ChangeLog 148 KB
Newer Older
1
Changes in version 0.1.2.5-xxxx - 200?-??-??
2
3
4
  o Major features:
    - Enable "BEGIN_DIR" cells: prefer to connect to the directory
      server via TLS so we do encrypted directory requests rather than
5
6
      plaintext. On by default; disable via the TunnelDirConns config
      option if you like.
7
8
9
    - Enable write limiting as well as read limiting. Now we sacrifice
      capacity if we're pushing out lots of directory traffic, rather
      than overrunning the user's intended bandwidth limits.
10
11
12
13
14
    - Authorities now include server versions in networkstatus. This adds
      about 2% to the side of compressed networkstatus docs, and allows
      clients to tell which servers support BEGIN_DIR and which don't.
      The implementation is forward-compatible with a proposed future
      protocol version scheme not tied to Tor versions.
15
16
17
18
    - Support running the Tor service with a torrc not in the
      same directory as tor.exe (Bug #356) and default to using the torrc
      located in the %appdata%\Tor\ of the user who installed the service.
      Patch from Matt Edman.
19

20
  o Minor features:
21
    - Start using the state file to store bandwidth accounting data:
Roger Dingledine's avatar
Roger Dingledine committed
22
      the bw_accounting file is now obsolete. We'll keep generating it
23
      for a while for people who are still using 0.1.2.4-alpha.
Roger Dingledine's avatar
Roger Dingledine committed
24
25
26
    - Try to batch changes to the state file so that we do as few
      disk writes as possible while still storing important things in
      a timely fashion.
27
28
    - Ongoing work on eventdns infrastructure: add dns server and ipv6
      support.
29
    - Make PIDFile work on Windows (untested).
30
31
32
    - Add internal descriptions for a bunch of configuration options:
      accessible via controller interface and in comments in saved
      options files.
33
34
    - Reject *:563 (NTTPS) in the default exit policy. We already reject
      NNTP by default, so this seems like a sensible addition.
Roger Dingledine's avatar
Roger Dingledine committed
35
36
    - Authorities do not recommend exits as guards if this would shift
      excess load to the exit nodes.
37
    - Avoid some inadvertent info leaks by making clients reject hostnames
Roger Dingledine's avatar
Roger Dingledine committed
38
39
40
41
42
      with invalid characters. Add an option "AllowNonRFC953Hostnames"
      to disable this behavior, in case somebody is running a private
      network with hosts called @, !, and #.
    - Add a new address-spec.txt document to describe our special-case
      addresses: .exit, .onion, and .noconnnect.
43
44
    - Add a maintainer script to tell us which options are missing
      documentation.
45
46
47
    - Remove some options that have been deprecated since at least 0.1.0.x:
      AccountingMaxKB, LogFile, DebugLogFile, LogLevel, and SysLog.  Use
      AccountingMax instead of AccountingMaxKB; use Log to set log options.
48
49
50
    - DirServer configuration lines now have an orport option so clients can
      open encrypted tunnels to the authorities without having downloaded
      their descriptors yet.
51
52
53
54
    - Clients track responses with status 503 from dirservers.  After a
      dirserver has given us a 503, we try not to use it until an hour
      has gone by, or until we have no dirservers that haven't given us
      a 503.
55
56
    - The state file and the bw_accounting file get saved less often when
      AvoidDiskWrites is set.
57
58
59
    - We no longer look for identity and onion keys in "identity.key" and
      "onion.key" -- these were replaced by secret_id_key and
      secret_onion_key in 0.0.8pre1.
60
61
    - We no longer require unrecognized directory entries to be preceded by
      "opt".
62
63
64
    - When we get a 503 from a directory, and we're not a server, we don't
      count the failure against the total number of failures allowed for the
      thing we're trying to download.
65
66
67
    - Report X-Your-Address-Is correctly from tunneled directory connections;
      don't report X-Your-Address-Is is when it's an internal address; and
      never believe reported remote addresses when they're internal.
68
    - Add client-side caching for reverse DNS lookups.
69
    - Add support to tor-resolve for reverse lookups and SOCKS5.
70
71
72
    - We now check for the case when common DNS requests are going to
      wildcarded addresses, and change our exit policy to reject *:* if
      it's happening.  (Bug #364)
73
74
    - When we change nameservers or IP addresses, reset and re-launch
      our tests for DNS hijacking.
75

76
77
78
79
80
81
82
83
84
85
86
87
  o Security bugfixes:
    - Stop sending the HttpProxyAuthenticator string to directory
      servers when directory connections are tunnelled through Tor.
    - Clients no longer store bandwidth history in the state file.
    - Do not log introduction points for hidden services if SafeLogging
      is set.
    - When generating bandwidth history, round down to the nearest
      1k. When storing accounting data, round up to the nearest 1k.
    - When we're running as a server, remember when we last rotated onion
      keys, so that we will rotate keys once they're a week old even if
      we never stay up for a week ourselves.

88
89
  o Major bugfixes:
    - Fix a longstanding bug in eventdns that prevented the count of
Roger Dingledine's avatar
Roger Dingledine committed
90
91
92
93
      timed-out resolves from ever being reset. This bug caused us to
      give up on a nameserver the third time it timed out, and try it
      10 seconds later... and to give up on it every time it timed out
      after that. (May fix bug 326.)
94
95
96
97
    - Take out the '5 second' timeout from the connection retry
      schedule. Now the first connect attempt will wait a full 10
      seconds before switching to a new circuit. Perhaps this will help
      a lot. Based on observations from Mike Perry.
98
99

  o Minor bugfixes:
Roger Dingledine's avatar
Roger Dingledine committed
100
    - Fix a bug when a PF socket is first used. (Patch from Fabian Keil.)
Roger Dingledine's avatar
Roger Dingledine committed
101
    - Fix an assert failure when a directory authority sets
102
103
      AuthDirRejectUnlisted and then receives a descriptor from an
      unlisted router (reported by seeess).
104
    - Fix a bug on the Windows implementation of tor_mmap_file that
Roger Dingledine's avatar
Roger Dingledine committed
105
106
      would prevent the cached-routers file from ever loading (reported
      by John Kimble).
107
108
109
    - Fix a bug in 0.1.2.2-alpha that prevented clients from asking
      to resolve an address at a given exit node even when they ask for
      it by name.
110
111
112
    - Routers no longer ever list themselves in their "family" line,
      even if configured to do so.  This makes it easier to configure
      family lists efficiently.
Roger Dingledine's avatar
Roger Dingledine committed
113
114
115
116
    - When running as a server, don't fall back to 127.0.0.1 when no
      nameservers are configured in /etc/resolv.conf; instead, make the
      user fix resolv.conf or specify nameservers explicitly. (Resolves
      bug 363.)
117
    - Stop accepting certain malformed ports in configured exit policies.
118
119
    - Don't re-write the fingerprint file every restart, unless it has
      changed.
120
121
122
123
    - Cleaned-up code and documentation in NT services. Patch from Matt
      Edman.
    - Removed the supposedly misleading error message mentioned in Bug #294.
      Patch from Matt Edman.
124
125
    - Stop warning when a single nameserver fails: only warn when _all_ of
      our nameservers have failed.  (Part of a solution to bug #326.)
126

