diff options
Diffstat (limited to 'ChangeLog')
| -rw-r--r-- | ChangeLog | 987 |
1 files changed, 987 insertions, 0 deletions
@@ -1,3 +1,522 @@ +Changes in version 0.2.2.15-alpha - 2010-08-1? + o Major bugfixes: + - Stop assigning the HSDir flag to relays that disable their + DirPort (and thus will refuse to answer directory requests). This + fix should dramatically improve the reachability of hidden services: + hidden services and hidden service clients pick six HSDir relays + to store and retrieve the hidden service descriptor, and currently + about half of the HSDir relays will refuse to work. Bugfix on + 0.2.0.10-alpha; fixes part of bug 1693. + - The PerConnBWRate and Burst config options, along with the + bwconnrate and bwconnburst consensus params, initialized each conn's + token bucket values only when the connection is established. Now we + update them if the config options change, and update them every time + we get a new consensus. Otherwise we can encounter an ugly edge + case where we initialize an OR conn to client-level bandwidth, + but then later the relay joins the consensus and we leave it + throttled. Bugfix on 0.2.2.7-alpha; fixes bug 1830. + - Fix a regression that caused Tor to rebind its ports if it receives + SIGHUP while hibernating. Bugfix in 0.1.1.6-alpha; closes bug 919. + + o Major features: + - Lower the maximum weighted-fractional-uptime cutoff to 98%. This + should give us approximately 40-50% more Guard-flagged nodes, + improving the anonymity the Tor network can provide and also + decreasing the dropoff in throughput that relays experience when + they first get the Guard flag. + - Allow enabling or disabling the *Statistics config options while + Tor is running. + + o Minor features: + - Update to the August 1 2010 Maxmind GeoLite Country database. + - Have the controller interface give a more useful message than + "Internal Error" in response to failed GETINFO requests. + - Warn when the same option is provided more than once in a torrc + file, on the command line, or in a single SETCONF statement, and + the option is one that only accepts a single line. Closes bug 1384. + - Build correctly on mingw with more recent versions of OpenSSL 0.9.8. + Patch from mingw-san. + - Add support for the country code "{??}" in torrc options like + ExcludeNodes, to indicate all routers of unknown country. Closes + bug 1094. + - Remove the old debian/ directory from the main Tor distribution. + The official Tor-for-debian git repository lives at the URL + https://git.torproject.org/debian/tor.git + - Take a first step towards making or.h smaller by splitting out + function definitions for all source files in src/or/. Leave + structures and defines in or.h for now. + - New unit tests for exit-port history statistics; refactored exit + statistics code to be more easily tested. + + o Minor bugfixes (on 0.2.1.x and earlier): + - Complain if PublishServerDescriptor is given multiple arguments that + include 0 or 1. This configuration will be rejected in the future. + Bugfix on 0.2.0.1-alpha; closes bug 1107. + - Disallow BridgeRelay 1 and ORPort 0 at once in the configuration. + Bugfix on 0.2.0.13-alpha; closes bug 928. + - Change "Application request when we're believed to be offline." + notice to "Application request when we haven't used client + functionality lately.", to clarify that it's not an error. Bugfix + on 0.0.9.3; fixes bug 1222. + - Fix a bug in the controller interface where "GETINFO ns/asdaskljkl" + would return "551 Internal error" rather than "552 Unrecognized key + ns/asdaskljkl". Bugfix on 0.1.2.3-alpha. + - Let users configure a regular relay to be their bridge. It didn't + work because when Tor fetched the bridge descriptor, it found + that it already had it, and didn't realize that the purpose of the + descriptor had changed. Now we replace routers with a purpose other + than bridge with bridge descriptors when fetching them. Bugfix on + 0.1.1.9-alpha; fixes bug 1776. + - Fix a rare bug in rend_fn unit tests: we would fail a test when + a randomly generated port is 0. Diagnosed by Matt Edman. Bugfix + on 0.2.0.10-alpha; fixes bug 1808. + - Exit nodes didn't recognize EHOSTUNREACH as a plausible error code, + and so sent back END_STREAM_REASON_MISC. They now send a new stream + ending reason: END_STREAM_REASON_NOROUTE. Also update the spec to + reflect this new reason. Bugfix on 0.1.0.1-rc; fixes bug 1793. + - Instead of giving an assertion failure on an internal mismatch + on estimated freelist size, just log a BUG warning and try later. + Mitigates but does not fix bug 1125. + + o Minor bugfixes (on 0.2.2.x): + - Alter directory authorities to always consider Exit-flagged nodes + as potential Guard nodes in their votes. The actual decision to + use Exits as Guards is done in the consensus bandwidth weights. + Fixes bug 1294; bugfix on 0.2.2.10-alpha. + - When the controller is reporting the purpose of circuits that + didn't finish building before the circuit build timeout, it was + printing UNKNOWN_13. Now print EXPIRED. Bugfix on 0.2.2.14-alpha. + - Our libevent version parsing code couldn't handle versions like + 1.4.14b-stable and incorrectly warned the user about using an + old and broken version of libevent. Treat 1.4.14b-stable like + 1.4.14-stable when parsing the version. Fixes bug 1731; bugfix + on 0.2.2.1-alpha. + - Don't use substitution references like $(VAR:MOD) when + $(asciidoc_files) is empty -- make(1) on NetBSD transforms + '$(:x)' to 'x' rather than the empty string. This bites us in + doc/ when configured with --disable-asciidoc. Bugfix on + 0.2.2.9-alpha; fixes bug 1773. + - Fix to remove a spurious hidden service server-side log notice about + "Ancient non-dirty circuits". Bugfix on 0.2.2.14-alpha; fixes + bug 1741. + - Fix compilation with --with-dmalloc set. Bugfix on 0.2.2.6-alpha; + fixes bug 1832. + - Fix three memory leaks: one in circuit_build_times_parse_state(), + one in dirvote_add_signatures_to_pending_consensus(), and one every + time we parse a v3 network consensus. Bugfixes on 0.2.2.14-alpha, + 0.2.2.6-alpha, and 0.2.2.10-alpha respectively; fixes bug 1831. + + +Changes in version 0.2.2.14-alpha - 2010-07-12 + Tor 0.2.2.14-alpha greatly improves client-side handling of + circuit build timeouts, which are used to estimate speed and improve + performance. We also move to a much better GeoIP database, port Tor to + Windows CE, introduce new compile flags that improve code security, + add