ChangeLog 125 KB
Newer Older
1
Changes in version 0.1.2.2-alpha - 2006-??-??
2
3
  o Major features:
    - Add server-side support for "reverse" DNS lookups (using PTR
4
5
6
7
8
      records so clients can determine the canonical hostname for a
      given IPv4 address).  This has been specified for a long time,
      but was previously never implemented.  This is only supported by
      eventdns; servers now announce in their descriptors whether they
      support eventdns.
9
10
    - Specify and implement client-side SOCKS5 interface for reverse DNS
      lookups; see doc/socks-extensions.txt for full information.
11

12
13
  o Minor features:
    - Check for name servers (like Earthlink's) that hijack failing DNS
14
15
16
17
18
      requests and replace the no-such-server answer with a "helpful"
      redirect to an advertising-driven search portal.  We're a little
      clever about this, in order to work around DNS hijackers who
      "helpfully" decline to hijack known-invalid RFC2606 addresses.
      Config option "ServerDNSDetectHijacking 0" lets you turn it off.
19
    - When asked to resolve a hostname, don't use non-exit servers unless
20
21
      requested to do so.  This allows servers with broken DNS to
      be useful to the network.
22

23
  o Security Fixes, minor:
24
    - If a client asked for a server by name, and we didn't have a
25
26
27
28
29
      descriptor for a named server with that name, we might return an
      old one.
    - Fix NetBSD bug that could allow someone to force uninitialized RAM
      to be sent to a server's DNS resolver. This only affects NetBSD
      and other platforms that do not bounds-check tolower().
30

31
32
33
34
35
36
  o Major bugfixes:
    - Avoiding crashing on race condition in dns.c:
      tor_assert(! resolve->expire)
    - When a client asks the server to resolve (not connect to)
      an address, and it has a cached answer, give them the cached answer.
      Previously, the server would give them no answer at all.
37

38
39
40
  o Minor Bugfixes:
    - Two small performance improvements on parsing descriptors.
    - Major performance improvement on inserting descriptors: change
41
      algorithm from O(n^2) to O(n).
42
43
    - Make the common memory allocation path faster on machines where
      malloc(0) returns a pointer.
44
45
    - Fix a debug log message in eventdns to say "X resolved to Y"
      instead of "X resolved to X".
46
47
48
49
50
51
52
53
54
55
    - Prevent the contrib/exitlist script from printing the same
      result more than once.
    - Resume building on non-gcc compilers and ancient gcc. Resume
      building with the -O0 compile flag. Resume building cleanly on
      Debian woody.
    - Correct includes for net/if.h and net/pfvar.h on OpenBSD (from Tup).
    - Improve Tor's chances of building and running on Cygwin again.
    - If we're a directory mirror and we ask for "all" network status
      documents, we would discard status documents from authorities
      we don't recognize.
56

57
58
59
60
  o Documentation
    - Documented (and renamed) ServerDNSSearchDomains and
      ServerDNSResolvConfFile options.

61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103


  o Packaging:
    - Patches so Tor builds with MinGW on Windows.
    - The Debian package now uses --verify-config when (re)starting,
      to distinguish configuration errors from other errors.
    - Update rpms to require libevent 1.1b.
    - Remove architecture from OS X builds. The official builds are
      now universal binaries.

    - Make eventdns on-by-default.
    - Divide eventdns log messages into warn and info messages.
    - Add new config option "ResolvConf" to let the server operator
      choose an alternate resolve.conf file.

    - Allow really slow clients to not hang up five minutes into their
      directory downloads (suggested by Adam J. Richter).
    - Apply patch from Adam Langley: fix assert() in eventdns.c.
    - Finally fix the openssl warnings with newer gccs that believe that
      ignoring a return value is okay, but casting a return value and
      then ignoring it is a sign of madness.
    - Don't crash when the controller receives a third argument to an
      "extendcircuit" request.
    - Add a "getinfo address" controller command.
    - Controller protocol fixes: fix encoding in "getinfo addr-mappings"
      response; fix error code when "getinfo dir/status/" fails.
    - Start remembering X-Your-Address-Is directory hints even if you're
      a client, so you can become a server more smoothly.
    - Avoid crash when telling controller stream-status and a stream
      is detached.
    - Avoid crashing when we mmap a router cache file of size 0.
    - Avoid duplicate entries on MyFamily line in server descriptor.
    - Patch from Steve Hildrey: Generate network status correctly on
      non-versioning dirservers.
    - Send out a burst of long-range drop cells after we've established
      that we're reachable. Spread them over 4 circuits, so hopefully
      a few will be fast. This exercises our bandwidth and bootstraps
      us quicker.
    - Remove 8888 as a long lived port, and add 6697 (ircs).

    (stopped at r8478)


104
105
106
Changes in version 0.1.2.1-alpha - 2006-08-27
  o Major features:
    - Add "eventdns" async dns library from Adam Langley, tweaked to
107
108
      build on OSX and Windows. Only enabled if you pass the
      --enable-eventdns argument to configure.
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
    - Allow servers with no hostname or IP address to learn their
      IP address by asking the directory authorities. This code only
      kicks in when you would normally have exited with a "no address"
      error. Nothing's authenticated, so use with care.
    - Rather than waiting a fixed amount of time between retrying
      application connections, we wait only 5 seconds for the first,
      10 seconds for the second, and 15 seconds for each retry after
      that. Hopefully this will improve the expected user experience.
    - Patch from Tup to add support for transparent AP connections:
      this basically bundles the functionality of trans-proxy-tor
      into the Tor mainline. Now hosts with compliant pf/netfilter
      implementations can redirect TCP connections straight to Tor
      without diverting through SOCKS. Needs docs.
    - Busy directory servers save lots of memory by spooling server
      descriptors, v1 directories, and v2 networkstatus docs to buffers
      as needed rather than en masse. Also mmap the cached-routers
      files, so we don't need to keep the whole thing in memory too.
    - Automatically avoid picking more than one node from the same
      /16 network when constructing a circuit.
    - Revise and clean up the torrc.sample that we ship with; add
      a section for BandwidthRate and BandwidthBurst.

