Merge remote-tracking branch 'origin/maint-0.2.4' into release-0.2.4

17 files changed, 296 insertions, 138 deletions

diff --git a/changes/bug10849_023 b/changes/bug10849_023
new file mode 100644
index 0000000000..480dea3de0
--- /dev/null
+++ b/changes/bug10849_023
@@ -0,0 +1,6 @@
+  o Major bugfixes:
+    - When running a hidden service, do not allow TunneledDirConns 0;
+      this will keep the hidden service from running, and also
+      make it publish its descriptors directly over HTTP. Fixes bug 10849;
+      bugfix on 0.2.1.1-alpha.
+
diff --git a/changes/bug11513 b/changes/bug11513
new file mode 100644
index 0000000000..820c02605f
--- /dev/null
+++ b/changes/bug11513
@@ -0,0 +1,12 @@
+  o Major bugfixes:
+    - Generate the server's preference list for ciphersuites
+      automatically based on uniform criteria, and considering all
+      OpenSSL ciphersuites with acceptable strength and forward
+      secrecy. (The sort order is: prefer AES to 3DES; break ties by
+      preferring ECDHE to DHE; break ties by preferring GCM to CBC;
+      break ties by preferring SHA384 to SHA256 to SHA1; and finally,
+      break ties by preferring AES256 to AES128.) This resolves bugs
+      #11513, #11492, #11498, #11499. Bugs reported by 'cypherpunks'.
+      Bugfix on 0.2.4.8-alpha.
+
+
diff --git a/changes/bug11553 b/changes/bug11553
new file mode 100644
index 0000000000..1540f4642f
--- /dev/null
+++ b/changes/bug11553
@@ -0,0 +1,5 @@
+  o Minor features:
+    - When we run out of usable circuit IDs on a channel, log only one
+      warning for the whole channel, and include a description of
+      how many circuits there were on the channel. Fix for part of ticket
+      #11553.
diff --git a/changes/bug7164_downgrade b/changes/bug7164_downgrade
new file mode 100644
index 0000000000..4d75586bb1
--- /dev/null
+++ b/changes/bug7164_downgrade
@@ -0,0 +1,6 @@
+  o Minor bugfixes:
+    - Downgrade the warning severity for the the "md was still referenced 1
+      node(s)" warning. Tor 0.2.5.4-alpha has better code for trying to
+      diagnose this bug, and the current warning in earlier versions of
+      tor achieves nothing useful. Addresses warning from bug 7164.
+
diff --git a/changes/bug9686_024 b/changes/bug9686_024
new file mode 100644
index 0000000000..8705379d32
--- /dev/null
+++ b/changes/bug9686_024
@@ -0,0 +1,5 @@
+  o Minor features (security):
+    - Decrease the lower limit of MaxMemInCellQueues to 256 MBytes (but leave
+      the default at 8GBytes), to better support Raspberry Pi users. Fixes
+      bug 9686; bugfix on 0.2.4.14-alpha.
+
diff --git a/changes/ff28_ciphers b/changes/ff28_ciphers
new file mode 100644
index 0000000000..05eb4e9bcc
--- /dev/null
+++ b/changes/ff28_ciphers
@@ -0,0 +1,6 @@
+  o Minor features (performance, compatibility):
+    - Update the list of TLS cipehrsuites that a client advertises
+      to match those advertised by Firefox 28. This enables selection of
+      (fast) GCM ciphersuites, disables some strange old ciphers, and
+      disables the ECDH (not to be confused with ECDHE) ciphersuites.
+      Resolves ticket 11438.
diff --git a/changes/md_leak_bug b/changes/md_leak_bug
new file mode 100644
index 0000000000..26270aacc3
--- /dev/null
+++ b/changes/md_leak_bug
@@ -0,0 +1,5 @@
+  o Major bugfixes (security, OOM)
+    - Fix a memory leak that could occur if a microdescriptor parse
+      fails during the tokenizing step. This could enable a memory
+      exhaustion attack by directory servers. Fixes bug #11649; bugfix
+      on 0.2.2.6-alpha.
diff --git a/changes/ticket11528 b/changes/ticket11528
new file mode 100644
index 0000000000..15daad9950
--- /dev/null
+++ b/changes/ticket11528
@@ -0,0 +1,6 @@
+  o Minor features:
+    - Servers now trust themselves to have a better view than clients of
+      which TLS ciphersuites to choose. (Thanks to #11513, the server
+      list is now well-considered, whereas the client list has been
+      chosen mainly for anti-fingerprinting purposes.) Resolves ticket
+      11528.
diff --git a/src/common/ciphers.inc b/src/common/ciphers.inc
index 137d78b117..ab4ac40724 100644
--- a/src/common/ciphers.inc
+++ b/src/common/ciphers.inc
@@ -4,86 +4,51 @@
  *
  * This file was automatically generated by get_mozilla_ciphers.py.
  */
-#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
-    CIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
-#else
-   XCIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
-#endif
-#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
-    CIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
-#else
-   XCIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
-#endif
-#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
-    CIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
-#else
-   XCIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
-#endif
-#ifdef TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
-    CIPHER(0x0087, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA)
+#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+    CIPHER(0xc02b, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
 #else
-   XCIPHER(0x0087, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA)
+   XCIPHER(0xc02b, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
 #endif
-#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
-    CIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
+#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+    CIPHER(0xc02f, TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
 #else
-   XCIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
+   XCIPHER(0xc02f, TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
 #endif
-#ifdef TLS1_TXT_DHE_DSS_WITH_AES_256_SHA
-    CIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
+#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+    CIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
 #else
-   XCIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
+   XCIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
 #endif
-#ifdef TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA
-    CIPHER(0xc00f, TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA)
+#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+    CIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
 #else
-   XCIPHER(0xc00f, TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA)
+   XCIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
 #endif
-#ifdef TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA
-    CIPHER(0xc005, TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA)