an eighth v3 directory authority, and address a lot of more + minor issues. + + o Major bugfixes: + - Tor directory authorities no longer crash when started with a + cached-microdesc-consensus file in their data directory. Bugfix + on 0.2.2.6-alpha; fixes bug 1532. + - Treat an unset $HOME like an empty $HOME rather than triggering an + assert. Bugfix on 0.0.8pre1; fixes bug 1522. + - Ignore negative and large circuit build timeout values that can + happen during a suspend or hibernate. These values caused various + asserts to fire. Bugfix on 0.2.2.2-alpha; fixes bug 1245. + - Alter calculation of Pareto distribution parameter 'Xm' for + Circuit Build Timeout learning to use the weighted average of the + top N=3 modes (because we have three entry guards). Considering + multiple modes should improve the timeout calculation in some cases, + and prevent extremely high timeout values. Bugfix on 0.2.2.2-alpha; + fixes bug 1335. + - Alter calculation of Pareto distribution parameter 'Alpha' to use a + right censored distribution model. This approach improves over the + synthetic timeout generation approach that was producing insanely + high timeout values. Now we calculate build timeouts using truncated + times. Bugfix on 0.2.2.2-alpha; fixes bugs 1245 and 1335. + - Do not close circuits that are under construction when they reach + the circuit build timeout. Instead, leave them building (but do not + use them) for up until the time corresponding to the 95th percentile + on the Pareto CDF or 60 seconds, whichever is greater. This is done + to provide better data for the new Pareto model. This percentile + can be controlled by the consensus. + + o Major features: + - Move to the June 2010 Maxmind GeoLite country db (rather than the + June 2009 ip-to-country GeoIP db) for our statistics that count + how many users relays are seeing from each country. Now we have + more accurate data for many African countries. + - Port Tor to build and run correctly on Windows CE systems, using + the wcecompat library. Contributed by Valerio Lupi. + - New "--enable-gcc-hardening" ./configure flag (off by default) + to turn on gcc compile time hardening options. It ensures + that signed ints have defined behavior (-fwrapv), enables + -D_FORTIFY_SOURCE=2 (requiring -O2), adds stack smashing protection + with canaries (-fstack-protector-all), turns on ASLR protection if + supported by the kernel (-fPIE, -pie), and adds additional security + related warnings. Verified to work on Mac OS X and Debian Lenny. + - New "--enable-linker-hardening" ./configure flag (off by default) + to turn on ELF specific hardening features (relro, now). This does + not work with Mac OS X or any other non-ELF binary format. + + o New directory authorities: + - Set up maatuska (run by Linus Nordberg) as the eighth v3 directory + authority. + + o Minor features: + - New config option "WarnUnsafeSocks 0" disables the warning that + occurs whenever Tor receives only an IP address instead of a + hostname. Setups that do DNS locally over Tor are fine, and we + shouldn't spam the logs in that case. + - Convert the HACKING file to asciidoc, and add a few new sections + to it, explaining how we use Git, how we make changelogs, and + what should go in a patch. + - Add a TIMEOUT_RATE keyword to the BUILDTIMEOUT_SET control port + event, to give information on the current rate of circuit timeouts + over our stored history. + - Add ability to disable circuit build time learning via consensus + parameter and via a LearnCircuitBuildTimeout config option. Also + automatically disable circuit build time calculation if we are + either a AuthoritativeDirectory, or if we fail to write our state + file. Fixes bug 1296. + - More gracefully handle corrupt state files, removing asserts + in favor of saving a backup and resetting state. + - Rename the "log.h" header to "torlog.h" so as to conflict with fewer + system headers. + + o Minor bugfixes: + - Build correctly on OSX with zlib 1.2.4 and higher with all warnings + enabled. + - When a2x fails, mention that the user could disable manpages instead + of trying to fix their asciidoc installation. + - Where available, use Libevent 2.0's periodic timers so that our + once-per-second cleanup code gets called even more closely to + once per second than it would otherwise. Fixes bug 943. + - If you run a bridge that listens on multiple IP addresses, and + some user configures a bridge address that uses a different IP + address than your bridge writes in its router descriptor, and the + user doesn't specify an identity key, their Tor would discard the + descriptor because "it isn't one of our configured bridges", and + fail to bootstrap. Now believe the descriptor and bootstrap anyway. + Bugfix on 0.2.0.3-alpha. + - If OpenSSL fails to make a duplicate of a private or public key, log + an error message and try to exit cleanly. May help with debugging + if bug 1209 ever remanifests. + - Save a couple bytes in memory allocation every time we escape + certain characters in a string. Patch from Florian Zumbiehl. + - Make it explicit that we don't cannibalize one-hop circuits. This + happens in the wild, but doesn't turn out to be a problem because + we fortunately don't use those circuits. Many thanks to outofwords + for the initial analysis and to swissknife who confirmed that + two-hop circuits are actually created. + - Make directory mirrors report non-zero dirreq-v[23]-shares again. + Fixes bug 1564; bugfix on 0.2.2.9-alpha. + - Eliminate a case where a circuit build time warning was displayed + after network connectivity resumed. Bugfix on 0.2.2.2-alpha. + + +Changes in version 0.2.1.26 - 2010-05-02 + Tor 0.2.1.26 addresses the recent connection and memory overload + problems we've been seeing on relays, especially relays with their + DirPort open. If your relay has been crashing, or you turned it off + because it used too many resources, give this release a try. + + This release also fixes yet another instance of broken OpenSSL libraries + that was causing some relays to drop out of the consensus. + + o Major bugfixes: + - Teach relays to defend themselves from connection overload. Relays + now close idle circuits early if it looks like they were intended + for directory fetches. Relays are also more aggressive about closing + TLS connections that have no circuits on them. Such circuits are + unlikely to be re-used, and tens of thousands of them were piling + up at the