  o Minor features:
132
133
134
    - Split circuit_t into origin_circuit_t and or_circuit_t, and
      split connection_t into edge, or, dir, control, and base structs.
      These will save quite a bit of memory on busy servers, and they'll
135
136
137
138
139
140
141
142
      also help us track down bugs in the code and bugs in the spec.
    - Experimentally re-enable kqueue on OSX when using libevent 1.1b
      or later. Log when we are doing this, so we can diagnose it when
      it fails. (Also, recommend libevent 1.1b for kqueue and
      win32 methods; deprecate libevent 1.0b harder; make libevent
      recommendation system saner.)
    - Start being able to build universal binaries on OS X (thanks
      to Phobos).
143
144
    - Export the default exit policy via the control port, so controllers
      don't need to guess what it is / will be later.
145
146
147
148
149
150
151
152
153
154
155
    - Add a man page entry for ProtocolWarnings.
    - Add TestVia config option to the man page.
    - Remove even more protocol-related warnings from Tor server logs,
      such as bad TLS handshakes and malformed begin cells.
    - Stop fetching descriptors if you're not a dir mirror and you
      haven't tried to establish any circuits lately. [This currently
      causes some dangerous behavior, because when you start up again
      you'll use your ancient server descriptors.]
    - New DirPort behavior: if you have your dirport set, you download
      descriptors aggressively like a directory mirror, whether or not
      your ORPort is set.
156
157
158
159
160
161
162
    - Get rid of the router_retry_connections notion. Now routers
      no longer try to rebuild long-term connections to directory
      authorities, and directory authorities no longer try to rebuild
      long-term connections to all servers. We still don't hang up
      connections in these two cases though -- we need to look at it
      more carefully to avoid flapping, and we likely need to wait til
      0.1.1.x is obsolete.
163
164
165
166
167
168
    - Drop compatibility with obsolete Tors that permit create cells
      to have the wrong circ_id_type.
    - Re-enable per-connection rate limiting. Get rid of the "OP
      bandwidth" concept. Lay groundwork for "bandwidth classes" --
      separate global buckets that apply depending on what sort of conn
      it is.
169
170
171
172
    - Start publishing one minute or so after we find our ORPort
      to be reachable. This will help reduce the number of descriptors
      we have for ourselves floating around, since it's quite likely
      other things (e.g. DirPort) will change during that minute too.
173
    - Fork the v1 directory protocol into its own spec document,
174
175
      and mark dir-spec.txt as the currently correct (v2) spec.

176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
  o Major bugfixes:
    - When we find our DirPort to be reachable, publish a new descriptor
      so we'll tell the world (reported by pnx).
    - Publish a new descriptor after we hup/reload. This is important
      if our config has changed such that we'll want to start advertising
      our DirPort now, etc.
    - Allow Tor to start when RunAsDaemon is set but no logs are set.
    - When we have a state file we cannot parse, tell the user and
      move it aside. Now we avoid situations where the user starts
      Tor in 1904, Tor writes a state file with that timestamp in it,
      the user fixes her clock, and Tor refuses to start.
    - Fix configure.in to not produce broken configure files with
      more recent versions of autoconf. Thanks to Clint for his auto*
      voodoo.
    - "tor --verify-config" now exits with -1(255) or 0 depending on
      whether the config options are bad or good.
    - Resolve bug 321 when using dnsworkers: append a period to every
      address we resolve at the exit node, so that we do not accidentally
      pick up local addresses, and so that failing searches are retried
      in the resolver search domains. (This is already solved for
      eventdns.) (This breaks Blossom servers for now.)
    - If we are using an exit enclave and we can't connect, e.g. because
      its webserver is misconfigured to not listen on localhost, then
      back off and try connecting from somewhere else before we fail.

  o Minor bugfixes:
    - Start compiling on MinGW on Windows (patches from Mike Chiussi).
    - Start compiling on MSVC6 on Windows (patches from Frediano Ziglio).
    - Fix bug 314: Tor clients issued "unsafe socks" warnings even
      when the IP address is mapped through MapAddress to a hostname.
    - Start passing "ipv4" hints to getaddrinfo(), so servers don't do
      useless IPv6 DNS resolves.
    - Patch suggested by Karsten Loesing: respond to SIGNAL command
      before we execute the signal, in case the signal shuts us down.
    - Clean up AllowInvalidNodes man page entry.
    - Claim a commonname of Tor, rather than TOR, in TLS handshakes.
    - Add more asserts to track down an assert error on a windows Tor
      server with connection_add being called with socket == -1.
    - Handle reporting OR_CONN_EVENT_NEW events to the controller.
215
216
217
218
219
    - Fix misleading log messages: an entry guard that is "unlisted",
      as well as not known to be "down" (because we've never heard
      of it), is not therefore "up".
    - Remove code to special-case "-cvs" ending, since it has not
      actually mattered since 0.0.9.
220
221
222
223
    - Make our socks5 handling more robust to broken socks clients:
      throw out everything waiting on the buffer in between socks
      handshake phases, since they can't possibly (so the theory
      goes) have predicted what we plan to respond to them.
224

225

226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
Changes in version 0.1.1.23 - 2006-07-30
  o Major bugfixes:
    - Fast Tor servers, especially exit nodes, were triggering asserts
      due to a bug in handling the list of pending DNS resolves. Some
      bugs still remain here; we're hunting them.
    - Entry guards could crash clients by sending unexpected input.
    - More fixes on reachability testing: if you find yourself reachable,
      then don't ever make any client requests (so you stop predicting
      circuits), then hup or have your clock jump, then later your IP
      changes, you won't think circuits are working, so you won't try to
      test reachability, so you won't publish.

  o Minor bugfixes:
    - Avoid a crash if the controller does a resetconf firewallports
      and then a setconf fascistfirewall=1.
    - Avoid an integer underflow when the dir authority decides whether
      a router is stable: we might wrongly label it stable, and compute
      a slightly wrong median stability, when a descriptor is published
      later than now.
    - Fix a place where we might trigger an assert if we can't build our
      own server descriptor yet.


249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
Changes in version 0.1.1.22 - 2006-07-05
  o Major bugfixes:
    - Fix a big bug that was causing servers to not find themselves
      reachable if they changed IP addresses. Since only 0.1.1.22+
      servers can do reachability testing correctly, now we automatically
      make sure to test via one of these.
    - Fix to allow clients and mirrors to learn directory info from
      descriptor downloads that get cut off partway through.
    - Directory authorities had a bug in deciding if a newly published
      descriptor was novel enough to make everybody want a copy -- a few
      servers seem to be publishing new descriptors many times a minute.
  o Minor bugfixes:
    - Fix a rare bug that was causing some servers to complain about
      "closing wedged cpuworkers" and skip some circuit create requests.
    - Make the Exit flag in directory status documents actually work.


