Changes in version 0.2.1.1-alpha - 2008-??-??
  o Major bugfixes:
    - Fix assertion failure that could occur when a blocked circuit became unblocked, and it had pending client DNS requests. Bugfix on 0.2.0.1-alpha. Fixes bug 632.

  o Minor bugfixes:
    - Stop giving double-close warn when we reject an address for client DNS.
    - On Windows, correctly detect errors when listing the contents of a directory. Fix from lodger. (Bugfix on 0.1.2.x.)
    - Fix the implementation of ClientDNSRejectInternalAddresses so that it actually works, and doesn't warn about every single reverse lookup. Fixes the other part of bug 617. Bugfix on 0.2.0.1-alpha.
    - Keep address policies from leaking: start their refcount at 1, not 2. Bugfix on 0.2.0.16-alpha.
    - Free authority certificates on exit, so they don't look like memory leaks. Bugfix on 0.2.0.19-alpha.
    - Free static hashtables for policy maps and for TLS connections on shutdown, so they don't look like memory leaks. Bugfix on 0.2.0.x.
    - Make relay cells written on a connection count as non-padding when tracking how long a connection has been in use. Bugfix on 0.2.0.1-alpha. Spotted by lodger.
    - Reduce the default smartlist size from 32 to 16; it turns out that most smartlists hold around 8-12 elements tops.
    - Avoid allocating extra space when computing consensuses on 64-bit platforms. Bug spotted by aakova.
    - Use recursive pthread mutexes in order to avoid deadlock when logging debug-level messages to a controller. Bug spotted by nwf, bugfix on 0.2.0.16-alpha.
    - Warn less verbosely about clock skew from netinfo cells from untrusted sources. Fixes bug 663.
    - Non-exit relays no longer allow DNS requests. Fixes bug 619. Patch from Lodger.
    - Make controller stream events for DNS requests more consistent, by adding "new stream" events for DNS requests, and removing spurious "stream closed" events for cached reverse resolves. Patch from mwenge. Fixes bug 646.
    - Correctly notify one-hop connections when a circuit build has failed. Possible fix for bug 669. Found by lodger.
    - When we choose to abandon a new entry guard because we think our older ones might be better, close any circuits pending on that new entry guard connection. Bugfix on 0.1.2.8-beta; found by lodger.
    - Detect address changes correctly on non-directory mirror servers. Fix for bug 652.
    - Authorities correctly free policies on bad servers on exit. Fixes bug 672.

  o Minor features:
    - Allow separate log levels to be configured for different logging domains. For example, this allows one to log all notices, warnings, or errors, plus all memory management messages of level debug or higher, with: Log [MM] debug-err [*] notice-err file /var/log/tor.
    - Add a malloc_good_size implementation to OpenBSD_malloc_linux.c, to avoid unused RAM in buffer chunks and memory pools.
    - Downgrade "sslv3 alert handshake failure" message to INFO.
    - Add a couple of extra warnings to --enable-gcc-warnings for GCC 4.3, and stop using a warning that had become unfixably verbose under GCC 4.3.
    - Start using OpenSSL's RAND_poll() for better (and more portable) cross-platform entropy collection again. We used to use it, then stopped using it because of a bug that could crash systems that called RAND_poll when they had a lot of fds open. It looks like the bug got fixed in late 2006. Our new behavior is to call RAND_poll() at startup, and to call RAND_poll() when we reseed later only if we have a non-buggy OpenSSL version.
    - Speed up parsing and cut down on memory fragmentation by using stack-style allocations for parsing directory objects. Previously, this accounted for over 40% of allocations from within Tor's code on a typical directory cache.
    - Lots of new unit tests.
    - New --hush command-line option similar to --quiet. While --quiet disables all logging to the console on startup, --hush limits the output to messages of warning and error severity.
    - Use a Bloom filter rather than a digest-based set to track which descriptors we need to keep around when we're cleaning out old router descriptors. This speeds up the computation significantly, and may reduce fragmentation.
    - Make dumpstats() log the fullness and size of openssl-internal buffers.
    - Servers support a new URL scheme for consensus downloads that allows the client to specify which authorities are trusted. The server then only sends the consensus if the client will trust it. Otherwise a 404 error is sent back. Clients use this new scheme when the server supports it.
    - Add a new V3AuthUseLegacyKey option to make it easier for authorities to change their identity keys if they have to.

  o Minor features (security):
    - Reject requests for reverse-dns lookup of names in a private address space. Patch from Lodger.

  o Code simplifications and refactoring:
    - Refactor code using connection_ap_handshake_attach_circuit() to allow that function to mark connections for close. Part of a fix for bug 617. Bugfix on 0.2.0.1-alpha.
    - Add a macro to implement the common pattern of iterating through two parallel lists in lockstep.


Changes in version 0.2.0.25-rc - 2008-04-23
  Tor 0.2.0.25-rc makes Tor work again on OS X and certain BSDs.

  o Major bugfixes:
    - Remember to initialize threading before initializing logging. Otherwise, many BSD-family implementations will crash hard on startup. Fixes bug 671. Bugfix on 0.2.0.24-rc.

  o Minor bugfixes:
    - Authorities correctly free policies on bad servers on exit. Fixes bug 672. Bugfix on 0.2.0.x.


Changes in version 0.2.0.24-rc - 2008-04-22
  Tor 0.2.0.24-rc adds dizum (run by Alex de Joode) as the new sixth v3 directory authority, makes relays with dynamic IP addresses and no DirPort notice more quickly when their IP address changes, fixes a few rare crashes and memory leaks, and fixes a few other miscellaneous bugs.
  o New directory authorities:
    - Take lefkada out of the list of v3 directory authorities, since it has been down for months.
    - Set up dizum (run by Alex de Joode) as the new sixth v3 directory authority.

  o Major bugfixes:
    - Detect address changes more quickly on non-directory mirror relays. Bugfix on 0.2.0.18-alpha; fixes bug 652.

  o Minor features (security):
    - Reject requests for reverse-dns lookup of names that are in a private address space. Patch from lodger.
    - Non-exit relays no longer allow DNS requests. Fixes bug 619. Patch from lodger.

  o Minor bugfixes (crashes):
    - Avoid a rare assert that can trigger when Tor doesn't have much directory information yet and it tries to fetch a v2 hidden service descriptor. Fixes bug 651, reported by nwf.
    - Initialize log mutex before initializing dmalloc. Otherwise, running with dmalloc would crash. Bugfix on 0.2.0.x-alpha.
    - Use recursive pthread mutexes in order to avoid deadlock when logging debug-level messages to a controller. Bug spotted by nwf, bugfix on 0.2.0.16-alpha.

  o Minor bugfixes (resource management):
    - Keep address policies from leaking memory: start their refcount at 1, not 2. Bugfix on 0.2.0.16-alpha.
    - Free authority certificates on exit, so they don't look like memory leaks. Bugfix on 0.2.0.19-alpha.
    - Free static hashtables for policy maps and for TLS connections on shutdown, so they don't look like memory leaks. Bugfix on 0.2.0.x.
    - Avoid allocating extra space when computing consensuses on 64-bit platforms. Bug spotted by aakova.

  o Minor bugfixes (misc):
    - Do not read the configuration file when we've only been told to generate a password hash. Fixes bug 643. Bugfix on 0.0.9pre5. Fix based on patch from Sebastian Hahn.
    - Exit relays that are used as a client can now reach themselves using the .exit notation, rather than just launching an infinite pile of circuits. Fixes bug 641. Reported by Sebastian Hahn.
    - When attempting to open a logfile fails, tell us why.
    - Fix a dumb bug that was preventing us from knowing that we should preemptively build circuits to handle expected directory requests. Fixes bug 660. Bugfix on 0.1.2.x.
    - Warn less verbosely about clock skew from netinfo cells from untrusted sources. Fixes bug 663.
    - Make controller stream events for DNS requests more consistent, by adding "new stream" events for DNS requests, and removing spurious "stream closed" events for cached reverse resolves. Patch from mwenge. Fixes bug 646.
    - Correctly notify one-hop connections when a circuit build has failed. Possible fix for bug 669. Found by lodger.


Changes in version 0.2.0.23-rc - 2008-03-24
  Tor 0.2.0.23-rc is the fourth release candidate for the 0.2.0 series. It makes bootstrapping faster if the first directory mirror you contact is down. The bundles also include the new Vidalia 0.1.2 release.

  o Major bugfixes:
    - When a tunneled directory request is made to a directory server that's down, notice after 30 seconds rather than 120 seconds. Also, fail any begindir streams that are pending on it, so they can retry elsewhere. This was causing multi-minute delays on bootstrap.


Changes in version 0.2.0.22-rc - 2008-03-18
  Tor 0.2.0.22-rc is the third release candidate for the 0.2.0 series. It enables encrypted directory connections by default for non-relays, fixes some broken TLS behavior we added in 0.2.0.20-rc, and resolves many other bugs. The bundles also include Vidalia 0.1.1 and Torbutton 1.1.17.

  o Major features:
    - Enable encrypted directory connections by default for non-relays, so censor tools that block Tor directory connections based on their plaintext patterns will no longer work. This means Tor works in certain censored countries by default again.

  o Major bugfixes:
    - Make sure servers always request certificates from clients during TLS renegotiation. Reported by lodger; bugfix on 0.2.0.20-rc.
    - Do not enter a CPU-eating loop when a connection is closed in the middle of client-side TLS renegotiation. Fixes bug 622. Bug diagnosed by lodger; bugfix on 0.2.0.20-rc.
    - Fix assertion failure that could occur when a blocked circuit became unblocked, and it had pending client DNS requests. Bugfix on 0.2.0.1-alpha. Fixes bug 632.

  o Minor bugfixes (on 0.1.2.x):
    - Generate "STATUS_SERVER" events rather than misspelled "STATUS_SEVER" events. Caught by mwenge.
    - When counting the number of bytes written on a TLS connection, look at the BIO actually used for writing to the network, not at the BIO used (sometimes) to buffer data for the network. Looking at different BIOs could result in write counts on the order of ULONG_MAX. Fixes bug 614.
    - On Windows, correctly detect errors when listing the contents of a directory. Fix from lodger.

  o Minor bugfixes (on 0.2.0.x):
    - Downgrade "sslv3 alert handshake failure" message to INFO.
    - If we set RelayBandwidthRate and RelayBandwidthBurst very high but left BandwidthRate and BandwidthBurst at the default, we would be silently limited by those defaults. Now raise them to match the RelayBandwidth* values.
    - Fix the SVK version detection logic to work correctly on a branch.
    - Make --enable-openbsd-malloc work correctly on Linux with alpha CPUs. Fixes bug 625.
    - Logging functions now check that the passed severity is sane.
    - Use proper log levels in the testsuite call of get_interface_address6().
    - When using a nonstandard malloc, do not use the platform values for HAVE_MALLOC_GOOD_SIZE or HAVE_MALLOC_USABLE_SIZE.
    - Make the openbsd malloc code use 8k pages on alpha CPUs and 16k pages on ia64.
    - Detect mismatched page sizes when using --enable-openbsd-malloc.
    - Avoid double-marked-for-close warning when certain kinds of invalid .in-addr.arpa addresses are passed to the DNSPort. Part of a fix for bug 617. Bugfix on 0.2.0.1-alpha.
    - Make sure that the "NULL-means-reject *:*" convention is followed by all the policy manipulation functions, avoiding some possible crash bugs. Bug found by lodger. Bugfix on 0.2.0.16-alpha.
    - Fix the implementation of ClientDNSRejectInternalAddresses so that it actually works, and doesn't warn about every single reverse lookup. Fixes the other part of bug 617. Bugfix on 0.2.0.1-alpha.

  o Minor features:
    - Only log guard node status when guard node status has changed.
    - Downgrade the 3 most common "INFO" messages to "DEBUG". This will make "INFO" 75% less verbose.


Changes in version 0.2.0.21-rc - 2008-03-02
  Tor 0.2.0.21-rc is the second release candidate for the 0.2.0 series. It makes Tor work well with Vidalia again, fixes a rare assert bug, and fixes a pair of more minor bugs. The bundles also include Vidalia 0.1.0 and Torbutton 1.1.16.

  o Major bugfixes:
    - The control port should declare that it requires password auth when HashedControlSessionPassword is set too. Patch from Matt Edman; bugfix on 0.2.0.20-rc. Fixes bug 615.
    - Downgrade assert in connection_buckets_decrement() to a log message. This may help us solve bug 614, and in any case will make its symptoms less severe. Bugfix on 0.2.0.20-rc. Reported by fredzupy.
    - We were sometimes miscounting the number of bytes read from the network, causing our rate limiting to not be followed exactly. Bugfix on 0.2.0.16-alpha. Reported by lodger.

  o Minor bugfixes:
    - Fix compilation with OpenSSL 0.9.8 and 0.9.8a. All other supported OpenSSL versions should have been working fine. Diagnosis and patch from lodger, Karsten Loesing and Sebastian Hahn. Fixes bug 616. Bugfix on 0.2.0.20-rc.


Changes in version 0.2.0.20-rc - 2008-02-24
  Tor 0.2.0.20-rc is the first release candidate for the 0.2.0 series. It makes more progress towards normalizing Tor's TLS handshake, makes hidden services work better again, helps relays bootstrap if they don't know their IP address, adds optional support for linking in openbsd's allocator or tcmalloc, allows really fast relays to scale past 15000 sockets, and fixes a bunch of minor bugs reported by Veracode.
  o Major features:
    - Enable the revised TLS handshake based on the one designed by Steven Murdoch in proposal 124, as revised in proposal 130. It includes version negotiation for OR connections as described in proposal 105. The new handshake is meant to be harder for censors to fingerprint, and it adds the ability to detect certain kinds of man-in-the-middle traffic analysis attacks. The version negotiation feature will allow us to improve Tor's link protocol more safely in the future.
    - Choose which bridge to use proportional to its advertised bandwidth, rather than uniformly at random. This should speed up Tor for bridge users. Also do this for people who set StrictEntryNodes.
    - When a TrackHostExits-chosen exit fails too many times in a row, stop using it. Bugfix on 0.1.2.x; fixes bug 437.

  o Major bugfixes:
    - Resolved problems with (re-)fetching hidden service descriptors. Patch from Karsten Loesing; fixes problems with 0.2.0.18-alpha and 0.2.0.19-alpha.
    - If we only ever used Tor for hidden service lookups or posts, we would stop building circuits and start refusing connections after 24 hours, since we falsely believed that Tor was dormant. Reported by nwf; bugfix on 0.1.2.x.
    - Servers that don't know their own IP address should go to the authorities for their first directory fetch, even if their DirPort is off or if they don't know they're reachable yet. This will help them bootstrap better. Bugfix on 0.2.0.18-alpha; fixes bug 609.
    - When counting the number of open sockets, count not only the number of sockets we have received from the socket() call, but also the number we've gotten from accept() and socketpair(). This bug made us fail to count all sockets that we were using for incoming connections. Bugfix on 0.2.0.x.
    - Fix code used to find strings within buffers, when those strings are not in the first chunk of the buffer. Bugfix on 0.2.0.x.
    - Fix potential segfault when parsing HTTP headers. Bugfix on 0.2.0.x.
    - Add a new __HashedControlSessionPassword option for controllers to use for one-off session password hashes that shouldn't get saved to disk by SAVECONF --- Vidalia users were accumulating a pile of HashedControlPassword lines in their torrc files, one for each time they had restarted Tor and then clicked Save. Make Tor automatically convert "HashedControlPassword" to this new option but only when it's given on the command line. Partial fix for bug 586.

  o Minor features (performance):
    - Tune parameters for cell pool allocation to minimize amount of RAM overhead used.
    - Add OpenBSD malloc code from phk as an optional malloc replacement on Linux: some glibc libraries do very poorly with Tor's memory allocation patterns. Pass --enable-openbsd-malloc to get the replacement malloc code.
    - Add a --with-tcmalloc option to the configure script to link against tcmalloc (if present). Does not yet search for non-system include paths.
    - Stop imposing an arbitrary maximum on the number of file descriptors used for busy servers. Bug reported by Olaf Selke; patch from Sebastian Hahn.

  o Minor features (other):
    - When SafeLogging is disabled, log addresses along with all TLS errors.
    - When building with --enable-gcc-warnings, check for whether Apple's warning "-Wshorten-64-to-32" is available.
    - Add a --passphrase-fd argument to the tor-gencert command for scriptability.

  o Minor bugfixes (memory leaks and code problems):
    - We were leaking a file descriptor if Tor started with a zero-length cached-descriptors file. Patch by freddy77; bugfix on 0.1.2.
    - Detect size overflow in zlib code. Reported by Justin Ferguson and Dan Kaminsky.
    - We were comparing the raw BridgePassword entry with a base64'ed version of it, when handling a "/tor/networkstatus-bridges" directory request. Now compare correctly. Noticed by Veracode.
    - Recover from bad tracked-since value in MTBF-history file. Should fix bug 537.
    - Alter the code that tries to recover from unhandled write errors, to not try to flush onto a socket that's given us unhandled errors. Bugfix on 0.1.2.x.
    - Make Unix controlsockets work correctly on OpenBSD. Patch from tup. Bugfix on 0.2.0.3-alpha.

  o Minor bugfixes (other):
    - If we have an extra-info document for our server, always make it available on the control port, even if we haven't gotten a copy of it from an authority yet. Patch from mwenge.
    - Log the correct memory chunk sizes for empty RAM chunks in mempool.c.
    - Directory mirrors no longer include a guess at the client's IP address if the connection appears to be coming from the same /24 network; it was producing too many wrong guesses.
    - Make the new hidden service code respect the SafeLogging setting. Bugfix on 0.2.0.x. Patch from Karsten.
    - When starting as an authority, do not overwrite all certificates cached from other authorities. Bugfix on 0.2.0.x. Fixes bug 606.
    - If we're trying to flush the last bytes on a connection (for example, when answering a directory request), reset the time-to-give-up timeout every time we manage to write something on the socket. Bugfix on 0.1.2.x.
    - Change the behavior of "getinfo status/good-server-descriptor" so it doesn't return failure when any authority disappears.
    - Even though the man page said that "TrackHostExits ." should work, nobody had ever implemented it. Bugfix on 0.1.0.x.
    - Report TLS "zero return" case as a "clean close" and "IO error" as a "close". Stop calling closes "unexpected closes": existing Tors don't use SSL_close(), so having a connection close without the TLS shutdown handshake is hardly unexpected.
    - Send NAMESERVER_STATUS messages for a single failed nameserver correctly.

  o Code simplifications and refactoring:
    - Remove the tor_strpartition function: its logic was confused, and it was only used for one thing that could be implemented far more easily.

Changes in version 0.2.0.19-alpha - 2008-02-09
  Tor 0.2.0.19-alpha makes more progress towards normalizing Tor's TLS handshake, makes path selection for relays more secure and IP address guessing more robust, and generally fixes a lot of bugs in preparation for calling the 0.2.0 branch stable.

  o Major features:
    - Do not include recognizable strings in the commonname part of Tor's x509 certificates.

  o Major bugfixes:
    - If we're a relay, avoid picking ourselves as an introduction point, a rendezvous point, or as the final hop for internal circuits. Bug reported by taranis and lodger. Bugfix on 0.1.2.x.
    - Patch from "Andrew S. Lists" to catch when we contact a directory mirror at IP address X and he says we look like we're coming from IP address X. Bugfix on 0.1.2.x.

  o Minor features (security):
    - Be more paranoid about overwriting sensitive memory on free(), as a defensive programming tactic to ensure forward secrecy.

  o Minor features (directory authority):
    - Actually validate the options passed to AuthDirReject, AuthDirInvalid, AuthDirBadDir, and AuthDirBadExit.
    - Reject router descriptors with out-of-range bandwidthcapacity or bandwidthburst values.

  o Minor features (controller):
    - Reject controller commands over 1MB in length. This keeps rogue processes from running us out of memory.

  o Minor features (misc):
    - Give more descriptive well-formedness errors for out-of-range hidden service descriptor/protocol versions.
    - Make memory debugging information describe more about history of cell allocation, so we can help reduce our memory use.

  o Deprecated features (controller):
    - The status/version/num-versioning and status/version/num-concurring GETINFO options are no longer useful in the v3 directory protocol: treat them as deprecated, and warn when they're used.

  o Minor bugfixes:
    - When our consensus networkstatus has been expired for a while, stop being willing to build circuits using it. Fixes bug 401. Bugfix on 0.1.2.x.
    - Directory caches now fetch certificates from all authorities listed in a networkstatus consensus, even when they do not recognize them. Fixes bug 571. Bugfix on 0.2.0.x.
    - When connecting to a bridge without specifying its key, insert the connection into the identity-to-connection map as soon as a key is learned. Fixes bug 574. Bugfix on 0.2.0.x.
    - Detect versions of OS X where malloc_good_size() is present in the library but never actually declared. Resolves bug 587. Bugfix on 0.2.0.x.
    - Stop incorrectly truncating zlib responses to directory authority signature download requests. Fixes bug 593. Bugfix on 0.2.0.x.
    - Stop recommending that every server operator send mail to tor-ops. Resolves bug 597. Bugfix on 0.1.2.x.
    - Don't trigger an assert if we start a directory authority with a private IP address (like 127.0.0.1).
    - Avoid possible failures when generating a directory with routers with over-long version strings, or too many flags set. Bugfix on 0.1.2.x.
    - If an attempt to launch a DNS resolve request over the control port fails because we have overrun the limit on the number of connections, tell the controller that the request has failed.
    - Avoid using too little bandwidth when our clock skips a few seconds. Bugfix on 0.1.2.x.
    - Fix shell error when warning about missing packages in configure script, on Fedora or Red Hat machines. Bugfix on 0.2.0.x.
    - Do not become confused when receiving a spurious VERSIONS-like cell from a confused v1 client. Bugfix on 0.2.0.x.
    - Re-fetch v2 (as well as v0) rendezvous descriptors when all introduction points for a hidden service have failed. Patch from Karsten Loesing. Bugfix on 0.2.0.x.

  o Code simplifications and refactoring:
    - Remove some needless generality from cpuworker code, for improved type-safety.
    - Stop overloading the circuit_t.onionskin field for both "onionskin from a CREATE cell that we are waiting for a cpuworker to be assigned" and "onionskin from an EXTEND cell that we are going to send to an OR as soon as we are connected". Might help with bug 600.
    - Add an in-place version of aes_crypt() so that we can avoid doing a needless memcpy() call on each cell payload.


Changes in version 0.2.0.18-alpha - 2008-01-25
  Tor 0.2.0.18-alpha adds a sixth v3 directory authority run by CCC, fixes a big memory leak in 0.2.0.17-alpha, and adds new config options that can warn or reject connections to ports generally associated with vulnerable-plaintext protocols.

  o New directory authorities:
    - Set up dannenberg (run by CCC) as the sixth v3 directory authority.

  o Major bugfixes:
    - Fix a major memory leak when attempting to use the v2 TLS handshake code. Bugfix on 0.2.0.x; fixes bug 589.
    - We accidentally enabled the under-development v2 TLS handshake code, which was causing log entries like "TLS error while renegotiating handshake". Disable it again. Resolves bug 590.
    - We were computing the wrong Content-Length: header for directory responses that need to be compressed on the fly, causing clients asking for those items to always fail. Bugfix on 0.2.0.x; partially fixes bug 593.

  o Major features:
    - Avoid going directly to the directory authorities even if you're a relay, if you haven't found yourself reachable yet or if you've decided not to advertise your dirport yet. Addresses bug 556.
    - If we've gone 12 hours since our last bandwidth check, and we estimate we have less than 50KB bandwidth capacity but we could handle more, do another bandwidth test.
    - New config options WarnPlaintextPorts and RejectPlaintextPorts so Tor can warn and/or refuse connections to ports commonly used with vulnerable-plaintext protocols. Currently we warn on ports 23, 109, 110, and 143, but we don't reject any.
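
  Added example (not part of this changelog and not Tor's own code): a small port policy in the spirit of the WarnPlaintextPorts/RejectPlaintextPorts options described above, showing how a warn list and a reject list are parsed from configuration strings and applied to a destination port. The comma-separated list syntax, the rule that a port in both lists is rejected, and all function names are assumptions of this example; the "23,109,110,143" warn list is the default the entry names.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Example code, not Tor's implementation. The list format and the
 * "reject wins over warn" rule are assumptions made for this example. */

#define MAX_PORTS 64

typedef struct {
  uint16_t ports[MAX_PORTS];
  size_t n;
} port_list_t;

typedef enum {
  PORT_ALLOW = 0,   /* connect silently */
  PORT_WARN = 1,    /* connect, but warn that the protocol is usually plaintext */
  PORT_REJECT = 2   /* refuse the stream */
} port_verdict_t;

/* Parse a comma-separated list of ports such as "23,109,110,143" into *out.
 * Returns 0 on success, -1 if an entry is non-numeric, outside 1-65535,
 * a trailing comma is present, or the list is too long. A NULL or empty
 * spec yields an empty list, i.e. "option not set". */
int parse_port_list(const char *spec, port_list_t *out)
{
  const char *p = spec ? spec : "";
  out->n = 0;
  while (*p) {
    char *end;
    long v;
    while (*p == ' ') p++;
    if (!isdigit((unsigned char)*p)) return -1;
    v = strtol(p, &end, 10);
    if (v < 1 || v > 65535) return -1;
    if (out->n >= MAX_PORTS) return -1;
    out->ports[out->n++] = (uint16_t)v;
    p = end;
    while (*p == ' ') p++;
    if (*p == ',') {
      p++;
      if (!*p) return -1;      /* "23," is malformed */
    } else if (*p) {
      return -1;               /* garbage after a number */
    }
  }
  return 0;
}

static int list_contains(const port_list_t *l, uint16_t port)
{
  size_t i;
  for (i = 0; i < l->n; i++)
    if (l->ports[i] == port) return 1;
  return 0;
}

/* Decide what to do with a stream to the given destination port.
 * A port listed in both lists is rejected (assumption: reject wins). */
port_verdict_t classify_port(const port_list_t *warn,
                             const port_list_t *reject, uint16_t port)
{
  if (list_contains(reject, port)) return PORT_REJECT;
  if (list_contains(warn, port)) return PORT_WARN;
  return PORT_ALLOW;
}

/* Convenience wrapper working directly on the configuration strings.
 * Returns a port_verdict_t value, or -1 if either list fails to parse:
 * a bad policy should be surfaced, not silently treated as "allow". */
int check_plaintext_port(const char *warn_spec, const char *reject_spec,
                         uint16_t port)
{
  port_list_t warn, reject;
  if (parse_port_list(warn_spec, &warn) < 0) return -1;
  if (parse_port_list(reject_spec, &reject) < 0) return -1;
  return (int)classify_port(&warn, &reject, port);
}

int main(void)
{
  /* Constructed configuration: the warn list the changelog entry names as
   * the current default, plus a reject list a stricter operator might add. */
  const char *warn_spec = "23,109,110,143";
  const char *reject_spec = "23";
  const uint16_t probes[] = { 23, 110, 443, 80 };
  size_t i;
  for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
    int v = check_plaintext_port(warn_spec, reject_spec, probes[i]);
    printf("port %5u -> %s\n", (unsigned)probes[i],
           v == PORT_REJECT ? "reject" : v == PORT_WARN ? "warn" : "allow");
  }
  return 0;
}
```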
  o Minor bugfixes:
    - When we setconf ClientOnly to 1, close any current OR and Dir listeners. Reported by mwenge.
    - When we get a consensus that's been signed by more people than we expect, don't log about it; it's not a big deal. Reported by Kyle Williams.

  o Minor features:
    - Don't answer "/tor/networkstatus-bridges" directory requests if the request isn't encrypted.
    - Make "ClientOnly 1" config option disable directory ports too.
    - Patches from Karsten Loesing to make v2 hidden services more robust: work even when there aren't enough HSDir relays available; retry when a v2 rend desc fetch fails; but don't retry if we already have a usable v0 rend desc.


Changes in version 0.2.0.17-alpha - 2008-01-17
  Tor 0.2.0.17-alpha makes the tarball build cleanly again (whoops).

  o Compile fixes:
    - Make the tor-gencert man page get included correctly in the tarball.


Changes in version 0.2.0.16-alpha - 2008-01-17
  Tor 0.2.0.16-alpha adds a fifth v3 directory authority run by Karsten Loesing, and generally cleans up a lot of features and minor bugs.

  o New directory authorities:
    - Set up gabelmoo (run by Karsten Loesing) as the fifth v3 directory authority.

  o Major performance improvements:
    - Switch our old ring buffer implementation for one more like that used by free Unix kernels. The wasted space in a buffer with 1mb of data will now be more like 8k than 1mb. The new implementation also avoids realloc();realloc(); patterns that can contribute to memory fragmentation.

  o Minor features:
    - Configuration files now accept C-style strings as values. This helps encode characters not allowed in the current configuration file format, such as newline or #. Addresses bug 557.
    - Although we fixed bug 539 (where servers would send HTTP status 503 responses _and_ send a body too), there are still servers out there that haven't upgraded. Therefore, make clients parse such bodies when they receive them.
    - When we're not serving v2 directory information, there is no reason to actually keep any around. Remove the obsolete files and directory on startup if they are very old and we aren't going to serve them.

  o Minor performance improvements:
    - Reference-count and share copies of address policy entries; only 5% of them were actually distinct.
    - Never walk through the list of logs if we know that no log is interested in a given message.

  o Minor bugfixes:
    - When an authority has not signed a consensus, do not try to download a nonexistent "certificate with key 00000000". Bugfix on 0.2.0.x. Fixes bug 569.
    - Fix a rare assert error when we're closing one of our threads: use a mutex to protect the list of logs, so we never write to the list as it's being freed. Bugfix on 0.1.2.x. Fixes the very rare bug 575, which is kind of the revenge of bug 222.
    - Patch from Karsten Loesing to complain less at both the client and the relay when a relay used to have the HSDir flag but doesn't anymore, and we try to upload a hidden service descriptor.
    - Stop leaking one cert per TLS context. Fixes bug 582. Bugfix on 0.2.0.15-alpha.
    - Do not try to download missing certificates until we have tried to check our fallback consensus. Fixes bug 583.
    - Make bridges round reported GeoIP stats info up to the nearest estimate, not down. Now we can distinguish between "0 people from this country" and "1 person from this country".
    - Avoid a spurious free on base64 failure. Bugfix on 0.1.2.
    - Avoid possible segfault if key generation fails in crypto_pk_hybrid_encrypt. Bugfix on 0.2.0.
    - Avoid segfault in the case where a badly behaved v2 versioning directory sends a signed networkstatus with missing client-versions. Bugfix on 0.1.2.
    - Avoid segfaults on certain complex invocations of router_get_by_hexdigest(). Bugfix on 0.1.2.
    - Correct bad index on array access in parse_http_time(). Bugfix on 0.2.0.
    - Fix possible bug in vote generation when server versions are present but client versions are not.
    - Fix rare bug on REDIRECTSTREAM control command when called with no port set: it could erroneously report an error when none had happened.
    - Avoid bogus crash-prone, leak-prone tor_realloc when we're compressing large objects and find ourselves with more than 4k left over. Bugfix on 0.2.0.
    - Fix a small memory leak when setting up a hidden service.
    - Fix a few memory leaks that could in theory happen under bizarre error conditions.
    - Fix an assert if we post a general-purpose descriptor via the control port but that descriptor isn't mentioned in our current network consensus. Bug reported by Jon McLachlan; bugfix on 0.2.0.9-alpha.

  o Minor features (controller):
    - Get NS events working again. Patch from tup.
    - The GETCONF command now escapes and quotes configuration values that don't otherwise fit into the torrc file.
    - The SETCONF command now handles quoted values correctly.

  o Minor features (directory authorities):
    - New configuration options to override default maximum number of servers allowed on a single IP address. This is important for running a test network on a single host.
    - Actually implement the -s option to tor-gencert.
    - Add a manual page for tor-gencert.

  o Minor features (bridges):
    - Bridge authorities no longer serve bridge descriptors over unencrypted connections.

  o Minor features (other):
    - Add hidden services and DNSPorts to the list of things that make Tor accept that it has running ports. Change starting Tor with no ports from a fatal error to a warning; we might change it back if this turns out to confuse anybody. Fixes bug 579.


Changes in version 0.1.2.19 - 2008-01-17
  Tor 0.1.2.19 fixes a huge memory leak on exit relays, makes the default exit policy a little bit more conservative so it's safer to run an exit relay on a home system, and fixes a variety of smaller issues.

  o Security fixes:
    - Exit policies now reject connections that are addressed to a relay's public (external) IP address too, unless ExitPolicyRejectPrivate is turned off. We do this because too many relays are running nearby to services that trust them based on network address.

  o Major bugfixes:
    - When the clock jumps forward a lot, do not allow the bandwidth buckets to become negative. Fixes bug 544.
    - Fix a memory leak on exit relays; we were leaking a cached_resolve_t on every successful resolve. Reported by Mike Perry.
    - Purge old entries from the "rephist" database and the hidden service descriptor database even when DirPort is zero.
    - Stop thinking that 0.1.2.x directory servers can handle "begin_dir" requests. Should ease bugs 406 and 419 where 0.1.2.x relays are crashing or mis-answering these requests.
    - When we decide to send a 503 response to a request for servers, do not then also send the server descriptors: this defeats the whole purpose. Fixes bug 539.

  o Minor bugfixes:
    - Changing the ExitPolicyRejectPrivate setting should cause us to rebuild our server descriptor.
    - Fix handling of hex nicknames when answering controller requests for networkstatus by name, or when deciding whether to warn about unknown routers in a config option. (Patch from mwenge.)
    - Fix a couple of hard-to-trigger autoconf problems that could result in really weird results on platforms whose sys/types.h files define nonstandard integer types.
    - Don't try to create the datadir when running --verify-config or --hash-password. Resolves bug 540.
    - If we were having problems getting a particular descriptor from the directory caches, and then we learned about a new descriptor for that router, we weren't resetting our failure count. Reported by lodger.
    - Although we fixed bug 539 (where servers would send HTTP status 503 responses _and_ send a body too), there are still servers out there that haven't upgraded. Therefore, make clients parse such bodies when they receive them.
    - Run correctly on systems where rlim_t is larger than unsigned long. This includes some 64-bit systems.
    - Run correctly on platforms (like some versions of OS X 10.5) where the real limit for number of open files is OPEN_FILES, not rlim_max from getrlimit(RLIMIT_NOFILES).
    - Avoid a spurious free on base64 failure.
    - Avoid segfaults on certain complex invocations of router_get_by_hexdigest().
    - Fix rare bug on REDIRECTSTREAM control command when called with no port set: it could erroneously report an error when none had happened.


Changes in version 0.2.0.15-alpha - 2007-12-25
  Tor 0.2.0.14-alpha and 0.2.0.15-alpha fix a bunch of bugs with the features added in 0.2.0.13-alpha.

  o Major bugfixes:
    - Fix several remotely triggerable asserts based on DirPort requests for a v2 or v3 networkstatus object before we were prepared. This was particularly bad for 0.2.0.13 and later bridge relays, who would never have a v2 networkstatus and would thus always crash when used. Bugfixes on 0.2.0.x.
    - Estimate the v3 networkstatus size more accurately, rather than estimating it at zero bytes and giving it artificially high priority compared to other directory requests. Bugfix on 0.2.0.x.

  o Minor bugfixes:
    - Fix configure.in logic for cross-compilation.
    - When we load a bridge descriptor from the cache, and it was previously unreachable, mark it as retriable so we won't just ignore it. Also, try fetching a new copy immediately. Bugfixes on 0.2.0.13-alpha.
    - The bridge GeoIP stats were counting other relays, for example self-reachability and authority-reachability tests.

  o Minor features:
    - Support compilation to target iPhone; patch from cjacker huang. To build for iPhone, pass the --enable-iphone option to configure.


Changes in version 0.2.0.14-alpha - 2007-12-23
  o Major bugfixes:
    - Fix a crash on startup if you install Tor 0.2.0.13-alpha fresh without a datadirectory from a previous Tor install. Reported by Zax.
    - Fix a crash when we fetch a descriptor that turns out to be unexpected (it used to be in our networkstatus when we started fetching it, but it isn't in our current networkstatus), and we aren't using bridges. Bugfix on 0.2.0.x.
    - Fix a crash when accessing hidden services: it would work the first time you use a given introduction point for your service, but on subsequent requests we'd be using garbage memory. Fixed by Karsten Loesing. Bugfix on 0.2.0.13-alpha.
    - Fix a crash when we load a bridge descriptor from disk but we don't currently have a Bridge line for it in our torrc. Bugfix on 0.2.0.13-alpha.

  o Major features:
    - If bridge authorities set BridgePassword, they will serve a snapshot of known bridge routerstatuses from their DirPort to anybody who knows that password. Unset by default.

  o Minor bugfixes:
    - Make the unit tests build again.
    - Make "GETINFO/desc-annotations/id/" actually work.
    - Make PublishServerDescriptor default to 1, so the default doesn't have to change as we invent new directory protocol versions.
    - Fix test for rlim_t on OSX 10.3: sys/resource.h doesn't want to be included unless sys/time.h is already included. Fixes bug 553. Bugfix on 0.2.0.x.
    - If we receive a general-purpose descriptor and then receive an identical bridge-purpose descriptor soon after, don't discard the next one as a duplicate.

  o Minor features:
    - If BridgeRelay is set to 1, then the default for PublishServerDescriptor is now "bridge" rather than "v2,v3".
    - If the user sets RelayBandwidthRate but doesn't set RelayBandwidthBurst, then make them equal rather than erroring out.


Changes in version 0.2.0.13-alpha - 2007-12-21
  Tor 0.2.0.13-alpha adds a fourth v3 directory authority run by Geoff Goodell, fixes many more bugs, and adds a lot of infrastructure for upcoming features.

  o New directory authorities:
    - Set up lefkada (run by Geoff Goodell) as the fourth v3 directory authority.
  o Major bugfixes:
    - Only update guard status (usable / not usable) once we have enough directory information. This was causing us to always pick two new guards on startup (bugfix on 0.2.0.9-alpha), and it was causing us to discard all our guards on startup if we hadn't been running for a few weeks (bugfix on 0.1.2.x). Fixes bug 448.
    - Purge old entries from the "rephist" database and the hidden service descriptor databases even when DirPort is zero. Bugfix on 0.1.2.x.
    - We were ignoring our RelayBandwidthRate for the first 30 seconds after opening a circuit -- even a relayed circuit. Bugfix on 0.2.0.3-alpha.
    - Stop thinking that 0.1.2.x directory servers can handle "begin_dir" requests. Should ease bugs 406 and 419 where 0.1.2.x relays are crashing or mis-answering these types of requests.
    - Relays were publishing their server descriptor to v1 and v2 directory authorities, but they didn't try publishing to v3-only authorities. Fix this; and also stop publishing to v1 authorities. Bugfix on 0.2.0.x.
    - When we were reading router descriptors from cache, we were ignoring the annotations -- so for example we were reading in bridge-purpose descriptors as general-purpose descriptors. Bugfix on 0.2.0.8-alpha.
    - When we decided to send a 503 response to a request for servers, we were then also sending the server descriptors: this defeats the whole purpose. Fixes bug 539; bugfix on 0.1.2.x.

  o Major features:
    - Bridge relays now behave like clients with respect to time intervals for downloading new consensus documents -- otherwise they stand out. Bridge users now wait until the end of the interval, so their bridge relay will be sure to have a new consensus document.
    - Three new config options (AlternateDirAuthority, AlternateBridgeAuthority, and AlternateHSAuthority) that let the user selectively replace the default directory authorities by type, rather than the all-or-nothing replacement that DirServer offers.
    - Tor can now be configured to read a GeoIP file from disk in one of two formats. This can be used by controllers to map IP addresses to countries. Eventually, it may support exit-by-country.
    - When possible, bridge relays remember which countries users are coming from, and report aggregate information in their extra-info documents, so that the bridge authorities can learn where Tor is blocked.
    - Bridge directory authorities now do reachability testing on the bridges they know. They provide router status summaries to the controller via "getinfo ns/purpose/bridge", and also dump summaries to a file periodically.
    - Stop fetching directory info so aggressively if your DirPort is on but your ORPort is off; stop fetching v2 dir info entirely. You can override these choices with the new FetchDirInfoEarly config option.

  o Minor bugfixes:
    - The fix in 0.2.0.12-alpha cleared the "hsdir" flag in v3 network consensus documents when there are too many relays at a single IP address. Now clear it in v2 network status documents too, and also clear it in routerinfo_t when the relay is no longer listed in the relevant networkstatus document.
    - Don't crash if we get an unexpected value for the PublishServerDescriptor config option. Reported by Matt Edman; bugfix on 0.2.0.9-alpha.
    - Our new v2 hidden service descriptor format allows descriptors that have no introduction points. But Tor crashed when we tried to build a descriptor with no intro points (and it would have crashed if we had tried to parse one). Bugfix on 0.2.0.x; patch by Karsten Loesing.
    - Fix building with dmalloc 5.5.2 with glibc.
    - Reject uploaded descriptors and extrainfo documents if they're huge. Otherwise we'll cache them all over the network and it'll clog everything up. Reported by Aljosha Judmayer.
    - Check for presence of s6_addr16 and s6_addr32 fields in in6_addr via autoconf. Should fix compile on solaris. Bugfix on 0.2.0.x.
    - When the DANGEROUS_VERSION controller status event told us we're running an obsolete version, it used the string "OLD" to describe it. Yet the "getinfo" interface used the string "OBSOLETE". Now use "OBSOLETE" in both cases. Bugfix on 0.1.2.x.
    - If we can't expand our list of entry guards (e.g. because we're using bridges or we have StrictEntryNodes set), don't mark relays down when they fail a directory request. Otherwise we're too quick to mark all our entry points down. Bugfix on 0.1.2.x.
    - Fix handling of hex nicknames when answering controller requests for networkstatus by name, or when deciding whether to warn about unknown routers in a config option. Bugfix on 0.1.2.x. (Patch from mwenge.)
    - Fix a couple of hard-to-trigger autoconf problems that could result in really weird results on platforms whose sys/types.h files define nonstandard integer types. Bugfix on 0.1.2.x.
    - Fix compilation with --disable-threads set. Bugfix on 0.2.0.x.
    - Don't crash on name lookup when we have no current consensus. Fixes bug 538; bugfix on 0.2.0.x.
    - Only Tors that want to mirror the v2 directory info should create the "cached-status" directory in their datadir. (All Tors used to create it.) Bugfix on 0.2.0.9-alpha.
    - Directory authorities should only automatically download Extra Info documents if they're v1, v2, or v3 authorities. Bugfix on 0.1.2.x.

  o Minor features:
    - On the USR1 signal, when dmalloc is in use, log the top 10 memory consumers. (We already do this on HUP.)
    - Authorities and caches fetch the v2 networkstatus documents less often, now that v3 is encouraged.
    - Add a new config option BridgeRelay that specifies you want to be a bridge relay. Right now the only difference is that it makes you answer begin_dir requests, and it makes you cache dir info, even if your DirPort isn't on.
    - Add "GETINFO/desc-annotations/id/" so controllers can ask about source, timestamp of arrival, purpose, etc.
      We need something like this to help Vidalia not do GeoIP lookups on bridge addresses.
    - Allow multiple HashedControlPassword config lines, to support multiple controller passwords.
    - Authorities now decide whether they're authoritative for a given router based on the router's purpose.
    - New config options AuthDirBadDir and AuthDirListBadDirs for authorities to mark certain relays as "bad directories" in the networkstatus documents. Also supports the "!baddir" directive in the approved-routers file.


Changes in version 0.2.0.12-alpha - 2007-11-16
  This twelfth development snapshot fixes some more build problems as well as a few minor bugs.

  o Compile fixes:
    - Make it build on OpenBSD again. Patch from tup.
    - Substitute BINDIR and LOCALSTATEDIR in scripts. Fixes package-building for Red Hat, OS X, etc.

  o Minor bugfixes (on 0.1.2.x):
    - Changing the ExitPolicyRejectPrivate setting should cause us to rebuild our server descriptor.

  o Minor bugfixes (on 0.2.0.x):
    - When we're lacking a consensus, don't try to perform rendezvous operations. Reported by Karsten Loesing.
    - Fix a small memory leak whenever we decide against using a newly picked entry guard. Reported by Mike Perry.
    - When authorities detected more than two relays running on the same IP address, they were clearing all the status flags but forgetting to clear the "hsdir" flag. So clients were being told that a given relay was the right choice for a v2 hsdir lookup, yet they never had its descriptor because it was marked as 'not running' in the consensus.
    - If we're trying to fetch a bridge descriptor and there's no way the bridge authority could help us (for example, we don't know a digest, or there is no bridge authority), don't be so eager to fall back to asking the bridge authority.
    - If we're using bridges or have StrictEntryNodes set, and our chosen exit is in the same family as all our bridges/entry guards, then be flexible about families.
  o Minor features:
    - When we negotiate a v2 link-layer connection (not yet implemented), accept RELAY_EARLY cells and turn them into RELAY cells if we've negotiated a v1 connection for their next step. Initial code for proposal 110.


Changes in version 0.2.0.11-alpha - 2007-11-12
  This eleventh development snapshot fixes some build problems with the previous snapshot. It also includes a more secure-by-default exit policy for relays, fixes an enormous memory leak for exit relays, and fixes another bug where servers were falling out of the directory list.

  o Security fixes:
    - Exit policies now reject connections that are addressed to a relay's public (external) IP address too, unless ExitPolicyRejectPrivate is turned off. We do this because too many relays are running nearby to services that trust them based on network address. Bugfix on 0.1.2.x.

  o Major bugfixes:
    - Fix a memory leak on exit relays; we were leaking a cached_resolve_t on every successful resolve. Reported by Mike Perry; bugfix on 0.1.2.x.
    - On authorities, never downgrade to old router descriptors simply because they're listed in the consensus. This created a catch-22 where we wouldn't list a new descriptor because there was an old one in the consensus, and we couldn't get the new one in the consensus because we wouldn't list it. Possible fix for bug 548. Also, this might cause bug 543 to appear on authorities; if so, we'll need a band-aid for that. Bugfix on 0.2.0.9-alpha.

  o Packaging fixes on 0.2.0.10-alpha:
    - We were including instructions about what to do with the src/config/fallback-consensus file, but we weren't actually including it in the tarball. Disable all of that for now.

  o Minor features:
    - Allow people to say PreferTunnelledDirConns rather than PreferTunneledDirConns, for those alternate-spellers out there.

  o Minor bugfixes:
    - Don't reevaluate all the information from our consensus document just because we've downloaded a v2 networkstatus that we intend to cache.
      Fixes bug 545; bugfix on 0.2.0.x.


Changes in version 0.2.0.10-alpha - 2007-11-10
  This tenth development snapshot adds a third v3 directory authority run by Mike Perry, adds most of Karsten Loesing's new hidden service descriptor format, fixes a bad crash bug and new bridge bugs introduced in 0.2.0.9-alpha, fixes many bugs with the v3 directory implementation, fixes some minor memory leaks in previous 0.2.0.x snapshots, and addresses many more minor issues.

  o New directory authorities:
    - Set up ides (run by Mike Perry) as the third v3 directory authority.

  o Major features:
    - Allow tunnelled directory connections to ask for an encrypted "begin_dir" connection or an anonymized "uses a full Tor circuit" connection independently. Now we can make anonymized begin_dir connections for (e.g.) more secure hidden service posting and fetching.
    - More progress on proposal 114: code from Karsten Loesing to implement new hidden service descriptor format.
    - Raise the default BandwidthRate/BandwidthBurst to 5MB/10MB, to accommodate the growing number of servers that use the default and are reaching it.
    - Directory authorities use a new formula for selecting which nodes to advertise as Guards: they must be in the top 7/8 in terms of how long we have known about them, and above the median of those nodes in terms of weighted fractional uptime.
    - Make "not enough dir info yet" warnings describe *why* Tor feels it doesn't have enough directory info yet.

  o Major bugfixes:
    - Stop servers from crashing if they set a Family option (or maybe in other situations too). Bugfix on 0.2.0.9-alpha; reported by Fabian Keil.
    - Make bridge users work again -- the move to v3 directories in 0.2.0.9-alpha had introduced a number of bugs that made bridges no longer work for clients.
    - When the clock jumps forward a lot, do not allow the bandwidth buckets to become negative. Bugfix on 0.1.2.x; fixes bug 544.
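  Bug 544 from this entry (bandwidth buckets going negative after a large forward clock jump) shown on a token bucket. This is an added example and not Tor's code: Tor's buckets are C ints, so the overflow is modelled with explicit 32-bit wrapping, and the shape of both the buggy refill and the fixed one is an assumption about the bug, not a transcription of Tor's function. The rate and burst values are the 5MB/10MB defaults this entry mentions.

```python
# Token-bucket refill illustrating bug 544 (bandwidth buckets going negative
# after a large forward clock jump). Added example, not Tor's code: the
# 32-bit wrapping models C int arithmetic, and both refill functions are an
# assumption about the shape of the bug, not a copy of Tor's implementation.

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def wrap_i32(x):
    """Truncate to a signed 32-bit int, as C arithmetic would on overflow."""
    x &= 0xFFFFFFFF
    return x - 2**32 if x > INT32_MAX else x


def refill_naive(bucket, rate, burst, elapsed_seconds):
    """Pre-fix shape: rate * elapsed can exceed INT32_MAX and wrap negative,
    and min() against burst happily keeps the negative value."""
    added = wrap_i32(rate * elapsed_seconds)
    return min(wrap_i32(bucket + added), burst)


def refill_fixed(bucket, rate, burst, elapsed_seconds):
    """Post-fix shape: cap the elapsed time so the product stays small
    (anything longer would fill the bucket anyway), then clamp the result
    into [bucket, burst] so it can never go negative."""
    if elapsed_seconds <= 0 or bucket >= burst:
        return bucket
    max_useful = burst // max(rate, 1) + 1
    added = wrap_i32(rate * min(elapsed_seconds, max_useful))
    new = wrap_i32(bucket + added)
    if new < bucket or new > burst:   # wrapped, or over the burst ceiling
        return burst
    return new


def can_write(bucket):
    """A connection may send only while its bucket is positive; a negative
    bucket silently starves it until enough refills drag it back above zero."""
    return bucket > 0


if __name__ == "__main__":
    rate, burst = 5_000_000, 10_000_000   # the 5MB/10MB defaults from this entry
    jump = 500                             # constructed clock jump, in seconds
    for name, refill in (("naive", refill_naive), ("fixed", refill_fixed)):
        bucket = refill(0, rate, burst, jump)
        print(f"{name}: bucket after {jump}s jump = {bucket}, can_write={can_write(bucket)}")
```

  With a 500 second jump, rate*elapsed is 2.5e9, which does not fit in a signed 32-bit int; the naive refill wraps it to a large negative number and the relay stops sending, while the fixed refill caps the elapsed time and lands on the burst value.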
  o Major bugfixes (v3 dir, bugfixes on 0.2.0.9-alpha):
    - When the consensus lists a router descriptor that we previously were mirroring, but that we considered non-canonical, reload the descriptor as canonical. This fixes bug 543 where Tor servers would start complaining after a few days that they don't have enough directory information to build a circuit.
    - Consider replacing the current consensus when certificates arrive that make the pending consensus valid. Previously, we were only considering replacement when the new certs _didn't_ help.
    - Fix an assert error on startup if we didn't already have the consensus and certs cached in our datadirectory: we were caching the consensus in consensus_waiting_for_certs but then free'ing it right after.
    - Avoid sending a request for "keys/fp" (for which we'll get a 400 Bad Request) if we need more v3 certs but we've already got pending requests for all of them.
    - Correctly back off from failing certificate downloads. Fixes bug 546.
    - Authorities don't vote on the Running flag if they have been running for less than 30 minutes themselves. Fixes bug 547, where a newly started authority would vote that everyone was down.

  o New requirements:
    - Drop support for OpenSSL version 0.9.6. Just about nobody was using it, it had no AES, and it hasn't seen any security patches since 2004.

  o Minor features:
    - Clients now hold circuitless TLS connections open for 1.5 times MaxCircuitDirtiness (15 minutes), since it is likely that they'll rebuild a new circuit over them within that timeframe. Previously, they held them open only for KeepalivePeriod (5 minutes).
    - Use "If-Modified-Since" to avoid retrieving consensus networkstatuses that we already have.
    - When we have no consensus, check FallbackNetworkstatusFile (defaults to $PREFIX/share/tor/fallback-consensus) for a consensus. This way we start knowing some directory caches.
    - When we receive a consensus from the future, warn about skew.
    - Improve skew reporting: try to give the user a better log message about how skewed they are, and how much this matters.
    - When we have a certificate for an authority, believe that certificate's claims about the authority's IP address.
    - New --quiet command-line option to suppress the default console log. Good in combination with --hash-password.
    - Authorities send back an X-Descriptor-Not-New header in response to an accepted-but-discarded descriptor upload. Partially implements fix for bug 535.
    - Make the log message for "tls error. breaking." more useful.
    - Better log messages about certificate downloads, to attempt to track down the second incarnation of bug 546.

  o Minor features (bridges):
    - If bridge users set UpdateBridgesFromAuthority, but the digest they ask for is a 404 from the bridge authority, they now fall back to trying the bridge directly.
    - Bridges now use begin_dir to publish their server descriptor to the bridge authority, even when they haven't set TunnelDirConns.

  o Minor features (controller):
    - When reporting clock skew, and we know that the clock is _at least as skewed_ as some value, but we don't know the actual value, report the value as a "minimum skew."

  o Utilities:
    - Update linux-tor-prio.sh script to allow QoS based on the uid of the Tor process. Patch from Marco Bonetti with tweaks from Mike Perry.

  o Minor bugfixes:
    - Refuse to start if both ORPort and UseBridges are set. Bugfix on 0.2.0.x, suggested by Matt Edman.
    - Don't stop fetching descriptors when FetchUselessDescriptors is set, even if we stop asking for circuits. Bugfix on 0.1.2.x; reported by tup and ioerror.
    - Better log message on vote from unknown authority.
    - Don't log "Launching 0 request for 0 router" message.

  o Minor bugfixes (memory leaks):
    - Stop leaking memory every time we parse a v3 certificate. Bugfix on 0.2.0.1-alpha.
    - Stop leaking memory every time we load a v3 certificate. Bugfix on 0.2.0.1-alpha. Fixes Bug 536.
    - Stop leaking a cached networkstatus on exit.
      Bugfix on 0.2.0.3-alpha.
    - Stop leaking voter information every time we free a consensus. Bugfix on 0.2.0.3-alpha.
    - Stop leaking signed data every time we check a voter signature. Bugfix on 0.2.0.3-alpha.
    - Stop leaking a signature every time we fail to parse a consensus or a vote. Bugfix on 0.2.0.3-alpha.
    - Stop leaking v2_download_status_map on shutdown. Bugfix on 0.2.0.9-alpha.
    - Stop leaking conn->nickname every time we make a connection to a Tor relay without knowing its expected identity digest (e.g. when using bridges). Bugfix on 0.2.0.3-alpha.

  o Minor bugfixes (portability):
    - Run correctly on platforms where rlim_t is larger than unsigned long, and/or where the real limit for number of open files is OPEN_FILES, not rlim_max from getrlimit(RLIMIT_NOFILES). In particular, these may be needed for OS X 10.5.


Changes in version 0.1.2.18 - 2007-10-28
  Tor 0.1.2.18 fixes many problems including crash bugs, problems with hidden service introduction that were causing huge delays, and a big bug that was causing some servers to disappear from the network status lists for a few hours each day.

  o Major bugfixes (crashes):
    - If a connection is shut down abruptly because of something that happened inside connection_flushed_some(), do not call connection_finished_flushing(). Should fix bug 451: "connection_stop_writing: Assertion conn->write_event failed". Bugfix on 0.1.2.7-alpha.
    - Fix possible segfaults in functions called from rend_process_relay_cell().

  o Major bugfixes (hidden services):
    - Hidden services were choosing introduction points uniquely by hexdigest, but when constructing the hidden service descriptor they merely wrote the (potentially ambiguous) nickname.
    - Clients now use the v2 intro format for hidden service connections: they specify their chosen rendezvous point by identity digest rather than by (potentially ambiguous) nickname. These changes could speed up hidden service connections dramatically.
  o Major bugfixes (other):
    - Stop publishing a new server descriptor just because we get a HUP signal. This led (in a roundabout way) to some servers getting dropped from the networkstatus lists for a few hours each day.
    - When looking for a circuit to cannibalize, consider family as well as identity. Fixes bug 438. Bugfix on 0.1.0.x (which introduced circuit cannibalization).
    - When a router wasn't listed in a new networkstatus, we were leaving the flags for that router alone -- meaning it remained Named, Running, etc -- even though absence from the networkstatus means that it shouldn't be considered to exist at all anymore. Now we clear all the flags for routers that fall out of the networkstatus consensus. Fixes bug 529.

  o Minor bugfixes:
    - Don't try to access (or alter) the state file when running --list-fingerprint or --verify-config or --hash-password. Resolves bug 499.
    - When generating information telling us how to extend to a given router, do not try to include the nickname if it is absent. Resolves bug 467.
    - Fix a user-triggerable segfault in expand_filename(). (There isn't a way to trigger this remotely.)
    - When sending a status event to the controller telling it that an OR address is reachable, set the port correctly. (Previously we were reporting the dir port.)
    - Fix a minor memory leak whenever a controller sends the PROTOCOLINFO command. Bugfix on 0.1.2.17.
    - When loading bandwidth history, do not believe any information in the future. Fixes bug 434.
    - When loading entry guard information, do not believe any information in the future.
    - When we have our clock set far in the future and generate an onion key, then re-set our clock to be correct, we should not stop the onion key from getting rotated.
    - On some platforms, accept() can return a broken address. Detect this more quietly, and deal accordingly. Fixes bug 483.
    - It's not actually an error to find a non-pending entry in the DNS cache when canceling a pending resolve.
      Don't log unless stuff is fishy. Resolves bug 463.
    - Don't reset trusted dir server list when we set a configuration option. Patch from Robert Hogan.
    - Don't try to create the datadir when running --verify-config or --hash-password. Resolves bug 540.


Changes in version 0.2.0.9-alpha - 2007-10-24
  This ninth development snapshot switches clients to the new v3 directory system; allows servers to be listed in the network status even when they have the same nickname as a registered server; and fixes many other bugs including a big one that was causing some servers to disappear from the network status lists for a few hours each day.

  o Major features (directory system):
    - Clients now download v3 consensus networkstatus documents instead of v2 networkstatus documents. Clients and caches now base their opinions about routers on these consensus documents. Clients only download router descriptors listed in the consensus.
    - Authorities now list servers who have the same nickname as a different named server, but list them with a new flag, "Unnamed". Now we can list servers that happen to pick the same nickname as a server that registered two years ago and then disappeared. Partially implements proposal 122.
    - If the consensus lists a router as "Unnamed", the name is assigned to a different router: do not identify the router by that name. Partially implements proposal 122.
    - Authorities can now come to a consensus on which method to use to compute the consensus. This gives us forward compatibility.

  o Major bugfixes:
    - Stop publishing a new server descriptor just because we HUP or when we find our DirPort to be reachable but won't actually publish it. New descriptors without any real changes are dropped by the authorities, and can screw up our "publish every 18 hours" schedule. Bugfix on 0.1.2.x.
    - When a router wasn't listed in a new networkstatus, we were leaving the flags for that router alone -- meaning it remained Named, Running, etc -- even though absence from the networkstatus means that it shouldn't be considered to exist at all anymore. Now we clear all the flags for routers that fall out of the networkstatus consensus. Fixes bug 529; bugfix on 0.1.2.x.
    - Fix awful behavior in DownloadExtraInfo option where we'd fetch extrainfo documents and then discard them immediately for not matching the latest router. Bugfix on 0.2.0.1-alpha.

  o Minor features (v3 directory protocol):
    - Allow tor-gencert to generate a new certificate without replacing the signing key.
    - Allow certificates to include an address.
    - When we change our directory-cache settings, reschedule all voting and download operations.
    - Reattempt certificate downloads immediately on failure, as long as we haven't failed a threshold number of times yet.
    - Delay retrying consensus downloads while we're downloading certificates to verify the one we just got. Also, count getting a consensus that we already have (or one that isn't valid) as a failure, and count failing to get the certificates after 20 minutes as a failure.
    - Build circuits and download descriptors even if our consensus is a little expired. (This feature will go away once authorities are more reliable.)

  o Minor features (router descriptor cache):
    - If we find a cached-routers file that's been sitting around for more than 28 days unmodified, then most likely it's a leftover from when we upgraded to 0.2.0.8-alpha. Remove it. It has no good routers anyway.
    - When we (as a cache) download a descriptor because it was listed in a consensus, remember when the consensus was supposed to expire, and don't expire the descriptor until then.

  o Minor features (performance):
    - Call routerlist_remove_old_routers() much less often. This should speed startup, especially on directory caches.
    - Don't try to launch new descriptor downloads quite so often when we already have enough directory information to build circuits.
    - Base64 decoding was actually showing up on our profile when parsing the initial descriptor file; switch to an in-process all-at-once implementation that's about 3.5x faster than calling out to OpenSSL.

  o Minor features (compilation):
    - Detect non-ASCII platforms (if any still exist) and refuse to build there: some of our code assumes that 'A' is 65 and so on.

  o Minor bugfixes (v3 directory authorities, bugfixes on 0.2.0.x):
    - Make the "next period" votes into "current period" votes immediately after publishing the consensus; avoid a heisenbug that made them stick around indefinitely.
    - When we discard a vote as a duplicate, do not report this as an error.
    - Treat missing v3 keys or certificates as an error when running as a v3 directory authority.
    - When we're configured to be a v3 authority, but we're only listed as a non-v3 authority in our DirServer line for ourself, correct the listing.
    - If an authority doesn't have a qualified hostname, just put its address in the vote. This fixes the problem where we referred to "moria on moria:9031."
    - Distinguish between detached signatures for the wrong period, and detached signatures for a divergent vote.
    - Fix a small memory leak when computing a consensus.
    - When there's no consensus, we were forming a vote every 30 minutes, but writing the "valid-after" line in our vote based on our configured V3AuthVotingInterval: so unless the intervals matched up, we immediately rejected our own vote because it didn't start at the voting interval that caused us to construct a vote.

  o Minor bugfixes (v3 directory protocol, bugfixes on 0.2.0.x):
    - Delete unverified-consensus when the real consensus is set.
    - Consider retrying a consensus networkstatus fetch immediately after one fails: don't wait 60 seconds to notice.
    - When fetching a consensus as a cache, wait until a newer consensus should exist before trying to replace the current one.
    - Use a more forgiving schedule for retrying failed consensus downloads than for other types.

  o Minor bugfixes (other directory issues):
    - Correct the implementation of "download votes by digest." Bugfix on 0.2.0.8-alpha.
    - Authorities no longer send back "400 you're unreachable please fix it" errors to Tor servers that aren't online all the time. We're supposed to tolerate these servers now. Bugfix on 0.1.2.x.

  o Minor bugfixes (controller):
    - Don't reset trusted dir server list when we set a configuration option. Patch from Robert Hogan; bugfix on 0.1.2.x.
    - Respond to INT and TERM SIGNAL commands before we execute the signal, in case the signal shuts us down. We had a patch in 0.1.2.1-alpha that tried to do this by queueing the response on the connection's buffer before shutting down, but that really isn't the same thing at all. Bug located by Matt Edman.

  o Minor bugfixes (misc):
    - Correctly check for bad options to the "PublishServerDescriptor" config option. Bugfix on 0.2.0.1-alpha; reported by Matt Edman.
    - Stop leaking memory on failing case of base32_decode, and make it accept upper-case letters. Bugfixes on 0.2.0.7-alpha.
    - Don't try to download extrainfo documents when we're trying to fetch enough directory info to build a circuit: having enough info should get priority. Bugfix on 0.2.0.x.
    - Don't complain that "your server has not managed to confirm that its ports are reachable" if we haven't been able to build any circuits yet. Bug found by spending four hours without a v3 consensus. Bugfix on 0.1.2.x.
    - Detect the reason for failing to mmap a descriptor file we just wrote, and give a more useful log message. Fixes bug 533. Bugfix on 0.1.2.x.

  o Code simplifications and refactoring:
    - Remove support for the old bw_accounting file: we've been storing bandwidth accounting information in the state file since 0.1.2.5-alpha.
      This may result in bandwidth accounting errors if you try to upgrade from 0.1.1.x or earlier, or if you try to downgrade to 0.1.1.x or earlier.
    - New convenience code to locate a file within the DataDirectory.
    - Move non-authority functionality out of dirvote.c.
    - Refactor the arguments for router_pick_{directory_|trusteddir}server so that they all take the same named flags.

  o Utilities:
    - Include the "tor-ctrl.sh" bash script by Stefan Behte to provide Unix users an easy way to script their Tor process (e.g. by adjusting bandwidth based on the time of the day).


Changes in version 0.2.0.8-alpha - 2007-10-12
  This eighth development snapshot fixes a crash bug that's been bothering us since February 2007, lets bridge authorities store a list of bridge descriptors they've seen, gets v3 directory voting closer to working, starts caching v3 directory consensus documents on directory mirrors, and fixes a variety of smaller issues including some minor memory leaks.

  o Major features (router descriptor cache):
    - Store routers in a file called cached-descriptors instead of in cached-routers. Initialize cached-descriptors from cached-routers if the old format is around. The new format allows us to store annotations along with descriptors.
    - Use annotations to record the time we received each descriptor, its source, and its purpose.
    - Disable the SETROUTERPURPOSE controller command: it is now obsolete.
    - Controllers should now specify cache=no or cache=yes when using the +POSTDESCRIPTOR command.
    - Bridge authorities now write bridge descriptors to disk, meaning we can export them to other programs and begin distributing them to blocked users.

  o Major features (directory authorities):
    - When a v3 authority is missing votes or signatures, it now tries to fetch them.
    - Directory authorities track weighted fractional uptime as well as weighted mean-time-between failures.
      WFU is suitable for deciding whether a node is "usually up", while MTBF is suitable for deciding whether a node is "likely to stay up." We need both, because "usually up" is a good requirement for guards, while "likely to stay up" is a good requirement for long-lived connections.
  o Major features (v3 directory system):
    - Caches now download v3 network status documents as needed, and download the descriptors listed in them.
    - All hosts now attempt to download and keep fresh v3 authority certificates, and re-attempt after failures.
    - More internal-consistency checks for vote parsing.
  o Major bugfixes (crashes):
    - If a connection is shut down abruptly because of something that happened inside connection_flushed_some(), do not call connection_finished_flushing(). Should fix bug 451. Bugfix on 0.1.2.7-alpha.
  o Major bugfixes (performance):
    - Fix really bad O(n^2) performance when parsing a long list of routers: Instead of searching the entire list for an "extra-info " string which usually wasn't there, once for every routerinfo we read, just scan lines forward until we find one we like. Bugfix on 0.2.0.1.
    - When we add data to a write buffer in response to the data on that write buffer getting low because of a flush, do not consider the newly added data as a candidate for immediate flushing, but rather make it wait until the next round of writing. Otherwise, we flush and refill recursively, and a single greedy TLS connection can eat all of our bandwidth. Bugfix on 0.1.2.7-alpha.
  o Minor features (v3 authority system):
    - Add more ways for tools to download the votes that lead to the current consensus.
    - Send a 503 when low on bandwidth and a vote, consensus, or certificate is requested.
    - If-modified-since is now implemented properly for all kinds of certificate requests.
  o Minor bugfixes (network statuses):
    - Tweak the implementation of proposal 109 slightly: allow at most two Tor servers on the same IP address, except if it's the location of a directory authority, in which case allow five. Bugfix on 0.2.0.3-alpha.
  o Minor bugfixes (controller):
    - When sending a status event to the controller telling it that an OR address is reachable, set the port correctly. (Previously we were reporting the dir port.) Bugfix on 0.1.2.x.
  o Minor bugfixes (v3 directory system):
    - Fix logic to look up a cert by its signing key digest. Bugfix on 0.2.0.7-alpha.
    - Only change the reply to a vote to "OK" if it's not already set. This gets rid of annoying "400 OK" log messages, which may have been masking some deeper issue. Bugfix on 0.2.0.7-alpha.
    - When we get a valid consensus, recompute the voting schedule.
    - Base the valid-after time of a vote on the consensus voting schedule, not on our preferred schedule.
    - Make the return values and messages from signature uploads and downloads more sensible.
    - Fix a memory leak when serving votes and consensus documents, and another when serving certificates.
  o Minor bugfixes (performance):
    - Use a slightly simpler string hashing algorithm (copying Python's instead of Java's) and optimize our digest hashing algorithm to take advantage of 64-bit platforms and to remove some possibly-costly voodoo.
    - Fix a minor memory leak whenever we parse guards from our state file. Bugfix on 0.2.0.7-alpha.
    - Fix a minor memory leak whenever we write out a file. Bugfix on 0.2.0.7-alpha.
    - Fix a minor memory leak whenever a controller sends the PROTOCOLINFO command. Bugfix on 0.2.0.5-alpha.
  o Minor bugfixes (portability):
    - On some platforms, accept() can return a broken address. Detect this more quietly, and deal accordingly. Fixes bug 483.
    - Stop calling tor_strlower() on uninitialized memory in some cases. Bugfix in 0.2.0.7-alpha.
  o Minor bugfixes (usability):
    - Treat some 403 responses from directory servers as INFO rather than WARN-severity events.
    - It's not actually an error to find a non-pending entry in the DNS cache when canceling a pending resolve. Don't log unless stuff is fishy. Resolves bug 463.
  o Minor bugfixes (anonymity):
    - Never report that we've used more bandwidth than we're willing to relay: it leaks how much non-relay traffic we're using. Resolves bug 516.
    - When looking for a circuit to cannibalize, consider family as well as identity. Fixes bug 438. Bugfix on 0.1.0.x (which introduced circuit cannibalization).
  o Code simplifications and refactoring:
    - Make a bunch of functions static. Remove some dead code.
    - Pull out about a third of the really big routerlist.c; put it in a new module, networkstatus.c.
    - Merge the extra fields in local_routerstatus_t back into routerstatus_t: we used to need one routerstatus_t for each authority's opinion, plus a local_routerstatus_t for the locally computed consensus opinion. To save space, we put the locally modified fields into local_routerstatus_t, and only the common stuff into routerstatus_t. But once v3 directories are in use, clients and caches will no longer need to hold authority opinions; thus, the rationale for keeping the types separate is now gone.
    - Make the code used to reschedule and reattempt downloads more uniform.
    - Turn all 'Are we a directory server/mirror?' logic into a call to dirserver_mode().
    - Remove the code to generate the oldest (v1) directory format. The code has been disabled since 0.2.0.5-alpha.

Changes in version 0.2.0.7-alpha - 2007-09-21
  This seventh development snapshot makes bridges work again, makes bridge authorities work for the first time, fixes two huge performance flaws in hidden services, and fixes a variety of minor issues.

  o New directory authorities:
    - Set up moria1 and tor26 as the first v3 directory authorities. See doc/spec/dir-spec.txt for details on the new directory design.
  o Major bugfixes (crashes):
    - Fix possible segfaults in functions called from rend_process_relay_cell(). Bugfix on 0.1.2.x.
  o Major bugfixes (bridges):
    - Fix a bug that made servers send a "404 Not found" in response to attempts to fetch their server descriptor. This caused Tor servers to take many minutes to establish reachability for their DirPort, and it totally crippled bridges. Bugfix on 0.2.0.5-alpha.
    - Make "UpdateBridgesFromAuthority" torrc option work: when bridge users configure that and specify a bridge with an identity fingerprint, now they will look up the bridge descriptor at the default bridge authority via a one-hop tunnel, but once circuits are established they will switch to a three-hop tunnel for later connections to the bridge authority. Bugfix in 0.2.0.3-alpha.
  o Major bugfixes (hidden services):
    - Hidden services were choosing introduction points uniquely by hexdigest, but when constructing the hidden service descriptor they merely wrote the (potentially ambiguous) nickname.
    - Clients now use the v2 intro format for hidden service connections: they specify their chosen rendezvous point by identity digest rather than by (potentially ambiguous) nickname.
      Both are bugfixes on 0.1.2.x, and they could speed up hidden service connections dramatically. Thanks to Karsten Loesing.
  o Minor features (security):
    - As a client, do not believe any server that tells us that an address maps to an internal address space.
    - Make it possible to enable HashedControlPassword and CookieAuthentication at the same time.
  o Minor features (guard nodes):
    - Tag every guard node in our state file with the version that we believe added it, or with our own version if we add it. This way, if a user temporarily runs an old version of Tor and then switches back to a new one, she doesn't automatically lose her guards.
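The client-side rule in the security item above ("do not believe any server that tells us that an address maps to an internal address space") applied to a resolved IPv4 answer, as an added example that is not Tor's own code. The dotted-quad parser, the set of internal ranges, the verdict type and the sample answers are this example's own, and the answers are constructed:

```c
/* Added example, not Tor's code: refuse a resolve answer that lands in an
 * internal address space, as the 0.2.0.7-alpha security item describes.
 * The parser, the ranges and the verdict type are this example's own. */
#include <stdio.h>
#include <stdint.h>

/* Parse a dotted quad into a host-order 32-bit value. Returns 1 on success,
 * 0 on anything malformed (missing octets, octet > 255, trailing junk). */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned int a, b, c, d;
    char extra;
    if (sscanf(s, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &extra) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) |
           ((uint32_t)c << 8) | (uint32_t)d;
    return 1;
}

/* Address spaces a public hostname should never resolve into. A remote
 * resolver returning one of these is misconfigured or lying, and either
 * way the answer would point the client at its own machine or local net. */
int is_internal_ipv4(uint32_t ip)
{
    return (ip >> 24) == 0        /* 0.0.0.0/8 */
        || (ip >> 24) == 10       /* 10.0.0.0/8 */
        || (ip >> 24) == 127      /* 127.0.0.0/8 loopback */
        || (ip >> 20) == 0xAC1    /* 172.16.0.0/12 */
        || (ip >> 16) == 0xA9FE   /* 169.254.0.0/16 link-local */
        || (ip >> 16) == 0xC0A8;  /* 192.168.0.0/16 */
}

typedef enum {
    RESOLVE_ACCEPT,
    RESOLVE_REJECT_INTERNAL,
    RESOLVE_REJECT_MALFORMED
} resolve_verdict_t;

/* Decide what to do with a server's answer for hostname. On accept the
 * parsed address is stored in *ip_out (if non-NULL); otherwise nothing is
 * stored and the answer is dropped with a log line. */
resolve_verdict_t check_resolved_answer(const char *hostname,
                                        const char *answer, uint32_t *ip_out)
{
    uint32_t ip;
    if (!parse_ipv4(answer, &ip)) {
        fprintf(stderr, "warn: unparseable resolve answer '%s' for %s\n",
                answer, hostname);
        return RESOLVE_REJECT_MALFORMED;
    }
    if (is_internal_ipv4(ip)) {
        fprintf(stderr, "warn: server claims %s maps to internal address %s; "
                "not believing it\n", hostname, answer);
        return RESOLVE_REJECT_INTERNAL;
    }
    if (ip_out)
        *ip_out = ip;
    return RESOLVE_ACCEPT;
}

int main(void)
{
    /* Constructed answers; 203.0.113.0/24 is a documentation range. */
    const char *answers[] = { "203.0.113.10", "10.1.2.3", "127.0.0.1",
                              "172.31.9.9", "172.32.0.1", "300.1.1.1" };
    size_t i;
    for (i = 0; i < sizeof answers / sizeof answers[0]; i++) {
        uint32_t ip = 0;
        resolve_verdict_t v = check_resolved_answer("host.example", answers[i], &ip);
        printf("%-14s -> %s\n", answers[i],
               v == RESOLVE_ACCEPT ? "accepted" :
               v == RESOLVE_REJECT_INTERNAL ? "rejected (internal)" :
                                              "rejected (malformed)");
    }
    return 0;
}
```

The same check belongs on reverse lookups and on any address a remote party supplies for the client to connect to; the ranges listed are the common IPv4 ones and a deployment would extend them (and add IPv6) to taste.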
  o Minor features (speed):
    - When implementing AES counter mode, update only the portions of the counter buffer that need to change, and don't keep separate network-order and host-order counters when they are the same (i.e., on big-endian hosts.)
  o Minor features (controller):
    - Accept LF instead of CRLF on controller, since some software has a hard time generating real Internet newlines.
    - Add GETINFO values for the server status events "REACHABILITY_SUCCEEDED" and "GOOD_SERVER_DESCRIPTOR". Patch from Robert Hogan.
  o Removed features:
    - Routers no longer include bandwidth-history lines in their descriptors; this information is already available in extra-info documents, and including it in router descriptors took up 60% (!) of compressed router descriptor downloads. Completes implementation of proposal 104.
    - Remove the contrib scripts ExerciseServer.py, PathDemo.py, and TorControl.py, as they use the old v0 controller protocol, and are obsoleted by TorFlow anyway.
    - Drop support for v1 rendezvous descriptors, since we never used them anyway, and the code has probably rotted by now. Based on patch from Karsten Loesing.
    - On OSX, stop warning the user that kqueue support in libevent is "experimental", since it seems to have worked fine for ages.
  o Minor bugfixes:
    - When generating information telling us how to extend to a given router, do not try to include the nickname if it is absent. Fixes bug 467. Bugfix on 0.2.0.3-alpha.
    - Fix a user-triggerable (but not remotely-triggerable) segfault in expand_filename(). Bugfix on 0.1.2.x.
    - Fix a memory leak when freeing incomplete requests from DNSPort. Found by Niels Provos with valgrind. Bugfix on 0.2.0.1-alpha.
    - Don't try to access (or alter) the state file when running --list-fingerprint or --verify-config or --hash-password. (Resolves bug 499.) Bugfix on 0.1.2.x.
    - Servers used to decline to publish their DirPort if their BandwidthRate, RelayBandwidthRate, or MaxAdvertisedBandwidth were below a threshold.
      Now they only look at BandwidthRate and RelayBandwidthRate. Bugfix on 0.1.2.x.
    - Remove an optimization in the AES counter-mode code that assumed that the counter never exceeded 2^68. When the counter can be set arbitrarily as an IV (as it is by Karsten's new hidden services code), this assumption no longer holds. Bugfix on 0.1.2.x.
    - Resume listing "AUTHORITY" flag for authorities in network status. Bugfix on 0.2.0.3-alpha; reported by Alex de Joode.
  o Code simplifications and refactoring:
    - Revamp file-writing logic so we don't need to have the entire contents of a file in memory at once before we write to disk. Tor, meet stdio.
    - Turn "descriptor store" into a full-fledged type.
    - Move all NT services code into a separate source file.
    - Unify all code that computes medians, percentile elements, etc.
    - Get rid of a needless malloc when parsing address policies.

Changes in version 0.1.2.17 - 2007-08-30
  Tor 0.1.2.17 features a new Vidalia version in the Windows and OS X bundles. Vidalia 0.0.14 makes authentication required for the ControlPort in the default configuration, which addresses important security risks. Everybody who uses Vidalia (or another controller) should upgrade. In addition, this Tor update fixes major load balancing problems with path selection, which should speed things up a lot once many people have upgraded.

  o Major bugfixes (security):
    - We removed support for the old (v0) control protocol. It has been deprecated since Tor 0.1.1.1-alpha, and keeping it secure has become more of a headache than it's worth.
  o Major bugfixes (load balancing):
    - When choosing nodes for non-guard positions, weight guards proportionally less, since they already have enough load. Patch from Mike Perry.
    - Raise the "max believable bandwidth" from 1.5MB/s to 10MB/s. This will allow fast Tor servers to get more attention.
    - When we're upgrading from an old Tor version, forget our current guards and pick new ones according to the new weightings.
      These three load balancing patches could raise effective network capacity by a factor of four. Thanks to Mike Perry for measurements.
  o Major bugfixes (stream expiration):
    - Expire not-yet-successful application streams in all cases if they've been around longer than SocksTimeout. Right now there are some cases where the stream will live forever, demanding a new circuit every 15 seconds. Fixes bug 454; reported by lodger.
  o Minor features (controller):
    - Add a PROTOCOLINFO controller command. Like AUTHENTICATE, it is valid before any authentication has been received. It tells a controller what kind of authentication is expected, and what protocol is spoken. Implements proposal 119.
  o Minor bugfixes (performance):
    - Save on most routerlist_assert_ok() calls in routerlist.c, thus greatly speeding up loading cached-routers from disk on startup.
    - Disable sentinel-based debugging for buffer code: we squashed all the bugs that this was supposed to detect a long time ago, and now its only effect is to change our buffer sizes from nice powers of two (which platform mallocs tend to like) to values slightly over powers of two (which make some platform mallocs sad).
  o Minor bugfixes (misc):
    - If exit bandwidth ever exceeds one third of total bandwidth, then use the correct formula to weight exit nodes when choosing paths. Based on patch from Mike Perry.
    - Choose perfectly fairly among routers when choosing by bandwidth and weighting by fraction of bandwidth provided by exits. Previously, we would choose with only approximate fairness, and correct ourselves if we ran off the end of the list.
    - If we require CookieAuthentication but we fail to write the cookie file, we would warn but not exit, and end up in a state where no controller could authenticate. Now we exit.
    - If we require CookieAuthentication, stop generating a new cookie every time we change any piece of our config.
    - Refuse to start with certain directory authority keys, and encourage people using them to stop.
    - Terminate multi-line control events properly. Original patch from tup.
    - Fix a minor memory leak when we fail to find enough suitable servers to choose a circuit.
    - Stop leaking part of the descriptor when we run into a particularly unparseable piece of it.

Changes in version 0.2.0.6-alpha - 2007-08-26
  This sixth development snapshot features a new Vidalia version in the Windows and OS X bundles. Vidalia 0.0.14 makes authentication required for the ControlPort in the default configuration, which addresses important security risks. In addition, this snapshot fixes major load balancing problems with path selection, which should speed things up a lot once many people have upgraded. The directory authorities also use a new mean-time-between-failure approach to tracking which servers are stable, rather than just looking at the most recent uptime.

  o New directory authorities:
    - Set up Tonga as the default bridge directory authority.
  o Major features:
    - Directory authorities now track servers by weighted mean-times-between-failures. When we have 4 or more days of data, use measured MTBF rather than declared uptime to decide whether to call a router Stable. Implements proposal 108.
  o Major bugfixes (load balancing):
    - When choosing nodes for non-guard positions, weight guards proportionally less, since they already have enough load. Patch from Mike Perry.
    - Raise the "max believable bandwidth" from 1.5MB/s to 10MB/s. This will allow fast Tor servers to get more attention.
    - When we're upgrading from an old Tor version, forget our current guards and pick new ones according to the new weightings.
      These three load balancing patches could raise effective network capacity by a factor of four. Thanks to Mike Perry for measurements.
  o Major bugfixes (descriptor parsing):
    - Handle unexpected whitespace better in malformed descriptors. Bug found using Benedikt Boss's new Tor fuzzer! Bugfix on 0.2.0.x.
  o Minor features:
    - There is now an ugly, temporary "desc/all-recent-extrainfo-hack" GETINFO for Torstat to use until it can switch to using extrainfos.
    - Optionally (if built with -DEXPORTMALLINFO) export the output of mallinfo via http, as tor/mallinfo.txt. Only accessible from localhost.
  o Minor bugfixes:
    - Do not intermix bridge routers with controller-added routers. (Bugfix on 0.2.0.x)
    - Do not fail with an assert when accept() returns an unexpected address family. Addresses but does not wholly fix bug 483. (Bugfix on 0.2.0.x)
    - Let directory authorities start up even when they can't generate a descriptor immediately, e.g. because they don't know their address.
    - Stop putting the authentication cookie in a file called "0" in your working directory if you don't specify anything for the new CookieAuthFile option. Reported by Matt Edman.
    - Make it possible to read the PROTOCOLINFO response in a way that conforms to our control-spec. Reported by Matt Edman.
    - Fix a minor memory leak when we fail to find enough suitable servers to choose a circuit. Bugfix on 0.1.2.x.
    - Stop leaking part of the descriptor when we run into a particularly unparseable piece of it. Bugfix on 0.1.2.x.
    - Unmap the extrainfo cache file on exit.

Changes in version 0.2.0.5-alpha - 2007-08-19
  This fifth development snapshot fixes compilation on Windows again; fixes an obnoxious client-side bug that slowed things down and put extra load on the network; gets us closer to using the v3 directory voting scheme; makes it easier for Tor controllers to use cookie-based authentication; and fixes a variety of other bugs.

  o Removed features:
    - Version 1 directories are no longer generated in full. Instead, authorities generate and serve "stub" v1 directories that list no servers. This will stop Tor versions 0.1.0.x and earlier from working, but (for security reasons) nobody should be running those versions anyway.
  o Major bugfixes (compilation, 0.2.0.x):
    - Try to fix Win32 compilation again: improve checking for IPv6 types.
    - Try to fix MSVC compilation: build correctly on platforms that do not define s6_addr16 or s6_addr32.
    - Fix compile on platforms without getaddrinfo: bug found by Li-Hui Zhou.
  o Major bugfixes (stream expiration):
    - Expire not-yet-successful application streams in all cases if they've been around longer than SocksTimeout. Right now there are some cases where the stream will live forever, demanding a new circuit every 15 seconds. Bugfix on 0.1.2.7-alpha; fixes bug 454; reported by lodger.
  o Minor features (directory servers):
    - When somebody requests a list of statuses or servers, and we have none of those, return a 404 rather than an empty 200.
  o Minor features (directory voting):
    - Store v3 consensus status documents on disk, and reload them on startup.
  o Minor features (security):
    - Warn about unsafe ControlPort configurations.
    - Refuse to start with certain directory authority keys, and encourage people using them to stop.
  o Minor features (controller):
    - Add a PROTOCOLINFO controller command. Like AUTHENTICATE, it is valid before any authentication has been received. It tells a controller what kind of authentication is expected, and what protocol is spoken. Implements proposal 119.
    - New config option CookieAuthFile to choose a new location for the cookie authentication file, and config option CookieAuthFileGroupReadable to make it group-readable.
  o Minor features (unit testing):
    - Add command-line arguments to unit-test executable so that we can invoke any chosen test from the command line rather than having to run the whole test suite at once; and so that we can turn on logging for the unit tests.
  o Minor bugfixes (on 0.1.2.x):
    - If we require CookieAuthentication but we fail to write the cookie file, we would warn but not exit, and end up in a state where no controller could authenticate. Now we exit.
    - If we require CookieAuthentication, stop generating a new cookie every time we change any piece of our config.
    - When loading bandwidth history, do not believe any information in the future. Fixes bug 434.
    - When loading entry guard information, do not believe any information in the future.
    - When we have our clock set far in the future and generate an onion key, then re-set our clock to be correct, we should not stop the onion key from getting rotated.
    - Clean up torrc sample config file.
    - Do not automatically run configure from autogen.sh. This non-standard behavior tended to annoy people who have built other programs.
  o Minor bugfixes (on 0.2.0.x):
    - Fix a bug with AutomapHostsOnResolve that would always cause the second request to fail. Bug reported by Kate. Bugfix on 0.2.0.3-alpha.
    - Fix a bug in ADDRMAP controller replies that would sometimes try to print a NULL. Patch from tup.
    - Read v3 directory authority keys from the right location.
    - Numerous bugfixes to directory voting code.

Changes in version 0.1.2.16 - 2007-08-01
  Tor 0.1.2.16 fixes a critical security vulnerability that allows a remote attacker in certain situations to rewrite the user's torrc configuration file. This can completely compromise anonymity of users in most configurations, including those running the Vidalia bundles, TorK, etc. Or worse.

  o Major security fixes:
    - Close immediately after missing authentication on control port; do not allow multiple authentication attempts.

Changes in version 0.2.0.4-alpha - 2007-08-01
  This fourth development snapshot fixes a critical security vulnerability for most users, specifically those running Vidalia, TorK, etc. Everybody should upgrade to either 0.1.2.16 or 0.2.0.4-alpha.

  o Major security fixes:
    - Close immediately after missing authentication on control port; do not allow multiple authentication attempts.
  o Major bugfixes (compilation):
    - Fix win32 compilation: apparently IN_ADDR and IN6_ADDR are already defined there.
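The control-port behaviour the 0.1.2.16 and 0.2.0.4-alpha security fixes describe, together with the PROTOCOLINFO and CookieAuthentication items in the 0.2.0.5-alpha entry above, as an added example that is not Tor's control.c. Before authentication only PROTOCOLINFO and AUTHENTICATE are accepted; a failed AUTHENTICATE, or any other command, closes the connection so there is never a second attempt. Command names and reply codes follow the control protocol's style, but the state machine, the `replay()` helper and the 32-byte cookie value are this example's own (a real server reads the cookie from CookieAuthFile):

```c
/* Added example, not Tor's control.c: pre-authentication handling for a
 * control connection. One failed AUTHENTICATE, or any other command before
 * authentication, closes the connection; no retries are allowed. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define COOKIE_LEN 32
/* Constructed cookie value, hex-encoded as a controller would send it. */
#define DEMO_COOKIE_HEX "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

typedef enum { CONN_WAITING_AUTH, CONN_OPEN, CONN_CLOSED } conn_state_t;

typedef struct {
    conn_state_t state;
    uint8_t cookie[COOKIE_LEN];
    char reply[96];   /* last reply line, kept for the reader */
} control_conn_t;

static int hex_nibble(char ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    if (ch >= 'A' && ch <= 'F') return ch - 'A' + 10;
    return -1;
}

/* Decode exactly 2n hex digits; 0 on short input, bad digit or trailing junk. */
static int hex_decode(const char *hex, uint8_t *out, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        int hi = hex_nibble(hex[2 * i]), lo;
        if (hi < 0) return 0;
        lo = hex_nibble(hex[2 * i + 1]);
        if (lo < 0) return 0;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return hex[2 * n] == '\0';
}

/* Compare every byte so timing does not reveal where a wrong cookie differs. */
static int const_time_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    size_t i;
    for (i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

static void set_reply(control_conn_t *c, const char *r)
{
    snprintf(c->reply, sizeof c->reply, "%s", r);
}

void control_conn_init(control_conn_t *c)
{
    c->state = CONN_WAITING_AUTH;
    hex_decode(DEMO_COOKIE_HEX, c->cookie, COOKIE_LEN);
    c->reply[0] = '\0';
}

/* Handle one command line (line terminator already removed). */
conn_state_t control_conn_handle(control_conn_t *c, const char *line)
{
    if (c->state == CONN_CLOSED)
        return CONN_CLOSED;
    if (c->state == CONN_WAITING_AUTH) {
        if (strncmp(line, "PROTOCOLINFO", 12) == 0) {
            /* Allowed before authentication: tells the controller what to expect. */
            set_reply(c, "250-PROTOCOLINFO 1 / 250-AUTH METHODS=COOKIE / 250 OK");
        } else if (strncmp(line, "AUTHENTICATE", 12) == 0) {
            uint8_t given[COOKIE_LEN];
            const char *arg = line + 12;
            while (*arg == ' ') arg++;
            if (hex_decode(arg, given, COOKIE_LEN) &&
                const_time_equal(given, c->cookie, COOKIE_LEN)) {
                set_reply(c, "250 OK");
                c->state = CONN_OPEN;
            } else {
                /* The fix: one failed attempt ends the connection. */
                set_reply(c, "515 Authentication failed: closing connection");
                c->state = CONN_CLOSED;
            }
        } else {
            /* Anything else before authentication also ends the connection. */
            set_reply(c, "514 Authentication required; closing connection");
            c->state = CONN_CLOSED;
        }
        return c->state;
    }
    if (strcmp(line, "QUIT") == 0) {
        set_reply(c, "250 closing connection");
        c->state = CONN_CLOSED;
    } else {
        set_reply(c, "250 OK");   /* authenticated commands would be dispatched here */
    }
    return c->state;
}

/* Feed a newline-separated script to a fresh connection; return its final state. */
conn_state_t replay(const char *script)
{
    control_conn_t c;
    char buf[512], *line;
    control_conn_init(&c);
    snprintf(buf, sizeof buf, "%s", script);
    for (line = strtok(buf, "\r\n"); line; line = strtok(NULL, "\r\n"))
        if (control_conn_handle(&c, line) == CONN_CLOSED) break;
    return c.state;
}

int main(void)
{
    printf("correct cookie first:       %s\n",
           replay("AUTHENTICATE " DEMO_COOKIE_HEX) == CONN_OPEN ? "open" : "closed");
    printf("wrong cookie, then correct: %s\n",
           replay("AUTHENTICATE 00\nAUTHENTICATE " DEMO_COOKIE_HEX) == CONN_OPEN ? "open" : "closed");
    printf("other command before auth:  %s\n",
           replay("GETINFO version\nAUTHENTICATE " DEMO_COOKIE_HEX) == CONN_OPEN ? "open" : "closed");
    return 0;
}
```

The third scenario is the one the fix is about: a connection that sends anything other than PROTOCOLINFO or AUTHENTICATE first is closed, and a correct cookie arriving afterwards on the same connection is never examined.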
  o Minor features (performance):
    - Be even more aggressive about releasing RAM from small empty buffers. Thanks to our free-list code, this shouldn't be too performance-intensive.
    - Disable sentinel-based debugging for buffer code: we squashed all the bugs that this was supposed to detect a long time ago, and now its only effect is to change our buffer sizes from nice powers of two (which platform mallocs tend to like) to values slightly over powers of two (which make some platform mallocs sad).
    - Log malloc statistics from mallinfo() on platforms where it exists.

Changes in version 0.2.0.3-alpha - 2007-07-29
  This third development snapshot introduces new experimental blocking-resistance features and a preliminary version of the v3 directory voting design, and includes many other smaller features and bugfixes.

  o Major features:
    - The first pieces of our "bridge" design for blocking-resistance are implemented. People can run bridge directory authorities; people can run bridges; and people can configure their Tor clients with a set of bridges to use as the first hop into the Tor network. See http://archives.seul.org/or/talk/Jul-2007/msg00249.html for details.
    - Create listener connections before we setuid to the configured User and Group. Now non-Windows users can choose port values under 1024, start Tor as root, and have Tor bind those ports before it changes to another UID. (Windows users could already pick these ports.)
    - Added a new ConstrainedSockets config option to set SO_SNDBUF and SO_RCVBUF on TCP sockets. Hopefully useful for Tor servers running on "vserver" accounts. (Patch from coderman.)
    - Be even more aggressive about separating local traffic from relayed traffic when RelayBandwidthRate is set. (Refines proposal 111.)
  o Major features (experimental):
    - First cut of code for "v3 dir voting": directory authorities will vote on a common network status document rather than each publishing their own opinion.
      This code needs more testing and more corner-case handling before it's ready for use.
  o Security fixes:
    - Directory authorities now call routers Fast if their bandwidth is at least 100KB/s, and consider their bandwidth adequate to be a Guard if it is at least 250KB/s, no matter the medians. This fix complements proposal 107. [Bugfix on 0.1.2.x]
    - Directory authorities now never mark more than 3 servers per IP as Valid and Running. (Implements proposal 109, by Kevin Bauer and Damon McCoy.)
    - Minor change to organizationName and commonName generation procedures in TLS certificates during Tor handshakes, to invalidate some earlier censorware approaches. This is not a long-term solution, but applying it will give us a bit of time to look into the epidemiology of countermeasures as they spread.
  o Major bugfixes (directory):
    - Rewrite directory tokenization code to never run off the end of a string. Fixes bug 455. Patch from croup. [Bugfix on 0.1.2.x]
  o Minor features (controller):
    - Add a SOURCE_ADDR field to STREAM NEW events so that controllers can match requests to applications. (Patch from Robert Hogan.)
    - Report address and port correctly on connections to DNSPort. (Patch from Robert Hogan.)
    - Add a RESOLVE command to launch hostname lookups. (Original patch from Robert Hogan.)
    - Add GETINFO status/enough-dir-info to let controllers tell whether Tor has downloaded sufficient directory information. (Patch from Tup.)
    - You can now use the ControlSocket option to tell Tor to listen for controller connections on Unix domain sockets on systems that support them. (Patch from Peter Palfrader.)
    - STREAM NEW events are generated for DNSPort requests and for tunneled directory connections. (Patch from Robert Hogan.)
    - New "GETINFO address-mappings/*" command to get address mappings with expiry information. "addr-mappings/*" is now deprecated. (Patch from Tup.)
  o Minor features (misc):
    - Merge in some (as-yet-unused) IPv6 address manipulation code. (Patch from croup.)
    - The tor-gencert tool for v3 directory authorities now creates all files as readable to the file creator only, and write-protects the authority identity key.
    - When dumping memory usage, list bytes used in buffer memory free-lists.
    - When running with dmalloc, dump more stats on hup and on exit.
    - Directory authorities now fail quickly and (relatively) harmlessly if they generate a network status document that is somehow malformed.
  o Traffic load balancing improvements:
    - If exit bandwidth ever exceeds one third of total bandwidth, then use the correct formula to weight exit nodes when choosing paths. (Based on patch from Mike Perry.)
    - Choose perfectly fairly among routers when choosing by bandwidth and weighting by fraction of bandwidth provided by exits. Previously, we would choose with only approximate fairness, and correct ourselves if we ran off the end of the list. [Bugfix on 0.1.2.x]
  o Performance improvements:
    - Be more aggressive with freeing buffer RAM or putting it on the memory free lists.
    - Use Critical Sections rather than Mutexes for synchronizing threads on win32; Mutexes are heavier-weight, and designed for synchronizing between processes.
  o Deprecated and removed features:
    - RedirectExits is now deprecated.
    - Stop allowing address masks that do not correspond to bit prefixes. We have warned about these for a really long time; now it's time to reject them. (Patch from croup.)
  o Minor bugfixes (directory):
    - Fix another crash bug related to extra-info caching. (Bug found by Peter Palfrader.) [Bugfix on 0.2.0.2-alpha]
    - Directories no longer return a "304 not modified" when they don't have the networkstatus the client asked for. Also fix a memory leak when returning 304 not modified. [Bugfixes on 0.2.0.2-alpha]
    - We had accidentally labelled 0.1.2.x directory servers as not suitable for begin_dir requests, and had labelled no directory servers as suitable for uploading extra-info documents.
      [Bugfix on 0.2.0.1-alpha]
  o Minor bugfixes (dns):
    - Fix a crash when DNSPort is set more than once. (Patch from Robert Hogan.) [Bugfix on 0.2.0.2-alpha]
    - Add DNSPort connections to the global connection list, so that we can time them out correctly. (Bug found by Robert Hogan.) [Bugfix on 0.2.0.2-alpha]
    - Fix a dangling reference that could lead to a crash when DNSPort is changed or closed. (Patch from Robert Hogan.) [Bugfix on 0.2.0.2-alpha]
  o Minor bugfixes (controller):
    - Provide DNS expiry times in GMT, not in local time. For backward compatibility, ADDRMAP events only provide GMT expiry in an extended field. "GETINFO address-mappings" always does the right thing.
    - Use CRLF line endings properly in NS events.
    - Terminate multi-line control events properly. (Original patch from tup.) [Bugfix on 0.1.2.x-alpha]
    - Do not include spaces in SOURCE_ADDR fields in STREAM events. Resolves bug 472. [Bugfix on 0.2.0.x-alpha]

Changes in version 0.1.2.15 - 2007-07-17
  Tor 0.1.2.15 fixes several crash bugs, fixes some anonymity-related problems, fixes compilation on BSD, and fixes a variety of other bugs. Everybody should upgrade.

  o Major bugfixes (compilation):
    - Fix compile on FreeBSD/NetBSD/OpenBSD. Oops.
  o Major bugfixes (crashes):
    - Try even harder not to dereference the first character after an mmap(). Reported by lodger.
    - Fix a crash bug in directory authorities when we re-number the routerlist while inserting a new router.
    - When the cached-routers file is an even multiple of the page size, don't run off the end and crash. (Fixes bug 455; based on idea from croup.)
    - Fix eventdns.c behavior on Solaris: It is critical to include orconfig.h _before_ sys/types.h, so that we can get the expected definition of _FILE_OFFSET_BITS.
  o Major bugfixes (security):
    - Fix a possible buffer overrun when using BSD natd support. Bug found by croup.
    - When sending destroy cells from a circuit's origin, don't include the reason for tearing down the circuit.
      The spec says we didn't, and now we actually don't. Reported by lodger.
    - Keep streamids from different exits on a circuit separate. This bug may have allowed other routers on a given circuit to inject cells into streams. Reported by lodger; fixes bug 446.
    - If there's a never-before-connected-to guard node in our list, never choose any guards past it. This way we don't expand our guard list unless we need to.
  o Minor bugfixes (guard nodes):
    - Weight guard selection by bandwidth, so that low-bandwidth nodes don't get overused as guards.
  o Minor bugfixes (directory):
    - Correctly count the number of authorities that recommend each version. Previously, we were under-counting by 1.
    - Fix a potential crash bug when we load many server descriptors at once and some of them make others of them obsolete. Fixes bug 458.
  o Minor bugfixes (hidden services):
    - Stop tearing down the whole circuit when the user asks for a connection to a port that the hidden service didn't configure. Resolves bug 444.
  o Minor bugfixes (misc):
    - On Windows, we were preventing other processes from reading cached-routers while Tor was running. Reported by janbar.
    - Fix a possible (but very unlikely) bug in picking routers by bandwidth. Add a log message to confirm that it is in fact unlikely. Patch from lodger.
    - Backport a couple of memory leak fixes.
    - Backport miscellaneous cosmetic bugfixes.

Changes in version 0.2.0.2-alpha - 2007-06-02
  o Major bugfixes on 0.2.0.1-alpha:
    - Fix an assertion failure related to servers without extra-info digests. Resolves bugs 441 and 442.
  o Minor features (directory):
    - Support "If-Modified-Since" when answering HTTP requests for directories, running-routers documents, and network-status documents. (There's no need to support it for router descriptors, since those are downloaded by descriptor digest.)
  o Minor build issues:
    - Clear up some MIPSPro compiler warnings.
    - When building from a tarball on a machine that happens to have SVK installed, report the micro-revision as whatever version existed in the tarball, not as "x".

Changes in version 0.2.0.1-alpha - 2007-06-01
  This early development snapshot provides new features for people running Tor as both a client and a server (check out the new RelayBandwidth config options); lets Tor run as a DNS proxy; and generally moves us forward on a lot of fronts.

  o Major features, server usability:
    - New config options RelayBandwidthRate and RelayBandwidthBurst: a separate set of token buckets for relayed traffic. Right now relayed traffic is defined as answers to directory requests, and OR connections that don't have any local circuits on them.
  o Major features, client usability:
    - A client-side DNS proxy feature to replace the need for dns-proxy-tor: Just set "DNSPort 9999", and Tor will now listen for DNS requests on port 9999, use the Tor network to resolve them anonymously, and send the reply back like a regular DNS server. The code still only implements a subset of DNS.
    - Make PreferTunneledDirConns and TunnelDirConns work even when we have no cached directory info. This means Tor clients can now do all of their connections protected by TLS.
  o Major features, performance and efficiency:
    - Directory authorities accept and serve "extra info" documents for routers. These documents contain fields from router descriptors that aren't usually needed, and that use a lot of excess bandwidth. Once these fields are removed from router descriptors, the bandwidth savings should be about 60%. [Partially implements proposal 104.]
    - Servers upload extra-info documents to any authority that accepts them. Authorities (and caches that have been configured to download extra-info documents) download them as needed. [Partially implements proposal 104.]
    - Change the way that Tor buffers data that it is waiting to write.
      Instead of queueing data cells in an enormous ring buffer for each client->OR or OR->OR connection, we now queue cells on a separate queue for each circuit. This lets us use less slack memory, and will eventually let us be smarter about prioritizing different kinds of traffic.
    - Use memory pools to allocate cells with better speed and memory efficiency, especially on platforms where malloc() is inefficient.
    - Stop reading on edge connections when their corresponding circuit buffers are full; start again as the circuits empty out.
  o Major features, other:
    - Add an HSAuthorityRecordStats option that hidden service authorities can use to track statistics of overall hidden service usage without logging information that would be very useful to an attacker.
    - Start work implementing multi-level keys for directory authorities: Add a standalone tool to generate key certificates. (Proposal 103.)
  o Security fixes:
    - Directory authorities now call routers Stable if they have an uptime of at least 30 days, even if that's not the median uptime in the network. Implements proposal 107, suggested by Kevin Bauer and Damon McCoy.
  o Minor fixes (resource management):
    - Count the number of open sockets separately from the number of active connection_t objects. This will let us avoid underusing our allocated connection limit.
    - We no longer use socket pairs to link an edge connection to an anonymous directory connection or a DirPort test connection. Instead, we track the link internally and transfer the data in-process. This saves two sockets per "linked" connection (at the client and at the server), and avoids the nasty Windows socketpair() workaround.
    - Keep unused 4k and 16k buffers on free lists, rather than wasting 8k for every single inactive connection_t. Free items from the 4k/16k-buffer free lists when they haven't been used for a while.
  o Minor features (build):
    - Make autoconf search for libevent, openssl, and zlib consistently.
    - Update deprecated macros in configure.in.
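The RelayBandwidthRate/RelayBandwidthBurst entry in 0.2.0.1-alpha above introduces a second pair of token buckets, and the 0.1.2.7-alpha rate-limiting entries later on this page add two rules for the buckets that already existed: local (controller) connections are served even when the global buckets are empty, and a backwards clock jump must not drive a bucket absurdly negative. The following model shows all three together. It is an added example, not Tor's code; the refill-once-per-second tick, the traffic classification (a directory answer, or an OR connection with no local circuits, counts as relayed), the bypass for local connections and the -burst floor are assumptions of this example.

```python
"""Model of separate client and relay token buckets with the local-connection
and clock-jump rules described in this changelog.

Added illustration; not Tor's code. Bucket sizes, connection names and the
-burst floor are assumptions chosen for the example.
"""
from dataclasses import dataclass


class TokenBucket:
    def __init__(self, rate: int, burst: int):
        self.rate = rate        # bytes added per second
        self.burst = burst      # maximum (and starting) level
        self.tokens = burst

    def refill(self, elapsed: int) -> int:
        """Add rate*elapsed tokens, capped at burst. A non-positive elapsed
        (clock went backwards) adds nothing rather than draining the bucket."""
        if elapsed > 0:
            self.tokens = min(self.burst, self.tokens + self.rate * elapsed)
        return self.tokens

    def allowance(self, want: int) -> int:
        """How many of `want` bytes may be written right now."""
        return max(0, min(want, self.tokens))

    def charge(self, written: int) -> int:
        """Account for bytes actually written. The floor keeps a burst of
        unthrottled writes from driving the bucket 'absurdly negative'."""
        self.tokens = max(-self.burst, self.tokens - written)
        return self.tokens


@dataclass
class Conn:
    name: str
    is_local: bool = False           # e.g. a controller connection
    is_dir_answer: bool = False
    has_local_circuits: bool = True  # False for a pure relay OR connection


class RateLimiter:
    def __init__(self, rate, burst, relay_rate, relay_burst, now):
        self.client = TokenBucket(rate, burst)
        self.relay = TokenBucket(relay_rate, relay_burst)
        self.last_tick = now

    def tick(self, now: int) -> tuple:
        """Once-per-second refill; a clock jump backwards counts as no time."""
        elapsed = now - self.last_tick
        if elapsed < 0:
            elapsed = 0
        self.last_tick = now     # continue from the new clock value
        return self.client.refill(elapsed), self.relay.refill(elapsed)

    def bucket_for(self, conn: Conn):
        if conn.is_local:
            return None          # local connections are never throttled
        if conn.is_dir_answer or not conn.has_local_circuits:
            return self.relay    # relayed traffic, per the 0.2.0.1-alpha definition
        return self.client

    def allowance(self, conn: Conn, want: int) -> int:
        bucket = self.bucket_for(conn)
        return want if bucket is None else bucket.allowance(want)

    def charge(self, conn: Conn, written: int) -> None:
        bucket = self.bucket_for(conn)
        if bucket is not None:
            bucket.charge(written)


def demo() -> dict:
    lim = RateLimiter(rate=1000, burst=2000, relay_rate=500, relay_burst=500, now=100)
    client = Conn("socks client")
    relayed = Conn("relay OR conn", has_local_circuits=False)
    control = Conn("controller", is_local=True)
    out = {}
    out["client_first"] = lim.allowance(client, 3000)            # 2000: capped at burst
    lim.charge(client, out["client_first"])
    out["client_empty"] = lim.allowance(client, 1)               # 0: bucket drained
    out["relay_first"] = lim.allowance(relayed, 800)             # 500: separate, smaller bucket
    lim.charge(relayed, out["relay_first"])
    out["control_empty_buckets"] = lim.allowance(control, 10**6)  # full amount, buckets empty
    out["after_1s"] = lim.tick(101)                              # (1000, 500)
    out["after_clock_jump_back"] = lim.tick(50)                  # unchanged: (1000, 500)
    out["after_next_second"] = lim.tick(51)                      # (2000, 500): capped refill
    return out


if __name__ == "__main__":
    print(demo())
```

Separating the relay bucket is what lets an operator cap relayed traffic without starving their own client streams; the local-connection bypass matters because a controller that is rate-limited alongside Tor's own traffic can end up with megabytes of queued events, as the 0.1.2.7-alpha entry describes.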
    - When warning about missing headers, tell the user to let us know if the compile succeeds anyway, so we can downgrade the warning.
    - Include the current subversion revision as part of the version string: either fetch it directly if we're in an SVN checkout, do some magic to guess it if we're in an SVK checkout, or use the last-detected version if we're building from a .tar.gz. Use this version consistently in log messages.
  o Minor features (logging):
    - Always prepend "Bug: " to any log message about a bug.
    - Put a platform string (e.g. "Linux i686") in the startup log message, so when people paste just their logs, we know if it's OpenBSD or Windows or what.
    - When logging memory usage, break down memory used in buffers by buffer type.
  o Minor features (directory system):
    - New config option V2AuthoritativeDirectory that all directory authorities should set. This will let future authorities choose not to serve V2 directory information.
    - Directory authorities allow multiple router descriptors and/or extra info documents to be uploaded in a single go. This will make implementing proposal 104 simpler.
  o Minor features (controller):
    - Add a new config option __DisablePredictedCircuits designed for use by the controller, when we don't want Tor to build any circuits preemptively.
    - Let the controller specify HOP=%d as an argument to ATTACHSTREAM, so we can exit from the middle of the circuit.
    - Implement "getinfo status/circuit-established".
    - Implement "getinfo status/version/..." so a controller can tell whether the current version is recommended, and whether any versions are good, and how many authorities agree. (Patch from shibz.)
  o Minor features (hidden services):
    - Allow multiple HiddenServicePort directives with the same virtual port; when they occur, the user is sent round-robin to one of the target ports chosen at random. Partially fixes bug 393 by adding limited ad-hoc round-robining.
  o Minor features (other):
    - More unit tests.
    - Add a new AutomapHostsOnResolve option: when it is enabled, any resolve request for hosts matching a given pattern causes Tor to generate an internal virtual address mapping for that host. This allows DNSPort to work sensibly with hidden service users. By default, .exit and .onion addresses are remapped; the list of patterns can be reconfigured with AutomapHostsSuffixes.
    - Add an "-F" option to tor-resolve to force a resolve for a .onion address. Thanks to the AutomapHostsOnResolve option, this is no longer a completely silly thing to do.
    - If Tor is invoked from something that isn't a shell (e.g. Vidalia), now we expand "-f ~/.tor/torrc" correctly. Suggested by Matt Edman.
    - Treat "2gb" when given in torrc for a bandwidth as meaning 2gb, minus 1 byte: the actual maximum declared bandwidth.
  o Removed features:
    - Removed support for the old binary "version 0" controller protocol. This has been deprecated since 0.1.1, and warnings have been issued since 0.1.2. When we encounter a v0 control message, we now send back an error and close the connection.
    - Remove the old "dns worker" server DNS code: it hasn't been default since 0.1.2.2-alpha, and all the servers seem to be using the new eventdns code.
  o Minor bugfixes (portability):
    - Even though Windows is equally happy with / and \ as path separators, try to use \ consistently on Windows and / consistently on Unix: it makes the log messages nicer.
    - Correctly report platform name on Windows 95 OSR2 and Windows 98 SE.
    - Read resolv.conf files correctly on platforms where read() returns partial results on small file reads.
  o Minor bugfixes (directory):
    - Correctly enforce that elements of directory objects do not appear more often than they are allowed to appear.
    - When we are reporting the DirServer line we just parsed, we were logging the second stanza of the key fingerprint, not the first.
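The AutomapHostsOnResolve entry above describes the mechanism that makes DNSPort usable with hidden services: a .onion or .exit name has no real A record, so instead of sending it to a resolver Tor hands back a private virtual address and remembers the mapping, so that the later SOCKS or transparent connection to that address can be turned back into the original name. The following is an added model of that mapping; it is not Tor's code. The virtual pool 127.192.0.0/10, the suffix list, the hostnames and the behaviour on pool exhaustion are assumptions made for the example.

```python
"""Model of AutomapHostsOnResolve: names whose suffix matches get a virtual
address from a private pool instead of a real lookup, and the address can be
mapped back to the name when the application connects to it.

Added illustration; not Tor's code. The pool, suffixes and hostnames are
constructed for this example.
"""
import ipaddress


class Automap:
    def __init__(self, suffixes=(".exit", ".onion"), pool="127.192.0.0/10"):
        self.suffixes = tuple(s.lower() for s in suffixes)
        self._free = ipaddress.ip_network(pool).hosts()  # iterator over unused addrs
        self.by_name = {}
        self.by_addr = {}

    @staticmethod
    def _normalize(name: str) -> str:
        return name.rstrip(".").lower()   # DNS names are case-insensitive

    def matches(self, name: str) -> bool:
        return self._normalize(name).endswith(self.suffixes)

    def resolve(self, name: str):
        """Return the virtual address for an automapped name, or None when the
        request should go to the ordinary (Tor-network) resolver instead."""
        name = self._normalize(name)
        if not self.matches(name):
            return None
        addr = self.by_name.get(name)
        if addr is None:
            try:
                addr = str(next(self._free))
            except StopIteration:
                # Never hand out an address that already belongs to another name.
                raise RuntimeError("virtual address pool exhausted")
            self.by_name[name] = addr
            self.by_addr[addr] = name
        return addr

    def name_for(self, addr: str):
        """Reverse the mapping when a connection arrives for a virtual address."""
        return self.by_addr.get(addr)


def demo() -> dict:
    am = Automap()
    return {
        "onion": am.resolve("example.onion"),          # first mapping: 127.192.0.1
        "onion_again": am.resolve("EXAMPLE.onion."),   # same name, same address
        "exit": am.resolve("example.com.exit"),        # second mapping: 127.192.0.2
        "plain": am.resolve("www.example.com"),        # not automapped: None
        "reverse": am.name_for("127.192.0.1"),         # back to example.onion
        "unknown_reverse": am.name_for("127.192.0.9"),  # never handed out: None
    }


def demo_exhaustion() -> int:
    """A /30 pool has two host addresses; the third mapping fails loudly
    rather than silently reusing an address that belongs to another name."""
    am = Automap(pool="127.192.0.0/30")
    mapped = 0
    for name in ("a.onion", "b.onion", "c.onion"):
        try:
            am.resolve(name)
            mapped += 1
        except RuntimeError:
            break
    return mapped


if __name__ == "__main__":
    print(demo(), demo_exhaustion())
```

The reverse table is the part that matters for anonymity: the application only ever sees the virtual address, and the .onion name stays inside Tor, which is why the entry says this makes DNSPort "work sensibly with hidden service users".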
  o Minor bugfixes (logging):
    - When we hit an EOF on a log (probably because we're shutting down), don't try to remove the log from the list: just mark it as unusable. (Bulletproofs against bug 222.)
  o Minor bugfixes (other):
    - In the exitlist script, only consider the most recently published server descriptor for each server. Also, when the user requests a list of servers that _reject_ connections to a given address, explicitly exclude the IPs that also have servers that accept connections to that address. (Resolves bug 405.)
    - Stop allowing hibernating servers to be "stable" or "fast".
    - On Windows, we were preventing other processes from reading cached-routers while Tor was running. (Reported by janbar)
    - Make the NodeFamilies config option work. (Reported by lodger -- it has never actually worked, even though we added it in Oct 2004.)
    - Check return values from pthread_mutex functions.
    - Don't save non-general-purpose router descriptors to the disk cache, because we have no way of remembering what their purpose was when we restart.
    - Add even more asserts to hunt down bug 417.
    - Build without verbose warnings even on (not-yet-released) gcc 4.2.
    - Fix a possible (but very unlikely) bug in picking routers by bandwidth. Add a log message to confirm that it is in fact unlikely.
  o Minor bugfixes (controller):
    - Make 'getinfo fingerprint' return a 551 error if we're not a server, so we match what the control spec claims we do. Reported by daejees.
    - Fix a typo in an error message when extendcircuit fails that caused us to not follow the \r\n-based delimiter protocol. Reported by daejees.
  o Code simplifications and refactoring:
    - Stop passing around circuit_t and crypt_path_t pointers that are implicit in other procedure arguments.
    - Drop the old code to choke directory connections when the corresponding OR connections got full: thanks to the cell queue feature, OR conns don't get full any more.
    - Make dns_resolve() handle attaching connections to circuits properly, so the caller doesn't have to.
    - Rename wants_to_read and wants_to_write to read/write_blocked_on_bw.
    - Keep the connection array as a dynamic smartlist_t, rather than as a fixed-sized array. This is important, as the number of connections is becoming increasingly decoupled from the number of sockets.

Changes in version 0.1.2.14 - 2007-05-25
  Tor 0.1.2.14 changes the addresses of two directory authorities (this change especially affects those who serve or use hidden services), and fixes several other crash- and security-related bugs.

  o Directory authority changes:
    - Two directory authorities (moria1 and moria2) just moved to new IP addresses. This change will particularly affect those who serve or use hidden services.
  o Major bugfixes (crashes):
    - If a directory server runs out of space in the connection table as it's processing a begin_dir request, it will free the exit stream but leave it attached to the circuit, leading to unpredictable behavior. (Reported by seeess, fixes bug 425.)
    - Fix a bug in dirserv_remove_invalid() that would cause authorities to corrupt memory under some really unlikely scenarios.
    - Tighten router parsing rules. (Bugs reported by Benedikt Boss.)
    - Avoid segfaults when reading from mmaped descriptor file. (Reported by lodger.)
  o Major bugfixes (security):
    - When choosing an entry guard for a circuit, avoid using guards that are in the same family as the chosen exit -- not just guards that are exactly the chosen exit. (Reported by lodger.)
  o Major bugfixes (resource management):
    - If a directory authority is down, skip it when deciding where to get networkstatus objects or descriptors. Otherwise we keep asking every 10 seconds forever. Fixes bug 384.
    - Count it as a failure if we fetch a valid network-status but we don't want to keep it. Otherwise we'll keep fetching it and keep not wanting to keep it. Fixes part of bug 422.
    - If all of our dirservers have given us bad or no networkstatuses lately, then stop hammering them once per minute even when we think they're failed. Fixes another part of bug 422.
  o Minor bugfixes:
    - Actually set the purpose correctly for descriptors inserted with purpose=controller.
    - When we have k non-v2 authorities in our DirServer config, we ignored the last k authorities in the list when updating our network-statuses.
    - Correctly back-off from requesting router descriptors that we are having a hard time downloading.
    - Read resolv.conf files correctly on platforms where read() returns partial results on small file reads.
    - Don't rebuild the entire router store every time we get 32K of routers: rebuild it when the journal gets very large, or when the gaps in the store get very large.
  o Minor features:
    - When routers publish SVN revisions in their router descriptors, authorities now include those versions correctly in networkstatus documents.
    - Warn when using a version of libevent before 1.3b to run a server on OSX or BSD: these versions interact badly with userspace threads.

Changes in version 0.1.2.13 - 2007-04-24
  This release features some major anonymity fixes, such as safer path selection; better client performance; faster bootstrapping, better address detection, and better DNS support for servers; write limiting as well as read limiting to make servers easier to run; and a huge pile of other features and bug fixes. The bundles also ship with Vidalia 0.0.11.

  Tor 0.1.2.13 is released in memory of Rob Levin (1955-2006), aka lilo of the Freenode IRC network, remembering his patience and vision for free speech on the Internet.

  o Minor fixes:
    - Fix a memory leak when we ask for "all" networkstatuses and we get one we don't recognize.
    - Add more asserts to hunt down bug 417.
    - Disable kqueue on OS X 10.3 and earlier, to fix bug 371.
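Three entries on this page touch the same piece of path selection: guards are weighted by bandwidth (0.1.2.x guard-node fixes), the weighted pick had a "very unlikely" failure mode that now logs if it is ever hit, and 0.1.2.14 stops choosing a guard from the same family as the chosen exit rather than merely excluding the exit itself. The 0.1.2.9-rc entry below adds that declared bandwidth is clamped to INT32_MAX whatever sizeof(int) is. The following added example puts those pieces together in one selection routine. It is an illustration, not Tor's code: the router names, bandwidths and family declarations are constructed, the family test is simplified to "either router lists the other", and the random draw is injected so the choice is deterministic and testable.

```python
"""Model of choosing an entry guard weighted by bandwidth while excluding the
chosen exit and every router in its family.

Added illustration; not Tor's code. Routers are plain dicts with "name",
"bw" and an optional "family" list; all values are constructed.
"""
from __future__ import annotations

INT32_MAX = 2**31 - 1


def clamp_bandwidth(declared: int) -> int:
    """Declared bandwidth is clamped to INT32_MAX regardless of sizeof(int)."""
    return max(0, min(int(declared), INT32_MAX))


def same_family(a: dict, b: dict) -> bool:
    """Simplified family test: the same router, or either one lists the other.
    (Conservative: real family matching can require mutual declarations.)"""
    if a["name"] == b["name"]:
        return True
    return b["name"] in a.get("family", ()) or a["name"] in b.get("family", ())


def choose_by_bandwidth(routers: list, rand_below) -> dict | None:
    """Pick one router with probability proportional to its clamped bandwidth.

    The running total is an exact integer (uint64_t territory in C, so many
    INT32_MAX entries cannot overflow) and the draw is an integer in
    [0, total), so the scan always stops on some router. The trailing return
    is unreachable with this arithmetic; the changelog entry describes adding
    a log message at the equivalent point to confirm it never fires.
    """
    if not routers:
        return None
    weights = [clamp_bandwidth(r["bw"]) for r in routers]
    total = sum(weights)
    if total == 0:
        return routers[rand_below(len(routers))]   # no bandwidth info: uniform
    draw = rand_below(total)
    acc = 0
    for router, weight in zip(routers, weights):
        acc += weight
        if draw < acc:
            return router
    return routers[-1]   # should be unreachable; worth logging if it ever happens


def choose_guard(candidates: list, exit_router: dict, rand_below) -> dict | None:
    """Exclude the exit and its family before weighting the remainder."""
    eligible = [r for r in candidates if not same_family(r, exit_router)]
    return choose_by_bandwidth(eligible, rand_below)


def fixed_draw(value: int):
    """Deterministic stand-in for a CSPRNG draw: returns value mod n."""
    return lambda n: value % n


def demo() -> dict:
    exit_router = {"name": "exitA", "bw": 5000, "family": ["guardA"]}
    candidates = [
        {"name": "guardA", "bw": 9000, "family": ["exitA"]},  # exit's family: excluded
        {"name": "exitA", "bw": 5000, "family": ["guardA"]},  # the exit itself: excluded
        {"name": "guardB", "bw": 1000},
        {"name": "guardC", "bw": 3000},
        {"name": "guardD", "bw": 2**40},                      # over-declared: clamped
    ]
    pick = lambda value: choose_guard(candidates, exit_router, fixed_draw(value))["name"]
    return {
        "eligible": [r["name"] for r in candidates if not same_family(r, exit_router)],
        "draw_0": pick(0),          # guardB covers [0, 1000)
        "draw_999": pick(999),
        "draw_1000": pick(1000),    # guardC covers [1000, 4000)
        "draw_3999": pick(3999),
        "draw_4000": pick(4000),    # guardD covers the rest, up to INT32_MAX wide
        "guardD_weight": clamp_bandwidth(2**40),
    }


if __name__ == "__main__":
    print(demo())
```

Without the family exclusion, guardA (the highest-bandwidth candidate) would be chosen most often precisely when exitA is the exit, handing one operator both ends of the circuit; the weighting and the exclusion have to be applied together, which is why the exclusion happens before the weights are summed.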
Changes in version 0.1.2.12-rc - 2007-03-16
  o Major bugfixes:
    - Fix an infinite loop introduced in 0.1.2.7-alpha when we serve directory information requested inside Tor connections (i.e. via begin_dir cells). It only triggered when the same connection was serving other data at the same time. Reported by seeess.
  o Minor bugfixes:
    - When creating a circuit via the controller, send a 'launched' event when we're done, so we follow the spec better.

Changes in version 0.1.2.11-rc - 2007-03-15
  o Minor bugfixes (controller), reported by daejees:
    - Correct the control spec to match how the code actually responds to 'getinfo addr-mappings/*'.
    - The control spec described a GUARDS event, but the code implemented a GUARD event. Standardize on GUARD, but let people ask for GUARDS too.

Changes in version 0.1.2.10-rc - 2007-03-07
  o Major bugfixes (Windows):
    - Do not load the NT services library functions (which may not exist) just to detect if we're a service trying to shut down. Now we run on Win98 and friends again.
  o Minor bugfixes (other):
    - Clarify a couple of log messages.
    - Fix a misleading socks5 error number.

Changes in version 0.1.2.9-rc - 2007-03-02
  o Major bugfixes (Windows):
    - On MinGW, use "%I64u" to printf/scanf 64-bit integers, instead of the usual GCC "%llu". This prevents a bug when saving 64-bit int configuration values: the high-order 32 bits would get truncated. In particular, we were being bitten by the default MaxAdvertisedBandwidth of 128 TB turning into 0. (Fixes bug 400 and maybe also bug 397.)
  o Minor bugfixes (performance):
    - Use OpenSSL's AES implementation on platforms where it's faster. This could save us as much as 10% CPU usage.
  o Minor bugfixes (server):
    - Do not rotate onion key immediately after setting it for the first time.
  o Minor bugfixes (directory authorities):
    - Stop calling servers that have been hibernating for a long time "stable". Also, stop letting hibernating or obsolete servers affect uptime and bandwidth cutoffs.
    - Stop listing hibernating servers in the v1 directory.
  o Minor bugfixes (hidden services):
    - Upload hidden service descriptors slightly less often, to reduce load on authorities.
  o Minor bugfixes (other):
    - Fix an assert that could trigger if a controller quickly set then cleared EntryNodes. (Bug found by Udo van den Heuvel.)
    - On architectures where sizeof(int)>4, still clamp declarable bandwidth to INT32_MAX.
    - Fix a potential race condition in the rpm installer. Found by Stefan Nordhausen.
    - Try to fix eventdns warnings once and for all: do not treat a dns rcode of 2 as indicating that the server is completely bad; it sometimes means that the server is just bad for the request in question. (may fix the last of bug 326.)
    - Disable encrypted directory connections when we don't have a server descriptor for the destination. We'll get this working again in the 0.2.0 branch.

Changes in version 0.1.2.8-beta - 2007-02-26
  o Major bugfixes (crashes):
    - Stop crashing when the controller asks us to resetconf more than one config option at once. (Vidalia 0.0.11 does this.)
    - Fix a crash that happened on Win98 when we're given command-line arguments: don't try to load NT service functions from advapi32.dll except when we need them. (Bug introduced in 0.1.2.7-alpha; resolves bug 389.)
    - Fix a longstanding obscure crash bug that could occur when we run out of DNS worker processes. (Resolves bug 390.)
  o Major bugfixes (hidden services):
    - Correctly detect whether hidden service descriptor downloads are in-progress. (Suggested by Karsten Loesing; fixes bug 399.)
  o Major bugfixes (accounting):
    - When we start during an accounting interval before it's time to wake up, remember to wake up at the correct time. (May fix bug 342.)
  o Minor bugfixes (controller):
    - Give the controller END_STREAM_REASON_DESTROY events _before_ we clear the corresponding on_circuit variable, and remember later that we don't need to send a redundant CLOSED event. (Resolves part 3 of bug 367.)
    - Report events where a resolve succeeded or where we got a socks protocol error correctly, rather than calling both of them "INTERNAL".
    - Change reported stream target addresses to IP consistently when we finally get the IP from an exit node.
    - Send log messages to the controller even if they happen to be very long.
  o Minor bugfixes (other):
    - Display correct results when reporting which versions are recommended, and how recommended they are. (Resolves bug 383.)
    - Improve our estimates for directory bandwidth to be less random: guess that an unrecognized directory will have the average bandwidth from all known directories, not that it will have the average bandwidth from those directories earlier than it on the list.
    - If we start a server with ClientOnly 1, then set ClientOnly to 0 and hup, stop triggering an assert based on an empty onion_key.
    - On platforms with no working mmap() equivalent, don't warn the user when cached-routers doesn't exist.
    - Warn the user when mmap() [or its equivalent] fails for some reason other than file-not-found.
    - Don't warn the user when cached-routers.new doesn't exist: that's perfectly fine when starting up for the first time.
    - When EntryNodes are configured, rebuild the guard list to contain, in order: the EntryNodes that were guards before; the rest of the EntryNodes; the nodes that were guards before.
    - Mask out all signals in sub-threads; only the libevent signal handler should be processing them. This should prevent some crashes on some machines using pthreads. (Patch from coderman.)
    - Fix switched arguments on memset in the implementation of tor_munmap() for systems with no mmap() call.
    - When Tor receives a router descriptor that it asked for, but no longer wants (because it has received fresh networkstatuses in the meantime), do not warn the user. Cache the descriptor if we're a cache; drop it if we aren't.
    - Make earlier entry guards _really_ get retried when the network comes back online.
    - On a malformed DNS reply, always give an error to the corresponding DNS request.
    - Build with recent libevents on platforms that do not define the nonstandard types "u_int8_t" and friends.
  o Minor features (controller):
    - Warn the user when an application uses the obsolete binary v0 control protocol. We're planning to remove support for it during the next development series, so it's good to give people some advance warning.
    - Add STREAM_BW events to report per-entry-stream bandwidth use. (Patch from Robert Hogan.)
    - Rate-limit SIGNEWNYM signals in response to controllers that impolitely generate them for every single stream. (Patch from mwenge; closes bug 394.)
    - Make REMAP stream events have a SOURCE (cache or exit), and make them generated in every case where we get a successful connected or resolved cell.
  o Minor bugfixes (performance):
    - Call router_have_min_dir_info half as often. (This is showing up in some profiles, but not others.)
    - When using GCC, make log_debug never get called at all, and its arguments never get evaluated, when no debug logs are configured. (This is showing up in some profiles, but not others.)
  o Minor features:
    - Remove some never-implemented options. Mark PathlenCoinWeight as obsolete.
    - Implement proposal 106: Stop requiring clients to have well-formed certificates; stop checking nicknames in certificates. (Clients have certificates so that they can look like Tor servers, but in the future we might want to allow them to look like regular TLS clients instead. Nicknames in certificates serve no purpose other than making our protocol easier to recognize on the wire.)
    - Revise messages on handshake failure again to be even more clear about which are incoming connections and which are outgoing.
    - Discard any v1 directory info that's over 1 month old (for directories) or over 1 week old (for running-routers lists).
    - Do not warn when individual nodes in the configuration's EntryNodes, ExitNodes, etc are down: warn only when all possible nodes are down. (Fixes bug 348.)
    - Always remove expired routers and networkstatus docs before checking whether we have enough information to build circuits. (Fixes bug 373.)
    - Put a lower-bound on MaxAdvertisedBandwidth.

Changes in version 0.1.2.7-alpha - 2007-02-06
  o Major bugfixes (rate limiting):
    - Servers decline directory requests much more aggressively when they're low on bandwidth. Otherwise they end up queueing more and more directory responses, which can't be good for latency.
    - But never refuse directory requests from local addresses.
    - Fix a memory leak when sending a 503 response for a networkstatus request.
    - Be willing to read or write on local connections (e.g. controller connections) even when the global rate limiting buckets are empty.
    - If our system clock jumps back in time, don't publish a negative uptime in the descriptor. Also, don't let the global rate limiting buckets go absurdly negative.
    - Flush local controller connection buffers periodically as we're writing to them, so we avoid queueing 4+ megabytes of data before trying to flush.
  o Major bugfixes (NT services):
    - Install as NT_AUTHORITY\LocalService rather than as SYSTEM; add a command-line flag so that admins can override the default by saying "tor --service install --user "SomeUser"". This will not affect existing installed services. Also, warn the user that the service will look for its configuration file in the service user's %appdata% directory. (We can't do the 'hardwire the user's appdata directory' trick any more, since we may not have read access to that directory.)
  o Major bugfixes (other):
    - Previously, we would cache up to 16 old networkstatus documents indefinitely, if they came from nontrusted authorities. Now we discard them if they are more than 10 days old.
    - Fix a crash bug in the presence of DNS hijacking (reported by Andr