ChangeLog 218 KB
Newer Older
1
Changes in version 0.2.0.1-alpha - 2007-??-??
2
3
4
5
6
7
8
  o Major features:
    - Change the way that Tor buffers data that it is waiting to write.
      Instead of queueing data cells in an enormous ring buffer for each
      client->OR or OR->OR connection, we now queue cells on a separate
      queue for each circuit.  This lets us use less slack memory, and
      will eventually let us be smarter about prioritizing different kinds
      of traffic.
9
10
    - Use memory pools to allocate cells with better speed and memory
      efficiency, especially on platforms where malloc() is inefficient.
11
12
    - Stop reading on edge connections when their corresponding circuit
      buffers are full; start again as the circuits empty out.
13
14
15
16
    - New config options RelayBandwidthRate and RelayBandwidthBurst:
      a separate set of token buckets for relayed traffic. Right now
      relayed traffic is defined as answers to directory requests, and
      OR connections that don't have any local circuits on them.
17
18
19
    - Make PreferTunneledDirConns and TunnelDirConns work even when
      we have no cached directory info. This means Tor clients can now
      do all of their connections protected by TLS.
20
21
22
    - Add an HSAuthorityRecordStats option that hidden service authorities
      can use to track statistics of overall hidden service usage without
      logging information that would be very useful to an attacker.
23
24
    - Start work implementing proposal 103: Add a standalone tool to
      generate key certificates.
25

26
27
28
  o Security fixes:
    - Directory authorities now call routers stable if they have an
      uptime of at least 30 days, even if that's not the median uptime
29
      in the network. Implements proposal 107, suggested by Kevin Bauer
30
31
      and Damon McCoy.

Roger Dingledine's avatar
Roger Dingledine committed
32
33
34
35
36
  o Crash fixes:
    - If a directory server runs out of space in the connection table
      as it's processing a begin_dir request, it will free the exit stream
      but leave it attached to the circuit, leading to unpredictable
      behavior. (Reported by seeess, fixes bug 425.)
37
38
    - Fix a bug in dirserv_remove_invalid() that would cause authorities
      to corrupt memory under some really unlikely scenarios.
Roger Dingledine's avatar
Roger Dingledine committed
39

40
41
42
  o Major bugfixes:
    - If a directory authority is down, skip it when deciding where to get
      networkstatus objects or descriptors. Otherwise we keep asking
43
44
45
46
47
48
49
      every 10 seconds forever. Fixes bug 384.
    - Count it as a failure if we fetch a valid network-status but we 
      don't want to keep it. Otherwise we'll keep fetching it and keep
      not wanting to keep it. Fixes part of bug 422.
    - If all of our dirservers have given us bad or no networkstatuses 
      lately, then stop hammering them once per minute even when we
      think they're failed. Fixes another part of bug 422.
50

51
  o Minor fixes (resource management):
52
53
54
    - Count the number of open sockets separately from the number
      of active connection_t objects. This will let us avoid underusing
      our allocated connection limit.
55
    - We no longer use socket pairs to link an edge connection to an
56
57
58
59
60
      anonymous directory connection or a dirport test connection.
      Instead, we track the link internally and transfer the data
      in-process. This saves two sockets per "linked" connection (at the
      client and at the server), and avoids the nasty Windows socketpair()
      workaround.
61
62
    - Keep unused 4k and 16k buffers on free lists, rather than wasting 8k
      for every single inactive connection_t.
Roger Dingledine's avatar
Roger Dingledine committed
63
64
    - Free items from the 4k/16k-buffer free lists when they haven't been
      used for a while.
65

66
  o Minor features (build):
67
    - Make autoconf search for libevent, openssl, and zlib consistently.
68
    - Update deprecated macros in configure.in.
69
70
71
    - When warning about missing headers, tell the user to let us
      know if the compile succeeds anyway, so we can downgrade the
      warning.
72
73
74
75
    - Include the current subversion revision as part of the version
      string: either fetch it directly if we're in an SVN checkout, do
      some magic to guess it if we're in an SVK checkout, or use
      the last-detected version if we're building from a .tar.gz.
76

77
78
  o Minor features (logging):
    - Always prepend "Bug: " to any log message about a bug.
79
80
    - Put a platform string (e.g. "Linux i686") in the startup log
      message, so when people paste just their logs, we know if it's
81
      OpenBSD or Windows or what.
82
83
    - When logging memory usage, break down memory used in buffers by
      buffer type.
84

85
86
  o Minor features (directory system):
    - Directory authorities accept and serve "extra info" documents for
87
88
89
90
91
92
      routers.  These documents contain fields from router descriptors
      that aren't usually needed, and that use a lot of excess
      bandwidth. Once these fields are removed from router descriptors,
      the bandwidth savings should be about 60%.  (Limitation: servers
      do not yet upload extra-info documents.)  [Partially implements
      proposal 104.]
93
94
95
    - Directory authorities allow multiple router descriptors and/or extra
      info documents to be uploaded in a single go.  This will make
      implementing proposal 104 simpler.
96
97
98
    - New config option V2AuthoritativeDirectory that all directory
      authorities should set. This will let future authorities choose
      not to serve V2 directory information.
99

100
  o Minor features (controller):
101
102
103
    - Add a new config option __DisablePredictedCircuits designed for
      use by the controller, when we don't want Tor to build any circuits
      preemptively.
104
105
    - Let the controller specify HOP=%d as an argument to ATTACHSTREAM,
      so we can exit from the middle of the circuit.
106
    - Implement "getinfo status/circuit-established".
107
108
109
    - Implement "getinfo status/version/..." so a controller can tell
      whether the current version is recommended, and whether any versions
      are good, and how many authorities agree. (Patch from shibz.)
110
111
112

  o Minor features (other):
    - More unit tests.
113

114
115
116
117
118
  o Removed features:
    - Removed support for the old binary "version 0" controller protocol.
      This has been deprecated since 0.1.1, and warnings have been issued
      since 0.1.2.  When we encounter a v0 control message, we now send back
      an error and close the connection.
119
120
121
    - Remove the old "dns worker" server DNS code: it hasn't been default
      since 0.1.2.2-alpha, and all the servers seem to be using the new
      eventdns code.
122

123
  o Minor bugfixes (portability):
Roger Dingledine's avatar
Roger Dingledine committed
124
125
    - Even though Windows is equally happy with / and \ as path separators,
      try to use \ consistently on Windows and / consistently on Unix: it
126
      makes the log messages nicer.
127
128
129
130
131
132
133
    - Correctly report platform name on Windows 95 OSR2 and Windows 98 SE.