266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
Changes in version 0.1.1.21 - 2006-06-10
  o Crash and assert fixes from 0.1.1.20:
    - Fix a rare crash on Tor servers that have enabled hibernation.
    - Fix a seg fault on startup for Tor networks that use only one
      directory authority.
    - Fix an assert from a race condition that occurs on Tor servers
      while exiting, where various threads are trying to log that they're
      exiting, and delete the logs, at the same time.
    - Make our unit tests pass again on certain obscure platforms.

  o Other fixes:
    - Add support for building SUSE RPM packages.
    - Speed up initial bootstrapping for clients: if we are making our
      first ever connection to any entry guard, then don't mark it down
      right after that.
    - When only one Tor server in the network is labelled as a guard,
      and we've already picked him, we would cycle endlessly picking him
      again, being unhappy about it, etc. Now we specifically exclude
      current guards when picking a new guard.
    - Servers send create cells more reliably after the TLS connection
      is established: we were sometimes forgetting to send half of them
      when we had more than one pending.
    - If we get a create cell that asks us to extend somewhere, but the
      Tor server there doesn't match the expected digest, we now send
      a destroy cell back, rather than silently doing nothing.
    - Make options->RedirectExit work again.
    - Make cookie authentication for the controller work again.
    - Stop being picky about unusual characters in the arguments to
      mapaddress. It's none of our business.
    - Add a new config option "TestVia" that lets you specify preferred
      middle hops to use for test circuits. Perhaps this will let me
      debug the reachability problems better.

  o Log / documentation fixes:
    - If we're a server and some peer has a broken TLS certificate, don't
      log about it unless ProtocolWarnings is set, i.e., we want to hear
      about protocol violations by others.
    - Fix spelling of VirtualAddrNetwork in man page.
    - Add a better explanation at the top of the autogenerated torrc file
      about what happened to our old torrc.


308
Changes in version 0.1.1.20 - 2006-05-23
309
310
311
312
313
314
315
316
  o Crash and assert fixes from 0.1.0.17:
    - Fix assert bug in close_logs() on exit: when we close and delete
      logs, remove them all from the global "logfiles" list.
    - Fix an assert error when we're out of space in the connection_list
      and we try to post a hidden service descriptor (reported by Peter
      Palfrader).
    - Fix a rare assert error when we've tried all intro points for
      a hidden service and we try fetching the service descriptor again:
317
318
      "Assertion conn->state != AP_CONN_STATE_RENDDESC_WAIT failed".
    - Setconf SocksListenAddress kills Tor if it fails to bind. Now back
319
320
      out and refuse the setconf if it would fail.
    - If you specify a relative torrc path and you set RunAsDaemon in
321
322
      your torrc, then it chdir()'s to the new directory. If you then
      HUP, it tries to load the new torrc location, fails, and exits.
323
324
325
326
327
328
329
330
      The fix: no longer allow a relative path to torrc when using -f.
    - Check for integer overflows in more places, when adding elements
      to smartlists. This could possibly prevent a buffer overflow
      on malicious huge inputs.

  o Security fixes, major:
    - When we're printing strings from the network, don't try to print
      non-printable characters. Now we're safer against shell escape
331
      sequence exploits, and also against attacks to fool users into
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
      misreading their logs.
    - Implement entry guards: automatically choose a handful of entry
      nodes and stick with them for all circuits. Only pick new guards
      when the ones you have are unsuitable, and if the old guards
      become suitable again, switch back. This will increase security
      dramatically against certain end-point attacks. The EntryNodes
      config option now provides some hints about which entry guards you
      want to use most; and StrictEntryNodes means to only use those.
      Fixes CVE-2006-0414.
    - Implement exit enclaves: if we know an IP address for the
      destination, and there's a running Tor server at that address
      which allows exit to the destination, then extend the circuit to
      that exit first. This provides end-to-end encryption and end-to-end
      authentication. Also, if the user wants a .exit address or enclave,
      use 4 hops rather than 3, and cannibalize a general circ for it
      if you can.
    - Obey our firewall options more faithfully:
      . If we can't get to a dirserver directly, try going via Tor.
      . Don't ever try to connect (as a client) to a place our
        firewall options forbid.
      . If we specify a proxy and also firewall options, obey the
        firewall options even when we're using the proxy: some proxies
        can only proxy to certain destinations.
    - Make clients regenerate their keys when their IP address changes.
    - For the OS X package's modified privoxy config file, comment
      out the "logfile" line so we don't log everything passed
      through privoxy.
    - Our TLS handshakes were generating a single public/private
      keypair for the TLS context, rather than making a new one for
      each new connection. Oops. (But we were still rotating them
      periodically, so it's not so bad.)
    - When we were cannibalizing a circuit with a particular exit
      node in mind, we weren't checking to see if that exit node was
365
      already present earlier in the circuit. Now we are.
366
    - Require server descriptors to list IPv4 addresses -- hostnames
367
368
      are no longer allowed. This also fixes potential vulnerabilities
      to servers providing hostnames as their address and then
369
370
371
372
373
      preferentially resolving them so they can partition users.
    - Our logic to decide if the OR we connected to was the right guy
      was brittle and maybe open to a mitm for invalid routers.

  o Security fixes, minor:
374
375
    - Adjust tor-spec.txt to parameterize cell and key lengths. Now
      Ian Goldberg can prove things about our handshake protocol more
376
      easily.
377
378
379
    - Make directory authorities generate a separate "guard" flag to
      mean "would make a good entry guard". Clients now honor the
      is_guard flag rather than looking at is_fast or is_stable.
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
    - Try to list MyFamily elements by key, not by nickname, and warn
      if we've not heard of a server.
    - Start using RAND_bytes rather than RAND_pseudo_bytes from
      OpenSSL. Also, reseed our entropy every hour, not just at
      startup. And add entropy in 512-bit chunks, not 160-bit chunks.
    - Refuse server descriptors where the fingerprint line doesn't match
      the included identity key. Tor doesn't care, but other apps (and
      humans) might actually be trusting the fingerprint line.
    - We used to kill the circuit when we receive a relay command we
      don't recognize. Now we just drop that cell.
    - Fix a bug found by Lasse Overlier: when we were making internal
      circuits (intended to be cannibalized later for rendezvous and
      introduction circuits), we were picking them so that they had
      useful exit nodes. There was no need for this, and it actually
      aids some statistical attacks.
    - Start treating internal circuits and exit circuits separately.
      It's important to keep them separate because internal circuits
      have their last hops picked like middle hops, rather than like
      exit hops. So exiting on them will break the user's expectations.
399
400
401
402
403
    - Fix a possible way to DoS dirservers.
    - When the client asked for a rendezvous port that the hidden
      service didn't want to provide, we were sending an IP address
      back along with the end cell. Fortunately, it was zero. But stop
      that anyway.
404
405

