[or-cvs] r15572: first draft of the Tor 0.2.0.x Release Notes. (tor/trunk)
Author: arma
Date: 2008-06-30 18:01:17 -0400 (Mon, 30 Jun 2008)
New Revision: 15572
Modified:
tor/trunk/ReleaseNotes
Log:
first draft of the Tor 0.2.0.x Release Notes.
Modified: tor/trunk/ReleaseNotes
===================================================================
--- tor/trunk/ReleaseNotes 2008-06-30 21:52:39 UTC (rev 15571)
+++ tor/trunk/ReleaseNotes 2008-06-30 22:01:17 UTC (rev 15572)
@@ -3,6 +3,767 @@
of Tor. If you want to see more detailed descriptions of the changes in
each development snapshot, see the ChangeLog file.
+Changes in version 0.2.0.30 - 2008-07-xx
+ This new stable release switches to a more efficient directory
+ distribution design, adds features to make Tor harder to block,
+ allows Tor to act as a DNS proxy,
+
+ o New v3 directory design:
+ - Tor now uses a new way to learn about and distribute information
+ about the network: the directory authorities vote on a common
+ network status document rather than each publishing their own
+ opinion. Now clients and caches download only one networkstatus
+ document to bootstrap, rather than downloading one for each
+ authority. Clients only download router descriptors listed in
+ the consensus. Implements proposal 101; see doc/spec/dir-spec.txt
+ for details.
+ - Set up moria1, tor26, and dizum as v3 directory authorities
+ in addition to being v2 authorities. Also add three new ones:
+ ides (run by Mike Perry), gabelmoo (run by Karsten Loesing), and
+ dannenberg (run by CCC).
+ - Switch to multi-level keys for directory authorities: now their
+ long-term identity key can be kept offline, and they periodically
+ generate a new signing key. Clients fetch the "key certificates"
+ to keep up to date on the right keys. Add a standalone tool
+ "tor-gencert" to generate key certificates. Implements proposal 103.
+ - Add a new V3AuthUseLegacyKey config option to make it easier for
+ v3 authorities to change their identity keys if another bug like
+ Debian's OpenSSL RNG flaw appears.
+ - Authorities and caches fetch the v2 networkstatus documents
+ less often, now that v3 is recommended.
+
+ o Make Tor connections stand out less on the wire:
+ - Use an improved TLS handshake designed by Steven Murdoch in proposal
+ 124, as revised in proposal 130. The new handshake is meant to
+ be harder for censors to fingerprint, and it adds the ability
+ to detect certain kinds of man-in-the-middle traffic analysis
+ attacks. The new handshake format includes version negotiation for
+ OR connections as described in proposal 105, which will allow us
+ to improve Tor's link protocol more safely in the future.
+ - Enable encrypted directory connections by default for non-relays,
+ so censor tools that block Tor directory connections based on their
+ plaintext patterns will no longer work. This means Tor works in
+ certain censored countries by default again.
+ - Stop including recognizeable strings in the commonname part of
+ Tor's x509 certificates.
+
+ o Implement bridge relays:
+ - Bridge relays (or "bridges" for short) are Tor relays that aren't
+ listed in the main Tor directory. Since there is no complete public
+ list of them, even an ISP that is filtering connections to all the
+ known Tor relays probably won't be able to block all the bridges.
+ See doc/design-paper/blocking.pdf and proposal 125 for details.
+ - New config option BridgeRelay that specifies you want to be a
+ bridge relay rather than a normal relay. When BridgeRelay is set
+ to 1, then a) you cache dir info even if your DirPort ins't on,
+ and b) the default for PublishServerDescriptor is now "bridge"
+ rather than "v2,v3".
+ - New config option "UseBridges 1" for clients that want to use bridge
+ relays instead of ordinary entry guards. Clients then specify
+ bridge relays by adding "Bridge" lines to their config file. Users
+ can learn about a bridge relay either manually through word of
+ mouth, or by one of our rate-limited mechanisms for giving out
+ bridge addresses without letting an attacker easily enumerate them
+ all. See https://www.torproject.org/bridges for details.
+ - Bridge relays behave like clients with respect to time intervals
+ for downloading new v3 consensus documents -- otherwise they
+ stand out. Bridge users now wait until the end of the interval,
+ so their bridge relay will be sure to have a new consensus document.
+
+ o Implement bridge directory authorities:
+ - Bridge authorities are like normal directory authorities, except
+ they don't serve a list of known bridges. Therefore users that know
+ a bridge's fingerprint can fetch a relay descriptor for that bridge,
+ including fetching updates e.g. if the bridge changes IP address,
+ yet an attacker can't just fetch a list of all the bridges.
+ - Set up Tonga as the default bridge directory authority.
+ - Bridge authorities refuse to serve bridge descriptors or other
+ bridge information over unencrypted connections (that is, when
+ responding to direct DirPort requests rather than begin_dir cells.)
+ - Bridge directory authorities do reachability testing on the
+ bridges they know. They provide router status summaries to the
+ controller via "getinfo ns/purpose/bridge", and also dump summaries
+ to a file periodically, so we can keep internal stats about which
+ bridges are functioning.
+ - If bridge users set the UpdateBridgesFromAuthority config option,
+ but the digest they ask for is a 404 on the bridge authority,
+ they fall back to contacting the bridge directly.
+ - Bridges always use begin_dir to publish their server descriptor to
+ the bridge authority using an anonymous encrypted tunnel.
+ - Early work on a "bridge community" design: if bridge authorities set
+ the BridgePassword config option, they will serve a snapshot of
+ known bridge routerstatuses from their DirPort to anybody who
+ knows that password. Unset by default.
+ - Tor now includes an IP-to-country GeoIP file, so bridge relays can
+ report sanitized aggregated summaries in their extra-info documents
+ privately to the bridge authority, listing which countries are
+ able to reach them. We hope this mechanism will let us learn when
+ certain countries start trying to block bridges.
+ - Bridge authorities write bridge descriptors to disk, so they can
+ reload them after a reboot. They can also export the descriptors
+ to other programs, so we can distribute them to blocked users via
+ the BridgeDB interface, e.g. via https://bridges.torproject.org/
+ and bridges@xxxxxxxxxxxxxxx
+
+ o Tor can be a DNS proxy:
+ - The new client-side DNS proxy feature replaces the need for
+ dns-proxy-tor: Just set "DNSPort 9999", and Tor will now listen
+ for DNS requests on port 9999, use the Tor network to resolve them
+ anonymously, and send the reply back like a regular DNS server.
+ The code still only implements a subset of DNS.
+ - Add a new AutomapHostsOnResolve option: when it is enabled, any
+ resolve request for hosts matching a given pattern causes Tor to
+ generate an internal virtual address mapping for that host. This
+ allows DNSPort to work sensibly with hidden service users. By
+ default, .exit and .onion addresses are remapped; the list of
+ patterns can be reconfigured with AutomapHostsSuffixes.
+ - Add an "-F" option to tor-resolve to force a resolve for a .onion
+ address. Thanks to the AutomapHostsOnResolve option, this is no
+ longer a completely silly thing to do.
+
+ o Major features (relay usability):
+ - New config options RelayBandwidthRate and RelayBandwidthBurst:
+ a separate set of token buckets for relayed traffic. Right now
+ relayed traffic is defined as answers to directory requests, and
+ OR connections that don't have any local circuits on them. See
+ proposal 111 for details.
+ - Create listener connections before we setuid to the configured
+ User and Group. Now non-Windows users can choose port values
+ under 1024, start Tor as root, and have Tor bind those ports
+ before it changes to another UID. (Windows users could already
+ pick these ports.)
+ - Added a new ConstrainedSockets config option to set SO_SNDBUF and
+ SO_RCVBUF on TCP sockets. Hopefully useful for Tor servers running
+ on "vserver" accounts. Patch from coderman.
+
+ o Major features (directory authorities):
+ - Directory authorities track weighted fractional uptime and weighted
+ mean-time-between failures for relays. WFU is suitable for deciding
+ whether a node is "usually up", while MTBF is suitable for deciding
+ whether a node is "likely to stay up." We need both, because
+ "usually up" is a good requirement for guards, while "likely to
+ stay up" is a good requirement for long-lived connections.
+ - Directory authorities use a new formula for selecting which relays
+ to advertise as Guards: they must be in the top 7/8 in terms of
+ how long we have known about them, and above the median of those
+ nodes in terms of weighted fractional uptime.
+ - Directory authorities use a new formula for selecting which relays
+ to advertise as Stable: when we have 4 or more days of data, use
+ median measured MTBF rather than median declared uptime. Implements
+ proposal 108.
+ - Directory authorities accept and serve "extra info" documents for
+ routers. Routers now publish their bandwidth-history lines in the
+ extra-info docs rather than the main descriptor. This step saves
+ 60% (!) on compressed router descriptor downloads. Servers upload
+ extra-info docs to any authority that accepts them; directory
+ authorities now allow multiple router descriptors and/or extra
+ info documents to be uploaded in a single go. Authorities, and
+ caches that have been configured to download extra-info documents,
+ download them as needed. Implements proposal 104.
+ - Authorities now list relays who have the same nickname as
+ a different named relay, but list them with a new flag:
+ "Unnamed". Now we can make use of relays that happen to pick the
+ same nickname as a server that registered two years ago and then
+ disappeared. Implements proposal 122.
+ - Store routers in a file called cached-descriptors instead of in
+ cached-routers. Initialize cached-descriptors from cached-routers
+ if the old format is around. The new format allows us to store
+ annotations along with descriptors, to record the time we received
+ each descriptor, its source, and its purpose: currently one of
+ general, controller, or bridge.
+
+ o Major features (other):
+ - New config options WarnPlaintextPorts and RejectPlaintextPorts so
+ Tor can warn and/or refuse connections to ports commonly used with
+ vulnerable-plaintext protocols. Currently we warn on ports 23,
+ 109, 110, and 143, but we don't reject any. Based on proposal 129
+ by Kevin Bauer and Damon McCoy.
+ - Integrate Karsten Loesing's Google Summer of Code project to publish
+ hidden service descriptors on a set of redundant relays that are a
+ function of the hidden service address. Now we don't have to rely
+ on three central hidden service authorities for publishing and
+ fetching every hidden service descriptor. Implements proposal 114.
+ - Allow tunnelled directory connections to ask for an encrypted
+ "begin_dir" connection or an anonymized "uses a full Tor circuit"
+ connection independently. Now we can make anonymized begin_dir
+ connections for (e.g.) more secure hidden service posting and
+ fetching.
+
+ o Major bugfixes (crashes and assert failures):
+ - Stop imposing an arbitrary maximum on the number of file descriptors
+ used for busy servers. Bug reported by Olaf Selke; patch from
+ Sebastian Hahn.
+ - Avoid possible failures when generating a directory with routers
+ with over-long versions strings, or too many flags set.
+ - Fix a rare assert error when we're closing one of our threads:
+ use a mutex to protect the list of logs, so we never write to the
+ list as it's being freed. Fixes the very rare bug 575, which is
+ kind of the revenge of bug 222.
+ - Avoid segfault in the case where a badly behaved v2 versioning
+ directory sends a signed networkstatus with missing client-versions.
+ - When we hit an EOF on a log (probably because we're shutting down),
+ don't try to remove the log from the list: just mark it as
+ unusable. (Bulletproofs against bug 222.)
+
+ o Major bugfixes (code security fixes):
+ - Detect size overflow in zlib code. Reported by Justin Ferguson and
+ Dan Kaminsky.
+ - Rewrite directory tokenization code to never run off the end of
+ a string. Fixes bug 455. Patch from croup.
+ - Be more paranoid about overwriting sensitive memory on free(),
+ as a defensive programming tactic to ensure forward secrecy.
+
+ o Major bugfixes (anonymity fixes):
+ - Reject requests for reverse-dns lookup of names that are in
+ a private address space. Patch from lodger.
+ - Never report that we've used more bandwidth than we're willing to
+ relay: it leaks how much non-relay traffic we're using. Resolves
+ bug 516.
+ - As a client, do not believe any server that tells us that an
+ address maps to an internal address space.
+ - Warn about unsafe ControlPort configurations.
+ - Directory authorities now call routers Fast if their bandwidth is
+ at least 100KB/s, and consider their bandwidth adequate to be a
+ Guard if it is at least 250KB/s, no matter the medians. This fix
+ complements proposal 107.
+ - Directory authorities now never mark more than 3 servers per IP as
+ Valid and Running. Implements proposal 109, by Kevin Bauer and
+ Damon McCoy.
+ - If we're a relay, avoid picking ourselves as an introduction point,
+ a rendezvous point, or as the final hop for internal circuits. Bug
+ reported by taranis and lodger.
+ - Exit relays that are used as a client can now reach themselves
+ using the .exit notation, rather than just launching an infinite
+ pile of circuits. Fixes bug 641. Reported by Sebastian Hahn.
+ - Fix a bug where, when we were choosing the 'end stream reason' to
+ put in our relay end cell that we send to the exit relay, Tor
+ clients on Windows were sometimes sending the wrong 'reason'. The
+ anonymity problem is that exit relays may be able to guess whether
+ the client is running Windows, thus helping partition the anonymity
+ set. Down the road we should stop sending reasons to exit relays,
+ or otherwise prevent future versions of this bug.
+ - Only update guard status (usable / not usable) once we have
+ enough directory information. This was causing us to discard all our
+ guards on startup if we hadn't been running for a few weeks. Fixes
+ bug 448.
+ - When our directory information has been expired for a while, stop
+ being willing to build circuits using it. Fixes bug 401.
+
+ o Major bugfixes (peace of mind for relay operators)
+ - Non-exit relays no longer answer "resolve" relay cells, so they
+ can't be induced to do arbitrary DNS requests. (Tor clients already
+ avoid using non-exit relays for resolve cells, but now servers
+ enforce this too.) Fixes bug 619. Patch from lodger.
+ - When we setconf ClientOnly to 1, close any current OR and Dir
+ listeners. Reported by mwenge.
+
+ o Major bugfixes (other):
+ - If we only ever used Tor for hidden service lookups or posts, we
+ would stop building circuits and start refusing connections after
+ 24 hours, since we falsely believed that Tor was dormant. Reported
+ by nwf.
+ - Add a new __HashedControlSessionPassword option for controllers
+ to use for one-off session password hashes that shouldn't get
+ saved to disk by SAVECONF --- Vidalia users were accumulating a
+ pile of HashedControlPassword lines in their torrc files, one for
+ each time they had restarted Tor and then clicked Save. Make Tor
+ automatically convert "HashedControlPassword" to this new option but
+ only when it's given on the command line. Partial fix for bug 586.
+ - Patch from "Andrew S. Lists" to catch when we contact a directory
+ mirror at IP address X and he says we look like we're coming from
+ IP address X. Otherwise this would screw up our address detection.
+ - Reject uploaded descriptors and extrainfo documents if they're
+ huge. Otherwise we'll cache them all over the network and it'll
+ clog everything up. Suggested by Aljosha Judmayer.
+
+ o Rate limiting and load balancing improvements:
+ - When we add data to a write buffer in response to the data on that
+ write buffer getting low because of a flush, do not consider the
+ newly added data as a candidate for immediate flushing, but rather
+ make it wait until the next round of writing. Otherwise, we flush
+ and refill recursively, and a single greedy TLS connection can
+ eat all of our bandwidth.
+ - When counting the number of bytes written on a TLS connection,
+ look at the BIO actually used for writing to the network, not
+ at the BIO used (sometimes) to buffer data for the network.
+ Looking at different BIOs could result in write counts on the
+ order of ULONG_MAX. Fixes bug 614.
+ - If we change our MaxAdvertisedBandwidth and then reload torrc,
+ Tor won't realize it should publish a new relay descriptor. Fixes
+ bug 688, reported by mfr.
+ - Avoid using too little bandwidth when our clock skips a few seconds.
+ - Choose which bridge to use proportional to its advertised bandwidth,
+ rather than uniformly at random. This should speed up Tor for
+ bridge users. Also do this for people who set StrictEntryNodes.
+
+ o Bootstrapping faster and building circuits more intelligently:
+ - Fix bug 660 that was preventing us from knowing that we should
+ preemptively build circuits to handle expected directory requests.
+ - When we're checking if we have enough dir info for each relay
+ to begin establishing circuits, make sure that we actually have
+ the descriptor listed in the consensus, not just any descriptor.
+ - Correctly notify one-hop connections when a circuit build has
+ failed. Possible fix for bug 669. Found by lodger.
+ - Clients now hold circuitless TLS connections open for 1.5 times
+ MaxCircuitDirtiness (15 minutes), since it is likely that they'll
+ rebuild a new circuit over them within that timeframe. Previously,
+ they held them open only for KeepalivePeriod (5 minutes).
+
+ o Performance improvements (memory):
+ - Add OpenBSD malloc code from "phk" as an optional malloc
+ replacement on Linux: some glibc libraries do very poorly with
+ Tor's memory allocation patterns. Pass --enable-openbsd-malloc to
+ ./configure to get the replacement malloc code.
+ - Switch our old ring buffer implementation for one more like that
+ used by free Unix kernels. The wasted space in a buffer with 1mb
+ of data will now be more like 8k than 1mb. The new implementation
+ also avoids realloc();realloc(); patterns that can contribute to
+ memory fragmentation.
+ - Change the way that Tor buffers data that it is waiting to write.
+ Instead of queueing data cells in an enormous ring buffer for each
+ client->OR or OR->OR connection, we now queue cells on a separate
+ queue for each circuit. This lets us use less slack memory, and
+ will eventually let us be smarter about prioritizing different kinds
+ of traffic.
+ - Reference-count and share copies of address policy entries; only 5%
+ of them were actually distinct.
+ - Tune parameters for cell pool allocation to minimize amount of
+ RAM overhead used.
+ - Keep unused 4k and 16k buffers on free lists, rather than wasting 8k
+ for every single inactive connection_t. Free items from the
+ 4k/16k-buffer free lists when they haven't been used for a while.
+ - Make memory debugging information describe more about history
+ of cell allocation, so we can help reduce our memory use.
+ - Be even more aggressive about releasing RAM from small
+ empty buffers. Thanks to our free-list code, this shouldn't be too
+ performance-intensive.
+ - Log malloc statistics from mallinfo() on platforms where it exists.
+ - Use memory pools to allocate cells with better speed and memory
+ efficiency, especially on platforms where malloc() is inefficient.
+ - Add a --with-tcmalloc option to the configure script to link
+ against tcmalloc (if present). Does not yet search for non-system
+ include paths.
+
+ o Performance improvements (socket management):
+ - Count the number of open sockets separately from the number of
+ active connection_t objects. This will let us avoid underusing
+ our allocated connection limit.
+ - We no longer use socket pairs to link an edge connection to an
+ anonymous directory connection or a DirPort test connection.
+ Instead, we track the link internally and transfer the data
+ in-process. This saves two sockets per "linked" connection (at the
+ client and at the server), and avoids the nasty Windows socketpair()
+ workaround.
+ - We were leaking a file descriptor if Tor started with a zero-length
+ cached-descriptors file. Patch by "freddy77".
+
+ o Performance improvements (CPU use):
+ - Never walk through the list of logs if we know that no log target
+ is interested in a given message.
+ - Call routerlist_remove_old_routers() much less often. This should
+ speed startup, especially on directory caches.
+ - Base64 decoding was actually showing up on our profile when parsing
+ the initial descriptor file; switch to an in-process all-at-once
+ implementation that's about 3.5x times faster than calling out to
+ OpenSSL.
+ - Use a slightly simpler string hashing algorithm (copying Python's
+ instead of Java's) and optimize our digest hashing algorithm to take
+ advantage of 64-bit platforms and to remove some possibly-costly
+ voodoo.
+ - When implementing AES counter mode, update only the portions of the
+ counter buffer that need to change, and don't keep separate
+ network-order and host-order counters on big-endian hosts (where
+ they are the same).
+ - Add an in-place version of aes_crypt() so that we can avoid doing a
+ needless memcpy() call on each cell payload.
+ - Use Critical Sections rather than Mutexes for synchronizing threads
+ on win32; Mutexes are heavier-weight, and designed for synchronizing
+ between processes.
+
+ o Performance improvements (bandwidth use):
+ - Don't try to launch new descriptor downloads quite so often when we
+ already have enough directory information to build circuits.
+ - Version 1 directories are no longer generated in full. Instead,
+ authorities generate and serve "stub" v1 directories that list
+ no servers. This will stop Tor versions 0.1.0.x and earlier from
+ working, but (for security reasons) nobody should be running those
+ versions anyway.
+ - Avoid going directly to the directory authorities even if you're a
+ relay, if you haven't found yourself reachable yet or if you've
+ decided not to advertise your dirport yet. Addresses bug 556.
+ - If we've gone 12 hours since our last bandwidth check, and we
+ estimate we have less than 50KB bandwidth capacity but we could
+ handle more, do another bandwidth test.
+ - Support "If-Modified-Since" when answering HTTP requests for
+ directories, running-routers documents, and v2 and v3 networkstatus
+ documents. (There's no need to support it for router descriptors,
+ since those are downloaded by descriptor digest.)
+ - Stop fetching directory info so aggressively if your DirPort is
+ on but your ORPort is off; stop fetching v2 dir info entirely.
+ You can override these choices with the new FetchDirInfoEarly
+ config option.
+
+ o Changed config option behavior (features):
+ - Configuration files now accept C-style strings as values. This
+ helps encode characters not allowed in the current configuration
+ file format, such as newline or #. Addresses bug 557.
+ - Add hidden services and DNSPorts to the list of things that make
+ Tor accept that it has running ports. Change starting Tor with no
+ ports from a fatal error to a warning; we might change it back if
+ this turns out to confuse anybody. Fixes bug 579.
+ - Make PublishServerDescriptor default to 1, so the default doesn't
+ have to change as we invent new directory protocol versions.
+ - Allow people to say PreferTunnelledDirConns rather than
+ PreferTunneledDirConns, for those alternate-spellers out there.
+ - Raise the default BandwidthRate/BandwidthBurst to 5MB/10MB, to
+ accommodate the growing number of servers that use the default
+ and are reaching it.
+ - Make it possible to enable HashedControlPassword and
+ CookieAuthentication at the same time.
+ - When a TrackHostExits-chosen exit fails too many times in a row,
+ stop using it. Fixes bug 437.
+
+ o Changed config option behavior (bugfixes):
+ - Do not read the configuration file when we've only been told to
+ generate a password hash. Fixes bug 643. Bugfix on 0.0.9pre5. Fix
+ based on patch from Sebastian Hahn.
+ - Actually validate the options passed to AuthDirReject,
+ AuthDirInvalid, AuthDirBadDir, and AuthDirBadExit.
+ - Make "ClientOnly 1" config option disable directory ports too.
+ - Don't stop fetching descriptors when FetchUselessDescriptors is
+ set, even if we stop asking for circuits. Bug reported by tup
+ and ioerror.
+ - Servers used to decline to publish their DirPort if their
+ BandwidthRate or MaxAdvertisedBandwidth were below a threshold. Now
+ they look only at BandwidthRate and RelayBandwidthRate.
+ - Treat "2gb" when given in torrc for a bandwidth as meaning 2gb,
+ minus 1 byte: the actual maximum declared bandwidth.
+ - Make "TrackHostExits ." actually work. Bugfix on 0.1.0.x.
+ - Make the NodeFamilies config option work. (Reported by
+ lodger -- it has never actually worked, even though we added it
+ in Oct 2004.)
+ - If Tor is invoked from something that isn't a shell (e.g. Vidalia),
+ now we expand "-f ~/.tor/torrc" correctly. Suggested by Matt Edman.
+
+ o New config options:
+ - New configuration options to override default maximum number of
+ servers allowed on a single IP address. This is important for
+ running a test network on a single host. XXX
+ - Three new config options (AlternateDirAuthority,
+ AlternateBridgeAuthority, and AlternateHSAuthority) that let the
+ user selectively replace the default directory authorities by type,
+ rather than the all-or-nothing replacement that DirServer offers.
+ - New config options AuthDirBadDir and AuthDirListBadDirs for
+ authorities to mark certain relays as "bad directories" in the
+ networkstatus documents. Also supports the "!baddir" directive in
+ the approved-routers file.
+ - New config option V2AuthoritativeDirectory that all v2 directory
+ authorities must set. This lets v3 authorities choose not to serve
+ v2 directory information.
+
+ o Minor features (other):
+ - When we're not serving v2 directory information, there is no reason
+ to actually keep any around. Remove the obsolete files and directory
+ on startup if they are very old and we aren't going to serve them.
+ - When we negotiate a v2 link-layer connection (not yet implemented),
+ accept RELAY_EARLY cells and turn them into RELAY cells if we've
+ negotiated a v1 connection for their next step. Initial steps for
+ proposal 110.
+ - When we have no consensus, check FallbackNetworkstatusFile (defaults
+ to $PREFIX/share/tor/fallback-consensus) for a consensus. This way
+ we can start out knowing some directory caches. We don't ship with
+ a fallback consensus by default though, because it wasn't making
+ bootstrapping take too long while we tried many down relays.
+ - Authorities send back an X-Descriptor-Not-New header in response to
+ an accepted-but-discarded descriptor upload. Partially implements
+ fix for bug 535.
+ - If we find a cached-routers file that's been sitting around for more
+ than 28 days unmodified, then most likely it's a leftover from
+ when we upgraded to 0.2.0.8-alpha. Remove it. It has no good
+ routers anyway.
+ - When we (as a cache) download a descriptor because it was listed
+ in a consensus, remember when the consensus was supposed to expire,
+ and don't expire the descriptor until then.
+ - Optionally (if built with -DEXPORTMALLINFO) export the output
+ of mallinfo via http, as tor/mallinfo.txt. Only accessible
+ from localhost.
+ - Tag every guard node in our state file with the version that
+ we believe added it, or with our own version if we add it. This way,
+ if a user temporarily runs an old version of Tor and then switches
+ back to a new one, she doesn't automatically lose her guards.
+ - When somebody requests a list of statuses or servers, and we have
+ none of those, return a 404 rather than an empty 200.
+ - Merge in some (as-yet-unused) IPv6 address manipulation code. (Patch
+ from croup.)
+ - Add an HSAuthorityRecordStats option that hidden service authorities
+ can use to track statistics of overall hidden service usage without
+ logging information that would be as useful to an attacker.
+ - Allow multiple HiddenServicePort directives with the same virtual
+ port; when they occur, the user is sent round-robin to one
+ of the target ports chosen at random. Partially fixes bug 393 by
+ adding limited ad-hoc round-robining.
+ - Revamp file-writing logic so we don't need to have the entire
+ contents of a file in memory at once before we write to disk. Tor,
+ meet stdio.
+
+ o Minor bugfixes (other):
+ - Alter the code that tries to recover from unhandled write
+ errors, to not try to flush onto a socket that's given us
+ unhandled errors.
+ - Directory mirrors no longer include a guess at the client's IP
+ address if the connection appears to be coming from the same /24
+ network; it was producing too many wrong guesses.
+ - If we're trying to flush the last bytes on a connection (for
+ example, when answering a directory request), reset the
+ time-to-give-up timeout every time we manage to write something
+ on the socket.
+ - Reject router descriptors with out-of-range bandwidthcapacity or
+ bandwidthburst values.
+ - If we can't expand our list of entry guards (e.g. because we're
+ using bridges or we have StrictEntryNodes set), don't mark relays
+ down when they fail a directory request. Otherwise we're too quick
+ to mark all our entry points down.
+ - Authorities no longer send back "400 you're unreachable please fix
+ it" errors to Tor servers that aren't online all the time. We're
+ supposed to tolerate these servers now.
+ - Let directory authorities startup even when they can't generate
+ a descriptor immediately, e.g. because they don't know their
+ address.
+ - Correctly enforce that elements of directory objects do not appear
+ more often than they are allowed to appear.
+ - Stop allowing hibernating servers to be "stable" or "fast".
+ - On Windows, we were preventing other processes from reading
+ cached-routers while Tor was running. (Reported by janbar)
+ - Check return values from pthread_mutex functions.
+
+ o Controller features:
+ - The GETCONF command now escapes and quotes configuration values
+ that don't otherwise fit into the torrc file.
+ - The SETCONF command now handles quoted values correctly.
+ - Add "GETINFO/desc-annotations/id/<OR digest>" so controllers can
+ ask about source, timestamp of arrival, purpose, etc. We need
+ something like this to help Vidalia not do GeoIP lookups on bridge
+ addresses.
+ - Allow multiple HashedControlPassword config lines, to support
+ multiple controller passwords.
+ - Accept LF instead of CRLF on controller, since some software has a
+ hard time generating real Internet newlines.
+ - Add GETINFO values for the server status events
+ "REACHABILITY_SUCCEEDED" and "GOOD_SERVER_DESCRIPTOR". Patch from
+ Robert Hogan.
+ - There is now an ugly, temporary "desc/all-recent-extrainfo-hack"
+ GETINFO for Torstat to use until it can switch to using extrainfos.
+ - New config option CookieAuthFile to choose a new location for the
+ cookie authentication file, and config option
+ CookieAuthFileGroupReadable to make it group-readable.
+ - Add a SOURCE_ADDR field to STREAM NEW events so that controllers can
+ match requests to applications. Patch from Robert Hogan.
+ - Add a RESOLVE command to launch hostname lookups. Original patch
+ from Robert Hogan.
+ - Add GETINFO status/enough-dir-info to let controllers tell whether
+ Tor has downloaded sufficient directory information. Patch from Tup.
+ - You can now use the ControlSocket option to tell Tor to listen for
+ controller connections on Unix domain sockets on systems that
+ support them. Patch from Peter Palfrader.
+ - New "GETINFO address-mappings/*" command to get address mappings
+ with expiry information. "addr-mappings/*" is now deprecated.
+ Patch from Tup.
+ - Add a new config option __DisablePredictedCircuits designed for
+ use by the controller, when we don't want Tor to build any circuits
+ preemptively.
+ - Let the controller specify HOP=%d as an argument to ATTACHSTREAM,
+ so we can exit from the middle of the circuit.
+ - Implement "getinfo status/circuit-established".
+ - Implement "getinfo status/version/..." so a controller can tell
+ whether the current version is recommended, and whether any versions
+ are good, and how many authorities agree. Patch from "shibz".
+ - Controllers should now specify cache=no or cache=yes when using
+ the +POSTDESCRIPTOR command.
+ - Add a "PURPOSE=" argument to "STREAM NEW" events, as suggested by
+ Robert Hogan. Fixes the first part of bug 681.
+ - When reporting clock skew, and we know that the clock is _at least
+ as skewed_ as some value, but we don't know the actual value,
+ report the value as a "minimum skew."
+
+ o Controller bugfixes:
+ - Generate "STATUS_SERVER" events rather than misspelled
+ "STATUS_SEVER" events. Caught by mwenge.
+ - Reject controller commands over 1MB in length, so rogue
+ processes can't run us out of memory.
+ - Change the behavior of "getinfo status/good-server-descriptor"
+ so it doesn't return failure when any authority disappears.
+ - Send NAMESERVER_STATUS messages for a single failed nameserver
+ correctly.
+ - When the DANGEROUS_VERSION controller status event told us we're
+ running an obsolete version, it used the string "OLD" to describe
+ it. Yet the "getinfo" interface used the string "OBSOLETE". Now use
+ "OBSOLETE" in both cases.
+ - Respond to INT and TERM SIGNAL commands before we execute the
+ signal, in case the signal shuts us down. We had a patch in
+ 0.1.2.1-alpha that tried to do this by queueing the response on
+ the connection's buffer before shutting down, but that really
+ isn't the same thing at all. Bug located by Matt Edman.
+ - Provide DNS expiry times in GMT, not in local time. For backward
+ compatibility, ADDRMAP events only provide GMT expiry in an extended
+ field. "GETINFO address-mappings" always does the right thing.
+ - Use CRLF line endings properly in NS events.
+ - Make 'getinfo fingerprint' return a 551 error if we're not a
+ server, so we match what the control spec claims we do. Reported
+ by daejees.
+ - Fix a typo in an error message when extendcircuit fails that
+ caused us to not follow the \r\n-based delimiter protocol. Reported
+ by daejees.
+ - When tunneling an encrypted directory connection, and its first
+ circuit fails, do not leave it unattached and ask the controller
+ to deal. Fixes the second part of bug 681.
+ - Treat some 403 responses from directory servers as INFO rather than
+ WARN-severity events.
+
+ o Portability / building / compiling:
+ - When building with --enable-gcc-warnings, check for whether Apple's
+ warning "-Wshorten-64-to-32" is available.
+ - Support compilation to target iPhone; patch from cjacker huang.
+ To build for iPhone, pass the --enable-iphone option to configure.
+ - Detect non-ASCII platforms (if any still exist) and refuse to
+ build there: some of our code assumes that 'A' is 65 and so on.
+ - Clear up some MIPSPro compiler warnings.
+ - Make autoconf search for libevent, openssl, and zlib consistently.
+ - Update deprecated macros in configure.in.
+ - When warning about missing headers, tell the user to let us
+ know if the compile succeeds anyway, so we can downgrade the
+ warning.
+ - Include the current subversion revision as part of the version
+ string: either fetch it directly if we're in an SVN checkout, do
+ some magic to guess it if we're in an SVK checkout, or use
+ the last-detected version if we're building from a .tar.gz.
+ Use this version consistently in log messages.
+ - Correctly report platform name on Windows 95 OSR2 and Windows 98 SE.
+ - Read resolv.conf files correctly on platforms where read() returns
+ partial results on small file reads.
+ - Build without verbose warnings even on gcc 4.2 and 4.3.
+ - On Windows, correctly detect errors when listing the contents of
+ a directory. Fix from lodger.
+ - Run 'make test' as part of 'make dist', so we stop releasing so
+ many development snapshots that fail their unit tests.
+ - Add support to detect Libevent versions in the 1.4.x series
+ on mingw.
+ - Add command-line arguments to unit-test executable so that we can
+ invoke any chosen test from the command line rather than having
+ to run the whole test suite at once; and so that we can turn on
+ logging for the unit tests.
+ - Do not automatically run configure from autogen.sh. This
+ non-standard behavior tended to annoy people who have built other
+ programs.
+
+ o Logging improvements:
+ - When we haven't had any application requests lately, don't bother
+ logging that we have expired a bunch of descriptors.
+ - When attempting to open a logfile fails, tell us why.
+ - Only log guard node status when guard node status has changed.
+ - Downgrade the 3 most common "INFO" messages to "DEBUG". This will
+ make "INFO" 75% less verbose.
+ - When SafeLogging is disabled, log addresses along with all TLS
+ errors.
+ - Report TLS "zero return" case as a "clean close" and "IO error"
+ as a "close". Stop calling closes "unexpected closes": existing
+ Tors don't use SSL_close(), so having a connection close without
+ the TLS shutdown handshake is hardly unexpected.
+ - When we receive a consensus from the future, warn about skew.
+ - Make "not enough dir info yet" warnings describe *why* Tor feels
+ it doesn't have enough directory info yet.
+ - On the USR1 signal, when dmalloc is in use, log the top 10 memory
+ consumers. (We already do this on HUP.)
+ - Give more descriptive well-formedness errors for out-of-range
+ hidden service descriptor/protocol versions.
+ - Stop recommending that every server operator send mail to tor-ops.
+ Resolves bug 597. Bugfix on 0.1.2.x.
+ - Improve skew reporting: try to give the user a better log message
+ about how skewed they are, and how much this matters.
+ - New --quiet command-line option to suppress the default console log.
+ Good in combination with --hash-password.
+ - Don't complain that "your server has not managed to confirm that its
+ ports are reachable" if we haven't been able to build any circuits
+ yet.
+ - Detect the reason for failing to mmap a descriptor file we just
+ wrote, and give a more useful log message. Fixes bug 533.
+ - Always prepend "Bug: " to any log message about a bug.
+ - When dumping memory usage, list bytes used in buffer memory
+ free-lists.
+ - When running with dmalloc, dump more stats on hup and on exit.
+ - Put a platform string (e.g. "Linux i686") in the startup log
+ message, so when people paste just their logs, we know if it's
+ OpenBSD or Windows or what.
+ - When logging memory usage, break down memory used in buffers by
+ buffer type.
+ - When we are reporting the DirServer line we just parsed, we were
+ logging the second stanza of the key fingerprint, not the first.
+ - Even though Windows is equally happy with / and \ as path separators,
+ try to use \ consistently on Windows and / consistently on Unix: it
+ makes the log messages nicer.
+ - On OSX, stop warning the user that kqueue support in libevent is
+ "experimental", since it seems to have worked fine for ages.
+
+ o Contributed scripts and tools:
+ - Update linux-tor-prio.sh script to allow QoS based on the uid of
+ the Tor process. Patch from Marco Bonetti with tweaks from Mike
+ Perry.
+ - Include the "tor-ctrl.sh" bash script by Stefan Behte to provide
+ Unix users an easy way to script their Tor process (e.g. by
+ adjusting bandwidth based on the time of the day).
+ - In the exitlist script, only consider the most recently published
+ server descriptor for each server. Also, when the user requests
+ a list of servers that _reject_ connections to a given address,
+ explicitly exclude the IPs that also have servers that accept
+ connections to that address. Resolves bug 405.
+ - Include a new contrib/tor-exit-notice.html file that exit relay
+ operators can put on their website to help reduce abuse queries.
+
+ o Newly deprecated features:
+ - The status/version/num-versioning and status/version/num-concurring
+ GETINFO controller options are no longer useful in the v3 directory
+ protocol: treat them as deprecated, and warn when they're used.
+ - The RedirectExits config option is now deprecated.
+
+ o Removed features:
+ - Drop the old code to choke directory connections when the
+ corresponding OR connections got full: thanks to the cell queue
+ feature, OR conns don't get full any more.
+ - Remove the old "dns worker" server DNS code: it hasn't been default
+ since 0.1.2.2-alpha, and all the servers are using the new
+ eventdns code.
+ - Remove the code to generate the oldest (v1) directory format.
+ - Remove support for the old bw_accounting file: we've been storing
+ bandwidth accounting information in the state file since
+ 0.1.2.5-alpha. This may result in bandwidth accounting errors
+ if you try to upgrade from 0.1.1.x or earlier, or if you try to
+ downgrade to 0.1.1.x or earlier.
+ - Drop support for OpenSSL version 0.9.6. Just about nobody was using
+ it, it had no AES, and it hasn't seen any security patches since
+ 2004.
+ - Stop overloading the circuit_t.onionskin field for both "onionskin
+ from a CREATE cell that we are waiting for a cpuworker to be
+ assigned" and "onionskin from an EXTEND cell that we are going to
+ send to an OR as soon as we are connected". Might help with bug 600.
+ - Remove the tor_strpartition() function: its logic was confused,
+ and it was only used for one thing that could be implemented far
+ more easily.
+ - Remove the contrib scripts ExerciseServer.py, PathDemo.py,
+ and TorControl.py, as they use the old v0 controller protocol,
+ and are obsoleted by TorFlow anyway.
+ - Drop support for v1 rendezvous descriptors, since we never used
+ them anyway, and the code has probably rotted by now. Based on
+ patch from Karsten Loesing.
+ - Stop allowing address masks that do not correspond to bit prefixes.
+ We have warned about these for a really long time; now it's time
+ to reject them. (Patch from croup.)
+ - Remove an optimization in the AES counter-mode code that assumed
+ that the counter never exceeded 2^68. When the counter can be set
+ arbitrarily as an IV (as it is by Karsten's new hidden services
+ code), this assumption no longer holds.
+ - Disable the SETROUTERPURPOSE controller command: it is now
+ obsolete.
+
+
Changes in version 0.1.2.19 - 2008-01-17
Tor 0.1.2.19 fixes a huge memory leak on exit relays, makes the default
exit policy a little bit more conservative so it's safer to run an
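Review bot: the "Controller bugfixes" entries (the 1MB command-length limit, the 551 error on 'getinfo fingerprint', the GMT-only ADDRMAP expiry change) give no "Bugfix on" version, unlike the logging entry that states "Bugfix on 0.1.2.x"; since these notes summarize a whole stable series, add the version each bug first appeared in so operators upgrading from 0.1.2.x can tell which fixes affect them. Relatedly, the "desc/all-recent-extrainfo-hack" GETINFO is described under "Controller features" as "ugly, temporary" but does not appear under "Newly deprecated features"; either list it there or state its planned removal so controller authors do not build on it.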