127
  o Controller features:
128
    - Have GETINFO dir/status/* work on hosts with DirPort disabled.
129
130
    - Reimplement GETINFO so that info/names stays in sync with the
      actual keys.
131
    - Implement "GETINFO fingerprint".
132
133
    - Implement "SETEVENTS GUARD" so controllers can get updates on
      entry guard status as it changes.
134

135
136
  o Controller bugfixes:
    - Report the circuit number correctly in STREAM CLOSED events. (Bug
137
      reported by Mike Perry.)
138
139
    - Do not report bizarre values for results of accounting GETINFOs
      when the last second's write or read exceeds the alloted bandwidth.
140
141


142
Changes in version 0.1.2.4-alpha - 2006-12-03
143
144
145
146
  o Major features:
    - Add support for using natd; this allows FreeBSDs earlier than
      5.1.2 to have ipfw send connections through Tor without using
      SOCKS. (Patch from Zajcev Evgeny with tweaks from tup.)
147

148
149
150
151
152
153
154
155
156
  o Minor features:
    - Make all connections to addresses of the form ".noconnect"
      immediately get closed. This lets application/controller combos
      successfully test whether they're talking to the same Tor by
      watching for STREAM events.
    - Make cross.sh cross-compilation script work even when autogen.sh
      hasn't been run. (Patch from Michael Mohr.)
    - Statistics dumped by -USR2 now include a breakdown of public key
      operations, for profiling.
157

158
159
160
161
  o Major bugfixes:
    - Fix a major leak when directory authorities parse their
      approved-routers list, a minor memory leak when we fail to pick
      an exit node, and a few rare leaks on errors.
162
    - Handle TransPort connections even when the server sends data before
163
      the client sends data. Previously, the connection would just hang
164
165
      until the client sent data. (Patch from tup based on patch from
      Zajcev Evgeny.)
166
167
    - Avoid assert failure when our cached-routers file is empty on
      startup.
168

169
  o Minor bugfixes:
170
171
    - Don't log spurious warnings when we see a circuit close reason we
      don't recognize; it's probably just from a newer version of Tor.
172
173
    - Have directory authorities allow larger amounts of drift in uptime
      without replacing the server descriptor: previously, a server that
174
175
      restarted every 30 minutes could have 48 "interesting" descriptors
      per day.
176
177
    - Start linking to the Tor specification and Tor reference manual
      correctly in the Windows installer.
178
179
180
181
182
183
    - Add Vidalia to the OS X uninstaller script, so when we uninstall
      Tor/Privoxy we also uninstall Vidalia.
    - Resume building on Irix64, and fix a lot of warnings from its
      MIPSpro C compiler.
    - Don't corrupt last_guessed_ip in router_new_address_suggestion()
      when we're running as a client.
184

185

186
Changes in version 0.1.2.3-alpha - 2006-10-29
187
  o Minor features:
188
    - Prepare for servers to publish descriptors less often: never
189
      discard a descriptor simply for being too old until either it is
190
191
      recommended by no authorities, or until we get a better one for
      the same router. Make caches consider retaining old recommended
192
      routers for even longer.
193
194
195
    - If most authorities set a BadExit flag for a server, clients
      don't think of it as a general-purpose exit. Clients only consider
      authorities that advertise themselves as listing bad exits.
196
197
198
    - Directory servers now provide 'Pragma: no-cache' and 'Expires'
      headers for content, so that we can work better in the presence of
      caching HTTP proxies.
199
200
    - Allow authorities to list nodes as bad exits by fingerprint or by
      address.
201

202
  o Minor features, controller:
203
204
    - Add a REASON field to CIRC events; for backward compatibility, this
      field is sent only to controllers that have enabled the extended
205
206
207
      event format.  Also, add additional reason codes to explain why
      a given circuit has been destroyed or truncated. (Patches from
      Mike Perry)
208
209
    - Add a REMOTE_REASON field to extended CIRC events to tell the
      controller about why a remote OR told us to close a circuit.
210
211
    - Stream events also now have REASON and REMOTE_REASON fields,
      working much like those for circuit events.
212
    - There's now a GETINFO ns/... field so that controllers can ask Tor
213
214
215
      about the current status of a router.
    - A new event type "NS" to inform a controller when our opinion of
      a router's status has changed.
216
217
    - Add a GETINFO events/names and GETINFO features/names so controllers
      can tell which events and features are supported.
218
219
    - A new CLEARDNSCACHE signal to allow controllers to clear the
      client-side DNS cache without expiring circuits.
220

Roger Dingledine's avatar
Roger Dingledine committed
221
222
223
224
  o Security bugfixes:
    - When the user sends a NEWNYM signal, clear the client-side DNS
      cache too. Otherwise we continue to act on previous information.

