fold in changes for 0.2.4.10-alpha

25 files changed, 137 insertions, 141 deletions

diff --git a/ChangeLog b/ChangeLog
index 7c5a490c42..0ed7f56c7c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,140 @@
-Changes in version 0.2.4.10-alpha - 2013-0?-??
+Changes in version 0.2.4.10-alpha - 2013-02-04
+  Tor 0.2.4.10-alpha adds defenses at the directory authority level from
+  certain attacks that flood the network with relays; changes the queue
+  for circuit create requests from a sized-based limit to a time-based
+  limit; resumes building with MSVC on Windows; and fixes a wide variety
+  of other issues.
+
+  o Major bugfixes (directory authority):
+    - When computing directory thresholds, ignore any rejected-as-sybil
+      nodes during the computation so that they can't influence Fast,
+      Guard, etc. (We shoud have done this for proposal 109.) Fixes
+      bug 8146.
+    - When marking a node as a likely sybil, reset its uptime metrics
+      to zero, so that it cannot time towards getting marked as Guard,
+      Stable, or HSDir. (We shoud have done this for proposal 109.) Fixes
+      bug 8147.
+
+  o Major bugfixes:
+    - When a TLS write is partially successful but incomplete, remember
+      that the flushed part has been flushed, and notice that bytes were
+      actually written. Reported and fixed pseudonymously. Fixes bug
+      7708; bugfix on Tor 0.1.0.5-rc.
+    - Reject bogus create and relay cells with 0 circuit ID or 0 stream
+      ID: these could be used to create unexpected streams and circuits
+      which would count as "present" to some parts of Tor but "absent"
+      to others, leading to zombie circuits and streams or to a bandwidth
+      denial-of-service. Fixes bug 7889; bugfix on every released version
+      of Tor. Reported by "oftc_must_be_destroyed".
+    - Rename all macros in our local copy of queue.h to begin with "TOR_".
+      This change seems the only good way to permanently prevent conflicts
+      with queue.h on various operating systems. Fixes bug 8107; bugfix
+      on 0.2.4.6-alpha.
+
+  o Major features (relay):
+    - Instead of limiting the number of queued onionskins (aka circuit
+      create requests) to a fixed, hard-to-configure number, we limit
+      the size of the queue based on how many we expect to be able to
+      process in a given amount of time. We estimate the time it will
+      take to process an onionskin based on average processing time
+      of previous onionskins. Closes ticket 7291. You'll never have to
+      configure MaxOnionsPending again.
+
+  o Major features (portability):
+    - Resume building correctly with MSVC and Makefile.nmake. This patch
+      resolves numerous bugs and fixes reported by ultramage, including
+      7305, 7308, 7309, 7310, 7312, 7313, 7315, 7316, and 7669.
+    - Make the ntor and curve25519 code build correctly with MSVC.
+      Fix on 0.2.4.8-alpha.
+
+  o Minor features:
+    - When directory authorities are computing thresholds for flags,
+      never let the threshold for the Fast flag fall below 4096
+      bytes. Also, do not consider nodes with extremely low bandwidths
+      when deciding thresholds for various directory flags. This change
+      should raise our threshold for Fast relays, possibly in turn
+      improving overall network performance; see ticket 1854. Resolves
+      ticket 8145.
+    - The Tor client now ignores sub-domain components of a .onion
+      address. This change makes HTTP "virtual" hosting
+      possible: http://foo.aaaaaaaaaaaaaaaa.onion/ and
+      http://bar.aaaaaaaaaaaaaaaa.onion/ can be two different websites
+      hosted on the same hidden service. Implements proposal 204.
+    - We compute the overhead from passing onionskins back and forth to
+      cpuworkers, and report it when dumping statistics in response to
+      SIGUSR1. Supports ticket 7291.
