ChangeLog

Changes in version 0.2.1.8-alpha - 2008-??-??
  o Major bugfixes:
    - Fix a DOS opportunity during the voting signature collection process
      at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x.

  o Minor bugfixes:
    - Get file locking working on win32.  Bugfix on 0.2.1.6-alpha.  Fixes
      bug 859.
    - Made Tor a little less aggressive about deleting expired certificates.
      Partial fix for bug 854.
    - Stop doing unaligned memory access that generated bus errors on
      sparc64.  Fix for bug 862.

  o Minor features (controller):
    - Return circuit purposes in response to GETINFO circuit-status.  Fixes
      bug 858.

Changes in version 0.2.1.7-alpha - 2008-11-08
  o Security fixes:
    - The "ClientDNSRejectInternalAddresses" config option wasn't being
      consistently obeyed: if an exit relay refuses a stream because its
      exit policy doesn't allow it, we would remember what IP address
      the relay said the destination address resolves to, even if it's
      an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
    - The "User" and "Group" config options did not clear the
      supplementary group entries for the Tor process. The "User" option
      is now more robust, and we now set the groups to the specified
      user's primary group. The "Group" option is now ignored. For more
      detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
      in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
      and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848.
    - Do not use or believe expired v3 authority certificates. Patch
      from Karsten. Bugfix in 0.2.0.x. Fixes bug 851.

  o Minor features:
    - Now NodeFamily and MyFamily config options allow spaces in
      identity fingerprints, so it's easier to paste them in.
      Suggested by Lucky Green.
    - Implement the 0x20 hack to better resist DNS poisoning: set the
      case on outgoing DNS requests randomly, and reject responses that do
      not match the case correctly. This logic can be disabled with the
      ServerDNSRamdomizeCase setting, if you are using one of the 0.3%
      of servers that do not reliably preserve case in replies. See
      "Increased DNS Forgery Resistance through 0x20-Bit Encoding"
      for more info.
    - Preserve case in replies to DNSPort requests in order to support
      the 0x20 hack for resisting DNS poisoning attacks.

  o Hidden service performance improvements:
    - When the client launches an introduction circuit, retry with a
      new circuit after 30 seconds rather than 60 seconds.
    - Launch a second client-side introduction circuit in parallel
      after a delay of 15 seconds (based on work by Christian Wilms).
    - Hidden services start out building five intro circuits rather
      than three, and when the first three finish they publish a service
      descriptor using those. Now we publish our service descriptor much
      faster after restart.

  o Minor bugfixes:
    - Minor fix in the warning messages when you're having problems
      bootstrapping; also, be more forgiving of bootstrap problems when
      we're still making incremental progress on a given bootstrap phase.
    - When we're choosing an exit node for a circuit, and we have
      no pending streams, choose a good general exit rather than one that
      supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv.
    - Send a valid END cell back when a client tries to connect to a
      nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
      840. Patch from rovv.
    - If a broken client asks a non-exit router to connect somewhere,
      do not even do the DNS lookup before rejecting the connection.
      Fixes another case of bug 619. Patch from rovv.
    - Fix another case of assuming, when a specific exit is requested,
      that we know more than the user about what hosts it allows.
      Fixes another case of bug 752. Patch from rovv.
    - Check which hops rendezvous stream cells are associated with to
      prevent possible guess-the-streamid injection attacks from
      intermediate hops. Fixes another case of bug 446. Based on patch
      from rovv.
    - Avoid using a negative right-shift when comparing 32-bit
      addresses. Possible fix for bug 845 and bug 811.
    - Make the assert_circuit_ok() function work correctly on circuits that
      have already been marked for close.
    - Fix read-off-the-end-of-string error in unit tests when decoding
      introduction points.
    - Fix uninitialized size field for memory area allocation: may improve
      memory performance during directory parsing.
    - Treat duplicate certificate fetches as failures, so that we do
      not try to re-fetch an expired certificate over and over and over.
    - Do not say we're fetching a certificate when we'll in fact skip it
      because of a pending download.


Changes in version 0.2.1.6-alpha - 2008-09-30
  Tor 0.2.1.6-alpha further improves performance and robustness of
  hidden services, starts work on supporting per-country relay selection,
  and fixes a variety of smaller issues.

  o Major features:
    - Implement proposal 121: make it possible to build hidden services
      that only certain clients are allowed to connect to. This is
      enforced at several points, so that unauthorized clients are unable
      to send INTRODUCE cells to the service, or even (depending on the
      type of authentication) to learn introduction points. This feature
      raises the bar for certain kinds of active attacks against hidden
      services. Code by Karsten Loesing.
    - Relays now store and serve v2 hidden service descriptors by default,
      i.e., the new default value for HidServDirectoryV2 is 1. This is
      the last step in proposal 114, which aims to make hidden service
      lookups more reliable.
    - Start work to allow node restrictions to include country codes. The
      syntax to exclude nodes in a country with country code XX is
      "ExcludeNodes {XX}". Patch from Robert Hogan. It still needs some
      refinement to decide what config options should take priority if
      you ask to both use a particular node and exclude it.
    - Allow ExitNodes list to include IP ranges and country codes, just
      like the Exclude*Nodes lists. Patch from Robert Hogan.

  o Major bugfixes:
    - Fix a bug when parsing ports in tor_addr_port_parse() that caused
      Tor to fail to start if you had it configured to use a bridge
      relay. Fixes bug 809. Bugfix on 0.2.1.5-alpha.
    - When extending a circuit to a hidden service directory to upload a
      rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
      requests failed, because the router descriptor had not been
      downloaded yet. In these cases, we now wait until the router
      descriptor is downloaded, and then retry. Likewise, clients
      now skip over a hidden service directory if they don't yet have
      its router descriptor, rather than futilely requesting it and
      putting mysterious complaints in the logs. Fixes bug 767. Bugfix
      on 0.2.0.10-alpha.
    - When fetching v0 and v2 rendezvous service descriptors in parallel,
      we were failing the whole hidden service request when the v0
      descriptor fetch fails, even if the v2 fetch is still pending and
      might succeed. Similarly, if the last v2 fetch fails, we were
      failing the whole hidden service request even if a v0 fetch is
      still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
    - DNS replies need to have names matching their requests, but
      these names should be in the questions section, not necessarily
      in the answers section. Fixes bug 823. Bugfix on 0.2.1.5-alpha.