225
  o Minor bugfixes:
226
227
228
229
230
231
232
233
    - Avoid sending junk to controllers or segfaulting when a controller
      uses EVENT_NEW_DESC with verbose nicknames.
    - Stop triggering asserts if the controller tries to extend hidden
      service circuits (reported by mwenge).
    - Avoid infinite loop on unexpected controller input.
    - When the controller does a "GETINFO network-status", tell it
      about even those routers whose descriptors are very old, and use
      long nicknames where appropriate.
234
    - Change NT service functions to be loaded on demand.  This lets us
235
      build with MinGW without breaking Tor for Windows 98 users.
236
237
238
239
    - Do DirPort reachability tests less often, since a single test
      chews through many circuits before giving up.
    - In the hidden service example in torrc.sample, stop recommending
      esoteric and discouraged hidden service options.
240
241
    - When stopping an NT service, wait up to 10 sec for it to actually
      stop.  (Patch from Matt Edman; resolves bug 295.)
242
243
244
    - Fix handling of verbose nicknames with ORCONN controller events:
      make them show up exactly when requested, rather than exactly when
      not requested.
245
    - When reporting verbose nicknames in entry_guards_getinfo(), avoid
246
247
248
249
250
251
252
253
254
255
256
      printing a duplicate "$" in the keys we send (reported by mwenge).
    - Correctly set maximum connection limit on Cygwin. (This time
      for sure!)
    - Try to detect Windows correctly when cross-compiling.
    - Detect the size of the routers file correctly even if it is
      corrupted (on systems without mmap) or not page-aligned (on systems
      with mmap). This bug was harmless.
    - Sometimes we didn't bother sending a RELAY_END cell when an attempt
      to open a stream fails; now we do in more cases. This should
      make clients able to find a good exit faster in some cases, since
      unhandleable requests will now get an error rather than timing out.
257
258
    - Resolve two memory leaks when rebuilding the on-disk router cache
      (reported by fookoowa).
259
260
    - Clean up minor code warnings suggested by the MIPSpro C compiler,
      and reported by some Centos users.
261
262
    - Controller signals now work on non-Unix platforms that don't define
      SIGUSR1 and SIGUSR2 the way we expect.
263
264
    - Patch from Michael Mohr to contrib/cross.sh, so it checks more
      values before failing, and always enables eventdns.
265
266
267
268
    - Libevent-1.2 exports, but does not define in its headers, strlcpy.
      Try to fix this in configure.in by checking for most functions
      before we check for libevent.

269

270
Changes in version 0.1.2.2-alpha - 2006-10-07
271
  o Major features:
272
    - Make our async eventdns library on-by-default for Tor servers,
273
      and plan to deprecate the separate dnsworker threads.
274
    - Add server-side support for "reverse" DNS lookups (using PTR
Roger Dingledine's avatar
Roger Dingledine committed
275
      records so clients can determine the canonical hostname for a given
276
277
      IPv4 address). Only supported by servers using eventdns; servers
      now announce in their descriptors whether they support eventdns.
278
    - Specify and implement client-side SOCKS5 interface for reverse DNS
279
      lookups (see doc/socks-extensions.txt).
280
    - Add a BEGIN_DIR relay cell type for an easier in-protocol way to
281
282
283
284
285
286
287
      connect to directory servers through Tor. Previously, clients needed
      to find Tor exits to make private connections to directory servers.
    - Avoid choosing Exit nodes for entry or middle hops when the
      total bandwidth available from non-Exit nodes is much higher than
      the total bandwidth available from Exit nodes.
    - Workaround for name servers (like Earthlink's) that hijack failing
      DNS requests and replace the no-such-server answer with a "helpful"
288
289
290
291
      redirect to an advertising-driven search portal. Also work around
      DNS hijackers who "helpfully" decline to hijack known-invalid
      RFC2606 addresses. Config option "ServerDNSDetectHijacking 0"
      lets you turn it off.
292
293
294
    - Send out a burst of long-range padding cells once we've established
      that we're reachable. Spread them over 4 circuits, so hopefully
      a few will be fast. This exercises our bandwidth and bootstraps
295
      us into the directory more quickly.
296
297
298

  o New/improved config options:
    - Add new config option "ResolvConf" to let the server operator
299
      choose an alternate resolve.conf file when using eventdns.
300
    - Add an "EnforceDistinctSubnets" option to control our "exclude
301
      servers on the same /16" behavior. It's still on by default; this
302
303
      is mostly for people who want to operate private test networks with
      all the machines on the same subnet.
304
    - If one of our entry guards is on the ExcludeNodes list, or the
Roger Dingledine's avatar
Roger Dingledine committed
305
306
307
308
309
310
      directory authorities don't think it's a good guard, treat it as
      if it were unlisted: stop using it as a guard, and throw it off
      the guards list if it stays that way for a long time.
    - Allow directory authorities to be marked separately as authorities
      for the v1 directory protocol, the v2 directory protocol, and
      as hidden service directories, to make it easier to retire old
311
      authorities. V1 authorities should set "HSAuthoritativeDir 1"
Roger Dingledine's avatar
Roger Dingledine committed
312
      to continue being hidden service authorities too.
313
314
315
316
317
    - Remove 8888 as a LongLivedPort, and add 6697 (IRCS).

  o Minor features, controller:
    - Fix CIRC controller events so that controllers can learn the
      identity digests of non-Named servers used in circuit paths.
318
319
320
321
322
    - Let controllers ask for more useful identifiers for servers. Instead
      of learning identity digests for un-Named servers and nicknames
      for Named servers, the new identifiers include digest, nickname,
      and indication of Named status. Off by default; see control-spec.txt
      for more information.
323
324
    - Add a "getinfo address" controller command so it can display Tor's
      best guess to the user.
325
326
327
    - New controller event to alert the controller when our server
      descriptor has changed.
    - Give more meaningful errors on controller authentication failure.
328
329
330
331
332
333

  o Minor features, other:
    - When asked to resolve a hostname, don't use non-exit servers unless
      requested to do so. This allows servers with broken DNS to be
      useful to the network.
    - Divide eventdns log messages into warn and info messages.
Roger Dingledine's avatar
Roger Dingledine committed
334
    - Reserve the nickname "Unnamed" for routers that can't pick
335
      a hostname: any router can call itself Unnamed; directory
Roger Dingledine's avatar
Roger Dingledine committed
336
337
      authorities will never allocate Unnamed to any particular router;
      clients won't believe that any router is the canonical Unnamed.
Roger Dingledine's avatar
Roger Dingledine committed
338
339
    - Only include function names in log messages for info/debug messages.
      For notice/warn/err, the content of the message should be clear on
340
      its own, and printing the function name only confuses users.
Roger Dingledine's avatar
Roger Dingledine committed
341
342
    - Avoid some false positives during reachability testing: don't try
      to test via a server that's on the same /24 as us.
343
344
    - If we fail to build a circuit to an intended enclave, and it's
      not mandatory that we use that enclave, stop wanting it.
345
346
    - When eventdns is enabled, allow multithreaded builds on NetBSD and
      OpenBSD. (We had previously disabled threads on these platforms
347
      because they didn't have working thread-safe resolver functions.)
348

