Changes in version 0.2.0.9-alpha - 2007-10-??
  o Major bugfixes:
    - Stop publishing a new server descriptor just because we HUP or when we find our DirPort to be reachable but won't actually publish it. Extra descriptors without any real changes are dropped by the authorities, and can screw up our "publish every 18 hours" schedule.

  o Minor features (router descriptor cache):
    - If we find a cached-routers file that's been sitting around for more than 28 days unmodified, then most likely it's a leftover from when we upgraded to 0.2.0.8-alpha. Remove it. It has no good routers anyway.

  o Minor bugfixes (directory authorities):
    - Correct the implementation of "download votes by digest." Bugfix on 0.2.0.8-alpha.
    - Make the "next period" votes into "current period" votes immediately after publishing the consensus; avoid a heisenbug that made them stick around indefinitely.

  o Minor bugfixes (memory leaks):
    - Stop leaking memory on failing case of base32_decode. Bugfix on 0.2.0.7-alpha.

  o Minor bugfixes (misc):
    - Make base32_decode() accept upper-case letters. Bugfix on 0.2.0.7-alpha.

  o Code simplifications and refactoring:
    - Remove support for the old bw_accounting file: we've been storing bandwidth accounting information in the state file since 0.1.2.5-alpha. This may result in bandwidth accounting errors if you try to upgrade from 0.1.1.x or earlier, or if you try to downgrade to 0.1.1.x or earlier.


Changes in version 0.2.0.8-alpha - 2007-10-12
  o Major features (router descriptor cache):
    - Store routers in a file called cached-descriptors instead of in cached-routers. Initialize cached-descriptors from cached-routers if the old format is around. The new format allows us to store annotations along with descriptors.
    - Use annotations to record the time we received each descriptor, its source, and its purpose.
    - Disable the SETROUTERPURPOSE controller command: it is now obsolete.
    - Controllers should now specify cache=no or cache=yes when using the +POSTDESCRIPTOR command.
    - Bridge authorities now write bridge descriptors to disk, meaning we can export them to other programs and begin distributing them to blocked users.

  o Major features (directory authorities):
    - When a v3 authority is missing votes or signatures, it now tries to fetch them.
    - Directory authorities track weighted fractional uptime as well as weighted mean-time-between failures. WFU is suitable for deciding whether a node is "usually up", while MTBF is suitable for deciding whether a node is "likely to stay up." We need both, because "usually up" is a good requirement for guards, while "likely to stay up" is a good requirement for long-lived connections.

  o Major features (v3 directory system):
    - Caches now download v3 network status documents as needed, and download the descriptors listed in them.
    - All hosts now attempt to download and keep fresh v3 authority certificates, and re-attempt after failures.
    - More internal-consistency checks for vote parsing.

  o Major bugfixes (crashes):
    - If a connection is shut down abruptly because of something that happened inside connection_flushed_some(), do not call connection_finished_flushing(). Should fix bug 451. Bugfix on 0.1.2.7-alpha.

  o Major bugfixes (performance):
    - Fix really bad O(n^2) performance when parsing a long list of routers: Instead of searching the entire list for an "extra-info " string which usually wasn't there, once for every routerinfo we read, just scan lines forward until we find one we like. Bugfix on 0.2.0.1.
    - When we add data to a write buffer in response to the data on that write buffer getting low because of a flush, do not consider the newly added data as a candidate for immediate flushing, but rather make it wait until the next round of writing. Otherwise, we flush and refill recursively, and a single greedy TLS connection can eat all of our bandwidth. Bugfix on 0.1.2.7-alpha.
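The two base32_decode() entries under 0.2.0.9-alpha above (accept upper-case letters; free the scratch buffer on the failure path) are easiest to see in code. The decoder below is an added illustration written for this page, not Tor's base32_decode(): the function names, the 8-characters-per-5-bytes framing without '=' padding, the base32_decodes_to() helper and the sample strings are my own. The alphabet is the RFC 4648 one (a-z, 2-7), which is what Tor uses, lower-cased, in onion addresses.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Value of one base32 character in the RFC 4648 alphabet (a-z, 2-7).
 * Upper-case letters are accepted too, which is the 0.2.0.9-alpha fix.
 * Returns -1 for anything outside the alphabet. */
static int base32_char_value(char c)
{
  if (c >= 'a' && c <= 'z') return c - 'a';
  if (c >= 'A' && c <= 'Z') return c - 'A';
  if (c >= '2' && c <= '7') return 26 + (c - '2');
  return -1;
}

/* Decode srclen base32 characters (no '=' padding, srclen a multiple of 8)
 * into dest. Returns 0 on success, -1 on bad length or bad character.
 * A heap scratch buffer holds the 5-bit values; the failure path must free
 * it, which is the memory-leak fix the changelog describes. */
int base32_decode(uint8_t *dest, size_t destlen, const char *src, size_t srclen)
{
  size_t nbits = srclen * 5, i;
  uint8_t *tmp;

  if (srclen == 0 || nbits % 8 != 0 || nbits / 8 > destlen)
    return -1;
  tmp = malloc(srclen);
  if (!tmp)
    return -1;
  for (i = 0; i < srclen; ++i) {
    int v = base32_char_value(src[i]);
    if (v < 0) {
      free(tmp);            /* leak fixed: release scratch before bailing out */
      return -1;
    }
    tmp[i] = (uint8_t)v;
  }
  /* Repack eight 5-bit values into five bytes. */
  for (i = 0; i < srclen / 8; ++i) {
    const uint8_t *t = tmp + i * 8;
    uint8_t *d = dest + i * 5;
    d[0] = (uint8_t)((t[0] << 3) | (t[1] >> 2));
    d[1] = (uint8_t)((t[1] << 6) | (t[2] << 1) | (t[3] >> 4));
    d[2] = (uint8_t)((t[3] << 4) | (t[4] >> 1));
    d[3] = (uint8_t)((t[4] << 7) | (t[5] << 2) | (t[6] >> 3));
    d[4] = (uint8_t)((t[6] << 5) | t[7]);
  }
  free(tmp);
  return 0;
}

/* Helper for the checks below: 1 if src decodes to exactly the bytes in
 * expected (strlen(src)*5/8 of them), 0 on decode error or mismatch. */
int base32_decodes_to(const char *src, const char *expected)
{
  uint8_t buf[64];
  size_t srclen = strlen(src), outlen = srclen * 5 / 8;
  if (outlen > sizeof buf)
    return 0;
  if (base32_decode(buf, sizeof buf, src, srclen) != 0)
    return 0;
  return memcmp(buf, expected, outlen) == 0;
}

int main(void)
{
  /* Constructed inputs: "abcde" encodes as "mfrggzdf". */
  printf("lower:    %d\n", base32_decodes_to("mfrggzdf", "abcde"));  /* 1 */
  printf("mixed:    %d\n", base32_decodes_to("MfRgGzDf", "abcde"));  /* 1 */
  printf("bad char: %d\n", base32_decodes_to("mfrggzd!", "abcde"));  /* 0 */
  return 0;
}
```

The failure path is the part worth copying: every early return after the scratch allocation has to release it, and the check for the alphabet must happen before any byte is repacked, so a hostile string costs nothing more than the allocation.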

  o Minor features (v3 authority system):
    - Add more ways for tools to download the votes that lead to the current consensus.
    - Send a 503 when low on bandwidth and a vote, consensus, or certificate is requested.
    - If-modified-since is now implemented properly for all kinds of certificate requests.

  o Minor bugfixes (network statuses):
    - Tweak the implementation of proposal 109 slightly: allow at most two Tor servers on the same IP address, except if it's the location of a directory authority, in which case allow five. Bugfix on 0.2.0.3-alpha.

  o Minor bugfixes (controller):
    - When sending a status event to the controller telling it that an OR address is readable, set the port correctly. (Previously we were reporting the dir port.) Bugfix on 0.1.2.x.

  o Minor bugfixes (v3 directory system):
    - Fix logic to look up a cert by its signing key digest. Bugfix on 0.2.0.7-alpha.
    - Only change the reply to a vote to "OK" if it's not already set. This gets rid of annoying "400 OK" log messages, which may have been masking some deeper issue. Bugfix on 0.2.0.7-alpha.
    - When we get a valid consensus, recompute the voting schedule.
    - Base the valid-after time of a vote on the consensus voting schedule, not on our preferred schedule.
    - Make the return values and messages from signature uploads and downloads more sensible.
    - Fix a memory leak when serving votes and consensus documents, and another when serving certificates.

  o Minor bugfixes (performance):
    - Use a slightly simpler string hashing algorithm (copying Python's instead of Java's) and optimize our digest hashing algorithm to take advantage of 64-bit platforms and to remove some possibly-costly voodoo.
    - Fix a minor memory leak whenever we parse guards from our state file. Bugfix on 0.2.0.7-alpha.
    - Fix a minor memory leak whenever we write out a file. Bugfix on 0.2.0.7-alpha.
    - Fix a minor memory leak whenever a controller sends the PROTOCOLINFO command. Bugfix on 0.2.0.5-alpha.
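The 0.2.0.8-alpha entry above on weighted fractional uptime (WFU) versus weighted mean time between failures (MTBF) is the kind of distinction a worked example makes concrete, and the 0.2.0.6-alpha entry further down (use measured MTBF for the Stable flag once four days of data exist, proposal 108) builds on the same bookkeeping. The code below is an added example for this page, not Tor's rephist.c: the structure, the 12-hour decay interval, the 0.95 decay factor, the fixed cutoffs in scenario_stable() and the two constructed relay histories are my assumptions. What it shows is why both metrics are needed: a relay that reboots for an hour every night has a high WFU but an MTBF under a day, while a relay that is up for five days and then gone for five has a WFU under 0.5 but a five-day MTBF.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <time.h>

#define DAY 86400
/* Decay applied to the weighted totals every DECAY_INTERVAL seconds. Both
 * values are assumptions for this example, not Tor's constants. */
#define DECAY_INTERVAL (12 * 3600)
#define DECAY_ALPHA 0.95
#define MTBF_MIN_HISTORY (4 * DAY)   /* "4 or more days of data" (0.2.0.6-alpha) */

typedef struct {
  double weighted_run_length;  /* decayed sum of completed run lengths (s) */
  double total_run_weights;    /* decayed count of completed runs */
  time_t start_of_run;         /* start of the current run; 0 while down */
  double weighted_uptime;      /* decayed seconds observed up */
  double total_weighted_time;  /* decayed seconds observed at all */
  time_t first_observed, last_observed, last_decay;
} uptime_hist_t;

static void hist_decay(uptime_hist_t *h)
{
  h->weighted_run_length *= DECAY_ALPHA;
  h->total_run_weights   *= DECAY_ALPHA;
  h->weighted_uptime     *= DECAY_ALPHA;
  h->total_weighted_time *= DECAY_ALPHA;
}

/* Record an observation at time now. The interval since the previous
 * observation is credited to the state seen at that previous observation. */
void hist_observe(uptime_hist_t *h, time_t now, int is_up)
{
  if (h->last_observed == 0) {                 /* first observation */
    h->first_observed = h->last_observed = h->last_decay = now;
    h->start_of_run = is_up ? now : 0;
    return;
  }
  double elapsed = (double)(now - h->last_observed);
  int was_up = h->start_of_run != 0;
  h->total_weighted_time += elapsed;
  if (was_up)
    h->weighted_uptime += elapsed;
  if (was_up && !is_up) {                      /* a run just ended */
    h->weighted_run_length += (double)(now - h->start_of_run);
    h->total_run_weights += 1.0;
    h->start_of_run = 0;
  } else if (!was_up && is_up) {
    h->start_of_run = now;
  }
  h->last_observed = now;
  while (now - h->last_decay >= DECAY_INTERVAL) {
    hist_decay(h);
    h->last_decay += DECAY_INTERVAL;
  }
}

/* MTBF ("likely to stay up"): weighted mean run length, current run included. */
double hist_mtbf(const uptime_hist_t *h, time_t now)
{
  double total = h->weighted_run_length, weights = h->total_run_weights;
  if (h->start_of_run) {
    total += (double)(now - h->start_of_run);
    weights += 1.0;
  }
  return weights > 0.0 ? total / weights : 0.0;
}

/* WFU ("usually up"): weighted fraction of observed time the router was up. */
double hist_wfu(const uptime_hist_t *h)
{
  return h->total_weighted_time > 0.0 ? h->weighted_uptime / h->total_weighted_time : 0.0;
}

/* Stable: with four or more days of history decide by measured MTBF,
 * otherwise fall back on the declared uptime. Cutoffs are parameters here;
 * Tor derives them from the network's medians. */
int hist_is_stable(const uptime_hist_t *h, time_t now, double mtbf_cutoff,
                   uint32_t declared_uptime, uint32_t uptime_cutoff)
{
  if (h->last_observed && now - h->first_observed >= MTBF_MIN_HISTORY)
    return hist_mtbf(h, now) >= mtbf_cutoff;
  return declared_uptime >= uptime_cutoff;
}

/* Constructed histories, observed hourly (not real relay data):
 * flapper: up 23 hours of every 24 for `days` days;
 * long runner: up for `days` days straight, then down for `days` days. */
static time_t build_scenario(uptime_hist_t *h, int flapper, int days)
{
  time_t t0 = 1190000000, now = t0;   /* arbitrary epoch start */
  int hours = flapper ? days * 24 : 2 * days * 24, hour;
  memset(h, 0, sizeof *h);
  for (hour = 0; hour <= hours; ++hour) {
    int up = flapper ? (hour % 24) != 23 : hour < days * 24;
    now = t0 + (time_t)hour * 3600;
    hist_observe(h, now, up);
  }
  return now;
}

double scenario_wfu(int flapper, int days)
{ uptime_hist_t h; build_scenario(&h, flapper, days); return hist_wfu(&h); }

double scenario_mtbf(int flapper, int days)
{ uptime_hist_t h; time_t now = build_scenario(&h, flapper, days); return hist_mtbf(&h, now); }

/* Stable decision with a 2-day MTBF cutoff and a 30-day declared-uptime cutoff. */
int scenario_stable(int flapper, int days, uint32_t declared_uptime)
{ uptime_hist_t h; time_t now = build_scenario(&h, flapper, days);
  return hist_is_stable(&h, now, 2.0 * DAY, declared_uptime, 30u * DAY); }

int main(void)
{
  printf("flapper:     WFU %.3f  MTBF %.1f h\n", scenario_wfu(1, 10), scenario_mtbf(1, 10) / 3600.0);
  printf("long runner: WFU %.3f  MTBF %.1f h\n", scenario_wfu(0, 5), scenario_mtbf(0, 5) / 3600.0);
  return 0;
}
```

The decay is applied to numerator and denominator alike, so old runs fade without ever being forgotten outright; a freshly started run adds a weight of one with a length of zero, which is what drags the flapper's MTBF below its 23-hour run length right after each reboot.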

  o Minor bugfixes (portability):
    - On some platforms, accept() can return a broken address. Detect this more quietly, and deal accordingly. Fixes bug 483.
    - Stop calling tor_strlower() on uninitialized memory in some cases. Bugfix on 0.2.0.7-alpha.

  o Minor bugfixes (usability):
    - Treat some 403 responses from directory servers as INFO rather than WARN-severity events.
    - It's not actually an error to find a non-pending entry in the DNS cache when canceling a pending resolve. Don't log unless stuff is fishy. Resolves bug 463.

  o Minor bugfixes (anonymity):
    - Never report that we've used more bandwidth than we're willing to relay: it leaks how much non-relay traffic we're using. Resolves bug 516.
    - When looking for a circuit to cannibalize, consider family as well as identity. Fixes bug 438. Bugfix on 0.1.0.x (which introduced circuit cannibalization).

  o Code simplifications and refactoring:
    - Make a bunch of functions static. Remove some dead code.
    - Pull out about a third of the really big routerlist.c; put it in a new module, networkstatus.c.
    - Merge the extra fields in local_routerstatus_t back into routerstatus_t: we used to need one routerstatus_t for each authority's opinion, plus a local_routerstatus_t for the locally computed consensus opinion. To save space, we put the locally modified fields into local_routerstatus_t, and only the common stuff into routerstatus_t. But once v3 directories are in use, clients and caches will no longer need to hold authority opinions; thus, the rationale for keeping the types separate is now gone.
    - Make the code used to reschedule and reattempt downloads more uniform.
    - Turn all 'Are we a directory server/mirror?' logic into a call to dirserver_mode().
    - Remove the code to generate the oldest (v1) directory format. The code has been disabled since 0.2.0.5-alpha.


Changes in version 0.2.0.7-alpha - 2007-09-21
  o New directory authorities:
    - Set up moria1 and tor26 as the first v3 directory authorities.
      See doc/spec/dir-spec.txt for details on the new directory design.

  o Major bugfixes (crashes):
    - Fix possible segfaults in functions called from rend_process_relay_cell(). Bugfix on 0.1.2.x.

  o Major bugfixes (bridges):
    - Fix a bug that made servers send a "404 Not found" in response to attempts to fetch their server descriptor. This caused Tor servers to take many minutes to establish reachability for their DirPort, and it totally crippled bridges. Bugfix on 0.2.0.5-alpha.
    - Make "UpdateBridgesFromAuthority" torrc option work: when bridge users configure that and specify a bridge with an identity fingerprint, now they will lookup the bridge descriptor at the default bridge authority via a one-hop tunnel, but once circuits are established they will switch to a three-hop tunnel for later connections to the bridge authority. Bugfix on 0.2.0.3-alpha.

  o Major bugfixes (hidden services):
    - Hidden services were choosing introduction points uniquely by hexdigest, but when constructing the hidden service descriptor they merely wrote the (potentially ambiguous) nickname.
    - Clients now use the v2 intro format for hidden service connections: they specify their chosen rendezvous point by identity digest rather than by (potentially ambiguous) nickname.
      Both are bugfixes on 0.1.2.x, and they could speed up hidden service connections dramatically. Thanks to Karsten Loesing.

  o Minor features (security):
    - As a client, do not believe any server that tells us that an address maps to an internal address space.
    - Make it possible to enable HashedControlPassword and CookieAuthentication at the same time.

  o Minor features (guard nodes):
    - Tag every guard node in our state file with the version that we believe added it, or with our own version if we add it. This way, if a user temporarily runs an old version of Tor and then switches back to a new one, she doesn't automatically lose her guards.

  o Minor features (speed):
    - When implementing AES counter mode, update only the portions of the counter buffer that need to change, and don't keep separate network-order and host-order counters when they are the same (i.e., on big-endian hosts.)

  o Minor features (controller):
    - Accept LF instead of CRLF on controller, since some software has a hard time generating real Internet newlines.
    - Add GETINFO values for the server status events "REACHABILITY_SUCCEEDED" and "GOOD_SERVER_DESCRIPTOR". Patch from Robert Hogan.

  o Removed features:
    - Routers no longer include bandwidth-history lines in their descriptors; this information is already available in extra-info documents, and including it in router descriptors took up 60% (!) of compressed router descriptor downloads. Completes implementation of proposal 104.
    - Remove the contrib scripts ExerciseServer.py, PathDemo.py, and TorControl.py, as they use the old v0 controller protocol, and are obsoleted by TorFlow anyway.
    - Drop support for v1 rendezvous descriptors, since we never used them anyway, and the code has probably rotted by now. Based on patch from Karsten Loesing.
    - On OSX, stop warning the user that kqueue support in libevent is "experimental", since it seems to have worked fine for ages.

  o Minor bugfixes:
    - When generating information telling us how to extend to a given router, do not try to include the nickname if it is absent. Fixes bug 467. Bugfix on 0.2.0.3-alpha.
    - Fix a user-triggerable (but not remotely-triggerable) segfault in expand_filename(). Bugfix on 0.1.2.x.
    - Fix a memory leak when freeing incomplete requests from DNSPort. Found by Niels Provos with valgrind. Bugfix on 0.2.0.1-alpha.
    - Don't try to access (or alter) the state file when running --list-fingerprint or --verify-config or --hash-password. (Resolves bug 499.) Bugfix on 0.1.2.x.
    - Servers used to decline to publish their DirPort if their BandwidthRate, RelayBandwidthRate, or MaxAdvertisedBandwidth were below a threshold.
      Now they only look at BandwidthRate and RelayBandwidthRate. Bugfix on 0.1.2.x.
    - Remove an optimization in the AES counter-mode code that assumed that the counter never exceeded 2^68. When the counter can be set arbitrarily as an IV (as it is by Karsten's new hidden services code), this assumption no longer holds. Bugfix on 0.1.2.x.
    - Resume listing "AUTHORITY" flag for authorities in network status. Bugfix on 0.2.0.3-alpha; reported by Alex de Joode.

  o Code simplifications and refactoring:
    - Revamp file-writing logic so we don't need to have the entire contents of a file in memory at once before we write to disk. Tor, meet stdio.
    - Turn "descriptor store" into a full-fledged type.
    - Move all NT services code into a separate source file.
    - Unify all code that computes medians, percentile elements, etc.
    - Get rid of a needless malloc when parsing address policies.


Changes in version 0.1.2.17 - 2007-08-30
  o Major bugfixes (security):
    - We removed support for the old (v0) control protocol. It has been deprecated since Tor 0.1.1.1-alpha, and keeping it secure has become more of a headache than it's worth.

  o Major bugfixes (load balancing):
    - When choosing nodes for non-guard positions, weight guards proportionally less, since they already have enough load. Patch from Mike Perry.
    - Raise the "max believable bandwidth" from 1.5MB/s to 10MB/s. This will allow fast Tor servers to get more attention.
    - When we're upgrading from an old Tor version, forget our current guards and pick new ones according to the new weightings.
      These three load balancing patches could raise effective network capacity by a factor of four. Thanks to Mike Perry for measurements.

  o Major bugfixes (stream expiration):
    - Expire not-yet-successful application streams in all cases if they've been around longer than SocksTimeout. Right now there are some cases where the stream will live forever, demanding a new circuit every 15 seconds. Fixes bug 454; reported by lodger.
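The 0.2.0.7-alpha entry above about the AES counter-mode optimization is a good reminder of what a CTR counter has to do: once a caller may set the initial counter to any 128-bit value (an IV), the increment can carry out of any byte, so an increment that only propagates within some low part of the block silently produces the wrong keystream block for counters beyond that width. The code below is an added example for this page, not Tor's aes.c: the function names, the helpers and the test vectors are my own, and the block cipher call itself (the keystream block is AES under the session key applied to the counter block) is left to whatever library the caller uses. It carries through all sixteen bytes and also shows how a CTR stream is positioned at an arbitrary byte offset, which is the operation that makes the counter land far from where it started.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define CTR_BLOCK_LEN 16   /* AES block size: the whole block is the counter */

/* Add n to a big-endian 128-bit counter in place, carrying through all
 * sixteen bytes. Returns the carry out of the top byte: 1 only if the
 * counter wrapped. */
unsigned ctr128_add(uint8_t ctr[CTR_BLOCK_LEN], uint64_t n)
{
  unsigned carry = 0;
  int i;
  for (i = CTR_BLOCK_LEN - 1; i >= 0; --i) {
    unsigned sum = (unsigned)ctr[i] + (unsigned)(n & 0xffu) + carry;
    ctr[i] = (uint8_t)sum;
    carry = sum >> 8;
    n >>= 8;   /* n is exhausted after 8 bytes; the carry keeps propagating */
  }
  return carry;
}

unsigned ctr128_increment(uint8_t ctr[CTR_BLOCK_LEN])
{
  return ctr128_add(ctr, 1);
}

/* Counter block for the keystream block covering byte `pos` of a stream whose
 * counter started at iv, and the offset of that byte within the block. With
 * an arbitrary iv the addition may carry anywhere in the 128 bits, which is
 * why no shortcut on the counter width is safe. */
unsigned ctr128_block_for_offset(const uint8_t iv[CTR_BLOCK_LEN], uint64_t pos,
                                 uint8_t out[CTR_BLOCK_LEN])
{
  memcpy(out, iv, CTR_BLOCK_LEN);
  ctr128_add(out, pos / CTR_BLOCK_LEN);
  return (unsigned)(pos % CTR_BLOCK_LEN);
}

/* Check helpers: does start + n equal expect? Does positioning at pos give
 * the expected block and in-block offset? */
int ctr128_add_gives(const uint8_t start[CTR_BLOCK_LEN], uint64_t n,
                     const uint8_t expect[CTR_BLOCK_LEN])
{
  uint8_t tmp[CTR_BLOCK_LEN];
  memcpy(tmp, start, CTR_BLOCK_LEN);
  ctr128_add(tmp, n);
  return memcmp(tmp, expect, CTR_BLOCK_LEN) == 0;
}

int ctr128_offset_gives(const uint8_t iv[CTR_BLOCK_LEN], uint64_t pos,
                        const uint8_t expect[CTR_BLOCK_LEN], unsigned expect_off)
{
  uint8_t blk[CTR_BLOCK_LEN];
  unsigned off = ctr128_block_for_offset(iv, pos, blk);
  return off == expect_off && memcmp(blk, expect, CTR_BLOCK_LEN) == 0;
}

int main(void)
{
  /* Constructed counter 2^68 - 1: the carry from +1 has to reach byte 7. */
  uint8_t ctr[CTR_BLOCK_LEN] = {0,0,0,0,0,0,0,0x0f,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff};
  int i;
  ctr128_increment(ctr);
  for (i = 0; i < CTR_BLOCK_LEN; ++i)
    printf("%02x", ctr[i]);
  printf("\n");   /* 00000000000000100000000000000000 */
  return 0;
}
```

The carry loop deliberately does not stop when the addend's bits are used up: a counter of 2^68 - 1 has 0xff in its low eight bytes and 0x0f in byte 7, and the increment is only correct if byte 7 becomes 0x10. An implementation that treats the low 64 bits as "the counter" and the rest as a fixed nonce gets this case wrong, which is the class of shortcut the changelog entry removes.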

  o Minor features (controller):
    - Add a PROTOCOLINFO controller command. Like AUTHENTICATE, it is valid before any authentication has been received. It tells a controller what kind of authentication is expected, and what protocol is spoken. Implements proposal 119.

  o Minor bugfixes (performance):
    - Save on most routerlist_assert_ok() calls in routerlist.c, thus greatly speeding up loading cached-routers from disk on startup.
    - Disable sentinel-based debugging for buffer code: we squashed all the bugs that this was supposed to detect a long time ago, and now its only effect is to change our buffer sizes from nice powers of two (which platform mallocs tend to like) to values slightly over powers of two (which make some platform mallocs sad).

  o Minor bugfixes (misc):
    - If exit bandwidth ever exceeds one third of total bandwidth, then use the correct formula to weight exit nodes when choosing paths. Based on patch from Mike Perry.
    - Choose perfectly fairly among routers when choosing by bandwidth and weighting by fraction of bandwidth provided by exits. Previously, we would choose with only approximate fairness, and correct ourselves if we ran off the end of the list.
    - If we require CookieAuthentication but we fail to write the cookie file, we would warn but not exit, and end up in a state where no controller could authenticate. Now we exit.
    - If we require CookieAuthentication, stop generating a new cookie every time we change any piece of our config.
    - Refuse to start with certain directory authority keys, and encourage people using them to stop.
    - Terminate multi-line control events properly. Original patch from tup.
    - Fix a minor memory leak when we fail to find enough suitable servers to choose a circuit.
    - Stop leaking part of the descriptor when we run into a particularly unparseable piece of it.


Changes in version 0.2.0.6-alpha - 2007-08-26
  o New directory authorities:
    - Set up Tonga as the default bridge directory authority.
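The 0.1.2.17 load-balancing entries above (cap the believable bandwidth at 10MB/s, weight exits correctly once they exceed a third of the total, and choose "perfectly fairly" by drawing against the weighted total instead of correcting when the walk runs off the end) describe one selection routine. The code below is an added example for this page, not Tor's smartlist_choose_by_bandwidth(): the types, the sample networks and the way the random draw is passed in are mine, and the exit weight for non-exit positions (1 - total/(3 * exit_bw), clamped at zero, so that exits carry only the share of bandwidth above one third) is my reconstruction of the changelog's description, not a quotation of the source. The guard down-weighting from the same patch series follows the same pattern and is left out to keep the example focused.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Advertised bandwidth above this is not believed; 0.1.2.17 raised it to 10MB/s. */
#define MAX_BELIEVABLE_BANDWIDTH (10u * 1024u * 1024u)

typedef struct {
  const char *nickname;
  uint32_t bandwidth;   /* advertised bytes/s */
  int is_exit;
} router_t;

static double believed_bandwidth(const router_t *r)
{
  return r->bandwidth > MAX_BELIEVABLE_BANDWIDTH
           ? (double)MAX_BELIEVABLE_BANDWIDTH : (double)r->bandwidth;
}

/* Pick an index from routers[0..n) (already filtered to the routers eligible
 * for the position) with probability proportional to believed bandwidth.
 * For non-exit positions exits are weighted down so that at least a third of
 * the network's bandwidth stays available for exiting: weight 0 while exits
 * are at most a third of the total, otherwise only the share above a third
 * counts. u is a uniform random number in [0,1), passed in so the choice is
 * reproducible; real code draws it from a cryptographic RNG. Returns -1 if
 * nothing has weight. */
int choose_by_bandwidth(const router_t *routers, size_t n, int for_exit, double u)
{
  double exit_bw = 0.0, nonexit_bw = 0.0, total, exit_weight;
  double weighted_total, target, acc = 0.0;
  size_t i;
  int last_positive = -1;

  for (i = 0; i < n; ++i) {
    if (routers[i].is_exit) exit_bw += believed_bandwidth(&routers[i]);
    else                    nonexit_bw += believed_bandwidth(&routers[i]);
  }
  total = exit_bw + nonexit_bw;
  if (for_exit)
    exit_weight = 1.0;
  else if (3.0 * exit_bw <= total)        /* exits are a third or less: reserve them */
    exit_weight = 0.0;
  else                                    /* only the surplus above a third is usable */
    exit_weight = 1.0 - total / (3.0 * exit_bw);
  weighted_total = nonexit_bw + exit_weight * exit_bw;
  if (weighted_total <= 0.0)
    return -1;

  /* The fairness fix: draw against the weighted total, so each router's
   * chance is exactly its weighted share and no end-of-list correction is
   * ever needed. */
  target = u * weighted_total;
  for (i = 0; i < n; ++i) {
    double w = believed_bandwidth(&routers[i]);
    if (routers[i].is_exit) w *= exit_weight;
    if (w <= 0.0) continue;
    last_positive = (int)i;
    acc += w;
    if (target < acc) return (int)i;
  }
  return last_positive;   /* only reached through floating-point rounding */
}

/* Constructed networks (not real relays). sample_third: exits are exactly one
 * third of the bandwidth. sample_rich: exits are two thirds. sample_capped:
 * an implausible 100MB/s relay beside a 10MB/s one. */
const router_t sample_third[3]  = { {"alpha", 1000, 0}, {"bravo", 1000, 1}, {"charlie", 1000, 0} };
const router_t sample_rich[3]   = { {"alpha", 1000, 0}, {"bravo", 4000, 1}, {"charlie", 1000, 0} };
const router_t sample_capped[2] = { {"braggart", 100u * 1024u * 1024u, 0}, {"honest", 10u * 1024u * 1024u, 0} };

int main(void)
{
  /* Middle-position picks: bravo is skipped entirely in sample_third and
   * carries half weight in sample_rich; the cap makes the two capped relays
   * equally likely. */
  printf("third  u=0.6 -> %s\n", sample_third[choose_by_bandwidth(sample_third, 3, 0, 0.6)].nickname);
  printf("rich   u=0.5 -> %s\n", sample_rich[choose_by_bandwidth(sample_rich, 3, 0, 0.5)].nickname);
  printf("capped u=0.5 -> %s\n", sample_capped[choose_by_bandwidth(sample_capped, 2, 0, 0.5)].nickname);
  return 0;
}
```

Two details carry the security weight: the cap stops a single relay from claiming most of the network's traffic by advertising an absurd bandwidth, and drawing against the weighted total (rather than the raw sum and then "correcting") is what makes the stated probabilities the real ones.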

  o Major features:
    - Directory authorities now track servers by weighted mean-times-between-failures. When we have 4 or more days of data, use measured MTBF rather than declared uptime to decide whether to call a router Stable. Implements proposal 108.

  o Major bugfixes (load balancing):
    - When choosing nodes for non-guard positions, weight guards proportionally less, since they already have enough load. Patch from Mike Perry.
    - Raise the "max believable bandwidth" from 1.5MB/s to 10MB/s. This will allow fast Tor servers to get more attention.
    - When we're upgrading from an old Tor version, forget our current guards and pick new ones according to the new weightings.
      These three load balancing patches could raise effective network capacity by a factor of four. Thanks to Mike Perry for measurements.

  o Major bugfixes (descriptor parsing):
    - Handle unexpected whitespace better in malformed descriptors. Bug found using Benedikt Boss's new Tor fuzzer! Bugfix on 0.2.0.x.

  o Minor features:
    - There is now an ugly, temporary "desc/all-recent-extrainfo-hack" GETINFO for Torstat to use until it can switch to using extrainfos.
    - Optionally (if built with -DEXPORTMALLINFO) export the output of mallinfo via http, as tor/mallinfo.txt. Only accessible from localhost.

  o Minor bugfixes:
    - Do not intermix bridge routers with controller-added routers. (Bugfix on 0.2.0.x)
    - Do not fail with an assert when accept() returns an unexpected address family. Addresses but does not wholly fix bug 483. (Bugfix on 0.2.0.x)
    - Let directory authorities startup even when they can't generate a descriptor immediately, e.g. because they don't know their address.
    - Stop putting the authentication cookie in a file called "0" in your working directory if you don't specify anything for the new CookieAuthFile option. Reported by Matt Edman.
    - Make it possible to read the PROTOCOLINFO response in a way that conforms to our control-spec. Reported by Matt Edman.
    - Fix a minor memory leak when we fail to find enough suitable servers to choose a circuit. Bugfix on 0.1.2.x.
    - Stop leaking part of the descriptor when we run into a particularly unparseable piece of it. Bugfix on 0.1.2.x.
    - Unmap the extrainfo cache file on exit.


Changes in version 0.2.0.5-alpha - 2007-08-19
  o Removed features:
    - Version 1 directories are no longer generated in full. Instead, authorities generate and serve "stub" v1 directories that list no servers. This will stop Tor versions 0.1.0.x and earlier from working, but (for security reasons) nobody should be running those versions anyway.

  o Major bugfixes (compilation, 0.2.0.x):
    - Try to fix Win32 compilation again: improve checking for IPv6 types.
    - Try to fix MSVC compilation: build correctly on platforms that do not define s6_addr16 or s6_addr32.
    - Fix compile on platforms without getaddrinfo: bug found by Li-Hui Zhou.

  o Major bugfixes (stream expiration):
    - Expire not-yet-successful application streams in all cases if they've been around longer than SocksTimeout. Right now there are some cases where the stream will live forever, demanding a new circuit every 15 seconds. Bugfix on 0.1.2.7-alpha; fixes bug 454; reported by lodger.

  o Minor features (directory servers):
    - When somebody requests a list of statuses or servers, and we have none of those, return a 404 rather than an empty 200.

  o Minor features (directory voting):
    - Store v3 consensus status documents on disk, and reload them on startup.

  o Minor features (security):
    - Warn about unsafe ControlPort configurations.
    - Refuse to start with certain directory authority keys, and encourage people using them to stop.

  o Minor features (controller):
    - Add a PROTOCOLINFO controller command. Like AUTHENTICATE, it is valid before any authentication has been received. It tells a controller what kind of authentication is expected, and what protocol is spoken. Implements proposal 119.
    - New config option CookieAuthFile to choose a new location for the cookie authentication file, and config option CookieAuthFileGroupReadable to make it group-readable.

  o Minor features (unit testing):
    - Add command-line arguments to unit-test executable so that we can invoke any chosen test from the command line rather than having to run the whole test suite at once; and so that we can turn on logging for the unit tests.

  o Minor bugfixes (on 0.1.2.x):
    - If we require CookieAuthentication but we fail to write the cookie file, we would warn but not exit, and end up in a state where no controller could authenticate. Now we exit.
    - If we require CookieAuthentication, stop generating a new cookie every time we change any piece of our config.
    - When loading bandwidth history, do not believe any information in the future. Fixes bug 434.
    - When loading entry guard information, do not believe any information in the future.
    - When we have our clock set far in the future and generate an onion key, then re-set our clock to be correct, we should not stop the onion key from getting rotated.
    - Clean up torrc sample config file.
    - Do not automatically run configure from autogen.sh. This non-standard behavior tended to annoy people who have built other programs.

  o Minor bugfixes (on 0.2.0.x):
    - Fix a bug with AutomapHostsOnResolve that would always cause the second request to fail. Bug reported by Kate. Bugfix on 0.2.0.3-alpha.
    - Fix a bug in ADDRMAP controller replies that would sometimes try to print a NULL. Patch from tup.
    - Read v3 directory authority keys from the right location.
    - Numerous bugfixes to directory voting code.


Changes in version 0.1.2.16 - 2007-08-01
  o Major security fixes:
    - Close immediately after missing authentication on control port; do not allow multiple authentication attempts.


Changes in version 0.2.0.4-alpha - 2007-08-01
  o Major security fixes:
    - Close immediately after missing authentication on control port; do not allow multiple authentication attempts.

  o Major bugfixes (compilation):
    - Fix win32 compilation: apparently IN_ADDR and IN6_ADDR are already defined there.

  o Minor features (performance):
    - Be even more aggressive about releasing RAM from small empty buffers. Thanks to our free-list code, this shouldn't be too performance-intensive.
    - Disable sentinel-based debugging for buffer code: we squashed all the bugs that this was supposed to detect a long time ago, and now its only effect is to change our buffer sizes from nice powers of two (which platform mallocs tend to like) to values slightly over powers of two (which make some platform mallocs sad).
    - Log malloc statistics from mallinfo() on platforms where it exists.


Changes in version 0.2.0.3-alpha - 2007-07-29
  o Major features:
    - The first pieces of our "bridge" design for blocking-resistance are implemented. People can run bridge directory authorities; people can run bridges; and people can configure their Tor clients with a set of bridges to use as the first hop into the Tor network. See http://archives.seul.org/or/talk/Jul-2007/msg00249.html for details.
    - Create listener connections before we setuid to the configured User and Group. Now non-Windows users can choose port values under 1024, start Tor as root, and have Tor bind those ports before it changes to another UID. (Windows users could already pick these ports.)
    - Added a new ConstrainedSockets config option to set SO_SNDBUF and SO_RCVBUF on TCP sockets. Hopefully useful for Tor servers running on "vserver" accounts. (Patch from coderman.)
    - Be even more aggressive about separating local traffic from relayed traffic when RelayBandwidthRate is set. (Refines proposal 111.)

  o Major features (experimental):
    - First cut of code for "v3 dir voting": directory authorities will vote on a common network status document rather than each publishing their own opinion. This code needs more testing and more corner-case handling before it's ready for use.

  o Security fixes:
    - Directory authorities now call routers Fast if their bandwidth is at least 100KB/s, and consider their bandwidth adequate to be a Guard if it is at least 250KB/s, no matter the medians. This fix complements proposal 107. [Bugfix on 0.1.2.x]
    - Directory authorities now never mark more than 3 servers per IP as Valid and Running. (Implements proposal 109, by Kevin Bauer and Damon McCoy.)
    - Minor change to organizationName and commonName generation procedures in TLS certificates during Tor handshakes, to invalidate some earlier censorware approaches. This is not a long-term solution, but applying it will give us a bit of time to look into the epidemiology of countermeasures as they spread.

  o Major bugfixes (directory):
    - Rewrite directory tokenization code to never run off the end of a string. Fixes bug 455. Patch from croup. [Bugfix on 0.1.2.x]

  o Minor features (controller):
    - Add a SOURCE_ADDR field to STREAM NEW events so that controllers can match requests to applications. (Patch from Robert Hogan.)
    - Report address and port correctly on connections to DNSPort. (Patch from Robert Hogan.)
    - Add a RESOLVE command to launch hostname lookups. (Original patch from Robert Hogan.)
    - Add GETINFO status/enough-dir-info to let controllers tell whether Tor has downloaded sufficient directory information. (Patch from Tup.)
    - You can now use the ControlSocket option to tell Tor to listen for controller connections on Unix domain sockets on systems that support them. (Patch from Peter Palfrader.)
    - STREAM NEW events are generated for DNSPort requests and for tunneled directory connections. (Patch from Robert Hogan.)
    - New "GETINFO address-mappings/*" command to get address mappings with expiry information. "addr-mappings/*" is now deprecated. (Patch from Tup.)

  o Minor features (misc):
    - Merge in some (as-yet-unused) IPv6 address manipulation code. (Patch from croup.)
    - The tor-gencert tool for v3 directory authorities now creates all files as readable to the file creator only, and write-protects the authority identity key.
    - When dumping memory usage, list bytes used in buffer memory free-lists.
    - When running with dmalloc, dump more stats on hup and on exit.
    - Directory authorities now fail quickly and (relatively) harmlessly if they generate a network status document that is somehow malformed.

  o Traffic load balancing improvements:
    - If exit bandwidth ever exceeds one third of total bandwidth, then use the correct formula to weight exit nodes when choosing paths. (Based on patch from Mike Perry.)
    - Choose perfectly fairly among routers when choosing by bandwidth and weighting by fraction of bandwidth provided by exits. Previously, we would choose with only approximate fairness, and correct ourselves if we ran off the end of the list. [Bugfix on 0.1.2.x]

  o Performance improvements:
    - Be more aggressive with freeing buffer RAM or putting it on the memory free lists.
    - Use Critical Sections rather than Mutexes for synchronizing threads on win32; Mutexes are heavier-weight, and designed for synchronizing between processes.

  o Deprecated and removed features:
    - RedirectExits is now deprecated.
    - Stop allowing address masks that do not correspond to bit prefixes. We have warned about these for a really long time; now it's time to reject them. (Patch from croup.)

  o Minor bugfixes (directory):
    - Fix another crash bug related to extra-info caching. (Bug found by Peter Palfrader.) [Bugfix on 0.2.0.2-alpha]
    - Directories no longer return a "304 not modified" when they don't have the networkstatus the client asked for. Also fix a memory leak when returning 304 not modified.
      [Bugfixes on 0.2.0.2-alpha]
    - We had accidentally labelled 0.1.2.x directory servers as not suitable for begin_dir requests, and had labelled no directory servers as suitable for uploading extra-info documents. [Bugfix on 0.2.0.1-alpha]

  o Minor bugfixes (dns):
    - Fix a crash when DNSPort is set more than once. (Patch from Robert Hogan.) [Bugfix on 0.2.0.2-alpha]
    - Add DNSPort connections to the global connection list, so that we can time them out correctly. (Bug found by Robert Hogan.) [Bugfix on 0.2.0.2-alpha]
    - Fix a dangling reference that could lead to a crash when DNSPort is changed or closed. (Patch from Robert Hogan.) [Bugfix on 0.2.0.2-alpha]

  o Minor bugfixes (controller):
    - Provide DNS expiry times in GMT, not in local time. For backward compatibility, ADDRMAP events only provide GMT expiry in an extended field. "GETINFO address-mappings" always does the right thing.
    - Use CRLF line endings properly in NS events.
    - Terminate multi-line control events properly. (Original patch from tup.) [Bugfix on 0.1.2.x-alpha]
    - Do not include spaces in SOURCE_ADDR fields in STREAM events. Resolves bug 472. [Bugfix on 0.2.0.x-alpha]


Changes in version 0.1.2.15 - 2007-07-17
  o Major bugfixes (compilation):
    - Fix compile on FreeBSD/NetBSD/OpenBSD. Oops.

  o Major bugfixes (crashes):
    - Try even harder not to dereference the first character after an mmap(). Reported by lodger.
    - Fix a crash bug in directory authorities when we re-number the routerlist while inserting a new router.
    - When the cached-routers file is an even multiple of the page size, don't run off the end and crash. (Fixes bug 455; based on idea from croup.)
    - Fix eventdns.c behavior on Solaris: It is critical to include orconfig.h _before_ sys/types.h, so that we can get the expected definition of _FILE_OFFSET_BITS.

  o Major bugfixes (security):
    - Fix a possible buffer overrun when using BSD natd support. Bug found by croup.
    - When sending destroy cells from a circuit's origin, don't include the reason for tearing down the circuit. The spec says we didn't, and now we actually don't. Reported by lodger.
    - Keep streamids from different exits on a circuit separate. This bug may have allowed other routers on a given circuit to inject cells into streams. Reported by lodger; fixes bug 446.
    - If there's a never-before-connected-to guard node in our list, never choose any guards past it. This way we don't expand our guard list unless we need to.

  o Minor bugfixes (guard nodes):
    - Weight guard selection by bandwidth, so that low-bandwidth nodes don't get overused as guards.

  o Minor bugfixes (directory):
    - Correctly count the number of authorities that recommend each version. Previously, we were under-counting by 1.
    - Fix a potential crash bug when we load many server descriptors at once and some of them make others of them obsolete. Fixes bug 458.

  o Minor bugfixes (hidden services):
    - Stop tearing down the whole circuit when the user asks for a connection to a port that the hidden service didn't configure. Resolves bug 444.

  o Minor bugfixes (misc):
    - On Windows, we were preventing other processes from reading cached-routers while Tor was running. Reported by janbar.
    - Fix a possible (but very unlikely) bug in picking routers by bandwidth. Add a log message to confirm that it is in fact unlikely. Patch from lodger.
    - Backport a couple of memory leak fixes.
    - Backport miscellaneous cosmetic bugfixes.


Changes in version 0.2.0.2-alpha - 2007-06-02
  o Major bugfixes on 0.2.0.1-alpha:
    - Fix an assertion failure related to servers without extra-info digests. Resolves bugs 441 and 442.

  o Minor features (directory):
    - Support "If-Modified-Since" when answering HTTP requests for directories, running-routers documents, and network-status documents. (There's no need to support it for router descriptors, since those are downloaded by descriptor digest.)

  o Minor build issues:
    - Clear up some MIPSPro compiler warnings.
    - When building from a tarball on a machine that happens to have SVK installed, report the micro-revision as whatever version existed in the tarball, not as "x".


Changes in version 0.2.0.1-alpha - 2007-06-01
  o Major features, server usability:
    - New config options RelayBandwidthRate and RelayBandwidthBurst: a separate set of token buckets for relayed traffic. Right now relayed traffic is defined as answers to directory requests, and OR connections that don't have any local circuits on them.

  o Major features, client usability:
    - A client-side DNS proxy feature to replace the need for dns-proxy-tor: Just set "DNSPort 9999", and Tor will now listen for DNS requests on port 9999, use the Tor network to resolve them anonymously, and send the reply back like a regular DNS server. The code still only implements a subset of DNS.
    - Make PreferTunneledDirConns and TunnelDirConns work even when we have no cached directory info. This means Tor clients can now do all of their connections protected by TLS.

  o Major features, performance and efficiency:
    - Directory authorities accept and serve "extra info" documents for routers. These documents contain fields from router descriptors that aren't usually needed, and that use a lot of excess bandwidth. Once these fields are removed from router descriptors, the bandwidth savings should be about 60%. [Partially implements proposal 104.]
    - Servers upload extra-info documents to any authority that accepts them. Authorities (and caches that have been configured to download extra-info documents) download them as needed. [Partially implements proposal 104.]
    - Change the way that Tor buffers data that it is waiting to write. Instead of queueing data cells in an enormous ring buffer for each client->OR or OR->OR connection, we now queue cells on a separate queue for each circuit.
      This lets us use less slack memory, and will eventually let us be smarter about prioritizing different kinds of traffic.
    - Use memory pools to allocate cells with better speed and memory efficiency, especially on platforms where malloc() is inefficient.
    - Stop reading on edge connections when their corresponding circuit buffers are full; start again as the circuits empty out.
  o Major features, other:
    - Add an HSAuthorityRecordStats option that hidden service authorities can use to track statistics of overall hidden service usage without logging information that would be very useful to an attacker.
    - Start work implementing multi-level keys for directory authorities: Add a standalone tool to generate key certificates. (Proposal 103.)
  o Security fixes:
    - Directory authorities now call routers Stable if they have an uptime of at least 30 days, even if that's not the median uptime in the network. Implements proposal 107, suggested by Kevin Bauer and Damon McCoy.
  o Minor fixes (resource management):
    - Count the number of open sockets separately from the number of active connection_t objects. This will let us avoid underusing our allocated connection limit.
    - We no longer use socket pairs to link an edge connection to an anonymous directory connection or a DirPort test connection. Instead, we track the link internally and transfer the data in-process. This saves two sockets per "linked" connection (at the client and at the server), and avoids the nasty Windows socketpair() workaround.
    - Keep unused 4k and 16k buffers on free lists, rather than wasting 8k for every single inactive connection_t. Free items from the 4k/16k-buffer free lists when they haven't been used for a while.
  o Minor features (build):
    - Make autoconf search for libevent, openssl, and zlib consistently.
    - Update deprecated macros in configure.in.
    - When warning about missing headers, tell the user to let us know if the compile succeeds anyway, so we can downgrade the warning.
    - Include the current subversion revision as part of the version string: either fetch it directly if we're in an SVN checkout, do some magic to guess it if we're in an SVK checkout, or use the last-detected version if we're building from a .tar.gz. Use this version consistently in log messages.
  o Minor features (logging):
    - Always prepend "Bug: " to any log message about a bug.
    - Put a platform string (e.g. "Linux i686") in the startup log message, so when people paste just their logs, we know if it's OpenBSD or Windows or what.
    - When logging memory usage, break down memory used in buffers by buffer type.
  o Minor features (directory system):
    - New config option V2AuthoritativeDirectory that all directory authorities should set. This will let future authorities choose not to serve V2 directory information.
    - Directory authorities allow multiple router descriptors and/or extra info documents to be uploaded in a single go. This will make implementing proposal 104 simpler.
  o Minor features (controller):
    - Add a new config option __DisablePredictedCircuits designed for use by the controller, when we don't want Tor to build any circuits preemptively.
    - Let the controller specify HOP=%d as an argument to ATTACHSTREAM, so we can exit from the middle of the circuit.
    - Implement "getinfo status/circuit-established".
    - Implement "getinfo status/version/..." so a controller can tell whether the current version is recommended, and whether any versions are good, and how many authorities agree. (Patch from shibz.)
  o Minor features (hidden services):
    - Allow multiple HiddenServicePort directives with the same virtual port; when they occur, the user is sent round-robin to one of the target ports chosen at random. Partially fixes bug 393 by adding limited ad-hoc round-robining.
  o Minor features (other):
    - More unit tests.
    - Add a new AutomapHostsOnResolve option: when it is enabled, any resolve request for hosts matching a given pattern causes Tor to generate an internal virtual address mapping for that host. This allows DNSPort to work sensibly with hidden service users. By default, .exit and .onion addresses are remapped; the list of patterns can be reconfigured with AutomapHostsSuffixes.
    - Add an "-F" option to tor-resolve to force a resolve for a .onion address. Thanks to the AutomapHostsOnResolve option, this is no longer a completely silly thing to do.
    - If Tor is invoked from something that isn't a shell (e.g. Vidalia), now we expand "-f ~/.tor/torrc" correctly. Suggested by Matt Edman.
    - Treat "2gb" when given in torrc for a bandwidth as meaning 2gb, minus 1 byte: the actual maximum declared bandwidth.
  o Removed features:
    - Removed support for the old binary "version 0" controller protocol. This has been deprecated since 0.1.1, and warnings have been issued since 0.1.2. When we encounter a v0 control message, we now send back an error and close the connection.
    - Remove the old "dns worker" server DNS code: it hasn't been default since 0.1.2.2-alpha, and all the servers seem to be using the new eventdns code.
  o Minor bugfixes (portability):
    - Even though Windows is equally happy with / and \ as path separators, try to use \ consistently on Windows and / consistently on Unix: it makes the log messages nicer.
    - Correctly report platform name on Windows 95 OSR2 and Windows 98 SE.
    - Read resolv.conf files correctly on platforms where read() returns partial results on small file reads.
  o Minor bugfixes (directory):
    - Correctly enforce that elements of directory objects do not appear more often than they are allowed to appear.
    - When we are reporting the DirServer line we just parsed, we were logging the second stanza of the key fingerprint, not the first.
  o Minor bugfixes (logging):
    - When we hit an EOF on a log (probably because we're shutting down), don't try to remove the log from the list: just mark it as unusable. (Bulletproofs against bug 222.)
  o Minor bugfixes (other):
    - In the exitlist script, only consider the most recently published server descriptor for each server. Also, when the user requests a list of servers that _reject_ connections to a given address, explicitly exclude the IPs that also have servers that accept connections to that address. (Resolves bug 405.)
    - Stop allowing hibernating servers to be "stable" or "fast".
    - On Windows, we were preventing other processes from reading cached-routers while Tor was running. (Reported by janbar)
    - Make the NodeFamilies config option work. (Reported by lodger -- it has never actually worked, even though we added it in Oct 2004.)
    - Check return values from pthread_mutex functions.
    - Don't save non-general-purpose router descriptors to the disk cache, because we have no way of remembering what their purpose was when we restart.
    - Add even more asserts to hunt down bug 417.
    - Build without verbose warnings even on (not-yet-released) gcc 4.2.
    - Fix a possible (but very unlikely) bug in picking routers by bandwidth. Add a log message to confirm that it is in fact unlikely.
  o Minor bugfixes (controller):
    - Make 'getinfo fingerprint' return a 551 error if we're not a server, so we match what the control spec claims we do. Reported by daejees.
    - Fix a typo in an error message when extendcircuit fails that caused us to not follow the \r\n-based delimiter protocol. Reported by daejees.
  o Code simplifications and refactoring:
    - Stop passing around circuit_t and crypt_path_t pointers that are implicit in other procedure arguments.
    - Drop the old code to choke directory connections when the corresponding OR connections got full: thanks to the cell queue feature, OR conns don't get full any more.
    - Make dns_resolve() handle attaching connections to circuits properly, so the caller doesn't have to.
    - Rename wants_to_read and wants_to_write to read/write_blocked_on_bw.
    - Keep the connection array as a dynamic smartlist_t, rather than as a fixed-sized array. This is important, as the number of connections is becoming increasingly decoupled from the number of sockets.

Changes in version 0.1.2.14 - 2007-05-25
  o Directory authority changes:
    - Two directory authorities (moria1 and moria2) just moved to new IP addresses. This change will particularly affect those who serve or use hidden services.
  o Major bugfixes (crashes):
    - If a directory server runs out of space in the connection table as it's processing a begin_dir request, it will free the exit stream but leave it attached to the circuit, leading to unpredictable behavior. (Reported by seeess, fixes bug 425.)
    - Fix a bug in dirserv_remove_invalid() that would cause authorities to corrupt memory under some really unlikely scenarios.
    - Tighten router parsing rules. (Bugs reported by Benedikt Boss.)
    - Avoid segfaults when reading from mmaped descriptor file. (Reported by lodger.)
  o Major bugfixes (security):
    - When choosing an entry guard for a circuit, avoid using guards that are in the same family as the chosen exit -- not just guards that are exactly the chosen exit. (Reported by lodger.)
  o Major bugfixes (resource management):
    - If a directory authority is down, skip it when deciding where to get networkstatus objects or descriptors. Otherwise we keep asking every 10 seconds forever. Fixes bug 384.
    - Count it as a failure if we fetch a valid network-status but we don't want to keep it. Otherwise we'll keep fetching it and keep not wanting to keep it. Fixes part of bug 422.
    - If all of our dirservers have given us bad or no networkstatuses lately, then stop hammering them once per minute even when we think they're failed. Fixes another part of bug 422.
  o Minor bugfixes:
    - Actually set the purpose correctly for descriptors inserted with purpose=controller.
    - When we have k non-v2 authorities in our DirServer config, we ignored the last k authorities in the list when updating our network-statuses.
    - Correctly back-off from requesting router descriptors that we are having a hard time downloading.
    - Read resolv.conf files correctly on platforms where read() returns partial results on small file reads.
    - Don't rebuild the entire router store every time we get 32K of routers: rebuild it when the journal gets very large, or when the gaps in the store get very large.
  o Minor features:
    - When routers publish SVN revisions in their router descriptors, authorities now include those versions correctly in networkstatus documents.
    - Warn when using a version of libevent before 1.3b to run a server on OSX or BSD: these versions interact badly with userspace threads.

Changes in version 0.1.2.13 - 2007-04-24
  o Minor fixes:
    - Fix a memory leak when we ask for "all" networkstatuses and we get one we don't recognize.
    - Add more asserts to hunt down bug 417.
    - Disable kqueue on OS X 10.3 and earlier, to fix bug 371.

Changes in version 0.1.2.12-rc - 2007-03-16
  o Major bugfixes:
    - Fix an infinite loop introduced in 0.1.2.7-alpha when we serve directory information requested inside Tor connections (i.e. via begin_dir cells). It only triggered when the same connection was serving other data at the same time. Reported by seeess.
  o Minor bugfixes:
    - When creating a circuit via the controller, send a 'launched' event when we're done, so we follow the spec better.

Changes in version 0.1.2.11-rc - 2007-03-15
  o Minor bugfixes (controller), reported by daejees:
    - Correct the control spec to match how the code actually responds to 'getinfo addr-mappings/*'.
    - The control spec described a GUARDS event, but the code implemented a GUARD event. Standardize on GUARD, but let people ask for GUARDS too.

Changes in version 0.1.2.10-rc - 2007-03-07
  o Major bugfixes (Windows):
    - Do not load the NT services library functions (which may not exist) just to detect if we're a service trying to shut down. Now we run on Win98 and friends again.
  o Minor bugfixes (other):
    - Clarify a couple of log messages.
    - Fix a misleading socks5 error number.

Changes in version 0.1.2.9-rc - 2007-03-02
  o Major bugfixes (Windows):
    - On MinGW, use "%I64u" to printf/scanf 64-bit integers, instead of the usual GCC "%llu". This prevents a bug when saving 64-bit int configuration values: the high-order 32 bits would get truncated. In particular, we were being bitten by the default MaxAdvertisedBandwidth of 128 TB turning into 0. (Fixes bug 400 and maybe also bug 397.)
  o Minor bugfixes (performance):
    - Use OpenSSL's AES implementation on platforms where it's faster. This could save us as much as 10% CPU usage.
  o Minor bugfixes (server):
    - Do not rotate onion key immediately after setting it for the first time.
  o Minor bugfixes (directory authorities):
    - Stop calling servers that have been hibernating for a long time "stable". Also, stop letting hibernating or obsolete servers affect uptime and bandwidth cutoffs.
    - Stop listing hibernating servers in the v1 directory.
  o Minor bugfixes (hidden services):
    - Upload hidden service descriptors slightly less often, to reduce load on authorities.
  o Minor bugfixes (other):
    - Fix an assert that could trigger if a controller quickly set then cleared EntryNodes. (Bug found by Udo van den Heuvel.)
    - On architectures where sizeof(int)>4, still clamp declarable bandwidth to INT32_MAX.
    - Fix a potential race condition in the rpm installer. Found by Stefan Nordhausen.
    - Try to fix eventdns warnings once and for all: do not treat a dns rcode of 2 as indicating that the server is completely bad; it sometimes means that the server is just bad for the request in question. (may fix the last of bug 326.)
    - Disable encrypted directory connections when we don't have a server descriptor for the destination. We'll get this working again in the 0.2.0 branch.

Changes in version 0.1.2.8-beta - 2007-02-26
  o Major bugfixes (crashes):
    - Stop crashing when the controller asks us to resetconf more than one config option at once. (Vidalia 0.0.11 does this.)
    - Fix a crash that happened on Win98 when we're given command-line arguments: don't try to load NT service functions from advapi32.dll except when we need them. (Bug introduced in 0.1.2.7-alpha; resolves bug 389.)
    - Fix a longstanding obscure crash bug that could occur when we run out of DNS worker processes. (Resolves bug 390.)
  o Major bugfixes (hidden services):
    - Correctly detect whether hidden service descriptor downloads are in-progress. (Suggested by Karsten Loesing; fixes bug 399.)
  o Major bugfixes (accounting):
    - When we start during an accounting interval before it's time to wake up, remember to wake up at the correct time. (May fix bug 342.)
  o Minor bugfixes (controller):
    - Give the controller END_STREAM_REASON_DESTROY events _before_ we clear the corresponding on_circuit variable, and remember later that we don't need to send a redundant CLOSED event. (Resolves part 3 of bug 367.)
    - Report events where a resolve succeeded or where we got a socks protocol error correctly, rather than calling both of them "INTERNAL".
    - Change reported stream target addresses to IP consistently when we finally get the IP from an exit node.
    - Send log messages to the controller even if they happen to be very long.
  o Minor bugfixes (other):
    - Display correct results when reporting which versions are recommended, and how recommended they are. (Resolves bug 383.)
    - Improve our estimates for directory bandwidth to be less random: guess that an unrecognized directory will have the average bandwidth from all known directories, not that it will have the average bandwidth from those directories earlier than it on the list.
    - If we start a server with ClientOnly 1, then set ClientOnly to 0 and hup, stop triggering an assert based on an empty onion_key.
    - On platforms with no working mmap() equivalent, don't warn the user when cached-routers doesn't exist.
    - Warn the user when mmap() [or its equivalent] fails for some reason other than file-not-found.
    - Don't warn the user when cached-routers.new doesn't exist: that's perfectly fine when starting up for the first time.
    - When EntryNodes are configured, rebuild the guard list to contain, in order: the EntryNodes that were guards before; the rest of the EntryNodes; the nodes that were guards before.
    - Mask out all signals in sub-threads; only the libevent signal handler should be processing them. This should prevent some crashes on some machines using pthreads. (Patch from coderman.)
    - Fix switched arguments on memset in the implementation of tor_munmap() for systems with no mmap() call.
    - When Tor receives a router descriptor that it asked for, but no longer wants (because it has received fresh networkstatuses in the meantime), do not warn the user. Cache the descriptor if we're a cache; drop it if we aren't.
    - Make earlier entry guards _really_ get retried when the network comes back online.
    - On a malformed DNS reply, always give an error to the corresponding DNS request.
    - Build with recent libevents on platforms that do not define the nonstandard types "u_int8_t" and friends.
  o Minor features (controller):
    - Warn the user when an application uses the obsolete binary v0 control protocol. We're planning to remove support for it during the next development series, so it's good to give people some advance warning.
    - Add STREAM_BW events to report per-entry-stream bandwidth use. (Patch from Robert Hogan.)
    - Rate-limit SIGNEWNYM signals in response to controllers that impolitely generate them for every single stream. (Patch from mwenge; closes bug 394.)
    - Make REMAP stream events have a SOURCE (cache or exit), and make them generated in every case where we get a successful connected or resolved cell.
  o Minor bugfixes (performance):
    - Call router_have_min_dir_info half as often. (This is showing up in some profiles, but not others.)
    - When using GCC, make log_debug never get called at all, and its arguments never get evaluated, when no debug logs are configured. (This is showing up in some profiles, but not others.)
  o Minor features:
    - Remove some never-implemented options. Mark PathlenCoinWeight as obsolete.
    - Implement proposal 106: Stop requiring clients to have well-formed certificates; stop checking nicknames in certificates. (Clients have certificates so that they can look like Tor servers, but in the future we might want to allow them to look like regular TLS clients instead. Nicknames in certificates serve no purpose other than making our protocol easier to recognize on the wire.)
    - Revise messages on handshake failure again to be even more clear about which are incoming connections and which are outgoing.
    - Discard any v1 directory info that's over 1 month old (for directories) or over 1 week old (for running-routers lists).
    - Do not warn when individual nodes in the configuration's EntryNodes, ExitNodes, etc are down: warn only when all possible nodes are down. (Fixes bug 348.)
    - Always remove expired routers and networkstatus docs before checking whether we have enough information to build circuits. (Fixes bug 373.)
    - Put a lower-bound on MaxAdvertisedBandwidth.

Changes in version 0.1.2.7-alpha - 2007-02-06
  o Major bugfixes (rate limiting):
    - Servers decline directory requests much more aggressively when they're low on bandwidth. Otherwise they end up queueing more and more directory responses, which can't be good for latency.
    - But never refuse directory requests from local addresses.
    - Fix a memory leak when sending a 503 response for a networkstatus request.
    - Be willing to read or write on local connections (e.g. controller connections) even when the global rate limiting buckets are empty.
    - If our system clock jumps back in time, don't publish a negative uptime in the descriptor. Also, don't let the global rate limiting buckets go absurdly negative.
    - Flush local controller connection buffers periodically as we're writing to them, so we avoid queueing 4+ megabytes of data before trying to flush.
  o Major bugfixes (NT services):
    - Install as NT_AUTHORITY\LocalService rather than as SYSTEM; add a command-line flag so that admins can override the default by saying "tor --service install --user "SomeUser"". This will not affect existing installed services. Also, warn the user that the service will look for its configuration file in the service user's %appdata% directory. (We can't do the 'hardwire the user's appdata directory' trick any more, since we may not have read access to that directory.)
  o Major bugfixes (other):
    - Previously, we would cache up to 16 old networkstatus documents indefinitely, if they came from nontrusted authorities. Now we discard them if they are more than 10 days old.
    - Fix a crash bug in the presence of DNS hijacking (reported by Andrew Del Vecchio).
    - Detect and reject malformed DNS responses containing circular pointer loops.
    - If exits are rare enough that we're not marking exits as guards, ignore exit bandwidth when we're deciding the required bandwidth to become a guard.
    - When we're handling a directory connection tunneled over Tor, don't fill up internal memory buffers with all the data we want to tunnel; instead, only add it if the OR connection that will eventually receive it has some room for it. (This can lead to slowdowns in tunneled dir connections; a better solution will have to wait for 0.2.0.)
  o Minor bugfixes (dns):
    - Add some defensive programming to eventdns.c in an attempt to catch possible memory-stomping bugs.
    - Detect and reject DNS replies containing IPv4 or IPv6 records with an incorrect number of bytes. (Previously, we would ignore the extra bytes.)
    - Fix as-yet-unused reverse IPv6 lookup code so it sends nybbles in the correct order, and doesn't crash.
    - Free memory held in recently-completed DNS lookup attempts on exit. This was not a memory leak, but may have been hiding memory leaks.
    - Handle TTL values correctly on reverse DNS lookups.
    - Treat failure to parse resolv.conf as an error.
  o Minor bugfixes (other):
    - Fix crash with "tor --list-fingerprint" (reported by seeess).
    - When computing clock skew from directory HTTP headers, consider what time it was when we finished asking for the directory, not what time it is now.
    - Expire socks connections if they spend too long waiting for the handshake to finish. Previously we would let them sit around for days, if the connecting application didn't close them either.
    - And if the socks handshake hasn't started, don't send a "DNS resolve socks failed" handshake reply; just close it.
    - Stop using C functions that OpenBSD's linker doesn't like.
    - Don't launch requests for descriptors unless we have networkstatuses from at least half of the authorities. This delays the first download slightly under pathological circumstances, but can prevent us from downloading a bunch of descriptors we don't need.
    - Do not log IPs with TLS failures for incoming TLS connections. (Fixes bug 382.)
    - If the user asks to use invalid exit nodes, be willing to use unstable ones.
    - Stop using the reserved ac_cv namespace in our configure script.
    - Call stat() slightly less often; use fstat() when possible.
    - Refactor the way we handle pending circuits when an OR connection completes or fails, in an attempt to fix a rare crash bug.
    - Only rewrite a conn's address based on X-Forwarded-For: headers if it's a parseable public IP address; and stop adding extra quotes to the resulting address.
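The two eventdns hardenings listed in the 0.1.2.7-alpha entries above, rejecting replies whose compression pointers form a loop and rejecting A/AAAA records with the wrong number of RDATA bytes, as an added example that is not Tor's eventdns.c: a defensive parser for a reply with one question and one answer, run over three constructed replies. The function names, the 64-jump cap and the one-question/one-answer layout are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME     255  /* RFC 1035 wire-format name limit */
#define DNS_MAX_POINTERS 64   /* cap on compression jumps per name (assumed value) */

/* Decode one (possibly compressed) name at *offp into out; returns 0 and moves *offp
 * past the name as it sits in the packet (past the first pointer), or -1 if malformed. */
static int dns_read_name(const uint8_t *pkt, size_t len, size_t *offp,
                         char *out, size_t outlen)
{
    size_t off = *offp, next = 0, outpos = 0, wirelen = 0, jumps = 0;
    int jumped = 0;
    for (;;) {
        if (off >= len) return -1;
        uint8_t c = pkt[off];
        if ((c & 0xC0) == 0xC0) {                /* two-byte compression pointer */
            if (off + 1 >= len) return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | pkt[off + 1];
            if (!jumped) { next = off + 2; jumped = 1; }
            /* RFC 1035 pointers refer to a prior occurrence: reject self-references
             * and forward jumps outright. A cycle through mis-aligned label bytes
             * (see LOOP_REPLY) is ended by the jump cap and the 255-byte budget. */
            if (target >= off || ++jumps > DNS_MAX_POINTERS) return -1;
            off = target;
            continue;
        }
        if (c & 0xC0) return -1;                 /* reserved label types 0x40/0x80 */
        off++;
        if (c == 0) {                            /* root label ends the name */
            if (outpos == 0) { if (outlen < 2) return -1; out[outpos++] = '.'; }
            out[outpos] = '\0';
            *offp = jumped ? next : off;
            return 0;
        }
        wirelen += (size_t)c + 1;
        if (wirelen > DNS_MAX_NAME || off + c > len) return -1;
        if (outpos + c + 2 > outlen) return -1;
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, pkt + off, c);
        outpos += c;
        off += c;
    }
}

typedef struct { char name[256]; uint16_t type, rclass, rdlength;
                 uint32_t ttl; size_t rdata_off; } dns_rr_t;

/* Parse one RR. RDATA must lie inside the packet, and an A or AAAA record must
 * carry exactly 4 or 16 bytes: extra bytes are an error, not something to skip. */
static int dns_read_rr(const uint8_t *pkt, size_t len, size_t *offp, dns_rr_t *rr)
{
    size_t off = *offp;
    if (dns_read_name(pkt, len, &off, rr->name, sizeof rr->name) < 0) return -1;
    if (off + 10 > len) return -1;               /* TYPE, CLASS, TTL, RDLENGTH */
    rr->type     = (uint16_t)(pkt[off] << 8 | pkt[off + 1]);
    rr->rclass   = (uint16_t)(pkt[off + 2] << 8 | pkt[off + 3]);
    rr->ttl      = (uint32_t)pkt[off + 4] << 24 | (uint32_t)pkt[off + 5] << 16 |
                   (uint32_t)pkt[off + 6] << 8  | pkt[off + 7];
    rr->rdlength = (uint16_t)(pkt[off + 8] << 8 | pkt[off + 9]);
    off += 10;
    if (off + rr->rdlength > len) return -1;
    if (rr->type == 1  && rr->rdlength != 4)  return -1;   /* A */
    if (rr->type == 28 && rr->rdlength != 16) return -1;   /* AAAA */
    rr->rdata_off = off;
    *offp = off + rr->rdlength;
    return 0;
}

static dns_rr_t last_answer;                     /* filled in by dns_reply_ok() */
/* Validate a reply with one question and one answer (the header counts are
 * assumed rather than checked, to keep the example short). 0 = well-formed. */
static int dns_reply_ok(const uint8_t *pkt, size_t len)
{
    char qname[256];
    size_t off = 12;                             /* skip the fixed header */
    if (len < 12 || dns_read_name(pkt, len, &off, qname, sizeof qname) < 0) return -1;
    off += 4;                                    /* QTYPE + QCLASS */
    return off > len ? -1 : dns_read_rr(pkt, len, &off, &last_answer);
}

/* Constructed replies, not captured traffic: header, question, one answer. */
static const uint8_t GOOD_REPLY[] = { 0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1,
    0xC0,0x0C, 0,1, 0,1, 0,0,0x0E,0x10, 0,4, 192,0,2,1 };
static const uint8_t LOOP_REPLY[] = { 0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,
    1,'a', 0xC0,0x0C, 0,1, 0,1,            /* QNAME: label "a", then a pointer */
    0xC0,0x0C, 0,1, 0,1, 0,0,0x0E,0x10, 0,4, 192,0,2,1 }; /* back to 12: a cycle */
static const uint8_t BADLEN_REPLY[] = { 0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1,
    0xC0,0x0C, 0,1, 0,1, 0,0,0x0E,0x10, 0,5, 192,0,2,1,0 }; /* A with 5 RDATA bytes */

int main(void)
{
    printf("good: %d", dns_reply_ok(GOOD_REPLY, sizeof GOOD_REPLY));
    printf(" (%s, ttl %u)\n", last_answer.name, (unsigned)last_answer.ttl);
    printf("loop: %d\nbadlen: %d\n", dns_reply_ok(LOOP_REPLY, sizeof LOOP_REPLY),
           dns_reply_ok(BADLEN_REPLY, sizeof BADLEN_REPLY));
    return 0;
}
```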
  o Major features:
    - Weight directory requests by advertised bandwidth. Now we can let servers enable write limiting but still allow most clients to succeed at their directory requests. (We still ignore weights when choosing a directory authority; I hope this is a feature.)
  o Minor features:
    - Create a new file ReleaseNotes which was the old ChangeLog. The new ChangeLog file now includes the summaries for all development versions too.
    - Check for addresses with invalid characters at the exit as well as at the client, and warn less verbosely when they fail. You can override this by setting ServerDNSAllowNonRFC953Addresses to 1.
    - Adapt a patch from goodell to let the contrib/exitlist script take arguments rather than require direct editing.
    - Inform the server operator when we decide not to advertise a DirPort due to AccountingMax enabled or a low BandwidthRate. It was confusing Zax, so now we're hopefully more helpful.
    - Bring us one step closer to being able to establish an encrypted directory tunnel without knowing a descriptor first. Still not ready yet. As part of the change, now assume we can use a create_fast cell if we don't know anything about a router.
    - Allow exit nodes to use nameservers running on ports other than 53.
    - Servers now cache reverse DNS replies.
    - Add an --ignore-missing-torrc command-line option so that we can get the "use sensible defaults if the configuration file doesn't exist" behavior even when specifying a torrc location on the command line.
  o Minor features (controller):
    - Track reasons for OR connection failure; make these reasons available via the controller interface. (Patch from Mike Perry.)
    - Add a SOCKS_BAD_HOSTNAME client status event so controllers can learn when clients are sending malformed hostnames to Tor.
    - Clean up documentation for controller status events.
    - Add a REMAP status to stream events to note that a stream's address has changed because of a cached address or a MapAddress directive.

Changes in version 0.1.2.6-alpha - 2007-01-09
  o Major bugfixes:
    - Fix an assert error introduced in 0.1.2.5-alpha: if a single TLS connection handles more than 4 gigs in either direction, we crash.
    - Fix an assert error introduced in 0.1.2.5-alpha: if we're an advertised exit node, somebody might try to exit from us when we're bootstrapping and before we've built our descriptor yet. Refuse the connection rather than crashing.
  o Minor bugfixes:
    - Warn if we (as a server) find that we've resolved an address that we weren't planning to resolve.
    - Warn that using select() on any libevent version before 1.1 will be unnecessarily slow (even for select()).
    - Flush ERR-level controller status events just like we currently flush ERR-level log events, so that a Tor shutdown doesn't prevent the controller from learning about current events.
  o Minor features (more controller status events):
    - Implement EXTERNAL_ADDRESS server status event so controllers can learn when our address changes.
    - Implement BAD_SERVER_DESCRIPTOR server status event so controllers can learn when directories reject our descriptor.
    - Implement SOCKS_UNKNOWN_PROTOCOL client status event so controllers can learn when a client application is speaking a non-socks protocol to our SocksPort.
    - Implement DANGEROUS_SOCKS client status event so controllers can learn when a client application is leaking DNS addresses.
    - Implement BUG general status event so controllers can learn when Tor is unhappy about its internal invariants.
    - Implement CLOCK_SKEW general status event so controllers can learn when Tor thinks the system clock is set incorrectly.
    - Implement GOOD_SERVER_DESCRIPTOR and ACCEPTED_SERVER_DESCRIPTOR server status events so controllers can learn when their descriptors are accepted by a directory.
    - Implement CHECKING_REACHABILITY and REACHABILITY_{SUCCEEDED|FAILED} server status events so controllers can learn about Tor's progress in deciding whether it's reachable from the outside.
    - Implement BAD_LIBEVENT general status event so controllers can learn when we have a version/method combination in libevent that needs to be changed.
    - Implement NAMESERVER_STATUS, NAMESERVER_ALL_DOWN, DNS_HIJACKED, and DNS_USELESS server status events so controllers can learn about changes to DNS server status.
  o Minor features (directory):
    - Authorities no longer recommend exits as guards if this would shift too much load to the exit nodes.

Changes in version 0.1.2.5-alpha - 2007-01-06
  o Major features:
    - Enable write limiting as well as read limiting. Now we sacrifice capacity if we're pushing out lots of directory traffic, rather than overrunning the user's intended bandwidth limits.
    - Include TLS overhead when counting bandwidth usage; previously, we would count only the bytes sent over TLS, but not the bytes used to send them.
    - Support running the Tor service with a torrc not in the same directory as tor.exe and default to using the torrc located in the %appdata%\Tor\ of the user who installed the service. Patch from Matt Edman.
    - Servers now check for the case when common DNS requests are going to wildcarded addresses (i.e. all getting the same answer), and change their exit policy to reject *:* if it's happening.
    - Implement BEGIN_DIR cells, so we can connect to the directory server via TLS to do encrypted directory requests rather than plaintext. Enable via the TunnelDirConns and PreferTunneledDirConns config options if you like.
  o Minor features (config and docs):
    - Start using the state file to store bandwidth accounting data: the bw_accounting file is now obsolete. We'll keep generating it for a while for people who are still using 0.1.2.4-alpha.
    - Try to batch changes to the state file so that we do as few disk writes as possible while still storing important things in a timely fashion.
    - The state file and the bw_accounting file get saved less often when the AvoidDiskWrites config option is set.
    - Make PIDFile work on Windows (untested).
    - Add internal descriptions for a bunch of configuration options: accessible via controller interface and in comments in saved options files.
    - Reject *:563 (NNTPS) in the default exit policy. We already reject NNTP by default, so this seems like a sensible addition.
    - Clients now reject hostnames with invalid characters. This should avoid some inadvertent info leaks. Add an option AllowNonRFC953Hostnames to disable this behavior, in case somebody is running a private network with hosts called @, !, and #.
    - Add a maintainer script to tell us which options are missing documentation: "make check-docs".
    - Add a new address-spec.txt document to describe our special-case addresses: .exit, .onion, and .noconnect.
  o Minor features (DNS):
    - Ongoing work on eventdns infrastructure: now it has dns server and ipv6 support. One day Tor will make use of it.
    - Add client-side caching for reverse DNS lookups.
    - Add support to tor-resolve tool for reverse lookups and SOCKS5.
    - When we change nameservers or IP addresses, reset and re-launch our tests for DNS hijacking.
  o Minor features (directory):
    - Authorities now specify server versions in networkstatus. This adds about 2% to the size of compressed networkstatus docs, and allows clients to tell which servers support BEGIN_DIR and which don't. The implementation is forward-compatible with a proposed future protocol version scheme not tied to Tor versions.
    - DirServer configuration lines now have an orport= option so clients can open encrypted tunnels to the authorities without having downloaded their descriptors yet. Enabled for moria1, moria2, tor26, and lefkada now in the default configuration.
    - Directory servers are more willing to send a 503 "busy" if they are near their write limit, especially for v1 directory requests. Now they can use their limited bandwidth for actual Tor traffic.
    - Clients track responses with status 503 from dirservers.
      After a dirserver has given us a 503, we try not to use it until an hour has gone by, or until we have no dirservers that haven't given us a 503.
    - When we get a 503 from a directory, and we're not a server, we don't count the failure against the total number of failures allowed for the thing we're trying to download.
    - Report X-Your-Address-Is correctly from tunneled directory connections; don't report X-Your-Address-Is when it's an internal address; and never believe reported remote addresses when they're internal.
    - Protect against an unlikely DoS attack on directory servers.
    - Add a BadDirectory flag to network status docs so that authorities can (eventually) tell clients about caches they believe to be broken.
  o Minor features (controller):
    - Have GETINFO dir/status/* work on hosts with DirPort disabled.
    - Reimplement GETINFO so that info/names stays in sync with the actual keys.
    - Implement "GETINFO fingerprint".
    - Implement "SETEVENTS GUARD" so controllers can get updates on entry guard status as it changes.
  o Minor features (clean up obsolete pieces):
    - Remove some options that have been deprecated since at least 0.1.0.x: AccountingMaxKB, LogFile, DebugLogFile, LogLevel, and SysLog. Use AccountingMax instead of AccountingMaxKB, and use Log to set log options.
    - We no longer look for identity and onion keys in "identity.key" and "onion.key" -- these were replaced by secret_id_key and secret_onion_key in 0.0.8pre1.
    - We no longer require unrecognized directory entries to be preceded by "opt".
  o Major bugfixes (security):
    - Stop sending the HttpProxyAuthenticator string to directory servers when directory connections are tunnelled through Tor.
    - Clients no longer store bandwidth history in the state file.
    - Do not log introduction points for hidden services if SafeLogging is set.
    - When generating bandwidth history, round down to the nearest 1k. When storing accounting data, round up to the nearest 1k.
    - When we're running as a server, remember when we last rotated onion keys, so that we will rotate keys once they're a week old even if we never stay up for a week ourselves.
  o Major bugfixes (other):
    - Fix a longstanding bug in eventdns that prevented the count of timed-out resolves from ever being reset. This bug caused us to give up on a nameserver the third time it timed out, and try it 10 seconds later... and to give up on it every time it timed out after that.
    - Take out the '5 second' timeout from the connection retry schedule. Now the first connect attempt will wait a full 10 seconds before switching to a new circuit. Perhaps this will help a lot. Based on observations from Mike Perry.
    - Fix a bug on the Windows implementation of tor_mmap_file() that would prevent the cached-routers file from ever loading. Reported by John Kimble.
  o Minor bugfixes:
    - Fix an assert failure when a directory authority sets AuthDirRejectUnlisted and then receives a descriptor from an unlisted router. Reported by seeess.
    - Avoid a double-free when parsing malformed DirServer lines.
    - Fix a bug when a BSD-style PF socket is first used. Patch from Fabian Keil.
    - Fix a bug in 0.1.2.2-alpha that prevented clients from asking to resolve an address at a given exit node even when they ask for it by name.
    - Servers no longer ever list themselves in their "family" line, even if configured to do so. This makes it easier to configure family lists conveniently.
    - When running as a server, don't fall back to 127.0.0.1 when no nameservers are configured in /etc/resolv.conf; instead, make the user fix resolv.conf or specify nameservers explicitly. (Resolves bug 363.)
    - Stop accepting certain malformed ports in configured exit policies.
    - Don't re-write the fingerprint file every restart, unless it has changed.
    - Stop warning when a single nameserver fails: only warn when _all_ of our nameservers have failed. Also, when we only have one nameserver, raise the threshold for deciding that the nameserver is dead.
    - Directory authorities now only decide that routers are reachable if their identity keys are as expected.
    - When the user uses bad syntax in the Log config line, stop suggesting other bad syntax as a replacement.
    - Correctly detect ipv6 DNS capability on OpenBSD.
  o Minor bugfixes (controller):
    - Report the circuit number correctly in STREAM CLOSED events. Bug reported by Mike Perry.
    - Do not report bizarre values for results of accounting GETINFOs when the last second's write or read exceeds the allotted bandwidth.
    - Report "unrecognized key" rather than an empty string when the controller tries to fetch a networkstatus that doesn't exist.

Changes in version 0.1.1.26 - 2006-12-14
  o Security bugfixes:
    - Stop sending the HttpProxyAuthenticator string to directory servers when directory connections are tunnelled through Tor.
    - Clients no longer store bandwidth history in the state file.
    - Do not log introduction points for hidden services if SafeLogging is set.
  o Minor bugfixes:
    - Fix an assert failure when a directory authority sets AuthDirRejectUnlisted and then receives a descriptor from an unlisted router (reported by seeess).

Changes in version 0.1.2.4-alpha - 2006-12-03
  o Major features:
    - Add support for using natd; this allows FreeBSDs earlier than 5.1.2 to have ipfw send connections through Tor without using SOCKS. (Patch from Zajcev Evgeny with tweaks from tup.)
  o Minor features:
    - Make all connections to addresses of the form ".noconnect" immediately get closed. This lets application/controller combos successfully test whether they're talking to the same Tor by watching for STREAM events.
    - Make cross.sh cross-compilation script work even when autogen.sh hasn't been run. (Patch from Michael Mohr.)
    - Statistics dumped by -USR2 now include a breakdown of public key operations, for profiling.
  o Major bugfixes:
    - Fix a major leak when directory authorities parse their approved-routers list, a minor memory leak when we fail to pick an exit node, and a few rare leaks on errors.
    - Handle TransPort connections even when the server sends data before the client sends data. Previously, the connection would just hang until the client sent data. (Patch from tup based on patch from Zajcev Evgeny.)
    - Avoid assert failure when our cached-routers file is empty on startup.
  o Minor bugfixes:
    - Don't log spurious warnings when we see a circuit close reason we don't recognize; it's probably just from a newer version of Tor.
    - Have directory authorities allow larger amounts of drift in uptime without replacing the server descriptor: previously, a server that restarted every 30 minutes could have 48 "interesting" descriptors per day.
    - Start linking to the Tor specification and Tor reference manual correctly in the Windows installer.
    - Add Vidalia to the OS X uninstaller script, so when we uninstall Tor/Privoxy we also uninstall Vidalia.
    - Resume building on Irix64, and fix a lot of warnings from its MIPSpro C compiler.
    - Don't corrupt last_guessed_ip in router_new_address_suggestion() when we're running as a client.

Changes in version 0.1.1.25 - 2006-11-04
  o Major bugfixes:
    - When a client asks us to resolve (rather than connect to) an address, and we have a cached answer, give them the cached answer. Previously, we would give them no answer at all.
    - We were building exactly the wrong circuits when we predict hidden service requirements, meaning Tor would have to build all its circuits on demand.
    - If none of our live entry guards have a high uptime, but we require a guard with a high uptime, try adding a new guard before we give up on the requirement. This patch should make long-lived connections more stable on average.
    - When testing reachability of our DirPort, don't launch new tests when there's already one in progress -- unreachable servers were stacking up dozens of testing streams.
  o Security bugfixes:
    - When the user sends a NEWNYM signal, clear the client-side DNS cache too. Otherwise we continue to act on previous information.
  o Minor bugfixes:
    - Avoid a memory corruption bug when creating a hash table for the first time.
    - Avoid possibility of controller-triggered crash when misusing certain commands from a v0 controller on platforms that do not handle printf("%s",NULL) gracefully.
    - Avoid infinite loop on unexpected controller input.
    - Don't log spurious warnings when we see a circuit close reason we don't recognize; it's probably just from a newer version of Tor.
    - Add Vidalia to the OS X uninstaller script, so when we uninstall Tor/Privoxy we also uninstall Vidalia.

Changes in version 0.1.2.3-alpha - 2006-10-29
  o Minor features:
    - Prepare for servers to publish descriptors less often: never discard a descriptor simply for being too old until either it is recommended by no authorities, or until we get a better one for the same router. Make caches consider retaining old recommended routers for even longer.
    - If most authorities set a BadExit flag for a server, clients don't think of it as a general-purpose exit. Clients only consider authorities that advertise themselves as listing bad exits.
    - Directory servers now provide 'Pragma: no-cache' and 'Expires' headers for content, so that we can work better in the presence of caching HTTP proxies.
    - Allow authorities to list nodes as bad exits by fingerprint or by address.
  o Minor features, controller:
    - Add a REASON field to CIRC events; for backward compatibility, this field is sent only to controllers that have enabled the extended event format. Also, add additional reason codes to explain why a given circuit has been destroyed or truncated. (Patches from Mike Perry)
    - Add a REMOTE_REASON field to extended CIRC events to tell the controller about why a remote OR told us to close a circuit.
    - Stream events also now have REASON and REMOTE_REASON fields, working much like those for circuit events.
    - There's now a GETINFO ns/... field so that controllers can ask Tor about the current status of a router.
    - A new event type "NS" to inform a controller when our opinion of a router's status has changed.
    - Add a GETINFO events/names and GETINFO features/names so controllers can tell which events and features are supported.
    - A new CLEARDNSCACHE signal to allow controllers to clear the client-side DNS cache without expiring circuits.
  o Security bugfixes:
    - When the user sends a NEWNYM signal, clear the client-side DNS cache too. Otherwise we continue to act on previous information.
  o Minor bugfixes:
    - Avoid sending junk to controllers or segfaulting when a controller uses EVENT_NEW_DESC with verbose nicknames.
    - Stop triggering asserts if the controller tries to extend hidden service circuits (reported by mwenge).
    - Avoid infinite loop on unexpected controller input.
    - When the controller does a "GETINFO network-status", tell it about even those routers whose descriptors are very old, and use long nicknames where appropriate.
    - Change NT service functions to be loaded on demand. This lets us build with MinGW without breaking Tor for Windows 98 users.
    - Do DirPort reachability tests less often, since a single test chews through many circuits before giving up.
    - In the hidden service example in torrc.sample, stop recommending esoteric and discouraged hidden service options.
    - When stopping an NT service, wait up to 10 sec for it to actually stop. (Patch from Matt Edman; resolves bug 295.)
    - Fix handling of verbose nicknames with ORCONN controller events: make them show up exactly when requested, rather than exactly when not requested.
    - When reporting verbose nicknames in entry_guards_getinfo(), avoid printing a duplicate "$" in the keys we send (reported by mwenge).
    - Correctly set maximum connection limit on Cygwin. (This time for sure!)
    - Try to detect Windows correctly when cross-compiling.
    - Detect the size of the routers file correctly even if it is corrupted (on systems without mmap) or not page-aligned (on systems with mmap). This bug was harmless.
    - Sometimes we didn't bother sending a RELAY_END cell when an attempt to open a stream fails; now we do in more cases. This should make clients able to find a good exit faster in some cases, since unhandleable requests will now get an error rather than timing out.
    - Resolve two memory leaks when rebuilding the on-disk router cache (reported by fookoowa).
    - Clean up minor code warnings suggested by the MIPSpro C compiler, and reported by some Centos users.
    - Controller signals now work on non-Unix platforms that don't define SIGUSR1 and SIGUSR2 the way we expect.
    - Patch from Michael Mohr to contrib/cross.sh, so it checks more values before failing, and always enables eventdns.
    - Libevent-1.2 exports, but does not define in its headers, strlcpy. Try to fix this in configure.in by checking for most functions before we check for libevent.

Changes in version 0.1.2.2-alpha - 2006-10-07
  o Major features:
    - Make our async eventdns library on-by-default for Tor servers, and plan to deprecate the separate dnsworker threads.
    - Add server-side support for "reverse" DNS lookups (using PTR records so clients can determine the canonical hostname for a given IPv4 address). Only supported by servers using eventdns; servers now announce in their descriptors whether they support eventdns.
    - Specify and implement client-side SOCKS5 interface for reverse DNS lookups (see doc/socks-extensions.txt).
    - Add a BEGIN_DIR relay cell type for an easier in-protocol way to connect to directory servers through Tor. Previously, clients needed to find Tor exits to make private connections to directory servers.
    - Avoid choosing Exit nodes for entry or middle hops when the total bandwidth available from non-Exit nodes is much higher than the total bandwidth available from Exit nodes.
    - Workaround for name servers (like Earthlink's) that hijack failing DNS requests and replace the no-such-server answer with a "helpful" redirect to an advertising-driven search portal. Also work around DNS hijackers who "helpfully" decline to hijack known-invalid RFC2606 addresses. Config option "ServerDNSDetectHijacking 0" lets you turn it off.
    - Send out a burst of long-range padding cells once we've established that we're reachable. Spread them over 4 circuits, so hopefully a few will be fast. This exercises our bandwidth and bootstraps us into the directory more quickly.
  o New/improved config options:
    - Add new config option "ResolvConf" to let the server operator choose an alternate resolv.conf file when using eventdns.
    - Add an "EnforceDistinctSubnets" option to control our "exclude servers on the same /16" behavior. It's still on by default; this is mostly for people who want to operate private test networks with all the machines on the same subnet.
    - If one of our entry guards is on the ExcludeNodes list, or the directory authorities don't think it's a good guard, treat it as if it were unlisted: stop using it as a guard, and throw it off the guards list if it stays that way for a long time.
    - Allow directory authorities to be marked separately as authorities for the v1 directory protocol, the v2 directory protocol, and as hidden service directories, to make it easier to retire old authorities. V1 authorities should set "HSAuthoritativeDir 1" to continue being hidden service authorities too.
    - Remove 8888 as a LongLivedPort, and add 6697 (IRCS).
  o Minor features, controller:
    - Fix CIRC controller events so that controllers can learn the identity digests of non-Named servers used in circuit paths.
    - Let controllers ask for more useful identifiers for servers. Instead of learning identity digests for un-Named servers and nicknames for Named servers, the new identifiers include digest, nickname, and indication of Named status. Off by default; see control-spec.txt for more information.
    - Add a "getinfo address" controller command so it can display Tor's best guess to the user.
    - New controller event to alert the controller when our server descriptor has changed.
    - Give more meaningful errors on controller authentication failure.
  o Minor features, other:
    - When asked to resolve a hostname, don't use non-exit servers unless requested to do so. This allows servers with broken DNS to be useful to the network.
    - Divide eventdns log messages into warn and info messages.
    - Reserve the nickname "Unnamed" for routers that can't pick a hostname: any router can call itself Unnamed; directory authorities will never allocate Unnamed to any particular router; clients won't believe that any router is the canonical Unnamed.
    - Only include function names in log messages for info/debug messages. For notice/warn/err, the content of the message should be clear on its own, and printing the function name only confuses users.
    - Avoid some false positives during reachability testing: don't try to test via a server that's on the same /24 as us.
    - If we fail to build a circuit to an intended enclave, and it's not mandatory that we use that enclave, stop wanting it.
    - When eventdns is enabled, allow multithreaded builds on NetBSD and OpenBSD. (We had previously disabled threads on these platforms because they didn't have working thread-safe resolver functions.)
  o Major bugfixes, anonymity/security:
    - If a client asked for a server by name, and there's a named server in our network-status but we don't have its descriptor yet, we could return an unnamed server instead.
    - Fix NetBSD bug that could allow someone to force uninitialized RAM to be sent to a server's DNS resolver. This only affects NetBSD and other platforms that do not bounds-check tolower().
    - Reject (most) attempts to use Tor circuits with length one. (If many people start using Tor as a one-hop proxy, exit nodes become a more attractive target for compromise.)
    - Just because your DirPort is open doesn't mean people should be able to remotely teach you about hidden service descriptors. Now only accept rendezvous posts if you've got HSAuthoritativeDir set.
  o Major bugfixes, other:
    - Don't crash on race condition in dns.c: tor_assert(!resolve->expire)
    - When a client asks the server to resolve (not connect to) an address, and it has a cached answer, give them the cached answer. Previously, the server would give them no answer at all.
    - Allow really slow clients to not hang up five minutes into their directory downloads (suggested by Adam J. Richter).
    - We were building exactly the wrong circuits when we anticipated hidden service requirements, meaning Tor would have to build all its circuits on demand.
    - Avoid crashing when we mmap a router cache file of size 0.
    - When testing reachability of our DirPort, don't launch new tests when there's already one in progress -- unreachable servers were stacking up dozens of testing streams.
  o Minor bugfixes, correctness:
    - If we're a directory mirror and we ask for "all" network status documents, we would discard status documents from authorities we don't recognize.
    - Avoid a memory corruption bug when creating a hash table for the first time.
    - Avoid controller-triggered crash when misusing certain commands from a v0 controller on platforms that do not handle printf("%s",NULL) gracefully.
    - Don't crash when a controller sends a third argument to an "extendcircuit" request.
    - Controller protocol fixes: fix encoding in "getinfo addr-mappings" response; fix error code when "getinfo dir/status/" fails.
    - Avoid crash when telling controller stream-status and a stream is detached.
    - Patch from Adam Langley to fix assert() in eventdns.c.
    - Fix a debug log message in eventdns to say "X resolved to Y" instead of "X resolved to X".
    - Make eventdns give strings for DNS errors, not just error numbers.
    - Track unreachable entry guards correctly: don't conflate 'unreachable by us right now' with 'listed as down by the directory authorities'. With the old code, if a guard was unreachable by us but listed as running, it would clog our guard list forever.
    - Behave correctly in case we ever have a network with more than 2GB/s total advertised capacity.
    - Make TrackExitHosts case-insensitive, and fix the behavior of ".suffix" TrackExitHosts items to avoid matching in the middle of an address.
    - Finally fix the openssl warnings from newer gccs that believe that ignoring a return value is okay, but casting a return value and then ignoring it is a sign of madness.
    - Prevent the contrib/exitlist script from printing the same result more than once.
    - Patch from Steve Hildrey: Generate network status correctly on non-versioning dirservers.
    - Don't listen to the X-Your-Address-Is hint if you did the lookup via Tor; otherwise you'll think you're the exit node's IP address.
  o Minor bugfixes, performance:
    - Two small performance improvements on parsing descriptors.
    - Major performance improvement on inserting descriptors: change algorithm from O(n^2) to O(n).
    - Make the common memory allocation path faster on machines where malloc(0) returns a pointer.
    - Start remembering X-Your-Address-Is directory hints even if you're a client, so you can become a server more smoothly.
    - Avoid duplicate entries on MyFamily line in server descriptor.
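The TrackExitHosts fix above (case-insensitive matching, and ".suffix" items that only match on a label boundary instead of anywhere inside the address) as an added example, not Tor's code; the exact-match rule for items without a leading dot and the choice that ".example.com" does not match the bare "example.com" are assumptions made here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Compare n bytes case-insensitively. The unsigned-char cast keeps tolower()
 * within its defined input range for bytes above 0x7f. */
static bool eq_nocase(const char *a, const char *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; ++i) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    }
    return true;
}

/* Match one TrackExitHosts item against a destination name.
 *   "example.com"  matches exactly that name, any case.
 *   ".example.com" matches names whose tail is ".example.com", i.e. the
 *                  whole item, dot included, so the match always lands on a
 *                  label boundary: "www.example.com" yes, "notexample.com" no,
 *                  "www.example.com.attacker.test" no.
 * The behaviour the changelog fixes was a substring search, which would let
 * the last two names be pinned to the same exit as the real site. */
bool trackexit_item_matches(const char *item, const char *host)
{
    size_t il = strlen(item), hl = strlen(host);
    if (il == 0 || hl == 0)
        return false;
    if (item[0] != '.')
        return il == hl && eq_nocase(item, host, hl);
    if (hl <= il)                 /* bare "example.com" is not a match (assumption) */
        return false;
    return eq_nocase(item, host + (hl - il), il);
}

/* Scan a whole TrackExitHosts list; returns the index of the first item that
 * matches host, or -1 when nothing matches. */
int trackexit_find(const char *const *items, size_t n, const char *host)
{
    size_t i;
    for (i = 0; i < n; ++i) {
        if (trackexit_item_matches(items[i], host))
            return (int)i;
    }
    return -1;
}
```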
  o Packaging, features:
    - Remove architecture from OS X builds. The official builds are now universal binaries.
    - The Debian package now uses --verify-config when (re)starting, to distinguish configuration errors from other errors.
    - Update RPMs to require libevent 1.1b.
  o Packaging, bugfixes:
    - Patches so Tor builds with MinGW on Windows.
    - Patches so Tor might run on Cygwin again.
    - Resume building on non-gcc compilers and ancient gcc. Resume building with the -O0 compile flag. Resume building cleanly on Debian woody.
    - Run correctly on OS X platforms with case-sensitive filesystems.
    - Correct includes for net/if.h and net/pfvar.h on OpenBSD (from Tup).
    - Add autoconf checks so Tor can build on Solaris x86 again.
  o Documentation:
    - Documented (and renamed) ServerDNSSearchDomains and ServerDNSResolvConfFile options.
    - Be clearer that the *ListenAddress directives can be repeated multiple times.

Changes in version 0.1.1.24 - 2006-09-29
  o Major bugfixes:
    - Allow really slow clients to not hang up five minutes into their directory downloads (suggested by Adam J. Richter).
    - Fix major performance regression from 0.1.0.x: instead of checking whether we have enough directory information every time we want to do something, only check when the directory information has changed. This should improve client CPU usage by 25-50%.
    - Don't crash if, after a server has been running for a while, it can't resolve its hostname.
  o Minor bugfixes:
    - Allow Tor to start when RunAsDaemon is set but no logs are set.
    - Don't crash when the controller receives a third argument to an "extendcircuit" request.
    - Controller protocol fixes: fix encoding in "getinfo addr-mappings" response; fix error code when "getinfo dir/status/" fails.
    - Fix configure.in to not produce broken configure files with more recent versions of autoconf. Thanks to Clint for his auto* voodoo.
    - Fix security bug on NetBSD that could allow someone to force uninitialized RAM to be sent to a server's DNS resolver. This only affects NetBSD and other platforms that do not bounds-check tolower().
    - Warn user when using libevent 1.1a or earlier with win32 or kqueue methods: these are known to be buggy.
    - If we're a directory mirror and we ask for "all" network status documents, we would discard status documents from authorities we don't recognize.

Changes in version 0.1.2.1-alpha - 2006-08-27
  o Major features:
    - Add "eventdns" async dns library from Adam Langley, tweaked to build on OSX and Windows. Only enabled if you pass the --enable-eventdns argument to configure.
    - Allow servers with no hostname or IP address to learn their IP address by asking the directory authorities. This code only kicks in when you would normally have exited with a "no address" error. Nothing's authenticated, so use with care.
    - Rather than waiting a fixed amount of time between retrying application connections, we wait only 5 seconds for the first, 10 seconds for the second, and 15 seconds for each retry after that. Hopefully this will improve the expected user experience.
    - Patch from Tup to add support for transparent AP connections: this basically bundles the functionality of trans-proxy-tor into the Tor mainline. Now hosts with compliant pf/netfilter implementations can redirect TCP connections straight to Tor without diverting through SOCKS. Needs docs.
    - Busy directory servers save lots of memory by spooling server descriptors, v1 directories, and v2 networkstatus docs to buffers as needed rather than en masse. Also mmap the cached-routers files, so we don't need to keep the whole thing in memory too.
    - Automatically avoid picking more than one node from the same /16 network when constructing a circuit.
    - Revise and clean up the torrc.sample that we ship with; add a section for BandwidthRate and BandwidthBurst.
  o Minor features:
    - Split circuit_t into origin_circuit_t and or_circuit_t, and split connection_t into edge, or, dir, control, and base structs. These will save quite a bit of memory on busy servers, and they'll also help us track down bugs in the code and bugs in the spec.
    - Experimentally re-enable kqueue on OSX when using libevent 1.1b or later. Log when we are doing this, so we can diagnose it when it fails. (Also, recommend libevent 1.1b for kqueue and win32 methods; deprecate libevent 1.0b harder; make libevent recommendation system saner.)
    - Start being able to build universal binaries on OS X (thanks to Phobos).
    - Export the default exit policy via the control port, so controllers don't need to guess what it is / will be later.
    - Add a man page entry for ProtocolWarnings.
    - Add TestVia config option to the man page.
    - Remove even more protocol-related warnings from Tor server logs, such as bad TLS handshakes and malformed begin cells.
    - Stop fetching descriptors if you're not a dir mirror and you haven't tried to establish any circuits lately. [This currently causes some dangerous behavior, because when you start up again you'll use your ancient server descriptors.]
    - New DirPort behavior: if you have your dirport set, you download descriptors aggressively like a directory mirror, whether or not your ORPort is set.
    - Get rid of the router_retry_connections notion. Now routers no longer try to rebuild long-term connections to directory authorities, and directory authorities no longer try to rebuild long-term connections to all servers. We still don't hang up connections in these two cases though -- we need to look at it more carefully to avoid flapping, and we likely need to wait till 0.1.1.x is obsolete.
    - Drop compatibility with obsolete Tors that permit create cells to have the wrong circ_id_type.
    - Re-enable per-connection rate limiting. Get rid of the "OP bandwidth" concept. Lay groundwork for "bandwidth classes" -- separate global buckets that apply depending on what sort of conn it is.
    - Start publishing one minute or so after we find our ORPort to be reachable. This will help reduce the number of descriptors we have for ourselves floating around, since it's quite likely other things (e.g. DirPort) will change during that minute too.
    - Fork the v1 directory protocol into its own spec document, and mark dir-spec.txt as the currently correct (v2) spec.
  o Major bugfixes:
    - When we find our DirPort to be reachable, publish a new descriptor so we'll tell the world (reported by pnx).
    - Publish a new descriptor after we hup/reload. This is important if our config has changed such that we'll want to start advertising our DirPort now, etc.
    - Allow Tor to start when RunAsDaemon is set but no logs are set.
    - When we have a state file we cannot parse, tell the user and move it aside. Now we avoid situations where the user starts Tor in 1904, Tor writes a state file with that timestamp in it, the user fixes her clock, and Tor refuses to start.
    - Fix configure.in to not produce broken configure files with more recent versions of autoconf. Thanks to Clint for his auto* voodoo.
    - "tor --verify-config" now exits with -1(255) or 0 depending on whether the config options are bad or good.
    - Resolve bug 321 when using dnsworkers: append a period to every address we resolve at the exit node, so that we do not accidentally pick up local addresses, and so that failing searches are retried in the resolver search domains. (This is already solved for eventdns.) (This breaks Blossom servers for now.)
    - If we are using an exit enclave and we can't connect, e.g. because its webserver is misconfigured to not listen on localhost, then back off and try connecting from somewhere else before we fail.
  o Minor bugfixes:
    - Start compiling on MinGW on Windows (patches from Mike Chiussi).
    - Start compiling on MSVC6 on Windows (patches from Frediano Ziglio).
    - Fix bug 314: Tor clients issued "unsafe socks" warnings even when the IP address is mapped through MapAddress to a hostname.
    - Start passing "ipv4" hints to getaddrinfo(), so servers don't do useless IPv6 DNS resolves.
    - Patch suggested by Karsten Loesing: respond to SIGNAL command before we execute the signal, in case the signal shuts us down.
    - Clean up AllowInvalidNodes man page entry.
    - Claim a commonname of Tor, rather than TOR, in TLS handshakes.
    - Add more asserts to track down an assert error on a windows Tor server with connection_add being called with socket == -1.
    - Handle reporting OR_CONN_EVENT_NEW events to the controller.
    - Fix misleading log messages: an entry guard that is "unlisted", as well as not known to be "down" (because we've never heard of it), is not therefore "up".
    - Remove code to special-case "-cvs" ending, since it has not actually mattered since 0.0.9.
    - Make our socks5 handling more robust to broken socks clients: throw out everything waiting on the buffer in between socks handshake phases, since they can't possibly (so the theory goes) have predicted what we plan to respond to them.

Changes in version 0.1.1.23 - 2006-07-30
  o Major bugfixes:
    - Fast Tor servers, especially exit nodes, were triggering asserts due to a bug in handling the list of pending DNS resolves. Some bugs still remain here; we're hunting them.
    - Entry guards could crash clients by sending unexpected input.
    - More fixes on reachability testing: if you find yourself reachable, then don't ever make any client requests (so you stop predicting circuits), then hup or have your clock jump, then later your IP changes, you won't think circuits are working, so you won't try to test reachability, so you won't publish.
  o Minor bugfixes:
    - Avoid a crash if the controller does a resetconf firewallports and then a setconf fascistfirewall=1.
    - Avoid an integer underflow when the dir authority decides whether a router is stable: we might wrongly label it stable, and compute a slightly wrong median stability, when a descriptor is published later than now.
    - Fix a place where we might trigger an assert if we can't build our own server descriptor yet.

Changes in version 0.1.1.22 - 2006-07-05
  o Major bugfixes:
    - Fix a big bug that was causing servers to not find themselves reachable if they changed IP addresses. Since only 0.1.1.22+ servers can do reachability testing correctly, now we automatically make sure to test via one of these.
    - Fix to allow clients and mirrors to learn directory info from descriptor downloads that get cut off partway through.
    - Directory authorities had a bug in deciding if a newly published descriptor was novel enough to make everybody want a copy -- a few servers seem to be publishing new descriptors many times a minute.
  o Minor bugfixes:
    - Fix a rare bug that was causing some servers to complain about "closing wedged cpuworkers" and skip some circuit create requests.
    - Make the Exit flag in directory status documents actually work.

Changes in version 0.1.1.21 - 2006-06-10
  o Crash and assert fixes from 0.1.1.20:
    - Fix a rare crash on Tor servers that have enabled hibernation.
    - Fix a seg fault on startup for Tor networks that use only one directory authority.
    - Fix an assert from a race condition that occurs on Tor servers while exiting, where various threads are trying to log that they're exiting, and delete the logs, at the same time.
    - Make our unit tests pass again on certain obscure platforms.
  o Other fixes:
    - Add support for building SUSE RPM packages.
    - Speed up initial bootstrapping for clients: if we are making our first ever connection to any entry guard, then don't mark it down right after that.
    - When only one Tor server in the network is labelled as a guard, and we've already picked him, we would cycle endlessly picking him again, being unhappy about it, etc. Now we specifically exclude current guards when picking a new guard.
    - Servers send create cells more reliably after the TLS connection is established: we were sometimes forgetting to send half of them when we had more than one pending.
    - If we get a create cell that asks us to extend somewhere, but the Tor server there doesn't match the expected digest, we now send a destroy cell back, rather than silently doing nothing.
    - Make options->RedirectExit work again.
    - Make cookie authentication for the controller work again.
    - Stop being picky about unusual characters in the arguments to mapaddress. It's none of our business.
    - Add a new config option "TestVia" that lets you specify preferred middle hops to use for test circuits. Perhaps this will let me debug the reachability problems better.
  o Log / documentation fixes:
    - If we're a server and some peer has a broken TLS certificate, don't log about it unless ProtocolWarnings is set, i.e., we want to hear about protocol violations by others.
    - Fix spelling of VirtualAddrNetwork in man page.
    - Add a better explanation at the top of the autogenerated torrc file about what happened to our old torrc.

Changes in version 0.1.1.20 - 2006-05-23
  o Bugfixes:
    - Downgrade a log severity where servers complain that they're invalid.
    - Avoid a compile warning on FreeBSD.
    - Remove string size limit on NEWDESC messages; solve bug 291.
    - Correct the RunAsDaemon entry in the man page; ignore RunAsDaemon more thoroughly when we're running on windows.

Changes in version 0.1.1.19-rc - 2006-05-03
  o Minor bugs:
    - Regenerate our local descriptor if it's dirty and we try to use it locally (e.g. if it changes during reachability detection).
    - If we setconf our ORPort to 0, we continued to listen on the old ORPort and receive connections.
    - Avoid a second warning about machine/limits.h on Debian GNU/kFreeBSD.
    - Be willing to add our own routerinfo into the routerlist. Now authorities will include themselves in their directories and network-statuses.
    - Stop trying to upload rendezvous descriptors to every directory authority: only try the v1 authorities.
    - Servers no longer complain when they think they're not registered with the directory authorities. There were too many false positives.
    - Backport dist-rpm changes so rpms can be built without errors.
  o Features:
    - Implement an option, VirtualAddrMask, to set which addresses get handed out in response to mapaddress requests. This works around a bug in tsocks where 127.0.0.0/8 is never socksified.

Changes in version 0.1.1.18-rc - 2006-04-10
  o Major fixes:
    - Work harder to download live network-statuses from all the directory authorities we know about. Improve the threshold decision logic so we're more robust to edge cases.
    - When fetching rendezvous descriptors, we were willing to ask v2 authorities too, which would always return 404.
  o Minor fixes:
    - Stop listing down or invalid nodes in the v1 directory. This will reduce its bulk by about 1/3, and reduce load on directory mirrors.
    - When deciding whether a router is Fast or Guard-worthy, consider his advertised BandwidthRate and not just the BandwidthCapacity.
    - No longer ship INSTALL and README files -- they are useless now.
    - Force rpmbuild to behave and honor target_cpu.
    - Avoid warnings about machine/limits.h on Debian GNU/kFreeBSD.
    - Start to include translated versions of the tor-doc-*.html files, along with the screenshots. Still needs more work.
    - Start sending back 512 and 451 errors if mapaddress fails, rather than not sending anything back at all.
    - When we fail to bind or listen on an incoming or outgoing socket, we should close it before failing. Otherwise we just leak it. (Thanks to weasel for finding.)
    - Allow "getinfo dir/status/foo" to work, as long as your DirPort is enabled. (This is a hack, and will be fixed in 0.1.2.x.)
    - Make NoPublish (even though deprecated) work again.
    - Fix a minor security flaw where a versioning auth dirserver could list a recommended version many times in a row to make clients more convinced that it's recommended.
    - Fix crash bug if there are two unregistered servers running with the same nickname, one of them is down, and you ask for them by nickname in your EntryNodes or ExitNodes. Also, try to pick the one that's running rather than an arbitrary one.
    - Fix an infinite loop we could hit if we go offline for too long.
    - Complain when we hit WSAENOBUFS on recv() or write() too. Perhaps this will help us hunt the bug.
    - If you're not a versioning dirserver, don't put the string "client-versions \nserver-versions \n" in your network-status.
    - Lower the minimum required number of file descriptors to 1000, so we can have some overhead for Valgrind on Linux, where the default ulimit -n is 1024.
  o New features:
    - Add tor.dizum.com as the fifth authoritative directory server.
    - Add a new config option FetchUselessDescriptors, off by default, for when you plan to run "exitlist" on your client and you want to know about even the non-running descriptors.

Changes in version 0.1.1.17-rc - 2006-03-28
  o Major fixes:
    - Clients and servers since 0.1.1.10-alpha have been expiring connections whenever they are idle for 5 minutes and they *do* have circuits on them. Oops. With this new version, clients will discard their previous entry guard choices and avoid choosing entry guards running these flawed versions.
    - Fix memory leak when uncompressing concatenated zlib streams. This was causing substantial leaks over time on Tor servers.
    - The v1 directory was including servers as much as 48 hours old, because that's how the new routerlist->routers works. Now only include them if they're 20 hours old or less.
  o Minor fixes:
    - Resume building on irix64, netbsd 2.0, etc.
    - On non-gcc compilers (e.g. solaris), use "-g -O" instead of "-Wall -g -O2".
    - Stop writing the "router.desc" file, ever.
      Nothing uses it anymore, and it is confusing some users.
    - Mirrors stop caching the v1 directory so often.
    - Make the max number of old descriptors that a cache will hold rise with the number of directory authorities, so we can scale.
    - Change our win32 uname() hack to be more forgiving about what win32 versions it thinks it's found.
  o New features:
    - Add lefkada.eecs.harvard.edu as a fourth authoritative directory server.
    - When the controller's *setconf commands fail, collect an error message in a string and hand it back to the controller.
    - Make the v2 dir's "Fast" flag based on relative capacity, just like "Stable" is based on median uptime. Name everything in the top 7/8 Fast, and only the top 1/2 gets to be a Guard.
    - Log server fingerprint on startup, so new server operators don't have to go hunting around their filesystem for it.
    - Return a robots.txt on our dirport to discourage google indexing.
    - Let the controller ask for GETINFO dir/status/foo so it can ask directly rather than connecting to the dir port. Only works when dirport is set for now.
  o New config options rather than constants in the code:
    - SocksTimeout: How long do we let a socks connection wait unattached before we fail it?
    - CircuitBuildTimeout: Cull non-open circuits that were born at least this many seconds ago.
    - CircuitIdleTimeout: Cull open clean circuits that were born at least this many seconds ago.

Changes in version 0.1.1.16-rc - 2006-03-18
  o Bugfixes on 0.1.1.15-rc:
    - Fix assert when the controller asks to attachstream a connect-wait or resolve-wait stream.
    - Now do address rewriting when the controller asks us to attach to a particular circuit too. This will let Blossom specify "moria2.exit" without having to learn what moria2's IP address is.
    - Make the "tor --verify-config" command-line work again, so people can automatically check if their torrc will parse.
    - Authoritative dirservers no longer require an open connection from a server to consider him "reachable".
      We need this change because when we add new auth dirservers, old servers won't know not to hang up on them.
    - Let Tor build on Sun CC again.
    - Fix an off-by-one buffer size in dirserv.c that magically never hit our three authorities but broke sjmurdoch's own tor network.
    - If we as a directory mirror don't know of any v1 directory authorities, then don't try to cache any v1 directories.
    - Stop warning about unknown servers in our family when they are given as hex digests.
    - Stop complaining as quickly to the server operator that he hasn't registered his nickname/key binding.
    - Various cleanups so we can add new V2 Auth Dirservers.
    - Change "AllowUnverifiedNodes" to "AllowInvalidNodes", to reflect the updated flags in our v2 dir protocol.
    - Resume allowing non-printable characters for exit streams (both for connecting and for resolving). Now we tolerate applications that don't follow the RFCs. But continue to block malformed names at the socks side.
  o Bugfixes on 0.1.0.x:
    - Fix assert bug in close_logs(): when we close and delete logs, remove them all from the global "logfiles" list.
    - Fix minor integer overflow in calculating when we expect to use up our bandwidth allocation before hibernating.
    - Fix a couple of bugs in OpenSSL detection. Also, deal better when there are multiple SSLs installed with different versions.
    - When we try to be a server and Address is not explicitly set and our hostname resolves to a private IP address, try to use an interface address if it has a public address. Now Windows machines that think of themselves as localhost can work by default.
  o New features:
    - Let the controller ask for GETINFO dir/server/foo so it can ask directly rather than connecting to the dir port.
    - Let the controller tell us about certain router descriptors that it doesn't want Tor to use in circuits. Implement SETROUTERPURPOSE and modify +POSTDESCRIPTOR to do this.
    - New config option SafeSocks to reject all application connections using unsafe socks protocols.
      Defaults to off.

Changes in version 0.1.1.15-rc - 2006-03-11
  o Bugfixes and cleanups:
    - When we're printing strings from the network, don't try to print non-printable characters. This protects us against shell escape sequence exploits, and also against attacks to fool humans into misreading their logs.
    - Fix a bug where Tor would fail to establish any connections if you left it off for 24 hours and then started it: we were happy with the obsolete network statuses, but they all referred to router descriptors that were too old to fetch, so we ended up with no valid router descriptors.
    - Fix a seg fault in the controller's "getinfo orconn-status" command while listing status on incoming handshaking connections. Introduce a status name "NEW" for these connections.
    - If we get a linelist or linelist_s config option from the torrc (e.g. ExitPolicy) and it has no value, warn and skip rather than silently resetting it to its default.
    - Don't abandon entry guards until they've been down or gone for a whole month.
    - Cleaner and quieter log messages.
  o New features:
    - New controller signal NEWNYM that makes new application requests use clean circuits.
    - Add a new circuit purpose 'controller' to let the controller ask for a circuit that Tor won't try to use. Extend the EXTENDCIRCUIT controller command to let you specify the purpose if you're starting a new circuit. Add a new SETCIRCUITPURPOSE controller command to let you change a circuit's purpose after it's been created.
    - Accept "private:*" in routerdesc exit policies; not generated yet because older Tors do not understand it.
    - Add BSD-style contributed startup script "rc.subr" from Peter Thoenen.

Changes in version 0.1.1.14-alpha - 2006-02-20
  o Bugfixes on 0.1.1.x:
    - Don't die if we ask for a stdout or stderr log (even implicitly) and we're set to RunAsDaemon -- just warn.
    - We still had a few bugs in the OR connection rotation code that caused directory servers to slowly aggregate connections to other fast Tor servers.
      This time for sure!
    - Make log entries on Win32 include the name of the function again.
    - We were treating a pair of exit policies as if they were equal even if one said accept and the other said reject -- causing us to not always publish a new descriptor since we thought nothing had changed.
    - Retry pending server downloads as well as pending networkstatus downloads when we unexpectedly get a socks request.
    - We were ignoring the IS_FAST flag in the directory status, meaning we were willing to pick trivial-bandwidth nodes for "fast" connections.
    - If the controller's SAVECONF command fails (e.g. due to file permissions), let the controller know that it failed.
  o Features:
    - If we're trying to be a Tor server and running Windows 95/98/ME as a server, explain that we'll likely crash.
    - When we're a server, a client asks for an old-style directory, and our write bucket is empty, don't give it to him. This way small servers can continue to serve the directory *sometimes*, without getting overloaded.
    - Compress exit policies even more -- look for duplicate lines and remove them.
    - Clients now honor the "guard" flag in the router status when picking entry guards, rather than looking at is_fast or is_stable.
    - Retain unrecognized lines in $DATADIR/state file, so that we can be forward-compatible.
    - Generate 18.0.0.0/8 address policy format in descs when we can; warn when the mask is not reducible to a bit-prefix.
    - Let the user set ControlListenAddress in the torrc. This can be dangerous, but there are some cases (like a secured LAN) where it makes sense.
    - Split ReachableAddresses into ReachableDirAddresses and ReachableORAddresses, so we can restrict Dir conns to port 80 and OR conns to port 443.
    - Now we can target arch and OS in rpm builds (contributed by Phobos). Also make the resulting dist-rpm filename match the target arch.
    - New config options to help controllers: FetchServerDescriptors and FetchHidServDescriptors for whether to fetch server info and hidserv info or let the controller do it, and PublishServerDescriptor and PublishHidServDescriptors.
    - Also let the controller set the __AllDirActionsPrivate config option if you want all directory fetches/publishes to happen via Tor (it assumes your controller bootstraps your circuits).

Changes in version 0.1.0.17 - 2006-02-17
  o Crash bugfixes on 0.1.0.x:
    - When servers with a non-zero DirPort came out of hibernation, sometimes they would trigger an assert.
  o Other important bugfixes:
    - On platforms that don't have getrlimit (like Windows), we were artificially constraining ourselves to a max of 1024 connections. Now just assume that we can handle as many as 15000 connections. Hopefully this won't cause other problems.
  o Backported features:
    - When we're a server, a client asks for an old-style directory, and our write bucket is empty, don't give it to him. This way small servers can continue to serve the directory *sometimes*, without getting overloaded.
    - Whenever you get a 503 in response to a directory fetch, try once more. This will become important once servers start sending 503's whenever they feel busy.
    - Fetch a new directory every 120 minutes, not every 40 minutes. Now that we have hundreds of thousands of users running the old directory algorithm, it's starting to hurt a lot.
    - Bump up the period for forcing a hidden service descriptor upload from 20 minutes to 1 hour.

Changes in version 0.1.1.13-alpha - 2006-02-09
  o Crashes in 0.1.1.x:
    - When you tried to setconf ORPort via the controller, Tor would crash. So people using TorCP to become a server were sad.
    - Solve (I hope) the stack-smashing bug that we were seeing on fast servers. The problem appears to be something to do with OpenSSL's random number generation, or how we call it, or something. Let me know if the crashes continue.
    - Turn crypto hardware acceleration off by default, until we find somebody smart who can test it for us. (It appears to produce seg faults in at least some cases.)
    - Fix a rare assert error when we've tried all intro points for a hidden service and we try fetching the service descriptor again: "Assertion conn->state != AP_CONN_STATE_RENDDESC_WAIT failed"
  o Major fixes:
    - Fix a major load balance bug: we were round-robining in 16 KB chunks, and servers with bandwidthrate of 20 KB, while downloading a 600 KB directory, would starve their other connections. Now we try to be a bit more fair.
    - Dir authorities and mirrors were never expiring the newest descriptor for each server, causing memory and directory bloat.
    - Fix memory-bloating and connection-bloating bug on servers: We were never closing any connection that had ever had a circuit on it, because we were checking conn->n_circuits == 0, yet we had a bug that let it go negative.
    - Make Tor work using squid as your http proxy again -- squid returns an error if you ask for a URL that's too long, and it uses a really generic error message. Plus, many people are behind a transparent squid so they don't even realize it.
    - On platforms that don't have getrlimit (like Windows), we were artificially constraining ourselves to a max of 1024 connections. Now just assume that we can handle as many as 15000 connections. Hopefully this won't cause other problems.
    - Add a new config option ExitPolicyRejectPrivate which defaults to 1. This means all exit policies will begin with rejecting private addresses, unless the server operator explicitly turns it off.
  o Major features:
    - Clients no longer download descriptors for non-running servers.
    - Before we add new directory authorities, we should make it clear that only v1 authorities should receive/publish hidden service descriptors.
  o Minor features:
    - As soon as we've fetched some more directory info, immediately try to download more server descriptors.
      This way we don't have a 10 second pause during initial bootstrapping.
    - Remove even more loud log messages that the server operator can't do anything about.
    - When we're running an obsolete or un-recommended version, make the log message more clear about what the problem is and what versions *are* still recommended.
    - Provide a more useful warn message when our onion queue gets full: the CPU is too slow or the exit policy is too liberal.
    - Don't warn when we receive a 503 from a dirserver/cache -- this will pave the way for them being able to refuse if they're busy.
    - When we fail to bind a listener, try to provide a more useful log message: e.g., "Is Tor already running?"
    - Adjust tor-spec to parameterize cell and key lengths. Now Ian Goldberg can prove things about our handshake protocol more easily.
    - MaxConn has been obsolete for a while now. Document the ConnLimit config option, which is a *minimum* number of file descriptors that must be available else Tor refuses to start.
    - Apply Matt Ghali's --with-syslog-facility patch to ./configure if you log to syslog and want something other than LOG_DAEMON.
    - Make dirservers generate a separate "guard" flag to mean, "would make a good entry guard". Make clients parse it and vote on it. Not used by clients yet.
    - Implement --with-libevent-dir option to ./configure. Also, improve search techniques to find libevent, and use those for openssl too.
    - Bump the default bandwidthrate to 3 MB, and burst to 6 MB.
    - Only start testing reachability once we've established a circuit. This will make startup on dirservers less noisy.
    - Don't try to upload hidden service descriptors until we have established a circuit.
    - Fix the controller's "attachstream 0" command to treat conn like it just connected, doing address remapping, handling .exit and .onion idioms, and so on. Now we're more uniform in making sure that the controller hears about new and closing connections.
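The 0.1.1.17-rc entry above sets Fast at the top 7/8 by bandwidth and Guard at the top 1/2, with Stable tied to median uptime, and the 0.1.1.18-rc entry says to rank on the advertised BandwidthRate rather than only the BandwidthCapacity. As an added example (not Tor's own directory-authority code), the following applies those rules to a constructed set of routers; the struct and field names, MAX_ROUTERS, and the choice of min(rate, capacity) as the ranking bandwidth are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_ROUTERS 64
enum { FAST = 1, GUARD = 2, STABLE = 4 };

typedef struct {
  const char *nickname;
  int running;          /* currently reachable according to the authority */
  int valid;            /* nickname/key binding is registered */
  unsigned bw_rate;     /* advertised BandwidthRate, bytes/s */
  unsigned bw_capacity; /* observed BandwidthCapacity, bytes/s */
  unsigned uptime_sec;  /* uptime reported in the descriptor */
  int flags;            /* FAST | GUARD | STABLE, filled in by assign_flags */
} router_t;

/* Bandwidth used for ranking: the advertised rate caps the observed capacity
 * (assumed reading of "consider BandwidthRate and not just BandwidthCapacity"). */
static unsigned rank_bw(const router_t *r) {
  return r->bw_rate < r->bw_capacity ? r->bw_rate : r->bw_capacity;
}

static int cmp_unsigned(const void *a, const void *b) {
  unsigned x = *(const unsigned *)a, y = *(const unsigned *)b;
  return (x > y) - (x < y);
}

/* FAST = top 7/8 by bandwidth, GUARD = top 1/2 by bandwidth, STABLE = uptime at
 * or above the median, all measured over running, valid routers only; down or
 * invalid routers get no flags.  Returns the number ranked, or -1 if too many. */
int assign_flags(router_t *rs, size_t n) {
  unsigned bws[MAX_ROUTERS], ups[MAX_ROUTERS];
  size_t i, m = 0;
  if (n > MAX_ROUTERS) return -1;
  for (i = 0; i < n; i++) {
    rs[i].flags = 0;
    if (rs[i].running && rs[i].valid) {
      bws[m] = rank_bw(&rs[i]);
      ups[m++] = rs[i].uptime_sec;
    }
  }
  if (m == 0) return 0;
  qsort(bws, m, sizeof bws[0], cmp_unsigned);
  qsort(ups, m, sizeof ups[0], cmp_unsigned);
  /* Cutoffs read off the sorted arrays: the 1/8 quantile for FAST, the (upper)
   * median for GUARD and for STABLE. */
  unsigned fast_cut = bws[m / 8], guard_cut = bws[m / 2], stable_cut = ups[m / 2];
  for (i = 0; i < n; i++) {
    if (!rs[i].running || !rs[i].valid) continue;
    if (rank_bw(&rs[i]) >= fast_cut) rs[i].flags |= FAST;
    if (rank_bw(&rs[i]) >= guard_cut) rs[i].flags |= GUARD;
    if (rs[i].uptime_sec >= stable_cut) rs[i].flags |= STABLE;
  }
  return (int)m;
}

/* Constructed sample (not real relays): eight running valid routers and one
 * that is down.  r5 advertises a low rate despite a high measured capacity. */
#define DAY 86400u
static const router_t sample[] = {
  {"r1", 1, 1,  20000,  50000, 100*DAY, 0}, {"r2", 1, 1, 500000, 400000,   2*DAY, 0},
  {"r3", 1, 1, 100000, 120000,  40*DAY, 0}, {"r4", 1, 1,  30000,  30000,  10*DAY, 0},
  {"r5", 1, 1,   5000,  80000,  60*DAY, 0}, {"r6", 1, 1, 250000, 300000,   5*DAY, 0},
  {"r7", 1, 1,  60000,  70000,  20*DAY, 0}, {"r8", 1, 1,  15000,  15000,   1*DAY, 0},
  {"r9", 0, 1, 999999, 999999, 365*DAY, 0},
};
#define NSAMPLE (sizeof sample / sizeof sample[0])

/* Flags of the named sample router after assignment, or -1 if unknown. */
int sample_flags(const char *nick) {
  router_t rs[NSAMPLE];
  memcpy(rs, sample, sizeof sample);
  assign_flags(rs, NSAMPLE);
  for (size_t i = 0; i < NSAMPLE; i++)
    if (strcmp(rs[i].nickname, nick) == 0) return rs[i].flags;
  return -1;
}
```

With this sample the cutoffs land at 15000 bytes/s for Fast, 60000 bytes/s for Guard and 20 days for Stable, so r5 is Stable but neither Fast nor Guard because its advertised rate, not its capacity, is what counts.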
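The 0.1.1.15-rc entry above stops printing non-printable bytes from network-supplied strings so that they can neither drive the operator's terminal nor forge log lines. As an added illustration of that hardening (not Tor's own escaping routine), the following renders such a string with every control byte, DEL and non-ASCII byte turned into a visible escape; the function names and the constructed hostile nickname are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Write a double-quoted, escaped rendering of `in` into `out`.  Printable
 * ASCII other than backslash and double quote is copied unchanged; \n, \r,
 * \t, backslash and quote get their C escapes; every other byte (control
 * characters such as ESC, DEL, and bytes >= 0x80) becomes \xHH.  The log
 * line therefore never carries a raw terminal control sequence or an
 * embedded newline that could start a fake second log entry.  Returns the
 * length written (without the NUL), or -1 if `outlen` is too small. */
int escape_for_log(const char *in, char *out, size_t outlen) {
  size_t o = 0;
#define PUT(c) do { if (o + 1 >= outlen) return -1; out[o++] = (char)(c); } while (0)
  PUT('"');
  for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
    switch (*p) {
      case '\\': PUT('\\'); PUT('\\'); break;
      case '"':  PUT('\\'); PUT('"');  break;
      case '\n': PUT('\\'); PUT('n');  break;
      case '\r': PUT('\\'); PUT('r');  break;
      case '\t': PUT('\\'); PUT('t');  break;
      default:
        if (*p >= 0x20 && *p < 0x7f) { PUT(*p); break; }
        {
          char hex[5];
          snprintf(hex, sizeof hex, "\\x%02x", *p);
          for (int i = 0; hex[i]; i++) PUT(hex[i]);
        }
    }
  }
  PUT('"');
#undef PUT
  out[o] = '\0';
  return (int)o;
}

/* Convenience wrapper over a static scratch buffer (not thread-safe);
 * returns "<too long>" if the escaped form does not fit. */
const char *escape_static(const char *in) {
  static char buf[256];
  return escape_for_log(in, buf, sizeof buf) < 0 ? "<too long>" : buf;
}

/* Escape into a scratch buffer treated as having only `limit` bytes, to
 * exercise the truncation path; returns escape_for_log's result. */
int escape_len_limited(const char *in, size_t limit) {
  char buf[256];
  return escape_for_log(in, buf, limit < sizeof buf ? limit : sizeof buf);
}

int main(void) {
  /* Constructed hostile nickname: an ANSI clear-screen sequence followed by
   * a newline that would otherwise begin a fake "[notice]" log line. */
  const char *nick = "\x1b[2Jbob\n[notice] all good";
  printf("raw length %zu -> %s\n", strlen(nick), escape_static(nick));
  return 0;
}
```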
Changes in version 0.1.1.12-alpha - 2006-01-11
  o Bugfixes on 0.1.1.x:
    - The fix to close duplicate server connections was closing all Tor client connections if they didn't establish a circuit quickly enough. Oops.
    - Fix minor memory issue (double-free) that happened on exit.
  o Bugfixes on 0.1.0.x:
    - Tor didn't warn when it failed to open a log file.

Changes in version 0.1.1.11-alpha - 2006-01-10
  o Crashes in 0.1.1.x:
    - Include all the assert/crash fixes from 0.1.0.16.
    - If you start Tor and then quit very quickly, there were some races that tried to free things that weren't allocated yet.
    - Fix a rare memory stomp if you're running hidden services.
    - Fix segfault when specifying DirServer in config without nickname.
    - Fix a seg fault when you finish connecting to a server but at that moment you dump his server descriptor.
    - Extendcircuit and Attachstream controller commands would assert/crash if you don't give them enough arguments.
    - Fix an assert error when we're out of space in the connection_list and we try to post a hidden service descriptor (reported by weasel).
    - If you specify a relative torrc path and you set RunAsDaemon in your torrc, then it chdir()'s to the new directory. If you HUP, it tries to load the new torrc location, fails, and exits. The fix: no longer allow a relative path to torrc using -f.
  o Major features:
    - Implement "entry guards": automatically choose a handful of entry nodes and stick with them for all circuits. Only pick new guards when the ones you have are unsuitable, and if the old guards become suitable again, switch back. This will increase security dramatically against certain end-point attacks. The EntryNodes config option now provides some hints about which entry guards you want to use most; and StrictEntryNodes means to only use those.
    - New directory logic: download by descriptor digest, not by fingerprint. Caches try to download all listed digests from authorities; clients try to download "best" digests from caches.
      This avoids partitioning and isolating attacks better.
    - Make the "stable" router flag in network-status be the median of the uptimes of running valid servers, and make clients pay attention to the network-status flags. Thus the cutoff adapts to the stability of the network as a whole, making IRC, IM, etc. connections more reliable.
  o Major fixes:
    - Tor servers with dynamic IP addresses were needing to wait 18 hours before they could start doing reachability testing using the new IP address and ports. This is because they were using the internal descriptor to learn what to test, yet they were only rebuilding the descriptor once they decided they were reachable.
    - Tor 0.1.1.9 and 0.1.1.10 had a serious bug that caused clients to download certain server descriptors, throw them away, and then fetch them again after 30 minutes. Now mirrors throw away these server descriptors so clients can't get them.
    - We were leaving duplicate connections to other ORs open for a week, rather than closing them once we detect a duplicate. This only really affected authdirservers, but it affected them a lot.
    - Spread the authdirservers' reachability testing over the entire testing interval, so we don't try to do 500 TLS's at once every 20 minutes.
  o Minor fixes:
    - If the network is down, and we try to connect to a conn because we have a circuit in mind, and we timeout (30 seconds) because the network never answers, we were expiring the circuit, but we weren't obsoleting the connection or telling the entry_guards functions.
    - Some Tor servers process billions of cells per day. These statistics