stable release

Tor 0.2.1.18 and 0.2.1.19 released as stable

phobos — Wed, 05 Aug 2009 23:44:33 -0700

Tor 0.2.1.18 lays the foundations for performance improvements, adds
status events to help users diagnose bootstrap problems, adds optional
authentication/authorization for hidden services, fixes a variety of
potential anonymity problems, and includes a huge pile of other features
and bug fixes.

Tor 0.2.1.19 fixes a major bug with accessing and providing hidden
services.

https://www.torproject.org/easy-download

Changes in version 0.2.1.19 - 2009-07-28
Major bugfixes:

Make accessing hidden services on 0.2.1.x work right again.
Bugfix on 0.2.1.3-alpha; workaround for bug 1038. Diagnosis and
part of patch provided by "optimist".

Minor features:

When a relay/bridge is writing out its identity key fingerprint to
the "fingerprint" file and to its logs, write it without spaces. Now
it will look like the fingerprints in our bridges documentation,
and confuse fewer users.

Minor bugfixes:

Relays no longer publish a new server descriptor if they change
their MaxAdvertisedBandwidth config option but it doesn't end up
changing their advertised bandwidth numbers. Bugfix on 0.2.0.28-rc;
fixes bug 1026. Patch from Sebastian.
Avoid leaking memory every time we get a create cell but we have
so many already queued that we refuse it. Bugfix on 0.2.0.19-alpha;
fixes bug 1034. Reported by BarkerJr.

Changes in version 0.2.1.18 - 2009-07-24
Major features (clients):

Start sending "bootstrap phase" status events to the controller,
so it can keep the user informed of progress fetching directory
information and establishing circuits. Also inform the controller
if we think we're stuck at a particular bootstrap phase. Implements
proposal 137.
Clients replace entry guards that were chosen more than a few months
ago. This change should significantly improve client performance,
especially once more people upgrade, since relays that have been
a guard for a long time are currently overloaded.
Network status consensus documents and votes now contain bandwidth
information for each relay. Clients use the bandwidth values
in the consensus, rather than the bandwidth values in each
relay descriptor. This approach opens the door to more accurate
bandwidth estimates once the directory authorities start doing
active measurements. Implements part of proposal 141.

Major features (relays):

Disable and refactor some debugging checks that forced a linear scan
over the whole server-side DNS cache. These accounted for over 50%
of CPU time on a relatively busy exit node's gprof profile. Also,
disable some debugging checks that appeared in exit node profile
data. Found by Jacob.
New DirPortFrontPage option that takes an html file and publishes
it as "/" on the DirPort. Now relay operators can provide a
disclaimer without needing to set up a separate webserver. There's
a sample disclaimer in contrib/tor-exit-notice.html.

Major features (hidden services):

Make it possible to build hidden services that only certain clients
are allowed to connect to. This is enforced at several points,
so that unauthorized clients are unable to send INTRODUCE cells
to the service, or even (depending on the type of authentication)
to learn introduction points. This feature raises the bar for
certain kinds of active attacks against hidden services. Design
and code by Karsten Loesing. Implements proposal 121.
Relays now store and serve v2 hidden service descriptors by default,
i.e., the new default value for HidServDirectoryV2 is 1. This is
the last step in proposal 114, which aims to make hidden service
lookups more reliable.

Major features (path selection):

ExitNodes and Exclude*Nodes config options now allow you to restrict
by country code ("{US}") or IP address or address pattern
("255.128.0.0/16"). Patch from Robert Hogan. It still needs some
refinement to decide what config options should take priority if
you ask to both use a particular node and exclude it.

Major features (misc):

When building a consensus, do not include routers that are down.
This cuts down 30% to 40% on consensus size. Implements proposal
138.
New TestingTorNetwork config option to allow adjustment of
previously constant values that could slow bootstrapping. Implements
proposal 135. Patch from Karsten.
Convert many internal address representations to optionally hold
IPv6 addresses. Generate and accept IPv6 addresses in many protocol
elements. Make resolver code handle nameservers located at IPv6
addresses.
More work on making our TLS handshake blend in: modify the list
of ciphers advertised by OpenSSL in client mode to even more
closely resemble a common web browser. We cheat a little so that
we can advertise ciphers that the locally installed OpenSSL doesn't
know about.
Use the TLS1 hostname extension to more closely resemble browser
behavior.

Security fixes (anonymity/entropy):

Never use a connection with a mismatched address to extend a
circuit, unless that connection is canonical. A canonical
connection is one whose address is authenticated by the router's
identity key, either in a NETINFO cell or in a router descriptor.
Implement most of proposal 110: The first K cells to be sent
along a circuit are marked as special "early" cells; only K "early"
cells will be allowed. Once this code is universal, we can block
certain kinds of denial-of-service attack by requiring that EXTEND
commands must be sent using an "early" cell.
Resume using OpenSSL's RAND_poll() for better (and more portable)
cross-platform entropy collection again. We used to use it, then
stopped using it because of a bug that could crash systems that
called RAND_poll when they had a lot of fds open. It looks like the
bug got fixed in late 2006. Our new behavior is to call RAND_poll()
at startup, and to call RAND_poll() when we reseed later only if
we have a non-buggy OpenSSL version.
When the client is choosing entry guards, now it selects at most
one guard from a given relay family. Otherwise we could end up with
all of our entry points into the network run by the same operator.
Suggested by Camilo Viecco. Fix on 0.1.1.11-alpha.
Do not use or believe expired v3 authority certificates. Patch
from Karsten. Bugfix in 0.2.0.x. Fixes bug 851.
Drop begin cells to a hidden service if they come from the middle
of a circuit. Patch from lark.
When we erroneously receive two EXTEND cells for the same circuit
ID on the same connection, drop the second. Patch from lark.
Authorities now vote for the Stable flag for any router whose
weighted MTBF is at least 5 days, regardless of the mean MTBF.
Clients now never report any stream end reason except 'MISC'.
Implements proposal 148.

Major bugfixes (crashes):

Parse dates and IPv4 addresses in a locale- and libc-independent
manner, to avoid platform-dependent behavior on malformed input.
Fix a crash that occurs on exit nodes when a nameserver request
timed out. Bugfix on 0.1.2.1-alpha; our CLEAR debugging code had
been suppressing the bug since 0.1.2.10-alpha. Partial fix for
bug 929.
Do not assume that a stack-allocated character array will be
64-bit aligned on platforms that demand that uint64_t access is
aligned. Possible fix for bug 604.
Resolve a very rare crash bug that could occur when the user forced
a nameserver reconfiguration during the middle of a nameserver
probe. Fixes bug 526. Bugfix on 0.1.2.1-alpha.
Avoid a "0 divided by 0" calculation when calculating router uptime
at directory authorities. Bugfix on 0.2.0.8-alpha.
Fix an assertion bug in parsing policy-related options; possible fix
for bug 811.
Rate-limit too-many-sockets messages: when they happen, they happen
a lot and end up filling up the disk. Resolves bug 748.
Fix a race condition that could cause crashes or memory corruption
when running as a server with a controller listening for log
messages.
Avoid crashing when we have a policy specified in a DirPolicy or
SocksPolicy or ReachableAddresses option with ports set on it,
and we re-load the policy. May fix bug 996.
Fix an assertion failure on 64-bit platforms when we allocated
memory right up to the end of a memarea, then realigned the memory
one step beyond the end. Fixes a possible cause of bug 930.
Protect the count of open sockets with a mutex, so we can't
corrupt it when two threads are closing or opening sockets at once.
Fix for bug 939. Bugfix on 0.2.0.1-alpha.

Major bugfixes (clients):

Discard router descriptors as we load them if they are more than
five days old. Otherwise if Tor is off for a long time and then
starts with cached descriptors, it will try to use the onion keys
in those obsolete descriptors when building circuits. Fixes bug 887.
When we choose to abandon a new entry guard because we think our
older ones might be better, close any circuits pending on that
new entry guard connection. This fix should make us recover much
faster when our network is down and then comes back. Bugfix on
0.1.2.8-beta; found by lodger.
When Tor clients restart after 1-5 days, they discard all their
cached descriptors as too old, but they still use the cached
consensus document. This approach is good for robustness, but
bad for performance: since they don't know any bandwidths, they
end up choosing at random rather than weighting their choice by
speed. Fixed by the above feature of putting bandwidths in the
consensus.

Major bugfixes (relays):

Relays were falling out of the networkstatus consensus for
part of a day if they changed their local config but the
authorities discarded their new descriptor as "not sufficiently
different". Now directory authorities accept a descriptor as changed
if BandwidthRate or BandwidthBurst changed. Partial fix for bug 962;
patch by Sebastian.
Ensure that two circuits can never exist on the same connection
with the same circuit ID, even if one is marked for close. This
is conceivably a bugfix for bug 779; fixes a bug on 0.1.0.4-rc.
Directory authorities were neglecting to mark relays down in their
internal histories if the relays fall off the routerlist without
ever being found unreachable. So there were relays in the histories
that haven't been seen for eight months, and are listed as being
up for eight months. This wreaked havoc on the "median wfu" and
"median mtbf" calculations, in turn making Guard and Stable flags
wrong, hurting network performance. Fixes bugs 696 and 969. Bugfix
on 0.2.0.6-alpha.

Major bugfixes (hidden services):

When establishing a hidden service, introduction points that
originate from cannibalized circuits were completely ignored
and not included in rendezvous service descriptors. This might
have been another reason for delay in making a hidden service
available. Bugfix from long ago (0.0.9.x?)

Major bugfixes (memory and resource management):

Fixed some memory leaks -- some quite frequent, some almost
impossible to trigger -- based on results from Coverity.
Speed up parsing and cut down on memory fragmentation by using
stack-style allocations for parsing directory objects. Previously,
this accounted for over 40% of allocations from within Tor's code
on a typical directory cache.
Use a Bloom filter rather than a digest-based set to track which
descriptors we need to keep around when we're cleaning out old
router descriptors. This speeds up the computation significantly,
and may reduce fragmentation.

New/changed config options:

Now NodeFamily and MyFamily config options allow spaces in
identity fingerprints, so it's easier to paste them in.
Suggested by Lucky Green.
Allow ports 465 and 587 in the default exit policy again. We had
rejected them in 0.1.0.15, because back in 2005 they were commonly
misconfigured and ended up as spam targets. We hear they are better
locked down these days.
Make TrackHostExit mappings expire a while after their last use, not
after their creation. Patch from Robert Hogan.
Add an ExcludeExitNodes option so users can list a set of nodes
that should be be excluded from the exit node position, but
allowed elsewhere. Implements proposal 151.
New --hush command-line option similar to --quiet. While --quiet
disables all logging to the console on startup, --hush limits the
output to messages of warning and error severity.
New configure/torrc options (--enable-geoip-stats,
DirRecordUsageByCountry) to record how many IPs we've served
directory info to in each country code, how many status documents
total we've sent to each country code, and what share of the total
directory requests we should expect to see.
Make outbound DNS packets respect the OutboundBindAddress setting.
Fixes the bug part of bug 798. Bugfix on 0.1.2.2-alpha.
Allow separate log levels to be configured for different logging
domains. For example, this allows one to log all notices, warnings,
or errors, plus all memory management messages of level debug or
higher, with: Log [MM] debug-err [*] notice-err file /var/log/tor.
Update to the "June 3 2009" ip-to-country file.

