tor-announce

Download

tor-announce@lists.torproject.org

March 2013

1 participants
1 discussions

Tor 0.2.3.25 is released
by Roger Dingledine 01 Mar '13

01 Mar '13

The Tor 0.2.3 release series is dedicated to the memory of Len "rabbi" Sassaman (1980-2011), a long-time cypherpunk, anonymity researcher, Mixmaster maintainer, Pynchon Gate co-designer, CodeCon organizer, programmer, and friend. Unstinting in his dedication to the cause of freedom, he inspired and helped many of us as we began our work on anonymity, and inspires us still. Please honor his memory by writing software to protect people's freedoms, and by helping others to do so. Tor 0.2.3.25, the first stable release in the 0.2.3 branch, features significantly reduced directory overhead (via microdescriptors), enormous crypto performance improvements for fast relays on new enough hardware, a new v3 TLS handshake protocol that can better resist fingerprinting, support for protocol obfuscation plugins (aka pluggable transports), better scalability for hidden services, IPv6 support for bridges, performance improvements like allowing clients to skip the first round-trip on the circuit ("optimistic data") and refilling token buckets more often, a new "stream isolation" design to isolate different applications on different circuits, and many stability, security, and privacy fixes. (I apologize for the delay in announcing the release to this list: I was waiting for the Tor Browser Bundles with it to stabilize a bit, but with the new integration to Firefox 17, it's become clear that TBB will be in flux a while more.) https://www.torproject.org/download/download Changes in version 0.2.3.25 - 2012-11-19 Major features (v3 directory protocol): - Clients now use microdescriptors instead of regular descriptors to build circuits. Microdescriptors are authority-generated summaries of regular descriptors' contents, designed to change very rarely (see proposal 158 for details). This feature is designed to save bandwidth, especially for clients on slow internet connections. Use "UseMicrodescriptors 0" to disable it. - Caches now download, cache, and serve microdescriptors, as well as multiple "flavors" of the consensus, including a flavor that describes microdescriptors. o Major features (build hardening): - Enable gcc and ld hardening by default. Resolves ticket 5210. o Major features (relay scaling): - When built to use OpenSSL 1.0.1, and built for an x86 or x86_64 instruction set, take advantage of OpenSSL's AESNI, bitsliced, or vectorized AES implementations as appropriate. These can be much, much faster than other AES implementations. - When using OpenSSL 1.0.0 or later, use OpenSSL's counter mode implementation. It makes AES_CTR about 7% faster than our old one (which was about 10% faster than the one OpenSSL used to provide). Resolves ticket 4526. - Use OpenSSL's EVP interface for AES encryption, so that all AES operations can use hardware acceleration (if present). Resolves ticket 4442. - Unconditionally use OpenSSL's AES implementation instead of our old built-in one. OpenSSL's AES has been better for a while, and relatively few servers should still be on any version of OpenSSL that doesn't have good optimized assembly AES. o Major features (blocking resistance): - Update TLS cipher list to match Firefox 8 and later. Resolves ticket 4744. - Remove support for clients falsely claiming to support standard ciphersuites that they can actually provide. As of modern OpenSSL versions, it's not necessary to fake any standard ciphersuite, and doing so prevents us from using better ciphersuites in the future, since servers can't know whether an advertised ciphersuite is really supported or not. Some hosts -- notably, ones with very old versions of OpenSSL or where OpenSSL has been built with ECC disabled -- will stand out because of this change; TBB users should not be affected. Implements the client side of proposal 198. - Implement a new handshake protocol (v3) for authenticating Tors to each other over TLS. It should be more resistant to fingerprinting than previous protocols, and should require less TLS hacking for future Tor implementations. Implements proposal 176. - Allow variable-length padding cells, to disguise the length of Tor's TLS records. Implements part of proposal 184. - While we're trying to bootstrap, record how many TLS connections fail in each state, and report which states saw the most failures in response to any bootstrap failures. This feature may speed up diagnosis of censorship events. Implements ticket 3116. o Major features (pluggable transports): - Clients and bridges can now be configured to use a separate "transport" proxy. This approach makes the censorship arms race easier by allowing bridges to use protocol obfuscation plugins. Implements proposal 180 (tickets 2841 and 3472). o Major features (DoS resistance): - Now that Tor 0.2.0.x is completely deprecated, enable the final part of "Proposal 110: Avoiding infinite length circuits" by refusing all circuit-extend requests that do not use a relay_early cell. This change helps Tor resist a class of denial-of-service attacks by limiting the maximum circuit length. - Tear down the circuit if we get an unexpected SENDME cell. Clients could use this trick to make their circuits receive cells faster than our flow control would have allowed, or to gum up the network, or possibly to do targeted memory denial-of-service attacks on entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor -- from July 2002, before the release of Tor 0.0.0. o Major features (hidden services): - Adjust the number of introduction points that a hidden service will try to maintain based on how long its introduction points remain in use and how many introductions they handle. Fixes part of bug 3825. - Add a "tor2web mode" for clients that want to connect to hidden services non-anonymously (and possibly more quickly). As a safety measure to try to keep users from turning this on without knowing what they are doing, tor2web mode must be explicitly enabled at compile time, and a copy of Tor compiled to run in tor2web mode cannot be used as a normal Tor client. Implements feature 2553. o Major features (IPv6): - Clients can now connect to private bridges over IPv6. Bridges still need at least one IPv4 address in order to connect to other relays. Note that we don't yet handle the case where the user has two bridge lines for the same bridge (one IPv4, one IPv6). Implements parts of proposal 186. o Major features (directory authorities): - Use a more secure consensus parameter voting algorithm. Now at least three directory authorities or a majority of them must vote on a given parameter before it will be included in the consensus. Implements proposal 178. - Remove the artificially low cutoff of 20KB to guarantee the Fast flag. In the past few years the average relay speed has picked up, and while the "top 7/8 of the network get the Fast flag" and "all relays with 20KB or more of capacity get the Fast flag" rules used to have the same result, now the top 7/8 of the network has a capacity more like 32KB. Bugfix on 0.2.1.14-rc. Fixes bug 4489. o Major features (performance): - Exit nodes now accept