-rw-r--r-- | ChangeLog | 479 |
1 files changed, 174 insertions, 305 deletions
@@ -1,34 +1,29 @@ -Changes so far in 0.0.9: -rc7: - o Bugfixes on 0.0.9rc: - - Fix a stack-trashing crash when an exit node begins hibernating. - - Avoid looking at unallocated memory while considering which - ports we need to build circuits to cover. - - Stop a sigpipe: when an 'end' cell races with eof from the app, - we shouldn't hold-open-until-flush if the eof arrived first. - - Fix a bug with init_cookie_authentication() in the controller. - - When recommending new-format log lines, if the upper bound is - LOG_ERR, leave it implicit. - o Bugfixes on 0.0.8.1: - - Fix a whole slew of memory leaks. +Changes in version 0.0.9 - forthcoming + o Bugfixes on 0.0.8.1 (Crashes and asserts): + - Catch and ignore SIGXFSZ signals when log files exceed 2GB; our + write() call will fail and we handle it there. + - When we run out of disk space, or other log writing error, don't + crash. Just stop logging to that log and continue. - Fix isspace() and friends so they still make Solaris happy but also so they don't trigger asserts on win32. + - Fix assert failure on malformed socks4a requests. + - Fix an assert bug where a hidden service provider would fail if + the first hop of his rendezvous circuit was down. + - Better handling of size_t vs int, so we're more robust on 64 + bit platforms. + + o Bugfixes on 0.0.8.1 (Win32): + - Make windows sockets actually non-blocking (oops), and handle + win32 socket errors better. - Fix parse_iso_time on platforms without strptime (eg win32). - - win32: tolerate extra "readable" events better. - win32: when being multithreaded, leave parent fdarray open. + - Better handling of winsock includes on non-MSV win32 compilers. + - Change our file IO stuff (especially wrt OpenSSL) so win32 is + happier. - Make unit tests work on win32. -rc6: - o Bugfixes on 0.0.9rc: - - Clean up some more integer underflow opportunities (not exploitable - we think). - - While hibernating, hup should not regrow our listeners. 
- - Send an end to the streams we close when we hibernate, rather - than just chopping them off. - - React to eof immediately on non-open edge connections. - - o Bugfixes on 0.0.8.1: + o Bugfixes on 0.0.8.1 (Path selection and streams): - Calculate timeout for waiting for a connected cell from the time we sent the begin cell, not from the time the stream started. If it took a long time to establish the circuit, we would time out 
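Review bot: the removed entry "win32: tolerate extra "readable" events better" sat under "Bugfixes on 0.0.8.1" in the old rc7 list but does not reappear in the new "Bugfixes on 0.0.8.1 (Win32)" group, so a fix that users of 0.0.8.1 will get in this release silently drops out of the notes; unless it was deliberately folded into "Make windows sockets actually non-blocking (oops), and handle win32 socket errors better", restore it in the Win32 group. Separately, the new header "Changes in version 0.0.9 - forthcoming" will need a real date before tagging, in the same form as the "Changes in version 0.0.8.1 - 2004-10-13" header further down.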
@@ -36,8 +31,75 @@ rc6: - Fix router_compare_addr_to_addr_policy: it was not treating a port of * as always matching, so we were picking reject *:* nodes as exit nodes too. Oops. + - When read() failed on a stream, we would close it without sending + back an end. So 'connection refused' would simply be ignored and + the user would get no response. + - Stop a sigpipe: when an 'end' cell races with eof from the app, + we shouldn't hold-open-until-flush if the eof arrived first. + - Let resolve conns retry/expire also, rather than sticking around + forever. + - Fix more dns related bugs: send back resolve_failed and end cells + more reliably when the resolve fails, rather than closing the + circuit and then trying to send the cell. Also attach dummy resolve + connections to a circuit *before* calling dns_resolve(), to fix + a bug where cached answers would never be sent in RESOLVED cells. - o Features: + o Bugfixes on 0.0.8.1 (Circuits): + - Finally fix a bug that's been plaguing us for a year: + With high load, circuit package window was reaching 0. Whenever + we got a circuit-level sendme, we were reading a lot on each + socket, but only writing out a bit. So we would eventually reach + eof. This would be noticed and acted on even when there were still + bytes sitting in the inbuf. + - Use identity comparison, not nickname comparison, to choose which + half of circuit-ID-space each side gets to use. This is needed + because sometimes we think of a router as a nickname, and sometimes + as a hex ID, and we can't predict what the other side will do. + + o Bugfixes on 0.0.8.1 (Other): + - Fix a whole slew of memory leaks. + - Disallow NDEBUG. We don't ever want anybody to turn off debug. + - If we are using select, make sure we stay within FD_SETSIZE. + - When poll() is interrupted, we shouldn't believe the revents values. + - Add a FAST_SMARTLIST define to optionally inline smartlist_get + and smartlist_len, which are two major profiling offenders. 
+ - If do_hup fails, actually notice. + - Flush the log file descriptor after we print "Tor opening log file", + so we don't see those messages days later. + - Hidden service operators now correctly handle version 1 style + INTRODUCE1 cells (nobody generates them still, so not a critical + bug). + - Handle more errnos from accept() without closing the listener. + Some OpenBSD machines were closing their listeners because + they ran out of file descriptors. + - Some people had wrapped their tor client/server in a script + that would restart it whenever it died. This did not play well + with our "shut down if your version is obsolete" code. Now people + don't fetch a new directory if their local cached version is + recent enough. + - Make our autogen.sh work on ksh as well as bash. + - Better torrc example lines for dirbindaddress and orbindaddress. + - Improved bounds checking on parsed ints (e.g. config options and + the ones we find in directories.) + - Stop using separate defaults for no-config-file and + empty-config-file. Now you have to explicitly turn off SocksPort, + if you don't want it open. + - We were starting to daemonize before we opened our logs, so if + there were any problems opening logs, we would complain to stderr, + which wouldn't work, and then mysteriously exit. + - If a verified OR connects to us before he's uploaded his descriptor, + or we verify him and hup but he still has the original TLS + connection, then conn->nickname is still set like he's unverified. + + o Code security improvements, inspired by Ilja: + - tor_snprintf wrapper over snprintf with consistent (though not C99) + overflow behavior. + - Replace sprintf with tor_snprintf. (I think they were all safe, but + hey.) + - Replace strcpy/strncpy with strlcpy in more places. + - Avoid strcat; use tor_snprintf or strlcat instead. 
+ + o Features (circuits and streams): - New circuit building strategy: keep a list of ports that we've used in the past 6 hours, and always try to have 2 circuits open or on the way that will handle each such port. Seed us with port 
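Review bot: the new entry "If a verified OR connects to us before he's uploaded his descriptor, or we verify him and hup but he still has the original TLS connection, then conn->nickname is still set like he's unverified" describes the bug but never says it is fixed, unlike every neighbouring bullet; the two pre3/pre1 entries it consolidates (removed further down) ended with "Now we look through the fingerprint list to see if he's there", so append that sentence here.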
@@ -48,79 +110,26 @@ rc6: - If you haven't used a clean circuit in an hour, throw it away, just to be on the safe side. (This means after 6 hours a totally unused Tor client will have no circuits open.) - -rc5: - o Bugfixes on 0.0.8.1: - - Disallow NDEBUG. We don't ever want anybody to turn off debug. - - Let resolve conns retry/expire also, rather than sticking around - forever. - - If we are using select, make sure we stay within FD_SETSIZE. - - o Bugfixes on 0.0.9pre: - - Fix integer underflow in tor_vsnprintf() that may be exploitable, - but doesn't seem to be currently; thanks to Ilja van Sprundel for - finding it. - - If anybody set DirFetchPostPeriod, give them StatusFetchPeriod - instead. Impose minima and maxima for all *Period options; impose - even tighter maxima for fetching if we are a caching dirserver. - Clip rather than rejecting. - - Fetch cached running-routers from servers that serve it (that is, - authdirservers and servers running 0.0.9rc5-cvs or later.) - - o Features: - - Accept *:706 (silc) in default exit policy. - - Implement new versioning format for post 0.1. - Support "foo.nickname.exit" addresses, to let Alice request the address "foo" as viewed by exit node "nickname". Based on a patch - by Geoff Goodell. - - Make tor --version --version dump the cvs Id of every file. - -rc4: - o Bugfixes on 0.0.8.1: - - Make windows sockets actually non-blocking (oops), and handle - win32 socket errors better. - - o Bugfixes on 0.0.9rc1: - - Actually catch the -USR2 signal. - -rc3: - o Bugfixes on 0.0.8.1: - - Flush the log file descriptor after we print "Tor opening log file", - so we don't see those messages days later. - - o Bugfixes on 0.0.9rc1: - - Make tor-resolve work again. - - Avoid infinite loop in tor-resolve if tor hangs up on it. - - Fix an assert trigger for clients/servers handling resolves. - -rc2: - o Bugfixes on 0.0.9rc1: - - I broke socks5 support while fixing the eof bug. 
- - Allow unitless bandwidths and intervals; they default to bytes - and seconds. - - New servers don't start out hibernating; they are active until - they run out of bytes, so they have a better estimate of how - long it takes, and so their operators can know they're working. - -rc1: - o Bugfixes on 0.0.8.1: - - Finally fix a bug that's been plaguing us for a year: - With high load, circuit package window was reaching 0. Whenever - we got a circuit-level sendme, we were reading a lot on each - socket, but only writing out a bit. So we would eventually reach - eof. This would be noticed and acted on even when there were still - bytes sitting in the inbuf. - - When poll() is interrupted, we shouldn't believe the revents values. - - o Bugfixes on 0.0.9pre6: - - Fix hibernate bug that caused pre6 to be broken. - - Don't keep rephist info for routers that haven't had activity for - 24 hours. (This matters now that clients have keys, since we track - them too.) - - Never call close_temp_logs while validating log options. - - Fix backslash-escaping on tor.sh.in and torctl.in. + from Geoff Goodell. + - If your requested entry or exit node has advertised bandwidth 0, + pick it anyway. + - Be more greedy about filling up relay cells -- we try reading again + once we've processed the stuff we read, in case enough has arrived + to fill the last cell completely. + - Refuse application socks connections to port 0. + - Use only 0.0.9pre1 and later servers for resolve cells. - o Features: + o Features (bandwidth): + - Hibernation: New config option "AccountingMax" lets you + set how many bytes per month (in each direction) you want to + allow your server to consume. Rather than spreading those + bytes out evenly over the month, we instead hibernate for some + of the month and pop up at a deterministic time, work until + the bytes are consumed, then hibernate again. Config option + "MonthlyAccountingStart" lets you specify which day of the month + your billing cycle starts on. 
- Implement weekly/monthly/daily accounting: now you specify your hibernation properties by AccountingMax N bytes|KB|MB|GB|TB 
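Review bot: the new "Hibernation" entry in "Features (bandwidth)" documents a "MonthlyAccountingStart" option, but the retained entry immediately after it says accounting is now weekly/monthly/daily with a default of "month 1 0:00", which reads as if that option has been superseded; confirm the option name is current or merge the two bullets into one. The rc2 entries removed here, "Allow unitless bandwidths and intervals; they default to bytes and seconds" and "New servers don't start out hibernating; they are active until they run out of bytes", describe user-visible AccountingMax behaviour that nothing in the new bandwidth group covers, so consider keeping them there rather than dropping them with the rc bugfixes.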
@@ -128,108 +137,46 @@ rc1: Defaults to "month 1 0:00". - Let bandwidth and interval config options be specified as 5 bytes, kb, kilobytes, etc; and as seconds, minutes, hours, days, weeks. - - kill -USR2 now moves all logs to loglevel debug (kill -HUP to - get back to normal.) - - If your requested entry or exit node has advertised bandwidth 0, - pick it anyway. - - Be more greedy about filling up relay cells -- we try reading again - once we've processed the stuff we read, in case enough has arrived - to fill the last cell completely. - - Apply NT service patch from Osamu Fujino. Still needs more work. - -pre6: - o Bugfixes on 0.0.8.1: - - Fix assert failure on malformed socks4a requests. - - Use identity comparison, not nickname comparison, to choose which - half of circuit-ID-space each side gets to use. This is needed - because sometimes we think of a router as a nickname, and sometimes - as a hex ID, and we can't predict what the other side will do. - - Catch and ignore SIGXFSZ signals when log files exceed 2GB; our - write() call will fail and we handle it there. - - Add a FAST_SMARTLIST define to optionally inline smartlist_get - and smartlist_len, which are two major profiling offenders. - o Bugfixes on 0.0.9pre5: - - Fix a bug in read_all that was corrupting config files on windows. - - When we're raising the max number of open file descriptors to - 'unlimited', don't log that we just raised it to '-1'. - - Include event code with events, as required by control-spec.txt. - - Don't give a fingerprint when clients do --list-fingerprint: - it's misleading, because it will never be the same again. - - Stop using strlcpy in tor_strndup, since it was slowing us - down a lot. - - Remove warn on startup about missing cached-directory file. - - Make kill -USR1 work again. - - Hibernate if we start tor during the "wait for wakeup-time" phase - of an accounting interval. Log our hibernation plans better. 
- - Authoritative dirservers now also cache their directory, so they - have it on start-up. + o Features (directories): + - New "router-status" line in directory, to better bind each verified + nickname to its identity key. + - Clients can ask dirservers for /dir.z to get a compressed version + of the directory. Only works for servers running 0.0.9, of course. + - Make clients cache directories and use them to seed their router + lists at startup. This means clients have a datadir again. + - Respond to content-encoding headers by trying to uncompress as + appropriate. + - Clients and servers now fetch running-routers; cache + running-routers; compress running-routers; serve compressed + running-routers.z + - Make moria2 advertise a dirport of 80, so people behind firewalls + will be able to get a directory. + - Http proxy support + - Dirservers translate requests for http://%s:%d/x to /x + - You can specify "HttpProxy %s[:%d]" and all dir fetches will + be routed through this host. + - Clients ask for /tor/x rather than /x for new enough dirservers. + This way we can one day coexist peacefully with apache. + - Clients specify a "Host: %s%d" http header, to be compatible + with more proxies, and so running squid on an exit node can work. + - Protect dirservers from overzealous descriptor uploading -- wait + 10 seconds after directory gets dirty, before regenerating. - o Features: - - Fetch running-routers; cache running-routers; compress - running-routers; serve compressed running-routers.z - - Add NSI installer script contributed by J Doe. + o Features (packages and install): + - Add NSI installer contributed by J Doe. + - Apply NT service patch from Osamu Fujino. Still needs more work. - Commit VC6 and VC7 workspace/project files. - Commit a tor.spec for making RPM files, with help from jbash. - Add contrib/torctl.in contributed by Glenn Fink. - - Implement the control-spec's SAVECONF command, to write your - configuration to torrc. 
- - Get cookie authentication for the controller closer to working. - - Include control-spec.txt in the tarball. - - When set_conf changes our server descriptor, upload a new copy. - But don't upload it too often if there are frequent changes. - - Document authentication config in man page, and document signals - we catch. - - Clean up confusing parts of man page and torrc.sample. - Make expand_filename handle ~ and ~username. - Use autoconf to enable largefile support where necessary. Use ftello where available, since ftell can fail at 2GB. - - Distinguish between TOR_TLS_CLOSE and TOR_TLS_ERROR, so we can - log more informatively. - - Give a slightly more useful output for "tor -h". - - Refuse application socks connections to port 0. - - Check clock skew for verified servers, but allow unverified - servers and clients to have any clock skew. - - Break DirFetchPostPeriod into: - - DirFetchPeriod for fetching full directory, - - StatusFetchPeriod for fetching running-routers, - - DirPostPeriod for posting server descriptor, - - RendPostPeriod for posting hidden service descriptors. - - Make sure the hidden service descriptors are at a random offset - from each other, to hinder linkability. - -pre5: - o Bugfixes on 0.0.8.1: - - Fix an assert bug where a hidden service provider would fail if - the first hop of his rendezvous circuit was down. - - Hidden service operators now correctly handle version 1 style - INTRODUCE1 cells (nobody generates them still, so not a critical - bug). - - If do_hup fails, actually notice. - - Handle more errnos from accept() without closing the listener. - Some OpenBSD machines were closing their listeners because - they ran out of file descriptors. - - Better handling of winsock includes on non-MSV win32 compilers. - - Some people had wrapped their tor client/server in a script - that would restart it whenever it died. This did not play well - with our "shut down if your version is obsolete" code. 
Now people - don't fetch a new directory if their local cached version is - recent enough. - - Make our autogen.sh work on ksh as well as bash. + - Ship src/win32/ in the tarball, so people can use it to build. + - Make old win32 fall back to CWD if SHGetSpecialFolderLocation + is broken. - o Bugfixes on 0.0.9pre4: - - Fix a seg fault in unit tests (doesn't affect main program). - - Send resolve cells to exit routers that are running a new - enough version of the resolve code to work right. - - o Major Features: - - Hibernation: New config option "AccountingMaxKB" lets you - set how many KBytes per month you want to allow your server to - consume. Rather than spreading those bytes out evenly over the - month, we instead hibernate for some of the month and pop up - at a deterministic time, work until the bytes are consumed, then - hibernate again. Config option "MonthlyAccountingStart" lets you - specify which day of the month your billing cycle starts on. + o Features (ui controller): - Control interface: a separate program can now talk to your client/server over a socket, and get/set config options, receive notifications of circuits and streams starting/finishing/dying, 
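Review bot: three documentation and packaging items removed in this hunk, "Include control-spec.txt in the tarball", "Document authentication config in man page, and document signals we catch", and "Clean up confusing parts of man page and torrc.sample", are user-relevant and are not superseded by any bullet in the new groups; suggest carrying the first under "Features (packages and install)" and the other two under "Features (ui controller)" or "Features (config and command-line)".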
@@ -239,50 +186,31 @@ pre5: with the control port. - "tor --hash-password zzyxz" will output a salted password for use in authenticating to the control interface. + - Implement the control-spec's SAVECONF command, to write your + configuration to torrc. + - Get cookie authentication for the controller closer to working. + - When set_conf changes our server descriptor, upload a new copy. + But don't upload it too often if there are frequent changes. + + o Features (config and command-line): + - Deprecate unofficial config option abbreviations, and abbreviations + not on the command line. + - Configuration infrastructure support for warning on obsolete + options. + - Give a slightly more useful output for "tor -h". + - Break DirFetchPostPeriod into: + - DirFetchPeriod for fetching full directory, + - StatusFetchPeriod for fetching running-routers, + - DirPostPeriod for posting server descriptor, + - RendPostPeriod for posting hidden service descriptors. - New log format in config: "Log minsev[-maxsev] stdout|stderr|syslog" or "Log minsev[-maxsev] file /var/foo" - - o Minor Features: - DirPolicy config option, to let people reject incoming addresses from their dirserver. - "tor --list-fingerprint" will list your identity key fingerprint and then exit. - - Add "pass" target for RedirectExit, to make it easier to break - out of a sequence of RedirectExit rules. - - Clients now generate a TLS cert too, in preparation for having - them act more like real nodes. - - Ship src/win32/ in the tarball, so people can use it to build. - - Make old win32 fall back to CWD if SHGetSpecialFolderLocation - is broken. - - New "router-status" line in directory, to better bind each verified - nickname to its identity key. - - Deprecate unofficial config option abbreviations, and abbreviations - not on the command line. - - Add a pure-C tor-resolve implementation. - - Use getrlimit and friends to ensure we can reach MaxConn (currently - 1024) file descriptors. 
- - o Code security improvements, inspired by Ilja: - - Replace sprintf with snprintf. (I think they were all safe, but - hey.) - - Replace strcpy/strncpy with strlcpy in more places. - - Avoid strcat; use snprintf or strlcat instead. - - snprintf wrapper with consistent (though not C99) overflow behavior. - -pre4: - o Bugfixes on 0.0.9pre3: - - Ignore fascistfirewall when uploading/downloading hidden service - descriptors, since we go through Tor for those; and when using - an HttpProxy, since we assume it can reach them all. - - When looking for an authoritative dirserver, use only the ones - configured at boot. Don't bother looking in the directory. - - If the server doesn't specify an exit policy, use the real default - exit policy, not reject *:*. - - The rest of the fix for get_default_conf_file() on older win32. - - Make 'Routerfile' config option obsolete. - - o Features: + - Make tor --version --version dump the cvs Id of every file. - New 'MyFamily nick1,...' config option for a server to specify other servers that shouldn't be used in the same circuit with it. Only believed if nick1 also specifies us. 
@@ -290,32 +218,8 @@ pre4: specify nodes that it doesn't want to use in the same circuit. - New 'Redirectexit pattern address:port' config option for a server to redirect exit connections, e.g. to a local squid. - -pre3: - o Bugfixes on 0.0.8.1: - - Better torrc example lines for dirbindaddress and orbindaddress. - - Improved bounds checking on parsed ints (e.g. config options and - the ones we find in directories.) - - Better handling of size_t vs int, so we're more robust on 64 - bit platforms. - - Fix the rest of the bug where a newly started OR would appear - as unverified even after we've added his fingerprint and hupped - the dirserver. - - Fix a bug from 0.0.7: when read() failed on a stream, we would - close it without sending back an end. So 'connection refused' - would simply be ignored and the user would get no response. - - o Bugfixes on 0.0.9pre2: - - Serving the cached-on-disk directory to people is bad. We now - provide no directory until we've fetched a fresh one. - - Workaround for bug on windows where cached-directories get crlf - corruption. - - Make get_default_conf_file() work on older windows too. - - If we write a *:* exit policy line in the descriptor, don't write - any more exit policy lines. - - o Features: - - Use only 0.0.9pre1 and later servers for resolve cells. + - Add "pass" target for RedirectExit, to make it easier to break + out of a sequence of RedirectExit rules. - Make the dirservers file obsolete. - Include a dir-signing-key token in directories to tell the parsing entity which key is being used to sign. 
@@ -323,62 +227,27 @@ pre3: - New config option "Dirserver %s:%d [fingerprint]", which can be repeated as many times as needed. If no dirservers specified, default to moria1,moria2,tor26. - - Make moria2 advertise a dirport of 80, so people behind firewalls - will be able to get a directory. - - Http proxy support - - Dirservers translate requests for http://%s:%d/x to /x - - You can specify "HttpProxy %s[:%d]" and all dir fetches will - be routed through this host. - - Clients ask for /tor/x rather than /x for new enough dirservers. - This way we can one day coexist peacefully with apache. - - Clients specify a "Host: %s%d" http header, to be compatible - with more proxies, and so running squid on an exit node can work. - -pre2: - o Bugfixes on pre1: - - Make fetching a cached directory work for 64-bit platforms too. - - Make zlib.h a required header, not an optional header. - -pre1: - o Bugfixes: - - Stop using separate defaults for no-config-file and - empty-config-file. Now you have to explicitly turn off SocksPort, - if you don't want it open. - - Improve man page to mention more of the 0.0.8 features. - - Change our file IO stuff (especially wrt OpenSSL) so win32 is - happier. - - Fix more dns related bugs: send back resolve_failed and end cells - more reliably when the resolve fails, rather than closing the - circuit and then trying to send the cell. Also attach dummy resolve - connections to a circuit *before* calling dns_resolve(), to fix - a bug where cached answers would never be sent in RESOLVED cells. - - When we run out of disk space, or other log writing error, don't - crash. Just stop logging to that log and continue. - - We were starting to daemonize before we opened our logs, so if - there were any problems opening logs, we would complain to stderr, - which wouldn't work, and then mysteriously exit. 
- - Fix a rare bug where sometimes a verified OR would connect to us - before he'd uploaded his descriptor, which would cause us to - assign conn->nickname as though he's unverified. Now we look through - the fingerprint list to see if he's there. + - Make 'Routerfile' config option obsolete. + - Discourage people from setting their dirfetchpostperiod more often + than once per minute. - o Features: - - Clients can ask dirservers for /dir.z to get a compressed version - of the directory. Only works for servers running 0.0.9, of course. - - Make clients cache directories and use them to seed their router - lists at startup. This means clients have a datadir again. - - Configuration infrastructure support for warning on obsolete - options. - - Respond to content-encoding headers by trying to uncompress as - appropriate. - - Reply with a deflated directory when a client asks for "dir.z". - We could use allow-encodings instead, but allow-encodings isn't - specified in HTTP 1.0. + o Features (other): + - kill -USR2 now moves all logs to loglevel debug (kill -HUP to + get back to normal.) + - Accept *:706 (silc) in default exit policy. + - Implement new versioning format for post 0.1. + - Distinguish between TOR_TLS_CLOSE and TOR_TLS_ERROR, so we can + log more informatively. + - Check clock skew for verified servers, but allow unverified + servers and clients to have any clock skew. + - Make sure the hidden service descriptors are at a random offset + from each other, to hinder linkability. + - Clients now generate a TLS cert too, in preparation for having + them act more like real nodes. + - Add a pure-C tor-resolve implementation. + - Use getrlimit and friends to ensure we can reach MaxConn (currently + 1024) file descriptors. - Raise the max dns workers from 50 to 100. 
- - Discourage people from setting their dirfetchpostperiod more often - than once per minute - - Protect dirservers from overzealous descriptor uploading -- wait - 10 seconds after directory gets dirty, before regenerating. Changes in version 0.0.8.1 - 2004-10-13 |
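Review bot: the retained bullet "Discourage people from setting their dirfetchpostperiod more often than once per minute" refers to an option this same release replaces: the new "Features (config and command-line)" group says "Break DirFetchPostPeriod into: DirFetchPeriod, StatusFetchPeriod, DirPostPeriod, RendPostPeriod", and the removed rc5 entry said DirFetchPostPeriod is remapped to StatusFetchPeriod with minima and maxima imposed on all *Period options; either drop this bullet or reword it in terms of the new *Period options and their enforced minimum.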