From a6df62b053955249106ec89655a8e336c9d26210 Mon Sep 17 00:00:00 2001
From: Roger Dingledine
Date: Fri, 26 Jan 2007 06:34:48 +0000
Subject: [PATCH] break out 0.1.1 changelog entries

svn:r9418
---
 ChangeLog | 1524 +++++++++++++++++++++++++++++++++++------------------
 1 file changed, 1018 insertions(+), 506 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 4356a457d2..a88213ab43 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -871,418 +871,270 @@ Changes in version 0.1.1.21 - 2006-06-10 Changes in version 0.1.1.20 - 2006-05-23 - o Crash and assert fixes from 0.1.0.17: - - Fix assert bug in close_logs() on exit: when we close and delete - logs, remove them all from the global "logfiles" list. - - Fix an assert error when we're out of space in the connection_list - and we try to post a hidden service descriptor (reported by Peter - Palfrader). - - Fix a rare assert error when we've tried all intro points for - a hidden service and we try fetching the service descriptor again: - "Assertion conn->state != AP_CONN_STATE_RENDDESC_WAIT failed". - - Setconf SocksListenAddress kills Tor if it fails to bind. Now back - out and refuse the setconf if it would fail. - - If you specify a relative torrc path and you set RunAsDaemon in - your torrc, then it chdir()'s to the new directory. If you then - HUP, it tries to load the new torrc location, fails, and exits. - The fix: no longer allow a relative path to torrc when using -f. - - Check for integer overflows in more places, when adding elements - to smartlists. This could possibly prevent a buffer overflow - on malicious huge inputs. + o Bugfixes: + - Downgrade a log severity where servers complain that they're + invalid. + - Avoid a compile warning on FreeBSD. + - Remove string size limit on NEWDESC messages; solve bug 291. + - Correct the RunAsDaemon entry in the man page; ignore RunAsDaemon + more thoroughly when we're running on windows. - o Security fixes, major: - - When we're printing strings from the network, don't try to print - non-printable characters. Now we're safer against shell escape - sequence exploits, and also against attacks to fool users into - misreading their logs. - - Implement entry guards: automatically choose a handful of entry - nodes and stick with them for all circuits. Only pick new guards - when the ones you have are unsuitable, and if the old guards - become suitable again, switch back. 
This will increase security - dramatically against certain end-point attacks. The EntryNodes - config option now provides some hints about which entry guards you - want to use most; and StrictEntryNodes means to only use those. - Fixes CVE-2006-0414. - - Implement exit enclaves: if we know an IP address for the - destination, and there's a running Tor server at that address - which allows exit to the destination, then extend the circuit to - that exit first. This provides end-to-end encryption and end-to-end - authentication. Also, if the user wants a .exit address or enclave, - use 4 hops rather than 3, and cannibalize a general circ for it - if you can. - - Obey our firewall options more faithfully: - . If we can't get to a dirserver directly, try going via Tor. - . Don't ever try to connect (as a client) to a place our - firewall options forbid. - . If we specify a proxy and also firewall options, obey the - firewall options even when we're using the proxy: some proxies - can only proxy to certain destinations. - - Make clients regenerate their keys when their IP address changes. - - For the OS X package's modified privoxy config file, comment - out the "logfile" line so we don't log everything passed - through privoxy. - - Our TLS handshakes were generating a single public/private - keypair for the TLS context, rather than making a new one for - each new connection. Oops. (But we were still rotating them - periodically, so it's not so bad.) - - When we were cannibalizing a circuit with a particular exit - node in mind, we weren't checking to see if that exit node was - already present earlier in the circuit. Now we are. - - Require server descriptors to list IPv4 addresses -- hostnames - are no longer allowed. This also fixes potential vulnerabilities - to servers providing hostnames as their address and then - preferentially resolving them so they can partition users. 