and queue data on not-yet-connected streams. Previously, the client wasn't allowed to send data until the stream was connected, which slowed down all connections. This change will enable clients to perform a "fast-start" on streams and send data without having to wait for a confirmation that the stream has opened. Patch from Ian Goldberg; implements the server side of Proposal 174. - When using an exit relay running 0.2.3.x, clients can now "optimistically" send data before the exit relay reports that the stream has opened. This saves a round trip when starting connections where the client speaks first (such as web browsing). This behavior is controlled by a consensus parameter (currently disabled). To turn it on or off manually, use the "OptimisticData" torrc option. Implements proposal 181; code by Ian Goldberg. - Add a new TokenBucketRefillInterval option to refill token buckets more frequently than once per second. This should improve network performance, alleviate queueing problems, and make traffic less bursty. Implements proposal 183; closes ticket 3630. Design by Florian Tschorsch and BjÃ¶rn Scheuermann; implementation by Florian Tschorsch. - Raise the threshold of server descriptors needed (75%) and exit server descriptors needed (50%) before we will declare ourselves bootstrapped. This will make clients start building circuits a little later, but makes the initially constructed circuits less skewed and less in conflict with further directory fetches. Fixes ticket 3196. o Major features (relays): - Relays now try regenerating and uploading their descriptor more frequently if they are not listed in the consensus, or if the version of their descriptor listed in the consensus is too old. This fix should prevent situations where a server declines to re-publish itself because it has done so too recently, even though the authorities decided not to list its recent-enough descriptor. Fix for bug 3327. o Major features (stream isolation): - You can now configure Tor so that streams from different applications are isolated on different circuits, to prevent an attacker who sees your streams as they leave an exit node from linking your sessions to one another. To do this, choose some way to distinguish the applications: have them connect to different SocksPorts, or have one of them use SOCKS4 while the other uses SOCKS5, or have them pass different authentication strings to the SOCKS proxy. Then, use the new SocksPort syntax to configure the degree of isolation you need. This implements Proposal 171. - There's a new syntax for specifying multiple client ports (such as SOCKSPort, TransPort, DNSPort, NATDPort): you can now just declare multiple *Port entries with full addr:port syntax on each. The old *ListenAddress format is still supported, but you can't mix it with the new *Port syntax. o Major features (bufferevents): - Tor can now optionally build with the "bufferevents" buffered IO backend provided by Libevent 2. To use this feature, make sure you have the latest possible version of Libevent, and pass the --enable-bufferevents flag to configure when building Tor from source. This feature will make our networking code more flexible, let us stack layers on each other, and let us use more efficient zero-copy transports where available. - Add experimental support for running on Windows with IOCP and no kernel-space socket buffers. This feature is controlled by a new "UserspaceIOCPBuffers" config option (off by default), which has no effect unless Tor has been built with bufferevents enabled, you're running on Windows, and you've set "DisableIOCP 0". In the long run, this may help solve or mitigate bug 98. o Major features (path selection): - The EntryNodes option can now include country codes like {de} or IP addresses or network masks. Previously we had disallowed these options because we didn't have an efficient way to keep the list up to date. Addresses ticket 1982, but see bug 2798 for an unresolved issue here. o Major features (port forwarding): - Add support for automatic port mapping on the many home routers that support NAT-PMP or UPnP. To build the support code, you'll need to have the libnatpnp library and/or the libminiupnpc library, and you'll need to enable the feature specifically by passing "--enable-upnp" and/or "--enable-natpnp" to ./configure. To turn it on, use the new PortForwarding option. o Major features (logging): - Add a new 'Heartbeat' log message type to periodically log a message describing Tor's status at level Notice. This feature is meant for operators who log at notice, and want to make sure that their Tor server is still working. Implementation by George Kadianakis. - Make logging resolution configurable with a new LogTimeGranularity option, and change the default from 1 millisecond to 1 second. Implements enhancement 1668. o Major features (other): - New "DisableNetwork" config option to prevent Tor from launching any connections or accepting any connections except on a control port. Bundles and controllers can set this option before letting Tor talk to the rest of the network, for example to prevent any connections to a non-bridge address. Packages like Orbot can also use this option to instruct Tor to save power when the network is off. - Try to use system facilities for enumerating local interface addresses, before falling back to our old approach (which was binding a UDP socket, and calling getsockname() on it). That approach was scaring OS X users whose draconian firewall software warned about binding to UDP sockets regardless of whether packets were sent. Now we try to use getifaddrs(), SIOCGIFCONF, or GetAdaptersAddresses(), depending on what the system supports. Resolves ticket 1827. - Add experimental support for a "defaults" torrc file to be parsed before the regular torrc. Torrc options override the defaults file's options in the same way that the command line overrides the torrc. The SAVECONF controller command saves only those options which differ between the current configuration and the defaults file. HUP reloads both files. Implements task 4552. o New directory authorities: - Add Faravahar (run by Sina Rabbani) as the ninth v3 directory authority. Closes ticket 5749. o Security/privacy fixes: - Avoid read-from-freed-memory and double-free bugs that could occur when a DNS request fails while launching it. Fixes bug 6480; bugfix on 0.2.0.1-alpha. - Reject any attempt to extend to an internal address. Without this fix, a router could be used to probe addresses on an internal network to see whether they were accepting connections. Fixes bug 6710; bugfix on 0.0.8pre1. - Close any connection that sends unrecognized junk before the TLS handshake. Solves an issue noted in bug 4369. - The advertised platform of a relay now includes only its operating system's name (e.g., "Linux", "Darwin", "Windows 7"), and not its service pack level (for Windows) or its CPU architecture (for Unix). Also drop the "git-XYZ" tag in the version. Packagers can insert an extra string in the platform line by setting the preprocessor variable TOR_BUILD_TAG. Resolves bug 2988. - Disable TLS session tickets. OpenSSL's implementation was giving our TLS session keys the lifetime