  o Minor bugfixes (directory):
    - Correctly enforce that elements of directory objects do not appear
      more often than they are allowed to appear.
    - When we are reporting the DirServer line we just parsed, we were
      logging the second stanza of the key fingerprint, not the first.
134
    - When we have k non-v2 authorities in our DirServer config,
Roger Dingledine's avatar
Roger Dingledine committed
135
      we ignored the last k authorities in the list when updating our
136
      network-statuses.
137

138
  o Minor bugfixes (other):
139
    - Stop allowing hibernating servers to be "stable" or "fast".
140
    - Check return values from pthread_mutex functions.
141
142
143
    - Don't save non-general-purpose router descriptors to the disk cache,
      because we have no way of remembering what their purpose was when
      we restart.
144
    - Add even more asserts to hunt down bug 417.
145
146
    - On Windows, we were preventing other processes from reading
      cached-routers while Tor was running.  (Reported by janbar)
147

148
  o Minor bugfixes (controller):
149
    - Make 'getinfo fingerprint' return a 551 error if we're not a
150
151
      server, so we match what the control spec claims we do. Reported
      by daejees.
152
    - Fix a typo in an error message when extendcircuit fails that
153
154
      caused us to not follow the \r\n-based delimiter protocol. Reported
      by daejees.
155
156
157
    - Actually set the purpose correctly for descriptors inserted with
      purpose=controller.

Roger Dingledine's avatar
Roger Dingledine committed
158
  o Code simplifications and refactoring:
159
160
    - Stop passing around circuit_t and crypt_path_t pointers that are
      implicit in other procedure arguments.
161
    - Drop the old code to choke directory connections when the corresponding
162
      OR connections got full: thanks to the cell queue feature, OR conns
163
      don't get full any more.
164
165
    - Make dns_resolve() handle attaching connections to circuits
      properly, so the caller doesn't have to.
166
    - Rename wants_to_read and wants_to_write to read/write_blocked_on_bw.
167

168
169
170
171
172
173
174
175
176

Changes in version 0.1.2.13 - 2007-04-24
  o Minor fixes:
    - Fix a memory leak when we ask for "all" networkstatuses and we
      get one we don't recognize.
    - Add more asserts to hunt down bug 417.
    - Disable kqueue on OS X 10.3 and earlier, to fix bug 371.


177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
Changes in version 0.1.2.12-rc - 2007-03-16
  o Major bugfixes:
    - Fix an infinite loop introduced in 0.1.2.7-alpha when we serve
      directory information requested inside Tor connections (i.e. via
      begin_dir cells). It only triggered when the same connection was
      serving other data at the same time. Reported by seeess.

  o Minor bugfixes:
    - When creating a circuit via the controller, send a 'launched'
      event when we're done, so we follow the spec better.


Changes in version 0.1.2.11-rc - 2007-03-15
  o Minor bugfixes (controller), reported by daejees:
    - Correct the control spec to match how the code actually responds
      to 'getinfo addr-mappings/*'.
    - The control spec described a GUARDS event, but the code
      implemented a GUARD event. Standardize on GUARD, but let people
      ask for GUARDS too.


198
Changes in version 0.1.2.10-rc - 2007-03-07
199
  o Major bugfixes (Windows):
200
    - Do not load the NT services library functions (which may not exist)
201
202
      just to detect if we're a service trying to shut down. Now we run
      on Win98 and friends again.
203

204
205
  o Minor bugfixes (other):
    - Clarify a couple of log messages.
206
    - Fix a misleading socks5 error number.
207

208

Roger Dingledine's avatar
Roger Dingledine committed
209
Changes in version 0.1.2.9-rc - 2007-03-02
210
211
212
213
214
215
216
217
  o Major bugfixes (Windows):
    - On MinGW, use "%I64u" to printf/scanf 64-bit integers, instead
      of the usual GCC "%llu". This prevents a bug when saving 64-bit
      int configuration values: the high-order 32 bits would get
      truncated. In particular, we were being bitten by the default
      MaxAdvertisedBandwidth of 128 TB turning into 0. (Fixes bug 400
      and maybe also bug 397.)

218
219
220
221
  o Minor bugfixes (performance):
    - Use OpenSSL's AES implementation on platforms where it's faster.
      This could save us as much as 10% CPU usage.

222
223
224
225
  o Minor bugfixes (server):
    - Do not rotate onion key immediately after setting it for the first
      time.

226
  o Minor bugfixes (directory authorities):
227
228
229
230
231
    - Stop calling servers that have been hibernating for a long time
      "stable". Also, stop letting hibernating or obsolete servers affect
      uptime and bandwidth cutoffs.
    - Stop listing hibernating servers in the v1 directory.

232
233
234
235
  o Minor bugfixes (hidden services):
    - Upload hidden service descriptors slightly less often, to reduce
      load on authorities.

236
237
238
  o Minor bugfixes (other):
    - Fix an assert that could trigger if a controller quickly set then
      cleared EntryNodes.  (Bug found by Udo van den Heuvel.)
239
240
    - On architectures where sizeof(int)>4, still clamp declarable bandwidth
      to INT32_MAX.
241
242
    - Fix a potential race condition in the rpm installer.  Found by
      Stefan Nordhausen.
243
244
245
246
    - Try to fix eventdns warnings once and for all: do not treat a dns rcode
      of 2 as indicating that the server is completely bad; it sometimes
      means that the server is just bad for the request in question. (may fix
      the last of bug 326.)
247
248
249
    - Disable encrypted directory connections when we don't have a server
      descriptor for the destination. We'll get this working again in
      the 0.2.0 branch.
250

251

252
Changes in version 0.1.2.8-beta - 2007-02-26
253
254
255
  o Major bugfixes (crashes):
    - Stop crashing when the controller asks us to resetconf more than
      one config option at once. (Vidalia 0.0.11 does this.)
256
    - Fix a crash that happened on Win98 when we're given command-line
257
258
259
      arguments: don't try to load NT service functions from advapi32.dll
      except when we need them. (Bug introduced in 0.1.2.7-alpha;
      resolves bug 389.)
260
261
262
263
264
265
    - Fix a longstanding obscure crash bug that could occur when
      we run out of DNS worker processes. (Resolves bug 390.)

  o Major bugfixes (hidden services):
    - Correctly detect whether hidden service descriptor downloads are
      in-progress. (Suggested by Karsten Loesing; fixes bug 399.)
266
267
268
269

  o Major bugfixes (accounting):
    - When we start during an accounting interval before it's time to wake
      up, remember to wake up at the correct time. (May fix bug 342.)
270