  o Packaging improvements:
406
    - Implement --with-libevent-dir option to ./configure. Improve
407
      search techniques to find libevent, and use those for openssl too.
408
    - Fix a couple of bugs in OpenSSL detection. Deal better when
409
410
      there are multiple SSLs installed with different versions.
    - Avoid warnings about machine/limits.h on Debian GNU/kFreeBSD.
411
    - On non-gcc compilers (e.g. Solaris's cc), use "-g -O" instead of
412
413
414
415
416
417
418
419
420
421
422
423
424
425
      "-Wall -g -O2".
    - Make unit tests (and other invocations that aren't the real Tor)
      run without launching listeners, creating subdirectories, and so on.
    - The OS X installer was adding a symlink for tor_resolve but
      the binary was called tor-resolve (reported by Thomas Hardly).
    - Now we can target arch and OS in rpm builds (contributed by
      Phobos). Also make the resulting dist-rpm filename match the
      target arch.
    - Apply Matt Ghali's --with-syslog-facility patch to ./configure
      if you log to syslog and want something other than LOG_DAEMON.
    - Fix the torify (tsocks) config file to not use Tor for localhost
      connections.
    - Start shipping socks-extensions.txt, tor-doc-unix.html,
      tor-doc-server.html, and stylesheet.css in the tarball.
426
427
428
429
430
    - Stop shipping tor-doc.html, INSTALL, and README in the tarball.
      They are useless now.
    - Add Peter Palfrader's contributed check-tor script. It lets you
      easily check whether a given server (referenced by nickname)
      is reachable by you.
431
432
433
434
435
    - Add BSD-style contributed startup script "rc.subr" from Peter
      Thoenen.

  o Directory improvements -- new directory protocol:
    - See tor/doc/dir-spec.txt for all the juicy details. Key points:
436
437
    - Authorities and caches publish individual descriptors (by
      digest, by fingerprint, by "all", and by "tell me yours").
438
    - Clients don't download or use the old directory anymore. Now they
439
440
441
      download network-statuses from the directory authorities, and
      fetch individual server descriptors as needed from mirrors.
    - Clients don't download descriptors of non-running servers.
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
    - Download descriptors by digest, not by fingerprint. Caches try to
      download all listed digests from authorities; clients try to
      download "best" digests from caches. This avoids partitioning
      and isolating attacks better.
    - Only upload a new server descriptor when options change, 18
      hours have passed, uptime is reset, or bandwidth changes a lot.
    - Directory authorities silently throw away new descriptors that
      haven't changed much if the timestamps are similar. We do this to
      tolerate older Tor servers that upload a new descriptor every 15
      minutes. (It seemed like a good idea at the time.)
    - Clients choose directory servers from the network status lists,
      not from their internal list of router descriptors. Now they can
      go to caches directly rather than needing to go to authorities
      to bootstrap the first set of descriptors.
    - When picking a random directory, prefer non-authorities if any
      are known.
    - Add a new flag to network-status indicating whether the server
      can answer v2 directory requests too.
    - Directory mirrors now cache up to 16 unrecognized network-status
461
      docs, so new directory authorities will be cached too.
462
463
    - Stop parsing, storing, or using running-routers output (but
      mirrors still cache and serve it).
464
    - Clients consider a threshold of "versioning" directory authorities
465
      before deciding whether to warn the user that he's obsolete.
466
467
    - Authorities publish separate sorted lists of recommended versions
      for clients and for servers.
468
    - Change DirServers config line to note which dirs are v1 authorities.
469
470
    - Put nicknames on the DirServer line, so we can refer to them
      without requiring all our users to memorize their IP addresses.
471
472
473
    - Remove option when getting directory cache to see whether they
      support running-routers; they all do now. Replace it with one
      to see whether caches support v2 stuff.
474
475
476
477
478
    - Stop listing down or invalid nodes in the v1 directory. This
      reduces its bulk by about 1/3, and reduces load on mirrors.
    - Mirrors no longer cache the v1 directory as often.
    - If we as a directory mirror don't know of any v1 directory
      authorities, then don't try to cache any v1 directories.
479

480
  o Other directory improvements:
481
482
483
    - Add lefkada.eecs.harvard.edu and tor.dizum.com as fourth and
      fifth authoritative directory servers.
    - Directory authorities no longer require an open connection from
484
      a server to consider him "reachable". We need this change because
485
486
      when we add new directory authorities, old servers won't know not
      to hang up on them.
487
488
489
490
    - Dir authorities now do their own external reachability testing
      of each server, and only list as running the ones they found to
      be reachable. We also send back warnings to the server's logs if
      it uploads a descriptor that we already believe is unreachable.
491
492
493
    - Spread the directory authorities' reachability testing over the
      entire testing interval, so we don't try to do 500 TLS's at once
      every 20 minutes.
494
495
496
497
498
499
500
501
502
503
504
505
    - Make the "stable" router flag in network-status be the median of
      the uptimes of running valid servers, and make clients pay
      attention to the network-status flags. Thus the cutoff adapts
      to the stability of the network as a whole, making IRC, IM, etc
      connections more reliable.
    - Make the v2 dir's "Fast" flag based on relative capacity, just
      like "Stable" is based on median uptime. Name everything in the
      top 7/8 Fast, and only the top 1/2 gets to be a Guard.
    - Retry directory requests if we fail to get an answer we like
      from a given dirserver (we were retrying before, but only if
      we fail to connect).
    - Return a robots.txt on our dirport to discourage google indexing.
506