349
  o Major bugfixes, anonymity/security:
Roger Dingledine's avatar
Roger Dingledine committed
350
351
    - If a client asked for a server by name, and there's a named server
      in our network-status but we don't have its descriptor yet, we
352
      could return an unnamed server instead.
353
354
355
    - Fix NetBSD bug that could allow someone to force uninitialized RAM
      to be sent to a server's DNS resolver. This only affects NetBSD
      and other platforms that do not bounds-check tolower().
Roger Dingledine's avatar
Roger Dingledine committed
356
357
358
    - Reject (most) attempts to use Tor circuits with length one. (If
      many people start using Tor as a one-hop proxy, exit nodes become
      a more attractive target for compromise.)
359
360
361
    - Just because your DirPort is open doesn't mean people should be
      able to remotely teach you about hidden service descriptors. Now
      only accept rendezvous posts if you've got HSAuthoritativeDir set.
362

363
  o Major bugfixes, other:
364
    - Don't crash on race condition in dns.c: tor_assert(!resolve->expire)
365
366
367
    - When a client asks the server to resolve (not connect to)
      an address, and it has a cached answer, give them the cached answer.
      Previously, the server would give them no answer at all.
368
369
    - Allow really slow clients to not hang up five minutes into their
      directory downloads (suggested by Adam J. Richter).
Roger Dingledine's avatar
Roger Dingledine committed
370
371
372
    - We were building exactly the wrong circuits when we anticipated
      hidden service requirements, meaning Tor would have to build all
      its circuits on demand.
373
374
375
376
377
378
379
380
381
382
383
384
385
386
    - Avoid crashing when we mmap a router cache file of size 0.
    - When testing reachability of our DirPort, don't launch new
      tests when there's already one in progress -- unreachable
      servers were stacking up dozens of testing streams.

  o Minor bugfixes, correctness:
    - If we're a directory mirror and we ask for "all" network status
      documents, we would discard status documents from authorities
      we don't recognize.
    - Avoid a memory corruption bug when creating a hash table for
      the first time.
    - Avoid controller-triggered crash when misusing certain commands
      from a v0 controller on platforms that do not handle
      printf("%s",NULL) gracefully.
387
    - Don't crash when a controller sends a third argument to an
388
389
390
391
392
      "extendcircuit" request.
    - Controller protocol fixes: fix encoding in "getinfo addr-mappings"
      response; fix error code when "getinfo dir/status/" fails.
    - Avoid crash when telling controller stream-status and a stream
      is detached.
393
    - Patch from Adam Langley to fix assert() in eventdns.c.
394
395
    - Fix a debug log message in eventdns to say "X resolved to Y"
      instead of "X resolved to X".
396
397
398
399
400
401
    - Make eventdns give strings for DNS errors, not just error numbers.
    - Track unreachable entry guards correctly: don't conflate
      'unreachable by us right now' with 'listed as down by the directory
      authorities'. With the old code, if a guard was unreachable by
      us but listed as running, it would clog our guard list forever.
    - Behave correctly in case we ever have a network with more than
402
      2GB/s total advertised capacity.
403
404
405
406
407
408
    - Make TrackExitHosts case-insensitive, and fix the behavior of
      ".suffix" TrackExitHosts items to avoid matching in the middle of
      an address.
    - Finally fix the openssl warnings from newer gccs that believe that
      ignoring a return value is okay, but casting a return value and
      then ignoring it is a sign of madness.
409
410
    - Prevent the contrib/exitlist script from printing the same
      result more than once.
411
412
    - Patch from Steve Hildrey: Generate network status correctly on
      non-versioning dirservers.
413
414
    - Don't listen to the X-Your-Address-Is hint if you did the lookup
      via Tor; otherwise you'll think you're the exit node's IP address.
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434

  o Minor bugfixes, performance:
    - Two small performance improvements on parsing descriptors.
    - Major performance improvement on inserting descriptors: change
      algorithm from O(n^2) to O(n).
    - Make the common memory allocation path faster on machines where
      malloc(0) returns a pointer.
    - Start remembering X-Your-Address-Is directory hints even if you're
      a client, so you can become a server more smoothly.
    - Avoid duplicate entries on MyFamily line in server descriptor.

  o Packaging, features:
    - Remove architecture from OS X builds. The official builds are
      now universal binaries.
    - The Debian package now uses --verify-config when (re)starting,
      to distinguish configuration errors from other errors.
    - Update RPMs to require libevent 1.1b.

  o Packaging, bugfixes:
    - Patches so Tor builds with MinGW on Windows.
435
    - Patches so Tor might run on Cygwin again.
436
437
438
    - Resume building on non-gcc compilers and ancient gcc. Resume
      building with the -O0 compile flag. Resume building cleanly on
      Debian woody.
439
    - Run correctly on OS X platforms with case-sensitive filesystems.
440
    - Correct includes for net/if.h and net/pfvar.h on OpenBSD (from Tup).
441
    - Add autoconf checks so Tor can build on Solaris x86 again.
442

443
444
445
  o Documentation
    - Documented (and renamed) ServerDNSSearchDomains and
      ServerDNSResolvConfFile options.
446
447
    - Be clearer that the *ListenAddress directives can be repeated
      multiple times.
448

449

450
451
452
Changes in version 0.1.2.1-alpha - 2006-08-27
  o Major features:
    - Add "eventdns" async dns library from Adam Langley, tweaked to
453
454
      build on OSX and Windows. Only enabled if you pass the
      --enable-eventdns argument to configure.
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
    - Allow servers with no hostname or IP address to learn their
      IP address by asking the directory authorities. This code only
      kicks in when you would normally have exited with a "no address"
      error. Nothing's authenticated, so use with care.
    - Rather than waiting a fixed amount of time between retrying
      application connections, we wait only 5 seconds for the first,
      10 seconds for the second, and 15 seconds for each retry after
      that. Hopefully this will improve the expected user experience.
    - Patch from Tup to add support for transparent AP connections:
      this basically bundles the functionality of trans-proxy-tor
      into the Tor mainline. Now hosts with compliant pf/netfilter
      implementations can redirect TCP connections straight to Tor
      without diverting through SOCKS. Needs docs.
    - Busy directory servers save lots of memory by spooling server
      descriptors, v1 directories, and v2 networkstatus docs to buffers
      as needed rather than en masse. Also mmap the cached-routers
      files, so we don't need to keep the whole thing in memory too.
    - Automatically avoid picking more than one node from the same
      /16 network when constructing a circuit.
    - Revise and clean up the torrc.sample that we ship with; add
      a section for BandwidthRate and BandwidthBurst.

