (Our protocol never requires this for security, but it's nice
+ * to use belt-and-suspenders here.)
+ */
+void
+tor_tls_block_renegotiation(tor_tls_t *tls)
+{
+#ifdef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+  tls->ssl->s3->flags &= ~SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+#else
+  (void)tls;
+#endif
+}
+
 /** Return whether this tls initiated the connect (client) or
  * received it (server). */
 int
@@ -1058,6 +1089,9 @@
   if (oldstate != tls->ssl->state)
     log_debug(LD_HANDSHAKE, "After call, %p was in state %s",
               tls, ssl_state_to_string(tls->ssl->state));
+  /* We need to call this here and not earlier, since OpenSSL has a penchant
+   * for clearing its flags when you say accept or connect. */
+  tor_tls_unblock_renegotiation(tls);
   r = tor_tls_get_error(tls,r,0, "handshaking", LOG_INFO, LD_HANDSHAKE);
   if (ERR_peek_error() != 0) {
     tls_log_errors(tls, tls->isServer ? LOG_INFO : LOG_WARN, LD_HANDSHAKE,

Modified: tor/trunk/src/common/tortls.h
===================================================================
--- tor/trunk/src/common/tortls.h	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/common/tortls.h	2009-11-06 20:28:07 UTC (rev 20913)
@@ -65,6 +65,7 @@
 int tor_tls_write(tor_tls_t *tls, const char *cp, size_t n);
 int tor_tls_handshake(tor_tls_t *tls);
 int tor_tls_renegotiate(tor_tls_t *tls);
+void tor_tls_block_renegotiation(tor_tls_t *tls);
 int tor_tls_shutdown(tor_tls_t *tls);
 int tor_tls_get_pending_bytes(tor_tls_t *tls);
 size_t tor_tls_get_forced_write_size(tor_tls_t *tls);

Modified: tor/trunk/src/config/torrc.complete.in
===================================================================
--- tor/trunk/src/config/torrc.complete.in	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/config/torrc.complete.in	2009-11-06 20:28:07 UTC (rev 20913)
@@ -79,6 +79,9 @@
 #DirServer moria2 v1 18.244.0.114:80 719B E45D E224 B607 C537 07D0 E214 3E2D 423E 74CF
 #DirServer tor26 v1 86.59.21.38:80 847B 1F85 0344 D787 6491 A548 92F9 0493 4E4E B85D
 
+## Attempt to lock current and future memory pages and effectively disable swap
+# DisableAllSwap 0|1
+
 ## On startup, setgid to this user.
 #Group GID
 

Modified: tor/trunk/src/or/circuitbuild.c
===================================================================
--- tor/trunk/src/or/circuitbuild.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/or/circuitbuild.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -1015,8 +1015,7 @@
         router_get_verbose_nickname(elt, ri);
       } else if ((rs = router_get_consensus_status_by_id(id))) {
         routerstatus_get_verbose_nickname(elt, rs);
-      } else if (hop->extend_info->nickname &&
-                 is_legal_nickname(hop->extend_info->nickname)) {
+      } else if (is_legal_nickname(hop->extend_info->nickname)) {
         elt[0] = '$';
         base16_encode(elt+1, HEX_DIGEST_LEN+1, id, DIGEST_LEN);
         elt[HEX_DIGEST_LEN+1]= '~';
@@ -1228,7 +1227,7 @@
 
   if (!n_conn) {
     /* not currently connected in a useful way. */
-    const char *name = firsthop->extend_info->nickname ?
+    const char *name = strlen(firsthop->extend_info->nickname) ?
       firsthop->extend_info->nickname : fmt_addr(&firsthop->extend_info->addr);
     log_info(LD_CIRC, "Next router is %s: %s ", safe_str(name), msg?msg:"???");
     circ->_base.n_hop = extend_info_dup(firsthop->extend_info);

Modified: tor/trunk/src/or/command.c
===================================================================
--- tor/trunk/src/or/command.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/or/command.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -395,8 +395,10 @@
    * gotten no more than MAX_RELAY_EARLY_CELLS_PER_CIRCUIT of them. */
   if (cell->command == CELL_RELAY_EARLY) {
     if (direction == CELL_DIRECTION_IN) {
-      /* XXX Allow an unlimited number of inbound relay_early cells for
-       * now, for hidden service compatibility. See bug 1038. -RD */
+      /* Allow an unlimited number of inbound relay_early cells,
+       * for hidden service compatibility. There isn't any way to make
+       * a long circuit through inbound relay_early cells anyway. See
+       * bug 1038. -RD */
     } else {
       or_circuit_t *or_circ = TO_OR_CIRCUIT(circ);
       if (or_circ->remaining_relay_early_cells == 0) {