507
  o Controller protocol improvements:
508
    - Revised controller protocol (version 1) that uses ascii rather
509
510
511
      than binary: tor/doc/control-spec.txt. Add supporting libraries
      in python and java and c# so you can use the controller from your
      applications without caring how our protocol works.
512
513
514
515
    - Allow the DEBUG controller event to work again. Mark certain log
      entries as "don't tell this to controllers", so we avoid cycles.
    - New controller function "getinfo accounting", to ask how
      many bytes we've used in this time period.
516
    - Add a "resetconf" command so you can set config options like
517
518
519
      AllowUnverifiedNodes and LongLivedPorts to "". Also, if you give
      a config option in the torrc with no value, then it clears it
      entirely (rather than setting it to its default).
520
    - Add a "getinfo config-file" to tell us where torrc is. Also
521
      expose guard nodes, config options/names.
522
523
524
525
526
    - Add a "quit" command (when when using the controller manually).
    - Add a new signal "newnym" to "change pseudonyms" -- that is, to
      stop using any currently-dirty circuits for new streams, so we
      don't link new actions to old actions. This also occurs on HUP
      or "signal reload".
527
528
529
    - If we would close a stream early (e.g. it asks for a .exit that
      we know would refuse it) but the LeaveStreamsUnattached config
      option is set by the controller, then don't close it.
530
    - Add a new controller event type "authdir_newdescs" that allows
531
      controllers to get all server descriptors that were uploaded to
532
      a router in its role as directory authority.
533
534
535
536
537
538
539
540
541
542
543
    - New controller option "getinfo desc/all-recent" to fetch the
      latest server descriptor for every router that Tor knows about.
    - Fix the controller's "attachstream 0" command to treat conn like
      it just connected, doing address remapping, handling .exit and
      .onion idioms, and so on. Now we're more uniform in making sure
      that the controller hears about new and closing connections.
    - Permit transitioning from ORPort==0 to ORPort!=0, and back, from
      the controller. Also, rotate dns and cpu workers if the controller
      changes options that will affect them; and initialize the dns
      worker cache tree whether or not we start out as a server.
    - Add a new circuit purpose 'controller' to let the controller ask
544
      for a circuit that Tor won't try to use. Extend the "extendcircuit"
545
      controller command to let you specify the purpose if you're starting
546
      a new circuit.  Add a new "setcircuitpurpose" controller command to
547
      let you change a circuit's purpose after it's been created.
548
549
550
551
    - Let the controller ask for "getinfo dir/server/foo" so it can ask
      directly rather than connecting to the dir port. "getinfo
      dir/status/foo" also works, but currently only if your DirPort
      is enabled.
552
553
    - Let the controller tell us about certain router descriptors
      that it doesn't want Tor to use in circuits. Implement
554
      "setrouterpurpose" and modify "+postdescriptor" to do this.
555
556
557
    - If the controller's *setconf commands fail, collect an error
      message in a string and hand it back to the controller -- don't
      just tell them to go read their logs.
558
559

  o Scalability, resource management, and performance:
560
    - Fix a major load balance bug: we were round-robin reading in 16 KB
561
562
563
      chunks, and servers with bandwidthrate of 20 KB, while downloading
      a 600 KB directory, would starve their other connections. Now we
      try to be a bit more fair.
564
565
    - Be more conservative about whether to advertise our DirPort.
      The main change is to not advertise if we're running at capacity
566
567
      and either a) we could hibernate ever or b) our capacity is low
      and we're using a default DirPort.
568
569
570
571
572
573
574
575
    - We weren't cannibalizing circuits correctly for
      CIRCUIT_PURPOSE_C_ESTABLISH_REND and
      CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, so we were being forced to
      build those from scratch. This should make hidden services faster.
    - Predict required circuits better, with an eye toward making hidden
      services faster on the service end.
    - Compress exit policies even more: look for duplicate lines and
      remove them.
576
577
578
579
580
    - Generate 18.0.0.0/8 address policy format in descs when we can;
      warn when the mask is not reducible to a bit-prefix.
    - There used to be two ways to specify your listening ports in a
      server descriptor: on the "router" line and with a separate "ports"
      line. Remove support for the "ports" line.
581
582
583
584
585
    - Reduce memory requirements in our structs by changing the order
      of fields. Replace balanced trees with hash tables. Inline
      bottleneck smartlist functions. Add a "Map from digest to void*"
      abstraction so we can do less hex encoding/decoding, and use it
      in router_get_by_digest(). Many other CPU and memory improvements.
586
587
588
    - Allow tor_gzip_uncompress to extract as much as possible from
      truncated compressed data. Try to extract as many
      descriptors as possible from truncated http responses (when
589
      purpose is DIR_PURPOSE_FETCH_ROUTERDESC).
590
591
592
593
594
595
596
    - Make circ->onionskin a pointer, not a static array. moria2 was using
      125000 circuit_t's after it had been up for a few weeks, which
      translates to 20+ megs of wasted space.
    - The private half of our EDH handshake keys are now chosen out
      of 320 bits, not 1024 bits. (Suggested by Ian Goldberg.)
    - Stop doing the complex voodoo overkill checking for insecure
      Diffie-Hellman keys. Just check if it's in [2,p-2] and be happy.
597
598
599
600
601
602
    - Do round-robin writes for TLS of at most 16 kB per write. This
      might be more fair on loaded Tor servers.
    - Do not use unaligned memory access on alpha, mips, or mipsel.
      It *works*, but is very slow, so we treat them as if it doesn't.