- - Our logic to decide if the OR we connected to was the right guy - was brittle and maybe open to a mitm for invalid routers. - o Security fixes, minor: - - Adjust tor-spec.txt to parameterize cell and key lengths. Now - Ian Goldberg can prove things about our handshake protocol more - easily. - - Make directory authorities generate a separate "guard" flag to - mean "would make a good entry guard". Clients now honor the - is_guard flag rather than looking at is_fast or is_stable. - - Try to list MyFamily elements by key, not by nickname, and warn - if we've not heard of a server. - - Start using RAND_bytes rather than RAND_pseudo_bytes from - OpenSSL. Also, reseed our entropy every hour, not just at - startup. And add entropy in 512-bit chunks, not 160-bit chunks. - - Refuse server descriptors where the fingerprint line doesn't match - the included identity key. Tor doesn't care, but other apps (and - humans) might actually be trusting the fingerprint line. - - We used to kill the circuit when we receive a relay command we - don't recognize. Now we just drop that cell. - - Fix a bug found by Lasse Overlier: when we were making internal - circuits (intended to be cannibalized later for rendezvous and - introduction circuits), we were picking them so that they had - useful exit nodes. There was no need for this, and it actually - aids some statistical attacks. - - Start treating internal circuits and exit circuits separately. - It's important to keep them separate because internal circuits - have their last hops picked like middle hops, rather than like - exit hops. So exiting on them will break the user's expectations. - - Fix a possible way to DoS dirservers. - - When the client asked for a rendezvous port that the hidden - service didn't want to provide, we were sending an IP address - back along with the end cell. Fortunately, it was zero. But stop - that anyway. - - o Packaging improvements: - - Implement --with-libevent-dir option to ./configure. 
Improve - search techniques to find libevent, and use those for openssl too. - - Fix a couple of bugs in OpenSSL detection. Deal better when - there are multiple SSLs installed with different versions. - - Avoid warnings about machine/limits.h on Debian GNU/kFreeBSD. - - On non-gcc compilers (e.g. Solaris's cc), use "-g -O" instead of - "-Wall -g -O2". - - Make unit tests (and other invocations that aren't the real Tor) - run without launching listeners, creating subdirectories, and so on. - - The OS X installer was adding a symlink for tor_resolve but - the binary was called tor-resolve (reported by Thomas Hardly). - - Now we can target arch and OS in rpm builds (contributed by - Phobos). Also make the resulting dist-rpm filename match the - target arch. - - Apply Matt Ghali's --with-syslog-facility patch to ./configure - if you log to syslog and want something other than LOG_DAEMON. - - Fix the torify (tsocks) config file to not use Tor for localhost - connections. - - Start shipping socks-extensions.txt, tor-doc-unix.html, - tor-doc-server.html, and stylesheet.css in the tarball. - - Stop shipping tor-doc.html, INSTALL, and README in the tarball. - They are useless now. - - Add Peter Palfrader's contributed check-tor script. It lets you - easily check whether a given server (referenced by nickname) - is reachable by you. - - Add BSD-style contributed startup script "rc.subr" from Peter - Thoenen. - - o Directory improvements -- new directory protocol: - - See tor/doc/dir-spec.txt for all the juicy details. Key points: - - Authorities and caches publish individual descriptors (by - digest, by fingerprint, by "all", and by "tell me yours"). - - Clients don't download or use the old directory anymore. Now they - download network-statuses from the directory authorities, and - fetch individual server descriptors as needed from mirrors. - - Clients don't download descriptors of non-running servers. - - Download descriptors by digest, not by fingerprint. 
Caches try to - download all listed digests from authorities; clients try to - download "best" digests from caches. This avoids partitioning - and isolating attacks better. - - Only upload a new server descriptor when options change, 18 - hours have passed, uptime is reset, or bandwidth changes a lot. - - Directory authorities silently throw away new descriptors that - haven't changed much if the timestamps are similar. We do this to - tolerate older Tor servers that upload a new descriptor every 15 - minutes. (It seemed like a good idea at the time.) - - Clients choose directory servers from the network status lists, - not from their internal list of router descriptors. Now they can - go to caches directly rather than needing to go to authorities - to bootstrap the first set of descriptors. - - When picking a random directory, prefer non-authorities if any - are known. - - Add a new flag to network-status indicating whether the server - can answer v2 directory requests too. - - Directory mirrors now cache up to 16 unrecognized network-status - docs, so new directory authorities will be cached too. - - Stop parsing, storing, or using running-routers output (but - mirrors still cache and serve it). - - Clients consider a threshold of "versioning" directory authorities - before deciding whether to warn the user that he's obsolete. - - Authorities publish separate sorted lists of recommended versions - for clients and for servers. - - Change DirServers config line to note which dirs are v1 authorities. - - Put nicknames on the DirServer line, so we can refer to them - without requiring all our users to memorize their IP addresses. - - Remove option when getting directory cache to see whether they - support running-routers; they all do now. Replace it with one - to see whether caches support v2 stuff. - - Stop listing down or invalid nodes in the v1 directory. This - reduces its bulk by about 1/3, and reduces load on mirrors. 