Modified: tor/trunk/src/or/config.c
===================================================================
--- tor/trunk/src/or/config.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/or/config.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -195,6 +195,7 @@
   OBSOLETE("DirRecordUsageSaveInterval"),
   V(DirReqStatistics,            BOOL,     "0"),
   VAR("DirServer",               LINELIST, DirServers, NULL),
+  V(DisableAllSwap,              BOOL,     "0"),
   V(DNSPort,                     UINT,     "0"),
   V(DNSListenAddress,            LINELIST, NULL),
   V(DownloadExtraInfo,           BOOL,     "0"),
@@ -456,6 +457,8 @@
   { "DirServer", "Tor only trusts directories signed with one of these "
     "servers' keys.  Used to override the standard list of directory "
     "authorities." },
+  { "DisableAllSwap", "Tor will attempt a simple memory lock that "
+    "will prevent leaking of all information in memory to the swap file." },
   /* { "FastFirstHopPK", "" }, */
   /* FetchServerDescriptors, FetchHidServDescriptors,
    * FetchUselessDescriptors */
@@ -1115,6 +1118,15 @@
   }
 #endif
 
+  /* Attempt to lock all current and future memory with mlockall() only once */
+  if (options->DisableAllSwap) {
+    if (tor_mlockall() == -1) {
+      *msg = tor_strdup("DisableAllSwap failure. Do you have proper "
+                        "permissions?");
+      goto done;
+    }
+  }
+
   /* Setuid/setgid as appropriate */
   if (options->User) {
     if (switch_id(options->User) != 0) {
@@ -2254,6 +2266,7 @@
       break;
     case CONFIG_TYPE_ISOTIME:
       *(time_t*)lvalue = 0;
+      break;
     case CONFIG_TYPE_INTERVAL:
     case CONFIG_TYPE_UINT:
     case CONFIG_TYPE_BOOL:
@@ -2267,6 +2280,7 @@
         routerset_free(*(routerset_t**)lvalue);
         *(routerset_t**)lvalue = NULL;
       }
+      break;
     case CONFIG_TYPE_CSV:
       if (*(smartlist_t**)lvalue) {
         SMARTLIST_FOREACH(*(smartlist_t **)lvalue, char *, cp, tor_free(cp));
@@ -3832,6 +3846,12 @@
     return -1;
   }
 
+  if (old->DisableAllSwap != new_val->DisableAllSwap) {
+    *msg = tor_strdup("While Tor is running, changing DisableAllSwap "
+                      "is not allowed.");
+    return -1;
+  }
+
   return 0;
 }
 

Modified: tor/trunk/src/or/connection.c
===================================================================
--- tor/trunk/src/or/connection.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/or/connection.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -566,7 +566,7 @@
         rep_hist_note_disconnect(or_conn->identity_digest, now);
         control_event_or_conn_status(or_conn, OR_CONN_EVENT_CLOSED,
                 tls_error_to_orconn_end_reason(or_conn->tls_error));
-      } else if (or_conn->identity_digest) {
+      } else if (!tor_digest_is_zero(or_conn->identity_digest)) {
         rep_hist_note_connection_died(or_conn->identity_digest, now);
         control_event_or_conn_status(or_conn, OR_CONN_EVENT_CLOSED,
                 tls_error_to_orconn_end_reason(or_conn->tls_error));

Modified: tor/trunk/src/or/connection_or.c
===================================================================
--- tor/trunk/src/or/connection_or.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/or/connection_or.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -799,6 +799,7 @@
 
   /* Don't invoke this again. */
   tor_tls_set_renegotiate_callback(tls, NULL, NULL);
+  tor_tls_block_renegotiation(tls);
 
   if (connection_tls_finish_handshake(conn) < 0) {
     /* XXXX_TLS double-check that it's ok to do this from inside read. */
@@ -1045,6 +1046,7 @@
       connection_or_init_conn_from_address(conn, &conn->_base.addr,
                                            conn->_base.port, digest_rcvd, 0);
     }
+    tor_tls_block_renegotiation(conn->tls);
     return connection_or_set_state_open(conn);
   } else {
     conn->_base.state = OR_CONN_STATE_OR_HANDSHAKING;