+#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
+    CIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA)
 #else
-   XCIPHER(0xc005, TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA)
+   XCIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA)
 #endif
-#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA
-    CIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
+#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
+    CIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
 #else
-   XCIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
+   XCIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
 #endif
-#ifdef TLS1_TXT_RSA_WITH_AES_256_SHA
-    CIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
+#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
+    CIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
 #else
-   XCIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
+   XCIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
 #endif
 #ifdef TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA
     CIPHER(0xc007, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA)
 #else
    XCIPHER(0xc007, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA)
 #endif
-#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
-    CIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
-#else
-   XCIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
-#endif
 #ifdef TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA
     CIPHER(0xc011, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA)
 #else
    XCIPHER(0xc011, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA)
 #endif
-#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
-    CIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA)
-#else
-   XCIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA)
-#endif
-#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
-    CIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
-#else
-   XCIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
-#endif
-#ifdef TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
-    CIPHER(0x0044, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA)
-#else
-   XCIPHER(0x0044, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA)
-#endif
 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA
     CIPHER(0x0033, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA)
 #else
@@ -94,89 +59,63 @@
 #else
    XCIPHER(0x0032, TLS1_TXT_DHE_DSS_WITH_AES_128_SHA)
 #endif
-#ifdef TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA
-    CIPHER(0xc00c, TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA)
-#else
-   XCIPHER(0xc00c, TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA)
-#endif
-#ifdef TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA
-    CIPHER(0xc00e, TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA)
-#else
-   XCIPHER(0xc00e, TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA)
-#endif
-#ifdef TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA
-    CIPHER(0xc002, TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA)
-#else
-   XCIPHER(0xc002, TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA)
-#endif
-#ifdef TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA
-    CIPHER(0xc004, TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA)
+#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
+    CIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
 #else
-   XCIPHER(0xc004, TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA)
+   XCIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
 #endif
-#ifdef TLS1_TXT_RSA_WITH_SEED_SHA
-    CIPHER(0x0096, TLS1_TXT_RSA_WITH_SEED_SHA)
+#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
+    CIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
 #else
-   XCIPHER(0x0096, TLS1_TXT_RSA_WITH_SEED_SHA)
+   XCIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
 #endif
-#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA
-    CIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
+#ifdef TLS1_TXT_DHE_DSS_WITH_AES_256_SHA
+    CIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
 #else
-   XCIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
+   XCIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
 #endif
-#ifdef SSL3_TXT_RSA_RC4_128_MD5
-    CIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
+#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
+    CIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
 #else
-   XCIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
+   XCIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
 #endif
-#ifdef SSL3_TXT_RSA_RC4_128_SHA
-    CIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
+#ifdef SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA
+    CIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
 #else
-   XCIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
+   XCIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
 #endif
 #ifdef TLS1_TXT_RSA_WITH_AES_128_SHA
     CIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA)
 #else
    XCIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA)
 #endif
-#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA
-    CIPHER(0xc008, TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA)
-#else
-   XCIPHER(0xc008, TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA)
-#endif
-#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
-    CIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
-#else
-   XCIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
-#endif
-#ifdef SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA
-    CIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
+#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA
+    CIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
 #else
-   XCIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
+   XCIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
 #endif
-#ifdef SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA
-    CIPHER(0x0013, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA)
+#ifdef TLS1_TXT_RSA_WITH_AES_256_SHA
+    CIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
 #else
-   XCIPHER(0x0013, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA)
+   XCIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
 #endif
-#ifdef TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA
-    CIPHER(0xc00d, TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA)
+#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA
+    CIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
 #else