Minor features (relays):

Raise the minimum rate limiting to be a relay from 20000 bytes
to 20480 bytes (aka 20KB/s), to match our documentation. Also
update directory authorities so they always assign the Fast flag
to relays with 20KB/s of capacity. Now people running relays won't
suddenly find themselves not seeing any use, if the network gets
faster on average.
If we're a relay and we change our IP address, be more verbose
about the reason that made us change. Should help track down
further bugs for relays on dynamic IP addresses.
Exit servers can now answer resolve requests for ip6.arpa addresses.
Implement most of Proposal 152: allow specialized servers to permit
single-hop circuits, and clients to use those servers to build
single-hop circuits when using a specialized controller. Patch
from Josh Albrecht. Resolves feature request 768.
When relays do their initial bandwidth measurement, don't limit
to just our entry guards for the test circuits. Otherwise we tend
to have multiple test circuits going through a single entry guard,
which makes our bandwidth test less accurate. Fixes part of bug 654;
patch contributed by Josh Albrecht.

Minor features (directory authorities):

Try not to open more than one descriptor-downloading connection
to an authority at once. This should reduce load on directory
authorities. Fixes bug 366.
Add cross-certification to newly generated certificates, so that
a signing key is enough information to look up a certificate. Start
serving certificates by
pairs. Implements proposal 157.
When a directory authority downloads a descriptor that it then
immediately rejects, do not retry downloading it right away. Should
save some bandwidth on authorities. Fix for bug 888. Patch by
Sebastian Hahn.
Directory authorities now serve a /tor/dbg-stability.txt URL to
help debug WFU and MTBF calculations.
In directory authorities' approved-routers files, allow
fingerprints with or without space.

Minor features (directory mirrors):

When a download gets us zero good descriptors, do not notify
Tor that new directory information has arrived.
Servers support a new URL scheme for consensus downloads that
allows the client to specify which authorities are trusted.
The server then only sends the consensus if the client will trust
it. Otherwise a 404 error is sent back. Clients use this
new scheme when the server supports it (meaning it's running
0.2.1.1-alpha or later). Implements proposal 134.

Minor features (bridges):

If the bridge config line doesn't specify a port, assume 443.
This makes bridge lines a bit smaller and easier for users to
understand.
If we're using bridges and our network goes away, be more willing
to forgive our bridges and try again when we get an application
request.

Minor features (hidden services):

When the client launches an introduction circuit, retry with a
new circuit after 30 seconds rather than 60 seconds.
Launch a second client-side introduction circuit in parallel
after a delay of 15 seconds (based on work by Christian Wilms).
Hidden services start out building five intro circuits rather
than three, and when the first three finish they publish a service
descriptor using those. Now we publish our service descriptor much
faster after restart.
Drop the requirement to have an open dir port for storing and
serving v2 hidden service descriptors.

Minor features (build and packaging):

On Linux, use the prctl call to re-enable core dumps when the User
option is set.
Try to make sure that the version of Libevent we're running with
is binary-compatible with the one we built with. May address bug
897 and others.
Add a new --enable-local-appdata configuration switch to change
the default location of the datadir on win32 from APPDATA to
LOCAL_APPDATA. In the future, we should migrate to LOCAL_APPDATA
entirely. Patch from coderman.
Build correctly against versions of OpenSSL 0.9.8 or later that
are built without support for deprecated functions.
On platforms with a maximum syslog string length, truncate syslog
messages to that length ourselves, rather than relying on the
system to do it for us.
Automatically detect MacOSX versions earlier than 10.4.0, and
disable kqueue from inside Tor when running with these versions.
We previously did this from the startup script, but that was no
help to people who didn't use the startup script. Resolves bug 863.
Build correctly when configured to build outside the main source
path. Patch from Michael Gold.
Disable GCC's strict alias optimization by default, to avoid the
likelihood of its introducing subtle bugs whenever our code violates
the letter of C99's alias rules.
Change the contrib/tor.logrotate script so it makes the new
logs as "_tor:_tor" rather than the default, which is generally
"root:wheel". Fixes bug 676, reported by Serge Koksharov.
Change our header file guard macros to be less likely to conflict
with system headers. Adam Langley noticed that we were conflicting
with log.h on Android.
Add a couple of extra warnings to --enable-gcc-warnings for GCC 4.3,
and stop using a warning that had become unfixably verbose under
GCC 4.3.
Use a lockfile to make sure that two Tor processes are not
simultaneously running with the same datadir.
Allow OpenSSL to use dynamic locks if it wants.
Add LIBS=-lrt to Makefile.am so the Tor RPMs use a static libevent.

Minor features (controllers):

When generating circuit events with verbose nicknames for
controllers, try harder to look up nicknames for routers on a
circuit. (Previously, we would look in the router descriptors we had
for nicknames, but not in the consensus.) Partial fix for bug 941.
New controller event NEWCONSENSUS that lists the networkstatus
lines for every recommended relay. Now controllers like Torflow
can keep up-to-date on which relays they should be using.
New controller event "clients_seen" to report a geoip-based summary
of which countries we've seen clients from recently. Now controllers
like Vidalia can show bridge operators that they're actually making
a difference.
Add a 'getinfo status/clients-seen' controller command, in case
controllers want to hear clients_seen events but connect late.
New CONSENSUS_ARRIVED event to note when a new consensus has
been fetched and validated.
Add an internal-use-only __ReloadTorrcOnSIGHUP option for
controllers to prevent SIGHUP from reloading the configuration.
Fixes bug 856.
Return circuit purposes in response to GETINFO circuit-status.
Fixes bug 858.
Serve the latest v3 networkstatus consensus via the control
port. Use "getinfo dir/status-vote/current/consensus" to fetch it.
Add a "GETINFO /status/bootstrap-phase" controller option, so the
controller can query our current bootstrap state in case it attaches
partway through and wants to catch up.
Provide circuit purposes along with circuit events to the controller.

Minor features (tools):

Do not have tor-resolve automatically refuse all .onion addresses;
if AutomapHostsOnResolve is set in your torrc, this will work fine.
Add a -p option to tor-resolve for specifying the SOCKS port: some
people find host:port too confusing.
Print the SOCKS5 error message string as well as the error code
when a tor-resolve request fails. Patch from Jacob.

Minor bugfixes (memory and resource management):

Clients no longer cache certificates for authorities they do not
recognize. Bugfix on 0.2.0.9-alpha.
Do not use C's stdio library for writing to log files. This will
improve logging performance by a minute amount, and will stop
leaking fds when our disk is full. Fixes bug 861.
Stop erroneous use of O_APPEND in cases where we did not in fact
want to re-seek to the end of a file before every last write().
Fix a small alignment and memory-wasting bug on buffer chunks.
Spotted by rovv.
Add a malloc_good_size implementation to OpenBSD_malloc_linux.c,
to avoid unused RAM in buffer chunks and memory pools.
Reduce the default smartlist size from 32 to 16; it turns out that
most smartlists hold around 8-12 elements tops.
Make dumpstats() log the fullness and size of openssl-internal
buffers.
If the user has applied the experimental SSL_MODE_RELEASE_BUFFERS
patch to their OpenSSL, turn it on to save memory on servers. This
patch will (with any luck) get included in a mainline distribution
before too long.
Fix a memory leak when v3 directory authorities load their keys
and cert from disk. Bugfix on 0.2.0.1-alpha.
Stop using malloc_usable_size() to use more area than we had
actually allocated: it was safe, but made valgrind really unhappy.
Make the assert_circuit_ok() function work correctly on circuits that
have already been marked for close.
Fix uninitialized size field for memory area allocation: may improve
memory performance during directory parsing.

Minor bugfixes (clients):

Stop reloading the router list from disk for no reason when we
run out of reachable directory mirrors. Once upon a time reloading
it would set the 'is_running' flag back to 1 for them. It hasn't
done that for a long time.
When we had picked an exit node for a connection, but marked it as
"optional", and it turned out we had no onion key for the exit,
stop wanting that exit and try again. This situation may not
be possible now, but will probably become feasible with proposal
158. Spotted by rovv. Fixes another case of bug 752.
Fix a bug in address parsing that was preventing bridges or hidden
service targets from being at IPv6 addresses.
Do not remove routers as too old if we do not have any consensus
document. Bugfix on 0.2.0.7-alpha.
When an exit relay resolves a stream address to a local IP address,
do not just keep retrying that same exit relay over and
over. Instead, just close the stream. Addresses bug 872. Bugfix
on 0.2.0.32. Patch from rovv.
Made Tor a little less aggressive about deleting expired
certificates. Partial fix for bug 854.
Treat duplicate certificate fetches as failures, so that we do
not try to re-fetch an expired certificate over and over and over.
Do not say we're fetching a certificate when we'll in fact skip it
because of a pending download.
If we have correct permissions on $datadir, we complain to stdout
and fail to start. But dangerous permissions on
$datadir/cached-status/ would cause us to open a log and complain
there. Now complain to stdout and fail to start in both cases. Fixes
bug 820, reported by seeess.

Minor bugfixes (bridges):

When we made bridge authorities stop serving bridge descriptors over
unencrypted links, we also broke DirPort reachability testing for
bridges. So bridges with a non-zero DirPort were printing spurious
warns to their logs. Bugfix on 0.2.0.16-alpha. Fixes bug 709.
Don't allow a bridge to publish its router descriptor to a
non-bridge directory authority. Fixes part of bug 932.
When we change to or from being a bridge, reset our counts of
client usage by country. Fixes bug 932.

Minor bugfixes (relays):

Log correct error messages for DNS-related network errors on
Windows.
Actually return -1 in the error case for read_bandwidth_usage().
Harmless bug, since we currently don't care about the return value
anywhere. Bugfix on 0.2.0.9-alpha.
Provide a more useful log message if bug 977 (related to buffer
freelists) ever reappears, and do not crash right away.
We were already rejecting relay begin cells with destination port
of 0. Now also reject extend cells with destination port or address
of 0. Suggested by lark.
When we can't transmit a DNS request due to a network error, retry
it after a while, and eventually transmit a failing response to
the RESOLVED cell. Bugfix on 0.1.2.5-alpha.
Solve a bug that kept hardware crypto acceleration from getting
enabled when accounting was turned on. Fixes bug 907. Bugfix on
0.0.9pre6.
When a canonical connection appears later in our internal list
than a noncanonical one for a given OR ID, always use the
canonical one. Bugfix on 0.2.0.12-alpha. Fixes bug 805.
Spotted by rovv.
Avoid some nasty corner cases in the logic for marking connections
as too old or obsolete or noncanonical for circuits. Partial
bugfix on bug 891.
Fix another interesting corner-case of bug 891 spotted by rovv:
Previously, if two hosts had different amounts of clock drift, and
one of them created a new connection with just the wrong timing,
the other might decide to deprecate the new connection erroneously.
Bugfix on 0.1.1.13-alpha.
If one win32 nameserver fails to get added, continue adding the
rest, and don't automatically fail.
Fix a bug where an unreachable relay would establish enough
reachability testing circuits to do a bandwidth test -- if
we already have a connection to the middle hop of the testing
circuit, then it could establish the last hop by using the existing
connection. Bugfix on 0.1.2.2-alpha, exposed when we made testing
circuits no longer use entry guards in 0.2.1.3-alpha.

Minor bugfixes (directory authorities):

Limit uploaded directory documents to be 16M rather than 500K.
The directory authorities were refusing v3 consensus votes from
other authorities, since the votes are now 504K. Fixes bug 959;
bugfix on 0.0.2pre17 (where we raised it from 50K to 500K ;) .
Directory authorities should never send a 503 "busy" response to
requests for votes or keys. Bugfix on 0.2.0.8-alpha; exposed by
bug 959.
Fix code so authorities _actually_ send back X-Descriptor-Not-New
headers. Bugfix on 0.2.0.10-alpha.