271
272
  o Minor bugfixes (controller):
    - Give the controller END_STREAM_REASON_DESTROY events _before_ we
273
274
275
      clear the corresponding on_circuit variable, and remember later
      that we don't need to send a redundant CLOSED event.  (Resolves part
      3 of bug 367.)
276
    - Report events where a resolve succeeded or where we got a socks
Roger Dingledine's avatar
Roger Dingledine committed
277
278
      protocol error correctly, rather than calling both of them
      "INTERNAL".
279
280
    - Change reported stream target addresses to IP consistently when
      we finally get the IP from an exit node.
281
282
    - Send log messages to the controller even if they happen to be very
      long.
283

284
  o Minor bugfixes (other):
Roger Dingledine's avatar
Roger Dingledine committed
285
286
287
288
289
290
    - Display correct results when reporting which versions are
      recommended, and how recommended they are. (Resolves bug 383.)
    - Improve our estimates for directory bandwidth to be less random:
      guess that an unrecognized directory will have the average bandwidth
      from all known directories, not that it will have the average
      bandwidth from those directories earlier than it on the list.
291
292
    - If we start a server with ClientOnly 1, then set ClientOnly to 0
      and hup, stop triggering an assert based on an empty onion_key.
293
294
295
296
297
298
    - On platforms with no working mmap() equivalent, don't warn the
      user when cached-routers doesn't exist.
    - Warn the user when mmap() [or its equivalent] fails for some reason
      other than file-not-found.
    - Don't warn the user when cached-routers.new doesn't exist: that's
      perfectly fine when starting up for the first time.
Roger Dingledine's avatar
Roger Dingledine committed
299
300
    - When EntryNodes are configured, rebuild the guard list to contain,
      in order: the EntryNodes that were guards before; the rest of the
301
      EntryNodes; the nodes that were guards before.
Roger Dingledine's avatar
Roger Dingledine committed
302
303
304
305
306
307
308
309
310
311
312
    - Mask out all signals in sub-threads; only the libevent signal
      handler should be processing them. This should prevent some crashes
      on some machines using pthreads. (Patch from coderman.)
    - Fix switched arguments on memset in the implementation of
      tor_munmap() for systems with no mmap() call.
    - When Tor receives a router descriptor that it asked for, but
      no longer wants (because it has received fresh networkstatuses
      in the meantime), do not warn the user.  Cache the descriptor if
      we're a cache; drop it if we aren't.
    - Make earlier entry guards _really_ get retried when the network
      comes back online.
313
314
    - On a malformed DNS reply, always give an error to the corresponding
      DNS request.
315
316
    - Build with recent libevents on platforms that do not define the
      nonstandard types "u_int8_t" and friends.
317

318
  o Minor features (controller):
Roger Dingledine's avatar
Roger Dingledine committed
319
320
321
322
    - Warn the user when an application uses the obsolete binary v0
      control protocol.  We're planning to remove support for it during
      the next development series, so it's good to give people some
      advance warning.
Roger Dingledine's avatar
Roger Dingledine committed
323
324
325
326
327
328
329
330
    - Add STREAM_BW events to report per-entry-stream bandwidth
      use. (Patch from Robert Hogan.)
    - Rate-limit SIGNEWNYM signals in response to controllers that
      impolitely generate them for every single stream. (Patch from
      mwenge; closes bug 394.)
    - Make REMAP stream events have a SOURCE (cache or exit), and
      make them generated in every case where we get a successful
      connected or resolved cell.
331

332
  o Minor bugfixes (performance):
Roger Dingledine's avatar
Roger Dingledine committed
333
    - Call router_have_min_dir_info half as often. (This is showing up in
334
      some profiles, but not others.)
Roger Dingledine's avatar
Roger Dingledine committed
335
    - When using GCC, make log_debug never get called at all, and its
336
337
      arguments never get evaluated, when no debug logs are configured.
      (This is showing up in some profiles, but not others.)
338

339
  o Minor features:
340
341
    - Remove some never-implemented options.  Mark PathlenCoinWeight as
      obsolete.
342
    - Implement proposal 106: Stop requiring clients to have well-formed
Roger Dingledine's avatar
Roger Dingledine committed
343
344
345
346
347
      certificates; stop checking nicknames in certificates. (Clients
      have certificates so that they can look like Tor servers, but in
      the future we might want to allow them to look like regular TLS
      clients instead. Nicknames in certificates serve no purpose other
      than making our protocol easier to recognize on the wire.)
348
349
    - Revise messages on handshake failure again to be even more clear about
      which are incoming connections and which are outgoing.
350
351
    - Discard any v1 directory info that's over 1 month old (for
      directories) or over 1 week old (for running-routers lists).
352
    - Do not warn when individual nodes in the configuration's EntryNodes,
Roger Dingledine's avatar
Roger Dingledine committed
353
354
      ExitNodes, etc are down: warn only when all possible nodes
      are down. (Fixes bug 348.)
355
    - Always remove expired routers and networkstatus docs before checking
Roger Dingledine's avatar
Roger Dingledine committed
356
357
      whether we have enough information to build circuits. (Fixes
      bug 373.)
358
    - Put a lower-bound on MaxAdvertisedBandwidth.
359
360


361
Changes in version 0.1.2.7-alpha - 2007-02-06
362
  o Major bugfixes (rate limiting):
363
364
365
    - Servers decline directory requests much more aggressively when
      they're low on bandwidth. Otherwise they end up queueing more and
      more directory responses, which can't be good for latency.
366
    - But never refuse directory requests from local addresses.
367
368
    - Fix a memory leak when sending a 503 response for a networkstatus
      request.
369
370
    - Be willing to read or write on local connections (e.g. controller
      connections) even when the global rate limiting buckets are empty.
371
372
373
    - If our system clock jumps back in time, don't publish a negative
      uptime in the descriptor. Also, don't let the global rate limiting
      buckets go absurdly negative.
374
375
376
377
    - Flush local controller connection buffers periodically as we're
      writing to them, so we avoid queueing 4+ megabytes of data before
      trying to flush.