-   XCIPHER(0xc00d, TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA)
+   XCIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
 #endif
-#ifdef TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA
-    CIPHER(0xc003, TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA)
+#ifdef SSL3_TXT_RSA_DES_192_CBC3_SHA
+    CIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
 #else
-   XCIPHER(0xc003, TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA)
+   XCIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
 #endif
-/* No openssl macro found for 0xfeff */
-#ifdef SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
-    CIPHER(0xfeff, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA)
+#ifdef SSL3_TXT_RSA_RC4_128_SHA
+    CIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
 #else
-   XCIPHER(0xfeff, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA)
+   XCIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
 #endif
-#ifdef SSL3_TXT_RSA_DES_192_CBC3_SHA
-    CIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
+#ifdef SSL3_TXT_RSA_RC4_128_MD5
+    CIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
 #else
-   XCIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
+   XCIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
 #endif
diff --git a/src/common/gen_server_ciphers.py b/src/common/gen_server_ciphers.py
new file mode 100755
index 0000000000..97ed9d0469
--- /dev/null
+++ b/src/common/gen_server_ciphers.py
@@ -0,0 +1,115 @@
+#!/usr/bin/python
+# Copyright 2014, The Tor Project, Inc
+# See LICENSE for licensing information
+
+# This script parses openssl headers to find ciphersuite names, determines
+# which ones we should be willing to use as a server, and sorts them according
+# to preference rules.
+#
+# Run it on all the files in your openssl include directory.
+
+import re
+import sys
+
+EPHEMERAL_INDICATORS = [ "_EDH_", "_DHE_", "_ECDHE_" ]
+BAD_STUFF = [ "_DES_40_", "MD5", "_RC4_", "_DES_64_",
+              "_SEED_", "_CAMELLIA_", "_NULL" ]
+
+# these never get #ifdeffed.
+MANDATORY = [
+    "TLS1_TXT_DHE_RSA_WITH_AES_256_SHA",
+    "TLS1_TXT_DHE_RSA_WITH_AES_128_SHA",
+    "SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA",
+]
+
+def find_ciphers(filename):
+    with open(filename) as f:
+        for line in f:
+            m = re.search(r'(?:SSL3|TLS1)_TXT_\w+', line)
+            if m:
+                yield m.group(0)
+
+def usable_cipher(ciph):
+    ephemeral = False
+    for e in EPHEMERAL_INDICATORS:
+        if e in ciph:
+            ephemeral = True
+    if not ephemeral:
+        return False
+
+    if "_RSA_" not in ciph:
+        return False
+
+    for b in BAD_STUFF:
+        if b in ciph:
+            return False
+    return True
+
+# All fields we sort on, in order of priority.
+FIELDS = [ 'cipher', 'fwsec', 'mode',  'digest', 'bitlength' ]
+# Map from sorted fields to recognized value in descending order of goodness
+FIELD_VALS = { 'cipher' : [ 'AES', 'DES'],
+               'fwsec' : [ 'ECDHE', 'DHE' ],
+               'mode' : [ 'GCM', 'CBC' ],
+               'digest' : [ 'SHA384', 'SHA256', 'SHA' ],
+               'bitlength' : [ '256', '128', '192' ],
+}
+
+class Ciphersuite(object):
+    def __init__(self, name, fwsec, cipher, bitlength, mode, digest):
+        self.name = name
+        self.fwsec = fwsec
+        self.cipher = cipher
+        self.bitlength = bitlength
+        self.mode = mode
+        self.digest = digest
+
+        for f in FIELDS:
+            assert(getattr(self, f) in FIELD_VALS[f])
+
+    def sort_key(self):
+        return tuple(FIELD_VALS[f].index(getattr(self,f)) for f in FIELDS)
+
+
+def parse_cipher(ciph):
+    m = re.match('(?:TLS1|SSL3)_TXT_(EDH|DHE|ECDHE)_RSA(?:_WITH)?_(AES|DES)_(256|128|192)(|_CBC|_CBC3|_GCM)_(SHA|SHA256|SHA384)$', ciph)
+
+    if not m:
+        print "/* Couldn't parse %s ! */"%ciph
+        return None
+
+    fwsec, cipher, bits, mode, digest = m.groups()
+    if fwsec == 'EDH':
+        fwsec = 'DHE'
+
+    if mode in [ '_CBC3', '_CBC', '' ]:
+        mode = 'CBC'
+    elif mode == '_GCM':
+        mode = 'GCM'
+
+    return Ciphersuite(ciph, fwsec, cipher, bits, mode, digest)
+
+ALL_CIPHERS = []
+
+for fname in sys.argv[1:]:
+    ALL_CIPHERS += (parse_cipher(c)
+                           for c in find_ciphers(fname)
+                           if usable_cipher(c) )
+
+ALL_CIPHERS.sort(key=Ciphersuite.sort_key)
+
+for c in ALL_CIPHERS:
+    if c is ALL_CIPHERS[-1]:
+        colon = ';'
+    else:
+        colon = ' ":"'
+
+    if c.name in MANDATORY:
+        print "       /* Required */"
+        print '       %s%s'%(c.name,colon)
+    else:
+        print "#ifdef %s"%c.name
+        print '       %s%s'%(c.name,colon)
+        print "#endif"
+
+
diff --git a/src/common/get_mozilla_ciphers.py b/src/common/get_mozilla_ciphers.py
index c7e9a84a0e..0636eb3658 100644
--- a/src/common/get_mozilla_ciphers.py
+++ b/src/common/get_mozilla_ciphers.py
@@ -41,12 +41,12 @@ fileA = open(ff('security/manager/ssl/src/nsNSSComponent.cpp'),'r')
 inCipherSection = False
 cipherLines = []
 for line in fileA:
-    if line.startswith('static CipherPref CipherPrefs'):
+    if line.startswith('static const CipherPref sCipherPrefs[]'):
         # Get the starting boundary of the Cipher Preferences
         inCipherSection = True
     elif inCipherSection:
         line = line.strip()
-        if line.startswith('{NULL, 0}'):
+        if line.startswith('{ nullptr, 0}'):
             # At the ending boundary of the Cipher Prefs
             break
         else:
@@ -56,12 +56,30 @@ fileA.close()
 # Parse the lines and put them into a dict
 ciphers = {}
 cipher_pref = {}
+key_pending = None
 for line in cipherLines:
-    m = re.search(r'^{\s*\"([^\"]+)\",\s*(\S*)\s*}', line)
+    m = re.search(r'^{\s*\"([^\"]+)\",\s*(\S+)\s*(?:,\s*(true|false))?\s*}', line)
     if m:
-        key,value = m.groups()
-        ciphers[key] = value
-        cipher_pref[value] = key
+        assert not key_pending
+        key,value,enabled = m.groups()
+        if enabled == 'true':
+            ciphers[key] = value
+            cipher_pref[value] = key
+        continue
+    m = re.search(r'^{\s*\"([^\"]+)\",', line)
+    if m:
+        assert not key_pending
+        key_pending = m.group(1)
+        continue
+    m = re.search(r'^\s*(\S+)(?:,\s*(true|false))?\s*}', line)
+    if m:
+        assert key_pending
+        key = key_pending
+        value,enabled = m.groups()
+        key_pending = None
+        if enabled == 'true':
+            ciphers[key] = value
+            cipher_pref[value] = key
 