  o Minor features:
478
479
480
    - Split circuit_t into origin_circuit_t and or_circuit_t, and
      split connection_t into edge, or, dir, control, and base structs.
      These will save quite a bit of memory on busy servers, and they'll
481
482
483
484
485
486
487
488
      also help us track down bugs in the code and bugs in the spec.
    - Experimentally re-enable kqueue on OSX when using libevent 1.1b
      or later. Log when we are doing this, so we can diagnose it when
      it fails. (Also, recommend libevent 1.1b for kqueue and
      win32 methods; deprecate libevent 1.0b harder; make libevent
      recommendation system saner.)
    - Start being able to build universal binaries on OS X (thanks
      to Phobos).
489
490
    - Export the default exit policy via the control port, so controllers
      don't need to guess what it is / will be later.
491
492
493
494
495
496
497
498
499
500
501
    - Add a man page entry for ProtocolWarnings.
    - Add TestVia config option to the man page.
    - Remove even more protocol-related warnings from Tor server logs,
      such as bad TLS handshakes and malformed begin cells.
    - Stop fetching descriptors if you're not a dir mirror and you
      haven't tried to establish any circuits lately. [This currently
      causes some dangerous behavior, because when you start up again
      you'll use your ancient server descriptors.]
    - New DirPort behavior: if you have your dirport set, you download
      descriptors aggressively like a directory mirror, whether or not
      your ORPort is set.
502
503
504
505
506
507
508
    - Get rid of the router_retry_connections notion. Now routers
      no longer try to rebuild long-term connections to directory
      authorities, and directory authorities no longer try to rebuild
      long-term connections to all servers. We still don't hang up
      connections in these two cases though -- we need to look at it
      more carefully to avoid flapping, and we likely need to wait til
      0.1.1.x is obsolete.
509
510
511
512
513
514
    - Drop compatibility with obsolete Tors that permit create cells
      to have the wrong circ_id_type.
    - Re-enable per-connection rate limiting. Get rid of the "OP
      bandwidth" concept. Lay groundwork for "bandwidth classes" --
      separate global buckets that apply depending on what sort of conn
      it is.
515
516
517
518
    - Start publishing one minute or so after we find our ORPort
      to be reachable. This will help reduce the number of descriptors
      we have for ourselves floating around, since it's quite likely
      other things (e.g. DirPort) will change during that minute too.
519
    - Fork the v1 directory protocol into its own spec document,
520
521
      and mark dir-spec.txt as the currently correct (v2) spec.

522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
  o Major bugfixes:
    - When we find our DirPort to be reachable, publish a new descriptor
      so we'll tell the world (reported by pnx).
    - Publish a new descriptor after we hup/reload. This is important
      if our config has changed such that we'll want to start advertising
      our DirPort now, etc.
    - Allow Tor to start when RunAsDaemon is set but no logs are set.
    - When we have a state file we cannot parse, tell the user and
      move it aside. Now we avoid situations where the user starts
      Tor in 1904, Tor writes a state file with that timestamp in it,
      the user fixes her clock, and Tor refuses to start.
    - Fix configure.in to not produce broken configure files with
      more recent versions of autoconf. Thanks to Clint for his auto*
      voodoo.
    - "tor --verify-config" now exits with -1(255) or 0 depending on
      whether the config options are bad or good.
    - Resolve bug 321 when using dnsworkers: append a period to every
      address we resolve at the exit node, so that we do not accidentally
      pick up local addresses, and so that failing searches are retried
      in the resolver search domains. (This is already solved for
      eventdns.) (This breaks Blossom servers for now.)
    - If we are using an exit enclave and we can't connect, e.g. because
      its webserver is misconfigured to not listen on localhost, then
      back off and try connecting from somewhere else before we fail.

  o Minor bugfixes:
    - Start compiling on MinGW on Windows (patches from Mike Chiussi).
    - Start compiling on MSVC6 on Windows (patches from Frediano Ziglio).
    - Fix bug 314: Tor clients issued "unsafe socks" warnings even
      when the IP address is mapped through MapAddress to a hostname.
    - Start passing "ipv4" hints to getaddrinfo(), so servers don't do
      useless IPv6 DNS resolves.
    - Patch suggested by Karsten Loesing: respond to SIGNAL command
      before we execute the signal, in case the signal shuts us down.
    - Clean up AllowInvalidNodes man page entry.
    - Claim a commonname of Tor, rather than TOR, in TLS handshakes.
    - Add more asserts to track down an assert error on a windows Tor
      server with connection_add being called with socket == -1.
    - Handle reporting OR_CONN_EVENT_NEW events to the controller.
561
562
563
564
565
    - Fix misleading log messages: an entry guard that is "unlisted",
      as well as not known to be "down" (because we've never heard
      of it), is not therefore "up".
    - Remove code to special-case "-cvs" ending, since it has not
      actually mattered since 0.0.9.
566
567
568
569
    - Make our socks5 handling more robust to broken socks clients:
      throw out everything waiting on the buffer in between socks
      handshake phases, since they can't possibly (so the theory
      goes) have predicted what we plan to respond to them.
570

571

572
573
574
575
576
577
578
579
580
581
582
583
584
585
Changes in version 0.1.1.26 - 2006-12-14
  o Security bugfixes:
    - Stop sending the HttpProxyAuthenticator string to directory
      servers when directory connections are tunnelled through Tor.
    - Clients no longer store bandwidth history in the state file.
    - Do not log introduction points for hidden services if SafeLogging
      is set.

  o Minor bugfixes:
    - Fix an assert failure when a directory authority sets
      AuthDirRejectUnlisted and then receives a descriptor from an
      unlisted router (reported by seeess).


586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
Changes in version 0.1.1.25 - 2006-11-04
  o Major bugfixes:
    - When a client asks us to resolve (rather than connect to)
      an address, and we have a cached answer, give them the cached
      answer. Previously, we would give them no answer at all.
    - We were building exactly the wrong circuits when we predict
      hidden service requirements, meaning Tor would have to build all
      its circuits on demand.
    - If none of our live entry guards have a high uptime, but we
      require a guard with a high uptime, try adding a new guard before
      we give up on the requirement. This patch should make long-lived
      connections more stable on average.
    - When testing reachability of our DirPort, don't launch new
      tests when there's already one in progress -- unreachable
      servers were stacking up dozens of testing streams.

  o Security bugfixes:
    - When the user sends a NEWNYM signal, clear the client-side DNS
      cache too. Otherwise we continue to act on previous information.

  o Minor bugfixes:
    - Avoid a memory corruption bug when creating a hash table for
      the first time.
    - Avoid possibility of controller-triggered crash when misusing
      certain commands from a v0 controller on platforms that do not
      handle printf("%s",NULL) gracefully.
    - Avoid infinite loop on unexpected controller input.
    - Don't log spurious warnings when we see a circuit close reason we
      don't recognize; it's probably just from a newer version of Tor.
    - Add Vidalia to the OS X uninstaller script, so when we uninstall
      Tor/Privoxy we also uninstall Vidalia.