Minor bugfixes (hidden services):

When we can't find an intro key for a v2 hidden service descriptor,
fall back to the v0 hidden service descriptor and log a bug message.
Workaround for bug 1024.
In very rare situations new hidden service descriptors were
published earlier than 30 seconds after the last change to the
service. (We currently think that a hidden service descriptor
that's been stable for 30 seconds is worth publishing.)
If a hidden service sends us an END cell, do not consider
retrying the connection; just close it. Patch from rovv.
If we are not using BEGIN_DIR cells, don't attempt to contact hidden
service directories if they have no advertised dir port. Bugfix
on 0.2.0.10-alpha.

Minor bugfixes (tools):

In the torify(1) manpage, mention that tsocks will leak your
DNS requests.

Minor bugfixes (controllers):

If the controller claimed responsibility for a stream, but that
stream never finished making its connection, it would live
forever in circuit_wait state. Now we close it after SocksTimeout
seconds. Bugfix on 0.1.2.7-alpha; reported by Mike Perry.
Make DNS resolved controller events into "CLOSED", not
"FAILED". Bugfix on 0.1.2.5-alpha. Fix by Robert Hogan. Resolves
bug 807.
The control port would close the connection before flushing long
replies, such as the network consensus, if a QUIT command was issued
before the reply had completed. Now, the control port flushes all
pending replies before closing the connection. Also fix a spurious
warning when a QUIT command is issued after a malformed or rejected
AUTHENTICATE command, but before the connection was closed. Patch
by Marcus Griep. Fixes bugs 1015 and 1016.
Fix a bug that made stream bandwidth get misreported to the
controller.

Deprecated and removed features:

The old "tor --version --version" command, which would print out
the subversion "Id" of most of the source files, is now removed. It
turned out to be less useful than we'd expected, and harder to
maintain.
RedirectExits has been removed. It was deprecated since
0.2.0.3-alpha.
Finally remove deprecated "EXTENDED_FORMAT" controller feature. It
has been called EXTENDED_EVENTS since 0.1.2.4-alpha.
Cell pools are now always enabled; --disable-cell-pools is ignored.
Directory mirrors no longer fetch the v1 directory or
running-routers files. They are obsolete, and nobody asks for them
anymore. This is the first step to making v1 authorities obsolete.
Take out the TestVia config option, since it was a workaround for
a bug that was fixed in Tor 0.1.1.21.
Mark RendNodes, RendExcludeNodes, HiddenServiceNodes, and
HiddenServiceExcludeNodes as obsolete: they never worked properly,
and nobody seems to be using them. Fixes bug 754. Bugfix on
0.1.0.1-rc. Patch from Christian Wilms.
Remove all backward-compatibility code for relays running
versions of Tor so old that they no longer work at all on the
Tor network.

Code simplifications and refactoring:

Tool-assisted documentation cleanup. Nearly every function or
static variable in Tor should have its own documentation now.
Rename the confusing or_is_obsolete field to the more appropriate
is_bad_for_new_circs, and move it to or_connection_t where it
belongs.
Move edge-only flags from connection_t to edge_connection_t: not
only is this better coding, but on machines of plausible alignment,
it should save 4-8 bytes per connection_t. "Every little bit helps."
Rename ServerDNSAllowBrokenResolvConf to ServerDNSAllowBrokenConfig
for consistency; keep old option working for backward compatibility.
Simplify the code for finding connections to use for a circuit.
Revise the connection_new functions so that a more typesafe variant
exists. This will work better with Coverity, and let us find any
actual mistakes we're making here.
Refactor unit testing logic so that dmalloc can be used sensibly
with unit tests to check for memory leaks.
Move all hidden-service related fields from connection and circuit
structure to substructures: this way they won't eat so much memory.
Squeeze 2-5% out of client performance (according to oprofile) by
improving the implementation of some policy-manipulation functions.
Change the implementation of ExcludeNodes and ExcludeExitNodes to
be more efficient. Formerly it was quadratic in the number of
servers; now it should be linear. Fixes bug 509.
Save 16-22 bytes per open circuit by moving the n_addr, n_port,
and n_conn_id_digest fields into a separate structure that's
only needed when the circuit has not yet attached to an n_conn.
Optimize out calls to time(NULL) that occur for every IO operation,
or for every cell. On systems like Windows where time() is a
slow syscall, this fix will be slightly helpful.

Tor 0.2.0.35-stable bundles updated

phobos — Sun, 12 Jul 2009 18:35:00 -0700

Updated Vidalia-bundle packages with Tor 0.2.0.35 are released. The only thing that's changed is the update of Vidalia from 0.1.14 to 0.1.15. You can retrieve the updated packages from https://www.torproject.org/easy-download

Tor 0.2.0.35-stable released

phobos — Thu, 25 Jun 2009 17:34:49 -0700

Tor 0.2.0.35 fixes a big bug that was causing Tor relays with dynamic
IP addresses to disappear from the network. It also fixes a rare crash
bug on fast exit relays.

https://www.torproject.org/easy-download

Changes in version 0.2.0.35 - 2009-06-24
Security fix:

Avoid crashing in the presence of certain malformed descriptors.
Found by lark, and by automated fuzzing.
Fix an edge case where a malicious exit relay could convince a
controller that the client's DNS question resolves to an internal IP
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.

Major bugfixes:

Finally fix the bug where dynamic-IP relays disappear when their
IP address changes: directory mirrors were mistakenly telling
them their old address if they asked via begin_dir, so they
never got an accurate answer about their new address, so they
just vanished after a day. For belt-and-suspenders, relays that
don't set Address in their config now avoid using begin_dir for
all direct connections. Should fix bugs 827, 883, and 900.
Fix a timing-dependent, allocator-dependent, DNS-related crash bug
that would occur on some exit nodes when DNS failures and timeouts
occurred in certain patterns. Fix for bug 957.

Minor bugfixes:

When starting with a cache over a few days old, do not leak
memory for the obsolete router descriptors in it. Bugfix on
0.2.0.33; fixes bug 672.
Hidden service clients didn't use a cached service descriptor that
was older than 15 minutes, but wouldn't fetch a new one either,
because there was already one in the cache. Now, fetch a v2
descriptor unless the same descriptor was added to the cache within
the last 15 minutes. Fixes bug 997; reported by Marcus Griep.

The original announcement can be found at http://archives.seul.org/or/announce/Jun-2009/msg00000.html

Tor 0.2.0.34-stable released

phobos — Mon, 09 Feb 2009 15:21:20 -0800

Tor 0.2.0.34 features several more security-related fixes. You
should upgrade, especially if you run an exit relay (remote crash) or
a directory authority (remote infinite loop), or you're on an older
(pre-XP) or not-recently-patched Windows (remote exploit).

This release marks end-of-life for Tor 0.1.2.x. Those Tor versions have
many known flaws, and nobody should be using them. You should upgrade. If
you're using a Linux or BSD and its packages are obsolete, stop using
those packages and upgrade anyway.

https://www.torproject.org/download.html

Changes in version 0.2.0.34 - 2009-02-08
Security fixes:

Fix an infinite-loop bug on handling corrupt votes under certain
circumstances. Bugfix on 0.2.0.8-alpha.
Fix a temporary DoS vulnerability that could be performed by
a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
Avoid a potential crash on exit nodes when processing malformed
input. Remote DoS opportunity. Bugfix on 0.2.0.33.
Do not accept incomplete ipv4 addresses (like 192.168.0) as valid.
Spec conformance issue. Bugfix on Tor 0.0.2pre27.

Minor bugfixes:

Fix compilation on systems where time_t is a 64-bit integer.
Patch from Matthias Drochner.
Don't consider expiring already-closed client connections. Fixes
bug 893. Bugfix on 0.0.2pre20.

The original announcement can be found at http://archives.seul.org/or/announce/Feb-2009/msg00000.html

Tor 0.2.0.33-stable released

phobos — Thu, 22 Jan 2009 11:25:00 -0800

Tor 0.2.0.33 fixes a variety of bugs that were making relays less useful
to users. It also finally fixes a bug where a relay or client that's
been off for many days would take a long time to bootstrap.

This update also fixes an important security-related bug reported by
Ilja van Sprundel. You should upgrade. (We'll send out more details
about the bug once people have had some time to upgrade.)

https://www.torproject.org/download.html

Changes in version 0.2.0.33 - 2009-01-21
Security fixes:

Fix a heap-corruption bug that may be remotely triggerable on
some platforms. Reported by Ilja van Sprundel.

Major bugfixes:

When a stream at an exit relay is in state "resolving" or
"connecting" and it receives an "end" relay cell, the exit relay
would silently ignore the end cell and not close the stream. If
the client never closes the circuit, then the exit relay never
closes the TCP connection. Bug introduced in Tor 0.1.2.1-alpha;
reported by "wood".
When sending CREATED cells back for a given circuit, use a 64-bit
connection ID to find the right connection, rather than an addr:port
combination. Now that we can have multiple OR connections between
the same ORs, it is no longer possible to use addr:port to uniquely
identify a connection.
Bridge relays that had DirPort set to 0 would stop fetching
descriptors shortly after startup, and then briefly resume
after a new bandwidth test and/or after publishing a new bridge
descriptor. Bridge users that try to bootstrap from them would
get a recent networkstatus but would get descriptors from up to
18 hours earlier, meaning most of the descriptors were obsolete
already. Reported by Tas; bugfix on 0.2.0.13-alpha.
Prevent bridge relays from serving their 'extrainfo' document
to anybody who asks, now that extrainfo docs include potentially
sensitive aggregated client geoip summaries. Bugfix on
0.2.0.13-alpha.
If the cached networkstatus consensus is more than five days old,
discard it rather than trying to use it. In theory it could be
useful because it lists alternate directory mirrors, but in practice
it just means we spend many minutes trying directory mirrors that
are long gone from the network. Also discard router descriptors as
we load them if they are more than five days old, since the onion
key is probably wrong by now. Bugfix on 0.2.0.x. Fixes bug 887.

Minor bugfixes:

Do not mark smartlist_bsearch_idx() function as ATTR_PURE. This bug
could make gcc generate non-functional binary search code. Bugfix
on 0.2.0.10-alpha.
Build correctly on platforms without socklen_t.
Compile without warnings on solaris.
Avoid potential crash on internal error during signature collection.
Fixes bug 864. Patch from rovv.
Correct handling of possible malformed authority signing key
certificates with internal signature types. Fixes bug 880.
Bugfix on 0.2.0.3-alpha.
Fix a hard-to-trigger resource leak when logging credential status.
CID 349.
When we can't initialize DNS because the network is down, do not
automatically stop Tor from starting. Instead, we retry failed
dns_inits() every 10 minutes, and change the exit policy to reject
*:* until one succeeds. Fixes bug 691.
Use 64 bits instead of 32 bits for connection identifiers used with
the controller protocol, to greatly reduce risk of identifier reuse.
When we're choosing an exit node for a circuit, and we have
no pending streams, choose a good general exit rather than one that
supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv.
Fix another case of assuming, when a specific exit is requested,
that we know more than the user about what hosts it allows.
Fixes one case of bug 752. Patch from rovv.
Clip the MaxCircuitDirtiness config option to a minimum of 10
seconds. Warn the user if lower values are given in the
configuration. Bugfix on 0.1.0.1-rc. Patch by Sebastian.
Clip the CircuitBuildTimeout to a minimum of 30 seconds. Warn the
user if lower values are given in the configuration. Bugfix on
0.1.1.17-rc. Patch by Sebastian.
Fix a memory leak when we decline to add a v2 rendezvous descriptor to
the cache because we already had a v0 descriptor with the same ID.
Bugfix on 0.2.0.18-alpha.
Fix a race condition when freeing keys shared between main thread
and CPU workers that could result in a memory leak. Bugfix on
0.1.0.1-rc. Fixes bug 889.
Send a valid END cell back when a client tries to connect to a
nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
840. Patch from rovv.
Check which hops rendezvous stream cells are associated with to
prevent possible guess-the-streamid injection attacks from
intermediate hops. Fixes another case of bug 446. Based on patch
from rovv.
If a broken client asks a non-exit router to connect somewhere,
do not even do the DNS lookup before rejecting the connection.
Fixes another case of bug 619. Patch from rovv.
When a relay gets a create cell it can't decrypt (e.g. because it's
using the wrong onion key), we were dropping it and letting the
client time out. Now actually answer with a destroy cell. Fixes
bug 904. Bugfix on 0.0.2pre8.