378
  o Major bugfixes (NT services):
379
    - Install as NT_AUTHORITY\LocalService rather than as SYSTEM; add a
380
      command-line flag so that admins can override the default by saying
381
      "tor --service install --user "SomeUser"".  This will not affect
382
383
384
385
386
      existing installed services.  Also, warn the user that the service
      will look for its configuration file in the service user's
      %appdata% directory.  (We can't do the 'hardwire the user's appdata
      directory' trick any more, since we may not have read access to that
      directory.)
387

388
389
390
391
  o Major bugfixes (other):
    - Previously, we would cache up to 16 old networkstatus documents
      indefinitely, if they came from nontrusted authorities. Now we
      discard them if they are more than 10 days old.
392
393
    - Fix a crash bug in the presence of DNS hijacking (reported by Andrew
      Del Vecchio).
394
395
    - Detect and reject malformed DNS responses containing circular
      pointer loops.
396
397
398
399
400
401
402
403
404
    - If exits are rare enough that we're not marking exits as guards,
      ignore exit bandwidth when we're deciding the required bandwidth
      to become a guard.
    - When we're handling a directory connection tunneled over Tor,
      don't fill up internal memory buffers with all the data we want
      to tunnel; instead, only add it if the OR connection that will
      eventually receive it has some room for it. (This can lead to
      slowdowns in tunneled dir connections; a better solution will have
      to wait for 0.2.0.)
405

406
  o Minor bugfixes (dns):
407
408
    - Add some defensive programming to eventdns.c in an attempt to catch
      possible memory-stomping bugs.
409
    - Detect and reject DNS replies containing IPv4 or IPv6 records with
410
411
412
      an incorrect number of bytes. (Previously, we would ignore the
      extra bytes.)
    - Fix as-yet-unused reverse IPv6 lookup code so it sends nybbles
413
      in the correct order, and doesn't crash.
414
415
    - Free memory held in recently-completed DNS lookup attempts on exit.
      This was not a memory leak, but may have been hiding memory leaks.
416
417
418
419
420
421
422
423
424
425
426
427
428
429
    - Handle TTL values correctly on reverse DNS lookups.
    - Treat failure to parse resolv.conf as an error.

  o Minor bugfixes (other):
    - Fix crash with "tor --list-fingerprint" (reported by seeess).
    - When computing clock skew from directory HTTP headers, consider what
      time it was when we finished asking for the directory, not what
      time it is now.
    - Expire socks connections if they spend too long waiting for the
      handshake to finish. Previously we would let them sit around for
      days, if the connecting application didn't close them either.
    - And if the socks handshake hasn't started, don't send a
      "DNS resolve socks failed" handshake reply; just close it.
    - Stop using C functions that OpenBSD's linker doesn't like.
430
    - Don't launch requests for descriptors unless we have networkstatuses
431
432
433
434
435
      from at least half of the authorities.  This delays the first
      download slightly under pathological circumstances, but can prevent
      us from downloading a bunch of descriptors we don't need.
    - Do not log IPs with TLS failures for incoming TLS
      connections. (Fixes bug 382.)
436
    - If the user asks to use invalid exit nodes, be willing to use
437
      unstable ones.
438
    - Stop using the reserved ac_cv namespace in our configure script.
439
    - Call stat() slightly less often; use fstat() when possible.
440
441
    - Refactor the way we handle pending circuits when an OR connection
      completes or fails, in an attempt to fix a rare crash bug.
442
443
444
    - Only rewrite a conn's address based on X-Forwarded-For: headers
      if it's a parseable public IP address; and stop adding extra quotes
      to the resulting address.
445

446
447
448
  o Major features:
    - Weight directory requests by advertised bandwidth. Now we can
      let servers enable write limiting but still allow most clients to
449
450
      succeed at their directory requests. (We still ignore weights when
      choosing a directory authority; I hope this is a feature.)
451

Roger Dingledine's avatar
Roger Dingledine committed
452
  o Minor features:
453
    - Create a new file ReleaseNotes which was the old ChangeLog. The
454
455
      new ChangeLog file now includes the summaries for all development
      versions too.
456
457
458
    - Check for addresses with invalid characters at the exit as well
      as at the client, and warn less verbosely when they fail. You can
      override this by setting ServerDNSAllowNonRFC953Addresses to 1.
Roger Dingledine's avatar
Roger Dingledine committed
459
460
    - Adapt a patch from goodell to let the contrib/exitlist script
      take arguments rather than require direct editing.
461
462
463
    - Inform the server operator when we decide not to advertise a
      DirPort due to AccountingMax enabled or a low BandwidthRate. It
      was confusing Zax, so now we're hopefully more helpful.
464
465
466
467
    - Bring us one step closer to being able to establish an encrypted
      directory tunnel without knowing a descriptor first. Still not
      ready yet. As part of the change, now assume we can use a
      create_fast cell if we don't know anything about a router.
468
    - Allow exit nodes to use nameservers running on ports other than 53.
469
    - Servers now cache reverse DNS replies.
470
471
472
473
    - Add an --ignore-missing-torrc command-line option so that we can
      get the "use sensible defaults if the configuration file doesn't
      exist" behavior even when specifying a torrc location on the command
      line.
Roger Dingledine's avatar
Roger Dingledine committed
474
475

  o Minor features (controller):
476
477
478
479
    - Track reasons for OR connection failure; make these reasons
      available via the controller interface. (Patch from Mike Perry.)
    - Add a SOCKS_BAD_HOSTNAME client status event so controllers
      can learn when clients are sending malformed hostnames to Tor.
Roger Dingledine's avatar
Roger Dingledine committed
480
    - Clean up documentation for controller status events.
481
482
483
484
    - Add a REMAP status to stream events to note that a stream's
      address has changed because of a cached address or a MapAddress
      directive.

485

486
487
488
Changes in version 0.1.2.6-alpha - 2007-01-09
  o Major bugfixes:
    - Fix an assert error introduced in 0.1.2.5-alpha: if a single TLS
489
490
491
      connection handles more than 4 gigs in either direction, we crash.
    - Fix an assert error introduced in 0.1.2.5-alpha: if we're an
      advertised exit node, somebody might try to exit from us when
492
      we're bootstrapping and before we've built our descriptor yet.
493
      Refuse the connection rather than crashing.
494
495
496
497
498
499
500
501
502
503
504

  o Minor bugfixes:
    - Warn if we (as a server) find that we've resolved an address that we
      weren't planning to resolve.
    - Warn that using select() on any libevent version before 1.1 will be
      unnecessarily slow (even for select()).
    - Flush ERR-level controller status events just like we currently
      flush ERR-level log events, so that a Tor shutdown doesn't prevent
      the controller from learning about current events.