fast relays, causing the relays to run out of sockets + and memory. Bugfix on 0.2.0.22-rc (where clients started tunneling + their directory fetches over TLS). + - Fix SSL renegotiation behavior on OpenSSL versions like on Centos + that claim to be earlier than 0.9.8m, but which have in reality + backported huge swaths of 0.9.8m or 0.9.8n renegotiation + behavior. Possible fix for some cases of bug 1346. + - Directory mirrors were fetching relay descriptors only from v2 + directory authorities, rather than v3 authorities like they should. + Only 2 v2 authorities remain (compared to 7 v3 authorities), leading + to a serious bottleneck. Bugfix on 0.2.0.9-alpha. Fixes bug 1324. + + o Minor bugfixes: + - Finally get rid of the deprecated and now harmful notion of "clique + mode", where directory authorities maintain TLS connections to + every other relay. + + o Testsuite fixes: + - In the util/threads test, no longer free the test_mutex before all + worker threads have finished. Bugfix on 0.2.1.6-alpha. + - The master thread could starve the worker threads quite badly on + certain systems, causing them to run only partially in the allowed + window. This resulted in test failures. Now the master thread sleeps + occasionally for a few microseconds while the two worker-threads + compete for the mutex. Bugfix on 0.2.0.1-alpha. + + +Changes in version 0.2.2.13-alpha - 2010-04-24 + Tor 0.2.2.13-alpha addresses the recent connection and memory overload + problems we've been seeing on relays, especially relays with their + DirPort open. If your relay has been crashing, or you turned it off + because it used too many resources, give this release a try. + + o Major bugfixes: + - Teach relays to defend themselves from connection overload. Relays + now close idle circuits early if it looks like they were intended + for directory fetches. Relays are also more aggressive about closing + TLS connections that have no circuits on them. Such circuits are + unlikely to be re-used, and tens of thousands of them were piling + up at the fast relays, causing the relays to run out of sockets + and memory. Bugfix on 0.2.0.22-rc (where clients started tunneling + their directory fetches over TLS). + + o Minor features: + - Finally get rid of the deprecated and now harmful notion of "clique + mode", where directory authorities maintain TLS connections to + every other relay. + - Directory authorities now do an immediate reachability check as soon + as they hear about a new relay. This change should slightly reduce + the time between setting up a relay and getting listed as running + in the consensus. It should also improve the time between setting + up a bridge and seeing use by bridge users. + - Directory authorities no longer launch a TLS connection to every + relay as they startup. Now that we have 2k+ descriptors cached, + the resulting network hiccup is becoming a burden. Besides, + authorities already avoid voting about Running for the first half + hour of their uptime. + + +Changes in version 0.2.2.12-alpha - 2010-04-20 + Tor 0.2.2.12-alpha fixes a critical bug in how directory authorities + handle and vote on descriptors. It was causing relays to drop out of + the consensus. + + o Major bugfixes: + - Many relays have been falling out of the consensus lately because + not enough authorities know about their descriptor for them to get + a majority of votes. When we deprecated the v2 directory protocol, + we got rid of the only way that v3 authorities can hear from each + other about other descriptors. Now authorities examine every v3 + vote for new descriptors, and fetch them from that authority. Bugfix + on 0.2.1.23. + - Fix two typos in tor_vasprintf() that broke the compile on Windows, + and a warning in or.h related to bandwidth_weight_rule_t that + prevented clean compile on OS X. Fixes bug 1363; bugfix on + 0.2.2.11-alpha. + - Fix a segfault on relays when DirReqStatistics is enabled + and 24 hours pass. Bug found by keb. Fixes bug 1365; bugfix on + 0.2.2.11-alpha. + + o Minor bugfixes: + - Demote a confusing TLS warning that relay operators might get when + someone tries to talk to their OrPort. It is neither the operator's + fault nor can they do anything about it. Fixes bug 1364; bugfix + on 0.2.0.14-alpha. + + +Changes in version 0.2.2.11-alpha - 2010-04-15 + Tor 0.2.2.11-alpha fixes yet another instance of broken OpenSSL + libraries that was causing some relays to drop out of the consensus. + + o Major bugfixes: + - Directory mirrors were fetching relay descriptors only from v2 + directory authorities, rather than v3 authorities like they should. + Only 2 v2 authorities remain (compared to 7 v3 authorities), leading + to a serious bottleneck. Bugfix on 0.2.0.9-alpha. Fixes bug 1324. + - Fix a parsing error that made every possible value of + CircPriorityHalflifeMsec get treated as "1 msec". Bugfix + on 0.2.2.7-alpha. Rename CircPriorityHalflifeMsec to + CircuitPriorityHalflifeMsec, so authorities can tell newer relays + about the option without breaking older ones. + - Fix SSL renegotiation behavior on OpenSSL versions like on Centos + that claim to be earlier than 0.9.8m, but which have in reality + backported huge swaths of 0.9.8m or 0.9.8n renegotiation + behavior. Possible fix for some cases of bug 1346. + + o Minor features: + - Experiment with a more aggressive approach to preventing clients + from making one-hop exit streams. Exit relays who want to try it + out can set "RefuseUnknownExits 1" in their torrc, and then look + for "Attempt by %s to open a stream" log messages. Let us know + how it goes! + - Add support for statically linking zlib by specifying + --enable-static-zlib, to go with our support for statically linking + openssl and libevent. Resolves bug 1358. + + o Minor bugfixes: + - Fix a segfault that happens whenever a Tor client that is using + libevent2's bufferevents gets a hup signal. Bugfix on 0.2.2.5-alpha; + fixes bug 1341. + - When we cleaned up the contrib/tor-exit-notice.html file, we left + out the first line. Fixes bug 1295. + - When building the manpage from a tarball, we required asciidoc, but + the asciidoc -> roff/html conversion was already done for the + tarball. Make 'make' complain only when we need asciidoc (either + because we're compiling directly from git, or because we altered + the asciidoc manpage in the tarball). Bugfix on 0.2.2.9-alpha. + - When none of the directory authorities vote on any params, Tor + segfaulted