of Tor. If you want to see more detailed descriptions of the changes in
each development snapshot, see the ChangeLog file.
+Changes in version 0.2.3.25 - 2012-11-19
+ The Tor 0.2.3 release series is dedicated to the memory of Len "rabbi"
+ Sassaman (1980-2011), a long-time cypherpunk, anonymity researcher,
+ Mixmaster maintainer, Pynchon Gate co-designer, CodeCon organizer,
+ programmer, and friend. Unstinting in his dedication to the cause of
+ freedom, he inspired and helped many of us as we began our work on
+ anonymity, and inspires us still. Please honor his memory by writing
+ software to protect people's freedoms, and by helping others to do so.
+
+ Tor 0.2.3.25, the first stable release in the 0.2.3 branch, features
+ significantly reduced directory overhead (via microdescriptors),
+ enormous crypto performance improvements for fast relays on new
+ enough hardware, a new v3 TLS handshake protocol that can better
+ resist fingerprinting, support for protocol obfuscation plugins (aka
+ pluggable transports), better scalability for hidden services, IPv6
+ support for bridges, performance improvements like allowing clients
+ to skip the first round-trip on the circuit ("optimistic data") and
+ refilling token buckets more often, a new "stream isolation" design
+ to isolate different applications on different circuits, and many
+ stability, security, and privacy fixes.
+
+ Major features (v3 directory protocol):
+ - Clients now use microdescriptors instead of regular descriptors
+ to build circuits. Microdescriptors are authority-generated
+ summaries of regular descriptors' contents, designed to change very
+ rarely (see proposal 158 for details). This feature is designed
+ to save bandwidth, especially for clients on slow internet
+ connections. Use "UseMicrodescriptors 0" to disable it.
+ - Caches now download, cache, and serve microdescriptors, as well
+ as multiple "flavors" of the consensus, including a flavor that
+ describes microdescriptors.
+
+ o Major features (build hardening):
+ - Enable gcc and ld hardening by default. Resolves ticket 5210.
+
+ o Major features (relay scaling):
+ - When built to use OpenSSL 1.0.1, and built for an x86 or x86_64
+ instruction set, take advantage of OpenSSL's AESNI, bitsliced, or
+ vectorized AES implementations as appropriate. These can be much,
+ much faster than other AES implementations.
+ - When using OpenSSL 1.0.0 or later, use OpenSSL's counter mode
+ implementation. It makes AES_CTR about 7% faster than our old one
+ (which was about 10% faster than the one OpenSSL used to provide).
+ Resolves ticket 4526.
+ - Use OpenSSL's EVP interface for AES encryption, so that all AES
+ operations can use hardware acceleration (if present). Resolves
+ ticket 4442.
+ - Unconditionally use OpenSSL's AES implementation instead of our
+ old built-in one. OpenSSL's AES has been better for a while, and
+ relatively few servers should still be on any version of OpenSSL
+ that doesn't have good optimized assembly AES.
+
+ o Major features (blocking resistance):
+ - Update TLS cipher list to match Firefox 8 and later. Resolves
+ ticket 4744.
+ - Remove support for clients falsely claiming to support standard
+ ciphersuites that they can actually provide. As of modern OpenSSL
+ versions, it's not necessary to fake any standard ciphersuite,
+ and doing so prevents us from using better ciphersuites in the
+ future, since servers can't know whether an advertised ciphersuite
+ is really supported or not. Some hosts -- notably, ones with very
+ old versions of OpenSSL or where OpenSSL has been built with ECC
+ disabled -- will stand out because of this change; TBB users should
+ not be affected. Implements the client side of proposal 198.
+ - Implement a new handshake protocol (v3) for authenticating Tors to
+ each other over TLS. It should be more resistant to fingerprinting
+ than previous protocols, and should require less TLS hacking for
+ future Tor implementations. Implements proposal 176.
+ - Allow variable-length padding cells, to disguise the length of
+ Tor's TLS records. Implements part of proposal 184.
+ - While we're trying to bootstrap, record how many TLS connections
+ fail in each state, and report which states saw the most failures
+ in response to any bootstrap failures. This feature may speed up
+ diagnosis of censorship events. Implements ticket 3116.
+
+ o Major features (pluggable transports):
+ - Clients and bridges can now be configured to use a separate
+ "transport" proxy. This approach makes the censorship arms race
+ easier by allowing bridges to use protocol obfuscation plugins.
+ Implements proposal 180 (tickets 2841 and 3472).
+
+ o Major features (DoS resistance):
+ - Now that Tor 0.2.0.x is completely deprecated, enable the final
+ part of "Proposal 110: Avoiding infinite length circuits" by
+ refusing all circuit-extend requests that do not use a relay_early
+ cell. This change helps Tor resist a class of denial-of-service
+ attacks by limiting the maximum circuit length.
+ - Tear down the circuit if we get an unexpected SENDME cell. Clients
+ could use this trick to make their circuits receive cells faster
+ than our flow control would have allowed, or to gum up the network,
+ or possibly to do targeted memory denial-of-service attacks on
+ entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor --
+ from July 2002, before the release of Tor 0.0.0.
+
+ o Major features (hidden services):
+ - Adjust the number of introduction points that a hidden service
+ will try to maintain based on how long its introduction points
+ remain in use and how many introductions they handle. Fixes
+ part of bug 3825.
+ - Add a "tor2web mode" for clients that want to connect to hidden
+ services non-anonymously (and possibly more quickly). As a safety
+ measure to try to keep users from turning this on without knowing
+ what they are doing, tor2web mode must be explicitly enabled at
+ compile time, and a copy of Tor compiled to run in tor2web mode
+ cannot be used as a normal Tor client. Implements feature 2553.
+
+ o Major features (IPv6):
+ - Clients can now connect to private bridges over IPv6. Bridges
+ still need at least one IPv4 address in order to connect to
+ other relays. Note that we don't yet handle the case where the
+ user has two bridge lines for the same bridge (one IPv4, one
+ IPv6). Implements parts of proposal 186.
+
+ o Major features (directory authorities):
+ - Use a more secure consensus parameter voting algorithm. Now at
+ least three directory authorities or a majority of them must
+ vote on a given parameter before it will be included in the
+ consensus. Implements proposal 178.
+ - Remove the artificially low cutoff of 20KB to guarantee the Fast
+ flag. In the past few years the average relay speed has picked
+ up, and while the "top 7/8 of the network get the Fast flag" and
+ "all relays with 20KB or more of capacity get the Fast flag" rules
+ used to have the same result, now the top 7/8 of the network has
+ a capacity more like 32KB. Bugfix on 0.2.1.14-rc. Fixes bug 4489.
+
+ o Major features (performance):
+ - Exit nodes now accept and queue data on not-yet-connected streams.
+ Previously, the client wasn't allowed to send data until the
+ stream was connected, which slowed down all connections. This
+ change will enable clients to perform a "fast-start" on streams
+ and send data without having to wait for a confirmation that the
+ stream has opened. Patch from Ian Goldberg; implements the server
+ side of Proposal 174.
+ - When using an exit relay running 0.2.3.x, clients can now
+ "optimistically" send data before the exit relay reports that
+ the stream has opened. This saves a round trip when starting
+ connections where the client speaks first (such as web browsing).
+ This behavior is controlled by a consensus parameter (currently
+ disabled). To turn it on or off manually, use the "OptimisticData"
+ torrc option. Implements proposal 181; code by Ian Goldberg.
+ - Add a new TokenBucketRefillInterval option to refill token buckets
+ more frequently than once per second. This should improve network
+ performance, alleviate queueing problems, and make traffic less
+ bursty. Implements proposal 183; closes ticket 3630. Design by
+ Florian Tschorsch and Björn Scheuermann; implementation by
+ Florian Tschorsch.
+ - Raise the threshold of server descriptors needed (75%) and exit
+ server descriptors needed (50%) before we will declare ourselves
+ bootstrapped. This will make clients start building circuits a
+ little later, but makes the initially constructed circuits less
+ skewed and less in conflict with further directory fetches. Fixes
+ ticket 3196.
+
+ o Major features (relays):
+ - Relays now try regenerating and uploading their descriptor more
+ frequently if they are not listed in the consensus, or if the
+ version of their descriptor listed in the consensus is too
+ old. This fix should prevent situations where a server declines
+ to re-publish itself because it has done so too recently, even
+ though the authorities decided not to list its recent-enough
+ descriptor. Fix for bug 3327.
+
+ o Major features (stream isolation):
+ - You can now configure Tor so that streams from different
+ applications are isolated on different circuits, to prevent an
+ attacker who sees your streams as they leave an exit node from
+ linking your sessions to one another. To do this, choose some way
+ to distinguish the applications: have them connect to different
+ SocksPorts, or have one of them use SOCKS4 while the other uses
+ SOCKS5, or have them pass different authentication strings to the
+ SOCKS proxy. Then, use the new SocksPort syntax to configure the
+ degree of isolation you need. This implements Proposal 171.
+ - There's a new syntax for specifying multiple client ports (such as
+ SOCKSPort, TransPort, DNSPort, NATDPort): you can now just declare
+ multiple *Port entries with full addr:port syntax on each.
+ The old *ListenAddress format is still supported, but you can't
+ mix it with the new *Port syntax.
+
+ o Major features (bufferevents):
+ - Tor can now optionally build with the "bufferevents" buffered IO
+ backend provided by Libevent 2. To use this feature, make sure you
+ have the latest possible version of Libevent, and pass the
+ --enable-bufferevents flag to configure when building Tor from
+ source. This feature will make our networking code more flexible,
+ let us stack layers on each other, and let us use more efficient
+ zero-copy transports where available.
+ - Add experimental support for running on Windows with IOCP and no
+ kernel-space socket buffers. This feature is controlled by a new
+ "UserspaceIOCPBuffers" config option (off by default), which has
+ no effect unless Tor has been built with bufferevents enabled,
+ you're running on Windows, and you've set "DisableIOCP 0". In the
+ long run, this may help solve or mitigate bug 98.
+
+ o Major features (path selection):
+ - The EntryNodes option can now include country codes like {de} or IP
+ addresses or network masks. Previously we had disallowed these
+ options because we didn't have an efficient way to keep the list up
+ to date. Addresses ticket 1982, but see bug 2798 for an unresolved
+ issue here.
+
+ o Major features (port forwarding):
+ - Add support for automatic port mapping on the many home routers
+ that support NAT-PMP or UPnP. To build the support code, you'll
+ need to have the libnatpnp library and/or the libminiupnpc library,
+ and you'll need to enable the feature specifically by passing
+ "--enable-upnp" and/or "--enable-natpnp" to ./configure. To turn
+ it on, use the new PortForwarding option.
+
+ o Major features (logging):
+ - Add a new 'Heartbeat' log message type to periodically log a message
+ describing Tor's status at level Notice. This feature is meant for
+ operators who log at notice, and want to make sure that their Tor
+ server is still working. Implementation by George Kadianakis.
+ - Make logging resolution configurable with a new LogTimeGranularity
+ option, and change the default from 1 millisecond to 1 second.
+ Implements enhancement 1668.
+
+ o Major features (other):
+ - New "DisableNetwork" config option to prevent Tor from launching any
+ connections or accepting any connections except on a control port.
+ Bundles and controllers can set this option before letting Tor talk
+ to the rest of the network, for example to prevent any connections
+ to a non-bridge address. Packages like Orbot can also use this
+ option to instruct Tor to save power when the network is off.
+ - Try to use system facilities for enumerating local interface
+ addresses, before falling back to our old approach (which was
+ binding a UDP socket, and calling getsockname() on it). That
+ approach was scaring OS X users whose draconian firewall
+ software warned about binding to UDP sockets regardless of
+ whether packets were sent. Now we try to use getifaddrs(),
+ SIOCGIFCONF, or GetAdaptersAddresses(), depending on what the
+ system supports. Resolves ticket 1827.
+ - Add experimental support for a "defaults" torrc file to be parsed
+ before the regular torrc. Torrc options override the defaults file's
+ options in the same way that the command line overrides the torrc.
+ The SAVECONF controller command saves only those options which
+ differ between the current configuration and the defaults file. HUP
+ reloads both files. Implements task 4552.
+
+ o New directory authorities:
+ - Add Faravahar (run by Sina Rabbani) as the ninth v3 directory
+ authority. Closes ticket 5749.
+
+ o Security/privacy fixes:
+ - Avoid read-from-freed-memory and double-free bugs that could occur
+ when a DNS request fails while launching it. Fixes bug 6480;
+ bugfix on 0.2.0.1-alpha.
+ - Reject any attempt to extend to an internal address. Without
+ this fix, a router could be used to probe addresses on an internal
+ network to see whether they were accepting connections. Fixes bug
+ 6710; bugfix on 0.0.8pre1.
+ - Close any connection that sends unrecognized junk before the TLS
+ handshake. Solves an issue noted in bug 4369.
+ - The advertised platform of a relay now includes only its operating
+ system's name (e.g., "Linux", "Darwin", "Windows 7"), and not
+ its service pack level (for Windows) or its CPU architecture
+ (for Unix). Also drop the "git-XYZ" tag in the version. Packagers
+ can insert an extra string in the platform line by setting the
+ preprocessor variable TOR_BUILD_TAG. Resolves bug 2988.
+ - Disable TLS session tickets. OpenSSL's implementation was giving
+ our TLS session keys the lifetime of our TLS context objects, when
+ perfect forward secrecy would want us to discard anything that
+ could decrypt a link connection as soon as the link connection
+ was closed. Fixes bug 7139; bugfix on all versions of Tor linked
+ against OpenSSL 1.0.0 or later. Found by Florent Daignière.
+ - Tor tries to wipe potentially sensitive data after using it, so
+ that if some subsequent security failure exposes Tor's memory,
+ the damage will be limited. But we had a bug where the compiler
+ was eliminating these wipe operations when it decided that the
+ memory was no longer visible to a (correctly running) program,
+ hence defeating our attempt at defense in depth. We fix that
+ by using OpenSSL's OPENSSL_cleanse() operation, which a compiler
+ is unlikely to optimize away. Future versions of Tor may use
+ a less ridiculously heavy approach for this. Fixes bug 7352.
+ Reported in an article by Andrey Karpov.
+
+ o Major bugfixes (crashes and asserts):
+ - Avoid a pair of double-free and use-after-mark bugs that can
+ occur with certain timings in canceled and re-received DNS
+ requests. Fixes bug 6472; bugfix on 0.0.7rc1.
+ - Fix a denial of service attack by which any directory authority
+ could crash all the others, or by which a single v2 directory
+ authority could crash everybody downloading v2 directory
+ information. Fixes bug 7191; bugfix on 0.2.0.10-alpha.
+ - Fix an assert that directory authorities could trigger on sighup
+ during some configuration state transitions. We now don't treat
+ it as a fatal error when the new descriptor we just generated in
+ init_keys() isn't accepted. Fixes bug 4438; bugfix on 0.2.1.9-alpha.
+ - Avoid segfault when starting up having run with an extremely old
+ version of Tor and parsing its state file. Fixes bug 6801; bugfix
+ on 0.2.2.23-alpha.
+
+ o Major bugfixes (clients):
+ - If we are unable to find any exit that supports our predicted ports,
+ stop calling them predicted, so that we don't loop and build
+ hopeless circuits indefinitely. Fixes bug 3296; bugfix on 0.0.9pre6,
+ which introduced predicted ports.
+ - Check at each new consensus whether our entry guards were picked
+ long enough ago that we should rotate them. Previously, we only
+ did this check at startup, which could lead to us holding a guard
+ indefinitely. Fixes bug 5380; bugfix on 0.2.1.14-rc.
+ - When fetching a bridge descriptor from a bridge authority,
+ always do so anonymously, whether we have been able to open
+ circuits or not. Partial fix for bug 1938; bugfix on 0.2.0.7-alpha.
+ This behavior makes it *safer* to use UpdateBridgesFromAuthority,
+ but we'll need to wait for bug 6010 before it's actually usable.
+
+ o Major bugfixes (directory voting):
+ - Check more thoroughly to prevent a rogue authority from
+ double-voting on any consensus directory parameter. Previously,
+ authorities would crash in this case if the total number of
+ votes for any parameter exceeded the number of active voters,
+ but would let it pass otherwise. Partially fixes bug 5786; bugfix
+ on 0.2.2.2-alpha.
+ - When computing weight parameters, behave more robustly in the
+ presence of a bad bwweightscale value. Previously, the authorities
+ would crash if they agreed on a sufficiently broken weight_scale
+ value; now, they use a reasonable default and carry on. Fixes the
+ rest of bug 5786; bugfix on 0.2.2.17-alpha.
+ - If authorities are unable to get a v2 consensus document from other
+ directory authorities, they no longer fall back to fetching
+ them from regular directory caches. Fixes bug 5635; bugfix on
+ 0.2.2.26-beta, where routers stopped downloading v2 consensus
+ documents entirely.
+
+ o Major bugfixes (relays):
+ - Fix a bug handling SENDME cells on nonexistent streams that could
+ result in bizarre window values. Report and patch contributed
+ pseudonymously. Fixes part of bug 6271. This bug was introduced
+ before the first Tor release, in svn commit r152.
+ - Don't update the AccountingSoftLimitHitAt state file entry whenever
+ tor gets started. This prevents a wrong average bandwidth
+ estimate, which would cause relays to always start a new accounting
+ interval at the earliest possible moment. Fixes bug 2003; bugfix
+ on 0.2.2.7-alpha. Reported by Bryon Eldridge, who also helped
+ immensely in tracking this bug down.
+ - Fix a possible crash bug when checking for deactivated circuits
+ in connection_or_flush_from_first_active_circuit(). Fixes bug 6341;
+ bugfix on 0.2.2.7-alpha. Bug report and fix received pseudonymously.
+ - Set the SO_REUSEADDR socket option before we call bind() on outgoing
+ connections. This change should allow busy exit relays to stop
+ running out of available sockets as quickly. Fixes bug 4950;
+ bugfix on 0.2.2.26-beta.
+
+ o Major bugfixes (blocking resistance):
+ - Bridges no longer include their address in NETINFO cells on outgoing
+ OR connections, to allow them to blend in better with clients.
+ Removes another avenue for enumerating bridges. Reported by
+ "troll_un". Fixes bug 4348; bugfix on 0.2.0.10-alpha, when NETINFO
+ cells were introduced.
+ - Warn the user when HTTPProxy, but no other proxy type, is
+ configured. This can cause surprising behavior: it doesn't send
+ all of Tor's traffic over the HTTPProxy -- it sends unencrypted
+ directory traffic only. Resolves ticket 4663.
+
+ o Major bugfixes (hidden services):
+ - Improve hidden service robustness: when an attempt to connect to
+ a hidden service ends, be willing to refetch its hidden service
+ descriptors from each of the HSDir relays responsible for them
+ immediately. Previously, we would not consider refetching the
+ service's descriptors from each HSDir for 15 minutes after the last
+ fetch, which was inconvenient if the hidden service was not running
+ during the first attempt. Bugfix on 0.2.0.18-alpha; fixes bug 3335.
+ - Hidden services now ignore the timestamps on INTRODUCE2 cells.
+ They used to check that the timestamp was within 30 minutes
+ of their system clock, so they could cap the size of their
+ replay-detection cache, but that approach unnecessarily refused
+ service to clients with wrong clocks. Bugfix on 0.2.1.6-alpha, when
+ the v3 intro-point protocol (the first one which sent a timestamp
+ field in the INTRODUCE2 cell) was introduced; fixes bug 3460.
+ - When one of a hidden service's introduction points appears to be
+ unreachable, stop trying it. Previously, we would keep trying
+ to build circuits to the introduction point until we lost the
+ descriptor, usually because the user gave up and restarted Tor.
+ Fixes part of bug 3825.
+
+ o Changes to default torrc file:
+ - Stop listing "socksport 9050" in torrc.sample. We open a socks
+ port on 9050 by default anyway, so this should not change anything
+ in practice.
+ - Stop mentioning the deprecated *ListenAddress options in
+ torrc.sample. Fixes bug 5438.
+ - Document unit of bandwidth-related options in sample torrc.
+ Fixes bug 5621.
+ - Fix broken URLs in the sample torrc file, and tell readers about
+ the OutboundBindAddress, ExitPolicyRejectPrivate, and
+ PublishServerDescriptor options. Addresses bug 4652.
+
+ o Minor features (directory authorities):
+ - Consider new, removed or changed IPv6 OR ports a non-cosmetic
+ change when the authority is deciding whether to accept a newly
+ uploaded descriptor. Implements ticket 6423.
+ - Directory authorities are now a little more lenient at accepting
+ older router descriptors, or newer router descriptors that don't
+ make big changes. This should help ameliorate past and future
+ issues where routers think they have uploaded valid descriptors,
+ but the authorities don't think so. Fix for ticket 2479.
+ - Authority operators can now vote for all relays in a given
+ set of countries to be BadDir/BadExit/Invalid/Rejected.
+ - Provide two consensus parameters (FastFlagMinThreshold and
+ FastFlagMaxThreshold) to control the range of allowable bandwidths
+ for the Fast directory flag. These allow authorities to run
+ experiments on appropriate requirements for being a "Fast" node.
+ The AuthDirFastGuarantee config value still applies. Implements
+ ticket 3946.
+
+ o Minor features (bridges / bridge authorities):
+ - Make bridge SSL certificates a bit more stealthy by using random
+ serial numbers, in the same fashion as OpenSSL when generating
+ self-signed certificates. Implements ticket 4584.
+ - Tag a bridge's descriptor as "never to be sent unencrypted".
+ This shouldn't matter, since bridges don't open non-anonymous
+ connections to the bridge authority and don't allow unencrypted
+ directory connections from clients, but we might as well make
+ sure. Closes bug 5139.
+ - The Bridge Authority now writes statistics on how many bridge
+ descriptors it gave out in total, and how many unique descriptors
+ it gave out. It also lists how often the most and least commonly
+ fetched descriptors were given out, as well as the median and
+ 25th/75th percentile. Implements tickets 4200 and 4294.
+
+ o Minor features (IPv6):
+ - Make the code that clients use to detect an address change be
+ IPv6-aware, so that it won't fill clients' logs with error
+ messages when trying to get the IPv4 address of an IPv6
+ connection. Implements ticket 5537.
+ - Relays now understand an IPv6 address when they get one from a
+ directory server. Resolves ticket 4875.
+
+ o Minor features (hidden services):
+ - Expire old or over-used hidden service introduction points.
+ Required by fix for bug 3460.
+ - Reduce the lifetime of elements of hidden services' Diffie-Hellman
+ public key replay-detection cache from 60 minutes to 5 minutes. This
+ replay-detection cache is now used only to detect multiple
+ INTRODUCE2 cells specifying the same rendezvous point, so we can
+ avoid launching multiple simultaneous attempts to connect to it.
+ - When a hidden service's introduction point times out, consider
+ trying it again during the next attempt to connect to the
+ HS. Previously, we would not try it again unless a newly fetched
+ descriptor contained it. Required by fixes for bugs 1297 and 3825.
+
+ o Minor features (relays):
+ - Relays now include a reason for regenerating their descriptors
+ in an HTTP header when uploading to the authorities. This will
+ make it easier to debug descriptor-upload issues in the future.
+ - Turn on directory request statistics by default and include them in
+ extra-info descriptors. Don't break if we have no GeoIP database.
+ - Replace files in stats/ rather than appending to them. Now that we
+ include statistics in extra-info descriptors, it makes no sense to
+ keep old statistics forever. Implements ticket 2930.
+ - Relays that set "ConnDirectionStatistics 1" write statistics on the
+ bidirectional use of connections to disk every 24 hours.
+ - Add a GeoIP file digest to the extra-info descriptor. Implements
+ ticket 1883.
+
+ o Minor features (new config options):
+ - New config option "DynamicDHGroups" (disabled by default) provides
+ each bridge with a unique prime DH modulus to be used during
+ SSL handshakes. This option attempts to help against censors
+ who might use the Apache DH modulus as a static identifier for
+ bridges. Addresses ticket 4548.
+ - New config option "DisableDebuggerAttachment" (on by default)
+ to prevent basic debugging attachment attempts by other processes.
+ Supports Mac OS X and Gnu/Linux. Resolves ticket 3313.
+ - Ordinarily, Tor does not count traffic from private addresses (like
+ 127.0.0.1 or 10.0.0.1) when calculating rate limits or accounting.
+ There is now a new option, CountPrivateBandwidth, to disable this
+ behavior. Patch from Daniel Cagara.
+
+ o Minor features (different behavior for old config options):
+ - Allow MapAddress directives to specify matches against super-domains,
+ as in "MapAddress *.torproject.org *.torproject.org.torserver.exit".
+ Implements issue 933.
+ - Don't disable the DirPort when we cannot exceed our AccountingMax
+ limit during this interval because the effective bandwidthrate is
+ low enough. This is useful in a situation where AccountMax is only
+ used as an additional safeguard or to provide statistics.
+ - Add port 6523 (Gobby) to LongLivedPorts. Patch by intrigeri;
+ implements ticket 3439.
+ - When configuring a large set of nodes in EntryNodes, and there are
+ enough of them listed as Guard so that we don't need to consider
+ the non-guard entries, prefer the ones listed with the Guard flag.
+ - If you set the NumCPUs option to 0, Tor will now try to detect how
+ many CPUs you have. This is the new default behavior.
+ - The NodeFamily option -- which let you declare that you want to
+ consider nodes to be part of a family whether they list themselves
+ that way or not -- now allows IP address ranges and country codes.
+
+ o Minor features (new command-line config behavior):
+ - Slightly change behavior of "list" options (that is, config
+ options that can appear more than once) when they appear both in
+ torrc and on the command line. Previously, the command-line options
+ would be appended to the ones from torrc. Now, the command-line
+ options override the torrc options entirely. This new behavior
+ allows the user to override list options (like exit policies and
+ ports to listen on) from the command line, rather than simply
+ appending to the list.
+ - You can get the old (appending) command-line behavior for "list"
+ options by prefixing the option name with a "+".
+ - You can remove all the values for a "list" option from the command
+ line without adding any new ones by prefixing the option name
+ with a "/".
+
+ o Minor features (controller, new events):
+ - Extend the control protocol to report flags that control a circuit's
+ path selection in CIRC events and in replies to 'GETINFO
+ circuit-status'. Implements part of ticket 2411.
+ - Extend the control protocol to report the hidden service address
+ and current state of a hidden-service-related circuit in CIRC
+ events and in replies to 'GETINFO circuit-status'. Implements part
+ of ticket 2411.
+ - Include the creation time of a circuit in CIRC and CIRC2
+ control-port events and the list produced by the 'GETINFO
+ circuit-status' control-port command.
+ - Add a new CONF_CHANGED event so that controllers can be notified
+ of any configuration changes made by other controllers, or by the
+ user. Implements ticket 1692.
+ - Add a new SIGNAL event to the controller interface so that
+ controllers can be notified when Tor handles a signal. Resolves
+ issue 1955. Patch by John Brooks.
+
+ o Minor features (controller, new getinfo options):
+ - Expose our view of whether we have gone dormant to the controller,
+ via a new "GETINFO dormant" value. Torbutton and other controllers
+ can use this to avoid doing periodic requests through Tor while
+ it's dormant (bug 4718). Resolves ticket 5954.
+ - Add a new GETINFO option to get total bytes read and written. Patch
+ from pipe, revised by atagar. Resolves ticket 2345.
+ - Implement new GETINFO controller fields to provide information about
+ the Tor process's pid, euid, username, and resource limits.
+
+ o Minor features (controller, other):
+ - Allow controllers to request an event notification whenever a
+ circuit is cannibalized or its purpose is changed. Implements
+ part of ticket 3457.
+ - Use absolute path names when reporting the torrc filename in the
+ control protocol, so a controller can more easily find the torrc
+ file. Resolves bug 1101.
+ - When reporting the path to the cookie file to the controller,
+ give an absolute path. Resolves ticket 4881.
+
+ o Minor features (log messages):
+ - Add more information to a log statement that might help track down
+ bug 4091. If you're seeing "Bug: tor_addr_is_internal() called with a
+ non-IP address" messages (or any Bug messages, for that matter!),
+ please let us know about it.
+ - If EntryNodes are given, but UseEntryGuards is set to 0, warn that
+ EntryNodes will have no effect. Resolves issue 2571.
+ - Try to make the introductory warning message that Tor prints on
+ startup more useful for actually finding help and information.
+ Resolves ticket 2474.
+ - When the system call to create a listener socket fails, log the
+ error message explaining why. This may help diagnose bug 4027.
+
+ o Minor features (other):
+ - When we fail to initialize Libevent, retry with IOCP disabled so we
+ don't need to turn on multi-threading support in Libevent, which in
+ turn requires a working socketpair(). This is a workaround for bug
+ 4457, which affects Libevent versions from 2.0.1-alpha through
+ 2.0.15-stable.
+ - When starting as root and then changing our UID via the User
+ control option, and we have a ControlSocket configured, make sure
+ that the ControlSocket is owned by the same account that Tor will
+ run under. Implements ticket 3421; fix by Jérémy Bobbio.
+ - Accept attempts to include a password authenticator in the
+ handshake, as supported by SOCKS5. This handles SOCKS clients that
+ don't know how to omit a password when authenticating. Resolves
+ bug 1666.
+ - Check for and recover from inconsistency in the microdescriptor
+ cache. This will make it harder for us to accidentally free a
+ microdescriptor without removing it from the appropriate data
+ structures. Fixes issue 3135; issue noted by "wanoskarnet".
+ - Shorten links in the tor-exit-notice file. Patch by Christian Kujau.
+
+ o Minor bugfixes (code security):
+ - Prevent a null-pointer dereference when receiving a data cell
+ for a nonexistent stream when the circuit in question has an
+ empty deliver window. We don't believe this is triggerable,
+ since we don't currently allow deliver windows to become empty,
+ but the logic is tricky enough that it's better to make the code
+ robust. Fixes bug 5541; bugfix on 0.0.2pre14.
+ - Fix a (harmless) integer overflow in cell statistics reported by
+ some fast relays. Fixes bug 5849; bugfix on 0.2.2.1-alpha.
+ - Fix our implementation of crypto_random_hostname() so it can't
+ overflow on ridiculously large inputs. (No Tor version has ever
+ provided this kind of bad inputs, but let's be correct in depth.)
+ Fixes bug 4413; bugfix on 0.2.2.9-alpha. Fix by Stephen Palmateer.
+ - Add a (probably redundant) memory clear between iterations of
+ the router status voting loop, to prevent future coding errors
+ where data might leak between iterations of the loop. Resolves
+ ticket 6514.
+
+ o Minor bugfixes (wrapper functions):
+ - Abort if tor_vasprintf() fails in connection_printf_to_buf() (a
+ utility function used in the control-port code). This shouldn't
+ ever happen unless Tor is completely out of memory, but if it did
+ happen and Tor somehow recovered from it, Tor could have sent a log
+ message to a control port in the middle of a reply to a controller
+ command. Fixes part of bug 3428; bugfix on 0.1.2.3-alpha.
+ - Fix some (not actually triggerable) buffer size checks in usage of
+ tor_inet_ntop(). Fixes bug 4434; bugfix on Tor 0.2.0.1-alpha. Patch
+ by Anders Sundman.
+ - Fix parsing of some corner-cases with tor_inet_pton(). Fixes
+ bug 4515; bugfix on 0.2.0.1-alpha; fix by Anders Sundman.
+ - Enforce correct return behavior of tor_vsscanf() when the '%%'
+ pattern is used. Fixes bug 5558. Bugfix on 0.2.1.13.
+ - Make our replacement implementation of strtok_r() compatible with
+ the standard behavior of strtok_r(). Patch by nils. Fixes bug 5091;
+ bugfix on 0.2.2.1-alpha.
+ - Find more places in the code that should have been testing for
+ invalid sockets using the SOCKET_OK macro. Required for a fix
+ for bug 4533. Bugfix on 0.2.2.28-beta.
+
+ o Minor bugfixes (code correctness):
+ - Check return value of fputs() when writing authority certificate
+ file. Fixes Coverity issue 709056; bugfix on 0.2.0.1-alpha.
+ - When building Tor on Windows with -DUNICODE (not default), ensure
+ that error messages, filenames, and DNS server names are always
+ NUL-terminated when we convert them to a single-byte encoding.
+ Fixes bug 5909; bugfix on 0.2.2.16-alpha.
+ - Fix a memory leak when trying to launch a DNS request when the
+ nameservers are unconfigurable. Fixes bug 5916; bugfix on Tor
+ 0.1.2.1-alpha.
+ - Correct file sizes when reading binary files on Cygwin, to avoid
+ a bug where Tor would fail to read its state file. Fixes bug 6844;
+ bugfix on 0.1.2.7-alpha.
+ - Make sure to set *socket_error in all error cases in
+ connection_connect(), so it can't produce a warning about
+ errno being zero from errno_to_orconn_end_reason(). Bugfix on
+ 0.2.1.1-alpha; resolves ticket 6028.
+ - Initialize conn->addr to a valid state in spawn_cpuworker(). Fixes
+ bug 4532; found by "troll_un".
+
+ o Minor bugfixes (clients):
+ - Allow one-hop directory-fetching circuits the full "circuit build
+ timeout" period, rather than just half of it, before failing them
+ and marking the relay down. This fix should help reduce cases where
+ clients declare relays (or worse, bridges) unreachable because
+ the TLS handshake takes a few seconds to complete. Fixes bug 6743;
+ bugfix on 0.2.2.2-alpha, where we changed the timeout from a static
+ 30 seconds.
+ - Ensure we don't cannibalize circuits that are longer than three hops
+ already, so we don't end up making circuits with 5 or more
+ hops. Patch contributed by wanoskarnet. Fixes bug 5231; bugfix on
+ 0.1.0.1-rc which introduced cannibalization.
+
+ o Minor bugfixes (relays):
+ - Don't publish a new relay descriptor when we reload our onion key,
+ unless the onion key has actually changed. Fixes bug 3263 and
+ resolves another cause of bug 1810. Bugfix on 0.1.1.11-alpha.
+ - When relays refuse a "create" cell because their queue of pending
+ create cells is too big (typically because their cpu can't keep up
+ with the arrival rate), send back reason "resource limit" rather
+ than reason "internal", so network measurement scripts can get a
+ more accurate picture. Bugfix on 0.1.1.11-alpha; fixes bug 7037.
+ - Exit nodes don't need to fetch certificates for authorities that
+ they don't recognize; only directory authorities, bridges,
+ and caches need to do that. Fixes part of bug 2297; bugfix on
+ 0.2.2.11-alpha.
+
+ o Minor bugfixes (directory authority / mirrors):
+ - Avoid O(n^2) performance characteristics when parsing a large
+ extrainfo cache. Fixes bug 5828; bugfix on 0.2.0.1-alpha.
+ - Authorities no longer include any router in their microdescriptor
+ consensuses for which they couldn't generate or agree on a
+ microdescriptor. Fixes the second piece of bug 6404; fix on
+ 0.2.2.6-alpha.
+ - When checking for requested signatures on the latest consensus
+ before serving it to a client, make sure to check the right
+ consensus flavor. Bugfix on 0.2.2.6-alpha.
+ - Fix an edge case where TestingTorNetwork is set but the authorities
+ and relays all have an uptime of zero, so the private Tor network
+ could briefly lack support for hidden services. Fixes bug 3886;
+ bugfix on 0.2.2.18-alpha.
+ - Directory caches no longer refuse to clean out descriptors because
+ of missing v2 networkstatus documents, unless they're configured
+ to retrieve v2 networkstatus documents. Fixes bug 4838; bugfix on
+ 0.2.2.26-beta. Patch by Daniel Bryg.
+ - Don't serve or accept v2 hidden service descriptors over a relay's
+ DirPort. It's never correct to do so, and disabling it might
+ make it more annoying to exploit any bugs that turn up in the
+ descriptor-parsing code. Fixes bug 7149.
+
+ o Minor bugfixes (hidden services, client-side):
+ - Assert that hidden-service-related operations are not performed
+ using single-hop circuits. Previously, Tor would assert that
+ client-side streams are not attached to single-hop circuits,
+ but not that other sensitive operations on the client and service
+ side are not performed using single-hop circuits. Fixes bug 3332;
+ bugfix on 0.0.6.
+ - Avoid undefined behaviour when parsing the list of supported
+ rendezvous/introduction protocols in a hidden service descriptor.
+ Previously, Tor would have confused (as-yet-unused) protocol version
+ numbers greater than 32 with lower ones on many platforms. Fixes
+ bug 6827; bugfix on 0.2.0.10-alpha. Found by George Kadianakis.
+ - Don't close hidden service client circuits which have almost
+ finished connecting to their destination when they reach
+ the normal circuit-build timeout. Previously, we would close
+ introduction circuits which are waiting for an acknowledgement
+ from the introduction point, and rendezvous circuits which have
+ been specified in an INTRODUCE1 cell sent to a hidden service,
+ after the normal CBT. Now, we mark them as 'timed out', and launch
+ another rendezvous attempt in parallel. This behavior change can
+ be disabled using the new CloseHSClientCircuitsImmediatelyOnTimeout
+ option. Fixes part of bug 1297; bugfix on 0.2.2.2-alpha.
+
+ o Minor bugfixes (hidden services, service-side):
+ - Don't close hidden-service-side rendezvous circuits when they
+ reach the normal circuit-build timeout. This behaviour change can
+ be disabled using the new
+ CloseHSServiceRendCircuitsImmediatelyOnTimeout option. Fixes the
+ remaining part of bug 1297; bugfix on 0.2.2.2-alpha.
+ - Don't launch more than 10 service-side introduction-point circuits
+ for a hidden service in five minutes. Previously, we would consider
+ launching more introduction-point circuits if at least one second
+ had passed without any introduction-point circuits failing. Fixes
+ bug 4607; bugfix on 0.0.7pre1.
+
+ o Minor bugfixes (config option behavior):
+ - If the user tries to set MyFamily on a bridge, refuse to
+ do so, and warn about the security implications. Fixes bug 4657;
+ bugfix on 0.2.0.3-alpha.
+ - The "--quiet" and "--hush" options now apply not only to Tor's
+ behavior before logs are configured, but also to Tor's behavior in
+ the absense of configured logs. Fixes bug 3550; bugfix on
+ 0.2.0.10-alpha.
+ - Change the AllowDotExit rules so they should actually work.
+ We now enforce AllowDotExit only immediately after receiving an
+ address via SOCKS or DNSPort: other sources are free to provide
+ .exit addresses after the resolution occurs. Fixes bug 3940;
+ bugfix on 0.2.2.1-alpha.
+ - Make "LearnCircuitBuildTimeout 0" work more reliably. Specifically,
+ don't depend on the consensus parameters or compute adaptive
+ timeouts when it is disabled. Fixes bug 5049; bugfix on
+ 0.2.2.14-alpha.
+ - After we pick a directory mirror, we would refuse to use it if
+ it's in our ExcludeExitNodes list, resulting in mysterious failures
+ to bootstrap for people who just wanted to avoid exiting from
+ certain locations. Fixes bug 5623; bugfix on 0.2.2.25-alpha.
+ - When told to add a bridge with the same digest as a preexisting
+ bridge but a different addr:port, change the addr:port as
+ requested. Previously we would not notice the change. Fixes half
+ of bug 5603; fix on 0.2.2.26-beta.
+
+ o Minor bugfixes (controller):
+ - Allow manual 'authenticate' commands to the controller interface
+ from netcat (nc) as well as telnet. We were rejecting them because
+ they didn't come with the expected whitespace at the end of the
+ command. Bugfix on 0.1.1.1-alpha; fixes bug 2893.
+ - Report a real bootstrap problem to the controller on router
+ identity mismatch. Previously we just said "foo", which probably
+ made a lot of sense at the time. Fixes bug 4169; bugfix on
+ 0.2.1.1-alpha.
+ - When we receive a SIGHUP and the controller __ReloadTorrcOnSIGHUP
+ option is set to 0 (which Vidalia version 0.2.16 now does when
+ a SAVECONF attempt fails), perform other actions that SIGHUP
+ usually causes (like reopening the logs). Fixes bug 5095; bugfix
+ on 0.2.1.9-alpha.
+ - Correctly handle checking the permissions on the parent
+ directory of a control socket in the root directory. Bug found
+ by Esteban Manchado Velázquez. Fixes bug 5089; bugfix on Tor
+ 0.2.2.26-beta.
+ - End AUTHCHALLENGE error messages (in the control protocol) with
+ a CRLF. Fixes bug 5760; bugfix on 0.2.2.36.
+
+ o Minor bugfixes (network reading/writing):
+ - Disable writing on marked-for-close connections when they are
+ blocked on bandwidth, to prevent busy-looping in Libevent. Fixes
+ bug 5263; bugfix on 0.0.2pre13, where we first added a special
+ case for flushing marked connections.
+ - Make sure that there are no unhandled pending TLS errors before
+ reading from a TLS stream. We had checks in 0.1.0.3-rc, but
+ lost them in 0.1.0.5-rc when we refactored read_to_buf_tls().
+ Bugfix on 0.1.0.5-rc; fixes bug 4528.
+ - Detect SSL handshake even when the initial attempt to write the
+ server hello fails. Fixes bug 4592; bugfix on 0.2.0.13-alpha.
+ - If the client fails to set a reasonable set of ciphersuites
+ during its v2 handshake renegotiation, allow the renegotiation to
+ continue nevertheless (i.e. send all the required certificates).
+ Fixes bug 4591; bugfix on 0.2.0.20-rc.
+
+ o Minor bugfixes (other):
+ - Exit nodes now correctly report EADDRINUSE and EADDRNOTAVAIL as
+ resource exhaustion, so that clients can adjust their load to
+ try other exits. Fixes bug 4710; bugfix on 0.1.0.1-rc, which
+ started using END_STREAM_REASON_RESOURCELIMIT.
+ - Don't check for whether the address we're using for outbound
+ connections has changed until after the outbound connection has
+ completed. On Windows, getsockname() doesn't succeed until the
+ connection is finished. Fixes bug 5374; bugfix on 0.1.1.14-alpha.
+ - Don't hold a Windows file handle open for every file mapping;
+ the file mapping handle is sufficient. Fixes bug 5951; bugfix on
+ 0.1.2.1-alpha.
+ - Fix wrong TCP port range in parse_port_range(). Fixes bug 6218;
+ bugfix on 0.2.1.10-alpha.
+ - If we fail to write a microdescriptor to the disk cache, do not
+ continue replacing the old microdescriptor file. Fixes bug 2954;
+ bugfix on 0.2.2.6-alpha.
+
+ o Minor bugfixes (log messages, path selection):
+ - Downgrade "set buildtimeout to low value" messages to "info"
+ severity; they were never an actual problem, there was never
+ anything reasonable to do about them, and they tended to spam logs
+ from time to time. Fixes bug 6251; bugfix on 0.2.2.2-alpha.
+ - Rate-limit the "Weighted bandwidth is 0.000000" message, and add
+ more information to it, so that we can track it down in case it
+ returns again. Mitigates bug 5235.
+ - Check CircuitBuildTimeout and LearnCircuitBuildTimeout in
+ options_validate(); warn if LearnCircuitBuildTimeout is disabled and
+ CircuitBuildTimeout is set unreasonably low. Resolves ticket 5452.
+ - Issue a log message if a guard completes less than 40% of your
+ circuits. Threshold is configurable by torrc option
+ PathBiasNoticeRate and consensus parameter pb_noticepct. There is
+ additional, off-by-default code to disable guards which fail too
+ many circuits. Addresses ticket 5458.
+
+ o Minor bugfixes (log messages, client):
+ - Downgrade "Got a certificate, but we already have it" log messages
+ from warning to info, except when we're a dirauth. Fixes bug 5238;
+ bugfix on 0.2.1.7-alpha.
+ - Fix the log message describing how we work around discovering
+ that our version is the ill-fated OpenSSL 0.9.8l. Fixes bug
+ 4837; bugfix on 0.2.2.9-alpha.
+ - When logging about a disallowed .exit name, do not also call it
+ an "invalid onion address". Fixes bug 3325; bugfix on 0.2.2.9-alpha.
+ - Fix a log message suggesting that people contact a non-existent
+ email address. Fixes bug 3448.
+ - Rephrase the log message emitted if the TestSocks check is
+ successful. Patch from Fabian Keil; fixes bug 4094.
+ - Log (at debug level) whenever a circuit's purpose is changed.
+ - Log SSL state transitions at log level DEBUG, log domain
+ HANDSHAKE. This can be useful for debugging censorship events.
+ Implements ticket 3264.
+ - We now log which torrc file we're using on startup. Implements
+ ticket 2444.
+ - Rate-limit log messages when asked to connect anonymously to
+ a private address. When these hit, they tended to hit fast and
+ often. Also, don't bother trying to connect to addresses that we
+ are sure will resolve to 127.0.0.1: getting 127.0.0.1 in a directory
+ reply makes us think we have been lied to, even when the address the
+ client tried to connect to was "localhost." Resolves ticket 2822.
+
+ o Minor bugfixes (log messages, non-client):
+ - Downgrade "eventdns rejected address" message to LOG_PROTOCOL_WARN.
+ Fixes bug 5932; bugfix on 0.2.2.7-alpha.
+ - Don't log that we have "decided to publish new relay descriptor"
+ unless we are actually publishing a descriptor. Fixes bug 3942;
+ bugfix on 0.2.2.28-beta.
+ - Log which authority we're missing votes from when we go to fetch
+ them from the other auths.
+ - Replace "Sending publish request" log messages with "Launching
+ upload", so that they no longer confusingly imply that we're
+ sending something to a directory we might not even be connected
+ to yet. Fixes bug 3311; bugfix on 0.2.0.10-alpha.
+ - Warn when Tor is configured to use accounting in a way that can
+ link a hidden service to some other hidden service or public
+ address. Resolves ticket 6490.
+ - Fix a minor formatting issue in one of tor-gencert's error messages.
+ Fixes bug 4574.
+
+ o Testing:
+ - Update to the latest version of the tinytest unit testing framework.
+ This includes a couple of bugfixes that can be relevant for
+ running forked unit tests on Windows, and removes all reserved
+ identifiers.
+ - Avoid a false positive in the util/threads unit test by increasing
+ the maximum timeout time. Fixes bug 6227; bugfix on 0.2.0.4-alpha.
+ - Make it possible to set the TestingTorNetwork configuration
+ option using AlternateDirAuthority and AlternateBridgeAuthority
+ as an alternative to setting DirServer. Addresses ticket 6377.
+ - Add a unit test for the environment_variable_names_equal() function.
+ - A wide variety of new unit tests by Esteban Manchado Velázquez.
+ - Numerous new unit tests for functions in util.c and address.c by
+ Anders Sundman.
+ - The long-disabled benchmark tests are now split into their own
+ ./src/test/bench binary.
+ - The benchmark tests can now use more accurate timers than
+ gettimeofday() when such timers are available.
+ - Use tt_assert(), not tor_assert(), for checking for test failures.
+ This makes the unit tests more able to go on in the event that
+ one of them fails.
+
+ o Build improvements:
+ - Use the dead_strip option when building Tor on OS X. This reduces
+ binary size by almost 19% when linking openssl and libevent
+ statically, which we do for Tor Browser Bundle.
+ - Provide a better error message about possible OSX Asciidoc failure
+ reasons. Fixes bug 6436.
+ - Detect attempts to build Tor on (as yet hypothetical) versions
+ of Windows where sizeof(intptr_t) != sizeof(SOCKET). Partial
+ fix for bug 4533. Bugfix on 0.2.2.28-beta.
+ - On Windows, we now define the _WIN32_WINNT macros only if they
+ are not already defined. This lets the person building Tor decide,
+ if they want, to require a later version of Windows.
+ - Our autogen.sh script now uses autoreconf to launch autoconf,
+ automake, and so on. This is more robust against some of the failure
+ modes associated with running the autotools pieces on their own.
+ - Running "make version" now displays the version of Tor that
+ we're about to build. Idea from katmagic; resolves issue 4400.
+ - Make 'tor --digests' list hashes of all Tor source files. Bugfix
+ on 0.2.2.4-alpha; fixes bug 3427.
+ - New --enable-static-tor configure option for building Tor as
+ statically as possible. Idea, general hackery and thoughts from
+ Alexei Czeskis, John Gilmore, Jacob Appelbaum. Implements ticket
+ 2702.
+ - Limited, experimental support for building with nmake and MSVC.
+
+ o Build requirements:
+ - Building Tor with bufferevent support now requires Libevent
+ 2.0.13-stable or later. Previous versions of Libevent had bugs in
+ SSL-related bufferevents and related issues that would make Tor
+ work badly with bufferevents. Requiring 2.0.13-stable also allows
+ Tor with bufferevents to take advantage of Libevent APIs
+ introduced after 2.0.8-rc.
+ - Our build system requires automake 1.6 or later to create the
+ Makefile.in files. Previously, you could have used 1.4.
+ This only affects developers and people building Tor from git;
+ people who build Tor from the source distribution without changing
+ the Makefile.am files should be fine.
+ - Detect when we try to build on a platform that doesn't define
+ AF_UNSPEC to 0. We don't work there, so refuse to compile.
+
+ o Build fixes (compile/link):
+ - Format more doubles with %f, not %lf. Patch from grarpamp to make
+ Tor build correctly on older BSDs again. Fixes bug 3894; bugfix on
+ Tor 0.2.0.8-alpha.
+ - When building with --enable-static-tor on OpenBSD, do not
+ erroneously attempt to link -lrt. Fixes bug 5103.
+ - Set _WIN32_WINNT to 0x0501 consistently throughout the code, so
+ that IPv6 stuff will compile on MSVC, and compilation issues
+ will be easier to track down. Fixes bug 5861.
+ - Fix build and 64-bit compile warnings from --enable-openbsd-malloc.
+ Fixes bug 6379. Bugfix on 0.2.0.20-rc.
+ - Make Tor build correctly again with -DUNICODE -D_UNICODE defined.
+ Fixes bug 6097; bugfix on 0.2.2.16-alpha.
+
+ o Build fixes (other):
+ - Use the _WIN32 macro throughout our code to detect Windows.
+ (Previously we had used the obsolete 'WIN32' and the idiosyncratic
+ 'MS_WINDOWS'.)
+ - Properly handle the case where the build-tree is not the same
+ as the source tree when generating src/common/common_sha1.i,
+ src/or/micro-revision.i, and src/or/or_sha1.i. Fixes bug 3953;
+ bugfix on 0.2.0.1-alpha.
+ - During configure, search for library containing cos function as
+ libm lives in libcore on some platforms (BeOS/Haiku). Linking
+ against libm was hard-coded before. Fixes the first part of bug
+ 4727; bugfix on 0.2.2.2-alpha. Patch and analysis by Martin Hebnes
+ Pedersen.
+ - Prevent a false positive from the check-spaces script, by disabling
+ the "whitespace between function name and (" check for functions
+ named 'op()'.
+
+ o Packaging (RPM) changes:
+ - Update our default RPM spec files to work with mock and rpmbuild
+ on RHEL/Fedora. They have an updated set of dependencies and
+ conflicts, a fix for an ancient typo when creating the "_tor"
+ user, and better instructions. Thanks to Ondrej Mikle for the
+ patch series. Fixes bug 6043.
+ - On OpenSUSE, create the /var/run/tor directory on startup if it
+ is not already created. Patch from Andreas Stieger. Fixes bug 2573.
+
+ o Code refactoring (safety):
+ - Do not use SMARTLIST_FOREACH for any loop whose body exceeds
+ 10 lines. Also, don't nest them. Doing so in the past has
+ led to hard-to-debug code. The new style is to use the
+ SMARTLIST_FOREACH_{BEGIN,END} pair. Addresses issue 6400.
+ - Use macros to indicate OpenSSL versions, so we don't need to worry
+ about accidental hexadecimal bit shifts.
+ - Use tor_sscanf() in place of scanf() in more places through the
+ code. This makes us a little more locale-independent, and
+ should help shut up code-analysis tools that can't tell
+ a safe sscanf string from a dangerous one.
+ - Convert more instances of tor_snprintf+tor_strdup into tor_asprintf.
+ - Use the smartlist_add_asprintf() alias more consistently.
+
+ o Code refactoring (consolidate):
+ - A major revision to our internal node-selecting and listing logic.
+ Tor already had at least two major ways to look at the question of
+ "which Tor servers do we know about": a list of router descriptors,
+ and a list of entries in the current consensus. With
+ microdescriptors, we're adding a third. Having so many systems
+ without an abstraction layer over them was hurting the codebase.
+ Now, we have a new "node_t" abstraction that presents a consistent
+ interface to a client's view of a Tor node, and holds (nearly) all
+ of the mutable state formerly in routerinfo_t and routerstatus_t.
+ - Move tor_gettimeofday_cached() into compat_libevent.c, and use
+ Libevent's notion of cached time when possible.
+ - Remove duplicate code for invoking getrlimit() from control.c.
+ - Use OpenSSL's built-in SSL_state_string_long() instead of our
+ own homebrewed ssl_state_to_string() replacement. Patch from
+ Emile Snyder. Fixes bug 4653.
+ - Change the symmetric cipher interface so that creating and
+ initializing a stream cipher are no longer separate functions.
+
+ o Code refactoring (separate):
+ - Make a new "entry connection" struct as an internal subtype of "edge
+ connection", to simplify the code and make exit connections smaller.
+ - Split connection_about_to_close() into separate functions for each
+ connection type.
+ - Rewrite the listener-selection logic so that parsing which ports
+ we want to listen on is now separate from binding to the ports
+ we want.
+
+ o Code refactoring (name changes):
+ - Rename a handful of old identifiers, mostly related to crypto
+ structures and crypto functions. By convention, our "create an
+ object" functions are called "type_new()", our "free an object"
+ functions are called "type_free()", and our types indicate that
+ they are types only with a final "_t". But a handful of older
+ types and functions broke these rules, with function names like
+ "type_create" or "subsystem_op_type", or with type names like
+ type_env_t.
+ - Rename Tor functions that turn strings into addresses, so that
+ "parse" indicates that no hostname resolution occurs, and
+ "lookup" indicates that hostname resolution may occur. This
+ should help prevent mistakes in the future. Fixes bug 3512.
+ - Use the name "CERTS" consistently to refer to the new cell type;
+ we were calling it CERT in some places and CERTS in others.
+ - Use a TOR_INVALID_SOCKET macro when initializing a socket to an
+ invalid value, rather than just -1.
+ - Rename the bench_{aes,dmap} functions to test_*, so that tinytest
+ can pick them up when the tests aren't disabled. Bugfix on
+ 0.2.2.4-alpha which introduced tinytest.
+
+ o Code refactoring (other):
+ - Defensively refactor rend_mid_rendezvous() so that protocol
+ violations and length checks happen in the beginning. Fixes
+ bug 5645.
+ - Remove the pure attribute from all functions that used it
+ previously. In many cases we assigned it incorrectly, because the
+ functions might assert or call impure functions, and we don't have
+ evidence that keeping the pure attribute is worthwhile. Implements
+ changes suggested in ticket 4421.
+ - Move the replay-detection cache for the RSA-encrypted parts of
+ INTRODUCE2 cells to the introduction point data structures.
+ Previously, we would use one replay-detection cache per hidden
+ service. Required by fix for bug 3460.
+ - The helper programs tor-gencert, tor-resolve, and tor-checkkey
+ no longer link against Libevent: they never used it, but
+ our library structure used to force them to link it.
+
+ o Removed features and files:
+ - Remove all internal support for unpadded RSA. We never used it, and
+ it would be a bad idea to start.
+ - Remove some workaround code for OpenSSL 0.9.6 (which is no longer
+ supported).
+ - Remove some redundant #include directives throughout the code.
+ Patch from Andrea Gelmini.
+ - Remove some old code to remember statistics about which descriptors
+ we've served as a directory mirror. The feature wasn't used and
+ is outdated now that microdescriptors are around.
+ - Remove some old code to work around even older versions of Tor that
+ used forked processes to handle DNS requests. Such versions of Tor
+ are no longer in use as relays.
+ - The "torify" script no longer supports the "tsocks" socksifier
+ tool, since tsocks doesn't support DNS and UDP right for Tor.
+ Everyone should be using torsocks instead. Fixes bugs 3530 and
+ 5180. Based on a patch by "ugh".
+ - Remove the torrc.bridge file: we don't use it for anything, and
+ it had become badly desynchronized from torrc.sample. Resolves
+ bug 5622.
+
+ o Documentation:
+ - Begin a doc/state-contents.txt file to explain the contents of
+ the Tor state file. Fixes bug 2987.
+ - Clarify the documentation for the Alternate*Authority options.
+ Fixes bug 6387.
+ - Document the --defaults-torrc option, and the new semantics for
+ overriding, extending, and clearing lists of options. Closes
+ bug 4748.
+ - Add missing man page documentation for consensus and microdesc
+ files. Resolves ticket 6732.
+ - Fix some typos in the manpages. Patch from A. Costa. Fixes bug 6500.
+
+ o Documentation fixes:
+ - Improve the manual's documentation for the NT Service command-line
+ options. Addresses ticket 3964.
+ - Clarify SessionGroup documentation slightly; resolves ticket 5437.
+ - Document the changes to the ORPort and DirPort options, and the
+ fact that {OR/Dir}ListenAddress is now unnecessary (and
+ therefore deprecated). Resolves ticket 5597.
+ - Correct a broken faq link in the INSTALL file. Fixes bug 2307.
+ - Clarify that hidden services are TCP only. Fixes bug 6024.
+
+
Changes in version 0.2.2.39 - 2012-09-11
Tor 0.2.2.39 fixes two more opportunities for remotely triggerable
assertions.
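Review bot: In "Minor bugfixes (config option behavior)", the "--quiet"/"--hush" entry misspells "absence" as "absense"; worth fixing before this goes out as the stable release notes. Several entries filed under the "Minor bugfixes (log messages, ...)" headings describe new behaviour rather than fixes: the guard-failure notice with its PathBiasNoticeRate option ("Addresses ticket 5458"), SSL state-transition logging ("Implements ticket 3264") and logging which torrc file is in use ("Implements ticket 2444") would sit better under "Minor features (log messages)". The entry for bug 7149 (v2 hidden service descriptors over a relay's DirPort) gives no "bugfix on" version, and the consensus-flavor signature check gives a "Bugfix on 0.2.2.6-alpha" but no bug number; the neighbouring entries carry both, and adding them would let relay operators judge which releases are affected. The reference style also drifts between "Fixes bug N; bugfix on X", "Fixes bug N. Bugfix on X" and "fix on X", and the separate "Documentation" and "Documentation fixes" sections could be merged into one.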