  o Minor features:
    - Update to the "September 1 2008" ip-to-country file.
    - Allow ports 465 and 587 in the default exit policy again. We had
      rejected them in 0.1.0.15, because back in 2005 they were commonly
      misconfigured and ended up as spam targets. We hear they are better
      locked down these days.
    - Use a lockfile to make sure that two Tor processes are not
      simultaneously running with the same datadir.
    - Serve the latest v3 networkstatus consensus via the control
      port. Use "getinfo dir/status-vote/current/consensus" to fetch it.
    - Better logging about stability/reliability calculations on directory
      servers.
    - Drop the requirement to have an open dir port for storing and
      serving v2 hidden service descriptors.
    - Directory authorities now serve a /tor/dbg-stability.txt URL to
      help debug WFU and MTBF calculations.
    - Implement most of Proposal 152: allow specialized servers to permit
      single-hop circuits, and clients to use those servers to build
      single-hop circuits when using a specialized controller. Patch
      from Josh Albrecht. Resolves feature request 768.
    - Add a -p option to tor-resolve for specifying the SOCKS port: some
      people find host:port too confusing.
    - Make TrackHostExit mappings expire a while after their last use, not
      after their creation. Patch from Robert Hogan.
    - Provide circuit purposes along with circuit events to the controller.

  o Minor bugfixes:
    - Fix compile on OpenBSD 4.4-current. Bugfix on 0.2.1.5-alpha.
      Reported by Tas.
    - Fixed some memory leaks -- some quite frequent, some almost
      impossible to trigger -- based on results from Coverity.
    - When testing for libevent functions, set the LDFLAGS variable
      correctly. Found by Riastradh.
    - Fix an assertion bug in parsing policy-related options; possible fix
      for bug 811.
    - Catch and report a few more bootstrapping failure cases when Tor
      fails to establish a TCP connection. Cleanup on 0.2.1.x.
    - Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
      bootstrapping with tunneled directory connections. Bugfix on
      0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
    - When asked to connect to A.B.exit:80, if we don't know the IP for A
      and we know that server B rejects most-but-not all connections to
      port 80, we would previously reject the connection. Now, we assume
      the user knows what they were asking for. Fixes bug 752. Bugfix
      on 0.0.9rc5. Diagnosed by BarkerJr.
    - If we are not using BEGIN_DIR cells, don't attempt to contact hidden
      service directories if they have no advertised dir port. Bugfix
      on 0.2.0.10-alpha.
    - If we overrun our per-second write limits a little, count this as
      having used up our write allocation for the second, and choke
      outgoing directory writes. Previously, we had only counted this when
      we had met our limits precisely. Fixes bug 824. Patch by rovv.
      Bugfix on 0.2.0.x (??).
    - Avoid a "0 divided by 0" calculation when calculating router uptime
      at directory authorities. Bugfix on 0.2.0.8-alpha.
    - Make DNS resolved controller events into "CLOSED", not
      "FAILED". Bugfix on 0.1.2.5-alpha. Fix by Robert Hogan. Resolves
      bug 807.
    - Fix a bug where an unreachable relay would establish enough
      reachability testing circuits to do a bandwidth test -- if
      we already have a connection to the middle hop of the testing
      circuit, then it could establish the last hop by using the existing
      connection. Bugfix on 0.1.2.2-alpha, exposed when we made testing
      circuits no longer use entry guards in 0.2.1.3-alpha.
    - If we have correct permissions on $datadir, we complain to stdout
      and fail to start. But dangerous permissions on
      $datadir/cached-status/ would cause us to open a log and complain
      there. Now complain to stdout and fail to start in both cases. Fixes
      bug 820, reported by seeess.
    - Remove the old v2 directory authority 'lefkada' from the default
      list. It has been gone for many months.

  o Code simplifications and refactoring:
    - Revise the connection_new functions so that a more typesafe variant
      exists. This will work better with Coverity, and let us find any
      actual mistakes we're making here.
    - Refactor unit testing logic so that dmalloc can be used sensibly
      with unit tests to check for memory leaks.
    - Move all hidden-service related fields from connection and circuit
      structure to substructures: this way they won't eat so much memory.


Changes in version 0.2.0.31 - 2008-09-03
  Tor 0.2.0.31 addresses two potential anonymity issues, starts to fix
  a big bug we're seeing where in rare cases traffic from one Tor stream
  gets mixed into another stream, and fixes a variety of smaller issues.

  o Major bugfixes:
    - Make sure that two circuits can never exist on the same connection
      with the same circuit ID, even if one is marked for close. This
      is conceivably a bugfix for bug 779. Bugfix on 0.1.0.4-rc.
    - Relays now reject risky extend cells: if the extend cell includes
      a digest of all zeroes, or asks to extend back to the relay that
      sent the extend cell, tear down the circuit. Ideas suggested
      by rovv.
    - If not enough of our entry guards are available so we add a new
      one, we might use the new one even if it overlapped with the
      current circuit's exit relay (or its family). Anonymity bugfix
      pointed out by rovv.

  o Minor bugfixes:
    - Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
      794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
    - Correctly detect the presence of the linux/netfilter_ipv4.h header
      when building against recent kernels. Bugfix on 0.1.2.1-alpha.
    - Pick size of default geoip filename string correctly on windows.
      Fixes bug 806. Bugfix on 0.2.0.30.
    - Make the autoconf script accept the obsolete --with-ssl-dir
      option as an alias for the actually-working --with-openssl-dir
      option. Fix the help documentation to recommend --with-openssl-dir.
      Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.
    - Disallow session resumption attempts during the renegotiation
      stage of the v2 handshake protocol. Clients should never be trying
      session resumption at this point, but apparently some did, in
      ways that caused the handshake to fail. Bug found by Geoff Goodell.
      Bugfix on 0.2.0.20-rc.
    - When using the TransPort option on OpenBSD, and using the User
      option to change UID and drop privileges, make sure to open
      /dev/pf before dropping privileges. Fixes bug 782. Patch from
      Christopher Davis. Bugfix on 0.1.2.1-alpha.
    - Try to attach connections immediately upon receiving a RENDEZVOUS2
      or RENDEZVOUS_ESTABLISHED cell. This can save a second or two
      on the client side when connecting to a hidden service. Bugfix
      on 0.0.6pre1. Found and fixed by Christian Wilms; resolves bug 743.
    - When closing an application-side connection because its circuit is
      getting torn down, generate the stream event correctly. Bugfix on
      0.1.2.x. Anonymous patch.