Modified: tor/trunk/src/or/control.c
===================================================================
--- tor/trunk/src/or/control.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/or/control.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -830,36 +830,37 @@
 
   retval = options_init_from_string(body, CMD_RUN_TOR, NULL, &errstring);
 
-  if (retval != SETOPT_OK) {
+  if (retval != SETOPT_OK)
     log_warn(LD_CONTROL,
              "Controller gave us config file that didn't validate: %s",
              errstring);
-    switch (retval) {
-      case SETOPT_ERR_PARSE:
-        msg = "552 Invalid config file";
-        break;
-      case SETOPT_ERR_TRANSITION:
-        msg = "553 Transition not allowed";
-        break;
-      case SETOPT_ERR_SETTING:
-        msg = "553 Unable to set option";
-        break;
-      case SETOPT_ERR_MISC:
-      default:
-        msg = "550 Unable to load config";
-        break;
-      case SETOPT_OK:
-        tor_fragile_assert();
-        break;
-    }
-    if (*errstring)
+
+  switch (retval) {
+  case SETOPT_ERR_PARSE:
+    msg = "552 Invalid config file";
+    break;
+  case SETOPT_ERR_TRANSITION:
+    msg = "553 Transition not allowed";
+    break;
+  case SETOPT_ERR_SETTING:
+    msg = "553 Unable to set option";
+    break;
+  case SETOPT_ERR_MISC:
+  default:
+    msg = "550 Unable to load config";
+    break;
+  case SETOPT_OK:
+    break;
+  }
+  if (msg) {
+    if (errstring)
       connection_printf_to_buf(conn, "%s: %s\r\n", msg, errstring);
     else
       connection_printf_to_buf(conn, "%s\r\n", msg);
-    tor_free(errstring);
-    return 0;
+  } else {
+    send_control_done(conn);
   }
-  send_control_done(conn);
+  tor_free(errstring);
   return 0;
 }
 
@@ -1456,6 +1457,7 @@
     if (res) {
       log_warn(LD_CONTROL, "getinfo '%s': %s", question, msg);
       smartlist_free(descs);
+      tor_free(url);
       return -1;
     }
     SMARTLIST_FOREACH(descs, signed_descriptor_t *, sd,
@@ -2262,7 +2264,7 @@
     char* exit_digest;
     if (circ->build_state &&
         circ->build_state->chosen_exit &&
-        circ->build_state->chosen_exit->identity_digest) {
+        !tor_digest_is_zero(circ->build_state->chosen_exit->identity_digest)) {
       exit_digest = circ->build_state->chosen_exit->identity_digest;
       r = router_get_by_digest(exit_digest);
     }

Modified: tor/trunk/src/or/directory.c
===================================================================
--- tor/trunk/src/or/directory.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/or/directory.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -333,7 +333,7 @@
       return;
   }
 
-  if (DIR_PURPOSE_FETCH_CONSENSUS) {
+  if (dir_purpose == DIR_PURPOSE_FETCH_CONSENSUS) {
     networkstatus_t *v = networkstatus_get_latest_consensus();
     if (v)
       if_modified_since = v->valid_after + 180;
@@ -1689,8 +1689,8 @@
              (int) body_len, conn->_base.address, conn->_base.port);
     if (status_code != 200) {
       log_warn(LD_DIR,
-        "Received http status code %d (%s) from server "
-        "'%s:%d' while fetching \"/tor/status-vote/consensus-signatures.z\".",
+        "Received http status code %d (%s) from server '%s:%d' while fetching "
+        "\"/tor/status-vote/next/consensus-signatures.z\".",
              status_code, escaped(reason), conn->_base.address,
              conn->_base.port);
       tor_free(body); tor_free(headers); tor_free(reason);