 ####
 # Now find the correct order for the ciphers
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 886ee0ddac..8f3f6a7130 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -714,31 +714,47 @@ tor_tls_create_certificate(crypto_pk_t *rsa,
 /** List of ciphers that servers should select from when we actually have
  * our choice of what cipher to use. */
 const char UNRESTRICTED_SERVER_CIPHER_LIST[] =
-#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CHC_SHA
-       TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA ":"
-#endif
+  /* This list is autogenerated with the gen_server_ciphers.py script;
+   * don't hand-edit it. */
 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ":"
 #endif
+#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+       TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
+#endif
+#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384
+       TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384 ":"
+#endif
 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256
        TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256 ":"
 #endif
+#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
+       TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA ":"
+#endif
 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
        TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA ":"
 #endif
-#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-       TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384
+       TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384 ":"
+#endif
+#ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
+       TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256 ":"
 #endif
-//#if TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA
-//    TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA ":"
-//#endif
-  /* These next two are mandatory. */
-  TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
-  TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"
+#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256
+       TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256 ":"
+#endif
+#ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256
+       TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256 ":"
+#endif
+       /* Required */
+       TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
+       /* Required */
+       TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"
 #ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
        TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA ":"
 #endif
-  SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA;
+       /* Required */
+       SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA;
 
 /* Note: to set up your own private testing network with link crypto
  * disabled, set your Tors' cipher list to
@@ -1261,6 +1277,10 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
     goto error;
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
 