619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
Changes in version 0.1.1.24 - 2006-09-29
  o Major bugfixes:
    - Allow really slow clients to not hang up five minutes into their
      directory downloads (suggested by Adam J. Richter).
    - Fix major performance regression from 0.1.0.x: instead of checking
      whether we have enough directory information every time we want to
      do something, only check when the directory information has changed.
      This should improve client CPU usage by 25-50%.
    - Don't crash if, after a server has been running for a while,
      it can't resolve its hostname.
    - When a client asks us to resolve (not connect to) an address,
      and we have a cached answer, give them the cached answer.
      Previously, we would give them no answer at all.

  o Minor bugfixes:
    - Allow Tor to start when RunAsDaemon is set but no logs are set.
    - Don't crash when the controller receives a third argument to an
      "extendcircuit" request.
    - Controller protocol fixes: fix encoding in "getinfo addr-mappings"
      response; fix error code when "getinfo dir/status/" fails.
    - Fix configure.in to not produce broken configure files with
      more recent versions of autoconf. Thanks to Clint for his auto*
      voodoo.
    - Fix security bug on NetBSD that could allow someone to force
      uninitialized RAM to be sent to a server's DNS resolver. This
      only affects NetBSD and other platforms that do not bounds-check
      tolower().
    - Warn user when using libevent 1.1a or earlier with win32 or kqueue
      methods: these are known to be buggy.
    - If we're a directory mirror and we ask for "all" network status
      documents, we would discard status documents from authorities
      we don't recognize.


653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
Changes in version 0.1.1.23 - 2006-07-30
  o Major bugfixes:
    - Fast Tor servers, especially exit nodes, were triggering asserts
      due to a bug in handling the list of pending DNS resolves. Some
      bugs still remain here; we're hunting them.
    - Entry guards could crash clients by sending unexpected input.
    - More fixes on reachability testing: if you find yourself reachable,
      then don't ever make any client requests (so you stop predicting
      circuits), then hup or have your clock jump, then later your IP
      changes, you won't think circuits are working, so you won't try to
      test reachability, so you won't publish.

  o Minor bugfixes:
    - Avoid a crash if the controller does a resetconf firewallports
      and then a setconf fascistfirewall=1.
    - Avoid an integer underflow when the dir authority decides whether
      a router is stable: we might wrongly label it stable, and compute
      a slightly wrong median stability, when a descriptor is published
      later than now.
    - Fix a place where we might trigger an assert if we can't build our
      own server descriptor yet.


676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
Changes in version 0.1.1.22 - 2006-07-05
  o Major bugfixes:
    - Fix a big bug that was causing servers to not find themselves
      reachable if they changed IP addresses. Since only 0.1.1.22+
      servers can do reachability testing correctly, now we automatically
      make sure to test via one of these.
    - Fix to allow clients and mirrors to learn directory info from
      descriptor downloads that get cut off partway through.
    - Directory authorities had a bug in deciding if a newly published
      descriptor was novel enough to make everybody want a copy -- a few
      servers seem to be publishing new descriptors many times a minute.
  o Minor bugfixes:
    - Fix a rare bug that was causing some servers to complain about
      "closing wedged cpuworkers" and skip some circuit create requests.
    - Make the Exit flag in directory status documents actually work.


693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
Changes in version 0.1.1.21 - 2006-06-10
  o Crash and assert fixes from 0.1.1.20:
    - Fix a rare crash on Tor servers that have enabled hibernation.
    - Fix a seg fault on startup for Tor networks that use only one
      directory authority.
    - Fix an assert from a race condition that occurs on Tor servers
      while exiting, where various threads are trying to log that they're
      exiting, and delete the logs, at the same time.
    - Make our unit tests pass again on certain obscure platforms.

  o Other fixes:
    - Add support for building SUSE RPM packages.
    - Speed up initial bootstrapping for clients: if we are making our
      first ever connection to any entry guard, then don't mark it down
      right after that.
    - When only one Tor server in the network is labelled as a guard,
      and we've already picked him, we would cycle endlessly picking him
      again, being unhappy about it, etc. Now we specifically exclude
      current guards when picking a new guard.
    - Servers send create cells more reliably after the TLS connection
      is established: we were sometimes forgetting to send half of them
      when we had more than one pending.
    - If we get a create cell that asks us to extend somewhere, but the
      Tor server there doesn't match the expected digest, we now send
      a destroy cell back, rather than silently doing nothing.
    - Make options->RedirectExit work again.
    - Make cookie authentication for the controller work again.
    - Stop being picky about unusual characters in the arguments to
      mapaddress. It's none of our business.
    - Add a new config option "TestVia" that lets you specify preferred
      middle hops to use for test circuits. Perhaps this will let me
      debug the reachability problems better.

  o Log / documentation fixes:
    - If we're a server and some peer has a broken TLS certificate, don't
      log about it unless ProtocolWarnings is set, i.e., we want to hear
      about protocol violations by others.
    - Fix spelling of VirtualAddrNetwork in man page.
    - Add a better explanation at the top of the autogenerated torrc file
      about what happened to our old torrc.


735
Changes in version 0.1.1.20 - 2006-05-23
736
737
738
739
740
741
742
743
  o Crash and assert fixes from 0.1.0.17:
    - Fix assert bug in close_logs() on exit: when we close and delete
      logs, remove them all from the global "logfiles" list.
    - Fix an assert error when we're out of space in the connection_list
      and we try to post a hidden service descriptor (reported by Peter
      Palfrader).
    - Fix a rare assert error when we've tried all intro points for
      a hidden service and we try fetching the service descriptor again:
744
745
      "Assertion conn->state != AP_CONN_STATE_RENDDESC_WAIT failed".
    - Setconf SocksListenAddress kills Tor if it fails to bind. Now back
746
747
      out and refuse the setconf if it would fail.
    - If you specify a relative torrc path and you set RunAsDaemon in
748
749
      your torrc, then it chdir()'s to the new directory. If you then
      HUP, it tries to load the new torrc location, fails, and exits.
750
751
752
753
754
755
756
757
      The fix: no longer allow a relative path to torrc when using -f.
    - Check for integer overflows in more places, when adding elements
      to smartlists. This could possibly prevent a buffer overflow
      on malicious huge inputs.