of our TLS context objects, when perfect forward secrecy would want us to discard anything that could decrypt a link connection as soon as the link connection was closed. Fixes bug 7139; bugfix on all versions of Tor linked against OpenSSL 1.0.0 or later. Found by Florent DaigniÃ¨re. - Tor tries to wipe potentially sensitive data after using it, so that if some subsequent security failure exposes Tor's memory, the damage will be limited. But we had a bug where the compiler was eliminating these wipe operations when it decided that the memory was no longer visible to a (correctly running) program, hence defeating our attempt at defense in depth. We fix that by using OpenSSL's OPENSSL_cleanse() operation, which a compiler is unlikely to optimize away. Future versions of Tor may use a less ridiculously heavy approach for this. Fixes bug 7352. Reported in an article by Andrey Karpov. o Major bugfixes (crashes and asserts): - Avoid a pair of double-free and use-after-mark bugs that can occur with certain timings in canceled and re-received DNS requests. Fixes bug 6472; bugfix on 0.0.7rc1. - Fix a denial of service attack by which any directory authority could crash all the others, or by which a single v2 directory authority could crash everybody downloading v2 directory information. Fixes bug 7191; bugfix on 0.2.0.10-alpha. - Fix an assert that directory authorities could trigger on sighup during some configuration state transitions. We now don't treat it as a fatal error when the new descriptor we just generated in init_keys() isn't accepted. Fixes bug 4438; bugfix on 0.2.1.9-alpha. - Avoid segfault when starting up having run with an extremely old version of Tor and parsing its state file. Fixes bug 6801; bugfix on 0.2.2.23-alpha. o Major bugfixes (clients): - If we are unable to find any exit that supports our predicted ports, stop calling them predicted, so that we don't loop and build hopeless circuits indefinitely. Fixes bug 3296; bugfix on 0.0.9pre6, which introduced predicted ports. - Check at each new consensus whether our entry guards were picked long enough ago that we should rotate them. Previously, we only did this check at startup, which could lead to us holding a guard indefinitely. Fixes bug 5380; bugfix on 0.2.1.14-rc. - When fetching a bridge descriptor from a bridge authority, always do so anonymously, whether we have been able to open circuits or not. Partial fix for bug 1938; bugfix on 0.2.0.7-alpha. This behavior makes it *safer* to use UpdateBridgesFromAuthority, but we'll need to wait for bug 6010 before it's actually usable. o Major bugfixes (directory voting): - Check more thoroughly to prevent a rogue authority from double-voting on any consensus directory parameter. Previously, authorities would crash in this case if the total number of votes for any parameter exceeded the number of active voters, but would let it pass otherwise. Partially fixes bug 5786; bugfix on 0.2.2.2-alpha. - When computing weight parameters, behave more robustly in the presence of a bad bwweightscale value. Previously, the authorities would crash if they agreed on a sufficiently broken weight_scale value; now, they use a reasonable default and carry on. Fixes the rest of bug 5786; bugfix on 0.2.2.17-alpha. - If authorities are unable to get a v2 consensus document from other directory authorities, they no longer fall back to fetching them from regular directory caches. Fixes bug 5635; bugfix on 0.2.2.26-beta, where routers stopped downloading v2 consensus documents entirely. o Major bugfixes (relays): - Fix a bug handling SENDME cells on nonexistent streams that could result in bizarre window values. Report and patch contributed pseudonymously. Fixes part of bug 6271. This bug was introduced before the first Tor release, in svn commit r152. - Don't update the AccountingSoftLimitHitAt state file entry whenever tor gets started. This prevents a wrong average bandwidth estimate, which would cause relays to always start a new accounting interval at the earliest possible moment. Fixes bug 2003; bugfix on 0.2.2.7-alpha. Reported by Bryon Eldridge, who also helped immensely in tracking this bug down. - Fix a possible crash bug when checking for deactivated circuits in connection_or_flush_from_first_active_circuit(). Fixes bug 6341; bugfix on 0.2.2.7-alpha. Bug report and fix received pseudonymously. - Set the SO_REUSEADDR socket option before we call bind() on outgoing connections. This change should allow busy exit relays to stop running out of available sockets as quickly. Fixes bug 4950; bugfix on 0.2.2.26-beta. o Major bugfixes (blocking resistance): - Bridges no longer include their address in NETINFO cells on outgoing OR connections, to allow them to blend in better with clients. Removes another avenue for enumerating bridges. Reported by "troll_un". Fixes bug 4348; bugfix on 0.2.0.10-alpha, when NETINFO cells were introduced. - Warn the user when HTTPProxy, but no other proxy type, is configured. This can cause surprising behavior: it doesn't send all of Tor's traffic over the HTTPProxy -- it sends unencrypted directory traffic only. Resolves ticket 4663. o Major bugfixes (hidden services): - Improve hidden service robustness: when an attempt to connect to a hidden service ends, be willing to refetch its hidden service descriptors from each of the HSDir relays responsible for them immediately. Previously, we would not consider refetching the service's descriptors from each HSDir for 15 minutes after the last fetch, which was inconvenient if the hidden service was not running during the first attempt. Bugfix on 0.2.0.18-alpha; fixes bug 3335. - Hidden services now ignore the timestamps on INTRODUCE2 cells. They used to check that the timestamp was within 30 minutes of their system clock, so they could cap the size of their replay-detection cache, but that approach unnecessarily refused service to clients with wrong clocks. Bugfix on 0.2.1.6-alpha, when the v3 intro-point protocol (the first one which sent a timestamp field in the INTRODUCE2 cell) was introduced; fixes bug 3460. - When one of a hidden service's introduction points appears to be unreachable, stop trying it. Previously, we would keep trying to build circuits to the introduction point until we lost the descriptor, usually because the user gave up and restarted Tor. Fixes part of bug 3825. o Changes to default torrc file: - Stop listing "socksport 9050" in torrc.sample. We open a socks port on 9050 by default anyway, so this should not change anything in practice. - Stop mentioning the deprecated *ListenAddress options in torrc.sample. Fixes bug 5438. - Document unit of bandwidth-related options in sample torrc. Fixes bug 5621. - Fix broken URLs in the sample torrc file, and tell readers about the OutboundBindAddress, ExitPolicyRejectPrivate, and PublishServerDescriptor options. Addresses bug 4652. o Minor features (directory authorities): - Consider new, removed or changed IPv6 OR ports a non-cosmetic change when the authority is deciding whether to accept a newly uploaded descriptor. Implements ticket 6423. - Directory authorities are now a little more lenient at accepting older router descriptors, or newer router descriptors