Modified: tor/trunk/src/or/dirserv.c
===================================================================
--- tor/trunk/src/or/dirserv.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/or/dirserv.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -2609,11 +2609,6 @@
   voter->nickname = tor_strdup(options->Nickname);
   memcpy(voter->identity_digest, identity_digest, DIGEST_LEN);
   voter->sigs = smartlist_create();
-  {
-    document_signature_t *sig = tor_malloc_zero(sizeof(document_signature_t));
-    memcpy(sig->identity_digest, identity_digest, DIGEST_LEN);
-    memcpy(sig->signing_key_digest, signing_key_digest, DIGEST_LEN);
-  }
   voter->address = hostname;
   voter->addr = addr;
   voter->dir_port = options->DirPort;

Modified: tor/trunk/src/or/dirvote.c
===================================================================
--- tor/trunk/src/or/dirvote.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/or/dirvote.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -2304,7 +2304,7 @@
 dirvote_compute_consensuses(void)
 {
   /* Have we got enough votes to try? */
-  int n_votes, n_voters;
+  int n_votes, n_voters, n_vote_running = 0;
   smartlist_t *votes = NULL, *votestrings = NULL;
   char *consensus_body = NULL, *signatures = NULL, *votefile;
   networkstatus_t *consensus = NULL;
@@ -2324,6 +2324,19 @@
              "%d of %d", n_votes, n_voters/2);
     goto err;
   }
+  tor_assert(pending_vote_list);
+  SMARTLIST_FOREACH(pending_vote_list, pending_vote_t *, v, {
+    if (smartlist_string_isin(v->vote->known_flags, "Running"))
+      n_vote_running++;
+  });
+  if (!n_vote_running) {
+    /* See task 1066. */
+    log_warn(LD_DIR, "Nobody has voted on the Running flag. Generating "
+                     "and publishing a consensus without Running nodes "
+                     "would make many clients stop working. Not "
+                     "generating a consensus!");
+    goto err;
+  }
 
   if (!(my_cert = get_my_v3_authority_cert())) {
     log_warn(LD_DIR, "Can't generate consensus without a certificate.");

Modified: tor/trunk/src/or/hibernate.c
===================================================================
--- tor/trunk/src/or/hibernate.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/or/hibernate.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -182,6 +182,9 @@
   case UNIT_DAY:
     d = 0;
     break;
+    /* Coverity dislikes unreachable default cases; some compilers warn on
+     * switch statements missing a case.  Tell Coverity not to worry. */
+    /* coverity[dead_error_begin] */
   default:
     tor_assert(0);
   }

Modified: tor/trunk/src/or/main.c
===================================================================
--- tor/trunk/src/or/main.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/or/main.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -731,6 +731,7 @@
     return; /* we're all done here, the rest is just for OR conns */
 
   or_conn = TO_OR_CONN(conn);
+  tor_assert(conn->outbuf);
 
   if (or_conn->is_bad_for_new_circs && !or_conn->n_circuits) {
     /* It's bad for new circuits, and has no unmarked circuits on it:

Modified: tor/trunk/src/or/onion.c
===================================================================
--- tor/trunk/src/or/onion.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/or/onion.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -58,11 +58,17 @@
   tor_assert(!ol_tail->next);
 
   if (ol_length >= get_options()->MaxOnionsPending) {
-    log_warn(LD_GENERAL,
-             "Your computer is too slow to handle this many circuit "
-             "creation requests! Please consider using the "
-             "MaxAdvertisedBandwidth config option or choosing a more "
-             "restricted exit policy.");
+#define WARN_TOO_MANY_CIRC_CREATIONS_INTERVAL (60)
+    static time_t last_warned = 0;
+    time_t now = time(NULL);
+    if (last_warned + WARN_TOO_MANY_CIRC_CREATIONS_INTERVAL < now) {
+      log_warn(LD_GENERAL,
+               "Your computer is too slow to handle this many circuit "
+               "creation requests! Please consider using the "
+               "MaxAdvertisedBandwidth config option or choosing a more "
+               "restricted exit policy.");
+      last_warned = now;
+    }
     tor_free(tmp);
     return -1;
   }
@@ -253,8 +259,9 @@
 
   key_material_len = DIGEST_LEN+key_out_len;
   key_material = tor_malloc(key_material_len);
-  len = crypto_dh_compute_secret(dh, challenge, DH_KEY_LEN,
-                                 key_material, key_material_len);
+  len = crypto_dh_compute_secret(LOG_PROTOCOL_WARN, dh, challenge,
+                                 DH_KEY_LEN, key_material,
+                                 key_material_len);
   if (len < 0) {
     log_info(LD_GENERAL, "crypto_dh_compute_secret failed.");
     goto err;
@@ -304,8 +311,9 @@
 
   key_material_len = DIGEST_LEN + key_out_len;
   key_material = tor_malloc(key_material_len);
-  len = crypto_dh_compute_secret(handshake_state, handshake_reply, DH_KEY_LEN,
-                                 key_material, key_material_len);
+  len = crypto_dh_compute_secret(LOG_PROTOCOL_WARN, handshake_state,
+                                 handshake_reply, DH_KEY_LEN, key_material,
+                                 key_material_len);
   if (len < 0)
     goto err;
 