Minor bugfixes (hidden services):

Do not throw away existing introduction points on SIGHUP. Bugfix on
0.0.6pre1. Patch by Karsten. Fixes bug 874.

Minor features:

Report the case where all signatures in a detached set are rejected
differently than the case where there is an error handling the
detached set.
When we realize that another process has modified our cached
descriptors, print out a more useful error message rather than
triggering an assertion. Fixes bug 885. Patch from Karsten.
Implement the 0x20 hack to better resist DNS poisoning: set the
case on outgoing DNS requests randomly, and reject responses that do
not match the case correctly. This logic can be disabled with the
ServerDNSRamdomizeCase setting, if you are using one of the 0.3%
of servers that do not reliably preserve case in replies. See
"Increased DNS Forgery Resistance through 0x20-Bit Encoding"
for more info.
Check DNS replies for more matching fields to better resist DNS
poisoning.
Never use OpenSSL compression: it wastes RAM and CPU trying to
compress cells, which are basically all encrypted, compressed, or
both.

The original announcement can be found at http://archives.seul.org/or/announce/Jan-2009/msg00000.html

Updates on Tor 0.2.0.32 for OS X Users

phobos — Thu, 04 Dec 2008 18:48:00 -0800

As detailed here, http://archives.seul.org/or/talk/Dec-2008/msg00044.html, there are some packaging fixes for OS X users in this 0.2.0.32 stable release.

For OS X users, there is a packaging bugfix in 0.2.0.32 labelled as
0.2.0.32a in the available packages. It turns out for years we've been
shipping a Info.plist with an incorrect key. The issue was discovered
and reported as bug 876,
https://bugs.torproject.org/flyspray/index.php?id=876&do=details.

The commit to fix the problem in the 0_2_0 branch is r17472:
http://archives.seul.org/or/cvs/Dec-2008/msg00037.html

The commit to fix the problem in the Vidalia 0.1 branch is r3361:
http://trac.vidalia-project.net/browser/vidalia/branches/vidalia-0.1/pkg...

The bug is that the OS X Installer will prompt "The chosen volume
contains software which is newer then [sic] the software you are
installing."

The problem is that the Installer looks in the file
/Library/Receipts/Vidalia.pkg/Contents/Info.plist for
CFBundleShortVersionString. We mistakenly called it
CFBundleSortVersionString, which Apple inserts "1" as the value. The
upgrade to Vidalia from 0.1.9 to 0.1.10 apparently triggered the issue.

The fix is to put the correct value in place for the future. The
simplest way to do this is to have the users click "Continue" when
prompted. We could have spent a lot of time trying to fix it for the
user to hide the issue, but well, that is fraught with problems and
complexities. A simple click of "Continue" is far simpler and less
error prone.

The difference between the released 0.2.0.32 Tor code is the inclusion
of r17472. It's not really 0.2.0.32a per se, but since we lack package
versions, I had to distinguish it in some way.

Tor 0.2.0.32 Released

phobos — Thu, 04 Dec 2008 18:42:03 -0800

Tor 0.2.0.32 fixes a major security problem in Debian and Ubuntu packages
(and maybe other packages) noticed by Theo de Raadt, fixes a smaller
security flaw that might allow an attacker to access local services,
further improves hidden service performance, and fixes a variety of
other issues.

https://www.torproject.org/download.html

Or use our new https://www.torproject.org/easy-download page.

Changes in version 0.2.0.32 - 2008-11-20
Security fixes:

The "User" and "Group" config options did not clear the
supplementary group entries for the Tor process. The "User" option
is now more robust, and we now set the groups to the specified
user's primary group. The "Group" option is now ignored. For more
detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848 and 857.
The "ClientDNSRejectInternalAddresses" config option wasn't being
consistently obeyed: if an exit relay refuses a stream because its
exit policy doesn't allow it, we would remember what IP address
the relay said the destination address resolves to, even if it's
an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.

Major bugfixes:

Fix a DOS opportunity during the voting signature collection process
at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x.

Major bugfixes (hidden services):

When fetching v0 and v2 rendezvous service descriptors in parallel,
we were failing the whole hidden service request when the v0
descriptor fetch fails, even if the v2 fetch is still pending and
might succeed. Similarly, if the last v2 fetch fails, we were
failing the whole hidden service request even if a v0 fetch is
still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
When extending a circuit to a hidden service directory to upload a
rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
requests failed, because the router descriptor has not been
downloaded yet. In these cases, do not attempt to upload the
rendezvous descriptor, but wait until the router descriptor is
downloaded and retry. Likewise, do not attempt to fetch a rendezvous
descriptor from a hidden service directory for which the router
descriptor has not yet been downloaded. Fixes bug 767. Bugfix
on 0.2.0.10-alpha.

Minor bugfixes:

Fix several infrequent memory leaks spotted by Coverity.
When testing for libevent functions, set the LDFLAGS variable
correctly. Found by Riastradh.
Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
bootstrapping with tunneled directory connections. Bugfix on
0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
When asked to connect to A.B.exit:80, if we don't know the IP for A
and we know that server B rejects most-but-not all connections to
port 80, we would previously reject the connection. Now, we assume
the user knows what they were asking for. Fixes bug 752. Bugfix
on 0.0.9rc5. Diagnosed by BarkerJr.
If we overrun our per-second write limits a little, count this as
having used up our write allocation for the second, and choke
outgoing directory writes. Previously, we had only counted this when
we had met our limits precisely. Fixes bug 824. Patch from by rovv.
Bugfix on 0.2.0.x.
Remove the old v2 directory authority 'lefkada' from the default
list. It has been gone for many months.
Stop doing unaligned memory access that generated bus errors on
sparc64. Bugfix on 0.2.0.10-alpha. Fixes bug 862.
Make USR2 log-level switch take effect immediately. Bugfix on
0.1.2.8-beta.

Minor bugfixes (controller):

Make DNS resolved events into "CLOSED", not "FAILED". Bugfix on
0.1.2.5-alpha. Fix by Robert Hogan. Resolves bug 807.

The original announcement can be found at http://archives.seul.org/or/announce/Dec-2008/msg00000.html

August 2008 Progress Report

phobos — Sun, 21 Sep 2008 16:05:39 -0700

Releases

Vidalia 0.1.7 (released August 2) fixes a bug that caused Vidalia to not recognize Tor's version correctly in Tor 0.2.0.x, adds an "nsh2po" tool that helps Pootle translate the Vidalia bundle installer strings, adds "TZ=UTC" to the BrowserExecutable's environment variables when launched via Vidalia, and updates the Czech, French, and German translations.
http://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.1.7/CHANG...

Incognito 2008.1 (released August 2) is a Gentoo-based Tor LiveCD. This new release adds a "walkthrough" which will launch on startup; adds language support for Arabic, Green, Hebrew, Russian, and Swedish; improves the support for Chinese and Japanese fonts; adds support for VMWare and partial support for VirtualBox; switches to Tor 0.2.0.30 and Torbutton 1.2.0; and adds some new privacy-supporting software and removes some applications that are too likely to leak private information.
https://svn.torproject.org/svn/incognito/trunk/ChangeLog

Tor 0.2.1.3-alpha (released August 3) implements most of the pieces to prevent infinite-length circuit attacks (see proposal 110); fixes a bug that might cause exit relays to corrupt streams they send back; allows address patterns (e.g. 255.128.0.0/16) to appear in ExcludeNodes and ExcludeExitNodes config options; and fixes a big pile of bugs.
http://archives.seul.org/or/talk/Aug-2008/msg00039.html

Tor 0.2.1.4-alpha (released August 4) fixes a pair of crash bugs in 0.2.1.3-alpha.
http://archives.seul.org/or/talk/Aug-2008/msg00039.html

Tor Browser Bundle 1.1.2 (released August 9) updates Vidalia to version 0.1.6, updates Firefox to 2.0.0.16, updates Tor to 0.2.1.4-alpha, updates Torbutton to 1.2.0, and disables the TZ=UTC environment variable trick since Vidalia 0.1.7 now handles that for us.
https://svn.torproject.org/svn/torbrowser/trunk/README

Vidalia 0.1.8 (released August 17) makes the bandwidth graph window look better for languages like Farsi, includes ssleay32.dll in the Windows packages so Vidalia won't crash when it finds an incompatible version of ssleay32.dll in the user's $PATH, makes "escape" and "return" shortcuts for the settings window, and fixes a variety of other bugs.
http://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.1.8/CHANG...

Tor 0.2.0.30 (released July 15, announced August 21) switches to a more efficient directory distribution design, adds features to make connections to the Tor network harder to block, allows Tor to act as a DNS proxy, adds separate rate limiting for relayed traffic to make it easier for clients to become relays, fixes a variety of potential anonymity problems, and includes the usual huge pile of other features and bug fixes.
http://archives.seul.org/or/announce/Aug-2008/msg00000.html

Tor Browser Bundle 1.1.3 (released August 22) fixes a bug in the 0.1.2 release that messed up translations in the homepage, adds "small=1" to the homepage URL so it doesn't show the huge green onion by default, and updates Vidalia to 0.1.8.
https://svn.torproject.org/svn/torbrowser/trunk/README

Tor 0.2.1.5-alpha (released August 31) moves us closer to handling IPv6 destinations, puts in a lot of the infrastructure for adding authorization to hidden services, lays the groundwork for having clients read their load balancing information out of the networkstatus consensus rather than the individual router descriptors, addresses two potential anonymity issues, and fixes a variety of smaller issues.
http://archives.seul.org/or/talk/Sep-2008/msg00072.html

Blocking resistance
The Tor 0.2.1.3-alpha and 0.2.1.4-alpha releases include more fixes for hidden service performance and robustness, have slightly improved bootstrap status event behavior, and start hunting down a horrible bug that looks like it could leak private information:
https://bugs.torproject.org/flyspray/index.php?do=details&id=779

Now that the Tor 0.2.0.30 release has been declared stable, ordinary users will finally get bridge features, the new harder-to-block network protocol, and other features by default.