  o Other bugfixes and improvements:
603
604
    - Start storing useful information to $DATADIR/state, so we can
      remember things across invocations of Tor. Retain unrecognized
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
      lines so we can be forward-compatible, and write a TorVersion line
      so we can be backward-compatible.
    - If ORPort is set, Address is not explicitly set, and our hostname
      resolves to a private IP address, try to use an interface address
      if it has a public address. Now Windows machines that think of
      themselves as localhost can guess their address.
    - Regenerate our local descriptor if it's dirty and we try to use
      it locally (e.g. if it changes during reachability detection).
      This was causing some Tor servers to keep publishing the same
      initial descriptor forever.
    - Tor servers with dynamic IP addresses were needing to wait 18
      hours before they could start doing reachability testing using
      the new IP address and ports. This is because they were using
      the internal descriptor to learn what to test, yet they were only
      rebuilding the descriptor once they decided they were reachable.
    - It turns out we couldn't bootstrap a network since we added
      reachability detection in 0.1.0.1-rc. Good thing the Tor network
      has never gone down. Add an AssumeReachable config option to let
623
      servers and authorities bootstrap. When we're trying to build a
624
625
626
627
      high-uptime or high-bandwidth circuit but there aren't enough
      suitable servers, try being less picky rather than simply failing.
    - Newly bootstrapped Tor networks couldn't establish hidden service
      circuits until they had nodes with high uptime. Be more tolerant.
628
629
630
631
632
633
634
635
636
637
638
639
    - Really busy servers were keeping enough circuits open on stable
      connections that they were wrapping around the circuit_id
      space. (It's only two bytes.) This exposed a bug where we would
      feel free to reuse a circuit_id even if it still exists but has
      been marked for close. Try to fix this bug. Some bug remains.
    - When we fail to bind or listen on an incoming or outgoing
      socket, we now close it before refusing, rather than just
      leaking it. (Thanks to Peter Palfrader for finding.)
    - Fix a file descriptor leak in start_daemon().
    - On Windows, you can't always reopen a port right after you've
      closed it. So change retry_listeners() to only close and re-open
      ports that have changed.
640
    - Workaround a problem with some http proxies that refuse GET
641
      requests that specify "Content-Length: 0". Reported by Adrian.
642
643
644
645
646
647
648
649
    - Recover better from TCP connections to Tor servers that are
      broken but don't tell you (it happens!); and rotate TLS
      connections once a week.
    - Fix a scary-looking but apparently harmless bug where circuits
      would sometimes start out in state CIRCUIT_STATE_OR_WAIT at
      servers, and never switch to state CIRCUIT_STATE_OPEN.
    - Check for even more Windows version flags when writing the platform
      string in server descriptors, and note any we don't recognize.
650
651
    - Add reasons to DESTROY and RELAY_TRUNCATED cells, so clients can
      get a better idea of why their circuits failed. Not used yet.
652
653
654
655
656
657
658
    - Add TTLs to RESOLVED, CONNECTED, and END_REASON_EXITPOLICY cells.
      We don't use them yet, but maybe one day our DNS resolver will be
      able to discover them.
    - Let people type "tor --install" as well as "tor -install" when they
      want to make it an NT service.
    - Looks like we were never delivering deflated (i.e. compressed)
      running-routers lists, even when asked. Oops.
659
660
661
    - We were leaking some memory every time the client changed IPs.
    - Clean up more of the OpenSSL memory when exiting, so we can detect
      memory leaks better.
662
663
    - Never call free() on tor_malloc()d memory. This will help us
      use dmalloc to detect memory leaks.
664
665
    - Some Tor servers process billions of cells per day. These
      statistics are now uint64_t's.
666
667
668
    - Check [X-]Forwarded-For headers in HTTP requests when generating
      log messages. This lets people run dirservers (and caches) behind
      Apache but still know which IP addresses are causing warnings.
669
670
671
672
673
674
675
    - Fix minor integer overflow in calculating when we expect to use up
      our bandwidth allocation before hibernating.
    - Lower the minimum required number of file descriptors to 1000,
      so we can have some overhead for Valgrind on Linux, where the
      default ulimit -n is 1024.
    - Stop writing the "router.desc" file, ever. Nothing uses it anymore,
      and its existence is confusing some users.
676
677

  o Config option fixes:
678
679
    - Add a new config option ExitPolicyRejectPrivate which defaults
      to on. Now all exit policies will begin with rejecting private
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
      addresses, unless the server operator explicitly turns it off.
    - Bump the default bandwidthrate to 3 MB, and burst to 6 MB.
    - Add new ReachableORAddresses and ReachableDirAddresses options
      that understand address policies. FascistFirewall is now a synonym
      for "ReachableORAddresses *:443", "ReachableDirAddresses *:80".
    - Start calling it FooListenAddress rather than FooBindAddress,
      since few of our users know what it means to bind an address
      or port.
    - If the user gave Tor an odd number of command-line arguments,
      we were silently ignoring the last one. Now we complain and fail.
      This wins the oldest-bug prize -- this bug has been present since
      November 2002, as released in Tor 0.0.0.
    - If you write "HiddenServicePort 6667 127.0.0.1 6668" in your
      torrc rather than "HiddenServicePort 6667 127.0.0.1:6668",
      it would silently ignore the 6668.
    - If we get a linelist or linelist_s config option from the torrc,
      e.g. ExitPolicy, and it has no value, warn and skip rather than
      silently resetting it to its default.
    - Setconf was appending items to linelists, not clearing them.
699
700
    - Add MyFamily to torrc.sample in the server section, so operators
      will be more likely to learn that it exists.
701
702
703
704
705
706
707
    - Make ContactInfo mandatory for authoritative directory servers.
    - MaxConn has been obsolete for a while now. Document the ConnLimit
      config option, which is a *minimum* number of file descriptors
      that must be available else Tor refuses to start.
    - Get rid of IgnoreVersion undocumented config option, and make us
      only warn, never exit, when we're running an obsolete version.
    - Make MonthlyAccountingStart config option truly obsolete now.
708
    - Correct the man page entry on TrackHostExitsExpire.
709
710
    - Let directory authorities start even if they don't specify an
      Address config option.
711
712
713
714
715
716
717
    - Change "AllowUnverifiedNodes" to "AllowInvalidNodes", to
      reflect the updated flags in our v2 dir protocol.