Changes in version 0.2.1.5-alpha - 2008-08-31
  Tor 0.2.1.5-alpha moves us closer to handling IPv6 destinations, puts
  in a lot of the infrastructure for adding authorization to hidden
  services, lays the groundwork for having clients read their load
  balancing information out of the networkstatus consensus rather than
  the individual router descriptors, addresses two potential anonymity
  issues, and fixes a variety of smaller issues.

  o Major features:
    - Convert many internal address representations to optionally hold
      IPv6 addresses.
    - Generate and accept IPv6 addresses in many protocol elements.
    - Make resolver code handle nameservers located at ipv6 addresses.
    - Begin implementation of proposal 121 ("Client authorization for
      hidden services"): configure hidden services with client
      authorization, publish descriptors for them, and configure
      authorization data for hidden services at clients. The next
      step is to actually access hidden services that perform client
      authorization.
    - More progress toward proposal 141: Network status consensus
      documents and votes now contain bandwidth information for each
      router and a summary of that router's exit policy. Eventually this
      will be used by clients so that they do not have to download every
      known descriptor before building circuits.

  o Major bugfixes (on 0.2.0.x and before):
    - When sending CREATED cells back for a given circuit, use a 64-bit
      connection ID to find the right connection, rather than an addr:port
      combination. Now that we can have multiple OR connections between
      the same ORs, it is no longer possible to use addr:port to uniquely
      identify a connection.
    - Relays now reject risky extend cells: if the extend cell includes
      a digest of all zeroes, or asks to extend back to the relay that
      sent the extend cell, tear down the circuit. Ideas suggested
      by rovv.
    - If not enough of our entry guards are available so we add a new
      one, we might use the new one even if it overlapped with the
      current circuit's exit relay (or its family). Anonymity bugfix
      pointed out by rovv.

  o Minor bugfixes:
    - Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
      794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
    - When using the TransPort option on OpenBSD, and using the User
      option to change UID and drop privileges, make sure to open /dev/pf
      before dropping privileges. Fixes bug 782. Patch from Christopher
      Davis. Bugfix on 0.1.2.1-alpha.
    - Correctly detect the presence of the linux/netfilter_ipv4.h header
      when building against recent kernels. Bugfix on 0.1.2.1-alpha.
    - Add a missing safe_str() call for a debug log message.
    - Use 64 bits instead of 32 bits for connection identifiers used with
      the controller protocol, to greatly reduce risk of identifier reuse.
    - Make the autoconf script accept the obsolete --with-ssl-dir
      option as an alias for the actually-working --with-openssl-dir
      option. Fix the help documentation to recommend --with-openssl-dir.
      Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.

  o Minor features:
    - Rate-limit too-many-sockets messages: when they happen, they happen
      a lot. Resolves bug 748.
    - Resist DNS poisoning a little better by making sure that names in
      answer sections match.
    - Print the SOCKS5 error message string as well as the error code
      when a tor-resolve request fails. Patch from Jacob.


Changes in version 0.2.1.4-alpha - 2008-08-04
  Tor 0.2.1.4-alpha fixes a pair of crash bugs in 0.2.1.3-alpha.

  o Major bugfixes:
    - The address part of exit policies was not correctly written
      to router descriptors. This generated router descriptors that failed
      their self-checks. Noticed by phobos, fixed by Karsten. Bugfix
      on 0.2.1.3-alpha.
    - Tor triggered a false assert when extending a circuit to a relay
      but we already have a connection open to that relay. Noticed by
      phobos, fixed by Karsten. Bugfix on 0.2.1.3-alpha.

  o Minor bugfixes:
    - Fix a hidden service logging bug: in some edge cases, the router
      descriptor of a previously picked introduction point becomes
      obsolete and we need to give up on it rather than continually
      complaining that it has become obsolete. Observed by xiando. Bugfix
      on 0.2.1.3-alpha.

  o Removed features:
    - Take out the TestVia config option, since it was a workaround for
      a bug that was fixed in Tor 0.1.1.21.


Changes in version 0.2.1.3-alpha - 2008-08-03
  Tor 0.2.1.3-alpha implements most of the pieces to prevent
  infinite-length circuit attacks (see proposal 110); fixes a bug that
  might cause exit relays to corrupt streams they send back; allows
  address patterns (e.g. 255.128.0.0/16) to appear in ExcludeNodes and
  ExcludeExitNodes config options; and fixes a big pile of bugs.

  o Bootstrapping bugfixes (on 0.2.1.x-alpha):
    - Send a bootstrap problem "warn" event on the first problem if the
      reason is NO_ROUTE (that is, our network is down).

  o Major features:
    - Implement most of proposal 110: The first K cells to be sent
      along a circuit are marked as special "early" cells; only K "early"
      cells will be allowed. Once this code is universal, we can block
      certain kinds of DOS attack by requiring that EXTEND commands must
      be sent using an "early" cell.