Core Development
We're working on a draft for a new "automatic software update" protocol, code-named Glider, that incorporates the previous proposals 153 and 154 but is easier to extend to other packages, and is easier to implement and maintain on the server side. We hope to have this new draft out as an actual proposal document, along with some early prototypes of the server side, in September.
https://svn.torproject.org/svn/updater/trunk/specs/glider-spec.txt
Part of the ongoing development question is how to write the client side of this auto update engine in a convenient and easy language like Python, yet have it still be extremely compact on the client side -- since Windows doesn't include Python by default, shipping a Python interpreter with the auto updater could add 10MB to the package size.

Roger sent the list of "research directions we should look at" to or-dev, so more people could look at it:
http://archives.seul.org/or/dev/Aug-2008/msg00031.html
We are working these items into a more comprehensive research and development roadmap; stay tuned.

Advocacy
We answered a lot of press organizations about Tor and the Olympics this month. Our main goal was to explain to technical people how bridges work, what they're for, and explain that in most countries right now Tor works just fine out of the box, so bridges are the backup plan for later down the arms race. The CCC (and others) succeeded in making some good press articles, e.g.
http://www.rsf.org/article.php3?id_article=27991
http://www.guardian.co.uk/technology/2008/aug/07/censorship.hacking
http://www.guardian.co.uk/commentisfree/2008/aug/05/china.censorship

Roger attended Black Hat and Defcon. His Defcon talk was:
"Attacks/Vulnerabilities on Tor: past, present, future"
Slides are at http://freehaven.net/~arma/slides-dc08.pdf
He had a packed room of 500+ people. Lucky Green summarized his take-away from the talk as "we would love to work with you if you find any problems with Tor, and we have a good track record of working well with the community." That sounds like what we were aiming for. We're still waiting for the video to come out so we can link to it from the documentation page.

We also talked a lot with the Mozilla people about privacy-impacting bugs in Firefox. We have a list now:
https://www.torproject.org/torbutton/design/#FirefoxBugs
and should start looking for good Firefox developers to fix them and funding to incent them to do so.

We put up our mid-August NLnet reports:
https://www.torproject.org/projects/hidserv#Aug08
https://www.torproject.org/projects/lowbandwidth#Aug08

Jacob spent a long week of hacking in Argentina, for DebConf 8 (the yearly Debian Conference). Lots of Tor advocacy. Another box of Tor stickers applied to many many laptops. Lots of people were interested in Tor and many many people installed Tor on both laptops and servers. This advocacy resulted in at least two new high bandwidth nodes that he helped the administrators configure. The first is in Japan. The second is our first major high bandwidth node in New Zealand.

Coverity (coverity.com) is now scanning Tor. It found a bunch of minor memory leaks, a few false positives, and some other miscellaneous bugs. Nick fixed almost all of the bugs in a quick afternoon, excepting some testing code that has some resource leaks. Jacob is going to work on getting other Tor related projects into Coverity.

Mike Perry has been working lately on publicity for moving more high-profile websites to use SSL correctly. Last year at Defcon he reported a bug in how many sites (including GMail) handle their cookies: he basically described an easy way for anybody in Starbucks to steal your GMail cookie and log into your gmail account, even if you are always very careful to only use "https" when logging in to your gmail account. The attack works because cookies *can* be set with an "only present this cookie on an SSL connection" flag when they're created, but no sites actually set this flag because they are concerned about usability. This attack is easy to perform as a Tor exit relay too. This year, Mike presented an actual tool that performs this attack on a local wireless network in an automated way. Some high-profile sites are slowly moving to use more secure login approaches.

Matt Edman finished running the "Vidalia logo design contest". The contest resulted in 76 entries. There were a lot of questionable submissions (Vidalia ninjas?!), but there were also a few great ones. He is tending towards this entry as his choice for the new Vidalia logo:
http://www.worth1000.com/view.asp?entry=479229

Usability
Incognito 2008.1 (released August 2) is a Gentoo-based Tor LiveCD. This new release adds a "walkthrough" which will launch on startup; adds language support for Arabic, Green, Hebrew, Russian, and Swedish; improves the support for Chinese and Japanese fonts; adds support for VMWare and partial support for VirtualBox; switches to Tor 0.2.0.30 and Torbutton 1.2.0; and adds some new privacy-supporting software and removes some applications that are too likely to leak private information.
https://svn.torproject.org/svn/incognito/trunk/ChangeLog

Incognito now comes with much more thorough documentation about which software packages are included, and how they are configured:
http://www.browseanonymouslyanywhere.com/incognito/uploadfiles/docs.html

Incognito's next step is to work on a "hardened" option that uses a more secure kernel and other applications. The goal is to keep the same usability but be even less vulnerable to application-level and kernel-level attacks that could be used to gain access to the system and then try to unveil the user.

Tor Browser Bundle 1.1.2 (released August 9) updates Vidalia to release 0.1.6, updates Firefox to 2.0.0.16, updates Tor to 0.2.1.4-alpha, updates Torbutton to 1.2.0, and disables the TZ=UTC environment variable trick since Vidalia 0.1.7 now handles that for us.
https://svn.torproject.org/svn/torbrowser/trunk/README

We're working on a new branch of Vidalia that can be used in Tor Browser Bundle, for launching Firefox directly without needing the extra installer scripts called "Firefox Portable". If we get this working, then we can hopefully make progress on running multiple Firefoxes at once (one used for Tor launched by TBB, and one used for non-Tor).
http://trac.vidalia-project.net/browser/vidalia/branches/alt-launcher

The German CCC organization put together a version of the Tor Browser Bundle called the "Freedom Stick" for use in teaching the media about the Chinese firewall and the Olympics:
http://chinesewall.ccc.de/freedomstick-en.html

Scalability
From the Tor 0.2.1.5-alpha ChangeLog:
"More progress toward proposal 141: Network status consensus documents and votes now contain bandwidth information for each router and a summary of that router's exit policy. Eventually this will be used by clients so that they do not have to download every known descriptor before building circuits."

We're worked on getting "Tor Weather" back up and working:
https://weather.torproject.org/
Weather is a service to let relay operators get notified when their relay is unreachable for an extended period of time. It's still in its early experimental stages, but it's already proved useful to its early testers. It's also using SSL as its base URL now.

Jacob has also been working on a Tor network map, to visualize where our relays are. Using all of the known descriptors, it maps each node with some GeoIP code and plot it onto a map. You can interact with the data to see the IP address of each node, the node name and the city/country information if we could find it. Sadly, it *will* lock your browser up for one or two minutes, as there's a lot of data to parse:
http://freehaven.net/~ioerror/maps/v3-tormap.html

Tor 0.2.0.31 Released

phobos — Mon, 08 Sep 2008 21:34:15 -0700

A better formatted version of this can be found at the OR-Announce Archives.

Tor 0.2.0.31 addresses two potential anonymity issues, starts to fix
a big bug we're seeing where in rare cases traffic from one Tor stream
gets mixed into another stream, and fixes a variety of smaller issues.

https://www.torproject.org/download.html

Changes in version 0.2.0.31 - 2008-09-03
o Major bugfixes:
- Make sure that two circuits can never exist on the same connection
with the same circuit ID, even if one is marked for close. This
is conceivably a bugfix for bug 779. Bugfix on 0.1.0.4-rc.
- Relays now reject risky extend cells: if the extend cell includes
a digest of all zeroes, or asks to extend back to the relay that
sent the extend cell, tear down the circuit. Ideas suggested
by rovv.
- If not enough of our entry guards are available so we add a new
one, we might use the new one even if it overlapped with the
current circuit's exit relay (or its family). Anonymity bugfix
pointed out by rovv.

o Minor bugfixes:
- Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
- Correctly detect the presence of the linux/netfilter_ipv4.h header
when building against recent kernels. Bugfix on 0.1.2.1-alpha.
- Pick size of default geoip filename string correctly on windows.
Fixes bug 806. Bugfix on 0.2.0.30.
- Make the autoconf script accept the obsolete --with-ssl-dir
option as an alias for the actually-working --with-openssl-dir
option. Fix the help documentation to recommend --with-openssl-dir.
Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.
- Disallow session resumption attempts during the renegotiation
stage of the v2 handshake protocol. Clients should never be trying
session resumption at this point, but apparently some did, in
ways that caused the handshake to fail. Bug found by Geoff Goodell.
Bugfix on 0.2.0.20-rc.
- When using the TransPort option on OpenBSD, and using the User
option to change UID and drop privileges, make sure to open
/dev/pf before dropping privileges. Fixes bug 782. Patch from
Christopher Davis. Bugfix on 0.1.2.1-alpha.
- Try to attach connections immediately upon receiving a RENDEZVOUS2
or RENDEZVOUS_ESTABLISHED cell. This can save a second or two
on the client side when connecting to a hidden service. Bugfix
on 0.0.6pre1. Found and fixed by Christian Wilms; resolves bug 743.
- When closing an application-side connection because its circuit is
getting torn down, generate the stream event correctly. Bugfix on
0.1.2.x. Anonymous patch.

Tor 0.2.0.30 is released as stable

phobos — Mon, 25 Aug 2008 19:48:37 -0700

Tor 0.2.0.30 is released. A better formatted version of this report can be found at gmane.org

Tor 0.2.0.30 switches to a more efficient directory distribution design,
adds features to make connections to the Tor network harder to block,
allows Tor to act as a DNS proxy, adds separate rate limiting for relayed
traffic to make it easier for clients to become relays, fixes a variety
of potential anonymity problems, and includes the usual huge pile of
other features and bug fixes.

https://www.torproject.org/download.html

Changes in version 0.2.0.30 - 2008-07-15
o New v3 directory design:
- Tor now uses a new way to learn about and distribute information
about the network: the directory authorities vote on a common
network status document rather than each publishing their own
opinion. Now clients and caches download only one networkstatus
document to bootstrap, rather than downloading one for each
authority. Clients only download router descriptors listed in
the consensus. Implements proposal 101; see doc/spec/dir-spec.txt
for details.
- Set up moria1, tor26, and dizum as v3 directory authorities
in addition to being v2 authorities. Also add three new ones:
ides (run by Mike Perry), gabelmoo (run by Karsten Loesing), and
dannenberg (run by CCC).
- Switch to multi-level keys for directory authorities: now their
long-term identity key can be kept offline, and they periodically
generate a new signing key. Clients fetch the "key certificates"
to keep up to date on the right keys. Add a standalone tool
"tor-gencert" to generate key certificates. Implements proposal 103.
- Add a new V3AuthUseLegacyKey config option to make it easier for
v3 authorities to change their identity keys if another bug like
Debian's OpenSSL RNG flaw appears.
- Authorities and caches fetch the v2 networkstatus documents
less often, now that v3 is recommended.

o Make Tor connections stand out less on the wire:
- Use an improved TLS handshake designed by Steven Murdoch in proposal
124, as revised in proposal 130. The new handshake is meant to
be harder for censors to fingerprint, and it adds the ability
to detect certain kinds of man-in-the-middle traffic analysis
attacks. The new handshake format includes version negotiation for
OR connections as described in proposal 105, which will allow us
to improve Tor's link protocol more safely in the future.
- Enable encrypted directory connections by default for non-relays,
so censor tools that block Tor directory connections based on their
plaintext patterns will no longer work. This means Tor works in
certain censored countries by default again.
- Stop including recognizeable strings in the commonname part of
Tor's x509 certificates.