+  /* Prefer the server's ordering of ciphers: the client's ordering has
+  * historically been chosen for fingerprinting resistance. */
+  SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+
   /* Disable TLS1.1 and TLS1.2 if they exist.  We need to do this to
    * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
    * June 2012), wherein renegotiating while using one of these TLS
diff --git a/src/or/channel.h b/src/or/channel.h
index 2dca81705f..29ba40e326 100644
--- a/src/or/channel.h
+++ b/src/or/channel.h
@@ -148,6 +148,8 @@ struct channel_s {
   ENUM_BF(circ_id_type_t) circ_id_type:2;
   /** DOCDOC*/
   unsigned wide_circ_ids:1;
+  /** Have we logged a warning about circID exhaustion on this channel? */
+  unsigned warned_circ_ids_exhausted:1;
   /*
    * Which circ_id do we try to use next on this connection?  This is
    * always in the range 0..1<<15-1.
diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
index e47a2780af..2b4d3c3118 100644
--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -127,7 +127,14 @@ get_unique_circ_id_by_chan(channel_t *chan)
       /* Make sure we don't loop forever if all circ_id's are used. This
        * matters because it's an external DoS opportunity.
        */
-      log_warn(LD_CIRC,"No unused circ IDs. Failing.");
+      if (! chan->warned_circ_ids_exhausted) {
+        chan->warned_circ_ids_exhausted = 1;
+        log_warn(LD_CIRC,"No unused circIDs found on channel %s wide "
+                 "circID support, with %u inbound and %u outbound circuits. "
+                 "Failing a circuit.",
+                 chan->wide_circ_ids ? "with" : "without",
+                 chan->num_p_circuits, chan->num_n_circuits);
+      }
       return 0;
     }
     test_circ_id |= high_bit;
diff --git a/src/or/config.c b/src/or/config.c
index ef02946267..09fdc0c493 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -2616,10 +2616,10 @@ options_validate(or_options_t *old_options, or_options_t *options,
     REJECT("If EntryNodes is set, UseEntryGuards must be enabled.");
   }
 
-  if (options->MaxMemInCellQueues < (500 << 20)) {
-    log_warn(LD_CONFIG, "MaxMemInCellQueues must be at least 500 MB for now. "
+  if (options->MaxMemInCellQueues < (256 << 20)) {
+    log_warn(LD_CONFIG, "MaxMemInCellQueues must be at least 256 MB for now. "
              "Ideally, have it as large as you can afford.");
-    options->MaxMemInCellQueues = (500 << 20);
+    options->MaxMemInCellQueues = (256 << 20);
   }
 
   options->AllowInvalid_ = 0;
@@ -3062,6 +3062,10 @@ options_validate(or_options_t *old_options, or_options_t *options,
     REJECT("If you set UseBridges, you must specify at least one bridge.");
   if (options->UseBridges && !options->TunnelDirConns)
     REJECT("If you set UseBridges, you must set TunnelDirConns.");
+  if (options->RendConfigLines &&
+      (!options->TunnelDirConns || !options->PreferTunneledDirConns))
+    REJECT("If you are running a hidden service, you must set TunnelDirConns "
+           "and PreferTunneledDirConns");
 
   for (cl = options->Bridges; cl; cl = cl->next) {
     if (parse_bridge_line(cl->value, 1)<0)
diff --git a/src/or/microdesc.c b/src/or/microdesc.c
index 90ac0ac649..0e72c0b89b 100644
--- a/src/or/microdesc.c
+++ b/src/or/microdesc.c
@@ -614,7 +614,7 @@ microdesc_free_(microdesc_t *md, const char *fname, int lineno)
         }
       });
     if (found) {
-      log_warn(LD_BUG, "microdesc_free() called from %s:%d, but md was still "
+      log_info(LD_BUG, "microdesc_free() called from %s:%d, but md was still "
                "referenced %d node(s); held_by_nodes == %u",
                fname, lineno, found, md->held_by_nodes);
     } else {
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index a9c711be05..01f65f262b 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -4374,11 +4374,13 @@ microdescs_parse_from_string(const char *s, const char *eos,
     microdesc_free(md);
     md = NULL;
 
+    SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
     memarea_clear(area);
     smartlist_clear(tokens);
     s = start_of_next_microdesc;
   }
 
+  SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
   memarea_drop_all(area);
   smartlist_free(tokens);