Modified: tor/trunk/src/or/or.h
===================================================================
--- tor/trunk/src/or/or.h	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/or/or.h	2009-11-06 20:28:07 UTC (rev 20913)
@@ -2287,6 +2287,9 @@
                         * stop building circuits? */
   int StrictEntryNodes; /**< Boolean: When none of our EntryNodes are up, do we
                          * stop building circuits? */
+  int DisableAllSwap; /**< Boolean: Attempt to call mlockall() on our
+                               * process for all current and future memory. */
+
   routerset_t *ExcludeNodes;/**< Structure containing nicknames, digests,
                              * country codes and IP address patterns of ORs
                              * not to use in circuits. */
@@ -4353,7 +4356,8 @@
 addr_policy_result_t compare_addr_to_addr_policy(uint32_t addr,
                               uint16_t port, const smartlist_t *policy);
 int policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest,
-                               int rejectprivate, const char *local_address);
+                               int rejectprivate, const char *local_address,
+                               int add_default_policy);
 void policies_set_router_exitpolicy_to_reject_all(routerinfo_t *exitrouter);
 int exit_policy_is_general_exit(smartlist_t *policy);
 int policy_is_reject_star(const smartlist_t *policy);

Modified: tor/trunk/src/or/policies.c
===================================================================
--- tor/trunk/src/or/policies.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/or/policies.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -344,7 +344,8 @@
   *msg = NULL;
 
   if (policies_parse_exit_policy(options->ExitPolicy, &addr_policy,
-                                 options->ExitPolicyRejectPrivate, NULL))
+                                 options->ExitPolicyRejectPrivate, NULL,
+                                 !options->BridgeRelay))
     REJECT("Error in ExitPolicy entry.");
 
   /* The rest of these calls *append* to addr_policy. So don't actually
@@ -829,14 +830,16 @@
   "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
 
 /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>. If
- * cfg doesn't end in an absolute accept or reject, add the default exit
+ * cfg doesn't end in an absolute accept or reject and if
+ * <b>add_default_policy</b> is true, add the default exit
  * policy afterwards. If <b>rejectprivate</b> is true, prepend
  * "reject private:*" to the policy. Return -1 if we can't parse cfg,
  * else return 0.
  */
 int
 policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest,
-                           int rejectprivate, const char *local_address)
+                           int rejectprivate, const char *local_address,
+                           int add_default_policy)
 {
   if (rejectprivate) {
     append_exit_policy_string(dest, "reject private:*");
@@ -848,8 +851,10 @@
   }
   if (parse_addr_policy(cfg, dest, -1))
     return -1;
-  append_exit_policy_string(dest, DEFAULT_EXIT_POLICY);
-
+  if (add_default_policy)
+    append_exit_policy_string(dest, DEFAULT_EXIT_POLICY);
+  else
+    append_exit_policy_string(dest, "reject *:*");
   exit_policy_remove_redundancies(*dest);
 
   return 0;

Modified: tor/trunk/src/or/relay.c
===================================================================
--- tor/trunk/src/or/relay.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/or/relay.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -556,9 +556,9 @@
        * Don't worry about the conn protocol version:
        * append_cell_to_circuit_queue will fix it up. */
       /* XXX For now, clients don't use RELAY_EARLY cells when sending
-       * relay cells on rendezvous circuits. See bug 1038. Eventually,
-       * we can take this behavior away in favor of having clients avoid
-       * rendezvous points running 0.2.1.3-alpha through 0.2.1.18. -RD */
+       * relay cells on rendezvous circuits. See bug 1038. Once no relays
+       * (and thus no rendezvous points) are running 0.2.1.3-alpha through
+       * 0.2.1.18, we can take out that exception. -RD */
       cell.command = CELL_RELAY_EARLY;
       --origin_circ->remaining_relay_early_cells;
       log_debug(LD_OR, "Sending a RELAY_EARLY cell; %d remaining.",

