Changes in version 0.2.1.8-alpha - 2008-??-??
  o Major bugfixes:
    - Fix a DOS opportunity during the voting signature collection process
      at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x.

  o Minor bugfixes:
    - Get file locking working on win32.  Bugfix on 0.2.1.6-alpha.  Fixes
      bug 859.
    - Made Tor a little less aggressive about deleting expired certificates.
      Partial fix for bug 854.
    - Stop doing unaligned memory access that generated bus errors on
      sparc64.  Fix for bug 862.

  o Minor features (controller):
    - Return circuit purposes in response to GETINFO circuit-status.  Fixes
      bug 858.

Changes in version 0.2.1.7-alpha - 2008-11-08
  o Security fixes:
    - The "ClientDNSRejectInternalAddresses" config option wasn't being
      consistently obeyed: if an exit relay refuses a stream because its
      exit policy doesn't allow it, we would remember what IP address
      the relay said the destination address resolves to, even if it's
      an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
    - The "User" and "Group" config options did not clear the
      supplementary group entries for the Tor process. The "User" option
      is now more robust, and we now set the groups to the specified
      user's primary group. The "Group" option is now ignored. For more
      detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
      in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
      and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848.
    - Do not use or believe expired v3 authority certificates. Patch
      from Karsten. Bugfix in 0.2.0.x. Fixes bug 851.

  o Minor features:
    - Now NodeFamily and MyFamily config options allow spaces in
      identity fingerprints, so it's easier to paste them in.
      Suggested by Lucky Green.
    - Implement the 0x20 hack to better resist DNS poisoning: set the
      case on outgoing DNS requests randomly, and reject responses that do
      not match the case correctly. This logic can be disabled with the
      ServerDNSRandomizeCase setting, if you are using one of the 0.3%
      of servers that do not reliably preserve case in replies. See
      "Increased DNS Forgery Resistance through 0x20-Bit Encoding"
      for more info.
    - Preserve case in replies to DNSPort requests in order to support
      the 0x20 hack for resisting DNS poisoning attacks.
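
The 0x20 check from the two entries above, as an added example (not code from Tor): the function names are hypothetical, names are handled in dotted text form rather than wire format, and `randomize_case` models the case-randomization setting the entry mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* How the name echoed in a reply compares with the name we sent. */
enum dns0x20_verdict {
    DNS0X20_MATCH = 0,      /* byte-for-byte identical */
    DNS0X20_CASE_MISMATCH,  /* same name, different letter case */
    DNS0X20_NAME_MISMATCH   /* a different name altogether */
};

/* ASCII-only letter test; locale-dependent ctype is deliberately avoided. */
static int is_ascii_letter(unsigned char c)
{
    c |= 0x20;
    return c >= 'a' && c <= 'z';
}

/* Set the case of every letter in `name` from successive bits of `rnd`
 * (LSB first, bit set = upper case). Returns the number of letters encoded,
 * which is the entropy added in bits, or -1 (name untouched) if `rnd` is
 * too short to cover every letter. */
int dns0x20_encode(char *name, const uint8_t *rnd, size_t rnd_len)
{
    size_t letters = 0, i = 0;
    for (const char *p = name; *p; ++p)
        letters += (size_t)is_ascii_letter((unsigned char)*p);
    if (letters > rnd_len * 8)
        return -1;
    for (char *p = name; *p; ++p) {
        unsigned char c = (unsigned char)*p;
        if (!is_ascii_letter(c))
            continue;
        int bit = (rnd[i / 8] >> (i % 8)) & 1;
        *p = (char)(bit ? (c & ~0x20u) : (c | 0x20u));
        ++i;
    }
    return (int)letters;
}

/* Case-insensitive equality restricted to ASCII letters. */
static int ascii_caseless_equal(const char *a, const char *b)
{
    for (; *a && *b; ++a, ++b) {
        unsigned char x = (unsigned char)*a, y = (unsigned char)*b;
        if (x == y)
            continue;
        if (!is_ascii_letter(x) || (x | 0x20) != (y | 0x20))
            return 0;
    }
    return *a == *b;
}

enum dns0x20_verdict dns0x20_compare(const char *sent, const char *reply)
{
    if (strcmp(sent, reply) == 0)
        return DNS0X20_MATCH;
    if (ascii_caseless_equal(sent, reply))
        return DNS0X20_CASE_MISMATCH;
    return DNS0X20_NAME_MISMATCH;
}

/* With randomization on, only an exact echo is accepted. With it off (for
 * resolvers that do not preserve case) a case-only difference is tolerated. */
int dns0x20_accept(const char *sent, const char *reply, int randomize_case)
{
    enum dns0x20_verdict v = dns0x20_compare(sent, reply);
    return v == DNS0X20_MATCH ||
           (!randomize_case && v == DNS0X20_CASE_MISMATCH);
}

/* Case bits must be unpredictable to an off-path forger. */
static int fill_random(uint8_t *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t n = f ? fread(buf, 1, len, f) : 0;
    if (f)
        fclose(f);
    return n == len ? 0 : -1;
}

int main(void)
{
    char qname[] = "www.example.com"; /* constructed sample name */
    uint8_t rnd[8];
    if (fill_random(rnd, sizeof rnd) != 0 ||
        dns0x20_encode(qname, rnd, sizeof rnd) < 0)
        return 1;
    printf("query name sent:       %s\n", qname);
    printf("echoed reply accepted: %d\n", dns0x20_accept(qname, qname, 1));
    /* A reply that guessed all-lowercase passes only if every random bit
     * happened to be zero. */
    printf("lowercase reply:       %d\n",
           dns0x20_accept(qname, "www.example.com", 1));
    return 0;
}
```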

  o Hidden service performance improvements:
    - When the client launches an introduction circuit, retry with a
      new circuit after 30 seconds rather than 60 seconds.
    - Launch a second client-side introduction circuit in parallel
      after a delay of 15 seconds (based on work by Christian Wilms).
    - Hidden services start out building five intro circuits rather
      than three, and when the first three finish they publish a service
      descriptor using those. Now we publish our service descriptor much
      faster after restart.

  o Minor bugfixes:
    - Minor fix in the warning messages when you're having problems
      bootstrapping; also, be more forgiving of bootstrap problems when
      we're still making incremental progress on a given bootstrap phase.
    - When we're choosing an exit node for a circuit, and we have
      no pending streams, choose a good general exit rather than one that
      supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv.
    - Send a valid END cell back when a client tries to connect to a
      nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
      840. Patch from rovv.
    - If a broken client asks a non-exit router to connect somewhere,
      do not even do the DNS lookup before rejecting the connection.
      Fixes another case of bug 619. Patch from rovv.
    - Fix another case of assuming, when a specific exit is requested,
      that we know more than the user about what hosts it allows.
      Fixes another case of bug 752. Patch from rovv.
    - Check which hops rendezvous stream cells are associated with to
      prevent possible guess-the-streamid injection attacks from
      intermediate hops. Fixes another case of bug 446. Based on patch
      from rovv.
    - Avoid using a negative right-shift when comparing 32-bit
      addresses. Possible fix for bug 845 and bug 811.
    - Make the assert_circuit_ok() function work correctly on circuits that
      have already been marked for close.
    - Fix read-off-the-end-of-string error in unit tests when decoding
      introduction points.
    - Fix uninitialized size field for memory area allocation: may improve
      memory performance during directory parsing.
    - Treat duplicate certificate fetches as failures, so that we do
      not try to re-fetch an expired certificate over and over and over.
    - Do not say we're fetching a certificate when we'll in fact skip it
      because of a pending download.


Changes in version 0.2.1.6-alpha - 2008-09-30
  Tor 0.2.1.6-alpha further improves performance and robustness of
  hidden services, starts work on supporting per-country relay selection,
  and fixes a variety of smaller issues.

  o Major features:
    - Implement proposal 121: make it possible to build hidden services
      that only certain clients are allowed to connect to. This is
      enforced at several points, so that unauthorized clients are unable
      to send INTRODUCE cells to the service, or even (depending on the
      type of authentication) to learn introduction points. This feature
      raises the bar for certain kinds of active attacks against hidden
      services. Code by Karsten Loesing.
    - Relays now store and serve v2 hidden service descriptors by default,
      i.e., the new default value for HidServDirectoryV2 is 1. This is
      the last step in proposal 114, which aims to make hidden service
      lookups more reliable.
    - Start work to allow node restrictions to include country codes. The
      syntax to exclude nodes in a country with country code XX is
      "ExcludeNodes {XX}". Patch from Robert Hogan. It still needs some
      refinement to decide what config options should take priority if
      you ask to both use a particular node and exclude it.
    - Allow ExitNodes list to include IP ranges and country codes, just
      like the Exclude*Nodes lists. Patch from Robert Hogan.

  o Major bugfixes:
    - Fix a bug when parsing ports in tor_addr_port_parse() that caused
      Tor to fail to start if you had it configured to use a bridge
      relay. Fixes bug 809. Bugfix on 0.2.1.5-alpha.
    - When extending a circuit to a hidden service directory to upload a
      rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
      requests failed, because the router descriptor had not been
      downloaded yet. In these cases, we now wait until the router
      descriptor is downloaded, and then retry. Likewise, clients
      now skip over a hidden service directory if they don't yet have
      its router descriptor, rather than futilely requesting it and
      putting mysterious complaints in the logs. Fixes bug 767. Bugfix
      on 0.2.0.10-alpha.
    - When fetching v0 and v2 rendezvous service descriptors in parallel,
      we were failing the whole hidden service request when the v0
      descriptor fetch fails, even if the v2 fetch is still pending and
      might succeed. Similarly, if the last v2 fetch fails, we were
      failing the whole hidden service request even if a v0 fetch is
      still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
    - DNS replies need to have names matching their requests, but
      these names should be in the questions section, not necessarily
      in the answers section. Fixes bug 823. Bugfix on 0.2.1.5-alpha.

  o Minor features:
    - Update to the "September 1 2008" ip-to-country file.
    - Allow ports 465 and 587 in the default exit policy again. We had
      rejected them in 0.1.0.15, because back in 2005 they were commonly
      misconfigured and ended up as spam targets. We hear they are better
      locked down these days.
    - Use a lockfile to make sure that two Tor processes are not
      simultaneously running with the same datadir.
    - Serve the latest v3 networkstatus consensus via the control
      port. Use "getinfo dir/status-vote/current/consensus" to fetch it.
    - Better logging about stability/reliability calculations on directory
      servers.
    - Drop the requirement to have an open dir port for storing and
      serving v2 hidden service descriptors.
    - Directory authorities now serve a /tor/dbg-stability.txt URL to
      help debug WFU and MTBF calculations.
    - Implement most of Proposal 152: allow specialized servers to permit
      single-hop circuits, and clients to use those servers to build
      single-hop circuits when using a specialized controller. Patch
      from Josh Albrecht. Resolves feature request 768.
    - Add a -p option to tor-resolve for specifying the SOCKS port: some
      people find host:port too confusing.
    - Make TrackHostExit mappings expire a while after their last use, not
      after their creation. Patch from Robert Hogan.
    - Provide circuit purposes along with circuit events to the controller.

  o Minor bugfixes:
    - Fix compile on OpenBSD 4.4-current. Bugfix on 0.2.1.5-alpha.
      Reported by Tas.
    - Fixed some memory leaks -- some quite frequent, some almost
      impossible to trigger -- based on results from Coverity.
    - When testing for libevent functions, set the LDFLAGS variable
      correctly. Found by Riastradh.
    - Fix an assertion bug in parsing policy-related options; possible fix
      for bug 811.
    - Catch and report a few more bootstrapping failure cases when Tor
      fails to establish a TCP connection. Cleanup on 0.2.1.x.
    - Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
      bootstrapping with tunneled directory connections. Bugfix on
      0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
    - When asked to connect to A.B.exit:80, if we don't know the IP for A
      and we know that server B rejects most-but-not all connections to
      port 80, we would previously reject the connection. Now, we assume
      the user knows what they were asking for. Fixes bug 752. Bugfix
      on 0.0.9rc5. Diagnosed by BarkerJr.
    - If we are not using BEGIN_DIR cells, don't attempt to contact hidden
      service directories if they have no advertised dir port. Bugfix
      on 0.2.0.10-alpha.
    - If we overrun our per-second write limits a little, count this as
      having used up our write allocation for the second, and choke
      outgoing directory writes. Previously, we had only counted this when
      we had met our limits precisely. Fixes bug 824. Patch by rovv.
      Bugfix on 0.2.0.x (??).
    - Avoid a "0 divided by 0" calculation when calculating router uptime
      at directory authorities. Bugfix on 0.2.0.8-alpha.
    - Make DNS resolved controller events into "CLOSED", not
      "FAILED". Bugfix on 0.1.2.5-alpha. Fix by Robert Hogan. Resolves
      bug 807.
    - Fix a bug where an unreachable relay would establish enough
      reachability testing circuits to do a bandwidth test -- if
      we already have a connection to the middle hop of the testing
      circuit, then it could establish the last hop by using the existing
      connection. Bugfix on 0.1.2.2-alpha, exposed when we made testing
      circuits no longer use entry guards in 0.2.1.3-alpha.
    - If we have correct permissions on $datadir, we complain to stdout
      and fail to start. But dangerous permissions on
      $datadir/cached-status/ would cause us to open a log and complain
      there. Now complain to stdout and fail to start in both cases. Fixes
      bug 820, reported by seeess.
    - Remove the old v2 directory authority 'lefkada' from the default
      list. It has been gone for many months.

  o Code simplifications and refactoring:
    - Revise the connection_new functions so that a more typesafe variant
      exists. This will work better with Coverity, and let us find any
      actual mistakes we're making here.
    - Refactor unit testing logic so that dmalloc can be used sensibly
      with unit tests to check for memory leaks.
    - Move all hidden-service related fields from connection and circuit
      structure to substructures: this way they won't eat so much memory.


Changes in version 0.2.0.31 - 2008-09-03
  Tor 0.2.0.31 addresses two potential anonymity issues, starts to fix
  a big bug we're seeing where in rare cases traffic from one Tor stream
  gets mixed into another stream, and fixes a variety of smaller issues.

  o Major bugfixes:
    - Make sure that two circuits can never exist on the same connection
      with the same circuit ID, even if one is marked for close. This
      is conceivably a bugfix for bug 779. Bugfix on 0.1.0.4-rc.
    - Relays now reject risky extend cells: if the extend cell includes
      a digest of all zeroes, or asks to extend back to the relay that
      sent the extend cell, tear down the circuit. Ideas suggested
      by rovv.
    - If not enough of our entry guards are available so we add a new
      one, we might use the new one even if it overlapped with the
      current circuit's exit relay (or its family). Anonymity bugfix
      pointed out by rovv.

  o Minor bugfixes:
    - Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
      794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
    - Correctly detect the presence of the linux/netfilter_ipv4.h header
      when building against recent kernels. Bugfix on 0.1.2.1-alpha.
    - Pick size of default geoip filename string correctly on windows.
      Fixes bug 806. Bugfix on 0.2.0.30.
    - Make the autoconf script accept the obsolete --with-ssl-dir
      option as an alias for the actually-working --with-openssl-dir
      option. Fix the help documentation to recommend --with-openssl-dir.
      Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.
    - Disallow session resumption attempts during the renegotiation
      stage of the v2 handshake protocol. Clients should never be trying
      session resumption at this point, but apparently some did, in
      ways that caused the handshake to fail. Bug found by Geoff Goodell.
      Bugfix on 0.2.0.20-rc.
    - When using the TransPort option on OpenBSD, and using the User
      option to change UID and drop privileges, make sure to open
      /dev/pf before dropping privileges. Fixes bug 782. Patch from
      Christopher Davis. Bugfix on 0.1.2.1-alpha.
    - Try to attach connections immediately upon receiving a RENDEZVOUS2
      or RENDEZVOUS_ESTABLISHED cell. This can save a second or two
      on the client side when connecting to a hidden service. Bugfix
      on 0.0.6pre1. Found and fixed by Christian Wilms; resolves bug 743.
    - When closing an application-side connection because its circuit is
      getting torn down, generate the stream event correctly. Bugfix on
      0.1.2.x. Anonymous patch.


Changes in version 0.2.1.5-alpha - 2008-08-31
  Tor 0.2.1.5-alpha moves us closer to handling IPv6 destinations, puts
  in a lot of the infrastructure for adding authorization to hidden
  services, lays the groundwork for having clients read their load
  balancing information out of the networkstatus consensus rather than
  the individual router descriptors, addresses two potential anonymity
  issues, and fixes a variety of smaller issues.

  o Major features:
    - Convert many internal address representations to optionally hold
      IPv6 addresses.
    - Generate and accept IPv6 addresses in many protocol elements.
    - Make resolver code handle nameservers located at ipv6 addresses.
    - Begin implementation of proposal 121 ("Client authorization for
      hidden services"): configure hidden services with client
      authorization, publish descriptors for them, and configure
      authorization data for hidden services at clients. The next
      step is to actually access hidden services that perform client
      authorization.
    - More progress toward proposal 141: Network status consensus
      documents and votes now contain bandwidth information for each
      router and a summary of that router's exit policy. Eventually this
      will be used by clients so that they do not have to download every
      known descriptor before building circuits.

  o Major bugfixes (on 0.2.0.x and before):
    - When sending CREATED cells back for a given circuit, use a 64-bit
      connection ID to find the right connection, rather than an addr:port
      combination. Now that we can have multiple OR connections between
      the same ORs, it is no longer possible to use addr:port to uniquely
      identify a connection.
    - Relays now reject risky extend cells: if the extend cell includes
      a digest of all zeroes, or asks to extend back to the relay that
      sent the extend cell, tear down the circuit. Ideas suggested
      by rovv.
    - If not enough of our entry guards are available so we add a new
      one, we might use the new one even if it overlapped with the
      current circuit's exit relay (or its family). Anonymity bugfix
      pointed out by rovv.

  o Minor bugfixes:
    - Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
      794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
    - When using the TransPort option on OpenBSD, and using the User
      option to change UID and drop privileges, make sure to open /dev/pf
      before dropping privileges. Fixes bug 782. Patch from Christopher
      Davis. Bugfix on 0.1.2.1-alpha.
    - Correctly detect the presence of the linux/netfilter_ipv4.h header
      when building against recent kernels. Bugfix on 0.1.2.1-alpha.
    - Add a missing safe_str() call for a debug log message.
    - Use 64 bits instead of 32 bits for connection identifiers used with
      the controller protocol, to greatly reduce risk of identifier reuse.
    - Make the autoconf script accept the obsolete --with-ssl-dir
      option as an alias for the actually-working --with-openssl-dir
      option. Fix the help documentation to recommend --with-openssl-dir.
      Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.

  o Minor features:
    - Rate-limit too-many-sockets messages: when they happen, they happen
      a lot. Resolves bug 748.
    - Resist DNS poisoning a little better by making sure that names in
      answer sections match.
    - Print the SOCKS5 error message string as well as the error code
      when a tor-resolve request fails. Patch from Jacob.


Changes in version 0.2.1.4-alpha - 2008-08-04
  Tor 0.2.1.4-alpha fixes a pair of crash bugs in 0.2.1.3-alpha.

  o Major bugfixes:
    - The address part of exit policies was not correctly written
      to router descriptors. This generated router descriptors that failed
      their self-checks. Noticed by phobos, fixed by Karsten. Bugfix
      on 0.2.1.3-alpha.
    - Tor triggered a false assert when extending a circuit to a relay
      but we already have a connection open to that relay. Noticed by
      phobos, fixed by Karsten. Bugfix on 0.2.1.3-alpha.

  o Minor bugfixes:
    - Fix a hidden service logging bug: in some edge cases, the router
      descriptor of a previously picked introduction point becomes
      obsolete and we need to give up on it rather than continually
      complaining that it has become obsolete. Observed by xiando. Bugfix
      on 0.2.1.3-alpha.

  o Removed features:
    - Take out the TestVia config option, since it was a workaround for
      a bug that was fixed in Tor 0.1.1.21.


Changes in version 0.2.1.3-alpha - 2008-08-03
  Tor 0.2.1.3-alpha implements most of the pieces to prevent
  infinite-length circuit attacks (see proposal 110); fixes a bug that
  might cause exit relays to corrupt streams they send back; allows
  address patterns (e.g. 255.128.0.0/16) to appear in ExcludeNodes and
  ExcludeExitNodes config options; and fixes a big pile of bugs.

  o Bootstrapping bugfixes (on 0.2.1.x-alpha):
    - Send a bootstrap problem "warn" event on the first problem if the
      reason is NO_ROUTE (that is, our network is down).

  o Major features:
    - Implement most of proposal 110: The first K cells to be sent
      along a circuit are marked as special "early" cells; only K "early"
      cells will be allowed. Once this code is universal, we can block
      certain kinds of DOS attack by requiring that EXTEND commands must
      be sent using an "early" cell.

  o Major bugfixes:
    - Try to attach connections immediately upon receiving a RENDEZVOUS2
      or RENDEZVOUS_ESTABLISHED cell. This can save a second or two
      on the client side when connecting to a hidden service. Bugfix
      on 0.0.6pre1. Found and fixed by Christian Wilms; resolves bug 743.
    - Ensure that two circuits can never exist on the same connection
      with the same circuit ID, even if one is marked for close. This
      is conceivably a bugfix for bug 779; fixes a bug on 0.1.0.4-rc.

  o Minor features:
    - When relays do their initial bandwidth measurement, don't limit
      to just our entry guards for the test circuits. Otherwise we tend
      to have multiple test circuits going through a single entry guard,
      which makes our bandwidth test less accurate. Fixes part of bug 654;
      patch contributed by Josh Albrecht.
    - Add an ExcludeExitNodes option so users can list a set of nodes
      that should be excluded from the exit node position, but
      allowed elsewhere. Implements proposal 151.
    - Allow address patterns (e.g., 255.128.0.0/16) to appear in
      ExcludeNodes and ExcludeExitNodes lists.
    - Change the implementation of ExcludeNodes and ExcludeExitNodes to
      be more efficient. Formerly it was quadratic in the number of
      servers; now it should be linear. Fixes bug 509.
    - Save 16-22 bytes per open circuit by moving the n_addr, n_port,
      and n_conn_id_digest fields into a separate structure that's
      only needed when the circuit has not yet attached to an n_conn.

  o Minor bugfixes:
    - Change the contrib/tor.logrotate script so it makes the new
      logs as "_tor:_tor" rather than the default, which is generally
      "root:wheel". Fixes bug 676, reported by Serge Koksharov.
    - Stop using __attribute__((nonnull)) with GCC: it can give us useful
      warnings (occasionally), but it can also cause the compiler to
      eliminate error-checking code. Suggested by Peter Gutmann.
    - When a hidden service is giving up on an introduction point candidate
      that was not included in the last published rendezvous descriptor,
      don't reschedule publication of the next descriptor. Fixes bug 763.
      Bugfix on 0.0.9.3.
    - Mark RendNodes, RendExcludeNodes, HiddenServiceNodes, and
      HiddenServiceExcludeNodes as obsolete: they never worked properly,
      and nobody claims to be using them. Fixes bug 754. Bugfix on
      0.1.0.1-rc. Patch from Christian Wilms.
    - Fix a small alignment and memory-wasting bug on buffer chunks.
      Spotted by rovv.

  o Minor bugfixes (controller):
    - When closing an application-side connection because its circuit
      is getting torn down, generate the stream event correctly.
      Bugfix on 0.1.2.x. Anonymous patch.

  o Removed features:
    - Remove all backward-compatibility code to support relays running
      versions of Tor so old that they no longer work at all on the
      Tor network.


Changes in version 0.2.0.29-rc - 2008-07-08
  Tor 0.2.0.29-rc fixes two big bugs with using bridges, fixes more
  hidden-service performance bugs, and fixes a bunch of smaller bugs.

  o Major bugfixes:
    - If you have more than one bridge but don't know their keys,
      you would only launch a request for the descriptor of the first one
      on your list. (Tor considered launching requests for the others, but
      found that it already had a connection on the way for $0000...0000
      so it didn't open another.) Bugfix on 0.2.0.x.
    - If you have more than one bridge but don't know their keys, and the
      connection to one of the bridges failed, you would cancel all
      pending bridge connections. (After all, they all have the same
      digest.) Bugfix on 0.2.0.x.
    - When a hidden service was trying to establish an introduction point,
      and Tor had built circuits preemptively for such purposes, we
      were ignoring all the preemptive circuits and launching a new one
      instead. Bugfix on 0.2.0.14-alpha.
    - When a hidden service was trying to establish an introduction point,
      and Tor *did* manage to reuse one of the preemptively built
      circuits, it didn't correctly remember which one it used,
      so it asked for another one soon after, until there were no
      more preemptive circuits, at which point it launched one from
      scratch. Bugfix on 0.0.9.x.
    - Make directory servers include the X-Your-Address-Is: http header in
      their responses even for begin_dir conns. Now clients who only
      ever use begin_dir connections still have a way to learn their IP
      address. Fixes bug 737; bugfix on 0.2.0.22-rc. Reported by goldy.

  o Minor bugfixes:
    - Fix a macro/CPP interaction that was confusing some compilers:
      some GCCs don't like #if/#endif pairs inside macro arguments.
      Fixes bug 707.
    - Fix macro collision between OpenSSL 0.9.8h and Windows headers.
      Fixes bug 704; fix from Steven Murdoch.
    - When opening /dev/null in finish_daemonize(), do not pass the
      O_CREAT flag. Fortify was complaining, and correctly so. Fixes
      bug 742; fix from Michael Scherer. Bugfix on 0.0.2pre19.
    - Correctly detect transparent proxy support on Linux hosts that
      require in.h to be included before netfilter_ipv4.h. Patch
      from coderman.
    - Disallow session resumption attempts during the renegotiation
      stage of the v2 handshake protocol. Clients should never be trying
      session resumption at this point, but apparently some did, in
      ways that caused the handshake to fail. Bugfix on 0.2.0.20-rc. Bug
      found by Geoff Goodell.


Changes in version 0.2.1.2-alpha - 2008-06-20
  Tor 0.2.1.2-alpha includes a new "TestingTorNetwork" config option to
  make it easier to set up your own private Tor network; fixes several
  big bugs with using more than one bridge relay; fixes a big bug with
  offering hidden services quickly after Tor starts; and uses a better
  API for reporting potential bootstrapping problems to the controller.

  o Major features:
    - New TestingTorNetwork config option to allow adjustment of
      previously constant values that, while reasonable, could slow
      bootstrapping. Implements proposal 135. Patch from Karsten.

  o Major bugfixes:
    - If you have more than one bridge but don't know their digests,
      you would only launch a request for the descriptor of the first one
      on your list. (Tor considered launching requests for the others, but
      found that it already had a connection on the way for $0000...0000
      so it didn't open another.) Bugfix on 0.2.0.x.
    - If you have more than one bridge but don't know their digests,
      and the connection to one of the bridges failed, you would cancel
      all pending bridge connections. (After all, they all have the
      same digest.) Bugfix on 0.2.0.x.
    - When establishing a hidden service, introduction points that
      originate from cannibalized circuits are completely ignored and not
      included in rendezvous service descriptors. This might be another
      reason for delay in making a hidden service available. Bugfix
      from long ago (0.0.9.x?)

  o Minor features:
    - Allow OpenSSL to use dynamic locks if it wants.
    - When building a consensus, do not include routers that are down.
      This will cut down 30% to 40% on consensus size. Implements
      proposal 138.
    - In directory authorities' approved-routers files, allow
      fingerprints with or without space.
    - Add a "GETINFO /status/bootstrap-phase" controller option, so the
      controller can query our current bootstrap state in case it attaches
      partway through and wants to catch up.
    - Send an initial "Starting" bootstrap status event, so we have a
      state to start out in.

  o Minor bugfixes:
    - Asking for a conditional consensus at .../consensus/<fingerprints>
      would crash a dirserver if it did not already have a
      consensus. Bugfix on 0.2.1.1-alpha.
    - Clean up some macro/CPP interactions: some GCC versions don't like
      #if/#endif pairs inside macro arguments. Fixes bug 707. Bugfix on
      0.2.0.x.

  o Bootstrapping bugfixes (on 0.2.1.1-alpha):
    - Directory authorities shouldn't complain about bootstrapping
      problems just because they do a lot of reachability testing and
      some of the connection attempts fail.
    - Start sending "count" and "recommendation" key/value pairs in
      bootstrap problem status events, so the controller can hear about
      problems even before Tor decides they're worth reporting for sure.
    - If you're using bridges, generate "bootstrap problem" warnings
      as soon as you run out of working bridges, rather than waiting
      for ten failures -- which will never happen if you have less than
      ten bridges.
    - If we close our OR connection because there's been a circuit
      pending on it for too long, we were telling our bootstrap status
      events "REASON=NONE". Now tell them "REASON=TIMEOUT".


Changes in version 0.2.1.1-alpha - 2008-06-13
  Tor 0.2.1.1-alpha fixes a lot of memory fragmentation problems that
  were making the Tor process bloat especially on Linux; makes our TLS
  handshake blend in better; sends "bootstrap phase" status events to
  the controller, so it can keep the user informed of progress (and
  problems) fetching directory information and establishing circuits;
  and adds a variety of smaller features.

  o Major features:
    - More work on making our TLS handshake blend in: modify the list
      of ciphers advertised by OpenSSL in client mode to even more
      closely resemble a common web browser. We cheat a little so that
      we can advertise ciphers that the locally installed OpenSSL doesn't
      know about.
    - Start sending "bootstrap phase" status events to the controller,
      so it can keep the user informed of progress fetching directory
      information and establishing circuits. Also inform the controller
      if we think we're stuck at a particular bootstrap phase. Implements
      proposal 137.
    - Resume using OpenSSL's RAND_poll() for better (and more portable)
      cross-platform entropy collection again. We used to use it, then
      stopped using it because of a bug that could crash systems that
      called RAND_poll when they had a lot of fds open. It looks like the
      bug got fixed in late 2006. Our new behavior is to call RAND_poll()
      at startup, and to call RAND_poll() when we reseed later only if
      we have a non-buggy OpenSSL version.

  o Major bugfixes:
    - When we choose to abandon a new entry guard because we think our
      older ones might be better, close any circuits pending on that
      new entry guard connection. This fix should make us recover much
      faster when our network is down and then comes back. Bugfix on
      0.1.2.8-beta; found by lodger.

  o Memory fixes and improvements:
    - Add a malloc_good_size implementation to OpenBSD_malloc_linux.c,
      to avoid unused RAM in buffer chunks and memory pools.
    - Speed up parsing and cut down on memory fragmentation by using
      stack-style allocations for parsing directory objects. Previously,
      this accounted for over 40% of allocations from within Tor's code
      on a typical directory cache.
    - Use a Bloom filter rather than a digest-based set to track which
      descriptors we need to keep around when we're cleaning out old
      router descriptors. This speeds up the computation significantly,
      and may reduce fragmentation.
    - Reduce the default smartlist size from 32 to 16; it turns out that
      most smartlists hold around 8-12 elements tops.
    - Make dumpstats() log the fullness and size of openssl-internal
      buffers.
    - If the user has applied the experimental SSL_MODE_RELEASE_BUFFERS
      patch to their OpenSSL, turn it on to save memory on servers. This
      patch will (with any luck) get included in a mainline distribution
      before too long.
    - Never use OpenSSL compression: it wastes RAM and CPU trying to
      compress cells, which are basically all encrypted, compressed,
      or both.

  o Minor bugfixes:
    - Stop reloading the router list from disk for no reason when we
      run out of reachable directory mirrors. Once upon a time reloading
      it would set the 'is_running' flag back to 1 for them. It hasn't
      done that for a long time.
    - In very rare situations new hidden service descriptors were
      published earlier than 30 seconds after the last change to the
      service. (We currently think that a hidden service descriptor
      that's been stable for 30 seconds is worth publishing.)

  o Minor features:
    - Allow separate log levels to be configured for different logging
      domains. For example, this allows one to log all notices, warnings,
      or errors, plus all memory management messages of level debug or
      higher, with: Log [MM] debug-err [*] notice-err file /var/log/tor.
    - Add a couple of extra warnings to --enable-gcc-warnings for GCC 4.3,
      and stop using a warning that had become unfixably verbose under
      GCC 4.3.
    - New --hush command-line option similar to --quiet. While --quiet
      disables all logging to the console on startup, --hush limits the
      output to messages of warning and error severity.
    - Servers support a new URL scheme for consensus downloads that
      allows the client to specify which authorities are trusted.
      The server then only sends the consensus if the client will trust
      it. Otherwise a 404 error is sent back. Clients use this
      new scheme when the server supports it (meaning it's running
      0.2.1.1-alpha or later). Implements proposal 134.
    - New configure/torrc options (--enable-geoip-stats,
      DirRecordUsageByCountry) to record how many IPs we've served
      directory info to in each country code, how many status documents
      total we've sent to each country code, and what share of the total
      directory requests we should expect to see.
    - Use the TLS1 hostname extension to more closely resemble browser
      behavior.
    - Lots of new unit tests.
    - Add a macro to implement the common pattern of iterating through
      two parallel lists in lockstep.


Changes in version 0.2.0.28-rc - 2008-06-13
  Tor 0.2.0.28-rc fixes an anonymity-related bug, fixes a hidden-service
  performance bug, and fixes a bunch of smaller bugs.

  o Anonymity fixes:
    - Fix a bug where, when we were choosing the 'end stream reason' to
      put in our relay end cell that we send to the exit relay, Tor
      clients on Windows were sometimes sending the wrong 'reason'. The
      anonymity problem is that exit relays may be able to guess whether
      the client is running Windows, thus helping partition the anonymity
      set. Down the road we should stop sending reasons to exit relays,
      or otherwise prevent future versions of this bug.

  o Major bugfixes:
    - While setting up a hidden service, some valid introduction circuits
      were overlooked and abandoned. This might be the reason for
      the long delay in making a hidden service available. Bugfix on
      0.2.0.14-alpha.

  o Minor features:
    - Update to the "June 9 2008" ip-to-country file.
    - Run 'make test' as part of 'make dist', so we stop releasing so
      many development snapshots that fail their unit tests.

  o Minor bugfixes:
    - When we're checking if we have enough dir info for each relay
      to begin establishing circuits, make sure that we actually have
      the descriptor listed in the consensus, not just any descriptor.
      Bugfix on 0.1.2.x.
    - Bridge relays no longer print "xx=0" in their extrainfo document
      for every single country code in the geoip db. Bugfix on
      0.2.0.27-rc.
    - Only warn when we fail to load the geoip file if we were planning to
      include geoip stats in our extrainfo document. Bugfix on 0.2.0.27-rc.
    - If we change our MaxAdvertisedBandwidth and then reload torrc,
      Tor won't realize it should publish a new relay descriptor. Fixes
      bug 688, reported by mfr. Bugfix on 0.1.2.x.
    - When we haven't had any application requests lately, don't bother
      logging that we have expired a bunch of descriptors. Bugfix
      on 0.1.2.x.
    - Make relay cells written on a connection count as non-padding when
      tracking how long a connection has been in use. Bugfix on
      0.2.0.1-alpha. Spotted by lodger.
    - Fix unit tests in 0.2.0.27-rc.
    - Fix compile on Windows.


Changes in version 0.2.0.27-rc - 2008-06-03
  Tor 0.2.0.27-rc adds a few features we left out of the earlier
  release candidates. In particular, we now include an IP-to-country
  GeoIP database, so controllers can easily look up what country a
  given relay is in, and so bridge relays can give us some sanitized
  summaries about which countries are making use of bridges. (See proposal
  126-geoip-fetching.txt for details.)

  o Major features:
    - Include an IP-to-country GeoIP file in the tarball, so bridge
      relays can report sanitized summaries of the usage they're seeing.

  o Minor features:
    - Add a "PURPOSE=" argument to "STREAM NEW" events, as suggested by
      Robert Hogan. Fixes the first part of bug 681.
    - Make bridge authorities never serve extrainfo docs.
    - Add support to detect Libevent versions in the 1.4.x series
      on mingw.
    - Fix build on gcc 4.3 with --enable-gcc-warnings set.
    - Include a new contrib/tor-exit-notice.html file that exit relay
      operators can put on their website to help reduce abuse queries.

  o Minor bugfixes:
    - When tunneling an encrypted directory connection, and its first
      circuit fails, do not leave it unattached and ask the controller
      to deal. Fixes the second part of bug 681.
    - Make bridge authorities correctly expire old extrainfo documents
      from time to time.


Changes in version 0.2.0.26-rc - 2008-05-13
  Tor 0.2.0.26-rc fixes a major security vulnerability caused by a bug
  in Debian's OpenSSL packages. All users running any 0.2.0.x version
  should upgrade, whether they're running Debian or not.

  o Major security fixes:
    - Use new V3 directory authority keys on the tor26, gabelmoo, and
      moria1 V3 directory authorities. The old keys were generated with
      a vulnerable version of Debian's OpenSSL package, and must be
      considered compromised. Other authorities' keys were not generated
      with an affected version of OpenSSL.

  o Major bugfixes:
    - List authority signatures as "unrecognized" based on DirServer
      lines, not on cert cache. Bugfix on 0.2.0.x.

  o Minor features:
    - Add a new V3AuthUseLegacyKey option to make it easier for
      authorities to change their identity keys if they have to.


Changes in version 0.2.0.25-rc - 2008-04-23
  Tor 0.2.0.25-rc makes Tor work again on OS X and certain BSDs.

  o Major bugfixes:
    - Remember to initialize threading before initializing logging.
      Otherwise, many BSD-family implementations will crash hard on
      startup. Fixes bug 671. Bugfix on 0.2.0.24-rc.

  o Minor bugfixes:
    - Authorities correctly free policies on bad servers on
      exit. Fixes bug 672. Bugfix on 0.2.0.x.


Changes in version 0.2.0.24-rc - 2008-04-22
  Tor 0.2.0.24-rc adds dizum (run by Alex de Joode) as the new sixth
  v3 directory authority, makes relays with dynamic IP addresses and no
  DirPort notice more quickly when their IP address changes, fixes a few
  rare crashes and memory leaks, and fixes a few other miscellaneous bugs.

  o New directory authorities:
    - Take lefkada out of the list of v3 directory authorities, since
      it has been down for months.
    - Set up dizum (run by Alex de Joode) as the new sixth v3 directory
      authority.

  o Major bugfixes:
    - Detect address changes more quickly on non-directory mirror
      relays. Bugfix on 0.2.0.18-alpha; fixes bug 652.

  o Minor features (security):
    - Reject requests for reverse-dns lookup of names that are in
      a private address space. Patch from lodger.
    - Non-exit relays no longer allow DNS requests. Fixes bug 619. Patch
      from lodger.

  o Minor bugfixes (crashes):
    - Avoid a rare assert that can trigger when Tor doesn't have much
      directory information yet and it tries to fetch a v2 hidden
      service descriptor. Fixes bug 651, reported by nwf.
    - Initialize log mutex before initializing dmalloc. Otherwise,
      running with dmalloc would crash. Bugfix on 0.2.0.x-alpha.
    - Use recursive pthread mutexes in order to avoid deadlock when
      logging debug-level messages to a controller. Bug spotted by nwf,
      bugfix on 0.2.0.16-alpha.

  o Minor bugfixes (resource management):
    - Keep address policies from leaking memory: start their refcount
      at 1, not 2. Bugfix on 0.2.0.16-alpha.
    - Free authority certificates on exit, so they don't look like memory
      leaks. Bugfix on 0.2.0.19-alpha.
    - Free static hashtables for policy maps and for TLS connections on
      shutdown, so they don't look like memory leaks. Bugfix on 0.2.0.x.
    - Avoid allocating extra space when computing consensuses on 64-bit
      platforms. Bug spotted by aakova.

  o Minor bugfixes (misc):
    - Do not read the configuration file when we've only been told to
      generate a password hash. Fixes bug 643. Bugfix on 0.0.9pre5. Fix
      based on patch from Sebastian Hahn.
    - Exit relays that are used as a client can now reach themselves
      using the .exit notation, rather than just launching an infinite
      pile of circuits. Fixes bug 641. Reported by Sebastian Hahn.
    - When attempting to open a logfile fails, tell us why.
    - Fix a dumb bug that was preventing us from knowing that we should
      preemptively build circuits to handle expected directory requests.
      Fixes bug 660. Bugfix on 0.1.2.x.
    - Warn less verbosely about clock skew from netinfo cells from
      untrusted sources. Fixes bug 663.
    - Make controller stream events for DNS requests more consistent,
      by adding "new stream" events for DNS requests, and removing
      spurious "stream closed" events for cached reverse resolves.
      Patch from mwenge. Fixes bug 646.
    - Correctly notify one-hop connections when a circuit build has
      failed. Possible fix for bug 669. Found by lodger.


Changes in version 0.2.0.23-rc - 2008-03-24
  Tor 0.2.0.23-rc is the fourth release candidate for the 0.2.0 series. It
  makes bootstrapping faster if the first directory mirror you contact
  is down. The bundles also include the new Vidalia 0.1.2 release.

  o Major bugfixes:
    - When a tunneled directory request is made to a directory server
      that's down, notice after 30 seconds rather than 120 seconds. Also,
      fail any begindir streams that are pending on it, so they can
      retry elsewhere. This was causing multi-minute delays on bootstrap.


Changes in version 0.2.0.22-rc - 2008-03-18
  Tor 0.2.0.22-rc is the third release candidate for the 0.2.0 series. It
  enables encrypted directory connections by default for non-relays, fixes
  some broken TLS behavior we added in 0.2.0.20-rc, and resolves many
  other bugs. The bundles also include Vidalia 0.1.1 and Torbutton 1.1.17.

  o Major features:
    - Enable encrypted directory connections by default for non-relays,
      so censor tools that block Tor directory connections based on their
      plaintext patterns will no longer work. This means Tor works in
      certain censored countries by default again.

  o Major bugfixes:
    - Make sure servers always request certificates from clients during
      TLS renegotiation. Reported by lodger; bugfix on 0.2.0.20-rc.
    - Do not enter a CPU-eating loop when a connection is closed in
      the middle of client-side TLS renegotiation. Fixes bug 622. Bug
      diagnosed by lodger; bugfix on 0.2.0.20-rc.
    - Fix assertion failure that could occur when a blocked circuit
      became unblocked, and it had pending client DNS requests. Bugfix
      on 0.2.0.1-alpha. Fixes bug 632.

  o Minor bugfixes (on 0.1.2.x):
    - Generate "STATUS_SERVER" events rather than misspelled
      "STATUS_SEVER" events. Caught by mwenge.
    - When counting the number of bytes written on a TLS connection,
      look at the BIO actually used for writing to the network, not
      at the BIO used (sometimes) to buffer data for the network.
      Looking at different BIOs could result in write counts on the
      order of ULONG_MAX. Fixes bug 614.
    - On Windows, correctly detect errors when listing the contents of
      a directory. Fix from lodger.

  o Minor bugfixes (on 0.2.0.x):
    - Downgrade "sslv3 alert handshake failure" message to INFO.
    - If we set RelayBandwidthRate and RelayBandwidthBurst very high but
      left BandwidthRate and BandwidthBurst at the default, we would be
      silently limited by those defaults. Now raise them to match the
      RelayBandwidth* values.
    - Fix the SVK version detection logic to work correctly on a branch.
    - Make --enable-openbsd-malloc work correctly on Linux with alpha
      CPUs. Fixes bug 625.
    - Logging functions now check that the passed severity is sane.
    - Use proper log levels in the testsuite call of
      get_interface_address6().
    - When using a nonstandard malloc, do not use the platform values for
      HAVE_MALLOC_GOOD_SIZE or HAVE_MALLOC_USABLE_SIZE.
    - Make the openbsd malloc code use 8k pages on alpha CPUs and
      16k pages on ia64.
    - Detect mismatched page sizes when using --enable-openbsd-malloc.
    - Avoid double-marked-for-close warning when certain kinds of invalid
      .in-addr.arpa addresses are passed to the DNSPort. Part of a fix
      for bug 617. Bugfix on 0.2.0.1-alpha.
    - Make sure that the "NULL-means-reject *:*" convention is followed by
      all the policy manipulation functions, avoiding some possible crash
      bugs. Bug found by lodger. Bugfix on 0.2.0.16-alpha.
    - Fix the implementation of ClientDNSRejectInternalAddresses so that it
      actually works, and doesn't warn about every single reverse lookup.
      Fixes the other part of bug 617.  Bugfix on 0.2.0.1-alpha.

  o Minor features:
    - Only log guard node status when guard node status has changed.
    - Downgrade the 3 most common "INFO" messages to "DEBUG". This will
      make "INFO" 75% less verbose.


Changes in version 0.2.0.21-rc - 2008-03-02
  Tor 0.2.0.21-rc is the second release candidate for the 0.2.0 series. It
  makes Tor work well with Vidalia again, fixes a rare assert bug,
  and fixes a pair of more minor bugs. The bundles also include Vidalia
  0.1.0 and Torbutton 1.1.16.

  o Major bugfixes:
    - The control port should declare that it requires password auth
      when HashedControlSessionPassword is set too. Patch from Matt Edman;
      bugfix on 0.2.0.20-rc. Fixes bug 615.
    - Downgrade assert in connection_buckets_decrement() to a log message.
      This may help us solve bug 614, and in any case will make its
      symptoms less severe. Bugfix on 0.2.0.20-rc. Reported by fredzupy.
    - We were sometimes miscounting the number of bytes read from the
      network, causing our rate limiting to not be followed exactly.
      Bugfix on 0.2.0.16-alpha. Reported by lodger.

  o Minor bugfixes:
    - Fix compilation with OpenSSL 0.9.8 and 0.9.8a.  All other supported
      OpenSSL versions should have been working fine.  Diagnosis and patch
      from lodger, Karsten Loesing, and Sebastian Hahn.  Fixes bug 616.
      Bugfix on 0.2.0.20-rc.


Changes in version 0.2.0.20-rc - 2008-02-24
  Tor 0.2.0.20-rc is the first release candidate for the 0.2.0 series. It
  makes more progress towards normalizing Tor's TLS handshake, makes
  hidden services work better again, helps relays bootstrap if they don't
  know their IP address, adds optional support for linking in openbsd's
  allocator or tcmalloc, allows really fast relays to scale past 15000
  sockets, and fixes a bunch of minor bugs reported by Veracode.

  o Major features:
    - Enable the revised TLS handshake based on the one designed by
      Steven Murdoch in proposal 124, as revised in proposal 130. It
      includes version negotiation for OR connections as described in
      proposal 105. The new handshake is meant to be harder for censors
      to fingerprint, and it adds the ability to detect certain kinds of
      man-in-the-middle traffic analysis attacks. The version negotiation
      feature will allow us to improve Tor's link protocol more safely
      in the future.
    - Choose which bridge to use proportional to its advertised bandwidth,
      rather than uniformly at random. This should speed up Tor for
      bridge users. Also do this for people who set StrictEntryNodes.
    - When a TrackHostExits-chosen exit fails too many times in a row,
      stop using it. Bugfix on 0.1.2.x; fixes bug 437.

  o Major bugfixes:
    - Resolved problems with (re-)fetching hidden service descriptors.
      Patch from Karsten Loesing; fixes problems with 0.2.0.18-alpha
      and 0.2.0.19-alpha.
    - If we only ever used Tor for hidden service lookups or posts, we
      would stop building circuits and start refusing connections after
      24 hours, since we falsely believed that Tor was dormant. Reported
      by nwf; bugfix on 0.1.2.x.
    - Servers that don't know their own IP address should go to the
      authorities for their first directory fetch, even if their DirPort
      is off or if they don't know they're reachable yet. This will help
      them bootstrap better. Bugfix on 0.2.0.18-alpha; fixes bug 609.
    - When counting the number of open sockets, count not only the number
      of sockets we have received from the socket() call, but also
      the number we've gotten from accept() and socketpair(). This bug
      made us fail to count all sockets that we were using for incoming
      connections. Bugfix on 0.2.0.x.
    - Fix code used to find strings within buffers, when those strings
      are not in the first chunk of the buffer. Bugfix on 0.2.0.x.
    - Fix potential segfault when parsing HTTP headers. Bugfix on 0.2.0.x.
    - Add a new __HashedControlSessionPassword option for controllers
      to use for one-off session password hashes that shouldn't get
      saved to disk by SAVECONF --- Vidalia users were accumulating a
      pile of HashedControlPassword lines in their torrc files, one for
      each time they had restarted Tor and then clicked Save. Make Tor
      automatically convert "HashedControlPassword" to this new option but
      only when it's given on the command line. Partial fix for bug 586.

  o Minor features (performance):
    - Tune parameters for cell pool allocation to minimize amount of
      RAM overhead used.
    - Add OpenBSD malloc code from phk as an optional malloc
      replacement on Linux: some glibc libraries do very poorly
      with Tor's memory allocation patterns. Pass
      --enable-openbsd-malloc to get the replacement malloc code.
    - Add a --with-tcmalloc option to the configure script to link
      against tcmalloc (if present). Does not yet search for
      non-system include paths.
    - Stop imposing an arbitrary maximum on the number of file descriptors
      used for busy servers. Bug reported by Olaf Selke; patch from
      Sebastian Hahn.

  o Minor features (other):
    - When SafeLogging is disabled, log addresses along with all TLS
      errors.
    - When building with --enable-gcc-warnings, check for whether Apple's
      warning "-Wshorten-64-to-32" is available.
    - Add a --passphrase-fd argument to the tor-gencert command for
      scriptability.

  o Minor bugfixes (memory leaks and code problems):
    - We were leaking a file descriptor if Tor started with a zero-length
      cached-descriptors file. Patch by freddy77; bugfix on 0.1.2.
    - Detect size overflow in zlib code. Reported by Justin Ferguson and
      Dan Kaminsky.
    - We were comparing the raw BridgePassword entry with a base64'ed
      version of it, when handling a "/tor/networkstatus-bridges"
      directory request. Now compare correctly. Noticed by Veracode.
    - Recover from bad tracked-since value in MTBF-history file.