  o Major bugfixes:
    - Try to attach connections immediately upon receiving a RENDEZVOUS2
      or RENDEZVOUS_ESTABLISHED cell. This can save a second or two
      on the client side when connecting to a hidden service. Bugfix
      on 0.0.6pre1. Found and fixed by Christian Wilms; resolves bug 743.
    - Ensure that two circuits can never exist on the same connection
      with the same circuit ID, even if one is marked for close. This
      is conceivably a bugfix for bug 779; fixes a bug on 0.1.0.4-rc.

  o Minor features:
    - When relays do their initial bandwidth measurement, don't limit
      to just our entry guards for the test circuits. Otherwise we tend
      to have multiple test circuits going through a single entry guard,
      which makes our bandwidth test less accurate. Fixes part of bug 654;
      patch contributed by Josh Albrecht.
    - Add an ExcludeExitNodes option so users can list a set of nodes
      that should be be excluded from the exit node position, but
      allowed elsewhere. Implements proposal 151.
    - Allow address patterns (e.g., 255.128.0.0/16) to appear in
      ExcludeNodes and ExcludeExitNodes lists.
    - Change the implementation of ExcludeNodes and ExcludeExitNodes to
      be more efficient. Formerly it was quadratic in the number of
      servers; now it should be linear. Fixes bug 509.
    - Save 16-22 bytes per open circuit by moving the n_addr, n_port,
      and n_conn_id_digest fields into a separate structure that's
      only needed when the circuit has not yet attached to an n_conn.

  o Minor bugfixes:
    - Change the contrib/tor.logrotate script so it makes the new
      logs as "_tor:_tor" rather than the default, which is generally
      "root:wheel". Fixes bug 676, reported by Serge Koksharov.
    - Stop using __attribute__((nonnull)) with GCC: it can give us useful
      warnings (occasionally), but it can also cause the compiler to
      eliminate error-checking code. Suggested by Peter Gutmann.
    - When a hidden service is giving up on an introduction point candidate
      that was not included in the last published rendezvous descriptor,
      don't reschedule publication of the next descriptor. Fixes bug 763.
      Bugfix on 0.0.9.3.
    - Mark RendNodes, RendExcludeNodes, HiddenServiceNodes, and
      HiddenServiceExcludeNodes as obsolete: they never worked properly,
      and nobody claims to be using them. Fixes bug 754. Bugfix on
      0.1.0.1-rc. Patch from Christian Wilms.
    - Fix a small alignment and memory-wasting bug on buffer chunks.
      Spotted by rovv.

  o Minor bugfixes (controller):
    - When closing an application-side connection because its circuit
      is getting torn down, generate the stream event correctly.
      Bugfix on 0.1.2.x. Anonymous patch.

  o Removed features:
    - Remove all backward-compatibility code to support relays running
      versions of Tor so old that they no longer work at all on the
      Tor network.


Changes in version 0.2.0.29-rc - 2008-07-08
  Tor 0.2.0.29-rc fixes two big bugs with using bridges, fixes more
  hidden-service performance bugs, and fixes a bunch of smaller bugs.

  o Major bugfixes:
    - If you have more than one bridge but don't know their keys,
      you would only launch a request for the descriptor of the first one
      on your list. (Tor considered launching requests for the others, but
      found that it already had a connection on the way for $0000...0000
      so it didn't open another.) Bugfix on 0.2.0.x.
    - If you have more than one bridge but don't know their keys, and the
      connection to one of the bridges failed, you would cancel all
      pending bridge connections. (After all, they all have the same
      digest.) Bugfix on 0.2.0.x.
    - When a hidden service was trying to establish an introduction point,
      and Tor had built circuits preemptively for such purposes, we
      were ignoring all the preemptive circuits and launching a new one
      instead. Bugfix on 0.2.0.14-alpha.
    - When a hidden service was trying to establish an introduction point,
      and Tor *did* manage to reuse one of the preemptively built
      circuits, it didn't correctly remember which one it used,
      so it asked for another one soon after, until there were no
      more preemptive circuits, at which point it launched one from
      scratch. Bugfix on 0.0.9.x.
    - Make directory servers include the X-Your-Address-Is: http header in
      their responses even for begin_dir conns. Now clients who only
      ever use begin_dir connections still have a way to learn their IP
      address. Fixes bug 737; bugfix on 0.2.0.22-rc. Reported by goldy.

  o Minor bugfixes:
    - Fix a macro/CPP interaction that was confusing some compilers:
      some GCCs don't like #if/#endif pairs inside macro arguments.
      Fixes bug 707.
    - Fix macro collision between OpenSSL 0.9.8h and Windows headers.
      Fixes bug 704; fix from Steven Murdoch.
    - When opening /dev/null in finish_daemonize(), do not pass the
      O_CREAT flag. Fortify was complaining, and correctly so. Fixes
      bug 742; fix from Michael Scherer. Bugfix on 0.0.2pre19.
    - Correctly detect transparent proxy support on Linux hosts that
      require in.h to be included before netfilter_ipv4.h. Patch
      from coderman.
    - Disallow session resumption attempts during the renegotiation
      stage of the v2 handshake protocol. Clients should never be trying
      session resumption at this point, but apparently some did, in
      ways that caused the handshake to fail. Bugfix on 0.2.0.20-rc. Bug
      found by Geoff Goodell.


Changes in version 0.2.1.2-alpha - 2008-06-20
  Tor 0.2.1.2-alpha includes a new "TestingTorNetwork" config option to
  make it easier to set up your own private Tor network; fixes several
  big bugs with using more than one bridge relay; fixes a big bug with
  offering hidden services quickly after Tor starts; and uses a better
  API for reporting potential bootstrapping problems to the controller.

  o Major features:
    - New TestingTorNetwork config option to allow adjustment of
      previously constant values that, while reasonable, could slow
      bootstrapping. Implements proposal 135. Patch from Karsten.