  o Security fixes, major:
    - When we're printing strings from the network, don't try to print
      non-printable characters. Now we're safer against shell escape
758
      sequence exploits, and also against attacks to fool users into
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
      misreading their logs.
    - Implement entry guards: automatically choose a handful of entry
      nodes and stick with them for all circuits. Only pick new guards
      when the ones you have are unsuitable, and if the old guards
      become suitable again, switch back. This will increase security
      dramatically against certain end-point attacks. The EntryNodes
      config option now provides some hints about which entry guards you
      want to use most; and StrictEntryNodes means to only use those.
      Fixes CVE-2006-0414.
    - Implement exit enclaves: if we know an IP address for the
      destination, and there's a running Tor server at that address
      which allows exit to the destination, then extend the circuit to
      that exit first. This provides end-to-end encryption and end-to-end
      authentication. Also, if the user wants a .exit address or enclave,
      use 4 hops rather than 3, and cannibalize a general circ for it
      if you can.
    - Obey our firewall options more faithfully:
      . If we can't get to a dirserver directly, try going via Tor.
      . Don't ever try to connect (as a client) to a place our
        firewall options forbid.
      . If we specify a proxy and also firewall options, obey the
        firewall options even when we're using the proxy: some proxies
        can only proxy to certain destinations.
    - Make clients regenerate their keys when their IP address changes.
    - For the OS X package's modified privoxy config file, comment
      out the "logfile" line so we don't log everything passed
      through privoxy.
    - Our TLS handshakes were generating a single public/private
      keypair for the TLS context, rather than making a new one for
      each new connection. Oops. (But we were still rotating them
      periodically, so it's not so bad.)
    - When we were cannibalizing a circuit with a particular exit
      node in mind, we weren't checking to see if that exit node was
792
      already present earlier in the circuit. Now we are.
793
    - Require server descriptors to list IPv4 addresses -- hostnames
794
795
      are no longer allowed. This also fixes potential vulnerabilities
      to servers providing hostnames as their address and then
796
797
798
799
800
      preferentially resolving them so they can partition users.
    - Our logic to decide if the OR we connected to was the right guy
      was brittle and maybe open to a mitm for invalid routers.

  o Security fixes, minor:
801
802
    - Adjust tor-spec.txt to parameterize cell and key lengths. Now
      Ian Goldberg can prove things about our handshake protocol more
803
      easily.
804
805
806
    - Make directory authorities generate a separate "guard" flag to
      mean "would make a good entry guard". Clients now honor the
      is_guard flag rather than looking at is_fast or is_stable.
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
    - Try to list MyFamily elements by key, not by nickname, and warn
      if we've not heard of a server.
    - Start using RAND_bytes rather than RAND_pseudo_bytes from
      OpenSSL. Also, reseed our entropy every hour, not just at
      startup. And add entropy in 512-bit chunks, not 160-bit chunks.
    - Refuse server descriptors where the fingerprint line doesn't match
      the included identity key. Tor doesn't care, but other apps (and
      humans) might actually be trusting the fingerprint line.
    - We used to kill the circuit when we receive a relay command we
      don't recognize. Now we just drop that cell.
    - Fix a bug found by Lasse Overlier: when we were making internal
      circuits (intended to be cannibalized later for rendezvous and
      introduction circuits), we were picking them so that they had
      useful exit nodes. There was no need for this, and it actually
      aids some statistical attacks.
    - Start treating internal circuits and exit circuits separately.
      It's important to keep them separate because internal circuits
      have their last hops picked like middle hops, rather than like
      exit hops. So exiting on them will break the user's expectations.
826
827
828
829
830
    - Fix a possible way to DoS dirservers.
    - When the client asked for a rendezvous port that the hidden
      service didn't want to provide, we were sending an IP address
      back along with the end cell. Fortunately, it was zero. But stop
      that anyway.
831
832

  o Packaging improvements:
833
    - Implement --with-libevent-dir option to ./configure. Improve
834
      search techniques to find libevent, and use those for openssl too.
835
    - Fix a couple of bugs in OpenSSL detection. Deal better when
836
837
      there are multiple SSLs installed with different versions.
    - Avoid warnings about machine/limits.h on Debian GNU/kFreeBSD.
838
    - On non-gcc compilers (e.g. Solaris's cc), use "-g -O" instead of
839
840
841
842
843
844
845
846
847
848
849
850
851
852
      "-Wall -g -O2".
    - Make unit tests (and other invocations that aren't the real Tor)
      run without launching listeners, creating subdirectories, and so on.
    - The OS X installer was adding a symlink for tor_resolve but
      the binary was called tor-resolve (reported by Thomas Hardly).
    - Now we can target arch and OS in rpm builds (contributed by
      Phobos). Also make the resulting dist-rpm filename match the
      target arch.
    - Apply Matt Ghali's --with-syslog-facility patch to ./configure
      if you log to syslog and want something other than LOG_DAEMON.
    - Fix the torify (tsocks) config file to not use Tor for localhost
      connections.
    - Start shipping socks-extensions.txt, tor-doc-unix.html,
      tor-doc-server.html, and stylesheet.css in the tarball.
853
854
855
856
857
    - Stop shipping tor-doc.html, INSTALL, and README in the tarball.
      They are useless now.
    - Add Peter Palfrader's contributed check-tor script. It lets you
      easily check whether a given server (referenced by nickname)
      is reachable by you.
858
859
860
861
862
    - Add BSD-style contributed startup script "rc.subr" from Peter
      Thoenen.