+
+  o Minor features (path selection):
+    - When deciding whether we have enough descriptors to build circuits,
+      instead of looking at raw relay counts, look at which fraction
+      of (bandwidth-weighted) paths we're able to build. This approach
+      keeps clients from building circuits if their paths are likely to
+      stand out statistically. The default fraction of paths needed is
+      taken from the consensus directory; you can override it with the
+      new PathsNeededToBuildCircuits option. Fixes ticket 5956.
+    - When any country code is listed in ExcludeNodes or ExcludeExitNodes,
+      and we have GeoIP information, also exclude all nodes with unknown
+      countries "??" and "A1". This behavior is controlled by the
+      new GeoIPExcludeUnknown option: you can make such nodes always
+      excluded with "GeoIPExcludeUnknown 1", and disable the feature
+      with "GeoIPExcludeUnknown 0". Setting "GeoIPExcludeUnknown auto"
+      gets you the default behavior. Implements feature 7706.
+    - Path Use Bias: Perform separate accounting for successful circuit
+      use. Keep separate statistics on stream attempt rates versus stream
+      success rates for each guard. Provide configurable thresholds to
+      determine when to emit log messages or disable use of guards that
+      fail too many stream attempts. Resolves ticket 7802.
+
+  o Minor features (log messages):
+    - When learning a fingerprint for a bridge, log its corresponding
+      transport type. Implements ticket 7896.
+    - Improve the log message when "Bug/attack: unexpected sendme cell
+      from client" occurs, to help us track bug 8093.
+
+  o Minor bugfixes:
+    - Remove a couple of extraneous semicolons that were upsetting the
+      cparser library. Patch by Christian Grothoff. Fixes bug 7115;
+      bugfix on 0.2.2.1-alpha.
+    - Remove a source of rounding error during path bias count scaling;
+      don't count cannibalized circuits as used for path bias until we
+      actually try to use them; and fix a circuit_package_relay_cell()
+      warning message about n_chan==NULL. Fixes bug 7802.
+    - Detect nacl when its headers are in a nacl/ subdirectory. Also,
+      actually link against nacl when we're configured to use it. Fixes
+      bug 7972; bugfix on 0.2.4.8-alpha.
+    - Compile correctly with the --disable-curve25519 option. Fixes
+      bug 8153; bugfix on 0.2.4.8-alpha.
+
+  o Build improvements:
+    - Do not report status verbosely from autogen.sh unless the -v flag
+      is specified. Fixes issue 4664. Patch from Onizuka.
+    - Replace all calls to snprintf() outside of src/ext with
+      tor_snprintf(). Also remove the #define to replace snprintf with
+      _snprintf on Windows; they have different semantics, and all of
+      our callers should be using tor_snprintf() anyway. Fixes bug 7304.
+    - Try to detect if we are ever building on a platform where
+      memset(...,0,...) does not set the value of a double to 0.0. Such
+      platforms are permitted by the C standard, though in practice
+      they're pretty rare (since IEEE 754 is nigh-ubiquitous). We don't
+      currently support them, but it's better to detect them and fail
+      than to perform erroneously.
+
+  o Removed features:
+    - Stop exporting estimates of v2 and v3 directory traffic shares
+      in extrainfo documents. They were unneeded and sometimes inaccurate.
+      Also stop exporting any v2 directory request statistics. Resolves
+      ticket 5823.
+    - Drop support for detecting and warning about versions of Libevent
+      before 1.3e. Nothing reasonable ships with them any longer;
+      warning the user about them shouldn't be needed. Resolves ticket
+      6826.
+
+  o Code simplifications and refactoring:
+    - Rename "isin" functions to "contains", for grammar. Resolves
+      ticket 5285.
+    - Rename Tor's logging function log() to tor_log(), to avoid conflicts
+      with the natural logarithm function from the system libm. Resolves
+      ticket 7599.