o Implement bridge relays:
- Bridge relays (or "bridges" for short) are Tor relays that aren't
listed in the main Tor directory. Since there is no complete public
list of them, even an ISP that is filtering connections to all the
known Tor relays probably won't be able to block all the bridges.
See doc/design-paper/blocking.pdf and proposal 125 for details.
- New config option BridgeRelay that specifies you want to be a
bridge relay rather than a normal relay. When BridgeRelay is set
to 1, then a) you cache dir info even if your DirPort ins't on,
and b) the default for PublishServerDescriptor is now "bridge"
rather than "v2,v3".
- New config option "UseBridges 1" for clients that want to use bridge
relays instead of ordinary entry guards. Clients then specify
bridge relays by adding "Bridge" lines to their config file. Users
can learn about a bridge relay either manually through word of
mouth, or by one of our rate-limited mechanisms for giving out
bridge addresses without letting an attacker easily enumerate them
all. See https://www.torproject.org/bridges for details.
- Bridge relays behave like clients with respect to time intervals
for downloading new v3 consensus documents -- otherwise they
stand out. Bridge users now wait until the end of the interval,
so their bridge relay will be sure to have a new consensus document.

o Implement bridge directory authorities:
- Bridge authorities are like normal directory authorities, except
they don't serve a list of known bridges. Therefore users that know
a bridge's fingerprint can fetch a relay descriptor for that bridge,
including fetching updates e.g. if the bridge changes IP address,
yet an attacker can't just fetch a list of all the bridges.
- Set up Tonga as the default bridge directory authority.
- Bridge authorities refuse to serve bridge descriptors or other
bridge information over unencrypted connections (that is, when
responding to direct DirPort requests rather than begin_dir cells.)
- Bridge directory authorities do reachability testing on the
bridges they know. They provide router status summaries to the
controller via "getinfo ns/purpose/bridge", and also dump summaries
to a file periodically, so we can keep internal stats about which
bridges are functioning.
- If bridge users set the UpdateBridgesFromAuthority config option,
but the digest they ask for is a 404 on the bridge authority,
they fall back to contacting the bridge directly.
- Bridges always use begin_dir to publish their server descriptor to
the bridge authority using an anonymous encrypted tunnel.
- Early work on a "bridge community" design: if bridge authorities set
the BridgePassword config option, they will serve a snapshot of
known bridge routerstatuses from their DirPort to anybody who
knows that password. Unset by default.
- Tor now includes an IP-to-country GeoIP file, so bridge relays can
report sanitized aggregated summaries in their extra-info documents
privately to the bridge authority, listing which countries are
able to reach them. We hope this mechanism will let us learn when
certain countries start trying to block bridges.
- Bridge authorities write bridge descriptors to disk, so they can
reload them after a reboot. They can also export the descriptors
to other programs, so we can distribute them to blocked users via
the BridgeDB interface, e.g. via https://bridges.torproject.org/
and bridges torproject.org.

o Tor can be a DNS proxy:
- The new client-side DNS proxy feature replaces the need for
dns-proxy-tor: Just set "DNSPort 9999", and Tor will now listen
for DNS requests on port 9999, use the Tor network to resolve them
anonymously, and send the reply back like a regular DNS server.
The code still only implements a subset of DNS.
- Add a new AutomapHostsOnResolve option: when it is enabled, any
resolve request for hosts matching a given pattern causes Tor to
generate an internal virtual address mapping for that host. This
allows DNSPort to work sensibly with hidden service users. By
default, .exit and .onion addresses are remapped; the list of
patterns can be reconfigured with AutomapHostsSuffixes.
- Add an "-F" option to tor-resolve to force a resolve for a .onion
address. Thanks to the AutomapHostsOnResolve option, this is no
longer a completely silly thing to do.

o Major features (relay usability):
- New config options RelayBandwidthRate and RelayBandwidthBurst:
a separate set of token buckets for relayed traffic. Right now
relayed traffic is defined as answers to directory requests, and
OR connections that don't have any local circuits on them. See
proposal 111 for details.
- Create listener connections before we setuid to the configured
User and Group. Now non-Windows users can choose port values
under 1024, start Tor as root, and have Tor bind those ports
before it changes to another UID. (Windows users could already
pick these ports.)
- Added a new ConstrainedSockets config option to set SO_SNDBUF and
SO_RCVBUF on TCP sockets. Hopefully useful for Tor servers running
on "vserver" accounts. Patch from coderman.

o Major features (directory authorities):
- Directory authorities track weighted fractional uptime and weighted
mean-time-between failures for relays. WFU is suitable for deciding
whether a node is "usually up", while MTBF is suitable for deciding
whether a node is "likely to stay up." We need both, because
"usually up" is a good requirement for guards, while "likely to
stay up" is a good requirement for long-lived connections.
- Directory authorities use a new formula for selecting which relays
to advertise as Guards: they must be in the top 7/8 in terms of
how long we have known about them, and above the median of those
nodes in terms of weighted fractional uptime.
- Directory authorities use a new formula for selecting which relays
to advertise as Stable: when we have 4 or more days of data, use
median measured MTBF rather than median declared uptime. Implements
proposal 108.
- Directory authorities accept and serve "extra info" documents for
routers. Routers now publish their bandwidth-history lines in the
extra-info docs rather than the main descriptor. This step saves
60% (!) on compressed router descriptor downloads. Servers upload
extra-info docs to any authority that accepts them; directory
authorities now allow multiple router descriptors and/or extra
info documents to be uploaded in a single go. Authorities, and
caches that have been configured to download extra-info documents,
download them as needed. Implements proposal 104.
- Authorities now list relays who have the same nickname as
a different named relay, but list them with a new flag:
"Unnamed". Now we can make use of relays that happen to pick the
same nickname as a server that registered two years ago and then
disappeared. Implements proposal 122.
- Store routers in a file called cached-descriptors instead of in
cached-routers. Initialize cached-descriptors from cached-routers
if the old format is around. The new format allows us to store
annotations along with descriptors, to record the time we received
each descriptor, its source, and its purpose: currently one of
general, controller, or bridge.

o Major features (other):
- New config options WarnPlaintextPorts and RejectPlaintextPorts so
Tor can warn and/or refuse connections to ports commonly used with
vulnerable-plaintext protocols. Currently we warn on ports 23,
109, 110, and 143, but we don't reject any. Based on proposal 129
by Kevin Bauer and Damon McCoy.
- Integrate Karsten Loesing's Google Summer of Code project to publish
hidden service descriptors on a set of redundant relays that are a
function of the hidden service address. Now we don't have to rely
on three central hidden service authorities for publishing and
fetching every hidden service descriptor. Implements proposal 114.
- Allow tunnelled directory connections to ask for an encrypted
"begin_dir" connection or an anonymized "uses a full Tor circuit"
connection independently. Now we can make anonymized begin_dir
connections for (e.g.) more secure hidden service posting and
fetching.

o Major bugfixes (crashes and assert failures):
- Stop imposing an arbitrary maximum on the number of file descriptors
used for busy servers. Bug reported by Olaf Selke; patch from
Sebastian Hahn.
- Avoid possible failures when generating a directory with routers
with over-long versions strings, or too many flags set.
- Fix a rare assert error when we're closing one of our threads:
use a mutex to protect the list of logs, so we never write to the
list as it's being freed. Fixes the very rare bug 575, which is
kind of the revenge of bug 222.
- Avoid segfault in the case where a badly behaved v2 versioning
directory sends a signed networkstatus with missing client-versions.
- When we hit an EOF on a log (probably because we're shutting down),
don't try to remove the log from the list: just mark it as
unusable. (Bulletproofs against bug 222.)

o Major bugfixes (code security fixes):
- Detect size overflow in zlib code. Reported by Justin Ferguson and
Dan Kaminsky.
- Rewrite directory tokenization code to never run off the end of
a string. Fixes bug 455. Patch from croup.
- Be more paranoid about overwriting sensitive memory on free(),
as a defensive programming tactic to ensure forward secrecy.

o Major bugfixes (anonymity fixes):
- Reject requests for reverse-dns lookup of names that are in
a private address space. Patch from lodger.
- Never report that we've used more bandwidth than we're willing to
relay: it leaks how much non-relay traffic we're using. Resolves
bug 516.
- As a client, do not believe any server that tells us that an
address maps to an internal address space.
- Warn about unsafe ControlPort configurations.
- Directory authorities now call routers Fast if their bandwidth is
at least 100KB/s, and consider their bandwidth adequate to be a
Guard if it is at least 250KB/s, no matter the medians. This fix
complements proposal 107.
- Directory authorities now never mark more than 2 servers per IP as
Valid and Running (or 5 on addresses shared by authorities).
Implements proposal 109, by Kevin Bauer and Damon McCoy.
- If we're a relay, avoid picking ourselves as an introduction point,
a rendezvous point, or as the final hop for internal circuits. Bug
reported by taranis and lodger.
- Exit relays that are used as a client can now reach themselves
using the .exit notation, rather than just launching an infinite
pile of circuits. Fixes bug 641. Reported by Sebastian Hahn.
- Fix a bug where, when we were choosing the 'end stream reason' to
put in our relay end cell that we send to the exit relay, Tor
clients on Windows were sometimes sending the wrong 'reason'. The
anonymity problem is that exit relays may be able to guess whether
the client is running Windows, thus helping partition the anonymity
set. Down the road we should stop sending reasons to exit relays,
or otherwise prevent future versions of this bug.
- Only update guard status (usable / not usable) once we have
enough directory information. This was causing us to discard all our
guards on startup if we hadn't been running for a few weeks. Fixes
bug 448.
- When our directory information has been expired for a while, stop
being willing to build circuits using it. Fixes bug 401.

o Major bugfixes (peace of mind for relay operators)
- Non-exit relays no longer answer "resolve" relay cells, so they
can't be induced to do arbitrary DNS requests. (Tor clients already
avoid using non-exit relays for resolve cells, but now servers
enforce this too.) Fixes bug 619. Patch from lodger.
- When we setconf ClientOnly to 1, close any current OR and Dir
listeners. Reported by mwenge.

o Major bugfixes (other):
- If we only ever used Tor for hidden service lookups or posts, we
would stop building circuits and start refusing connections after
24 hours, since we falsely believed that Tor was dormant. Reported
by nwf.
- Add a new __HashedControlSessionPassword option for controllers
to use for one-off session password hashes that shouldn't get
saved to disk by SAVECONF --- Vidalia users were accumulating a
pile of HashedControlPassword lines in their torrc files, one for
each time they had restarted Tor and then clicked Save. Make Tor
automatically convert "HashedControlPassword" to this new option but
only when it's given on the command line. Partial fix for bug 586.
- Patch from "Andrew S. Lists" to catch when we contact a directory
mirror at IP address X and he says we look like we're coming from
IP address X. Otherwise this would screw up our address detection.
- Reject uploaded descriptors and extrainfo documents if they're
huge. Otherwise we'll cache them all over the network and it'll
clog everything up. Suggested by Aljosha Judmayer.
- When a hidden service was trying to establish an introduction point,
and Tor *did* manage to reuse one of the preemptively built
circuits, it didn't correctly remember which one it used,
so it asked for another one soon after, until there were no
more preemptive circuits, at which point it launched one from
scratch. Bugfix on 0.0.9.x.

o Rate limiting and load balancing improvements:
- When we add data to a write buffer in response to the data on that
write buffer getting low because of a flush, do not consider the
newly added data as a candidate for immediate flushing, but rather
make it wait until the next round of writing. Otherwise, we flush
and refill recursively, and a single greedy TLS connection can
eat all of our bandwidth.
- When counting the number of bytes written on a TLS connection,
look at the BIO actually used for writing to the network, not
at the BIO used (sometimes) to buffer data for the network.
Looking at different BIOs could result in write counts on the
order of ULONG_MAX. Fixes bug 614.
- If we change our MaxAdvertisedBandwidth and then reload torrc,
Tor won't realize it should publish a new relay descriptor. Fixes
bug 688, reported by mfr.
- Avoid using too little bandwidth when our clock skips a few seconds.
- Choose which bridge to use proportional to its advertised bandwidth,
rather than uniformly at random. This should speed up Tor for
bridge users. Also do this for people who set StrictEntryNodes.