that don't make big changes. This should help ameliorate past and future issues where routers think they have uploaded valid descriptors, but the authorities don't think so. Fix for ticket 2479. - Authority operators can now vote for all relays in a given set of countries to be BadDir/BadExit/Invalid/Rejected. - Provide two consensus parameters (FastFlagMinThreshold and FastFlagMaxThreshold) to control the range of allowable bandwidths for the Fast directory flag. These allow authorities to run experiments on appropriate requirements for being a "Fast" node. The AuthDirFastGuarantee config value still applies. Implements ticket 3946. o Minor features (bridges / bridge authorities): - Make bridge SSL certificates a bit more stealthy by using random serial numbers, in the same fashion as OpenSSL when generating self-signed certificates. Implements ticket 4584. - Tag a bridge's descriptor as "never to be sent unencrypted". This shouldn't matter, since bridges don't open non-anonymous connections to the bridge authority and don't allow unencrypted directory connections from clients, but we might as well make sure. Closes bug 5139. - The Bridge Authority now writes statistics on how many bridge descriptors it gave out in total, and how many unique descriptors it gave out. It also lists how often the most and least commonly fetched descriptors were given out, as well as the median and 25th/75th percentile. Implements tickets 4200 and 4294. o Minor features (IPv6): - Make the code that clients use to detect an address change be IPv6-aware, so that it won't fill clients' logs with error messages when trying to get the IPv4 address of an IPv6 connection. Implements ticket 5537. - Relays now understand an IPv6 address when they get one from a directory server. Resolves ticket 4875. o Minor features (hidden services): - Expire old or over-used hidden service introduction points. Required by fix for bug 3460. - Reduce the lifetime of elements of hidden services' Diffie-Hellman public key replay-detection cache from 60 minutes to 5 minutes. This replay-detection cache is now used only to detect multiple INTRODUCE2 cells specifying the same rendezvous point, so we can avoid launching multiple simultaneous attempts to connect to it. - When a hidden service's introduction point times out, consider trying it again during the next attempt to connect to the HS. Previously, we would not try it again unless a newly fetched descriptor contained it. Required by fixes for bugs 1297 and 3825. o Minor features (relays): - Relays now include a reason for regenerating their descriptors in an HTTP header when uploading to the authorities. This will make it easier to debug descriptor-upload issues in the future. - Turn on directory request statistics by default and include them in extra-info descriptors. Don't break if we have no GeoIP database. - Replace files in stats/ rather than appending to them. Now that we include statistics in extra-info descriptors, it makes no sense to keep old statistics forever. Implements ticket 2930. - Relays that set "ConnDirectionStatistics 1" write statistics on the bidirectional use of connections to disk every 24 hours. - Add a GeoIP file digest to the extra-info descriptor. Implements ticket 1883. o Minor features (new config options): - New config option "DynamicDHGroups" (disabled by default) provides each bridge with a unique prime DH modulus to be used during SSL handshakes. This option attempts to help against censors who might use the Apache DH modulus as a static identifier for bridges. Addresses ticket 4548. - New config option "DisableDebuggerAttachment" (on by default) to prevent basic debugging attachment attempts by other processes. Supports Mac OS X and Gnu/Linux. Resolves ticket 3313. - Ordinarily, Tor does not count traffic from private addresses (like 127.0.0.1 or 10.0.0.1) when calculating rate limits or accounting. There is now a new option, CountPrivateBandwidth, to disable this behavior. Patch from Daniel Cagara. o Minor features (different behavior for old config options): - Allow MapAddress directives to specify matches against super-domains, as in "MapAddress *.torproject.org *.torproject.org.torserver.exit". Implements issue 933. - Don't disable the DirPort when we cannot exceed our AccountingMax limit during this interval because the effective bandwidthrate is low enough. This is useful in a situation where AccountMax is only used as an additional safeguard or to provide statistics. - Add port 6523 (Gobby) to LongLivedPorts. Patch by intrigeri; implements ticket 3439. - When configuring a large set of nodes in EntryNodes, and there are enough of them listed as Guard so that we don't need to consider the non-guard entries, prefer the ones listed with the Guard flag. - If you set the NumCPUs option to 0, Tor will now try to detect how many CPUs you have. This is the new default behavior. - The NodeFamily option -- which let you declare that you want to consider nodes to be part of a family whether they list themselves that way or not -- now allows IP address ranges and country codes. o Minor features (new command-line config behavior): - Slightly change behavior of "list" options (that is, config options that can appear more than once) when they appear both in torrc and on the command line. Previously, the command-line options would be appended to the ones from torrc. Now, the command-line options override the torrc options entirely. This new behavior allows the user to override list options (like exit policies and ports to listen on) from the command line, rather than simply appending to the list. - You can get the old (appending) command-line behavior for "list" options by prefixing the option name with a "+". - You can remove all the values for a "list" option from the command line without adding any new ones by prefixing the option name with a "/". o Minor features (controller, new events): - Extend the control protocol to report flags that control a circuit's path selection in CIRC events and in replies to 'GETINFO circuit-status'. Implements part of ticket 2411. - Extend the control protocol to report the hidden service address and current state of a hidden-service-related circuit in CIRC events and in replies to 'GETINFO circuit-status'. Implements part of ticket 2411. - Include the creation time of a circuit in CIRC and CIRC2 control-port events and the list produced by the 'GETINFO circuit-status' control-port command. - Add a new CONF_CHANGED event so that controllers can be notified of any configuration changes made by other controllers, or by the user. Implements ticket 1692. - Add a new SIGNAL event to the controller interface so that controllers can be notified when Tor handles a signal. Resolves issue 1955. Patch by John Brooks. o Minor features (controller, new getinfo options): - Expose our view of whether we have gone dormant to the controller, via a new "GETINFO dormant" value. Torbutton and other controllers can use this to avoid doing periodic requests through Tor while it's dormant (bug 4718). Resolves ticket 5954. - Add a new GETINFO option to get total bytes read and written. Patch from pipe, revised by atagar. Resolves ticket 