Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 1027 |
1 files changed, 0 insertions, 1027 deletions
@@ -1,1030 +1,3 @@ -Changes in version 0.1.1.19-rc - 2006-05-03 - o Minor bugs: - - Regenerate our local descriptor if it's dirty and we try to use - it locally (e.g. if it changes during reachability detection). - - If we setconf our ORPort to 0, we continued to listen on the - old ORPort and receive connections. - - Avoid a second warning about machine/limits.h on Debian - GNU/kFreeBSD. - - Be willing to add our own routerinfo into the routerlist. - Now authorities will include themselves in their directories - and network-statuses. - - Stop trying to upload rendezvous descriptors to every - directory authority: only try the v1 authorities. - - Servers no longer complain when they think they're not - registered with the directory authorities. There were too many - false positives. - - Backport dist-rpm changes so rpms can be built without errors. - - o Features: - - Implement an option, VirtualAddrMask, to set which addresses - get handed out in response to mapaddress requests. This works - around a bug in tsocks where 127.0.0.0/8 is never socksified. - - -Changes in version 0.1.1.18-rc - 2006-04-10 - o Major fixes: - - Work harder to download live network-statuses from all the - directory authorities we know about. Improve the threshold - decision logic so we're more robust to edge cases. - - When fetching rendezvous descriptors, we were willing to ask - v2 authorities too, which would always return 404. - - o Minor fixes: - - Stop listing down or invalid nodes in the v1 directory. This will - reduce its bulk by about 1/3, and reduce load on directory mirrors. - - When deciding whether a router is Fast or Guard-worthy, consider - his advertised BandwidthRate and not just the BandwidthCapacity. - - No longer ship INSTALL and README files -- they are useless now. - - Force rpmbuild to behave and honor target_cpu. - - Avoid warnings about machine/limits.h on Debian GNU/kFreeBSD. 
- - Start to include translated versions of the tor-doc-*.html - files, along with the screenshots. Still needs more work. - - Start sending back 512 and 451 errors if mapaddress fails, - rather than not sending anything back at all. - - When we fail to bind or listen on an incoming or outgoing - socket, we should close it before failing. otherwise we just - leak it. (thanks to weasel for finding.) - - Allow "getinfo dir/status/foo" to work, as long as your DirPort - is enabled. (This is a hack, and will be fixed in 0.1.2.x.) - - Make NoPublish (even though deprecated) work again. - - Fix a minor security flaw where a versioning auth dirserver - could list a recommended version many times in a row to make - clients more convinced that it's recommended. - - Fix crash bug if there are two unregistered servers running - with the same nickname, one of them is down, and you ask for - them by nickname in your EntryNodes or ExitNodes. Also, try - to pick the one that's running rather than an arbitrary one. - - Fix an infinite loop we could hit if we go offline for too long. - - Complain when we hit WSAENOBUFS on recv() or write() too. - Perhaps this will help us hunt the bug. - - If you're not a versioning dirserver, don't put the string - "client-versions \nserver-versions \n" in your network-status. - - Lower the minimum required number of file descriptors to 1000, - so we can have some overhead for Valgrind on Linux, where the - default ulimit -n is 1024. - - o New features: - - Add tor.dizum.com as the fifth authoritative directory server. - - Add a new config option FetchUselessDescriptors, off by default, - for when you plan to run "exitlist" on your client and you want - to know about even the non-running descriptors. - - -Changes in version 0.1.1.17-rc - 2006-03-28 - o Major fixes: - - Clients and servers since 0.1.1.10-alpha have been expiring - connections whenever they are idle for 5 minutes and they *do* - have circuits on them. Oops. 
With this new version, clients will - discard their previous entry guard choices and avoid choosing - entry guards running these flawed versions. - - Fix memory leak when uncompressing concatenated zlib streams. This - was causing substantial leaks over time on Tor servers. - - The v1 directory was including servers as much as 48 hours old, - because that's how the new routerlist->routers works. Now only - include them if they're 20 hours old or less. - - o Minor fixes: - - Resume building on irix64, netbsd 2.0, etc. - - On non-gcc compilers (e.g. solaris), use "-g -O" instead of - "-Wall -g -O2". - - Stop writing the "router.desc" file, ever. Nothing uses it anymore, - and it is confusing some users. - - Mirrors stop caching the v1 directory so often. - - Make the max number of old descriptors that a cache will hold - rise with the number of directory authorities, so we can scale. - - Change our win32 uname() hack to be more forgiving about what - win32 versions it thinks it's found. - - o New features: - - Add lefkada.eecs.harvard.edu as a fourth authoritative directory - server. - - When the controller's *setconf commands fail, collect an error - message in a string and hand it back to the controller. - - Make the v2 dir's "Fast" flag based on relative capacity, just - like "Stable" is based on median uptime. Name everything in the - top 7/8 Fast, and only the top 1/2 gets to be a Guard. - - Log server fingerprint on startup, so new server operators don't - have to go hunting around their filesystem for it. - - Return a robots.txt on our dirport to discourage google indexing. - - Let the controller ask for GETINFO dir/status/foo so it can ask - directly rather than connecting to the dir port. Only works when - dirport is set for now. - - o New config options rather than constants in the code: - - SocksTimeout: How long do we let a socks connection wait - unattached before we fail it? 
- - CircuitBuildTimeout: Cull non-open circuits that were born - at least this many seconds ago. - - CircuitIdleTimeout: Cull open clean circuits that were born - at least this many seconds ago. - - -Changes in version 0.1.1.16-rc - 2006-03-18 - o Bugfixes on 0.1.1.15-rc: - - Fix assert when the controller asks to attachstream a connect-wait - or resolve-wait stream. - - Now do address rewriting when the controller asks us to attach - to a particular circuit too. This will let Blossom specify - "moria2.exit" without having to learn what moria2's IP address is. - - Make the "tor --verify-config" command-line work again, so people - can automatically check if their torrc will parse. - - Authoritative dirservers no longer require an open connection from - a server to consider him "reachable". We need this change because - when we add new auth dirservers, old servers won't know not to - hang up on them. - - Let Tor build on Sun CC again. - - Fix an off-by-one buffer size in dirserv.c that magically never - hit our three authorities but broke sjmurdoch's own tor network. - - If we as a directory mirror don't know of any v1 directory - authorities, then don't try to cache any v1 directories. - - Stop warning about unknown servers in our family when they are - given as hex digests. - - Stop complaining as quickly to the server operator that he - hasn't registered his nickname/key binding. - - Various cleanups so we can add new V2 Auth Dirservers. - - Change "AllowUnverifiedNodes" to "AllowInvalidNodes", to - reflect the updated flags in our v2 dir protocol. - - Resume allowing non-printable characters for exit streams (both - for connecting and for resolving). Now we tolerate applications - that don't follow the RFCs. But continue to block malformed names - at the socks side. - - o Bugfixes on 0.1.0.x: - - Fix assert bug in close_logs(): when we close and delete logs, - remove them all from the global "logfiles" list. 
- - Fix minor integer overflow in calculating when we expect to use up - our bandwidth allocation before hibernating. - - Fix a couple of bugs in OpenSSL detection. Also, deal better when - there are multiple SSLs installed with different versions. - - When we try to be a server and Address is not explicitly set and - our hostname resolves to a private IP address, try to use an - interface address if it has a public address. Now Windows machines - that think of themselves as localhost can work by default. - - o New features: - - Let the controller ask for GETINFO dir/server/foo so it can ask - directly rather than connecting to the dir port. - - Let the controller tell us about certain router descriptors - that it doesn't want Tor to use in circuits. Implement - SETROUTERPURPOSE and modify +POSTDESCRIPTOR to do this. - - New config option SafeSocks to reject all application connections - using unsafe socks protocols. Defaults to off. - - -Changes in version 0.1.1.15-rc - 2006-03-11 - o Bugfixes and cleanups: - - When we're printing strings from the network, don't try to print - non-printable characters. This protects us against shell escape - sequence exploits, and also against attacks to fool humans into - misreading their logs. - - Fix a bug where Tor would fail to establish any connections if you - left it off for 24 hours and then started it: we were happy with - the obsolete network statuses, but they all referred to router - descriptors that were too old to fetch, so we ended up with no - valid router descriptors. - - Fix a seg fault in the controller's "getinfo orconn-status" command - while listing status on incoming handshaking connections. Introduce - a status name "NEW" for these connections. - - If we get a linelist or linelist_s config option from the torrc - (e.g. ExitPolicy) and it has no value, warn and skip rather than - silently resetting it to its default. - - Don't abandon entry guards until they've been down or gone for - a whole month. 
- - Cleaner and quieter log messages. - - o New features: - - New controller signal NEWNYM that makes new application requests - use clean circuits. - - Add a new circuit purpose 'controller' to let the controller ask - for a circuit that Tor won't try to use. Extend the EXTENDCIRCUIT - controller command to let you specify the purpose if you're starting - a new circuit. Add a new SETCIRCUITPURPOSE controller command to - let you change a circuit's purpose after it's been created. - - Accept "private:*" in routerdesc exit policies; not generated yet - because older Tors do not understand it. - - Add BSD-style contributed startup script "rc.subr" from Peter - Thoenen. - - -Changes in version 0.1.1.14-alpha - 2006-02-20 - o Bugfixes on 0.1.1.x: - - Don't die if we ask for a stdout or stderr log (even implicitly) - and we're set to RunAsDaemon -- just warn. - - We still had a few bugs in the OR connection rotation code that - caused directory servers to slowly aggregate connections to other - fast Tor servers. This time for sure! - - Make log entries on Win32 include the name of the function again. - - We were treating a pair of exit policies if they were equal even - if one said accept and the other said reject -- causing us to - not always publish a new descriptor since we thought nothing - had changed. - - Retry pending server downloads as well as pending networkstatus - downloads when we unexpectedly get a socks request. - - We were ignoring the IS_FAST flag in the directory status, - meaning we were willing to pick trivial-bandwidth nodes for "fast" - connections. - - If the controller's SAVECONF command fails (e.g. due to file - permissions), let the controller know that it failed. - - o Features: - - If we're trying to be a Tor server and running Windows 95/98/ME - as a server, explain that we'll likely crash. - - When we're a server, a client asks for an old-style directory, - and our write bucket is empty, don't give it to him. 
This way - small servers can continue to serve the directory *sometimes*, - without getting overloaded. - - Compress exit policies even more -- look for duplicate lines - and remove them. - - Clients now honor the "guard" flag in the router status when - picking entry guards, rather than looking at is_fast or is_stable. - - Retain unrecognized lines in $DATADIR/state file, so that we can - be forward-compatible. - - Generate 18.0.0.0/8 address policy format in descs when we can; - warn when the mask is not reducible to a bit-prefix. - - Let the user set ControlListenAddress in the torrc. This can be - dangerous, but there are some cases (like a secured LAN) where it - makes sense. - - Split ReachableAddresses into ReachableDirAddresses and - ReachableORAddresses, so we can restrict Dir conns to port 80 - and OR conns to port 443. - - Now we can target arch and OS in rpm builds (contributed by - Phobos). Also make the resulting dist-rpm filename match the - target arch. - - New config options to help controllers: FetchServerDescriptors - and FetchHidServDescriptors for whether to fetch server - info and hidserv info or let the controller do it, and - PublishServerDescriptor and PublishHidServDescriptors. - - Also let the controller set the __AllDirActionsPrivate config - option if you want all directory fetches/publishes to happen via - Tor (it assumes your controller bootstraps your circuits). - - -Changes in version 0.1.1.13-alpha - 2006-02-09 - o Crashes in 0.1.1.x: - - When you tried to setconf ORPort via the controller, Tor would - crash. So people using TorCP to become a server were sad. - - Solve (I hope) the stack-smashing bug that we were seeing on fast - servers. The problem appears to be something do with OpenSSL's - random number generation, or how we call it, or something. Let me - know if the crashes continue. - - Turn crypto hardware acceleration off by default, until we find - somebody smart who can test it for us. 
(It appears to produce - seg faults in at least some cases.) - - Fix a rare assert error when we've tried all intro points for - a hidden service and we try fetching the service descriptor again: - "Assertion conn->state != AP_CONN_STATE_RENDDESC_WAIT failed" - - o Major fixes: - - Fix a major load balance bug: we were round-robining in 16 KB - chunks, and servers with bandwidthrate of 20 KB, while downloading - a 600 KB directory, would starve their other connections. Now we - try to be a bit more fair. - - Dir authorities and mirrors were never expiring the newest - descriptor for each server, causing memory and directory bloat. - - Fix memory-bloating and connection-bloating bug on servers: We - were never closing any connection that had ever had a circuit on - it, because we were checking conn->n_circuits == 0, yet we had a - bug that let it go negative. - - Make Tor work using squid as your http proxy again -- squid - returns an error if you ask for a URL that's too long, and it uses - a really generic error message. Plus, many people are behind a - transparent squid so they don't even realize it. - - On platforms that don't have getrlimit (like Windows), we were - artificially constraining ourselves to a max of 1024 - connections. Now just assume that we can handle as many as 15000 - connections. Hopefully this won't cause other problems. - - Add a new config option ExitPolicyRejectPrivate which defaults to - 1. This means all exit policies will begin with rejecting private - addresses, unless the server operator explicitly turns it off. - - o Major features: - - Clients no longer download descriptors for non-running descriptors. - - Before we add new directory authorities, we should make it - clear that only v1 authorities should receive/publish hidden - service descriptors. - - o Minor features: - - As soon as we've fetched some more directory info, immediately - try to download more server descriptors. 
This way we don't have - a 10 second pause during initial bootstrapping. - - Remove even more loud log messages that the server operator can't - do anything about. - - When we're running an obsolete or un-recommended version, make - the log message more clear about what the problem is and what - versions *are* still recommended. - - Provide a more useful warn message when our onion queue gets full: - the CPU is too slow or the exit policy is too liberal. - - Don't warn when we receive a 503 from a dirserver/cache -- this - will pave the way for them being able to refuse if they're busy. - - When we fail to bind a listener, try to provide a more useful - log message: e.g., "Is Tor already running?" - - Adjust tor-spec to parameterize cell and key lengths. Now Ian - Goldberg can prove things about our handshake protocol more - easily. - - MaxConn has been obsolete for a while now. Document the ConnLimit - config option, which is a *minimum* number of file descriptors - that must be available else Tor refuses to start. - - Apply Matt Ghali's --with-syslog-facility patch to ./configure - if you log to syslog and want something other than LOG_DAEMON. - - Make dirservers generate a separate "guard" flag to mean, - "would make a good entry guard". Make clients parse it and vote - on it. Not used by clients yet. - - Implement --with-libevent-dir option to ./configure. Also, improve - search techniques to find libevent, and use those for openssl too. - - Bump the default bandwidthrate to 3 MB, and burst to 6 MB - - Only start testing reachability once we've established a - circuit. This will make startup on dirservers less noisy. - - Don't try to upload hidden service descriptors until we have - established a circuit. - - Fix the controller's "attachstream 0" command to treat conn like - it just connected, doing address remapping, handling .exit and - .onion idioms, and so on. 
Now we're more uniform in making sure - that the controller hears about new and closing connections. - - -Changes in version 0.1.1.12-alpha - 2006-01-11 - o Bugfixes on 0.1.1.x: - - The fix to close duplicate server connections was closing all - Tor client connections if they didn't establish a circuit - quickly enough. Oops. - - Fix minor memory issue (double-free) that happened on exit. - - o Bugfixes on 0.1.0.x: - - Tor didn't warn when it failed to open a log file. - - -Changes in version 0.1.1.11-alpha - 2006-01-10 - o Crashes in 0.1.1.x: - - Include all the assert/crash fixes from 0.1.0.16. - - If you start Tor and then quit very quickly, there were some - races that tried to free things that weren't allocated yet. - - Fix a rare memory stomp if you're running hidden services. - - Fix segfault when specifying DirServer in config without nickname. - - Fix a seg fault when you finish connecting to a server but at - that moment you dump his server descriptor. - - Extendcircuit and Attachstream controller commands would - assert/crash if you don't give them enough arguments. - - Fix an assert error when we're out of space in the connection_list - and we try to post a hidden service descriptor (reported by weasel). - - If you specify a relative torrc path and you set RunAsDaemon in - your torrc, then it chdir()'s to the new directory. If you HUP, - it tries to load the new torrc location, fails, and exits. - The fix: no longer allow a relative path to torrc using -f. - - o Major features: - - Implement "entry guards": automatically choose a handful of entry - nodes and stick with them for all circuits. Only pick new guards - when the ones you have are unsuitable, and if the old guards - become suitable again, switch back. This will increase security - dramatically against certain end-point attacks. The EntryNodes - config option now provides some hints about which entry guards you - want to use most; and StrictEntryNodes means to only use those. 
- (CVE-2006-0414) - - New directory logic: download by descriptor digest, not by - fingerprint. Caches try to download all listed digests from - authorities; clients try to download "best" digests from caches. - This avoids partitioning and isolating attacks better. - - Make the "stable" router flag in network-status be the median of - the uptimes of running valid servers, and make clients pay - attention to the network-status flags. Thus the cutoff adapts - to the stability of the network as a whole, making IRC, IM, etc - connections more reliable. - - o Major fixes: - - Tor servers with dynamic IP addresses were needing to wait 18 - hours before they could start doing reachability testing using - the new IP address and ports. This is because they were using - the internal descriptor to learn what to test, yet they were only - rebuilding the descriptor once they decided they were reachable. - - Tor 0.1.1.9 and 0.1.1.10 had a serious bug that caused clients - to download certain server descriptors, throw them away, and then - fetch them again after 30 minutes. Now mirrors throw away these - server descriptors so clients can't get them. - - We were leaving duplicate connections to other ORs open for a week, - rather than closing them once we detect a duplicate. This only - really affected authdirservers, but it affected them a lot. - - Spread the authdirservers' reachability testing over the entire - testing interval, so we don't try to do 500 TLS's at once every - 20 minutes. - - o Minor fixes: - - If the network is down, and we try to connect to a conn because - we have a circuit in mind, and we timeout (30 seconds) because the - network never answers, we were expiring the circuit, but we weren't - obsoleting the connection or telling the entry_guards functions. - - Some Tor servers process billions of cells per day. These statistics - need to be uint64_t's. - - Check for integer overflows in more places, when adding elements - to smartlists. 
This could possibly prevent a buffer overflow - on malicious huge inputs. I don't see any, but I haven't looked - carefully. - - ReachableAddresses kept growing new "reject *:*" lines on every - setconf/reload. - - When you "setconf log" via the controller, it should remove all - logs. We were automatically adding back in a "log notice stdout". - - Newly bootstrapped Tor networks couldn't establish hidden service - circuits until they had nodes with high uptime. Be more tolerant. - - We were marking servers down when they could not answer every piece - of the directory request we sent them. This was far too harsh. - - Fix the torify (tsocks) config file to not use Tor for localhost - connections. - - Directory authorities now go to the proper authority when asking for - a networkstatus, even when they want a compressed one. - - Fix a harmless bug that was causing Tor servers to log - "Got an end because of misc error, but we're not an AP. Closing." - - Authorities were treating their own descriptor changes as cosmetic, - meaning the descriptor available in the network-status and the - descriptor that clients downloaded were different. - - The OS X installer was adding a symlink for tor_resolve but - the binary was called tor-resolve (reported by Thomas Hardly). - - Workaround a problem with some http proxies where they refuse GET - requests that specify "Content-Length: 0" (reported by Adrian). - - Fix wrong log message when you add a "HiddenServiceNodes" config - line without any HiddenServiceDir line (reported by Chris Thomas). - - o Minor features: - - Write the TorVersion into the state file so we have a prayer of - keeping forward and backward compatibility. - - Revive the FascistFirewall config option rather than eliminating it: - now it's a synonym for ReachableAddresses *:80,*:443. - - Clients choose directory servers from the network status lists, - not from their internal list of router descriptors. 
Now they can - go to caches directly rather than needing to go to authorities - to bootstrap. - - Directory authorities ignore router descriptors that have only - cosmetic differences: do this for 0.1.0.x servers now too. - - Add a new flag to network-status indicating whether the server - can answer v2 directory requests too. - - Authdirs now stop whining so loudly about bad descriptors that - they fetch from other dirservers. So when there's a log complaint, - it's for sure from a freshly uploaded descriptor. - - Reduce memory requirements in our structs by changing the order - of fields. - - There used to be two ways to specify your listening ports in a - server descriptor: on the "router" line and with a separate "ports" - line. Remove support for the "ports" line. - - New config option "AuthDirRejectUnlisted" for auth dirservers as - a panic button: if we get flooded with unusable servers we can - revert to only listing servers in the approved-routers file. - - Auth dir servers can now mark a fingerprint as "!reject" or - "!invalid" in the approved-routers file (as its nickname), to - refuse descriptors outright or include them but marked as invalid. - - Servers store bandwidth history across restarts/crashes. - - Add reasons to DESTROY and RELAY_TRUNCATED cells, so clients can - get a better idea of why their circuits failed. Not used yet. - - Directory mirrors now cache up to 16 unrecognized network-status - docs. Now we can add new authdirservers and they'll be cached too. - - When picking a random directory, prefer non-authorities if any - are known. - - New controller option "getinfo desc/all-recent" to fetch the - latest server descriptor for every router that Tor knows about. - - -Changes in version 0.1.1.10-alpha - 2005-12-11 - o Correctness bugfixes on 0.1.0.x: - - On Windows, build with a libevent patch from "I-M Weasel" to avoid - corrupting the heap, losing FDs, or crashing when we need to resize - the fd_sets. 
(This affects the Win32 binaries, not Tor's sources.) - - Stop doing the complex voodoo overkill checking for insecure - Diffie-Hellman keys. Just check if it's in [2,p-2] and be happy. - - When we were closing connections, there was a rare case that - stomped on memory, triggering seg faults and asserts. - - We were neglecting to unlink marked circuits from soon-to-close OR - connections, which caused some rare scribbling on freed memory. - - When we're deciding whether a stream has enough circuits around - that can handle it, count the freshly dirty ones and not the ones - that are so dirty they won't be able to handle it. - - Recover better from TCP connections to Tor servers that are - broken but don't tell you (it happens!); and rotate TLS - connections once a week. - - When we're expiring old circuits, we had a logic error that caused - us to close new rendezvous circuits rather than old ones. - - Fix a scary-looking but apparently harmless bug where circuits - would sometimes start out in state CIRCUIT_STATE_OR_WAIT at - servers, and never switch to state CIRCUIT_STATE_OPEN. - - When building with -static or on Solaris, we sometimes needed to - build with -ldl. - - Give a useful message when people run Tor as the wrong user, - rather than telling them to start chowning random directories. - - We were failing to inform the controller about new .onion streams. - - o Security bugfixes on 0.1.0.x: - - Refuse server descriptors if the fingerprint line doesn't match - the included identity key. Tor doesn't care, but other apps (and - humans) might actually be trusting the fingerprint line. - - We used to kill the circuit when we receive a relay command we - don't recognize. Now we just drop it. - - Start obeying our firewall options more rigorously: - . If we can't get to a dirserver directly, try going via Tor. - . Don't ever try to connect (as a client) to a place our - firewall options forbid. - . 
If we specify a proxy and also firewall options, obey the - firewall options even when we're using the proxy: some proxies - can only proxy to certain destinations. - - Fix a bug found by Lasse Overlier: when we were making internal - circuits (intended to be cannibalized later for rendezvous and - introduction circuits), we were picking them so that they had - useful exit nodes. There was no need for this, and it actually - aids some statistical attacks. - - Start treating internal circuits and exit circuits separately. - It's important to keep them separate because internal circuits - have their last hops picked like middle hops, rather than like - exit hops. So exiting on them will break the user's expectations. - - o Bugfixes on 0.1.1.x: - - Take out the mis-feature where we tried to detect IP address - flapping for people with DynDNS, and chose not to upload a new - server descriptor sometimes. - - Try to be compatible with OpenSSL 0.9.6 again. - - Log fix: when the controller is logging about .onion addresses, - sometimes it didn't include the ".onion" part of the address. - - Don't try to modify options->DirServers internally -- if the - user didn't specify any, just add the default ones directly to - the trusted dirserver list. This fixes a bug where people running - controllers would use SETCONF on some totally unrelated config - option, and Tor would start yelling at them about changing their - DirServer lines. - - Let the controller's redirectstream command specify a port, in - case the controller wants to change that too. - - When we requested a pile of server descriptors, we sometimes - accidentally launched a duplicate request for the first one. - - Bugfix for trackhostexits: write down the fingerprint of the - chosen exit, not its nickname, because the chosen exit might not - be verified. - - When parsing foo.exit, if foo is unknown, and we are leaving - circuits unattached, set the chosen_exit field and leave the - address empty. 
This matters because controllers got confused - otherwise. - - Directory authorities no longer try to download server - descriptors that they know they will reject. - - o Features and updates: - - Replace balanced trees with hash tables: this should make stuff - significantly faster. - - Resume using the AES counter-mode implementation that we ship, - rather than OpenSSL's. Ours is significantly faster. - - Many other CPU and memory improvements. - - Add a new config option FastFirstHopPK (on by default) so clients - do a trivial crypto handshake for their first hop, since TLS has - already taken care of confidentiality and authentication. - - Add a new config option TestSocks so people can see if their - applications are using socks4, socks4a, socks5-with-ip, or - socks5-with-hostname. This way they don't have to keep mucking - with tcpdump and wondering if something got cached somewhere. - - Warn when listening on a public address for socks. I suspect a - lot of people are setting themselves up as open socks proxies, - and they have no idea that jerks on the Internet are using them, - since they simply proxy the traffic into the Tor network. - - Add "private:*" as an alias in configuration for policies. Now - you can simplify your exit policy rather than needing to list - every single internal or nonroutable network space. - - Add a new controller event type that allows controllers to get - all server descriptors that were uploaded to a router in its role - as authoritative dirserver. - - Start shipping socks-extensions.txt, tor-doc-unix.html, - tor-doc-server.html, and stylesheet.css in the tarball. - - Stop shipping tor-doc.html in the tarball. - - -Changes in version 0.1.1.9-alpha - 2005-11-15 - o Usability improvements: - - Start calling it FooListenAddress rather than FooBindAddress, - since few of our users know what it means to bind an address - or port. - - Reduce clutter in server logs. We're going to try to make - them actually usable now. 
New config option ProtocolWarnings that - lets you hear about how _other Tors_ are breaking the protocol. Off - by default. - - Divide log messages into logging domains. Once we put some sort - of interface on this, it will let people looking at more verbose - log levels specify the topics they want to hear more about. - - Make directory servers return better http 404 error messages - instead of a generic "Servers unavailable". - - Check for even more Windows version flags when writing the platform - string in server descriptors, and note any we don't recognize. - - Clean up more of the OpenSSL memory when exiting, so we can detect - memory leaks better. - - Make directory authorities be non-versioning, non-naming by - default. Now we can add new directory servers without requiring - their operators to pay close attention. - - When logging via syslog, include the pid whenever we provide - a log entry. Suggested by Todd Fries. - - o Performance improvements: - - Directory servers now silently throw away new descriptors that - haven't changed much if the timestamps are similar. We do this to - tolerate older Tor servers that upload a new descriptor every 15 - minutes. (It seemed like a good idea at the time.) - - Inline bottleneck smartlist functions; use fast versions by default. - - Add a "Map from digest to void*" abstraction digestmap_t so we - can do less hex encoding/decoding. Use it in router_get_by_digest() - to resolve a performance bottleneck. - - Allow tor_gzip_uncompress to extract as much as possible from - truncated compressed data. Try to extract as many - descriptors as possible from truncated http responses (when - DIR_PURPOSE_FETCH_ROUTERDESC). - - Make circ->onionskin a pointer, not a static array. moria2 was using - 125000 circuit_t's after it had been up for a few weeks, which - translates to 20+ megs of wasted space. - - The private half of our EDH handshake keys are now chosen out - of 320 bits, not 1024 bits. (Suggested by Ian Goldberg.) 
- - o Security improvements: - - Start making directory caches retain old routerinfos, so soon - clients can start asking by digest of descriptor rather than by - fingerprint of server. - - Add half our entropy from RAND_poll in OpenSSL. This knows how - to use egd (if present), openbsd weirdness (if present), vms/os2 - weirdness (if we ever port there), and more in the future. - - o Bugfixes on 0.1.0.x: - - Do round-robin writes of at most 16 kB per write. This might be - more fair on loaded Tor servers, and it might resolve our Windows - crash bug. It might also slow things down. - - Our TLS handshakes were generating a single public/private - keypair for the TLS context, rather than making a new one for - each new connections. Oops. (But we were still rotating them - periodically, so it's not so bad.) - - When we were cannibalizing a circuit with a particular exit - node in mind, we weren't checking to see if that exit node was - already present earlier in the circuit. Oops. - - When a Tor server's IP changes (e.g. from a dyndns address), - upload a new descriptor so clients will learn too. - - Really busy servers were keeping enough circuits open on stable - connections that they were wrapping around the circuit_id - space. (It's only two bytes.) This exposed a bug where we would - feel free to reuse a circuit_id even if it still exists but has - been marked for close. Try to fix this bug. Some bug remains. - - If we would close a stream early (e.g. it asks for a .exit that - we know would refuse it) but the LeaveStreamsUnattached config - option is set by the controller, then don't close it. - - o Bugfixes on 0.1.1.8-alpha: - - Fix a big pile of memory leaks, some of them serious. - - Do not try to download a routerdesc if we would immediately reject - it as obsolete. - - Resume inserting a newline between all router descriptors when - generating (old style) signed directories, since our spec says - we do. 
- - When providing content-type application/octet-stream for - server descriptors using .z, we were leaving out the - content-encoding header. Oops. (Everything tolerated this just - fine, but that doesn't mean we need to be part of the problem.) - - Fix a potential seg fault in getconf and getinfo using version 1 - of the controller protocol. - - Avoid crash: do not check whether DirPort is reachable when we - are suppressing it because of hibernation. - - Make --hash-password not crash on exit. - - -Changes in version 0.1.1.8-alpha - 2005-10-07 - o New features (major): - - Clients don't download or use the directory anymore. Now they - download and use network-statuses from the trusted dirservers, - and fetch individual server descriptors as needed from mirrors. - See dir-spec.txt for all the gory details. - - Be more conservative about whether to advertise our DirPort. - The main change is to not advertise if we're running at capacity - and either a) we could hibernate or b) our capacity is low and - we're using a default DirPort. - - Use OpenSSL's AES when OpenSSL has version 0.9.7 or later. - - o New features (minor): - - Try to be smart about when to retry network-status and - server-descriptor fetches. Still needs some tuning. - - Stop parsing, storing, or using running-routers output (but - mirrors still cache and serve it). - - Consider a threshold of versioning dirservers (dirservers who have - an opinion about which Tor versions are still recommended) before - deciding whether to warn the user that he's obsolete. - - Dirservers can now reject/invalidate by key and IP, with the - config options "AuthDirInvalid" and "AuthDirReject". This is - useful since currently we automatically list servers as running - and usable even if we know they're jerks. - - Provide dire warnings to any users who set DirServer; move it out - of torrc.sample and into torrc.complete. - - Add MyFamily to torrc.sample in the server section. 
- - Add nicknames to the DirServer line, so we can refer to them - without requiring all our users to memorize their IP addresses. - - When we get an EOF or a timeout on a directory connection, note - how many bytes of serverdesc we are dropping. This will help - us determine whether it is smart to parse incomplete serverdesc - responses. - - Add a new function to "change pseudonyms" -- that is, to stop - using any currently-dirty circuits for new streams, so we don't - link new actions to old actions. Currently it's only called on - HUP (or SIGNAL RELOAD). - - On sighup, if UseHelperNodes changed to 1, use new circuits. - - Start using RAND_bytes rather than RAND_pseudo_bytes from - OpenSSL. Also, reseed our entropy every hour, not just at - startup. And entropy in 512-bit chunks, not 160-bit chunks. - - o Fixes on 0.1.1.7-alpha: - - Nobody ever implemented EVENT_ADDRMAP for control protocol - version 0, so don't let version 0 controllers ask for it. - - If you requested something with too many newlines via the - v1 controller protocol, you could crash tor. - - Fix a number of memory leaks, including some pretty serious ones. - - Re-enable DirPort testing again, so Tor servers will be willing - to advertise their DirPort if it's reachable. - - On TLS handshake, only check the other router's nickname against - its expected nickname if is_named is set. - - o Fixes forward-ported from 0.1.0.15: - - Don't crash when we don't have any spare file descriptors and we - try to spawn a dns or cpu worker. - - Make the numbers in read-history and write-history into uint64s, - so they don't overflow and publish negatives in the descriptor. - - o Fixes on 0.1.0.x: - - For the OS X package's modified privoxy config file, comment - out the "logfile" line so we don't log everything passed - through privoxy. - - We were whining about using socks4 or socks5-with-local-lookup - even when it's an IP in the "virtual" range we designed exactly - for this case. 
- - We were leaking some memory every time the client changes IPs. - - Never call free() on tor_malloc()d memory. This will help us - use dmalloc to detect memory leaks. - - Check for named servers when looking them up by nickname; - warn when we'recalling a non-named server by its nickname; - don't warn twice about the same name. - - Try to list MyFamily elements by key, not by nickname, and warn - if we've not heard of the server. - - Make windows platform detection (uname equivalent) smarter. - - It turns out sparc64 doesn't like unaligned access either. - - -Changes in version 0.1.1.7-alpha - 2005-09-14 - o Fixes on 0.1.1.6-alpha: - - Exit servers were crashing when people asked them to make a - connection to an address not in their exit policy. - - Looking up a non-existent stream for a v1 control connection would - cause a segfault. - - Fix a seg fault if we ask a dirserver for a descriptor by - fingerprint but he doesn't know about him. - - SETCONF was appending items to linelists, not clearing them. - - SETCONF SocksBindAddress killed Tor if it fails to bind. Now back - out and refuse the setconf if it would fail. - - Downgrade the dirserver log messages when whining about - unreachability. - - o New features: - - Add Peter Palfrader's check-tor script to tor/contrib/ - It lets you easily check whether a given server (referenced by - nickname) is reachable by you. - - Numerous changes to move towards client-side v2 directories. Not - enabled yet. - - o Fixes on 0.1.0.x: - - If the user gave tor an odd number of command-line arguments, - we were silently ignoring the last one. Now we complain and fail. - [This wins the oldest-bug prize -- this bug has been present since - November 2002, as released in Tor 0.0.0.] - - Do not use unaligned memory access on alpha, mips, or mipsel. - It *works*, but is very slow, so we treat them as if it doesn't. 
- - Retry directory requests if we fail to get an answer we like - from a given dirserver (we were retrying before, but only if - we fail to connect). - - When writing the RecommendedVersions line, sort them first. - - When the client asked for a rendezvous port that the hidden - service didn't want to provide, we were sending an IP address - back along with the end cell. Fortunately, it was zero. But stop - that anyway. - - Correct "your server is reachable" log entries to indicate that - it was self-testing that told us so. - - -Changes in version 0.1.1.6-alpha - 2005-09-09 - o Fixes on 0.1.1.5-alpha: - - We broke fascistfirewall in 0.1.1.5-alpha. Oops. - - Fix segfault in unit tests in 0.1.1.5-alpha. Oops. - - Fix bug with tor_memmem finding a match at the end of the string. - - Make unit tests run without segfaulting. - - Resolve some solaris x86 compile warnings. - - Handle duplicate lines in approved-routers files without warning. - - Fix bug where as soon as a server refused any requests due to his - exit policy (e.g. when we ask for localhost and he tells us that's - 127.0.0.1 and he won't do it), we decided he wasn't obeying his - exit policy and stopped using him for any exits. - - Only do openssl hardware accelerator stuff if openssl version is - at least 0.9.7. - - o New controller features/fixes: - - Add a "RESETCONF" command so you can set config options like - AllowUnverifiedNodes and LongLivedPorts to "". Also, if you give - a config option in the torrc with no value, then it clears it - entirely (rather than setting it to its default). - - Add a "GETINFO config-file" to tell us where torrc is. - - Avoid sending blank lines when GETINFO replies should be empty. - - Add a QUIT command for the controller (for using it manually). - - Fix a bug in SAVECONF that was adding default dirservers and - other redundant entries to the torrc file. - - o Start on the new directory design: - - Generate, publish, cache, serve new network-status format. 
- - Publish individual descriptors (by fingerprint, by "all", and by - "tell me yours"). - - Publish client and server recommended versions separately. - - Allow tor_gzip_uncompress() to handle multiple concatenated - compressed strings. Serve compressed groups of router - descriptors. The compression logic here could be more - memory-efficient. - - Distinguish v1 authorities (all currently trusted directories) - from v2 authorities (all trusted directories). - - Change DirServers config line to note which dirs are v1 authorities. - - Add configuration option "V1AuthoritativeDirectory 1" which - moria1, moria2, and tor26 should set. - - Remove option when getting directory cache to see whether they - support running-routers; they all do now. Replace it with one - to see whether caches support v2 stuff. - - o New features: - - Dirservers now do their own external reachability testing of each - Tor server, and only list them as running if they've been found to - be reachable. We also send back warnings to the server's logs if - it uploads a descriptor that we already believe is unreachable. - - Implement exit enclaves: if we know an IP address for the - destination, and there's a running Tor server at that address - which allows exit to the destination, then extend the circuit to - that exit first. This provides end-to-end encryption and end-to-end - authentication. Also, if the user wants a .exit address or enclave, - use 4 hops rather than 3, and cannibalize a general circ for it - if you can. - - Permit transitioning from ORPort=0 to ORPort!=0, and back, from the - controller. Also, rotate dns and cpu workers if the controller - changes options that will affect them; and initialize the dns - worker cache tree whether or not we start out as a server. - - Only upload a new server descriptor when options change, 18 - hours have passed, uptime is reset, or bandwidth changes a lot. - - Check [X-]Forwarded-For headers in HTTP requests when generating - log messages. 
This lets people run dirservers (and caches) behind - Apache but still know which IP addresses are causing warnings. - - o Config option changes: - - Replace (Fascist)Firewall* config options with a new - ReachableAddresses option that understands address policies. - For example, "ReachableAddresses *:80,*:443" - - Get rid of IgnoreVersion undocumented config option, and make us - only warn, never exit, when we're running an obsolete version. - - Make MonthlyAccountingStart config option truly obsolete now. - - o Fixes on 0.1.0.x: - - Reject ports 465 and 587 in the default exit policy, since - people have started using them for spam too. - - It turns out we couldn't bootstrap a network since we added - reachability detection in 0.1.0.1-rc. Good thing the Tor network - has never gone down. Add an AssumeReachable config option to let - servers and dirservers bootstrap. When we're trying to build a - high-uptime or high-bandwidth circuit but there aren't enough - suitable servers, try being less picky rather than simply failing. - - Our logic to decide if the OR we connected to was the right guy - was brittle and maybe open to a mitm for unverified routers. - - We weren't cannibalizing circuits correctly for - CIRCUIT_PURPOSE_C_ESTABLISH_REND and - CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, so we were being forced to - build those from scratch. This should make hidden services faster. - - Predict required circuits better, with an eye toward making hidden - services faster on the service end. - - Retry streams if the exit node sends back a 'misc' failure. This - should result in fewer random failures. Also, after failing - from resolve failed or misc, reset the num failures, so we give - it a fair shake next time we try. - - Clean up the rendezvous warn log msgs, and downgrade some to info. - - Reduce severity on logs about dns worker spawning and culling. 
- - When we're shutting down and we do something like try to post a - server descriptor or rendezvous descriptor, don't complain that - we seem to be unreachable. Of course we are, we're shutting down. - - Add TTLs to RESOLVED, CONNECTED, and END_REASON_EXITPOLICY cells. - We don't use them yet, but maybe one day our DNS resolver will be - able to discover them. - - Make ContactInfo mandatory for authoritative directory servers. - - Require server descriptors to list IPv4 addresses -- hostnames - are no longer allowed. This also fixes some potential security - problems with people providing hostnames as their address and then - preferentially resolving them to partition users. - - Change log line for unreachability to explicitly suggest /etc/hosts - as the culprit. Also make it clearer what IP address and ports we're - testing for reachability. - - Put quotes around user-supplied strings when logging so users are - more likely to realize if they add bad characters (like quotes) - to the torrc. - - Let auth dir servers start without specifying an Address config - option. - - Make unit tests (and other invocations that aren't the real Tor) - run without launching listeners, creating subdirectories, and so on. - - -Changes in version 0.1.1.5-alpha - 2005-08-08 - o Bugfixes included in 0.1.0.14. - - o Bugfixes on 0.1.0.x: - - If you write "HiddenServicePort 6667 127.0.0.1 6668" in your - torrc rather than "HiddenServicePort 6667 127.0.0.1:6668", - it would silently using ignore the 6668. - - -Changes in version 0.1.1.4-alpha - 2005-08-04 - o Bugfixes included in 0.1.0.13. - - o Features: - - Improve tor_gettimeofday() granularity on windows. - - Make clients regenerate their keys when their IP address changes. - - Implement some more GETINFO goodness: expose helper nodes, config - options, getinfo keys. - - -Changes in version 0.1.1.3-alpha - 2005-07-25 - o Bugfixes on 0.1.1.2-alpha: - - Fix a bug in handling the controller's "post descriptor" - function. 
- - Fix several bugs in handling the controller's "extend circuit" - function. - - Fix a bug in handling the controller's "stream status" event. - - Fix an assert failure if we have a controller listening for - circuit events and we go offline. - - Re-allow hidden service descriptors to publish 0 intro points. - - Fix a crash when generating your hidden service descriptor if - you don't have enough intro points already. - - o New features on 0.1.1.2-alpha: - - New controller function "getinfo accounting", to ask how - many bytes we've used in this time period. - - Experimental support for helper nodes: a lot of the risk from - a small static adversary comes because users pick new random - nodes every time they rebuild a circuit. Now users will try to - stick to the same small set of entry nodes if they can. Not - enabled by default yet. - - o Bugfixes on 0.1.0.12: - - If you're an auth dir server, always publish your dirport, - even if you haven't yet found yourself to be reachable. - - Fix a size_t underflow in smartlist_join_strings2() that made - it do bad things when you hand it an empty smartlist. - - -Changes in version 0.1.1.2-alpha - 2005-07-14 - o New directory servers: - - tor26 has changed IP address. - - o Bugfixes on 0.1.0.x, crashes/leaks: - - Port the servers-not-obeying-their-exit-policies fix from 0.1.0.11. - - Fix an fd leak in start_daemon(). - - On Windows, you can't always reopen a port right after you've - closed it. So change retry_listeners() to only close and re-open - ports that have changed. - - Fix a possible double-free in tor_gzip_uncompress(). - - o Bugfixes on 0.1.0.x, usability: - - When tor_socketpair() fails in Windows, give a reasonable - Windows-style errno back. - - Let people type "tor --install" as well as "tor -install" when they - want to make it an NT service. - - NT service patch from Matt Edman to improve error messages. 
- - When the controller asks for a config option with an abbreviated - name, give the full name in our response. - - Correct the man page entry on TrackHostExitsExpire. - - Looks like we were never delivering deflated (i.e. compressed) - running-routers lists, even when asked. Oops. - - When --disable-threads is set, do not search for or link against - pthreads libraries. - - o Bugfixes on 0.1.1.x: - - Fix a seg fault with autodetecting which controller version is - being used. - - o Features: - - New hidden service descriptor format: put a version in it, and - let people specify introduction/rendezvous points that aren't - in "the directory" (which is subjective anyway). - - Allow the DEBUG controller event to work again. Mark certain log - entries as "don't tell this to controllers", so we avoid cycles. - - -Changes in version 0.1.1.1-alpha - 2005-06-29 - o Bugfixes: - - Make OS X init script check for missing argument, so we don't - confuse users who invoke it incorrectly. - - Fix a seg fault in "tor --hash-password foo". - - Fix a possible way to DoS dirservers. - - When we complain that your exit policy implicitly allows local or - private address spaces, name them explicitly so operators can - fix it. - - Make the log message less scary when all the dirservers are - temporarily unreachable. - - We were printing the number of idle dns workers incorrectly when - culling them. - - o Features: - - Revised controller protocol (version 1) that uses ascii rather - than binary. Add supporting libraries in python and java so you - can use the controller from your applications without caring how - our protocol works. - - Spiffy new support for crypto hardware accelerators. Can somebody - test this? - - Changes in version 0.1.0.17 - 2006-02-17 o Crash bugfixes on 0.1.0.x: - When servers with a non-zero DirPort came out of hibernation, |
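Review bot: this hunk deletes the entire 0.1.1.x alpha/rc history (1027 lines removed, nothing added) without saying where those entries now live, so anyone auditing which release fixed a given issue loses the record. Several of the removed entries are exactly the ones a security reviewer needs to trace, for example "Our logic to decide if the OR we connected to was the right guy was brittle and maybe open to a mitm for unverified routers", "Require server descriptors to list IPv4 addresses -- hostnames are no longer allowed. This also fixes some potential security problems ... to partition users", and "Fix a possible way to DoS dirservers". Suggest moving these entries into an archival file in the same commit (any name, as long as it is added alongside this deletion) and leaving a one-line pointer at the top of the remaining ChangeLog so the history stays discoverable from the file people actually open.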