  o Minor features (more controller status events):
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
    - Implement EXTERNAL_ADDRESS server status event so controllers can
      learn when our address changes.
    - Implement BAD_SERVER_DESCRIPTOR server status event so controllers
      can learn when directories reject our descriptor.
    - Implement SOCKS_UNKNOWN_PROTOCOL client status event so controllers
      can learn when a client application is speaking a non-socks protocol
      to our SocksPort.
    - Implement DANGEROUS_SOCKS client status event so controllers
      can learn when a client application is leaking DNS addresses.
    - Implement BUG general status event so controllers can learn when
      Tor is unhappy about its internal invariants.
    - Implement CLOCK_SKEW general status event so controllers can learn
      when Tor thinks the system clock is set incorrectly.
    - Implement GOOD_SERVER_DESCRIPTOR and ACCEPTED_SERVER_DESCRIPTOR
      server status events so controllers can learn when their descriptors
      are accepted by a directory.
    - Implement CHECKING_REACHABILITY and REACHABILITY_{SUCCEEDED|FAILED}
      server status events so controllers can learn about Tor's progress in
      deciding whether it's reachable from the outside.
524
525
526
    - Implement BAD_LIBEVENT general status event so controllers can learn
      when we have a version/method combination in libevent that needs to
      be changed.
527
528
529
    - Implement NAMESERVER_STATUS, NAMESERVER_ALL_DOWN, DNS_HIJACKED,
      and DNS_USELESS server status events so controllers can learn
      about changes to DNS server status.
530

531
  o Minor features (directory):
532
533
    - Authorities no longer recommend exits as guards if this would shift
      too much load to the exit nodes.
534

535

536
Changes in version 0.1.2.5-alpha - 2007-01-06
537
  o Major features:
538
539
540
    - Enable write limiting as well as read limiting. Now we sacrifice
      capacity if we're pushing out lots of directory traffic, rather
      than overrunning the user's intended bandwidth limits.
541
    - Include TLS overhead when counting bandwidth usage; previously, we
542
543
      would count only the bytes sent over TLS, but not the bytes used
      to send them.
544
545
546
547
548
549
550
551
552
553
554
    - Support running the Tor service with a torrc not in the same
      directory as tor.exe and default to using the torrc located in
      the %appdata%\Tor\ of the user who installed the service. Patch
      from Matt Edman.
    - Servers now check for the case when common DNS requests are going to
      wildcarded addresses (i.e. all getting the same answer), and change
      their exit policy to reject *:* if it's happening.
    - Implement BEGIN_DIR cells, so we can connect to the directory
      server via TLS to do encrypted directory requests rather than
      plaintext. Enable via the TunnelDirConns and PreferTunneledDirConns
      config options if you like.
555

556
  o Minor features (config and docs):
557
    - Start using the state file to store bandwidth accounting data:
Roger Dingledine's avatar
Roger Dingledine committed
558
      the bw_accounting file is now obsolete. We'll keep generating it
559
      for a while for people who are still using 0.1.2.4-alpha.
Roger Dingledine's avatar
Roger Dingledine committed
560
561
562
    - Try to batch changes to the state file so that we do as few
      disk writes as possible while still storing important things in
      a timely fashion.
563
    - The state file and the bw_accounting file get saved less often when
564
      the AvoidDiskWrites config option is set.
565
    - Make PIDFile work on Windows (untested).
566
567
568
    - Add internal descriptions for a bunch of configuration options:
      accessible via controller interface and in comments in saved
      options files.
569
    - Reject *:563 (NNTPS) in the default exit policy. We already reject
570
      NNTP by default, so this seems like a sensible addition.
571
572
573
574
    - Clients now reject hostnames with invalid characters. This should
      avoid some inadvertent info leaks. Add an option
      AllowNonRFC953Hostnames to disable this behavior, in case somebody
      is running a private network with hosts called @, !, and #.
575
    - Add a maintainer script to tell us which options are missing
576
      documentation: "make check-docs".
577
578
579
580
581
582
583
584
585
586
587
588
589
    - Add a new address-spec.txt document to describe our special-case
      addresses: .exit, .onion, and .noconnnect.

  o Minor features (DNS):
    - Ongoing work on eventdns infrastructure: now it has dns server
      and ipv6 support. One day Tor will make use of it.
    - Add client-side caching for reverse DNS lookups.
    - Add support to tor-resolve tool for reverse lookups and SOCKS5.
    - When we change nameservers or IP addresses, reset and re-launch
      our tests for DNS hijacking.

  o Minor features (directory):
    - Authorities now specify server versions in networkstatus. This adds
590
      about 2% to the size of compressed networkstatus docs, and allows
591
592
593
594
      clients to tell which servers support BEGIN_DIR and which don't.
      The implementation is forward-compatible with a proposed future
      protocol version scheme not tied to Tor versions.
    - DirServer configuration lines now have an orport= option so
595
596
597
      clients can open encrypted tunnels to the authorities without
      having downloaded their descriptors yet. Enabled for moria1,
      moria2, tor26, and lefkada now in the default configuration.
598
599
600
601
    - Directory servers are more willing to send a 503 "busy" if they
      are near their write limit, especially for v1 directory requests.
      Now they can use their limited bandwidth for actual Tor traffic.
    - Clients track responses with status 503 from dirservers. After a
602
603
      dirserver has given us a 503, we try not to use it until an hour has
      gone by, or until we have no dirservers that haven't given us a 503.
604
    - When we get a 503 from a directory, and we're not a server, we don't
605
606
607
      count the failure against the total number of failures allowed
      for the thing we're trying to download.
    - Report X-Your-Address-Is correctly from tunneled directory
608
      connections; don't report X-Your-Address-Is when it's an internal
609
610
      address; and never believe reported remote addresses when they're
      internal.
611
    - Protect against an unlikely DoS attack on directory servers.
612
    - Add a BadDirectory flag to network status docs so that authorities
613
614
      can (eventually) tell clients about caches they believe to be
      broken.
615

616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
  o Minor features (controller):
    - Have GETINFO dir/status/* work on hosts with DirPort disabled.
    - Reimplement GETINFO so that info/names stays in sync with the
      actual keys.
    - Implement "GETINFO fingerprint".
    - Implement "SETEVENTS GUARD" so controllers can get updates on
      entry guard status as it changes.

  o Minor features (clean up obsolete pieces):
    - Remove some options that have been deprecated since at least
      0.1.0.x: AccountingMaxKB, LogFile, DebugLogFile, LogLevel, and
      SysLog. Use AccountingMax instead of AccountingMaxKB, and use Log
      to set log options.
    - We no longer look for identity and onion keys in "identity.key" and
      "onion.key" -- these were replaced by secret_id_key and
      secret_onion_key in 0.0.8pre1.
    - We no longer require unrecognized directory entries to be
      preceded by "opt".

  o Major bugfixes (security):
636
637
638
639
640
641
642
643
644
645
646
    - Stop sending the HttpProxyAuthenticator string to directory
      servers when directory connections are tunnelled through Tor.
    - Clients no longer store bandwidth history in the state file.
    - Do not log introduction points for hidden services if SafeLogging
      is set.
    - When generating bandwidth history, round down to the nearest
      1k. When storing accounting data, round up to the nearest 1k.
    - When we're running as a server, remember when we last rotated onion
      keys, so that we will rotate keys once they're a week old even if
      we never stay up for a week ourselves.