 
 
 Changes in version 0.2.4.9-alpha - 2013-01-15
diff --git a/changes/4664 b/changes/4664
deleted file mode 100644
index eb81da925e..0000000000
--- a/changes/4664
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor features (build):
-    - Do not report status verbosely from autogen.sh unless the -v flag
-      is specified. Fixes issue 4664. Patch from Onizuka.
-
diff --git a/changes/7304 b/changes/7304
deleted file mode 100644
index bfb797b107..0000000000
--- a/changes/7304
+++ /dev/null
@@ -1,7 +0,0 @@
-  o Minor bugfixes:
-    - Replace all calls to snprintf outside of src/ext with tor_snprintf.
-      Fix for bug 7304.
-  o Code simplification and refactoring:
-    - Remove the #define to replace snprintf with _snprintf on windows;
-      they have different semantics, and all of our callers should be
-      using tor_snprintf anyway. Partial fix for bug 7304.
diff --git a/changes/bug5823 b/changes/bug5823
deleted file mode 100644
index d76b590889..0000000000
--- a/changes/bug5823
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Removed featurs:
-    - Stop exporting estimates of v2 and v3 directory traffic shares
-      in extrainfo documents. They were unneeded and sometimes inaccurate.
-      Also stop exporting any v2 directory request statistics. Resolves
-      ticket 5823.
diff --git a/changes/bug6826 b/changes/bug6826
deleted file mode 100644
index 6eba19bced..0000000000
--- a/changes/bug6826
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Removed features:
-    - Drop support for detecting and warning about versions of Libevent
-      before 1.3e. Nothing reasonable ships with them any longer;
-      warning the user about them shouldn't be needed. Resolves ticket
-      6826.
diff --git a/changes/bug7115 b/changes/bug7115
deleted file mode 100644
index 976b9a9e85..0000000000
--- a/changes/bug7115
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (portability)
-    - Remove a couple of extraneous semicolos that were upsetting the
-      cparser library. Patch by Christian Grothoff. Fixes bug 7115;
-      bugfix on 0.2.2.1-alpha.
diff --git a/changes/bug7708 b/changes/bug7708
deleted file mode 100644
index e272adf227..0000000000
--- a/changes/bug7708
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Major bugfixes:
-    - When a TLS write is partially successful but incomplete, remember
-      that the flushed part has been flushed, and notice that bytes were
-      actually written. Reported and fixed pseudonymously. Fixes bug
-      7708; bugfix on Tor 0.1.0.5-rc.
diff --git a/changes/bug7802 b/changes/bug7802
deleted file mode 100644
index 9bc0f36fe1..0000000000
--- a/changes/bug7802
+++ /dev/null
@@ -1,11 +0,0 @@
-  o Minor features:
-    - Path Use Bias: Perform separate accounting for successful circuit use.
-      Separate statistics on stream attempt versus success rates are kept
-      for each guard. Configurable thresholds are provided to determine
-      when to emit log messages or disable use of guards that fail too
-      many stream attempts.
-  o Minor bugfixes:
-    - Remove a source of rounding error during path bias count scaling.
-    - Don't count cannibalized circuits as used for path bias until we
-      actually try to use them.
-    - Fix circuit_package_relay_cell warning message about n_chan==NULL.
diff --git a/changes/bug7889 b/changes/bug7889
deleted file mode 100644
index ce99a59ce5..0000000000
--- a/changes/bug7889
+++ /dev/null
@@ -1,8 +0,0 @@
-  o Major bugfixes:
-    - Reject bogus create and relay cells with 0 circuit ID or 0 stream
-      ID: these could be used to create unexpected streams and circuits
-      which would count as "present" to some parts of Tor but "absent"
-      to others, leading to zombie circuits and streams or to a
-      bandwidth DOS. Fixes bug 7889; bugfix on every released version of
-      Tor. Reported by "oftc_must_be_destroyed".