2345. - Implement new GETINFO controller fields to provide information about the Tor process's pid, euid, username, and resource limits. o Minor features (controller, other): - Allow controllers to request an event notification whenever a circuit is cannibalized or its purpose is changed. Implements part of ticket 3457. - Use absolute path names when reporting the torrc filename in the control protocol, so a controller can more easily find the torrc file. Resolves bug 1101. - When reporting the path to the cookie file to the controller, give an absolute path. Resolves ticket 4881. o Minor features (log messages): - Add more information to a log statement that might help track down bug 4091. If you're seeing "Bug: tor_addr_is_internal() called with a non-IP address" messages (or any Bug messages, for that matter!), please let us know about it. - If EntryNodes are given, but UseEntryGuards is set to 0, warn that EntryNodes will have no effect. Resolves issue 2571. - Try to make the introductory warning message that Tor prints on startup more useful for actually finding help and information. Resolves ticket 2474. - When the system call to create a listener socket fails, log the error message explaining why. This may help diagnose bug 4027. o Minor features (other): - When we fail to initialize Libevent, retry with IOCP disabled so we don't need to turn on multi-threading support in Libevent, which in turn requires a working socketpair(). This is a workaround for bug 4457, which affects Libevent versions from 2.0.1-alpha through 2.0.15-stable. - When starting as root and then changing our UID via the User control option, and we have a ControlSocket configured, make sure that the ControlSocket is owned by the same account that Tor will run under. Implements ticket 3421; fix by JÃ©rÃ©my Bobbio. - Accept attempts to include a password authenticator in the handshake, as supported by SOCKS5. This handles SOCKS clients that don't know how to omit a password when authenticating. Resolves bug 1666. - Check for and recover from inconsistency in the microdescriptor cache. This will make it harder for us to accidentally free a microdescriptor without removing it from the appropriate data structures. Fixes issue 3135; issue noted by "wanoskarnet". - Shorten links in the tor-exit-notice file. Patch by Christian Kujau. o Minor bugfixes (code security): - Prevent a null-pointer dereference when receiving a data cell for a nonexistent stream when the circuit in question has an empty deliver window. We don't believe this is triggerable, since we don't currently allow deliver windows to become empty, but the logic is tricky enough that it's better to make the code robust. Fixes bug 5541; bugfix on 0.0.2pre14. - Fix a (harmless) integer overflow in cell statistics reported by some fast relays. Fixes bug 5849; bugfix on 0.2.2.1-alpha. - Fix our implementation of crypto_random_hostname() so it can't overflow on ridiculously large inputs. (No Tor version has ever provided this kind of bad inputs, but let's be correct in depth.) Fixes bug 4413; bugfix on 0.2.2.9-alpha. Fix by Stephen Palmateer. - Add a (probably redundant) memory clear between iterations of the router status voting loop, to prevent future coding errors where data might leak between iterations of the loop. Resolves ticket 6514. o Minor bugfixes (wrapper functions): - Abort if tor_vasprintf() fails in connection_printf_to_buf() (a utility function used in the control-port code). This shouldn't ever happen unless Tor is completely out of memory, but if it did happen and Tor somehow recovered from it, Tor could have sent a log message to a control port in the middle of a reply to a controller command. Fixes part of bug 3428; bugfix on 0.1.2.3-alpha. - Fix some (not actually triggerable) buffer size checks in usage of tor_inet_ntop(). Fixes bug 4434; bugfix on Tor 0.2.0.1-alpha. Patch by Anders Sundman. - Fix parsing of some corner-cases with tor_inet_pton(). Fixes bug 4515; bugfix on 0.2.0.1-alpha; fix by Anders Sundman. - Enforce correct return behavior of tor_vsscanf() when the '%%' pattern is used. Fixes bug 5558. Bugfix on 0.2.1.13. - Make our replacement implementation of strtok_r() compatible with the standard behavior of strtok_r(). Patch by nils. Fixes bug 5091; bugfix on 0.2.2.1-alpha. - Find more places in the code that should have been testing for invalid sockets using the SOCKET_OK macro. Required for a fix for bug 4533. Bugfix on 0.2.2.28-beta. o Minor bugfixes (code correctness): - Check return value of fputs() when writing authority certificate file. Fixes Coverity issue 709056; bugfix on 0.2.0.1-alpha. - When building Tor on Windows with -DUNICODE (not default), ensure that error messages, filenames, and DNS server names are always NUL-terminated when we convert them to a single-byte encoding. Fixes bug 5909; bugfix on 0.2.2.16-alpha. - Fix a memory leak when trying to launch a DNS request when the nameservers are unconfigurable. Fixes bug 5916; bugfix on Tor 0.1.2.1-alpha. - Correct file sizes when reading binary files on Cygwin, to avoid a bug where Tor would fail to read its state file. Fixes bug 6844; bugfix on 0.1.2.7-alpha. - Make sure to set *socket_error in all error cases in connection_connect(), so it can't produce a warning about errno being zero from errno_to_orconn_end_reason(). Bugfix on 0.2.1.1-alpha; resolves ticket 6028. - Initialize conn->addr to a valid state in spawn_cpuworker(). Fixes bug 4532; found by "troll_un". o Minor bugfixes (clients): - Allow one-hop directory-fetching circuits the full "circuit build timeout" period, rather than just half of it, before failing them and marking the relay down. This fix should help reduce cases where clients declare relays (or worse, bridges) unreachable because the TLS handshake takes a few seconds to complete. Fixes bug 6743; bugfix on 0.2.2.2-alpha, where we changed the timeout from a static 30 seconds. - Ensure we don't cannibalize circuits that are longer than three hops already, so we don't end up making circuits with 5 or more hops. Patch contributed by wanoskarnet. Fixes bug 5231; bugfix on 0.1.0.1-rc which introduced cannibalization. o Minor bugfixes (relays): - Don't publish a new relay descriptor when we reload our onion key, unless the onion key has actually changed. Fixes bug 3263 and resolves another cause of bug 1810. Bugfix on 0.1.1.11-alpha. - When relays refuse a "create" cell because their queue of pending create cells is too big (typically because their cpu can't keep up with the arrival rate), send back reason "resource limit" rather than reason "internal", so network measurement scripts can get a more accurate picture. Bugfix on 0.1.1.11-alpha; fixes bug 7037. - Exit nodes don't need to fetch certificates for authorities that they don't recognize; only directory authorities, bridges, and caches need to do that. Fixes part of bug 2297; bugfix on 0.2.2.11-alpha. o Minor bugfixes (directory authority / mirrors): - Avoid O(n^2) performance characteristics when parsing a large extrainfo cache. Fixes bug 5828; bugfix on 0.2.0.1-alpha. - Authorities no longer include any router in their microdescriptor consensuses for which they couldn't generate or agree on