  o Config option features:
    - Add a new config option FastFirstHopPK (on by default) so clients
      do a trivial crypto handshake for their first hop, since TLS has
      already taken care of confidentiality and authentication.
718
    - Let the user set ControlListenAddress in the torrc. This can be
719
720
721
722
723
724
725
726
727
      dangerous, but there are some cases (like a secured LAN) where it
      makes sense.
    - New config options to help controllers: FetchServerDescriptors
      and FetchHidServDescriptors for whether to fetch server
      info and hidserv info or let the controller do it, and
      PublishServerDescriptor and PublishHidServDescriptors.
    - Also let the controller set the __AllDirActionsPrivate config
      option if you want all directory fetches/publishes to happen via
      Tor (it assumes your controller bootstraps your circuits).
728
    - Add "HardwareAccel" config option: support for crypto hardware
729
730
731
      accelerators via OpenSSL. Off by default, until we find somebody
      smart who can test it for us. (It appears to produce seg faults
      in at least some cases.)
732
733
    - New config option "AuthDirRejectUnlisted" for directory authorities
      as a panic button: if we get flooded with unusable servers we can
734
      revert to only listing servers in the approved-routers file.
735
736
737
738
739
740
741
    - Directory authorities can now reject/invalidate by key and IP,
      with the config options "AuthDirInvalid" and "AuthDirReject", or
      by marking a fingerprint as "!reject" or "!invalid" (as its
      nickname) in the approved-routers file. This is useful since
      currently we automatically list servers as running and usable
      even if we know they're jerks.
    - Add a new config option TestSocks so people can see whether their
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
      applications are using socks4, socks4a, socks5-with-ip, or
      socks5-with-fqdn. This way they don't have to keep mucking
      with tcpdump and wondering if something got cached somewhere.
    - Add "private:*" as an alias in configuration for policies. Now
      you can simplify your exit policy rather than needing to list
      every single internal or nonroutable network space.
    - Accept "private:*" in routerdesc exit policies; not generated yet
      because older Tors do not understand it.
    - Add configuration option "V1AuthoritativeDirectory 1" which
      moria1, moria2, and tor26 have set.
    - Implement an option, VirtualAddrMask, to set which addresses
      get handed out in response to mapaddress requests. This works
      around a bug in tsocks where 127.0.0.0/8 is never socksified.
    - Add a new config option FetchUselessDescriptors, off by default,
      for when you plan to run "exitlist" on your client and you want
      to know about even the non-running descriptors.
    - SocksTimeout: How long do we let a socks connection wait
      unattached before we fail it?
    - CircuitBuildTimeout: Cull non-open circuits that were born
      at least this many seconds ago.
    - CircuitIdleTimeout: Cull open clean circuits that were born
      at least this many seconds ago.
    - New config option SafeSocks to reject all application connections
      using unsafe socks protocols. Defaults to off.

  o Improved and clearer log messages:
    - Reduce clutter in server logs. We're going to try to make
      them actually usable now. New config option ProtocolWarnings that
      lets you hear about how _other Tors_ are breaking the protocol. Off
      by default.
    - Divide log messages into logging domains. Once we put some sort
      of interface on this, it will let people looking at more verbose
      log levels specify the topics they want to hear more about.
775
776
777
778
    - Log server fingerprint on startup, so new server operators don't
      have to go hunting around their filesystem for it.
    - Provide dire warnings to any users who set DirServer manually;
      move it out of torrc.sample and into torrc.complete.
779
780
781
782
783
784
785
786
787
    - Make the log message less scary when all the dirservers are
      temporarily unreachable.
    - When tor_socketpair() fails in Windows, give a reasonable
      Windows-style errno back.
    - Improve tor_gettimeofday() granularity on windows.
    - We were printing the number of idle dns workers incorrectly when
      culling them.
    - Handle duplicate lines in approved-routers files without warning.
    - We were whining about using socks4 or socks5-with-local-lookup
788
789
      even when it's an IP address in the "virtual" range we designed
      exactly for this case.
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
    - Check for named servers when looking them up by nickname;
      warn when we're calling a non-named server by its nickname;
      don't warn twice about the same name.
    - Downgrade the dirserver log messages when whining about
      unreachability.
    - Correct "your server is reachable" log entries to indicate that
      it was self-testing that told us so.
    - If we're trying to be a Tor server and running Windows 95/98/ME
      as a server, explain that we'll likely crash.
    - Provide a more useful warn message when our onion queue gets full:
      the CPU is too slow or the exit policy is too liberal.
    - Don't warn when we receive a 503 from a dirserver/cache -- this
      will pave the way for them being able to refuse if they're busy.
    - When we fail to bind a listener, try to provide a more useful
      log message: e.g., "Is Tor already running?"
    - Only start testing reachability once we've established a
      circuit. This will make startup on dir authorities less noisy.
    - Don't try to upload hidden service descriptors until we have
      established a circuit.
    - Tor didn't warn when it failed to open a log file.
    - Warn when listening on a public address for socks. We suspect a
      lot of people are setting themselves up as open socks proxies,
      and they have no idea that jerks on the Internet are using them,
      since they simply proxy the traffic into the Tor network.
    - Give a useful message when people run Tor as the wrong user,
      rather than telling them to start chowning random directories.
    - Fix a harmless bug that was causing Tor servers to log
      "Got an end because of misc error, but we're not an AP. Closing."
    - Fix wrong log message when you add a "HiddenServiceNodes" config
      line without any HiddenServiceDir line (reported by Chris Thomas).
820
821
822
    - Directory authorities now stop whining so loudly about bad
      descriptors that they fetch from other dirservers. So when there's
      a log complaint, it's for sure from a freshly uploaded descriptor.
823
824
825
826
827
828
829
830
831
832
833
834
835
    - When logging via syslog, include the pid whenever we provide
      a log entry. Suggested by Todd Fries.
    - When we're shutting down and we do something like try to post a
      server descriptor or rendezvous descriptor, don't complain that
      we seem to be unreachable. Of course we are, we're shutting down.
    - Change log line for unreachability to explicitly suggest /etc/hosts
      as the culprit. Also make it clearer what IP address and ports we're
      testing for reachability.
    - Put quotes around user-supplied strings when logging so users are
      more likely to realize if they add bad characters (like quotes)
      to the torrc.
    - NT service patch from Matt Edman to improve error messages on Win32.

836

837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
Changes in version 0.1.0.17 - 2006-02-17
  o Crash bugfixes on 0.1.0.x:
    - When servers with a non-zero DirPort came out of hibernation,
      sometimes they would trigger an assert.

  o Other important bugfixes:
    - On platforms that don't have getrlimit (like Windows), we were
      artificially constraining ourselves to a max of 1024
      connections. Now just assume that we can handle as many as 15000
      connections. Hopefully this won't cause other problems.

  o Backported features:
    - When we're a server, a client asks for an old-style directory,
      and our write bucket is empty, don't give it to him. This way
      small servers can continue to serve the directory *sometimes*,
      without getting overloaded.
    - Whenever you get a 503 in response to a directory fetch, try
      once more. This will become important once servers start sending
      503's whenever they feel busy.
    - Fetch a new directory every 120 minutes, not every 40 minutes.
      Now that we have hundreds of thousands of users running the old
      directory algorithm, it's starting to hurt a lot.
    - Bump up the period for forcing a hidden service descriptor upload
      from 20 minutes to 1 hour.