Modified: tor/trunk/src/or/rendclient.c
===================================================================
--- tor/trunk/src/or/rendclient.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/or/rendclient.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -621,8 +621,9 @@
   tor_assert(circ->build_state->pending_final_cpath);
   hop = circ->build_state->pending_final_cpath;
   tor_assert(hop->dh_handshake_state);
-  if (crypto_dh_compute_secret(hop->dh_handshake_state, request, DH_KEY_LEN,
-                               keys, DIGEST_LEN+CPATH_KEY_MATERIAL_LEN)<0) {
+  if (crypto_dh_compute_secret(LOG_PROTOCOL_WARN, hop->dh_handshake_state,
+                               request, DH_KEY_LEN, keys,
+                               DIGEST_LEN+CPATH_KEY_MATERIAL_LEN)<0) {
     log_warn(LD_GENERAL, "Couldn't complete DH handshake.");
     goto err;
   }

Modified: tor/trunk/src/or/rendcommon.c
===================================================================
--- tor/trunk/src/or/rendcommon.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/or/rendcommon.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -1245,7 +1245,8 @@
   /* Decode/decrypt introduction points. */
   if (intro_content) {
     if (rend_query->auth_type != REND_NO_AUTH &&
-        rend_query->descriptor_cookie) {
+        !tor_mem_is_zero(rend_query->descriptor_cookie,
+                         sizeof(rend_query->descriptor_cookie))) {
       char *ipos_decrypted = NULL;
       size_t ipos_decrypted_size;
       if (rend_decrypt_introduction_points(&ipos_decrypted,

Modified: tor/trunk/src/or/rendservice.c
===================================================================
--- tor/trunk/src/or/rendservice.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/or/rendservice.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -1090,7 +1090,8 @@
     reason = END_CIRC_REASON_INTERNAL;
     goto err;
   }
-  if (crypto_dh_compute_secret(dh, ptr+REND_COOKIE_LEN, DH_KEY_LEN, keys,
+  if (crypto_dh_compute_secret(LOG_PROTOCOL_WARN, dh, ptr+REND_COOKIE_LEN,
+                               DH_KEY_LEN, keys,
                                DIGEST_LEN+CPATH_KEY_MATERIAL_LEN)<0) {
     log_warn(LD_BUG, "Internal error: couldn't complete DH handshake");
     reason = END_CIRC_REASON_INTERNAL;
@@ -1552,6 +1553,7 @@
     }
     for (j = 0; j < smartlist_len(responsible_dirs); j++) {
       char desc_id_base32[REND_DESC_ID_V2_LEN_BASE32 + 1];
+      char *hs_dir_ip;
       hs_dir = smartlist_get(responsible_dirs, j);
       if (smartlist_digest_isin(renddesc->successful_uploads,
                                 hs_dir->identity_digest))
@@ -1573,15 +1575,18 @@
                                               strlen(desc->desc_str), 0);
       base32_encode(desc_id_base32, sizeof(desc_id_base32),
                     desc->desc_id, DIGEST_LEN);
+      hs_dir_ip = tor_dup_ip(hs_dir->addr);
       log_info(LD_REND, "Sending publish request for v2 descriptor for "
                         "service '%s' with descriptor ID '%s' with validity "
                         "of %d seconds to hidden service directory '%s' on "
-                        "port %d.",
+                        "%s:%d.",
                safe_str(service_id),
                safe_str(desc_id_base32),
                seconds_valid,
                hs_dir->nickname,
-               hs_dir->dir_port);
+               hs_dir_ip,
+               hs_dir->or_port);
+      tor_free(hs_dir_ip);
       /* Remember successful upload to this router for next time. */
       if (!smartlist_digest_isin(successful_uploads, hs_dir->identity_digest))
         smartlist_add(successful_uploads, hs_dir->identity_digest);