a microdescriptor. Fixes the second piece of bug 6404; fix on 0.2.2.6-alpha. - When checking for requested signatures on the latest consensus before serving it to a client, make sure to check the right consensus flavor. Bugfix on 0.2.2.6-alpha. - Fix an edge case where TestingTorNetwork is set but the authorities and relays all have an uptime of zero, so the private Tor network could briefly lack support for hidden services. Fixes bug 3886; bugfix on 0.2.2.18-alpha. - Directory caches no longer refuse to clean out descriptors because of missing v2 networkstatus documents, unless they're configured to retrieve v2 networkstatus documents. Fixes bug 4838; bugfix on 0.2.2.26-beta. Patch by Daniel Bryg. - Don't serve or accept v2 hidden service descriptors over a relay's DirPort. It's never correct to do so, and disabling it might make it more annoying to exploit any bugs that turn up in the descriptor-parsing code. Fixes bug 7149. o Minor bugfixes (hidden services, client-side): - Assert that hidden-service-related operations are not performed using single-hop circuits. Previously, Tor would assert that client-side streams are not attached to single-hop circuits, but not that other sensitive operations on the client and service side are not performed using single-hop circuits. Fixes bug 3332; bugfix on 0.0.6. - Avoid undefined behaviour when parsing the list of supported rendezvous/introduction protocols in a hidden service descriptor. Previously, Tor would have confused (as-yet-unused) protocol version numbers greater than 32 with lower ones on many platforms. Fixes bug 6827; bugfix on 0.2.0.10-alpha. Found by George Kadianakis. - Don't close hidden service client circuits which have almost finished connecting to their destination when they reach the normal circuit-build timeout. Previously, we would close introduction circuits which are waiting for an acknowledgement from the introduction point, and rendezvous circuits which have been specified in an INTRODUCE1 cell sent to a hidden service, after the normal CBT. Now, we mark them as 'timed out', and launch another rendezvous attempt in parallel. This behavior change can be disabled using the new CloseHSClientCircuitsImmediatelyOnTimeout option. Fixes part of bug 1297; bugfix on 0.2.2.2-alpha. o Minor bugfixes (hidden services, service-side): - Don't close hidden-service-side rendezvous circuits when they reach the normal circuit-build timeout. This behaviour change can be disabled using the new CloseHSServiceRendCircuitsImmediatelyOnTimeout option. Fixes the remaining part of bug 1297; bugfix on 0.2.2.2-alpha. - Don't launch more than 10 service-side introduction-point circuits for a hidden service in five minutes. Previously, we would consider launching more introduction-point circuits if at least one second had passed without any introduction-point circuits failing. Fixes bug 4607; bugfix on 0.0.7pre1. o Minor bugfixes (config option behavior): - If the user tries to set MyFamily on a bridge, refuse to do so, and warn about the security implications. Fixes bug 4657; bugfix on 0.2.0.3-alpha. - The "--quiet" and "--hush" options now apply not only to Tor's behavior before logs are configured, but also to Tor's behavior in the absense of configured logs. Fixes bug 3550; bugfix on 0.2.0.10-alpha. - Change the AllowDotExit rules so they should actually work. We now enforce AllowDotExit only immediately after receiving an address via SOCKS or DNSPort: other sources are free to provide .exit addresses after the resolution occurs. Fixes bug 3940; bugfix on 0.2.2.1-alpha. - Make "LearnCircuitBuildTimeout 0" work more reliably. Specifically, don't depend on the consensus parameters or compute adaptive timeouts when it is disabled. Fixes bug 5049; bugfix on 0.2.2.14-alpha. - After we pick a directory mirror, we would refuse to use it if it's in our ExcludeExitNodes list, resulting in mysterious failures to bootstrap for people who just wanted to avoid exiting from certain locations. Fixes bug 5623; bugfix on 0.2.2.25-alpha. - When told to add a bridge with the same digest as a preexisting bridge but a different addr:port, change the addr:port as requested. Previously we would not notice the change. Fixes half of bug 5603; fix on 0.2.2.26-beta. o Minor bugfixes (controller): - Allow manual 'authenticate' commands to the controller interface from netcat (nc) as well as telnet. We were rejecting them because they didn't come with the expected whitespace at the end of the command. Bugfix on 0.1.1.1-alpha; fixes bug 2893. - Report a real bootstrap problem to the controller on router identity mismatch. Previously we just said "foo", which probably made a lot of sense at the time. Fixes bug 4169; bugfix on 0.2.1.1-alpha. - When we receive a SIGHUP and the controller __ReloadTorrcOnSIGHUP option is set to 0 (which Vidalia version 0.2.16 now does when a SAVECONF attempt fails), perform other actions that SIGHUP usually causes (like reopening the logs). Fixes bug 5095; bugfix on 0.2.1.9-alpha. - Correctly handle checking the permissions on the parent directory of a control socket in the root directory. Bug found by Esteban Manchado VelÃ¡zquez. Fixes bug 5089; bugfix on Tor 0.2.2.26-beta. - End AUTHCHALLENGE error messages (in the control protocol) with a CRLF. Fixes bug 5760; bugfix on 0.2.2.36. o Minor bugfixes (network reading/writing): - Disable writing on marked-for-close connections when they are blocked on bandwidth, to prevent busy-looping in Libevent. Fixes bug 5263; bugfix on 0.0.2pre13, where we first added a special case for flushing marked connections. - Make sure that there are no unhandled pending TLS errors before reading from a TLS stream. We had checks in 0.1.0.3-rc, but lost them in 0.1.0.5-rc when we refactored read_to_buf_tls(). Bugfix on 0.1.0.5-rc; fixes bug 4528. - Detect SSL handshake even when the initial attempt to write the server hello fails. Fixes bug 4592; bugfix on 0.2.0.13-alpha. - If the client fails to set a reasonable set of ciphersuites during its v2 handshake renegotiation, allow the renegotiation to continue nevertheless (i.e. send all the required certificates). Fixes bug 4591; bugfix on 0.2.0.20-rc. o Minor bugfixes (other): - Exit nodes now correctly report EADDRINUSE and EADDRNOTAVAIL as resource exhaustion, so that clients can adjust their load to try other exits. Fixes bug 4710; bugfix on 0.1.0.1-rc, which started using END_STREAM_REASON_RESOURCELIMIT. - Don't check for whether the address we're using for outbound connections has changed until after the outbound connection has completed. On Windows, getsockname() doesn't succeed until the connection is finished. Fixes bug 5374; bugfix on 0.1.1.14-alpha. - Don't hold a Windows file handle open for every file mapping; the file mapping handle is sufficient. Fixes bug 5951; bugfix on 0.1.2.1-alpha. - Fix wrong TCP port range in parse_port_range(). Fixes bug 6218; bugfix on 0.2.1.10-alpha. - If we fail to write a microdescriptor to the disk cache, do not continue replacing the old microdescriptor file. Fixes bug 2954; bugfix on 0.2.2.6-alpha. o Minor bugfixes (log messages, path selection): - Downgrade "set buildtimeout to low value" messages to "info" severity; they