647
  o Major bugfixes (other):
648
    - Fix a longstanding bug in eventdns that prevented the count of
Roger Dingledine's avatar
Roger Dingledine committed
649
650
651
      timed-out resolves from ever being reset. This bug caused us to
      give up on a nameserver the third time it timed out, and try it
      10 seconds later... and to give up on it every time it timed out
652
      after that.
653
654
655
656
    - Take out the '5 second' timeout from the connection retry
      schedule. Now the first connect attempt will wait a full 10
      seconds before switching to a new circuit. Perhaps this will help
      a lot. Based on observations from Mike Perry.
Roger Dingledine's avatar
Roger Dingledine committed
657
    - Fix a bug on the Windows implementation of tor_mmap_file() that
658
659
      would prevent the cached-routers file from ever loading. Reported
      by John Kimble.
660
661

  o Minor bugfixes:
Roger Dingledine's avatar
Roger Dingledine committed
662
    - Fix an assert failure when a directory authority sets
663
      AuthDirRejectUnlisted and then receives a descriptor from an
664
665
666
667
      unlisted router. Reported by seeess.
    - Avoid a double-free when parsing malformed DirServer lines.
    - Fix a bug when a BSD-style PF socket is first used. Patch from
      Fabian Keil.
668
669
670
    - Fix a bug in 0.1.2.2-alpha that prevented clients from asking
      to resolve an address at a given exit node even when they ask for
      it by name.
671
672
673
    - Servers no longer ever list themselves in their "family" line,
      even if configured to do so. This makes it easier to configure
      family lists conveniently.
Roger Dingledine's avatar
Roger Dingledine committed
674
675
676
677
    - When running as a server, don't fall back to 127.0.0.1 when no
      nameservers are configured in /etc/resolv.conf; instead, make the
      user fix resolv.conf or specify nameservers explicitly. (Resolves
      bug 363.)
678
    - Stop accepting certain malformed ports in configured exit policies.
679
680
    - Don't re-write the fingerprint file every restart, unless it has
      changed.
681
    - Stop warning when a single nameserver fails: only warn when _all_ of
682
683
      our nameservers have failed. Also, when we only have one nameserver,
      raise the threshold for deciding that the nameserver is dead.
684
685
    - Directory authorities now only decide that routers are reachable
      if their identity keys are as expected.
686
687
    - When the user uses bad syntax in the Log config line, stop
      suggesting other bad syntax as a replacement.
688
    - Correctly detect ipv6 DNS capability on OpenBSD.
689

690
691
692
  o Minor bugfixes (controller):
    - Report the circuit number correctly in STREAM CLOSED events. Bug
      reported by Mike Perry.
693
    - Do not report bizarre values for results of accounting GETINFOs
694
      when the last second's write or read exceeds the allotted bandwidth.
695
696
    - Report "unrecognized key" rather than an empty string when the
      controller tries to fetch a networkstatus that doesn't exist.
697
698


699
700
701
702
703
704
705
706
707
708
709
710
711
712
Changes in version 0.1.1.26 - 2006-12-14
  o Security bugfixes:
    - Stop sending the HttpProxyAuthenticator string to directory
      servers when directory connections are tunnelled through Tor.
    - Clients no longer store bandwidth history in the state file.
    - Do not log introduction points for hidden services if SafeLogging
      is set.

  o Minor bugfixes:
    - Fix an assert failure when a directory authority sets
      AuthDirRejectUnlisted and then receives a descriptor from an
      unlisted router (reported by seeess).


713
Changes in version 0.1.2.4-alpha - 2006-12-03
714
715
716
717
  o Major features:
    - Add support for using natd; this allows FreeBSDs earlier than
      5.1.2 to have ipfw send connections through Tor without using
      SOCKS. (Patch from Zajcev Evgeny with tweaks from tup.)
718

719
720
721
722
723
724
725
726
727
  o Minor features:
    - Make all connections to addresses of the form ".noconnect"
      immediately get closed. This lets application/controller combos
      successfully test whether they're talking to the same Tor by
      watching for STREAM events.
    - Make cross.sh cross-compilation script work even when autogen.sh
      hasn't been run. (Patch from Michael Mohr.)
    - Statistics dumped by -USR2 now include a breakdown of public key
      operations, for profiling.
728

729
730
731
732
  o Major bugfixes:
    - Fix a major leak when directory authorities parse their
      approved-routers list, a minor memory leak when we fail to pick
      an exit node, and a few rare leaks on errors.
733
    - Handle TransPort connections even when the server sends data before
734
      the client sends data. Previously, the connection would just hang
735
736
      until the client sent data. (Patch from tup based on patch from
      Zajcev Evgeny.)
737
738
    - Avoid assert failure when our cached-routers file is empty on
      startup.
739

740
  o Minor bugfixes:
741
742
    - Don't log spurious warnings when we see a circuit close reason we
      don't recognize; it's probably just from a newer version of Tor.
743
744
    - Have directory authorities allow larger amounts of drift in uptime
      without replacing the server descriptor: previously, a server that
745
746
      restarted every 30 minutes could have 48 "interesting" descriptors
      per day.
747
748
    - Start linking to the Tor specification and Tor reference manual
      correctly in the Windows installer.
749
750
751
752
753
754
    - Add Vidalia to the OS X uninstaller script, so when we uninstall
      Tor/Privoxy we also uninstall Vidalia.
    - Resume building on Irix64, and fix a lot of warnings from its
      MIPSpro C compiler.
    - Don't corrupt last_guessed_ip in router_new_address_suggestion()
      when we're running as a client.
755