-
diff --git a/changes/bug7896 b/changes/bug7896
deleted file mode 100644
index 9eecaa6ab9..0000000000
--- a/changes/bug7896
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor features:
-    - When learning a fingerprint for a bridge, log its corresponding
-      transport type. Implements ticket 7896.
diff --git a/changes/bug7972 b/changes/bug7972
deleted file mode 100644
index 6e1fce69c8..0000000000
--- a/changes/bug7972
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor bugfixes:
-    - Detect nacl when its headers are in a nacl/ subdirectory. Fixes bug
-      7972; bugfix on 0.2.4.8-alpha.
-    - Actually link against nacl when we're configured to use it. Fixes bug
-      7972; bugfix on 0.2.4.8-alpha.
diff --git a/changes/bug8093 b/changes/bug8093
deleted file mode 100644
index cbddfd990f..0000000000
--- a/changes/bug8093
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor features:
-    - Improve the log message when "Bug/attack: unexpected sendme cell
-      from client" occurs, to help us track bug 8093.
-
diff --git a/changes/bug8146_etc b/changes/bug8146_etc
deleted file mode 100644
index 173ea3b58d..0000000000
--- a/changes/bug8146_etc
+++ /dev/null
@@ -1,13 +0,0 @@
-  o Major bugfixes (security, directory authority):
-    - When computing directory thresholds, ignore any rejected-as-sybil
-      nodes during the computation so that they can't influence Fast,
-      Guard, etc. Fixes bug 8146.
-
-    - When computing thresholds for flags, never let the threshold for
-      the Fast flag to 4096 bytes. Fixes bug 8145.
-    - Do not consider nodes with extremely low bandwidths when deciding
-      thresholds for various directory flags. Another fix for 8145.
-
-    - When marking a node as a likely sybil, reset its uptime metrics
-      to zero, so that it cannot time towards getting marked as Guard,
-      Stable, or HSDir. Fix for bug 8147.
diff --git a/changes/bug8153 b/changes/bug8153
deleted file mode 100644
index 9178f25bac..0000000000
--- a/changes/bug8153
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor bugfixes:
-    - Compile correctly with the --disable-curve25519 option. Fix for
-      bug 8153; bugfix on 0.2.4.8-alpha.
diff --git a/changes/build_with_msvc b/changes/build_with_msvc
deleted file mode 100644
index 8da0c92bc2..0000000000
--- a/changes/build_with_msvc
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Features (portability):
-    - Build correctly with MSVC and Makefile.nmake. This resolves
-      numerous bugs and fixes reported by ultramage, including 7305,
-      7308, 7309, 7310, 7312, 7313, 7315, 7316, and 7669.
diff --git a/changes/double-0-check b/changes/double-0-check
deleted file mode 100644
index 74554cd272..0000000000
--- a/changes/double-0-check
+++ /dev/null
@@ -1,8 +0,0 @@
-  o Build improvements (bizarre platform detection):
-    - Try to detect it if we are ever building on a platform where
-      memset(...,0,...) does not set the value of a double to 0.0.  Such
-      platforms are permitted by the C standard, though in practice
-      they're pretty rare (since IEEE 754 is nigh-ubiquitous). We don't
-      currently support them, but it's better to detect them and fail
-      than to perform erroneously.
-
diff --git a/changes/enum_bitfield b/changes/enum_bitfield
deleted file mode 100644
index e69de29bb2..0000000000
--- a/changes/enum_bitfield
+++ /dev/null
diff --git a/changes/feature5956 b/changes/feature5956
deleted file mode 100644
index 2e18810588..0000000000
--- a/changes/feature5956
+++ /dev/null
@@ -1,8 +0,0 @@
-  o Major features:
-    - When deciding whether we have enough descriptors to build circuits,
-      instead of looking at raw circuit counts, look at which fraction of
-      (bandwidth-weighted) paths we're able to build. This approach keeps
-      clients from building circuits if their paths are likely to stand out
-      statistically. The default fraction of paths needed is taken from the
-      consensus directory; you can override it with the new
-      PathsNeededToBuildCircuits option.  Fixes issue 5956.