  o Major bugfixes:
    - If you have more than one bridge but don't know their digests,
      you would only learn a request for the descriptor of the first one
      on your list. (Tor considered launching requests for the others, but
      found that it already had a connection on the way for $0000...0000
      so it didn't open another.) Bugfix on 0.2.0.x.
    - If you have more than one bridge but don't know their digests,
      and the connection to one of the bridges failed, you would cancel
      all pending bridge connections. (After all, they all have the
      same digest.) Bugfix on 0.2.0.x.
    - When establishing a hidden service, introduction points that
      originate from cannibalized circuits are completely ignored and not
      included in rendezvous service descriptors. This might be another
      reason for delay in making a hidden service available. Bugfix
      from long ago (0.0.9.x?)

  o Minor features:
    - Allow OpenSSL to use dynamic locks if it wants.
    - When building a consensus, do not include routers that are down.
      This will cut down 30% to 40% on consensus size. Implements
      proposal 138.
    - In directory authorities' approved-routers files, allow
      fingerprints with or without space.
    - Add a "GETINFO /status/bootstrap-phase" controller option, so the
      controller can query our current bootstrap state in case it attaches
      partway through and wants to catch up.
    - Send an initial "Starting" bootstrap status event, so we have a
      state to start out in.

  o Minor bugfixes:
    - Asking for a conditional consensus at .../consensus/<fingerprints>
      would crash a dirserver if it did not already have a
      consensus. Bugfix on 0.2.1.1-alpha.
    - Clean up some macro/CPP interactions: some GCC versions don't like
      #if/#endif pairs inside macro arguments. Fixes bug 707. Bugfix on
      0.2.0.x.

  o Bootstrapping bugfixes (on 0.2.1.1-alpha):
    - Directory authorities shouldn't complain about bootstrapping
      problems just because they do a lot of reachability testing and
      some of the connection attempts fail.
    - Start sending "count" and "recommendation" key/value pairs in
      bootstrap problem status events, so the controller can hear about
      problems even before Tor decides they're worth reporting for sure.
    - If you're using bridges, generate "bootstrap problem" warnings
      as soon as you run out of working bridges, rather than waiting
      for ten failures -- which will never happen if you have less than
      ten bridges.
    - If we close our OR connection because there's been a circuit
      pending on it for too long, we were telling our bootstrap status
      events "REASON=NONE". Now tell them "REASON=TIMEOUT".


Changes in version 0.2.1.1-alpha - 2008-06-13
  Tor 0.2.1.1-alpha fixes a lot of memory fragmentation problems that
  were making the Tor process bloat especially on Linux; makes our TLS
  handshake blend in better; sends "bootstrap phase" status events to
  the controller, so it can keep the user informed of progress (and
  problems) fetching directory information and establishing circuits;
  and adds a variety of smaller features.

  o Major features:
    - More work on making our TLS handshake blend in: modify the list
      of ciphers advertised by OpenSSL in client mode to even more
      closely resemble a common web browser. We cheat a little so that
      we can advertise ciphers that the locally installed OpenSSL doesn't
      know about.
    - Start sending "bootstrap phase" status events to the controller,
      so it can keep the user informed of progress fetching directory
      information and establishing circuits. Also inform the controller
      if we think we're stuck at a particular bootstrap phase. Implements
      proposal 137.
    - Resume using OpenSSL's RAND_poll() for better (and more portable)
      cross-platform entropy collection again. We used to use it, then
      stopped using it because of a bug that could crash systems that
      called RAND_poll when they had a lot of fds open. It looks like the
      bug got fixed in late 2006. Our new behavior is to call RAND_poll()
      at startup, and to call RAND_poll() when we reseed later only if
      we have a non-buggy OpenSSL version.

  o Major bugfixes:
    - When we choose to abandon a new entry guard because we think our
      older ones might be better, close any circuits pending on that
      new entry guard connection. This fix should make us recover much
      faster when our network is down and then comes back. Bugfix on
      0.1.2.8-beta; found by lodger.

  o Memory fixes and improvements:
    - Add a malloc_good_size implementation to OpenBSD_malloc_linux.c,
      to avoid unused RAM in buffer chunks and memory pools.
    - Speed up parsing and cut down on memory fragmentation by using
      stack-style allocations for parsing directory objects. Previously,
      this accounted for over 40% of allocations from within Tor's code
      on a typical directory cache.
    - Use a Bloom filter rather than a digest-based set to track which
      descriptors we need to keep around when we're cleaning out old
      router descriptors. This speeds up the computation significantly,
      and may reduce fragmentation.
    - Reduce the default smartlist size from 32 to 16; it turns out that
      most smartlists hold around 8-12 elements tops.
    - Make dumpstats() log the fullness and size of openssl-internal
      buffers.
    - If the user has applied the experimental SSL_MODE_RELEASE_BUFFERS
      patch to their OpenSSL, turn it on to save memory on servers. This
      patch will (with any luck) get included in a mainline distribution
      before too long.
    - Never use OpenSSL compression: it wastes RAM and CPU trying to
      compress cells, which are basically all encrypted, compressed,
      or both.

  o Minor bugfixes:
    - Stop reloading the router list from disk for no reason when we
      run out of reachable directory mirrors. Once upon a time reloading
      it would set the 'is_running' flag back to 1 for them. It hasn't
      done that for a long time.
    - In very rare situations new hidden service descriptors were
      published earlier than 30 seconds after the last change to the
      service. (We currently think that a hidden service descriptor
      that's been stable for 30 seconds is worth publishing.)

  o Minor features:
    - Allow separate log levels to be configured for different logging
      domains. For example, this allows one to log all notices, warnings,
      or errors, plus all memory management messages of level debug or
      higher, with: Log [MM] debug-err [*] notice-err file /var/log/tor.
    - Add a couple of extra warnings to --enable-gcc-warnings for GCC 4.3,
      and stop using a warning that had become unfixably verbose under
      GCC 4.3.
    - New --hush command-line option similar to --quiet. While --quiet
      disables all logging to the console on startup, --hush limits the
      output to messages of warning and error severity.
    - Servers support a new URL scheme for consensus downloads that
      allows the client to specify which authorities are trusted.
      The server then only sends the consensus if the client will trust
      it. Otherwise a 404 error is sent back. Clients use this
      new scheme when the server supports it (meaning it's running
      0.2.1.1-alpha or later). Implements proposal 134.
    - New configure/torrc options (--enable-geoip-stats,
      DirRecordUsageByCountry) to record how many IPs we've served
      directory info to in each country code, how many status documents
      total we've sent to each country code, and what share of the total
      directory requests we should expect to see.
    - Use the TLS1 hostname extension to more closely resemble browser
      behavior.
    - Lots of new unit tests.
    - Add a macro to implement the common pattern of iterating through
      two parallel lists in lockstep.