when trying to make the consensus from the votes. We + didn't trigger the bug in practice, because authorities do include + params in their votes. Bugfix on 0.2.2.10-alpha; fixes bug 1322. + + o Testsuite fixes: + - In the util/threads test, no longer free the test_mutex before all + worker threads have finished. Bugfix on 0.2.1.6-alpha. + - The master thread could starve the worker threads quite badly on + certain systems, causing them to run only partially in the allowed + window. This resulted in test failures. Now the master thread sleeps + occasionally for a few microseconds while the two worker-threads + compete for the mutex. Bugfix on 0.2.0.1-alpha. + + +Changes in version 0.2.2.10-alpha - 2010-03-07 + Tor 0.2.2.10-alpha fixes a regression introduced in 0.2.2.9-alpha that + could prevent relays from guessing their IP address correctly. It also + starts the groundwork for another client-side performance boost, since + currently we're not making efficient use of relays that have both the + Guard flag and the Exit flag. + + o Major bugfixes: + - Fix a regression from our patch for bug 1244 that caused relays + to guess their IP address incorrectly if they didn't set Address + in their torrc and/or their address fails to resolve. Bugfix on + 0.2.2.9-alpha; fixes bug 1269. + + o Major features (performance): + - Directory authorities now compute consensus weightings that instruct + clients how to weight relays flagged as Guard, Exit, Guard+Exit, + and no flag. Clients that use these weightings will distribute + network load more evenly across these different relay types. The + weightings are in the consensus so we can change them globally in + the future. Extra thanks to "outofwords" for finding some nasty + security bugs in the first implementation of this feature. + + o Minor features (performance): + - Always perform router selections using weighted relay bandwidth, + even if we don't need a high capacity circuit at the time. Non-fast + circuits now only differ from fast ones in that they can use relays + not marked with the Fast flag. This "feature" could turn out to + be a horrible bug; we should investigate more before it goes into + a stable release. + + o Minor features: + - Allow disabling building of the manpages. Skipping the manpage + speeds up the build considerably. + + o Minor bugfixes (on 0.2.2.x): + - Fix a memleak in the EXTENDCIRCUIT logic. Spotted by coverity. + Bugfix on 0.2.2.9-alpha. + - Disallow values larger than INT32_MAX for PerConnBWRate|Burst + config option. Bugfix on 0.2.2.7-alpha. + - Ship the asciidoc-helper file in the tarball, so that people can + build from source if they want to, and touching the .1.txt files + doesn't break the build. Bugfix on 0.2.2.9-alpha. + + o Minor bugfixes (on 0.2.1.x or earlier): + - Fix a dereference-then-NULL-check sequence when publishing + descriptors. Bugfix on 0.2.1.5-alpha. Discovered by ekir; fixes + bug 1255. + - Fix another dereference-then-NULL-check sequence. Bugfix on + 0.2.1.14-rc. Discovered by ekir; fixes bug 1256. + - Make sure we treat potentially not NUL-terminated strings correctly. + Bugfix on 0.1.1.13-alpha. Discovered by rieo; fixes bug 1257. + + o Code simplifications and refactoring: + - Fix some urls in the exit notice file and make it XHTML1.1 strict + compliant. Based on a patch from Christian Kujau. + - Don't use sed in asciidoc-helper anymore. + - Make the build process fail if asciidoc cannot be found and + building with asciidoc isn't disabled. + + +Changes in version 0.2.2.9-alpha - 2010-02-22 + Tor 0.2.2.9-alpha makes Tor work again on the latest OS X, updates the + location of a directory authority, and cleans up a bunch of small bugs. + + o Directory authority changes: + - Change IP address for dannenberg (v3 directory authority), and + remove moria2 (obsolete v1, v2 directory authority and v0 hidden + service directory authority) from the list. + + o Major bugfixes: + - Make Tor work again on the latest OS X: when deciding whether to + use strange flags to turn TLS renegotiation on, detect the OpenSSL + version at run-time, not compile time. We need to do this because + Apple doesn't update its dev-tools headers when it updates its + libraries in a security patch. + - Fix a potential buffer overflow in lookup_last_hid_serv_request() + that could happen on 32-bit platforms with 64-bit time_t. Also fix + a memory leak when requesting a hidden service descriptor we've + requested before. Fixes bug 1242, bugfix on 0.2.0.18-alpha. Found + by aakova. + - Authorities could be tricked into giving out the Exit flag to relays + that didn't allow exiting to any ports. This bug could screw + with load balancing and stats. Bugfix on 0.1.1.6-alpha; fixes bug + 1238. Bug discovered by Martin Kowalczyk. + - When freeing a session key, zero it out completely. We only zeroed + the first ptrsize bytes. Bugfix on 0.0.2pre8. Discovered and + patched by ekir. Fixes bug 1254. + + o Minor bugfixes: + - Fix static compilation by listing the openssl libraries in the right + order. Bugfix on Tor 0.2.2.8-alpha; fixes bug 1237. + - Resume handling .exit hostnames in a special way: originally we + stripped the .exit part and used the requested exit relay. In + 0.2.2.1-alpha we stopped treating them in any special way, meaning + if you use a .exit address then Tor will pass it on to the exit + relay. Now we reject the .exit stream outright, since that behavior + might be more expected by the user. Found and diagnosed by Scott + Bennett and Downie on or-talk. + - Don't spam the controller with events when we have no file + descriptors available. Bugfix on 0.2.1.5-alpha. (Rate-limiting + for log messages was already solved from bug 748.) + - Avoid a bogus overlapped memcpy in tor_addr_copy(). Reported by + "memcpyfail". + - Make the DNSPort option work with libevent 2.x. Don't alter the + behaviour for libevent 1.x. Fixes bug 1143. Found by SwissTorExit. + - Emit a GUARD DROPPED controller event for a case we missed. + - Make more fields in the controller protocol case-insensitive, since + control-spec.txt said they were. + - Refactor resolve_my_address() to not use gethostbyname() anymore. + Fixes bug 1244; bugfix on 0.0.2pre25. Reported by Mike Mestnik. + - Fix a spec conformance issue: the network-status-version token + must be the first token in a v3 consensus or vote. Discovered by + parakeep. Bugfix on 0.2.0.3-alpha. + + o Code simplifications and refactoring: + - Generate