863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
Changes in version 0.1.0.16 - 2006-01-02
  o Crash bugfixes on 0.1.0.x:
    - On Windows, build with a libevent patch from "I-M Weasel" to avoid
      corrupting the heap, losing FDs, or crashing when we need to resize
      the fd_sets. (This affects the Win32 binaries, not Tor's sources.)
    - It turns out sparc64 platforms crash on unaligned memory access
      too -- so detect and avoid this.
    - Handle truncated compressed data correctly (by detecting it and
      giving an error).
    - Fix possible-but-unlikely free(NULL) in control.c.
    - When we were closing connections, there was a rare case that
      stomped on memory, triggering seg faults and asserts.
    - Avoid potential infinite recursion when building a descriptor. (We
      don't know that it ever happened, but better to fix it anyway.)
    - We were neglecting to unlink marked circuits from soon-to-close OR
      connections, which caused some rare scribbling on freed memory.
    - Fix a memory stomping race bug when closing the joining point of two
      rendezvous circuits.
    - Fix an assert in time parsing found by Steven Murdoch.

  o Other bugfixes on 0.1.0.x:
    - When we're doing reachability testing, provide more useful log
      messages so the operator knows what to expect.
    - Do not check whether DirPort is reachable when we are suppressing
      advertising it because of hibernation.
    - When building with -static or on Solaris, we sometimes needed -ldl.
    - One of the dirservers (tor26) changed its IP address.
    - When we're deciding whether a stream has enough circuits around
      that can handle it, count the freshly dirty ones and not the ones
      that are so dirty they won't be able to handle it.
    - When we're expiring old circuits, we had a logic error that caused
      us to close new rendezvous circuits rather than old ones.
    - Give a more helpful log message when you try to change ORPort via
      the controller: you should upgrade Tor if you want that to work.
    - We were failing to parse Tor versions that start with "Tor ".
    - Tolerate faulty streams better: when a stream fails for reason
      exitpolicy, stop assuming that the router is lying about his exit
      policy. When a stream fails for reason misc, allow it to retry just
      as if it was resolvefailed. When a stream has failed three times,
      reset its failure count so we can try again and get all three tries.


905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
Changes in version 0.1.0.15 - 2005-09-23
  o Bugfixes on 0.1.0.x:
    - Reject ports 465 and 587 (spam targets) in default exit policy.
    - Don't crash when we don't have any spare file descriptors and we
      try to spawn a dns or cpu worker.
    - Get rid of IgnoreVersion undocumented config option, and make us
      only warn, never exit, when we're running an obsolete version.
    - Don't try to print a null string when your server finds itself to
      be unreachable and the Address config option is empty.
    - Make the numbers in read-history and write-history into uint64s,
      so they don't overflow and publish negatives in the descriptor.
    - Fix a minor memory leak in smartlist_string_remove().
    - We were only allowing ourselves to upload a server descriptor at
      most every 20 minutes, even if it changed earlier than that.
    - Clean up log entries that pointed to old URLs.


922
923
Changes in version 0.1.0.14 - 2005-08-08
  o Bugfixes on 0.1.0.x:
924
925
      - Fix the other half of the bug with crypto handshakes
        (CVE-2005-2643).
926
927
928
929
      - Fix an assert trigger if you send a 'signal term' via the
        controller when it's listening for 'event info' messages.


930
931
932
933
934
935
936
937
Changes in version 0.1.0.13 - 2005-08-04
  o Bugfixes on 0.1.0.x:
    - Fix a critical bug in the security of our crypto handshakes.
    - Fix a size_t underflow in smartlist_join_strings2() that made
      it do bad things when you hand it an empty smartlist.
    - Fix Windows installer to ship Tor license (thanks to Aphex for
      pointing out this oversight) and put a link to the doc directory
      in the start menu.
Roger Dingledine's avatar
Roger Dingledine committed
938
939
940
    - Explicitly set no-unaligned-access for sparc: it turns out the
      new gcc's let you compile broken code, but that doesn't make it
      not-broken.
941
942


943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
Changes in version 0.1.0.12 - 2005-07-18
  o New directory servers:
      - tor26 has changed IP address.

  o Bugfixes on 0.1.0.x:
    - Fix a possible double-free in tor_gzip_uncompress().
    - When --disable-threads is set, do not search for or link against
      pthreads libraries.
    - Don't trigger an assert if an authoritative directory server
      claims its dirport is 0.
    - Fix bug with removing Tor as an NT service: some people were
      getting "The service did not return an error." Thanks to Matt
      Edman for the fix.


958
959
960
961
962
963
964
965
966
967
Changes in version 0.1.0.11 - 2005-06-30
  o Bugfixes on 0.1.0.x:
    - Fix major security bug: servers were disregarding their
      exit policies if clients behaved unexpectedly.
    - Make OS X init script check for missing argument, so we don't
      confuse users who invoke it incorrectly.
    - Fix a seg fault in "tor --hash-password foo".
    - The MAPADDRESS control command was broken.


968
Changes in version 0.1.0.10 - 2005-06-14
969
970
971
972
973
974
975
976
977
978
979
  o Fixes on Win32:
    - Make NT services work and start on startup on Win32 (based on
      patch by Matt Edman). See the FAQ entry for details.
    - Make 'platform' string in descriptor more accurate for Win32
      servers, so it's not just "unknown platform".
    - REUSEADDR on normal platforms means you can rebind to the port
      right after somebody else has let it go. But REUSEADDR on Win32
      means you can bind to the port _even when somebody else already
      has it bound_! So, don't do that on Win32.
    - Clean up the log messages when starting on Win32 with no config
      file.
980
981
    - Allow seeding the RNG on Win32 even when you're not running as
      Administrator. If seeding the RNG on Win32 fails, quit.
982

983
984
985
  o Assert / crash bugs:
    - Refuse relay cells that claim to have a length larger than the
      maximum allowed. This prevents a potential attack that could read
986
987
      arbitrary memory (e.g. keys) from an exit server's process
      (CVE-2005-2050).
988
989
990
991
992
    - If unofficial Tor clients connect and send weird TLS certs, our
      Tor server triggers an assert. Stop asserting, and start handling
      TLS errors better in other situations too.
    - Fix a race condition that can trigger an assert when we have a
      pending create cell and an OR connection attempt fails.
993

994
995
996
997
998
999
1000
  o Resource leaks:
    - Use pthreads for worker processes rather than forking. This was
      forced because when we forked, we ended up wasting a lot of
      duplicate ram over time.
      - Also switch to foo_r versions of some library calls to allow
        reentry and threadsafeness.
      - Implement --disable-threads configure option. Disable threads on