  o Directory improvements -- new directory protocol:
    - See tor/doc/dir-spec.txt for all the juicy details. Key points:
863
864
    - Authorities and caches publish individual descriptors (by
      digest, by fingerprint, by "all", and by "tell me yours").
865
    - Clients don't download or use the old directory anymore. Now they
866
867
868
      download network-statuses from the directory authorities, and
      fetch individual server descriptors as needed from mirrors.
    - Clients don't download descriptors of non-running servers.
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
    - Download descriptors by digest, not by fingerprint. Caches try to
      download all listed digests from authorities; clients try to
      download "best" digests from caches. This avoids partitioning
      and isolating attacks better.
    - Only upload a new server descriptor when options change, 18
      hours have passed, uptime is reset, or bandwidth changes a lot.
    - Directory authorities silently throw away new descriptors that
      haven't changed much if the timestamps are similar. We do this to
      tolerate older Tor servers that upload a new descriptor every 15
      minutes. (It seemed like a good idea at the time.)
    - Clients choose directory servers from the network status lists,
      not from their internal list of router descriptors. Now they can
      go to caches directly rather than needing to go to authorities
      to bootstrap the first set of descriptors.
    - When picking a random directory, prefer non-authorities if any
      are known.
    - Add a new flag to network-status indicating whether the server
      can answer v2 directory requests too.
    - Directory mirrors now cache up to 16 unrecognized network-status
888
      docs, so new directory authorities will be cached too.
889
890
    - Stop parsing, storing, or using running-routers output (but
      mirrors still cache and serve it).
891
    - Clients consider a threshold of "versioning" directory authorities
892
      before deciding whether to warn the user that he's obsolete.
893
894
    - Authorities publish separate sorted lists of recommended versions
      for clients and for servers.
895
    - Change DirServers config line to note which dirs are v1 authorities.
896
897
    - Put nicknames on the DirServer line, so we can refer to them
      without requiring all our users to memorize their IP addresses.
898
899
900
    - Remove option when getting directory cache to see whether they
      support running-routers; they all do now. Replace it with one
      to see whether caches support v2 stuff.
901
902
903
904
905
    - Stop listing down or invalid nodes in the v1 directory. This
      reduces its bulk by about 1/3, and reduces load on mirrors.
    - Mirrors no longer cache the v1 directory as often.
    - If we as a directory mirror don't know of any v1 directory
      authorities, then don't try to cache any v1 directories.
906

907
  o Other directory improvements:
908
909
910
    - Add lefkada.eecs.harvard.edu and tor.dizum.com as fourth and
      fifth authoritative directory servers.
    - Directory authorities no longer require an open connection from
911
      a server to consider him "reachable". We need this change because
912
913
      when we add new directory authorities, old servers won't know not
      to hang up on them.
914
915
916
917
    - Dir authorities now do their own external reachability testing
      of each server, and only list as running the ones they found to
      be reachable. We also send back warnings to the server's logs if
      it uploads a descriptor that we already believe is unreachable.
918
919
920
    - Spread the directory authorities' reachability testing over the
      entire testing interval, so we don't try to do 500 TLS's at once
      every 20 minutes.
921
922
923
924
925
926
927
928
929
930
931
932
    - Make the "stable" router flag in network-status be the median of
      the uptimes of running valid servers, and make clients pay
      attention to the network-status flags. Thus the cutoff adapts
      to the stability of the network as a whole, making IRC, IM, etc
      connections more reliable.
    - Make the v2 dir's "Fast" flag based on relative capacity, just
      like "Stable" is based on median uptime. Name everything in the
      top 7/8 Fast, and only the top 1/2 gets to be a Guard.
    - Retry directory requests if we fail to get an answer we like
      from a given dirserver (we were retrying before, but only if
      we fail to connect).
    - Return a robots.txt on our dirport to discourage google indexing.
933

934
  o Controller protocol improvements:
935
    - Revised controller protocol (version 1) that uses ascii rather
936
937
938
      than binary: tor/doc/control-spec.txt. Add supporting libraries
      in python and java and c# so you can use the controller from your
      applications without caring how our protocol works.
939
940
941
942
    - Allow the DEBUG controller event to work again. Mark certain log
      entries as "don't tell this to controllers", so we avoid cycles.
    - New controller function "getinfo accounting", to ask how
      many bytes we've used in this time period.
943
    - Add a "resetconf" command so you can set config options like
944
945
946
      AllowUnverifiedNodes and LongLivedPorts to "". Also, if you give
      a config option in the torrc with no value, then it clears it
      entirely (rather than setting it to its default).
947
    - Add a "getinfo config-file" to tell us where torrc is. Also
948
      expose guard nodes, config options/names.
949
950
951
952
953
    - Add a "quit" command (when when using the controller manually).
    - Add a new signal "newnym" to "change pseudonyms" -- that is, to
      stop using any currently-dirty circuits for new streams, so we
      don't link new actions to old actions. This also occurs on HUP
      or "signal reload".
954
955
956
    - If we would close a stream early (e.g. it asks for a .exit that
      we know would refuse it) but the LeaveStreamsUnattached config
      option is set by the controller, then don't close it.
957
    - Add a new controller event type "authdir_newdescs" that allows
958
      controllers to get all server descriptors that were uploaded to
959
      a router in its role as directory authority.
960
961
962
963
964
965
966
967
968
969
970
    - New controller option "getinfo desc/all-recent" to fetch the
      latest server descriptor for every router that Tor knows about.
    - Fix the controller's "attachstream 0" command to treat conn like
      it just connected, doing address remapping, handling .exit and
      .onion idioms, and so on. Now we're more uniform in making sure
      that the controller hears about new and closing connections.
    - Permit transitioning from ORPort==0 to ORPort!=0, and back, from
      the controller. Also, rotate dns and cpu workers if the controller
      changes options that will affect them; and initialize the dns
      worker cache tree whether or not we start out as a server.
    - Add a new circuit purpose 'controller' to let the controller ask
971
      for a circuit that Tor won't try to use. Extend the "extendcircuit"
972
      controller command to let you specify the purpose if you're starting
973
      a new circuit.  Add a new "setcircuitpurpose" controller command to
974
      let you change a circuit's purpose after it's been created.
975
976
977
978
    - Let the controller ask for "getinfo dir/server/foo" so it can ask
      directly rather than connecting to the dir port. "getinfo
      dir/status/foo" also works, but currently only if your DirPort
      is enabled.
979
980
    - Let the controller tell us about certain router descriptors
      that it doesn't want Tor to use in circuits. Implement
981
      "setrouterpurpose" and modify "+postdescriptor" to do this.
982
983
984
    - If the controller's *setconf commands fail, collect an error
      message in a string and hand it back to the controller -- don't
      just tell them to go read their logs.
985
986

  o Scalability, resource management, and performance:
987
    - Fix a major load balance bug: we were round-robin reading in 16 KB
988
989
990
      chunks, and servers with bandwidthrate of 20 KB, while downloading
      a 600 KB directory, would starve their other connections. Now we
      try to be a bit more fair.
991
992
    - Be more conservative about whether to advertise our DirPort.
      The main change is to not advertise if we're running at capacity
993
994
      and either a) we could hibernate ever or b) our capacity is low
      and we're using a default DirPort.
995
996
997
998
999
1000
    - We weren't cannibalizing circuits correctly for
      CIRCUIT_PURPOSE_C_ESTABLISH_REND and
      CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, so we were being forced to
      build those from scratch. This should make hidden services faster.
    - Predict required circuits better, with an eye toward making hidden
      services faster on the service end.