mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-23 20:03:31 +01:00
forward-port the 0.1.0.9 changelog
svn:r4365
parent d922fa7b10
commit 47fe49c2a0
628
ChangeLog
@ -1,319 +1,67 @@
|
|||||||
Changes in version 0.1.0.8-rc - 2005-05-23
|
Changes in version 0.1.0.9 (first stable release of 0.1.0.x)
|
||||||
o Bugfixes:
|
o Fixes on Win32:
|
||||||
- It turns out that kqueue on OS X 10.3.9 was causing kernel
|
- Make NT services work and start on startup on Win32 (based on
|
||||||
panics. Disable kqueue on all OS X Tors.
|
patch by Matt Edman). See the FAQ entry for details.
|
||||||
- Fix RPM: remove duplicate line accidentally added to the rpm
|
- Make 'platform' string in descriptor more accurate for Win32
|
||||||
spec file.
|
servers, so it's not just "unknown platform".
|
||||||
- Disable threads on openbsd too, since its gethostaddr is not
|
- REUSEADDR on normal platforms means you can rebind to the port
|
||||||
reentrant either.
|
right after somebody else has let it go. But REUSEADDR on Win32
|
||||||
- Tolerate libevent 0.8 since it still works, even though it's
|
means you can bind to the port _even when somebody else already
|
||||||
ancient.
|
has it bound_! So, don't do that on Win32.
|
||||||
- Enable building on Red Hat 9.0 again.
|
- Clean up the log messages when starting on Win32 with no config
|
||||||
- Allow the middle hop of the testing circuit to be running any
|
file.
|
||||||
version, now that most of them have the bugfix to let them connect
|
|
||||||
to unknown servers. This will allow reachability testing to work
|
|
||||||
even when 0.0.9.7-0.0.9.9 become obsolete.
|
|
||||||
- Handle relay cells with rh.length too large. This prevents
|
|
||||||
a potential attack that could read arbitrary memory (maybe even
|
|
||||||
keys) from the exit server's process.
|
|
||||||
- We screwed up the dirport reachability testing when we don't yet
|
|
||||||
have a cached version of the directory. Hopefully now fixed.
|
|
||||||
- Clean up router_load_single_router() (used by the controller),
|
|
||||||
so it doesn't seg fault on error.
|
|
||||||
- Fix a minor memory leak when somebody establishes an introduction
|
|
||||||
point at your Tor server.
|
|
||||||
- If a socks connection ends because read fails, don't warn that
|
|
||||||
you're not sending a socks reply back.
|
|
||||||
|
|
||||||
o Features:
|
o Assert / crash bugs:
|
||||||
- Add HttpProxyAuthenticator config option too, that works like
|
- Refuse relay cells that claim to have a length larger than the
|
||||||
the HttpsProxyAuthenticator config option.
|
maximum allowed. This prevents a potential attack that could read
|
||||||
- Encode hashed controller passwords in hex instead of base64,
|
arbitrary memory (e.g. keys) from an exit server's process.
|
||||||
to make it easier to write controllers.
|
|
||||||
|
|
||||||
|
|
||||||
Changes in version 0.1.0.7-rc - 2005-05-17
|
|
||||||
o Bugfixes:
|
|
||||||
- Fix a bug in the OS X package installer that prevented it from
|
|
||||||
installing on Tiger.
|
|
||||||
- Fix a script bug in the OS X package installer that made it
|
|
||||||
complain during installation.
|
|
||||||
- Find libevent even if it's hiding in /usr/local/ and your
|
|
||||||
CFLAGS and LDFLAGS don't tell you to look there.
|
|
||||||
- Be able to link with libevent as a shared library (the default
|
|
||||||
after 1.0d), even if it's hiding in /usr/local/lib and even
|
|
||||||
if you haven't added /usr/local/lib to your /etc/ld.so.conf,
|
|
||||||
assuming you're running gcc. Otherwise fail and give a useful
|
|
||||||
error message.
|
|
||||||
- Fix a bug in the RPM packager: set home directory for _tor to
|
|
||||||
something more reasonable when first installing.
|
|
||||||
- Free a minor amount of memory that is still reachable on exit.
|
|
||||||
|
|
||||||
|
|
||||||
Changes in version 0.1.0.6-rc - 2005-05-14
|
|
||||||
o Bugfixes:
|
|
||||||
- Implement --disable-threads configure option. Disable threads on
|
|
||||||
netbsd by default, because it appears to have no reentrant resolver
|
|
||||||
functions.
|
|
||||||
- Apple's OS X 10.4.0 ships with a broken kqueue. The new libevent
|
|
||||||
release (1.1) detects and disables kqueue if it's broken.
|
|
||||||
- Append default exit policy before checking for implicit internal
|
|
||||||
addresses. Now we don't log a bunch of complaints on startup
|
|
||||||
when using the default exit policy.
|
|
||||||
- Some people were putting "Address " in their torrc, and they had
|
|
||||||
a buggy resolver that resolved " " to 0.0.0.0. Oops.
|
|
||||||
- If DataDir is ~/.tor, and that expands to /.tor, then default to
|
|
||||||
LOCALSTATEDIR/tor instead.
|
|
||||||
- Fix fragmented-message bug in TorControl.py.
|
|
||||||
- Resolve a minor bug which would prevent unreachable dirports
|
|
||||||
from getting suppressed in the published descriptor.
|
|
||||||
- When the controller gave us a new descriptor, we weren't resolving
|
|
||||||
it immediately, so Tor would think its address was 0.0.0.0 until
|
|
||||||
we fetched a new directory.
|
|
||||||
- Fix an uppercase/lowercase case error in suppressing a bogus
|
|
||||||
libevent warning on some Linuxes.
|
|
||||||
|
|
||||||
o Features:
|
|
||||||
- Begin scrubbing sensitive strings from logs by default. Turn off
|
|
||||||
the config option SafeLogging if you need to do debugging.
|
|
||||||
- Switch to a new buffer management algorithm, which tries to avoid
|
|
||||||
reallocing and copying quite as much. In first tests it looks like
|
|
||||||
it uses *more* memory on average, but less cpu.
|
|
||||||
- First cut at support for "create-fast" cells. Clients can use
|
|
||||||
these when extending to their first hop, since the TLS already
|
|
||||||
provides forward secrecy and authentication. Not enabled on
|
|
||||||
clients yet.
|
|
||||||
- When dirservers refuse a router descriptor, we now log its
|
|
||||||
contactinfo, platform, and the poster's IP address.
|
|
||||||
- Call tor_free_all instead of connections_free_all after forking, to
|
|
||||||
save memory on systems that need to fork.
|
|
||||||
- Whine at you if you're a server and you don't set your contactinfo.
|
|
||||||
- Implement --verify-config command-line option to check if your torrc
|
|
||||||
is valid without actually launching Tor.
|
|
||||||
- Rewrite address "serifos.exit" to "externalIP.serifos.exit"
|
|
||||||
rather than just rejecting it.
|
|
||||||
|
|
||||||
|
|
||||||
Changes in version 0.1.0.5-rc - 2005-04-27
|
|
||||||
o Bugfixes:
|
|
||||||
- Stop trying to print a null pointer if an OR conn fails because
|
|
||||||
we didn't like its cert.
|
|
||||||
o Features:
|
|
||||||
- Switch our internal buffers implementation to use a ring buffer,
|
|
||||||
to hopefully improve performance for fast servers a lot.
|
|
||||||
- Add HttpsProxyAuthenticator support (basic auth only), based
|
|
||||||
on patch from Adam Langley.
|
|
||||||
- Bump the default BandwidthRate from 1 MB to 2 MB, to accommodate
|
|
||||||
the fast servers that have been joining lately.
|
|
||||||
- Give hidden service accesses extra time on the first attempt,
|
|
||||||
since 60 seconds is often only barely enough. This might improve
|
|
||||||
robustness more.
|
|
||||||
- Improve performance for dirservers: stop re-parsing the whole
|
|
||||||
directory every time you regenerate it.
|
|
||||||
- Add more debugging info to help us find the weird dns netbsd
|
|
||||||
pthreads bug; cleaner debug messages to help track future issues.
|
|
||||||
|
|
||||||
|
|
||||||
Changes in version 0.1.0.4-rc - 2005-04-23
|
|
||||||
o Bugfixes:
|
|
||||||
- If unofficial Tor clients connect and send weird TLS certs, our
|
- If unofficial Tor clients connect and send weird TLS certs, our
|
||||||
Tor server triggers an assert. Stop asserting, and start handling
|
Tor server triggers an assert. Stop asserting, and start handling
|
||||||
TLS errors better in other situations too.
|
TLS errors better in other situations too.
|
||||||
- When the controller asks us to tell it about all the debug-level
|
- Fix a race condition that can trigger an assert when we have a
|
||||||
logs, it turns out we were generating debug-level logs while
|
pending create cell and an OR connection attempt fails.
|
||||||
telling it about them, which turns into a bad loop. Now keep
|
|
||||||
track of whether you're sending a debug log to the controller,
|
|
||||||
and don't log when you are.
|
|
||||||
- Fix the "postdescriptor" feature of the controller interface: on
|
|
||||||
non-complete success, only say "done" once.
|
|
||||||
o Features:
|
|
||||||
- Clients are now willing to load balance over up to 2mB, not 1mB,
|
|
||||||
of advertised bandwidth capacity.
|
|
||||||
- Add a NoPublish config option, so you can be a server (e.g. for
|
|
||||||
testing running Tor servers in other Tor networks) without
|
|
||||||
publishing your descriptor to the primary dirservers.
|
|
||||||
|
|
||||||
|
o Resource leaks:
|
||||||
Changes in version 0.1.0.3-rc - 2005-04-08
|
- Use pthreads for worker processes rather than forking. This was
|
||||||
o Improvements on 0.1.0.2-rc:
|
forced because when we forked, we ended up wasting a lot of
|
||||||
- Client now retries when streams end early for 'hibernating' or
|
duplicate ram over time.
|
||||||
'resource limit' reasons, rather than failing them.
|
- Also switch to foo_r versions of some library calls to allow
|
||||||
- More automated handling for dirserver operators:
|
reentry and threadsafeness.
|
||||||
- Automatically approve nodes running 0.1.0.2-rc or later,
|
- Implement --disable-threads configure option. Disable threads on
|
||||||
now that the the reachability detection stuff is working.
|
netbsd and openbsd by default, because they have no reentrant
|
||||||
- Now we allow two unverified servers with the same nickname
|
resolver functions (!).
|
||||||
but different keys. But if a nickname is verified, only that
|
|
||||||
nickname+key are allowed.
|
|
||||||
- If you're an authdirserver connecting to an address:port,
|
|
||||||
and it's not the OR you were expecting, forget about that
|
|
||||||
descriptor. If he *was* the one you were expecting, then forget
|
|
||||||
about all other descriptors for that address:port.
|
|
||||||
- Allow servers to publish descriptors from 12 hours in the future.
|
|
||||||
Corollary: only whine about clock skew from the dirserver if
|
|
||||||
he's a trusted dirserver (since now even verified servers could
|
|
||||||
have quite wrong clocks).
|
|
||||||
- Adjust maximum skew and age for rendezvous descriptors: let skew
|
|
||||||
be 48 hours rather than 90 minutes.
|
|
||||||
- Efficiency improvements:
|
|
||||||
- Keep a big splay tree of (circid,orconn)->circuit mappings to make
|
|
||||||
it much faster to look up a circuit for each relay cell.
|
|
||||||
- Remove most calls to assert_all_pending_dns_resolves_ok(),
|
|
||||||
since they're eating our cpu on exit nodes.
|
|
||||||
- Stop wasting time doing a case insensitive comparison for every
|
|
||||||
dns name every time we do any lookup. Canonicalize the names to
|
|
||||||
lowercase and be done with it.
|
|
||||||
- Start sending 'truncated' cells back rather than destroy cells,
|
|
||||||
if the circuit closes in front of you. This means we won't have
|
|
||||||
to abandon partially built circuits.
|
|
||||||
- Only warn once per nickname from add_nickname_list_to_smartlist
|
|
||||||
per failure, so an entrynode or exitnode choice that's down won't
|
|
||||||
yell so much.
|
|
||||||
- Put a note in the torrc about abuse potential with the default
|
|
||||||
exit policy.
|
|
||||||
- Revise control spec and implementation to allow all log messages to
|
|
||||||
be sent to controller with their severities intact (suggested by
|
|
||||||
Matt Edman). Update TorControl to handle new log event types.
|
|
||||||
- Provide better explanation messages when controller's POSTDESCRIPTOR
|
|
||||||
fails.
|
|
||||||
- Stop putting nodename in the Platform string in server descriptors.
|
|
||||||
It doesn't actually help, and it is confusing/upsetting some people.
|
|
||||||
|
|
||||||
o Bugfixes on 0.1.0.2-rc:
|
|
||||||
- We were printing the host mask wrong in exit policies in server
|
|
||||||
descriptors. This isn't a critical bug though, since we were still
|
|
||||||
obeying the exit policy internally.
|
|
||||||
- Fix Tor when compiled with libevent but without pthreads: move
|
|
||||||
connection_unregister() from _connection_free() to
|
|
||||||
connection_free().
|
|
||||||
- Fix an assert trigger (already fixed in 0.0.9.x): when we have
|
|
||||||
the rare mysterious case of accepting a conn on 0.0.0.0:0, then
|
|
||||||
when we look through the connection array, we'll find any of the
|
|
||||||
cpu/dnsworkers. This is no good.
|
|
||||||
|
|
||||||
o Bugfixes on 0.0.9.x:
|
|
||||||
- Fix possible bug on threading platforms (e.g. win32) which was
|
- Fix possible bug on threading platforms (e.g. win32) which was
|
||||||
leaking a file descriptor whenever a cpuworker or dnsworker died.
|
leaking a file descriptor whenever a cpuworker or dnsworker died.
|
||||||
- When using preferred entry or exit nodes, ignore whether the
|
- Fix a minor memory leak when somebody establishes an introduction
|
||||||
circuit wants uptime or capacity. They asked for the nodes, they
|
point at your Tor server.
|
||||||
get the nodes.
|
- Add ./configure --with-dmalloc option, to track memory leaks.
|
||||||
- chdir() to your datadirectory at the *end* of the daemonize process,
|
- And try to free all memory on closing, so we can detect what
|
||||||
not the beginning. This was a problem because the first time you
|
we're leaking.
|
||||||
run tor, if your datadir isn't there, and you have runasdaemon set
|
|
||||||
to 1, it will try to chdir to it before it tries to create it. Oops.
|
o Protocol correctness:
|
||||||
|
- When we've connected to an OR and handshaked but didn't like
|
||||||
|
the result, we were closing the conn without sending destroy
|
||||||
|
cells back for pending circuits. Now send those destroys.
|
||||||
|
- Start sending 'truncated' cells back rather than destroy cells
|
||||||
|
if the circuit closes in front of you. This means we won't have
|
||||||
|
to abandon partially built circuits.
|
||||||
- Handle changed router status correctly when dirserver reloads
|
- Handle changed router status correctly when dirserver reloads
|
||||||
fingerprint file. We used to be dropping all unverified descriptors
|
fingerprint file. We used to be dropping all unverified descriptors
|
||||||
right then. The bug was hidden because we would immediately
|
right then. The bug was hidden because we would immediately
|
||||||
fetch a directory from another dirserver, which would include the
|
fetch a directory from another dirserver, which would include the
|
||||||
descriptors we just dropped.
|
descriptors we just dropped.
|
||||||
- When we're connecting to an OR and he's got a different nickname/key
|
- Revise tor-spec to add more/better stream end reasons.
|
||||||
than we were expecting, only complain loudly if we're an OP or a
|
- Revise all calls to connection_edge_end to avoid sending 'misc',
|
||||||
dirserver. Complaining loudly to the OR admins just confuses them.
|
and to take errno into account where possible.
|
||||||
- Tie MAX_DIR_SIZE to MAX_BUF_SIZE, so now directory sizes won't get
|
- Client now retries when streams end early for 'hibernating' or
|
||||||
artificially capped at 500kB.
|
'resource limit' reasons, rather than failing them.
|
||||||
|
- Try to be more zealous about calling connection_edge_end when
|
||||||
|
things go bad with edge conns in connection.c.
|
||||||
|
|
||||||
|
o Robustness improvements:
|
||||||
Changes in version 0.1.0.2-rc - 2005-04-01
|
|
||||||
o Bugfixes on 0.1.0.1-rc:
|
|
||||||
- Fixes on reachability detection:
|
|
||||||
- Don't check for reachability while hibernating.
|
|
||||||
- If ORPort is reachable but DirPort isn't, still publish the
|
|
||||||
descriptor, but zero out DirPort until it's found reachable.
|
|
||||||
- When building testing circs for ORPort testing, use only
|
|
||||||
high-bandwidth nodes, so fewer circuits fail.
|
|
||||||
- Complain about unreachable ORPort separately from unreachable
|
|
||||||
DirPort, so the user knows what's going on.
|
|
||||||
- Make sure we only conclude ORPort reachability if we didn't
|
|
||||||
initiate the conn. Otherwise we could falsely conclude that
|
|
||||||
we're reachable just because we connected to the guy earlier
|
|
||||||
and he used that same pipe to extend to us.
|
|
||||||
- Authdirservers shouldn't do ORPort reachability detection,
|
|
||||||
since they're in clique mode, so it will be rare to find a
|
|
||||||
server not already connected to them.
|
|
||||||
- When building testing circuits, always pick middle hops running
|
|
||||||
Tor 0.0.9.7, so we avoid the "can't extend to unknown routers"
|
|
||||||
bug. (This is a kludge; it will go away when 0.0.9.x becomes
|
|
||||||
obsolete.)
|
|
||||||
- When we decide we're reachable, actually publish our descriptor
|
|
||||||
right then.
|
|
||||||
- Fix bug in redirectstream in the controller.
|
|
||||||
- Fix the state descriptor strings so logs don't claim edge streams
|
|
||||||
are in a different state than they actually are.
|
|
||||||
- Use recent libevent features when possible (this only really affects
|
|
||||||
win32 and osx right now, because the new libevent with these
|
|
||||||
features hasn't been released yet). Add code to suppress spurious
|
|
||||||
libevent log msgs.
|
|
||||||
- Prevent possible segfault in connection_close_unattached_ap().
|
|
||||||
- Fix newlines on torrc in win32.
|
|
||||||
- Improve error msgs when tor-resolve fails.
|
|
||||||
|
|
||||||
o Improvements on 0.0.9.x:
|
|
||||||
- New experimental script tor/contrib/ExerciseServer.py (needs more
|
|
||||||
work) that uses the controller interface to build circuits and
|
|
||||||
fetch pages over them. This will help us bootstrap servers that
|
|
||||||
have lots of capacity but haven't noticed it yet.
|
|
||||||
- New experimental script tor/contrib/PathDemo.py (needs more work)
|
|
||||||
that uses the controller interface to let you choose whole paths
|
|
||||||
via addresses like
|
|
||||||
"<hostname>.<path,separated by dots>.<length of path>.path"
|
|
||||||
- When we've connected to an OR and handshaked but didn't like
|
|
||||||
the result, we were closing the conn without sending destroy
|
|
||||||
cells back for pending circuits. Now send those destroys.
|
|
||||||
|
|
||||||
|
|
||||||
Changes in version 0.1.0.1-rc - 2005-03-28
|
|
||||||
o New features:
|
|
||||||
- Add reachability testing. Your Tor server will automatically try
|
|
||||||
to see if its ORPort and DirPort are reachable from the outside,
|
|
||||||
and it won't upload its descriptor until it decides they are.
|
|
||||||
- Handle unavailable hidden services better. Handle slow or busy
|
|
||||||
hidden services better.
|
|
||||||
- Add support for CONNECTing through https proxies, with "HttpsProxy"
|
|
||||||
config option.
|
|
||||||
- New exit policy: accept most low-numbered ports, rather than
|
|
||||||
rejecting most low-numbered ports.
|
|
||||||
- More Tor controller support (still experimental). See
|
|
||||||
http://tor.eff.org/doc/control-spec.txt for all the new features,
|
|
||||||
including signals to emulate unix signals from any platform;
|
|
||||||
redirectstream; extendcircuit; mapaddress; getinfo; postdescriptor;
|
|
||||||
closestream; closecircuit; etc.
|
|
||||||
- Make nt services work and start on startup on win32 (based on
|
|
||||||
patch by Matt Edman).
|
|
||||||
- Add a new AddressMap config directive to rewrite incoming socks
|
|
||||||
addresses. This lets you, for example, declare an implicit
|
|
||||||
required exit node for certain sites.
|
|
||||||
- Add a new TrackHostExits config directive to trigger addressmaps
|
|
||||||
for certain incoming socks addresses -- for sites that break when
|
|
||||||
your exit keeps changing (based on patch from Mike Perry).
|
|
||||||
- Redo the client-side dns cache so it's just an addressmap too.
|
|
||||||
- Notice when our IP changes, and reset stats/uptime/reachability.
|
|
||||||
- When an application is using socks5, give him the whole variety of
|
|
||||||
potential socks5 responses (connect refused, host unreachable, etc),
|
|
||||||
rather than just "success" or "failure".
|
|
||||||
- A more sane version numbering system. See
|
|
||||||
http://tor.eff.org/cvs/tor/doc/version-spec.txt for details.
|
|
||||||
- New contributed script "exitlist": a simple python script to
|
|
||||||
parse directories and find Tor nodes that exit to listed
|
|
||||||
addresses/ports.
|
|
||||||
- New contributed script "privoxy-tor-toggle" to toggle whether
|
|
||||||
Privoxy uses Tor. Seems to be configured for Debian by default.
|
|
||||||
- Report HTTP reasons to client when getting a response from directory
|
|
||||||
servers -- so you can actually know what went wrong.
|
|
||||||
- New config option MaxAdvertisedBandwidth which lets you advertise
|
|
||||||
a low bandwidthrate (to not attract as many circuits) while still
|
|
||||||
allowing a higher bandwidthrate in reality.
|
|
||||||
|
|
||||||
o Robustness/stability fixes:
|
|
||||||
- Make Tor use Niels Provos's libevent instead of its current
|
|
||||||
poll-but-sometimes-select mess. This will let us use faster async
|
|
||||||
cores (like epoll, kpoll, and /dev/poll), and hopefully work better
|
|
||||||
on Windows too.
|
|
||||||
- pthread support now too. This was forced because when we forked,
|
|
||||||
we ended up wasting a lot of duplicate ram over time. Also switch
|
|
||||||
to foo_r versions of some library calls to allow reentry and
|
|
||||||
threadsafeness.
|
|
||||||
- Better handling for heterogeneous / unreliable nodes:
|
- Better handling for heterogeneous / unreliable nodes:
|
||||||
- Annotate circuits w/ whether they aim to contain high uptime nodes
|
- Annotate circuits with whether they aim to contain high uptime
|
||||||
and/or high capacity nodes. When building circuits, choose
|
nodes and/or high capacity nodes. When building circuits, choose
|
||||||
appropriate nodes.
|
appropriate nodes.
|
||||||
- This means that every single node in an intro rend circuit,
|
- This means that every single node in an intro rend circuit,
|
||||||
not just the last one, will have a minimum uptime.
|
not just the last one, will have a minimum uptime.
|
||||||
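Review bot: the new heading "Changes in version 0.1.0.9 (first stable release of 0.1.0.x)" drops the release date that every other version heading in this file carries (compare the removed "Changes in version 0.1.0.8-rc - 2005-05-23"); add the date in the same "- YYYY-MM-DD" form so readers can tell when the stable release shipped. Since this consolidated entry replaces the per-rc history, the "Assert / crash bugs" item about refusing over-length relay cells ("This prevents a potential attack that could read arbitrary memory (e.g. keys) from an exit server's process") is the one entry relay operators need to act on; consider stating which earlier versions are affected so an operator reading only this entry can tell whether an upgrade is required.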
@ -323,98 +71,240 @@ Changes in version 0.1.0.1-rc - 2005-03-28
|
|||||||
hopefully reflects stability of the server's network connectivity.
|
hopefully reflects stability of the server's network connectivity.
|
||||||
- If somebody starts his tor server in Jan 2004 and then fixes his
|
- If somebody starts his tor server in Jan 2004 and then fixes his
|
||||||
clock, don't make his published uptime be a year.
|
clock, don't make his published uptime be a year.
|
||||||
- Reset published uptime when you wake up from hibernation.
|
- Reset published uptime when we wake up from hibernation.
|
||||||
- Introduce a notion of 'internal' circs, which are chosen without
|
- Introduce a notion of 'internal' circs, which are chosen without
|
||||||
regard to the exit policy of the last hop. Intro and rendezvous
|
regard to the exit policy of the last hop. Intro and rendezvous
|
||||||
circs must be internal circs, to avoid leaking information. Resolve
|
circs must be internal circs, to avoid leaking information. Resolve
|
||||||
and connect streams can use internal circs if they want.
|
and connect streams can use internal circs if they want.
|
||||||
- New circuit pooling algorithm: make sure to have enough circs around
|
- New circuit pooling algorithm: keep track of what destination ports
|
||||||
to satisfy any predicted ports, and also make sure to have 2 internal
|
we've used recently (start out assuming we'll want to use 80), and
|
||||||
circs around if we've required internal circs lately (and with high
|
make sure to have enough circs around to satisfy these ports. Also
|
||||||
uptime if we've seen that lately too).
|
make sure to have 2 internal circs around if we've required internal
|
||||||
|
circs lately (and with high uptime if we've seen that lately too).
|
||||||
|
- Turn addr_policy_compare from a tristate to a quadstate; this should
|
||||||
|
help address our "Ah, you allow 1.2.3.4:80. You are a good choice
|
||||||
|
for google.com" problem.
|
||||||
|
- When a client asks us for a dir mirror and we don't have one,
|
||||||
|
launch an attempt to get a fresh one.
|
||||||
|
- First cut at support for "create-fast" cells. Clients can use
|
||||||
|
these when extending to their first hop, since the TLS already
|
||||||
|
provides forward secrecy and authentication. Not enabled on
|
||||||
|
clients yet.
|
||||||
|
|
||||||
|
o Reachability testing.
|
||||||
|
- Your Tor server will automatically try to see if its ORPort and
|
||||||
|
DirPort are reachable from the outside, and it won't upload its
|
||||||
|
descriptor until it decides at least ORPort is reachable (when
|
||||||
|
DirPort is not yet found reachable, publish it as zero).
|
||||||
|
- When building testing circs for ORPort testing, use only
|
||||||
|
high-bandwidth nodes, so fewer circuits fail.
|
||||||
|
- Notice when our IP changes, and reset stats/uptime/reachability.
|
||||||
|
- Authdirservers don't do ORPort reachability detection, since
|
||||||
|
they're in clique mode, so it will be rare to find a server not
|
||||||
|
already connected to them.
|
||||||
|
- Authdirservers now automatically approve nodes running 0.1.0.2-rc
|
||||||
|
or later.
|
||||||
|
|
||||||
|
o Dirserver fixes:
|
||||||
|
- Now we allow two unverified servers with the same nickname
|
||||||
|
but different keys. But if a nickname is verified, only that
|
||||||
|
nickname+key are allowed.
|
||||||
|
- If you're an authdirserver connecting to an address:port,
|
||||||
|
and it's not the OR you were expecting, forget about that
|
||||||
|
descriptor. If he *was* the one you were expecting, then forget
|
||||||
|
about all other descriptors for that address:port.
|
||||||
|
- Allow servers to publish descriptors from 12 hours in the future.
|
||||||
|
Corollary: only whine about clock skew from the dirserver if
|
||||||
|
he's a trusted dirserver (since now even verified servers could
|
||||||
|
have quite wrong clocks).
|
||||||
|
|
||||||
|
o Code efficiency improvements:
|
||||||
|
- Use libevent. Now we can use faster async cores (like epoll, kpoll,
|
||||||
|
and /dev/poll), and hopefully work better on Windows too.
|
||||||
|
- Apple's OS X 10.4.0 ships with a broken kqueue API, and using
|
||||||
|
kqueue on 10.3.9 causes kernel panics. Don't use kqueue on OS X.
|
||||||
|
- Find libevent even if it's hiding in /usr/local/ and your
|
||||||
|
CFLAGS and LDFLAGS don't tell you to look there.
|
||||||
|
- Be able to link with libevent as a shared library (the default
|
||||||
|
after 1.0d), even if it's hiding in /usr/local/lib and even
|
||||||
|
if you haven't added /usr/local/lib to your /etc/ld.so.conf,
|
||||||
|
assuming you're running gcc. Otherwise fail and give a useful
|
||||||
|
error message.
|
||||||
|
- Switch to a new buffer management algorithm, which tries to avoid
|
||||||
|
reallocing and copying quite as much. In first tests it looks like
|
||||||
|
it uses *more* memory on average, but less cpu.
|
||||||
|
- Switch our internal buffers implementation to use a ring buffer,
|
||||||
|
to hopefully improve performance for fast servers a lot.
|
||||||
|
- Improve performance for dirservers: stop re-parsing the whole
|
||||||
|
directory every time you regenerate it.
|
||||||
|
- Keep a big splay tree of (circid,orconn)->circuit mappings to make
|
||||||
|
it much faster to look up a circuit for each relay cell.
|
||||||
|
- Remove most calls to assert_all_pending_dns_resolves_ok(),
|
||||||
|
since they're eating our cpu on exit nodes.
|
||||||
|
- Stop wasting time doing a case insensitive comparison for every
|
||||||
|
dns name every time we do any lookup. Canonicalize the names to
|
||||||
|
lowercase when you first see them.
|
||||||
|
|
||||||
|
o Hidden services:
|
||||||
|
- Handle unavailable hidden services better. Handle slow or busy
|
||||||
|
hidden services better.
|
||||||
|
- Cannibalize GENERAL circs to be C_REND, C_INTRO, S_INTRO, and S_REND
|
||||||
|
circ as necessary, if there are any completed ones lying around
|
||||||
|
when we try to launch one.
|
||||||
|
- Make hidden services try to establish a rendezvous for 30 seconds
|
||||||
|
after fetching the descriptor, rather than for n (where n=3)
|
||||||
|
attempts to build a circuit.
|
||||||
|
- Adjust maximum skew and age for rendezvous descriptors: let skew
|
||||||
|
be 48 hours rather than 90 minutes.
|
||||||
|
|
||||||
|
o Controller:
|
||||||
|
- More Tor controller support. See
|
||||||
|
http://tor.eff.org/doc/control-spec.txt for all the new features,
|
||||||
|
including signals to emulate unix signals from any platform;
|
||||||
|
redirectstream; extendcircuit; mapaddress; getinfo; postdescriptor;
|
||||||
|
closestream; closecircuit; etc.
|
||||||
|
- Encode hashed controller passwords in hex instead of base64,
|
||||||
|
to make it easier to write controllers.
|
||||||
|
- Revise control spec and implementation to allow all log messages to
|
||||||
|
be sent to controller with their severities intact (suggested by
|
||||||
|
Matt Edman). Disable debug-level logs while delivering a debug-level
|
||||||
|
log to the controller, to prevent loop. Update TorControl to handle
|
||||||
|
new log event types.
|
||||||
|
|
||||||
|
o New config options/defaults:
|
||||||
|
- Begin scrubbing sensitive strings from logs by default. Turn off
|
||||||
|
the config option SafeLogging if you need to do debugging.
|
||||||
|
- New exit policy: accept most low-numbered ports, rather than
|
||||||
|
rejecting most low-numbered ports.
|
||||||
|
- Put a note in the torrc about abuse potential with the default
|
||||||
|
exit policy.
|
||||||
|
- Add support for CONNECTing through https proxies, with "HttpsProxy"
|
||||||
|
config option.
|
||||||
|
- Add HttpProxyAuthenticator and HttpsProxyAuthenticator support
|
||||||
|
based on patch from Adam Langley (basic auth only).
|
||||||
|
- Bump the default BandwidthRate from 1 MB to 2 MB, to accommodate
|
||||||
|
the fast servers that have been joining lately. (Clients are now
|
||||||
|
willing to load balance over up to 2 MB of advertised bandwidth
|
||||||
|
capacity too.)
|
||||||
|
- New config option MaxAdvertisedBandwidth which lets you advertise
|
||||||
|
a low bandwidthrate (to not attract as many circuits) while still
|
||||||
|
allowing a higher bandwidthrate in reality.
|
||||||
|
- Require BandwidthRate to be at least 20kB/s for servers.
|
||||||
|
- Add a NoPublish config option, so you can be a server (e.g. for
|
||||||
|
testing running Tor servers in other Tor networks) without
|
||||||
|
publishing your descriptor to the primary dirservers.
|
||||||
|
- Add a new AddressMap config directive to rewrite incoming socks
|
||||||
|
addresses. This lets you, for example, declare an implicit
|
||||||
|
required exit node for certain sites.
|
||||||
|
- Add a new TrackHostExits config directive to trigger addressmaps
|
||||||
|
for certain incoming socks addresses -- for sites that break when
|
||||||
|
your exit keeps changing (based on patch from Mike Perry).
|
||||||
- Split NewCircuitPeriod option into NewCircuitPeriod (30 secs),
|
- Split NewCircuitPeriod option into NewCircuitPeriod (30 secs),
|
||||||
which describes how often we retry making new circuits if current
|
which describes how often we retry making new circuits if current
|
||||||
ones are dirty, and MaxCircuitDirtiness (10 mins), which describes
|
ones are dirty, and MaxCircuitDirtiness (10 mins), which describes
|
||||||
how long we're willing to make use of an already-dirty circuit.
|
how long we're willing to make use of an already-dirty circuit.
|
||||||
- Cannibalize GENERAL circs to be C_REND, C_INTRO, S_INTRO, and S_REND
|
- Change compiled-in SHUTDOWN_WAIT_LENGTH from a fixed 30 secs to
|
||||||
circ as necessary, if there are any completed ones lying around
|
a config option "ShutdownWaitLength" (when using kill -INT on
|
||||||
when we try to launch one.
|
servers).
|
||||||
- Make hidden services try to establish a rendezvous for 30 seconds,
|
- Fix an edge case in parsing config options: if they say "--"
|
||||||
rather than for n (where n=3) attempts to build a circuit.
|
on the commandline, it's not a config option (thanks weasel).
|
||||||
- Change SHUTDOWN_WAIT_LENGTH from a fixed 30 secs to a config option
|
- New config option DirAllowPrivateAddresses for authdirservers.
|
||||||
"ShutdownWaitLength".
|
Now by default they refuse router descriptors that have non-IP or
|
||||||
- Try to be more zealous about calling connection_edge_end when
|
private-IP addresses.
|
||||||
things go bad with edge conns in connection.c.
|
- Change DirFetchPeriod/StatusFetchPeriod to have a special "Be
|
||||||
- Revise tor-spec to add more/better stream end reasons.
|
smart" default value: low for servers and high for clients.
|
||||||
- Revise all calls to connection_edge_end to avoid sending "misc",
|
- Some people were putting "Address " in their torrc, and they had
|
||||||
and to take errno into account where possible.
|
a buggy resolver that resolved " " to 0.0.0.0. Oops.
|
||||||
|
- If DataDir is ~/.tor, and that expands to /.tor, then default to
|
||||||
|
LOCALSTATEDIR/tor instead.
|
||||||
|
- Implement --verify-config command-line option to check if your torrc
|
||||||
|
is valid without actually launching Tor.
|
||||||
|
|
||||||
o Bug fixes:
|
o Logging improvements:
|
||||||
- Fix a race condition that can trigger an assert, when we have a
|
- When dirservers refuse a server descriptor, we now log its
|
||||||
pending create cell and an OR connection fails right then.
|
contactinfo, platform, and the poster's IP address.
|
||||||
|
- Only warn once per nickname from add_nickname_list_to_smartlist()
|
||||||
|
per failure, so an entrynode or exitnode choice that's down won't
|
||||||
|
yell so much.
|
||||||
|
- When we're connecting to an OR and he's got a different nickname/key
|
||||||
|
than we were expecting, only complain loudly if we're an OP or a
|
||||||
|
dirserver. Complaining loudly to the OR admins just confuses them.
|
||||||
|
- Whine at you if you're a server and you don't set your contactinfo.
|
||||||
|
- Warn when exit policy implicitly allows local addresses.
|
||||||
|
- Give a better warning when some other server advertises an
|
||||||
|
ORPort that is actually an apache running ssl.
|
||||||
|
- If we get an incredibly skewed timestamp from a dirserver mirror
|
||||||
|
that isn't a verified OR, don't warn -- it's probably him that's
|
||||||
|
wrong.
|
||||||
|
- When a dirserver causes you to give a warn, mention which dirserver
|
||||||
|
it was.
|
||||||
|
|
||||||
|
o New contrib scripts:
|
||||||
|
- New experimental script tor/contrib/exitlist: a simple python
|
||||||
|
script to parse directories and find Tor nodes that exit to listed
|
||||||
|
addresses/ports.
|
||||||
|
- New experimental script tor/contrib/ExerciseServer.py (needs more
|
||||||
|
work) that uses the controller interface to build circuits and
|
||||||
|
fetch pages over them. This will help us bootstrap servers that
|
||||||
|
have lots of capacity but haven't noticed it yet.
|
||||||
|
- New experimental script tor/contrib/PathDemo.py (needs more work)
|
||||||
|
that uses the controller interface to let you choose whole paths
|
||||||
|
via addresses like
|
||||||
|
"<hostname>.<path,separated by dots>.<length of path>.path"
|
||||||
|
- New contributed script "privoxy-tor-toggle" to toggle whether
|
||||||
|
Privoxy uses Tor. Seems to be configured for Debian by default.
|
||||||
|
|
||||||
|
o Misc bugfixes:
|
||||||
|
- chdir() to your datadirectory at the *end* of the daemonize process,
|
||||||
|
not the beginning. This was a problem because the first time you
|
||||||
|
run tor, if your datadir isn't there, and you have runasdaemon set
|
||||||
|
to 1, it will try to chdir to it before it tries to create it. Oops.
|
||||||
- Fix several double-mark-for-close bugs, e.g. where we were finding
|
- Fix several double-mark-for-close bugs, e.g. where we were finding
|
||||||
a conn for a cell even if that conn is already marked for close.
|
a conn for a cell even if that conn is already marked for close.
|
||||||
- Make sequence of log messages when starting on win32 with no config
|
- Stop most cases of hanging up on a socks connection without sending
|
||||||
file more reasonable.
|
the socks reject.
|
||||||
- When choosing an exit node for a new non-internal circ, don't take
|
- Fix a bug in the RPM package: set home directory for _tor to
|
||||||
into account whether it'll be useful for any pending x.onion
|
something more reasonable when first installing.
|
||||||
addresses -- it won't.
|
- Stop putting nodename in the Platform string in server descriptors.
|
||||||
- Turn addr_policy_compare from a tristate to a quadstate; this should
|
It doesn't actually help, and it is confusing/upsetting some people.
|
||||||
help address our "Ah, you allow 1.2.3.4:80. You are a good choice
|
- When using preferred entry or exit nodes, ignore whether the
|
||||||
for google.com" problem.
|
circuit wants uptime or capacity. They asked for the nodes, they
|
||||||
- Make "platform" string in descriptor more accurate for Win32 servers,
|
get the nodes.
|
||||||
so it's not just "unknown platform".
|
- Tie MAX_DIR_SIZE to MAX_BUF_SIZE, so now directory sizes won't get
|
||||||
- Fix an edge case in parsing config options (thanks weasel).
|
artificially capped at 500kB.
|
||||||
If they say "--" on the commandline, it's not an option.
|
- Cache local dns resolves correctly even when they're .exit
|
||||||
- Reject odd-looking addresses at the client (e.g. addresses that
|
addresses.
|
||||||
contain a colon), rather than having the server drop them because
|
- If we're hibernating and we get a SIGINT, exit immediately.
|
||||||
they're malformed.
|
|
||||||
- tor-resolve requests were ignoring .exit if there was a working circuit
|
- tor-resolve requests were ignoring .exit if there was a working circuit
|
||||||
they could use instead.
|
they could use instead.
|
||||||
- REUSEADDR on normal platforms means you can rebind to the port
|
|
||||||
right after somebody else has let it go. But REUSEADDR on win32
|
o Misc features:
|
||||||
means to let you bind to the port _even when somebody else
|
- Rewrite address "serifos.exit" to "externalIP.serifos.exit"
|
||||||
already has it bound_! So, don't do that on Win32.
|
rather than just rejecting it.
|
||||||
|
- If our clock jumps forward by 100 seconds or more, assume something
|
||||||
|
has gone wrong with our network and abandon all not-yet-used circs.
|
||||||
|
- When an application is using socks5, give him the whole variety of
|
||||||
|
potential socks5 responses (connect refused, host unreachable, etc),
|
||||||
|
rather than just "success" or "failure".
|
||||||
|
- A more sane version numbering system. See
|
||||||
|
http://tor.eff.org/cvs/tor/doc/version-spec.txt for details.
|
||||||
- Change version parsing logic: a version is "obsolete" if it is not
|
- Change version parsing logic: a version is "obsolete" if it is not
|
||||||
recommended and (1) there is a newer recommended version in the
|
recommended and (1) there is a newer recommended version in the
|
||||||
same series, or (2) there are no recommended versions in the same
|
same series, or (2) there are no recommended versions in the same
|
||||||
series, but there are some recommended versions in a newer series.
|
series, but there are some recommended versions in a newer series.
|
||||||
A version is "new" if it is newer than any recommended version in
|
A version is "new" if it is newer than any recommended version in
|
||||||
the same series.
|
the same series.
|
||||||
- Stop most cases of hanging up on a socks connection without sending
|
- Report HTTP reasons to client when getting a response from directory
|
||||||
the socks reject.
|
servers -- so you can actually know what went wrong.
|
||||||
|
- Reject odd-looking addresses at the client (e.g. addresses that
|
||||||
o Helpful fixes:
|
contain a colon), rather than having the server drop them because
|
||||||
- Require BandwidthRate to be at least 20kB/s for servers.
|
they're malformed.
|
||||||
- When a dirserver causes you to give a warn, mention which dirserver
|
|
||||||
it was.
|
|
||||||
- New config option DirAllowPrivateAddresses for authdirservers.
|
|
||||||
Now by default they refuse router descriptors that have non-IP or
|
|
||||||
private-IP addresses.
|
|
||||||
- Stop publishing socksport in the directory, since it's not
|
- Stop publishing socksport in the directory, since it's not
|
||||||
actually meant to be public. For compatibility, publish a 0 there
|
actually meant to be public. For compatibility, publish a 0 there
|
||||||
for now.
|
for now.
|
||||||
- Change DirFetchPeriod/StatusFetchPeriod to have a special "Be
|
|
||||||
smart" value, that is low for servers and high for clients.
|
|
||||||
- If our clock jumps forward by 100 seconds or more, assume something
|
|
||||||
has gone wrong with our network and abandon all not-yet-used circs.
|
|
||||||
- Warn when exit policy implicitly allows local addresses.
|
|
||||||
- If we get an incredibly skewed timestamp from a dirserver mirror
|
|
||||||
that isn't a verified OR, don't warn -- it's probably him that's
|
|
||||||
wrong.
|
|
||||||
- Since we ship our own Privoxy on OS X, tweak it so it doesn't write
|
- Since we ship our own Privoxy on OS X, tweak it so it doesn't write
|
||||||
cookies to disk and doesn't log each web request to disk. (Thanks
|
cookies to disk and doesn't log each web request to disk. (Thanks
|
||||||
to Brett Carrington for pointing this out.)
|
to Brett Carrington for pointing this out.)
|
||||||
- When a client asks us for a dir mirror and we don't have one,
|
|
||||||
launch an attempt to get a fresh one.
|
|
||||||
- If we're hibernating and we get a SIGINT, exit immediately.
|
|
||||||
- Add --with-dmalloc ./configure option, to track memory leaks.
|
|
||||||
- And try to free all memory on closing, so we can detect what
|
|
||||||
we're leaking.
|
|
||||||
- Cache local dns resolves correctly even when they're .exit
|
|
||||||
addresses.
|
|
||||||
- Give a better warning when some other server advertises an
|
|
||||||
ORPort that is actually an apache running ssl.
|
|
||||||
- Add "opt hibernating 1" to server descriptor to make it clearer
|
- Add "opt hibernating 1" to server descriptor to make it clearer
|
||||||
whether the server is hibernating.
|
whether the server is hibernating.
|
||||||
|
|
||||||
|
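Review bot: the new BandwidthRate entries use inconsistent units: "Bump the default BandwidthRate from 1 MB to 2 MB" gives a size rather than a rate, while "Require BandwidthRate to be at least 20kB/s for servers" gives a rate; since the option is a rate limit, state the default in the same per-second unit as the minimum. The "Begin scrubbing sensitive strings from logs by default" entry should also say which classes of strings SafeLogging scrubs, so operators can judge what their logs still reveal before deciding to turn it off for debugging. Finally, the entry 'Some people were putting "Address " in their torrc, and they had a buggy resolver that resolved " " to 0.0.0.0. Oops.' describes only the symptom; say what Tor now does with such a value so readers know what changed.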