were never an actual problem, there was never anything reasonable to do about them, and they tended to spam logs from time to time. Fixes bug 6251; bugfix on 0.2.2.2-alpha. - Rate-limit the "Weighted bandwidth is 0.000000" message, and add more information to it, so that we can track it down in case it returns again. Mitigates bug 5235. - Check CircuitBuildTimeout and LearnCircuitBuildTimeout in options_validate(); warn if LearnCircuitBuildTimeout is disabled and CircuitBuildTimeout is set unreasonably low. Resolves ticket 5452. - Issue a log message if a guard completes less than 40% of your circuits. Threshold is configurable by torrc option PathBiasNoticeRate and consensus parameter pb_noticepct. There is additional, off-by-default code to disable guards which fail too many circuits. Addresses ticket 5458. o Minor bugfixes (log messages, client): - Downgrade "Got a certificate, but we already have it" log messages from warning to info, except when we're a dirauth. Fixes bug 5238; bugfix on 0.2.1.7-alpha. - Fix the log message describing how we work around discovering that our version is the ill-fated OpenSSL 0.9.8l. Fixes bug 4837; bugfix on 0.2.2.9-alpha. - When logging about a disallowed .exit name, do not also call it an "invalid onion address". Fixes bug 3325; bugfix on 0.2.2.9-alpha. - Fix a log message suggesting that people contact a non-existent email address. Fixes bug 3448. - Rephrase the log message emitted if the TestSocks check is successful. Patch from Fabian Keil; fixes bug 4094. - Log (at debug level) whenever a circuit's purpose is changed. - Log SSL state transitions at log level DEBUG, log domain HANDSHAKE. This can be useful for debugging censorship events. Implements ticket 3264. - We now log which torrc file we're using on startup. Implements ticket 2444. - Rate-limit log messages when asked to connect anonymously to a private address. When these hit, they tended to hit fast and often. Also, don't bother trying to connect to addresses that we are sure will resolve to 127.0.0.1: getting 127.0.0.1 in a directory reply makes us think we have been lied to, even when the address the client tried to connect to was "localhost." Resolves ticket 2822. o Minor bugfixes (log messages, non-client): - Downgrade "eventdns rejected address" message to LOG_PROTOCOL_WARN. Fixes bug 5932; bugfix on 0.2.2.7-alpha. - Don't log that we have "decided to publish new relay descriptor" unless we are actually publishing a descriptor. Fixes bug 3942; bugfix on 0.2.2.28-beta. - Log which authority we're missing votes from when we go to fetch them from the other auths. - Replace "Sending publish request" log messages with "Launching upload", so that they no longer confusingly imply that we're sending something to a directory we might not even be connected to yet. Fixes bug 3311; bugfix on 0.2.0.10-alpha. - Warn when Tor is configured to use accounting in a way that can link a hidden service to some other hidden service or public address. Resolves ticket 6490. - Fix a minor formatting issue in one of tor-gencert's error messages. Fixes bug 4574. o Testing: - Update to the latest version of the tinytest unit testing framework. This includes a couple of bugfixes that can be relevant for running forked unit tests on Windows, and removes all reserved identifiers. - Avoid a false positive in the util/threads unit test by increasing the maximum timeout time. Fixes bug 6227; bugfix on 0.2.0.4-alpha. - Make it possible to set the TestingTorNetwork configuration option using AlternateDirAuthority and AlternateBridgeAuthority as an alternative to setting DirServer. Addresses ticket 6377. - Add a unit test for the environment_variable_names_equal() function. - A wide variety of new unit tests by Esteban Manchado VelÃ¡zquez. - Numerous new unit tests for functions in util.c and address.c by Anders Sundman. - The long-disabled benchmark tests are now split into their own ./src/test/bench binary. - The benchmark tests can now use more accurate timers than gettimeofday() when such timers are available. - Use tt_assert(), not tor_assert(), for checking for test failures. This makes the unit tests more able to go on in the event that one of them fails. o Build improvements: - Use the dead_strip option when building Tor on OS X. This reduces binary size by almost 19% when linking openssl and libevent statically, which we do for Tor Browser Bundle. - Provide a better error message about possible OSX Asciidoc failure reasons. Fixes bug 6436. - Detect attempts to build Tor on (as yet hypothetical) versions of Windows where sizeof(intptr_t) != sizeof(SOCKET). Partial fix for bug 4533. Bugfix on 0.2.2.28-beta. - On Windows, we now define the _WIN32_WINNT macros only if they are not already defined. This lets the person building Tor decide, if they want, to require a later version of Windows. - Our autogen.sh script now uses autoreconf to launch autoconf, automake, and so on. This is more robust against some of the failure modes associated with running the autotools pieces on their own. - Running "make version" now displays the version of Tor that we're about to build. Idea from katmagic; resolves issue 4400. - Make 'tor --digests' list hashes of all Tor source files. Bugfix on 0.2.2.4-alpha; fixes bug 3427. - New --enable-static-tor configure option for building Tor as statically as possible. Idea, general hackery and thoughts from Alexei Czeskis, John Gilmore, Jacob Appelbaum. Implements ticket 2702. - Limited, experimental support for building with nmake and MSVC. o Build requirements: - Building Tor with bufferevent support now requires Libevent 2.0.13-stable or later. Previous versions of Libevent had bugs in SSL-related bufferevents and related issues that would make Tor work badly with bufferevents. Requiring 2.0.13-stable also allows Tor with bufferevents to take advantage of Libevent APIs introduced after 2.0.8-rc. - Our build system requires automake 1.6 or later to create the Makefile.in files. Previously, you could have used 1.4. This only affects developers and people building Tor from git; people who build Tor from the source distribution without changing the Makefile.am files should be fine. - Detect when we try to build on a platform that doesn't define AF_UNSPEC to 0. We don't work there, so refuse to compile. o Build fixes (compile/link): - Format more doubles with %f, not %lf. Patch from grarpamp to make Tor build correctly on older BSDs again. Fixes bug 3894; bugfix on Tor 0.2.0.8-alpha. - When building with --enable-static-tor on OpenBSD, do not erroneously attempt to link -lrt. Fixes bug 5103. - Set _WIN32_WINNT to 0x0501 consistently throughout the code, so that IPv6 stuff will compile on MSVC, and compilation issues will be easier to track down. Fixes bug 5861. - Fix build and 64-bit compile warnings from --enable-openbsd-malloc. Fixes bug 6379. Bugfix on 0.2.0.20-rc. - Make Tor build correctly again with -DUNICODE -D_UNICODE defined. Fixes bug 6097; bugfix on 0.2.2.16-alpha. o Build fixes (other): - Use the _WIN32 macro throughout our code to detect Windows. (Previously we had used the obsolete 'WIN32' and the idiosyncratic 'MS_WINDOWS'.) - Properly handle the case where the build-tree