Modified: tor/trunk/src/or/router.c
===================================================================
--- tor/trunk/src/or/router.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/or/router.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -590,6 +590,7 @@
     if (write_str_to_file(keydir, fingerprint_line, 0)) {
       log_err(LD_FS, "Error writing fingerprint line to file");
       tor_free(keydir);
+      tor_free(cp);
       return -1;
     }
   }
@@ -1311,7 +1312,7 @@
 
   policies_parse_exit_policy(options->ExitPolicy, &ri->exit_policy,
                              options->ExitPolicyRejectPrivate,
-                             ri->address);
+                             ri->address, !options->BridgeRelay);
 
   if (desc_routerinfo) { /* inherit values */
     ri->is_valid = desc_routerinfo->is_valid;

Modified: tor/trunk/src/test/test.c
===================================================================
--- tor/trunk/src/test/test.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/test/test.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -629,7 +629,7 @@
   line.value = (char *)policy_str;
   line.next = NULL;
 
-  r = policies_parse_exit_policy(&line, &policy, 0, NULL);
+  r = policies_parse_exit_policy(&line, &policy, 0, NULL, 1);
   test_eq(r, 0);
   summary = policy_summarize(policy);
 
@@ -675,7 +675,7 @@
           compare_addr_to_addr_policy(0xc0a80102, 2, policy));
 
   policy2 = NULL;
-  test_assert(0 == policies_parse_exit_policy(NULL, &policy2, 1, NULL));
+  test_assert(0 == policies_parse_exit_policy(NULL, &policy2, 1, NULL, 1));
   test_assert(policy2);
 
   test_assert(!exit_policy_is_general_exit(policy));
@@ -699,7 +699,7 @@
   line.key = (char*)"foo";
   line.value = (char*)"accept *:80,reject private:*,reject *:*";
   line.next = NULL;
-  test_assert(0 == policies_parse_exit_policy(&line, &policy, 0, NULL));
+  test_assert(0 == policies_parse_exit_policy(&line, &policy, 0, NULL, 1));
   test_assert(policy);
   //test_streq(policy->string, "accept *:80");
   //test_streq(policy->next->string, "reject *:*");

Modified: tor/trunk/src/test/test_crypto.c
===================================================================
--- tor/trunk/src/test/test_crypto.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/test/test_crypto.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -33,8 +33,8 @@
 
   memset(s1, 0, DH_BYTES);
   memset(s2, 0xFF, DH_BYTES);
-  s1len = crypto_dh_compute_secret(dh1, p2, DH_BYTES, s1, 50);
-  s2len = crypto_dh_compute_secret(dh2, p1, DH_BYTES, s2, 50);
+  s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p2, DH_BYTES, s1, 50);
+  s2len = crypto_dh_compute_secret(LOG_WARN, dh2, p1, DH_BYTES, s2, 50);
   test_assert(s1len > 0);
   test_eq(s1len, s2len);
   test_memeq(s1, s2, s1len);
@@ -455,6 +455,7 @@
   strlcat(data1, " 2nd string that contains 35 chars.", 1024);
 
   i = base64_encode(data2, 1024, data1, 71);
+  test_assert(i >= 0);
   j = base64_decode(data3, 1024, data2, i);
   test_eq(j, 71);
   test_streq(data3, data1);

Modified: tor/trunk/src/test/test_dir.c
===================================================================
--- tor/trunk/src/test/test_dir.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/test/test_dir.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -837,7 +837,7 @@
   rs->published_on = now-1000;
   strlcpy(rs->nickname, "router4", sizeof(rs->nickname));
   memset(rs->identity_digest, 34, DIGEST_LEN);
-  memset(rs->descriptor_digest, 48, DIGEST_LEN);
+  memset(rs->descriptor_digest, 47, DIGEST_LEN);
   rs->addr = 0xC0000203;
   rs->or_port = 500;
   rs->dir_port = 1999;

Modified: tor/trunk/src/test/test_util.c
===================================================================
--- tor/trunk/src/test/test_util.c	2009-11-06 08:39:26 UTC (rev 20912)
+++ tor/trunk/src/test/test_util.c	2009-11-06 20:28:07 UTC (rev 20913)
@@ -88,7 +88,7 @@
 test_util_config_line(void)
 {
   char buf[1024];
-  char *k, *v;
+  char *k=NULL, *v=NULL;
   const char *str;
 
   /* Test parse_config_line_from_str */
@@ -161,7 +161,8 @@
   tor_free(k); tor_free(v);
   test_streq(str, "");
  done:
-  ;
+  tor_free(k);
+  tor_free(v);
 }
 
 /** Test basic string functionality. */