our manpage and HTML documentation using Asciidoc. This + change should make it easier to maintain the documentation, and + produce nicer HTML. + - Remove the --enable-iphone option. According to reports from Marco + Bonetti, Tor builds fine without any special tweaking on recent + iPhone SDK versions. + - Removed some unnecessary files from the source distribution. The + AUTHORS file has now been merged into the people page on the + website. The roadmaps and design doc can now be found in the + projects directory in svn. + - Enabled various circuit build timeout constants to be controlled + by consensus parameters. Also set better defaults for these + parameters based on experimentation on broadband and simulated + high latency links. + + o Minor features: + - The 'EXTENDCIRCUIT' control port command can now be used with + a circ id of 0 and no path. This feature will cause Tor to build + a new 'fast' general purpose circuit using its own path selection + algorithms. + - Added a BUILDTIMEOUT_SET controller event to describe changes + to the circuit build timeout. + - Future-proof the controller protocol a bit by ignoring keyword + arguments we do not recognize. + - Expand homedirs passed to tor-checkkey. This should silence a + coverity complaint about passing a user-supplied string into + open() without checking it. + + Changes in version 0.2.1.25 - 2010-03-16 Tor 0.2.1.25 fixes a regression introduced in 0.2.1.23 that could prevent relays from guessing their IP address correctly. It also fixes @@ -22,6 +541,7 @@ Changes in version 0.2.1.25 - 2010-03-16 Bugfix on 0.1.1.13-alpha. Discovered by rieo; fixes bug 1257. + Changes in version 0.2.1.24 - 2010-02-21 Tor 0.2.1.24 makes Tor work again on the latest OS X -- this time for sure! @@ -75,6 +595,154 @@ Changes in version 0.2.1.23 - 2010-02-13 over the behavior introduced in 0.1.2.17. +Changes in version 0.2.2.8-alpha - 2010-01-26 + Tor 0.2.2.8-alpha fixes a crash bug in 0.2.2.7-alpha that has been + causing bridge relays to disappear. If you're running a bridge, + please upgrade. + + o Major bugfixes: + - Fix a memory corruption bug on bridges that occured during the + inclusion of stats data in extra-info descriptors. Also fix the + interface for geoip_get_bridge_stats* to prevent similar bugs in + the future. Diagnosis by Tas, patch by Karsten and Sebastian. + Fixes bug 1208; bugfix on 0.2.2.7-alpha. + + o Minor bugfixes: + - Ignore OutboundBindAddress when connecting to localhost. + Connections to localhost need to come _from_ localhost, or else + local servers (like DNS and outgoing HTTP/SOCKS proxies) will often + refuse to listen. + + +Changes in version 0.2.2.7-alpha - 2010-01-19 + Tor 0.2.2.7-alpha fixes a huge client-side performance bug, as well + as laying the groundwork for further relay-side performance fixes. It + also starts cleaning up client behavior with respect to the EntryNodes, + ExitNodes, and StrictNodes config options. + + This release also rotates two directory authority keys, due to a + security breach of some of the Torproject servers. + + o Directory authority changes: + - Rotate keys (both v3 identity and relay identity) for moria1 + and gabelmoo. + + o Major features (performance): + - We were selecting our guards uniformly at random, and then weighting + which of our guards we'd use uniformly at random. This imbalance + meant that Tor clients were severely limited on throughput (and + probably latency too) by the first hop in their circuit. Now we + select guards weighted by currently advertised bandwidth. We also + automatically discard guards picked using the old algorithm. Fixes + bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry. + - When choosing which cells to relay first, relays can now favor + circuits that have been quiet recently, to provide lower latency + for low-volume circuits. By default, relays enable or disable this + feature based on a setting in the consensus. You can override + this default by using the new "CircuitPriorityHalflife" config + option. Design and code by Ian Goldberg, Can Tang, and Chris + Alexander. + - Add separate per-conn write limiting to go with the per-conn read + limiting. We added a global write limit in Tor 0.1.2.5-alpha, + but never per-conn write limits. + - New consensus params "bwconnrate" and "bwconnburst" to let us + rate-limit client connections as they enter the network. It's + controlled in the consensus so we can turn it on and off for + experiments. It's starting out off. Based on proposal 163. + + o Major features (relay selection options): + - Switch to a StrictNodes config option, rather than the previous + "StrictEntryNodes" / "StrictExitNodes" separation that was missing a + "StrictExcludeNodes" option. + - If EntryNodes, ExitNodes, ExcludeNodes, or ExcludeExitNodes + change during a config reload, mark and discard all our origin + circuits. This fix should address edge cases where we change the + config options and but then choose a circuit that we created before + the change. + - If EntryNodes or ExitNodes are set, be more willing to use an + unsuitable (e.g. slow or unstable) circuit. The user asked for it, + they get it. + - Make EntryNodes config option much more aggressive even when + StrictNodes is not set. Before it would prepend your requested + entrynodes to your list of guard nodes, but feel free to use others + after that. Now it chooses only from your EntryNodes if any of + those are available, and only falls back to others if a) they're + all down and b) StrictNodes is not set. + - Now we refresh your entry guards from EntryNodes at each consensus + fetch -- rather than just at startup and then they slowly rot as + the network changes. + + o Major bugfixes: + - Stop bridge directory authorities from answering dbg-stability.txt + directory queries, which would let people fetch a list of all + bridge identities they track. Bugfix on 0.2.1.6-alpha. + + o Minor features: + - Log a notice when we get a new control connection. Now it's easier + for security-conscious users to recognize when a local application + is knocking on their controller door. Suggested by bug 1196. + - New config option "CircuitStreamTimeout" to override our internal + timeout schedule for how many seconds until we detach a stream from + a circuit and try a new circuit. If your network is particularly + slow, you might want to set this to a number like 60. + - New controller command "getinfo config-text". It returns the + contents that Tor would write if you send it a SAVECONF command, + so the controller can write the file to disk itself. + - New options for SafeLogging to allow scrubbing only log messages + generated while acting as a relay. + - Ship the bridges spec file in the tarball too. + - Avoid a mad rush at the beginning of each month when each client + rotates half of its guards. Instead we spread the rotation out + throughout the month, but we still avoid leaving a precise timestamp + in the state file about when we first picked the guard. Improves + over the behavior introduced in 0.1.2.17. + + o Minor bugfixes (compiling): + - Fix compilation on OS X 10.3, which has a stub mlockall() but + hides it. Bugfix on 0.2.2.6-alpha. + - Fix compilation on Solaris by removing support for the + DisableAllSwap config option. Solaris doesn't have an rlimit for + mlockall, so we cannot use it safely. Fixes bug 1198; bugfix on + 0.2.2.6-alpha. + + o Minor bugfixes (crashes): + - Do not segfault when writing buffer stats when we haven't observed + a single circuit to report about. Found by Fabian Lanze. Bugfix on + 0.2.2.1-alpha. + - If we're in the pathological case where there's no exit bandwidth + but there is non-exit bandwidth, or no guard bandwidth but there + is non-guard bandwidth, don't crash during path selection. Bugfix + on 0.2.0.3-alpha. + - Fix an impossible-to-actually-trigger buffer overflow in relay + descriptor generation. Bugfix on 0.1.0.15. + + o Minor bugfixes (privacy): + - Fix an instance where a Tor directory mirror might accidentally + log the IP address of a misbehaving Tor client. Bugfix on + 0.1.0.1-rc. + - Don't list Windows capabilities in relay descriptors. We never made + use of them, and maybe it's a bad idea to publish them. Bugfix + on 0.1.1.8-alpha. + + o Minor bugfixes (other): + - Resolve an edge case in path weighting that could make us misweight + our relay selection. Fixes bug 1203; bugfix on 0.0.8rc1. + - Fix statistics on client numbers by country as seen by bridges that + were broken in 0.2.2.1-alpha. Also switch to reporting full 24-hour + intervals instead of variable 12-to-48-hour intervals. + - After we free an internal connection structure, overwrite it + with a different memory value than we use for overwriting a freed + internal circuit structure. Should help with debugging. Suggested + by bug 1055. + - Update our OpenSSL 0.9.8l fix so that it works with OpenSSL 0.9.8m + too. + + o Removed features: + - Remove the HSAuthorityRecordStats option that version 0 hidden + service authorities could have used to track statistics of overall + hidden service usage. + + Changes in version 0.2.1.22 - 2010-01-19 Tor 0.2.1.22 fixes a critical privacy problem in bridge directory authorities -- it would tell you its whole history of bridge descriptors @@ -118,6 +786,69 @@ Changes in version 0.2.1.21 - 2009-12-21 trigger assert. Fixes bug 1173. +Changes in version 0.2.2.6-alpha - 2009-11-19 + Tor 0.2.2.6-alpha lays the groundwork for many upcoming features: + support for the new lower-footprint "microdescriptor" directory design, + future-proofing our consensus format against new hash functions or + other changes, and an Android port. It also makes Tor compatible with + the upcoming OpenSSL 0.9.8l release, and fixes a variety of bugs. + + o Major features: + - Directory authorities can now create, vote on, and serve multiple + parallel formats of directory data as part of their voting process. + Partially implements Proposal 162: "Publish the consensus in + multiple flavors". + - Directory authorities can now agree on and publish small summaries + of router information that clients can use in place of regular + server descriptors. This transition will eventually allow clients + to use far less bandwidth for downloading information about the + network. Begins the implementation of Proposal 158: "Clients + download consensus + microdescriptors". + - The directory voting system is now extensible to use multiple hash + algorithms for signatures and resource selection. Newer formats + are signed with SHA256, with a possibility for moving to a better + hash algorithm in the future. + - New DisableAllSwap option. If set to 1, Tor will attempt to lock all + current and future memory pages via mlockall(). On supported + platforms (modern Linux and probably BSD but not Windows or OS X), + this should effectively disable any and all attempts to page out + memory. This option requires that you start your Tor as root -- + if you use DisableAllSwap, please consider using the User option + to properly reduce the privileges of your Tor. + - Numerous changes, bugfixes, and workarounds from Nathan Freitas + to help Tor build correctly for Android phones. + + o Major bugfixes: + - Work around a security feature in OpenSSL 0.9.8l that prevents our + handshake from working unless we explicitly tell OpenSSL that we + are using SSL renegotiation safely. We are, but OpenSSL 0.9.8l + won't work unless we say we are. + + o Minor bugfixes: + - Fix a crash bug when trying to initialize the evdns module in + Libevent 2. Bugfix on 0.2.1.16-rc. + - Stop logging at severity 'warn' when some other Tor client tries + to establish a circuit with us using weak DH keys. It's a protocol + violation, but that doesn't mean ordinary users need to hear about + it. Fixes the bug part of bug 1114. Bugfix on 0.1.0.13. + - Do not refuse to learn about authority certs and v2 networkstatus + documents that are older than the latest consensus. This bug might + have degraded client bootstrapping. Bugfix on 0.2.0.10-alpha. + Spotted and fixed by xmux. + - Fix numerous small code-flaws found by Coverity Scan Rung 3. + - If all authorities restart at once right before a consensus vote, + nobody will vote about "Running", and clients will get a consensus + with no usable relays. Instead, authorities refuse to build a + consensus if this happens. Bugfix on 0.2.0.10-alpha; fixes bug 1066. + - If your relay can't keep up with the number of incoming create + cells, it would log one warning per failure into your logs. Limit + warnings to 1 per minute. Bugfix on 0.0.2pre10; fixes bug 1042. + - Bridges now use "reject *:*" as their default exit policy. Bugfix + on 0.2.0.3-alpha; fixes bug 1113. + - Fix a memory leak on directory authorities during voting that was + introduced in 0.2.2.1-alpha. Found via valgrind. + + Changes in version 0.2.1.20 - 2009-10-15 Tor 0.2.1.20 fixes a crash bug