o Bootstrapping faster and building circuits more intelligently:
- Fix bug 660 that was preventing us from knowing that we should
preemptively build circuits to handle expected directory requests.
- When we're checking if we have enough dir info for each relay
to begin establishing circuits, make sure that we actually have
the descriptor listed in the consensus, not just any descriptor.
- Correctly notify one-hop connections when a circuit build has
failed. Possible fix for bug 669. Found by lodger.
- Clients now hold circuitless TLS connections open for 1.5 times
MaxCircuitDirtiness (15 minutes), since it is likely that they'll
rebuild a new circuit over them within that timeframe. Previously,
they held them open only for KeepalivePeriod (5 minutes).

o Performance improvements (memory):
- Add OpenBSD malloc code from "phk" as an optional malloc
replacement on Linux: some glibc libraries do very poorly with
Tor's memory allocation patterns. Pass --enable-openbsd-malloc to
./configure to get the replacement malloc code.
- Switch our old ring buffer implementation for one more like that
used by free Unix kernels. The wasted space in a buffer with 1mb
of data will now be more like 8k than 1mb. The new implementation
also avoids realloc();realloc(); patterns that can contribute to
memory fragmentation.
- Change the way that Tor buffers data that it is waiting to write.
Instead of queueing data cells in an enormous ring buffer for each
client->OR or OR->OR connection, we now queue cells on a separate
queue for each circuit. This lets us use less slack memory, and
will eventually let us be smarter about prioritizing different kinds
of traffic.
- Reference-count and share copies of address policy entries; only 5%
of them were actually distinct.
- Tune parameters for cell pool allocation to minimize amount of
RAM overhead used.
- Keep unused 4k and 16k buffers on free lists, rather than wasting 8k
for every single inactive connection_t. Free items from the
4k/16k-buffer free lists when they haven't been used for a while.
- Make memory debugging information describe more about history
of cell allocation, so we can help reduce our memory use.
- Be even more aggressive about releasing RAM from small
empty buffers. Thanks to our free-list code, this shouldn't be too
performance-intensive.
- Log malloc statistics from mallinfo() on platforms where it exists.
- Use memory pools to allocate cells with better speed and memory
efficiency, especially on platforms where malloc() is inefficient.
- Add a --with-tcmalloc option to the configure script to link
against tcmalloc (if present). Does not yet search for non-system
include paths.

o Performance improvements (socket management):
- Count the number of open sockets separately from the number of
active connection_t objects. This will let us avoid underusing
our allocated connection limit.
- We no longer use socket pairs to link an edge connection to an
anonymous directory connection or a DirPort test connection.
Instead, we track the link internally and transfer the data
in-process. This saves two sockets per "linked" connection (at the
client and at the server), and avoids the nasty Windows socketpair()
workaround.
- We were leaking a file descriptor if Tor started with a zero-length
cached-descriptors file. Patch by "freddy77".

o Performance improvements (CPU use):
- Never walk through the list of logs if we know that no log target
is interested in a given message.
- Call routerlist_remove_old_routers() much less often. This should
speed startup, especially on directory caches.
- Base64 decoding was actually showing up on our profile when parsing
the initial descriptor file; switch to an in-process all-at-once
implementation that's about 3.5x times faster than calling out to
OpenSSL.
- Use a slightly simpler string hashing algorithm (copying Python's
instead of Java's) and optimize our digest hashing algorithm to take
advantage of 64-bit platforms and to remove some possibly-costly
voodoo.
- When implementing AES counter mode, update only the portions of the
counter buffer that need to change, and don't keep separate
network-order and host-order counters on big-endian hosts (where
they are the same).
- Add an in-place version of aes_crypt() so that we can avoid doing a
needless memcpy() call on each cell payload.
- Use Critical Sections rather than Mutexes for synchronizing threads
on win32; Mutexes are heavier-weight, and designed for synchronizing
between processes.

o Performance improvements (bandwidth use):
- Don't try to launch new descriptor downloads quite so often when we
already have enough directory information to build circuits.
- Version 1 directories are no longer generated in full. Instead,
authorities generate and serve "stub" v1 directories that list
no servers. This will stop Tor versions 0.1.0.x and earlier from
working, but (for security reasons) nobody should be running those
versions anyway.
- Avoid going directly to the directory authorities even if you're a
relay, if you haven't found yourself reachable yet or if you've
decided not to advertise your dirport yet. Addresses bug 556.
- If we've gone 12 hours since our last bandwidth check, and we
estimate we have less than 50KB bandwidth capacity but we could
handle more, do another bandwidth test.
- Support "If-Modified-Since" when answering HTTP requests for
directories, running-routers documents, and v2 and v3 networkstatus
documents. (There's no need to support it for router descriptors,
since those are downloaded by descriptor digest.)
- Stop fetching directory info so aggressively if your DirPort is
on but your ORPort is off; stop fetching v2 dir info entirely.
You can override these choices with the new FetchDirInfoEarly
config option.

o Changed config option behavior (features):
- Configuration files now accept C-style strings as values. This
helps encode characters not allowed in the current configuration
file format, such as newline or #. Addresses bug 557.
- Add hidden services and DNSPorts to the list of things that make
Tor accept that it has running ports. Change starting Tor with no
ports from a fatal error to a warning; we might change it back if
this turns out to confuse anybody. Fixes bug 579.
- Make PublishServerDescriptor default to 1, so the default doesn't
have to change as we invent new directory protocol versions.
- Allow people to say PreferTunnelledDirConns rather than
PreferTunneledDirConns, for those alternate-spellers out there.
- Raise the default BandwidthRate/BandwidthBurst to 5MB/10MB, to
accommodate the growing number of servers that use the default
and are reaching it.
- Make it possible to enable HashedControlPassword and
CookieAuthentication at the same time.
- When a TrackHostExits-chosen exit fails too many times in a row,
stop using it. Fixes bug 437.

o Changed config option behavior (bugfixes):
- Do not read the configuration file when we've only been told to
generate a password hash. Fixes bug 643. Bugfix on 0.0.9pre5. Fix
based on patch from Sebastian Hahn.
- Actually validate the options passed to AuthDirReject,
AuthDirInvalid, AuthDirBadDir, and AuthDirBadExit.
- Make "ClientOnly 1" config option disable directory ports too.
- Don't stop fetching descriptors when FetchUselessDescriptors is
set, even if we stop asking for circuits. Bug reported by tup
and ioerror.
- Servers used to decline to publish their DirPort if their
BandwidthRate or MaxAdvertisedBandwidth were below a threshold. Now
they look only at BandwidthRate and RelayBandwidthRate.
- Treat "2gb" when given in torrc for a bandwidth as meaning 2gb,
minus 1 byte: the actual maximum declared bandwidth.
- Make "TrackHostExits ." actually work. Bugfix on 0.1.0.x.
- Make the NodeFamilies config option work. (Reported by
lodger -- it has never actually worked, even though we added it
in Oct 2004.)
- If Tor is invoked from something that isn't a shell (e.g. Vidalia),
now we expand "-f ~/.tor/torrc" correctly. Suggested by Matt Edman.

o New config options:
- New configuration options AuthDirMaxServersPerAddr and
AuthDirMaxServersperAuthAddr to override default maximum number
of servers allowed on a single IP address. This is important for
running a test network on a single host.
- Three new config options (AlternateDirAuthority,
AlternateBridgeAuthority, and AlternateHSAuthority) that let the
user selectively replace the default directory authorities by type,
rather than the all-or-nothing replacement that DirServer offers.
- New config options AuthDirBadDir and AuthDirListBadDirs for
authorities to mark certain relays as "bad directories" in the
networkstatus documents. Also supports the "!baddir" directive in
the approved-routers file.
- New config option V2AuthoritativeDirectory that all v2 directory
authorities must set. This lets v3 authorities choose not to serve
v2 directory information.

o Minor features (other):
- When we're not serving v2 directory information, there is no reason
to actually keep any around. Remove the obsolete files and directory
on startup if they are very old and we aren't going to serve them.
- When we negotiate a v2 link-layer connection (not yet implemented),
accept RELAY_EARLY cells and turn them into RELAY cells if we've
negotiated a v1 connection for their next step. Initial steps for
proposal 110.
- When we have no consensus, check FallbackNetworkstatusFile (defaults
to $PREFIX/share/tor/fallback-consensus) for a consensus. This way
we can start out knowing some directory caches. We don't ship with
a fallback consensus by default though, because it was making
bootstrapping take too long while we tried many down relays.
- Authorities send back an X-Descriptor-Not-New header in response to
an accepted-but-discarded descriptor upload. Partially implements
fix for bug 535.
- If we find a cached-routers file that's been sitting around for more
than 28 days unmodified, then most likely it's a leftover from
when we upgraded to 0.2.0.8-alpha. Remove it. It has no good
routers anyway.
- When we (as a cache) download a descriptor because it was listed
in a consensus, remember when the consensus was supposed to expire,
and don't expire the descriptor until then.
- Optionally (if built with -DEXPORTMALLINFO) export the output
of mallinfo via http, as tor/mallinfo.txt. Only accessible
from localhost.
- Tag every guard node in our state file with the version that
we believe added it, or with our own version if we add it. This way,
if a user temporarily runs an old version of Tor and then switches
back to a new one, she doesn't automatically lose her guards.
- When somebody requests a list of statuses or servers, and we have
none of those, return a 404 rather than an empty 200.
- Merge in some (as-yet-unused) IPv6 address manipulation code. (Patch
from croup.)
- Add an HSAuthorityRecordStats option that hidden service authorities
can use to track statistics of overall hidden service usage without
logging information that would be as useful to an attacker.
- Allow multiple HiddenServicePort directives with the same virtual
port; when they occur, the user is sent round-robin to one
of the target ports chosen at random. Partially fixes bug 393 by
adding limited ad-hoc round-robining.
- Revamp file-writing logic so we don't need to have the entire
contents of a file in memory at once before we write to disk. Tor,
meet stdio.

o Minor bugfixes (other):
- Alter the code that tries to recover from unhandled write
errors, to not try to flush onto a socket that's given us
unhandled errors.
- Directory mirrors no longer include a guess at the client's IP
address if the connection appears to be coming from the same /24
network; it was producing too many wrong guesses.
- If we're trying to flush the last bytes on a connection (for
example, when answering a directory request), reset the
time-to-give-up timeout every time we manage to write something
on the socket.
- Reject router descriptors with out-of-range bandwidthcapacity or
bandwidthburst values.
- If we can't expand our list of entry guards (e.g. because we're
using bridges or we have StrictEntryNodes set), don't mark relays
down when they fail a directory request. Otherwise we're too quick
to mark all our entry points down.
- Authorities no longer send back "400 you're unreachable please fix
it" errors to Tor servers that aren't online all the time. We're
supposed to tolerate these servers now.
- Let directory authorities startup even when they can't generate
a descriptor immediately, e.g. because they don't know their
address.
- Correctly enforce that elements of directory objects do not appear
more often than they are allowed to appear.
- Stop allowing hibernating servers to be "stable" or "fast".
- On Windows, we were preventing other processes from reading
cached-routers while Tor was running. (Reported by janbar)
- Check return values from pthread_mutex functions.
- When opening /dev/null in finish_daemonize(), do not pass the
O_CREAT flag. Fortify was complaining, and correctly so. Fixes
bug 742; fix from Michael Scherer. Bugfix on 0.0.2pre19.