Changes in version 0.2.0.28-rc - 2008-06-13
  Tor 0.2.0.28-rc fixes an anonymity-related bug, fixes a hidden-service
  performance bug, and fixes a bunch of smaller bugs.

  o Anonymity fixes:
    - Fix a bug where, when we were choosing the 'end stream reason' to
      put in our relay end cell that we send to the exit relay, Tor
      clients on Windows were sometimes sending the wrong 'reason'. The
      anonymity problem is that exit relays may be able to guess whether
      the client is running Windows, thus helping partition the anonymity
      set. Down the road we should stop sending reasons to exit relays,
      or otherwise prevent future versions of this bug.

  o Major bugfixes:
    - While setting up a hidden service, some valid introduction circuits
      were overlooked and abandoned. This might be the reason for
      the long delay in making a hidden service available. Bugfix on
      0.2.0.14-alpha.

  o Minor features:
    - Update to the "June 9 2008" ip-to-country file.
    - Run 'make test' as part of 'make dist', so we stop releasing so
      many development snapshots that fail their unit tests.

  o Minor bugfixes:
    - When we're checking if we have enough dir info for each relay
      to begin establishing circuits, make sure that we actually have
      the descriptor listed in the consensus, not just any descriptor.
      Bugfix on 0.1.2.x.
    - Bridge relays no longer print "xx=0" in their extrainfo document
      for every single country code in the geoip db. Bugfix on
      0.2.0.27-rc.
    - Only warn when we fail to load the geoip file if we were planning to
      include geoip stats in our extrainfo document. Bugfix on 0.2.0.27-rc.
    - If we change our MaxAdvertisedBandwidth and then reload torrc,
      Tor won't realize it should publish a new relay descriptor. Fixes
      bug 688, reported by mfr. Bugfix on 0.1.2.x.
    - When we haven't had any application requests lately, don't bother
      logging that we have expired a bunch of descriptors. Bugfix
      on 0.1.2.x.
    - Make relay cells written on a connection count as non-padding when
      tracking how long a connection has been in use. Bugfix on
      0.2.0.1-alpha. Spotted by lodger.
    - Fix unit tests in 0.2.0.27-rc.
    - Fix compile on Windows.


Changes in version 0.2.0.27-rc - 2008-06-03
  Tor 0.2.0.27-rc adds a few features we left out of the earlier
  release candidates. In particular, we now include an IP-to-country
  GeoIP database, so controllers can easily look up what country a
  given relay is in, and so bridge relays can give us some sanitized
  summaries about which countries are making use of bridges. (See proposal
  126-geoip-fetching.txt for details.)

  o Major features:
    - Include an IP-to-country GeoIP file in the tarball, so bridge
      relays can report sanitized summaries of the usage they're seeing.

  o Minor features:
    - Add a "PURPOSE=" argument to "STREAM NEW" events, as suggested by
      Robert Hogan. Fixes the first part of bug 681.
    - Make bridge authorities never serve extrainfo docs.
    - Add support to detect Libevent versions in the 1.4.x series
      on mingw.
    - Fix build on gcc 4.3 with --enable-gcc-warnings set.
    - Include a new contrib/tor-exit-notice.html file that exit relay
      operators can put on their website to help reduce abuse queries.

  o Minor bugfixes:
    - When tunneling an encrypted directory connection, and its first
      circuit fails, do not leave it unattached and ask the controller
      to deal. Fixes the second part of bug 681.
    - Make bridge authorities correctly expire old extrainfo documents
      from time to time.


Changes in version 0.2.0.26-rc - 2008-05-13
  Tor 0.2.0.26-rc fixes a major security vulnerability caused by a bug
  in Debian's OpenSSL packages. All users running any 0.2.0.x version
  should upgrade, whether they're running Debian or not.

  o Major security fixes:
    - Use new V3 directory authority keys on the tor26, gabelmoo, and
      moria1 V3 directory authorities. The old keys were generated with
      a vulnerable version of Debian's OpenSSL package, and must be
      considered compromised. Other authorities' keys were not generated
      with an affected version of OpenSSL.

  o Major bugfixes:
    - List authority signatures as "unrecognized" based on DirServer
      lines, not on cert cache. Bugfix on 0.2.0.x.

  o Minor features:
    - Add a new V3AuthUseLegacyKey option to make it easier for
      authorities to change their identity keys if they have to.


Changes in version 0.2.0.25-rc - 2008-04-23
  Tor 0.2.0.25-rc makes Tor work again on OS X and certain BSDs.

  o Major bugfixes:
    - Remember to initialize threading before initializing logging.
      Otherwise, many BSD-family implementations will crash hard on
      startup. Fixes bug 671. Bugfix on 0.2.0.24-rc.

  o Minor bugfixes:
    - Authorities correctly free policies on bad servers on
      exit. Fixes bug 672. Bugfix on 0.2.0.x.