when you're accessing many hidden services at once, prepares for more performance improvements, and @@ -193,6 +924,262 @@ Changes in version 0.2.1.20 - 2009-10-15 getinfo and status events until we have a better design for them. +Changes in version 0.2.2.5-alpha - 2009-10-11 + Tor 0.2.2.5-alpha fixes a few compile problems in 0.2.2.4-alpha. + + o Major bugfixes: + - Make the tarball compile again. Oops. Bugfix on 0.2.2.4-alpha. + + o New directory authorities: + - Move dizum to an alternate IP address. + + +Changes in version 0.2.2.4-alpha - 2009-10-10 + Tor 0.2.2.4-alpha fixes more crash bugs in 0.2.2.2-alpha. It also + introduces a new unit test framework, shifts directry authority + addresses around to reduce the impact from recent blocking events, + and fixes a few smaller bugs. + + o Major bugfixes: + - Fix several more asserts in the circuit_build_times code, for + example one that causes Tor to fail to start once we have + accumulated 5000 build times in the state file. Bugfixes on + 0.2.2.2-alpha; fixes bug 1108. + + o New directory authorities: + - Move moria1 and Tonga to alternate IP addresses. + + o Minor features: + - Log SSL state transitions at debug level during handshake, and + include SSL states in error messages. This may help debug future + SSL handshake issues. + - Add a new "Handshake" log domain for activities that happen + during the TLS handshake. + - Revert to the "June 3 2009" ip-to-country file. The September one + seems to have removed most US IP addresses. + - Directory authorities now reject Tor relays with versions less than + 0.1.2.14. This step cuts out four relays from the current network, + none of which are very big. + + o Minor bugfixes: + - Fix a couple of smaller issues with gathering statistics. Bugfixes + on 0.2.2.1-alpha. + - Fix two memory leaks in the error case of + circuit_build_times_parse_state(). Bugfix on 0.2.2.2-alpha. + - Don't count one-hop circuits when we're estimating how long it + takes circuits to build on average. Otherwise we'll set our circuit + build timeout lower than we should. Bugfix on 0.2.2.2-alpha. + - Directory authorities no longer change their opinion of, or vote on, + whether a router is Running, unless they have themselves been + online long enough to have some idea. Bugfix on 0.2.0.6-alpha. + Fixes bug 1023. + + o Code simplifications and refactoring: + - Revise our unit tests to use the "tinytest" framework, so we + can run tests in their own processes, have smarter setup/teardown + code, and so on. The unit test code has moved to its own + subdirectory, and has been split into multiple modules. + + +Changes in version 0.2.2.3-alpha - 2009-09-23 + Tor 0.2.2.3-alpha fixes a few crash bugs in 0.2.2.2-alpha. + + o Major bugfixes: + - Fix an overzealous assert in our new circuit build timeout code. + Bugfix on 0.2.2.2-alpha; fixes bug 1103. + + o Minor bugfixes: + - If the networkstatus consensus tells us that we should use a + negative circuit package window, ignore it. Otherwise we'll + believe it and then trigger an assert. Bugfix on 0.2.2.2-alpha. + + +Changes in version 0.2.2.2-alpha - 2009-09-21 + Tor 0.2.2.2-alpha introduces our latest performance improvement for + clients: Tor tracks the average time it takes to build a circuit, and + avoids using circuits that take too long to build. For fast connections, + this feature can cut your expected latency in half. For slow or flaky + connections, it could ruin your Tor experience. Let us know if it does! + + o Major features: + - Tor now tracks how long it takes to build client-side circuits + over time, and adapts its timeout to local network performance. + Since a circuit that takes a long time to build will also provide + bad performance, we get significant latency improvements by + discarding the slowest 20% of circuits. Specifically, Tor creates + circuits more aggressively than usual until it has enough data + points for a good timeout estimate. Implements proposal 151. + We are especially looking for reports (good and bad) from users with + both EDGE and broadband connections that can move from broadband + to EDGE and find out if the build-time data in the .tor/state gets + reset without loss of Tor usability. You should also see a notice + log message telling you that Tor has reset its timeout. + - Directory authorities can now vote on arbitary integer values as + part of the consensus process. This is designed to help set + network-wide parameters. Implements proposal 167. + - Tor now reads the "circwindow" parameter out of the consensus, + and uses that value for its circuit package window rather than the + default of 1000 cells. Begins the implementation of proposal 168. + + o Major bugfixes: + - Fix a remotely triggerable memory leak when a consensus document + contains more than one signature from the same voter. Bugfix on + 0.2.0.3-alpha. + + o Minor bugfixes: + - Fix an extremely rare infinite recursion bug that could occur if + we tried to log a message after shutting down the log subsystem. + Found by Matt Edman. Bugfix on 0.2.0.16-alpha. + - Fix parsing for memory or time units given without a space between + the number and the unit. Bugfix on 0.2.2.1-alpha; fixes bug 1076. + - A networkstatus vote must contain exactly one signature. Spec + conformance issue. Bugfix on 0.2.0.3-alpha. + - Fix an obscure bug where hidden services on 64-bit big-endian + systems might mis-read the timestamp in v3 introduce cells, and + refuse to connect back to the client. Discovered by "rotor". + Bugfix on 0.2.1.6-alpha. + - We were triggering a CLOCK_SKEW controller status event whenever + we connect via the v2 connection protocol to any relay that has + a wrong clock. Instead, we should only inform the controller when + it's a trusted authority that claims our clock is wrong. Bugfix + on 0.2.0.20-rc; starts to fix bug 1074. Reported by SwissTorExit. + - We were telling the controller about CHECKING_REACHABILITY and + REACHABILITY_FAILED status events whenever we launch a testing + circuit or notice that one has failed. Instead, only tell the + controller when we want to inform the user of overall success or + overall failure. Bugfix on 0.1.2.6-alpha. Fixes bug 1075. Reported + by SwissTorExit. + - Don't warn when we're using a circuit that ends with a node + excluded in ExcludeExitNodes, but the circuit is not used to access + the outside world. This should help fix bug 1090, but more problems + remain. Bugfix on 0.2.1.6-alpha. + - Work