756

757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
Changes in version 0.1.1.25 - 2006-11-04
  o Major bugfixes:
    - When a client asks us to resolve (rather than connect to)
      an address, and we have a cached answer, give them the cached
      answer. Previously, we would give them no answer at all.
    - We were building exactly the wrong circuits when we predict
      hidden service requirements, meaning Tor would have to build all
      its circuits on demand.
    - If none of our live entry guards have a high uptime, but we
      require a guard with a high uptime, try adding a new guard before
      we give up on the requirement. This patch should make long-lived
      connections more stable on average.
    - When testing reachability of our DirPort, don't launch new
      tests when there's already one in progress -- unreachable
      servers were stacking up dozens of testing streams.

  o Security bugfixes:
    - When the user sends a NEWNYM signal, clear the client-side DNS
      cache too. Otherwise we continue to act on previous information.

  o Minor bugfixes:
    - Avoid a memory corruption bug when creating a hash table for
      the first time.
    - Avoid possibility of controller-triggered crash when misusing
      certain commands from a v0 controller on platforms that do not
      handle printf("%s",NULL) gracefully.
    - Avoid infinite loop on unexpected controller input.
    - Don't log spurious warnings when we see a circuit close reason we
      don't recognize; it's probably just from a newer version of Tor.
    - Add Vidalia to the OS X uninstaller script, so when we uninstall
      Tor/Privoxy we also uninstall Vidalia.


790
Changes in version 0.1.2.3-alpha - 2006-10-29
791
  o Minor features:
792
    - Prepare for servers to publish descriptors less often: never
793
      discard a descriptor simply for being too old until either it is
794
795
      recommended by no authorities, or until we get a better one for
      the same router. Make caches consider retaining old recommended
796
      routers for even longer.
797
798
799
    - If most authorities set a BadExit flag for a server, clients
      don't think of it as a general-purpose exit. Clients only consider
      authorities that advertise themselves as listing bad exits.
800
801
802
    - Directory servers now provide 'Pragma: no-cache' and 'Expires'
      headers for content, so that we can work better in the presence of
      caching HTTP proxies.
803
804
    - Allow authorities to list nodes as bad exits by fingerprint or by
      address.
805

806
  o Minor features, controller:
807
808
    - Add a REASON field to CIRC events; for backward compatibility, this
      field is sent only to controllers that have enabled the extended
809
810
811
      event format.  Also, add additional reason codes to explain why
      a given circuit has been destroyed or truncated. (Patches from
      Mike Perry)
812
813
    - Add a REMOTE_REASON field to extended CIRC events to tell the
      controller about why a remote OR told us to close a circuit.
814
815
    - Stream events also now have REASON and REMOTE_REASON fields,
      working much like those for circuit events.
816
    - There's now a GETINFO ns/... field so that controllers can ask Tor
817
818
819
      about the current status of a router.
    - A new event type "NS" to inform a controller when our opinion of
      a router's status has changed.
820
821
    - Add a GETINFO events/names and GETINFO features/names so controllers
      can tell which events and features are supported.
822
823
    - A new CLEARDNSCACHE signal to allow controllers to clear the
      client-side DNS cache without expiring circuits.
824

Roger Dingledine's avatar
Roger Dingledine committed
825
826
827
828
  o Security bugfixes:
    - When the user sends a NEWNYM signal, clear the client-side DNS
      cache too. Otherwise we continue to act on previous information.

829
  o Minor bugfixes:
830
831
832
833
834
835
836
837
    - Avoid sending junk to controllers or segfaulting when a controller
      uses EVENT_NEW_DESC with verbose nicknames.
    - Stop triggering asserts if the controller tries to extend hidden
      service circuits (reported by mwenge).
    - Avoid infinite loop on unexpected controller input.
    - When the controller does a "GETINFO network-status", tell it
      about even those routers whose descriptors are very old, and use
      long nicknames where appropriate.
838
    - Change NT service functions to be loaded on demand.  This lets us
839
      build with MinGW without breaking Tor for Windows 98 users.
840
841
842
843
    - Do DirPort reachability tests less often, since a single test
      chews through many circuits before giving up.
    - In the hidden service example in torrc.sample, stop recommending
      esoteric and discouraged hidden service options.
844
845
    - When stopping an NT service, wait up to 10 sec for it to actually
      stop.  (Patch from Matt Edman; resolves bug 295.)
846
847
848
    - Fix handling of verbose nicknames with ORCONN controller events:
      make them show up exactly when requested, rather than exactly when
      not requested.
849
    - When reporting verbose nicknames in entry_guards_getinfo(), avoid
850
851
852
853
854
855
856
857
858
859
860
      printing a duplicate "$" in the keys we send (reported by mwenge).
    - Correctly set maximum connection limit on Cygwin. (This time
      for sure!)
    - Try to detect Windows correctly when cross-compiling.
    - Detect the size of the routers file correctly even if it is
      corrupted (on systems without mmap) or not page-aligned (on systems
      with mmap). This bug was harmless.
    - Sometimes we didn't bother sending a RELAY_END cell when an attempt
      to open a stream fails; now we do in more cases. This should
      make clients able to find a good exit faster in some cases, since
      unhandleable requests will now get an error rather than timing out.
861
862
    - Resolve two memory leaks when rebuilding the on-disk router cache
      (reported by fookoowa).
863
864
    - Clean up minor code warnings suggested by the MIPSpro C compiler,
      and reported by some Centos users.
865
866
    - Controller signals now work on non-Unix platforms that don't define
      SIGUSR1 and SIGUSR2 the way we expect.
867
868
    - Patch from Michael Mohr to contrib/cross.sh, so it checks more
      values before failing, and always enables eventdns.
869
870
871
872
    - Libevent-1.2 exports, but does not define in its headers, strlcpy.
      Try to fix this in configure.in by checking for most functions
      before we check for libevent.