Changes in version 0.2.0.24-rc - 2008-04-22
  Tor 0.2.0.24-rc adds dizum (run by Alex de Joode) as the new sixth
  v3 directory authority, makes relays with dynamic IP addresses and no
  DirPort notice more quickly when their IP address changes, fixes a few
  rare crashes and memory leaks, and fixes a few other miscellaneous bugs.

  o New directory authorities:
    - Take lefkada out of the list of v3 directory authorities, since
      it has been down for months.
    - Set up dizum (run by Alex de Joode) as the new sixth v3 directory
      authority.

  o Major bugfixes:
    - Detect address changes more quickly on non-directory mirror
      relays. Bugfix on 0.2.0.18-alpha; fixes bug 652.

  o Minor features (security):
    - Reject requests for reverse-dns lookup of names that are in
      a private address space. Patch from lodger.
    - Non-exit relays no longer allow DNS requests. Fixes bug 619. Patch
      from lodger.

  o Minor bugfixes (crashes):
    - Avoid a rare assert that can trigger when Tor doesn't have much
      directory information yet and it tries to fetch a v2 hidden
      service descriptor. Fixes bug 651, reported by nwf.
    - Initialize log mutex before initializing dmalloc. Otherwise,
      running with dmalloc would crash. Bugfix on 0.2.0.x-alpha.
    - Use recursive pthread mutexes in order to avoid deadlock when
      logging debug-level messages to a controller. Bug spotted by nwf,
      bugfix on 0.2.0.16-alpha.

  o Minor bugfixes (resource management):
    - Keep address policies from leaking memory: start their refcount
      at 1, not 2. Bugfix on 0.2.0.16-alpha.
    - Free authority certificates on exit, so they don't look like memory
      leaks. Bugfix on 0.2.0.19-alpha.
    - Free static hashtables for policy maps and for TLS connections on
      shutdown, so they don't look like memory leaks. Bugfix on 0.2.0.x.
    - Avoid allocating extra space when computing consensuses on 64-bit
      platforms. Bug spotted by aakova.

  o Minor bugfixes (misc):
    - Do not read the configuration file when we've only been told to
      generate a password hash. Fixes bug 643. Bugfix on 0.0.9pre5. Fix
      based on patch from Sebastian Hahn.
    - Exit relays that are used as a client can now reach themselves
      using the .exit notation, rather than just launching an infinite
      pile of circuits. Fixes bug 641. Reported by Sebastian Hahn.
    - When attempting to open a logfile fails, tell us why.
    - Fix a dumb bug that was preventing us from knowing that we should
      preemptively build circuits to handle expected directory requests.
      Fixes bug 660. Bugfix on 0.1.2.x.
    - Warn less verbosely about clock skew from netinfo cells from
      untrusted sources. Fixes bug 663.
    - Make controller stream events for DNS requests more consistent,
      by adding "new stream" events for DNS requests, and removing
      spurious "stream closed" events" for cached reverse resolves.
      Patch from mwenge. Fixes bug 646.
    - Correctly notify one-hop connections when a circuit build has
      failed. Possible fix for bug 669. Found by lodger.


Changes in version 0.2.0.23-rc - 2008-03-24
  Tor 0.2.0.23-rc is the fourth release candidate for the 0.2.0 series. It
  makes bootstrapping faster if the first directory mirror you contact
  is down. The bundles also include the new Vidalia 0.1.2 release.

  o Major bugfixes:
    - When a tunneled directory request is made to a directory server
      that's down, notice after 30 seconds rather than 120 seconds. Also,
      fail any begindir streams that are pending on it, so they can
      retry elsewhere. This was causing multi-minute delays on bootstrap.


Changes in version 0.2.0.22-rc - 2008-03-18
  Tor 0.2.0.22-rc is the third release candidate for the 0.2.0 series. It
  enables encrypted directory connections by default for non-relays, fixes
  some broken TLS behavior we added in 0.2.0.20-rc, and resolves many
  other bugs. The bundles also include Vidalia 0.1.1 and Torbutton 1.1.17.

  o Major features:
    - Enable encrypted directory connections by default for non-relays,
      so censor tools that block Tor directory connections based on their
      plaintext patterns will no longer work. This means Tor works in
      certain censored countries by default again.

  o Major bugfixes:
    - Make sure servers always request certificates from clients during
      TLS renegotiation. Reported by lodger; bugfix on 0.2.0.20-rc.
    - Do not enter a CPU-eating loop when a connection is closed in
      the middle of client-side TLS renegotiation. Fixes bug 622. Bug
      diagnosed by lodger; bugfix on 0.2.0.20-rc.
    - Fix assertion failure that could occur when a blocked circuit
      became unblocked, and it had pending client DNS requests. Bugfix
      on 0.2.0.1-alpha. Fixes bug 632.

  o Minor bugfixes (on 0.1.2.x):
    - Generate "STATUS_SERVER" events rather than misspelled
      "STATUS_SEVER" events. Caught by mwenge.
    - When counting the number of bytes written on a TLS connection,
      look at the BIO actually used for writing to the network, not
      at the BIO used (sometimes) to buffer data for the network.
      Looking at different BIOs could result in write counts on the
      order of ULONG_MAX. Fixes bug 614.
    - On Windows, correctly detect errors when listing the contents of
      a directory. Fix from lodger.

  o Minor bugfixes (on 0.2.0.x):
    - Downgrade "sslv3 alert handshake failure" message to INFO.
    - If we set RelayBandwidthRate and RelayBandwidthBurst very high but
      left BandwidthRate and BandwidthBurst at the default, we would be
      silently limited by those defaults. Now raise them to match the
      RelayBandwidth* values.
    - Fix the SVK version detection logic to work correctly on a branch.
    - Make --enable-openbsd-malloc work correctly on Linux with alpha
      CPUs. Fixes bug 625.
    - Logging functions now check that the passed severity is sane.
    - Use proper log levels in the testsuite call of
      get_interface_address6().
    - When using a nonstandard malloc, do not use the platform values for
      HAVE_MALLOC_GOOD_SIZE or HAVE_MALLOC_USABLE_SIZE.
    - Make the openbsd malloc code use 8k pages on alpha CPUs and
      16k pages on ia64.
    - Detect mismatched page sizes when using --enable-openbsd-malloc.
    - Avoid double-marked-for-close warning when certain kinds of invalid
      .in-addr.arpa addresses are passed to the DNSPort. Part of a fix
      for bug 617. Bugfix on 0.2.0.1-alpha.
    - Make sure that the "NULL-means-reject *:*" convention is followed by
      all the policy manipulation functions, avoiding some possible crash
      bugs. Bug found by lodger. Bugfix on 0.2.0.16-alpha.
    - Fix the implementation of ClientDNSRejectInternalAddresses so that it
      actually works, and doesn't warn about every single reverse lookup.
      Fixes the other part of bug 617.  Bugfix on 0.2.0.1-alpha.

  o Minor features:
    - Only log guard node status when guard node status has changed.
    - Downgrade the 3 most common "INFO" messages to "DEBUG". This will
      make "INFO" 75% less verbose.