around a small memory leak in some versions of OpenSSL that + stopped the memory used by the hostname TLS extension from being + freed. + - Make our 'torify' script more portable; if we have only one of + 'torsocks' or 'tsocks' installed, don't complain to the user; + and explain our warning about tsocks better. + + o Minor features: + - Add a "getinfo status/accepted-server-descriptor" controller + command, which is the recommended way for controllers to learn + whether our server descriptor has been successfully received by at + least on directory authority. Un-recommend good-server-descriptor + getinfo and status events until we have a better design for them. + - Update to the "September 4 2009" ip-to-country file. + + +Changes in version 0.2.2.1-alpha - 2009-08-26 + Tor 0.2.2.1-alpha disables ".exit" address notation by default, allows + Tor clients to bootstrap on networks where only port 80 is reachable, + makes it more straightforward to support hardware crypto accelerators, + and starts the groundwork for gathering stats safely at relays. + + o Security fixes: + - Start the process of disabling ".exit" address notation, since it + can be used for a variety of esoteric application-level attacks + on users. To reenable it, set "AllowDotExit 1" in your torrc. Fix + on 0.0.9rc5. + + o New directory authorities: + - Set up urras (run by Jacob Appelbaum) as the seventh v3 directory + authority. + + o Major features: + - New AccelName and AccelDir options add support for dynamic OpenSSL + hardware crypto acceleration engines. + - Tor now supports tunneling all of its outgoing connections over + a SOCKS proxy, using the SOCKS4Proxy and/or SOCKS5Proxy + configuration options. Code by Christopher Davis. + + o Major bugfixes: + - Send circuit or stream sendme cells when our window has decreased + by 100 cells, not when it has decreased by 101 cells. Bug uncovered + by Karsten when testing the "reduce circuit window" performance + patch. Bugfix on the 54th commit on Tor -- from July 2002, + before the release of Tor 0.0.0. This is the new winner of the + oldest-bug prize. + + o New options for gathering stats safely: + - Directories that set "DirReqStatistics 1" write statistics on + directory request to disk every 24 hours. As compared to the + --enable-geoip-stats flag in 0.2.1.x, there are a few improvements: + 1) stats are written to disk exactly every 24 hours; 2) estimated + shares of v2 and v3 requests are determined as mean values, not at + the end of a measurement period; 3) unresolved requests are listed + with country code '??'; 4) directories also measure download times. + - Exit nodes that set "ExitPortStatistics 1" write statistics on the + number of exit streams and transferred bytes per port to disk every + 24 hours. + - Relays that set "CellStatistics 1" write statistics on how long + cells spend in their circuit queues to disk every 24 hours. + - Entry nodes that set "EntryStatistics 1" write statistics on the + rough number and origins of connecting clients to disk every 24 + hours. + - Relays that write any of the above statistics to disk and set + "ExtraInfoStatistics 1" include the past 24 hours of statistics in + their extra-info documents. + + o Minor features: + - New --digests command-line switch to output the digests of the + source files Tor was built with. + - The "torify" script now uses torsocks where available. + - The memarea code now uses a sentinel value at the end of each area + to make sure nothing writes beyond the end of an area. This might + help debug some conceivable causes of bug 930. + - Time and memory units in the configuration file can now be set to + fractional units. For example, "2.5 GB" is now a valid value for + AccountingMax. + - Certain Tor clients (such as those behind check.torproject.org) may + want to fetch the consensus in an extra early manner. To enable this + a user may now set FetchDirInfoExtraEarly to 1. This also depends on + setting FetchDirInfoEarly to 1. Previous behavior will stay the same + as only certain clients who must have this information sooner should + set this option. + - Instead of adding the svn revision to the Tor version string, report + the git commit (when we're building from a git checkout). + + o Minor bugfixes: + - If any the v3 certs we download are unparseable, we should actually + notice the failure so we don't retry indefinitely. Bugfix on + 0.2.0.x; reported by "rotator". + - If the cached cert file is unparseable, warn but don't exit. + - Fix possible segmentation fault on directory authorities. Bugfix on + 0.2.1.14-rc. + - When Tor fails to parse a descriptor of any kind, dump it to disk. + Might help diagnosing bug 1051. + + o Deprecated and removed features: + - The controller no longer accepts the old obsolete "addr-mappings/" + or "unregistered-servers-" GETINFO values. + - Hidden services no longer publish version 0 descriptors, and clients + do not request or use version 0 descriptors. However, the old hidden + service authorities still accept and serve version 0 descriptors + when contacted by older hidden services/clients. + - The EXTENDED_EVENTS and VERBOSE_NAMES controller features are now + always on; using them is necessary for correct forward-compatible + controllers. + - Remove support for .noconnect style addresses. Nobody was using + them, and they provided another avenue for detecting Tor users + via application-level web tricks. + + o Packaging changes: + - Upgrade Vidalia from 0.1.15 to 0.2.3 in the Windows and OS X + installer bundles. See + https://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.2.3/CHANGELOG + for details of what's new in Vidalia 0.2.3. + - Windows Vidalia Bundle: update Privoxy from 3.0.6 to 3.0.14-beta. + - OS X Vidalia Bundle: move to Polipo 1.0.4 with Tor specific + configuration file, rather than the old Privoxy. + - OS X Vidalia Bundle: Vidalia, Tor, and Polipo are compiled as + x86-only for better compatibility with OS X 10.6, aka Snow Leopard. + - OS X Tor Expert Bundle: Tor is compiled as x86-only for + better compatibility with OS X 10.6, aka Snow Leopard. + - OS X Vidalia Bundle: The multi-package installer is now replaced + by a simple drag and drop to the /Applications folder. This change + occurred with the upgrade to Vidalia 0.2.3. + + Changes in version 0.2.1.19 - 2009-07-28 Tor 0.2.1.19 fixes a major bug with accessing and providing hidden services on Tor 0.2.1.3-alpha through 0.2.1.18. |