diff --git a/changes/feature7706 b/changes/feature7706
deleted file mode 100644
index 69b91a67ec..0000000000
--- a/changes/feature7706
+++ /dev/null
@@ -1,9 +0,0 @@
-  o Minor features:
-    - When any country code is listed in ExcludeNodes or
-      ExcludeExitNodes, and we have GeoIP information, also exclude
-      all nodes with unknown countries ({??} and {A1} if
-      present). This behavior is controlled by the new
-      GeoIPExcludeUnknown option: you can make such nodes always
-      excluded with 'GeoIPExcludeUnknown 1', and disable the feature
-      with 'GeoIPExcludeUnknown 0'. Setting 'GeoIPExcludeUnknown auto'
-      gets you the default behavior.  Implements feature 7706.
diff --git a/changes/msvc b/changes/msvc
deleted file mode 100644
index 1ae92e3f2e..0000000000
--- a/changes/msvc
+++ /dev/null
@@ -1,6 +0,0 @@
-  o Build fixes (MSVC):
-    - Correctly define HAVE_EVENT_BASE_LOOPEXIT, since we only build
-      with MSVC when using Libevent 2.0 or later. Fixes bug 7308.
-      Reported by "ultramage".
-    - Make the ntor and curve25519 code build correctly with MSVC.
-      Fix on 0.2.4.8-alpha.
diff --git a/changes/proposal204 b/changes/proposal204
deleted file mode 100644
index 4c1854b1ed..0000000000
--- a/changes/proposal204
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor features:
-    - Ignore sub-domain components of a .onion address. This makes HTTP "virtual"
-      hosting possible: http://foo.aaaaaaaaaaaaaaaa.onion/ and
-      http//bar.aaaaaaaaaaaaaaaa.onion/ can be two different websites hosted at
-      the same location. Implements proposal 204.
diff --git a/changes/rename5285 b/changes/rename5285
deleted file mode 100644
index 26ec976e2c..0000000000
--- a/changes/rename5285
+++ /dev/null
@@ -1,2 +0,0 @@
- o Code simplifications and refactoring:
-   - Rename "isin" functions to "contains", for grammar. Fixes ticket 5285.
diff --git a/changes/rename_log_7599 b/changes/rename_log_7599
deleted file mode 100644
index 38e843f066..0000000000
--- a/changes/rename_log_7599
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Code simplification and refactoring:
-    - Rename Tor's logging function log() to tor_log(), to avoid conflicts
-      with the natural logarithm function from the system libm.  Resolves
-      ticket 7599.
diff --git a/changes/rename_queue_macros b/changes/rename_queue_macros
deleted file mode 100644
index 29373ac234..0000000000
--- a/changes/rename_queue_macros
+++ /dev/null
@@ -1,6 +0,0 @@
-  o Major bugfixes:
-    - Rename all macros in our local copy of queue.h to begin with TOR_;
-      this seems the only good way to permanently prevent conflicts
-      with queue.h on various operating systems. Fixes bug 8107; bugfix on
-      0.2.4.6-alpha.
-
diff --git a/changes/timed_onionqueue b/changes/timed_onionqueue
deleted file mode 100644
index fe54d78ac8..0000000000
--- a/changes/timed_onionqueue
+++ /dev/null
@@ -1,11 +0,0 @@
-  o Minor features (relay):
-    - Instead of limiting the number of queued onionskins to a configured,
-      hard-to-configure number, we limit the size of the queue based on how
-      many we expect to be able to process in a given amount of time. We
-      estimate the time it will take to process an onionskin based on average
-      processing time of previous onionskins.  Closes ticket 7291. You'll
-      never have to configure MaxOnionsPending again.
-
-    - We compute the overhead from passing onionskins back and forth to
-      cpuworkers, and report it when dumping statistics in response to
-      SIGUSR1.