o Controller features:
- The GETCONF command now escapes and quotes configuration values
that don't otherwise fit into the torrc file.
- The SETCONF command now handles quoted values correctly.
- Add "GETINFO/desc-annotations/id/≤OR digest>" so controllers can
ask about source, timestamp of arrival, purpose, etc. We need
something like this to help Vidalia not do GeoIP lookups on bridge
addresses.
- Allow multiple HashedControlPassword config lines, to support
multiple controller passwords.
- Accept LF instead of CRLF on controller, since some software has a
hard time generating real Internet newlines.
- Add GETINFO values for the server status events
"REACHABILITY_SUCCEEDED" and "GOOD_SERVER_DESCRIPTOR". Patch from
Robert Hogan.
- There is now an ugly, temporary "desc/all-recent-extrainfo-hack"
GETINFO for Torstat to use until it can switch to using extrainfos.
- New config option CookieAuthFile to choose a new location for the
cookie authentication file, and config option
CookieAuthFileGroupReadable to make it group-readable.
- Add a SOURCE_ADDR field to STREAM NEW events so that controllers can
match requests to applications. Patch from Robert Hogan.
- Add a RESOLVE command to launch hostname lookups. Original patch
from Robert Hogan.
- Add GETINFO status/enough-dir-info to let controllers tell whether
Tor has downloaded sufficient directory information. Patch from Tup.
- You can now use the ControlSocket option to tell Tor to listen for
controller connections on Unix domain sockets on systems that
support them. Patch from Peter Palfrader.
- New "GETINFO address-mappings/*" command to get address mappings
with expiry information. "addr-mappings/*" is now deprecated.
Patch from Tup.
- Add a new config option __DisablePredictedCircuits designed for
use by the controller, when we don't want Tor to build any circuits
preemptively.
- Let the controller specify HOP=%d as an argument to ATTACHSTREAM,
so we can exit from the middle of the circuit.
- Implement "getinfo status/circuit-established".
- Implement "getinfo status/version/..." so a controller can tell
whether the current version is recommended, and whether any versions
are good, and how many authorities agree. Patch from "shibz".
- Controllers should now specify cache=no or cache=yes when using
the +POSTDESCRIPTOR command.
- Add a "PURPOSE=" argument to "STREAM NEW" events, as suggested by
Robert Hogan. Fixes the first part of bug 681.
- When reporting clock skew, and we know that the clock is _at least
as skewed_ as some value, but we don't know the actual value,
report the value as a "minimum skew."

o Controller bugfixes:
- Generate "STATUS_SERVER" events rather than misspelled
"STATUS_SEVER" events. Caught by mwenge.
- Reject controller commands over 1MB in length, so rogue
processes can't run us out of memory.
- Change the behavior of "getinfo status/good-server-descriptor"
so it doesn't return failure when any authority disappears.
- Send NAMESERVER_STATUS messages for a single failed nameserver
correctly.
- When the DANGEROUS_VERSION controller status event told us we're
running an obsolete version, it used the string "OLD" to describe
it. Yet the "getinfo" interface used the string "OBSOLETE". Now use
"OBSOLETE" in both cases.
- Respond to INT and TERM SIGNAL commands before we execute the
signal, in case the signal shuts us down. We had a patch in
0.1.2.1-alpha that tried to do this by queueing the response on
the connection's buffer before shutting down, but that really
isn't the same thing at all. Bug located by Matt Edman.
- Provide DNS expiry times in GMT, not in local time. For backward
compatibility, ADDRMAP events only provide GMT expiry in an extended
field. "GETINFO address-mappings" always does the right thing.
- Use CRLF line endings properly in NS events.
- Make 'getinfo fingerprint' return a 551 error if we're not a
server, so we match what the control spec claims we do. Reported
by daejees.
- Fix a typo in an error message when extendcircuit fails that
caused us to not follow the \r\n-based delimiter protocol. Reported
by daejees.
- When tunneling an encrypted directory connection, and its first
circuit fails, do not leave it unattached and ask the controller
to deal. Fixes the second part of bug 681.
- Treat some 403 responses from directory servers as INFO rather than
WARN-severity events.

o Portability / building / compiling:
- When building with --enable-gcc-warnings, check for whether Apple's
warning "-Wshorten-64-to-32" is available.
- Support compilation to target iPhone; patch from cjacker huang.
To build for iPhone, pass the --enable-iphone option to configure.
- Detect non-ASCII platforms (if any still exist) and refuse to
build there: some of our code assumes that 'A' is 65 and so on.
- Clear up some MIPSPro compiler warnings.
- Make autoconf search for libevent, openssl, and zlib consistently.
- Update deprecated macros in configure.in.
- When warning about missing headers, tell the user to let us
know if the compile succeeds anyway, so we can downgrade the
warning.
- Include the current subversion revision as part of the version
string: either fetch it directly if we're in an SVN checkout, do
some magic to guess it if we're in an SVK checkout, or use
the last-detected version if we're building from a .tar.gz.
Use this version consistently in log messages.
- Correctly report platform name on Windows 95 OSR2 and Windows 98 SE.
- Read resolv.conf files correctly on platforms where read() returns
partial results on small file reads.
- Build without verbose warnings even on gcc 4.2 and 4.3.
- On Windows, correctly detect errors when listing the contents of
a directory. Fix from lodger.
- Run 'make test' as part of 'make dist', so we stop releasing so
many development snapshots that fail their unit tests.
- Add support to detect Libevent versions in the 1.4.x series
on mingw.
- Add command-line arguments to unit-test executable so that we can
invoke any chosen test from the command line rather than having
to run the whole test suite at once; and so that we can turn on
logging for the unit tests.
- Do not automatically run configure from autogen.sh. This
non-standard behavior tended to annoy people who have built other
programs.
- Fix a macro/CPP interaction that was confusing some compilers:
some GCCs don't like #if/#endif pairs inside macro arguments.
Fixes bug 707.
- Fix macro collision between OpenSSL 0.9.8h and Windows headers.
Fixes bug 704; fix from Steven Murdoch.
- Correctly detect transparent proxy support on Linux hosts that
require in.h to be included before netfilter_ipv4.h. Patch
from coderman.

o Logging improvements:
- When we haven't had any application requests lately, don't bother
logging that we have expired a bunch of descriptors.
- When attempting to open a logfile fails, tell us why.
- Only log guard node status when guard node status has changed.
- Downgrade the 3 most common "INFO" messages to "DEBUG". This will
make "INFO" 75% less verbose.
- When SafeLogging is disabled, log addresses along with all TLS
errors.
- Report TLS "zero return" case as a "clean close" and "IO error"
as a "close". Stop calling closes "unexpected closes": existing
Tors don't use SSL_close(), so having a connection close without
the TLS shutdown handshake is hardly unexpected.
- When we receive a consensus from the future, warn about skew.
- Make "not enough dir info yet" warnings describe *why* Tor feels
it doesn't have enough directory info yet.
- On the USR1 signal, when dmalloc is in use, log the top 10 memory
consumers. (We already do this on HUP.)
- Give more descriptive well-formedness errors for out-of-range
hidden service descriptor/protocol versions.
- Stop recommending that every server operator send mail to tor-ops.
Resolves bug 597. Bugfix on 0.1.2.x.
- Improve skew reporting: try to give the user a better log message
about how skewed they are, and how much this matters.
- New --quiet command-line option to suppress the default console log.
Good in combination with --hash-password.
- Don't complain that "your server has not managed to confirm that its
ports are reachable" if we haven't been able to build any circuits
yet.
- Detect the reason for failing to mmap a descriptor file we just
wrote, and give a more useful log message. Fixes bug 533.
- Always prepend "Bug: " to any log message about a bug.
- When dumping memory usage, list bytes used in buffer memory
free-lists.
- When running with dmalloc, dump more stats on hup and on exit.
- Put a platform string (e.g. "Linux i686") in the startup log
message, so when people paste just their logs, we know if it's
OpenBSD or Windows or what.
- When logging memory usage, break down memory used in buffers by
buffer type.
- When we are reporting the DirServer line we just parsed, we were
logging the second stanza of the key fingerprint, not the first.
- Even though Windows is equally happy with / and \ as path separators,
try to use \ consistently on Windows and / consistently on Unix: it
makes the log messages nicer.
- On OSX, stop warning the user that kqueue support in libevent is
"experimental", since it seems to have worked fine for ages.

o Contributed scripts and tools:
- Update linux-tor-prio.sh script to allow QoS based on the uid of
the Tor process. Patch from Marco Bonetti with tweaks from Mike
Perry.
- Include the "tor-ctrl.sh" bash script by Stefan Behte to provide
Unix users an easy way to script their Tor process (e.g. by
adjusting bandwidth based on the time of the day).
- In the exitlist script, only consider the most recently published
server descriptor for each server. Also, when the user requests
a list of servers that _reject_ connections to a given address,
explicitly exclude the IPs that also have servers that accept
connections to that address. Resolves bug 405.
- Include a new contrib/tor-exit-notice.html file that exit relay
operators can put on their website to help reduce abuse queries.

o Newly deprecated features:
- The status/version/num-versioning and status/version/num-concurring
GETINFO controller options are no longer useful in the v3 directory
protocol: treat them as deprecated, and warn when they're used.
- The RedirectExits config option is now deprecated.

o Removed features:
- Drop the old code to choke directory connections when the
corresponding OR connections got full: thanks to the cell queue
feature, OR conns don't get full any more.
- Remove the old "dns worker" server DNS code: it hasn't been default
since 0.1.2.2-alpha, and all the servers are using the new
eventdns code.
- Remove the code to generate the oldest (v1) directory format.
- Remove support for the old bw_accounting file: we've been storing
bandwidth accounting information in the state file since
0.1.2.5-alpha. This may result in bandwidth accounting errors
if you try to upgrade from 0.1.1.x or earlier, or if you try to
downgrade to 0.1.1.x or earlier.
- Drop support for OpenSSL version 0.9.6. Just about nobody was using
it, it had no AES, and it hasn't seen any security patches since
2004.
- Stop overloading the circuit_t.onionskin field for both "onionskin
from a CREATE cell that we are waiting for a cpuworker to be
assigned" and "onionskin from an EXTEND cell that we are going to
send to an OR as soon as we are connected". Might help with bug 600.
- Remove the tor_strpartition() function: its logic was confused,
and it was only used for one thing that could be implemented far
more easily.
- Remove the contrib scripts ExerciseServer.py, PathDemo.py,
and TorControl.py, as they use the old v0 controller protocol,
and are obsoleted by TorFlow anyway.
- Drop support for v1 rendezvous descriptors, since we never used
them anyway, and the code has probably rotted by now. Based on
patch from Karsten Loesing.
- Stop allowing address masks that do not correspond to bit prefixes.
We have warned about these for a really long time; now it's time
to reject them. (Patch from croup.)
- Remove an optimization in the AES counter-mode code that assumed
that the counter never exceeded 2^68. When the counter can be set
arbitrarily as an IV (as it is by Karsten's new hidden services
code), this assumption no longer holds.
- Disable the SETROUTERPURPOSE controller command: it is now
obsolete.