is not the same as the source tree when generating src/common/common_sha1.i, src/or/micro-revision.i, and src/or/or_sha1.i. Fixes bug 3953; bugfix on 0.2.0.1-alpha. - During configure, search for library containing cos function as libm lives in libcore on some platforms (BeOS/Haiku). Linking against libm was hard-coded before. Fixes the first part of bug 4727; bugfix on 0.2.2.2-alpha. Patch and analysis by Martin Hebnes Pedersen. - Prevent a false positive from the check-spaces script, by disabling the "whitespace between function name and (" check for functions named 'op()'. o Packaging (RPM) changes: - Update our default RPM spec files to work with mock and rpmbuild on RHEL/Fedora. They have an updated set of dependencies and conflicts, a fix for an ancient typo when creating the "_tor" user, and better instructions. Thanks to Ondrej Mikle for the patch series. Fixes bug 6043. - On OpenSUSE, create the /var/run/tor directory on startup if it is not already created. Patch from Andreas Stieger. Fixes bug 2573. o Code refactoring (safety): - Do not use SMARTLIST_FOREACH for any loop whose body exceeds 10 lines. Also, don't nest them. Doing so in the past has led to hard-to-debug code. The new style is to use the SMARTLIST_FOREACH_{BEGIN,END} pair. Addresses issue 6400. - Use macros to indicate OpenSSL versions, so we don't need to worry about accidental hexadecimal bit shifts. - Use tor_sscanf() in place of scanf() in more places through the code. This makes us a little more locale-independent, and should help shut up code-analysis tools that can't tell a safe sscanf string from a dangerous one. - Convert more instances of tor_snprintf+tor_strdup into tor_asprintf. - Use the smartlist_add_asprintf() alias more consistently. o Code refactoring (consolidate): - A major revision to our internal node-selecting and listing logic. Tor already had at least two major ways to look at the question of "which Tor servers do we know about": a list of router descriptors, and a list of entries in the current consensus. With microdescriptors, we're adding a third. Having so many systems without an abstraction layer over them was hurting the codebase. Now, we have a new "node_t" abstraction that presents a consistent interface to a client's view of a Tor node, and holds (nearly) all of the mutable state formerly in routerinfo_t and routerstatus_t. - Move tor_gettimeofday_cached() into compat_libevent.c, and use Libevent's notion of cached time when possible. - Remove duplicate code for invoking getrlimit() from control.c. - Use OpenSSL's built-in SSL_state_string_long() instead of our own homebrewed ssl_state_to_string() replacement. Patch from Emile Snyder. Fixes bug 4653. - Change the symmetric cipher interface so that creating and initializing a stream cipher are no longer separate functions. o Code refactoring (separate): - Make a new "entry connection" struct as an internal subtype of "edge connection", to simplify the code and make exit connections smaller. - Split connection_about_to_close() into separate functions for each connection type. - Rewrite the listener-selection logic so that parsing which ports we want to listen on is now separate from binding to the ports we want. o Code refactoring (name changes): - Rename a handful of old identifiers, mostly related to crypto structures and crypto functions. By convention, our "create an object" functions are called "type_new()", our "free an object" functions are called "type_free()", and our types indicate that they are types only with a final "_t". But a handful of older types and functions broke these rules, with function names like "type_create" or "subsystem_op_type", or with type names like type_env_t. - Rename Tor functions that turn strings into addresses, so that "parse" indicates that no hostname resolution occurs, and "lookup" indicates that hostname resolution may occur. This should help prevent mistakes in the future. Fixes bug 3512. - Use the name "CERTS" consistently to refer to the new cell type; we were calling it CERT in some places and CERTS in others. - Use a TOR_INVALID_SOCKET macro when initializing a socket to an invalid value, rather than just -1. - Rename the bench_{aes,dmap} functions to test_*, so that tinytest can pick them up when the tests aren't disabled. Bugfix on 0.2.2.4-alpha which introduced tinytest. o Code refactoring (other): - Defensively refactor rend_mid_rendezvous() so that protocol violations and length checks happen in the beginning. Fixes bug 5645. - Remove the pure attribute from all functions that used it previously. In many cases we assigned it incorrectly, because the functions might assert or call impure functions, and we don't have evidence that keeping the pure attribute is worthwhile. Implements changes suggested in ticket 4421. - Move the replay-detection cache for the RSA-encrypted parts of INTRODUCE2 cells to the introduction point data structures. Previously, we would use one replay-detection cache per hidden service. Required by fix for bug 3460. - The helper programs tor-gencert, tor-resolve, and tor-checkkey no longer link against Libevent: they never used it, but our library structure used to force them to link it. o Removed features and files: - Remove all internal support for unpadded RSA. We never used it, and it would be a bad idea to start. - Remove some workaround code for OpenSSL 0.9.6 (which is no longer supported). - Remove some redundant #include directives throughout the code. Patch from Andrea Gelmini. - Remove some old code to remember statistics about which descriptors we've served as a directory mirror. The feature wasn't used and is outdated now that microdescriptors are around. - Remove some old code to work around even older versions of Tor that used forked processes to handle DNS requests. Such versions of Tor are no longer in use as relays. - The "torify" script no longer supports the "tsocks" socksifier tool, since tsocks doesn't support DNS and UDP right for Tor. Everyone should be using torsocks instead. Fixes bugs 3530 and 5180. Based on a patch by "ugh". - Remove the torrc.bridge file: we don't use it for anything, and it had become badly desynchronized from torrc.sample. Resolves bug 5622. o Documentation: - Begin a doc/state-contents.txt file to explain the contents of the Tor state file. Fixes bug 2987. - Clarify the documentation for the Alternate*Authority options. Fixes bug 6387. - Document the --defaults-torrc option, and the new semantics for overriding, extending, and clearing lists of options. Closes bug 4748. - Add missing man page documentation for consensus and microdesc files. Resolves ticket 6732. - Fix some typos in the manpages. Patch from A. Costa. Fixes bug 6500. o Documentation fixes: - Improve the manual's documentation for the NT Service command-line options. Addresses ticket 3964. - Clarify SessionGroup documentation slightly; resolves ticket 5437. - Document the changes to the ORPort and DirPort options, and the fact that {OR/Dir}ListenAddress is now unnecessary (and therefore deprecated). Resolves ticket 5597. - Correct a broken faq link in the INSTALL file. Fixes bug 2307. - Clarify that hidden services are TCP only. Fixes bug 6024.

1 0