873

874
Changes in version 0.1.2.2-alpha - 2006-10-07
875
  o Major features:
876
    - Make our async eventdns library on-by-default for Tor servers,
877
      and plan to deprecate the separate dnsworker threads.
878
    - Add server-side support for "reverse" DNS lookups (using PTR
Roger Dingledine's avatar
Roger Dingledine committed
879
      records so clients can determine the canonical hostname for a given
880
881
      IPv4 address). Only supported by servers using eventdns; servers
      now announce in their descriptors whether they support eventdns.
882
    - Specify and implement client-side SOCKS5 interface for reverse DNS
883
      lookups (see doc/socks-extensions.txt).
884
    - Add a BEGIN_DIR relay cell type for an easier in-protocol way to
885
886
887
888
889
890
891
      connect to directory servers through Tor. Previously, clients needed
      to find Tor exits to make private connections to directory servers.
    - Avoid choosing Exit nodes for entry or middle hops when the
      total bandwidth available from non-Exit nodes is much higher than
      the total bandwidth available from Exit nodes.
    - Workaround for name servers (like Earthlink's) that hijack failing
      DNS requests and replace the no-such-server answer with a "helpful"
892
893
894
895
      redirect to an advertising-driven search portal. Also work around
      DNS hijackers who "helpfully" decline to hijack known-invalid
      RFC2606 addresses. Config option "ServerDNSDetectHijacking 0"
      lets you turn it off.
896
897
898
    - Send out a burst of long-range padding cells once we've established
      that we're reachable. Spread them over 4 circuits, so hopefully
      a few will be fast. This exercises our bandwidth and bootstraps
899
      us into the directory more quickly.
900
901
902

  o New/improved config options:
    - Add new config option "ResolvConf" to let the server operator
903
      choose an alternate resolve.conf file when using eventdns.
904
    - Add an "EnforceDistinctSubnets" option to control our "exclude
905
      servers on the same /16" behavior. It's still on by default; this
906
907
      is mostly for people who want to operate private test networks with
      all the machines on the same subnet.
908
    - If one of our entry guards is on the ExcludeNodes list, or the
Roger Dingledine's avatar
Roger Dingledine committed
909
910
911
912
913
914
      directory authorities don't think it's a good guard, treat it as
      if it were unlisted: stop using it as a guard, and throw it off
      the guards list if it stays that way for a long time.
    - Allow directory authorities to be marked separately as authorities
      for the v1 directory protocol, the v2 directory protocol, and
      as hidden service directories, to make it easier to retire old
915
      authorities. V1 authorities should set "HSAuthoritativeDir 1"
Roger Dingledine's avatar
Roger Dingledine committed
916
      to continue being hidden service authorities too.
917
918
919
920
921
    - Remove 8888 as a LongLivedPort, and add 6697 (IRCS).

  o Minor features, controller:
    - Fix CIRC controller events so that controllers can learn the
      identity digests of non-Named servers used in circuit paths.
922
923
924
925
926
    - Let controllers ask for more useful identifiers for servers. Instead
      of learning identity digests for un-Named servers and nicknames
      for Named servers, the new identifiers include digest, nickname,
      and indication of Named status. Off by default; see control-spec.txt
      for more information.
927
928
    - Add a "getinfo address" controller command so it can display Tor's
      best guess to the user.
929
930
931
    - New controller event to alert the controller when our server
      descriptor has changed.
    - Give more meaningful errors on controller authentication failure.
932
933
934
935
936
937

  o Minor features, other:
    - When asked to resolve a hostname, don't use non-exit servers unless
      requested to do so. This allows servers with broken DNS to be
      useful to the network.
    - Divide eventdns log messages into warn and info messages.
Roger Dingledine's avatar
Roger Dingledine committed
938
    - Reserve the nickname "Unnamed" for routers that can't pick
939
      a hostname: any router can call itself Unnamed; directory
Roger Dingledine's avatar
Roger Dingledine committed
940
941
      authorities will never allocate Unnamed to any particular router;
      clients won't believe that any router is the canonical Unnamed.
Roger Dingledine's avatar
Roger Dingledine committed
942
943
    - Only include function names in log messages for info/debug messages.
      For notice/warn/err, the content of the message should be clear on
944
      its own, and printing the function name only confuses users.
Roger Dingledine's avatar
Roger Dingledine committed
945
946
    - Avoid some false positives during reachability testing: don't try
      to test via a server that's on the same /24 as us.
947
948
    - If we fail to build a circuit to an intended enclave, and it's
      not mandatory that we use that enclave, stop wanting it.
949
950
    - When eventdns is enabled, allow multithreaded builds on NetBSD and
      OpenBSD. (We had previously disabled threads on these platforms
951
      because they didn't have working thread-safe resolver functions.)
952

953
  o Major bugfixes, anonymity/security:
Roger Dingledine's avatar
Roger Dingledine committed
954
955
    - If a client asked for a server by name, and there's a named server
      in our network-status but we don't have its descriptor yet, we
956
      could return an unnamed server instead.
957
958
959
    - Fix NetBSD bug that could allow someone to force uninitialized RAM
      to be sent to a server's DNS resolver. This only affects NetBSD
      and other platforms that do not bounds-check tolower().
Roger Dingledine's avatar
Roger Dingledine committed
960
961
962
    - Reject (most) attempts to use Tor circuits with length one. (If
      many people start using Tor as a one-hop proxy, exit nodes become
      a more attractive target for compromise.)
963
964
965
    - Just because your DirPort is open doesn't mean people should be
      able to remotely teach you about hidden service descriptors. Now
      only accept rendezvous posts if you've got HSAuthoritativeDir set.
966

967
  o Major bugfixes, other:
968
    - Don't crash on race condition in dns.c: tor_assert(!resolve->expire)
969
970
971
    - When a client asks the server to resolve (not connect to)
      an address, and it has a cached answer, give them the cached answer.
      Previously, the server would give them no answer at all.
972
973
    - Allow really slow clients to not hang up five minutes into their
      directory downloads (suggested by Adam J. Richter).
Roger Dingledine's avatar
Roger Dingledine committed
974
975
976
    - We were building exactly the wrong circuits when we anticipated
      hidden service requirements, meaning Tor would have to build all
      its circuits on demand.
977
978
979
980
981
982
983
984
985
986
987
988
989
990
    - Avoid crashing when we mmap a router cache file of size 0.
    - When testing reachability of our DirPort, don't launch new
      tests when there's already one in progress -- unreachable
      servers were stacking up dozens of testing streams.

  o Minor bugfixes, correctness:
    - If we're a directory mirror and we ask for "all" network status
      documents, we would discard status documents from authorities
      we don't recognize.
    - Avoid a memory corruption bug when creating a hash table for
      the first time.
    - Avoid controller-triggered crash when misusing certain commands
      from a v0 controller on platforms that do not handle
      printf("%s",NULL) gracefully.
991
    - Don't crash when a controller sends a third argument to an
992
993
994
995
996
      "extendcircuit" request.
    - Controller protocol fixes: fix encoding in "getinfo addr-mappings"
      response; fix error code when "getinfo dir/status/" fails.
    - Avoid crash when telling controller stream-status and a stream
      is detached.
997
    - Patch from Adam Langley to fix assert() in eventdns.c.
998
999
    - Fix a debug log message in eventdns to say "X resolved to Y"
      instead of "X resolved to X".
1000
    - Make eventdns give strings for DNS errors, not just error numbers.