Changes in version 0.2.0.21-rc - 2008-03-02
  Tor 0.2.0.21-rc is the second release candidate for the 0.2.0 series. It
  makes Tor work well with Vidalia again, fixes a rare assert bug,
  and fixes a pair of more minor bugs. The bundles also include Vidalia
  0.1.0 and Torbutton 1.1.16.

  o Major bugfixes:
    - The control port should declare that it requires password auth
      when HashedControlSessionPassword is set too. Patch from Matt Edman;
      bugfix on 0.2.0.20-rc. Fixes bug 615.
    - Downgrade assert in connection_buckets_decrement() to a log message.
      This may help us solve bug 614, and in any case will make its
      symptoms less severe. Bugfix on 0.2.0.20-rc. Reported by fredzupy.
    - We were sometimes miscounting the number of bytes read from the
      network, causing our rate limiting to not be followed exactly.
      Bugfix on 0.2.0.16-alpha. Reported by lodger.

  o Minor bugfixes:
    - Fix compilation with OpenSSL 0.9.8 and 0.9.8a.  All other supported
      OpenSSL versions should have been working fine.  Diagnosis and patch
      from lodger, Karsten Loesing, and Sebastian Hahn.  Fixes bug 616.
      Bugfix on 0.2.0.20-rc.


Changes in version 0.2.0.20-rc - 2008-02-24
  Tor 0.2.0.20-rc is the first release candidate for the 0.2.0 series. It
  makes more progress towards normalizing Tor's TLS handshake, makes
  hidden services work better again, helps relays bootstrap if they don't
  know their IP address, adds optional support for linking in openbsd's
  allocator or tcmalloc, allows really fast relays to scale past 15000
  sockets, and fixes a bunch of minor bugs reported by Veracode.

  o Major features:
    - Enable the revised TLS handshake based on the one designed by
      Steven Murdoch in proposal 124, as revised in proposal 130. It
      includes version negotiation for OR connections as described in
      proposal 105. The new handshake is meant to be harder for censors
      to fingerprint, and it adds the ability to detect certain kinds of
      man-in-the-middle traffic analysis attacks. The version negotiation
      feature will allow us to improve Tor's link protocol more safely
      in the future.
    - Choose which bridge to use proportional to its advertised bandwidth,
      rather than uniformly at random. This should speed up Tor for
      bridge users. Also do this for people who set StrictEntryNodes.
    - When a TrackHostExits-chosen exit fails too many times in a row,
      stop using it. Bugfix on 0.1.2.x; fixes bug 437.

  o Major bugfixes:
    - Resolved problems with (re-)fetching hidden service descriptors.
      Patch from Karsten Loesing; fixes problems with 0.2.0.18-alpha
      and 0.2.0.19-alpha.
    - If we only ever used Tor for hidden service lookups or posts, we
      would stop building circuits and start refusing connections after
      24 hours, since we falsely believed that Tor was dormant. Reported
      by nwf; bugfix on 0.1.2.x.
    - Servers that don't know their own IP address should go to the
      authorities for their first directory fetch, even if their DirPort
      is off or if they don't know they're reachable yet. This will help
      them bootstrap better. Bugfix on 0.2.0.18-alpha; fixes bug 609.
    - When counting the number of open sockets, count not only the number
      of sockets we have received from the socket() call, but also
      the number we've gotten from accept() and socketpair(). This bug
      made us fail to count all sockets that we were using for incoming
      connections. Bugfix on 0.2.0.x.
    - Fix code used to find strings within buffers, when those strings
      are not in the first chunk of the buffer. Bugfix on 0.2.0.x.
    - Fix potential segfault when parsing HTTP headers. Bugfix on 0.2.0.x.
    - Add a new __HashedControlSessionPassword option for controllers
      to use for one-off session password hashes that shouldn't get
      saved to disk by SAVECONF --- Vidalia users were accumulating a
      pile of HashedControlPassword lines in their torrc files, one for
      each time they had restarted Tor and then clicked Save. Make Tor
      automatically convert "HashedControlPassword" to this new option but
      only when it's given on the command line. Partial fix for bug 586.

  o Minor features (performance):
    - Tune parameters for cell pool allocation to minimize amount of
      RAM overhead used.
    - Add OpenBSD malloc code from phk as an optional malloc
      replacement on Linux: some glibc libraries do very poorly
      with Tor's memory allocation patterns. Pass
      --enable-openbsd-malloc to get the replacement malloc code.
    - Add a --with-tcmalloc option to the configure script to link
      against tcmalloc (if present). Does not yet search for
      non-system include paths.
    - Stop imposing an arbitrary maximum on the number of file descriptors
      used for busy servers. Bug reported by Olaf Selke; patch from
      Sebastian Hahn.

  o Minor features (other):
    - When SafeLogging is disabled, log addresses along with all TLS
      errors.
    - When building with --enable-gcc-warnings, check for whether Apple's
      warning "-Wshorten-64-to-32" is available.
    - Add a --passphrase-fd argument to the tor-gencert command for
      scriptability.

  o Minor bugfixes (memory leaks and code problems):
    - We were leaking a file descriptor if Tor started with a zero-length
      cached-descriptors file. Patch by freddy77; bugfix on 0.1.2.
    - Detect size overflow in zlib code. Reported by Justin Ferguson and
      Dan Kaminsky.
    - We were comparing the raw BridgePassword entry with a base64'ed
      version of it, when handling a "/tor/networkstatus-bridges"
      directory request. Now compare correctly. Noticed by Veracode.
    - Recover from bad tracked-since value in MTBF-history file.