- - Mirrors no longer cache the v1 directory as often. - - If we as a directory mirror don't know of any v1 directory - authorities, then don't try to cache any v1 directories. - - o Other directory improvements: - - Add lefkada.eecs.harvard.edu and tor.dizum.com as fourth and - fifth authoritative directory servers. - - Directory authorities no longer require an open connection from - a server to consider him "reachable". We need this change because - when we add new directory authorities, old servers won't know not - to hang up on them. - - Dir authorities now do their own external reachability testing - of each server, and only list as running the ones they found to - be reachable. We also send back warnings to the server's logs if - it uploads a descriptor that we already believe is unreachable. - - Spread the directory authorities' reachability testing over the - entire testing interval, so we don't try to do 500 TLS's at once - every 20 minutes. - - Make the "stable" router flag in network-status be the median of - the uptimes of running valid servers, and make clients pay - attention to the network-status flags. Thus the cutoff adapts - to the stability of the network as a whole, making IRC, IM, etc - connections more reliable. - - Make the v2 dir's "Fast" flag based on relative capacity, just - like "Stable" is based on median uptime. Name everything in the - top 7/8 Fast, and only the top 1/2 gets to be a Guard. - - Retry directory requests if we fail to get an answer we like - from a given dirserver (we were retrying before, but only if - we fail to connect). - - Return a robots.txt on our dirport to discourage google indexing. - - o Controller protocol improvements: - - Revised controller protocol (version 1) that uses ascii rather - than binary: tor/doc/control-spec.txt. Add supporting libraries - in python and java and c# so you can use the controller from your - applications without caring how our protocol works. 
- - Allow the DEBUG controller event to work again. Mark certain log - entries as "don't tell this to controllers", so we avoid cycles. - - New controller function "getinfo accounting", to ask how - many bytes we've used in this time period. - - Add a "resetconf" command so you can set config options like - AllowUnverifiedNodes and LongLivedPorts to "". Also, if you give - a config option in the torrc with no value, then it clears it - entirely (rather than setting it to its default). - - Add a "getinfo config-file" to tell us where torrc is. Also - expose guard nodes, config options/names. - - Add a "quit" command (when when using the controller manually). - - Add a new signal "newnym" to "change pseudonyms" -- that is, to - stop using any currently-dirty circuits for new streams, so we - don't link new actions to old actions. This also occurs on HUP - or "signal reload". - - If we would close a stream early (e.g. it asks for a .exit that - we know would refuse it) but the LeaveStreamsUnattached config - option is set by the controller, then don't close it. - - Add a new controller event type "authdir_newdescs" that allows - controllers to get all server descriptors that were uploaded to - a router in its role as directory authority. - - New controller option "getinfo desc/all-recent" to fetch the - latest server descriptor for every router that Tor knows about. - - Fix the controller's "attachstream 0" command to treat conn like - it just connected, doing address remapping, handling .exit and - .onion idioms, and so on. Now we're more uniform in making sure - that the controller hears about new and closing connections. - - Permit transitioning from ORPort==0 to ORPort!=0, and back, from - the controller. Also, rotate dns and cpu workers if the controller - changes options that will affect them; and initialize the dns - worker cache tree whether or not we start out as a server. 
- - Add a new circuit purpose 'controller' to let the controller ask - for a circuit that Tor won't try to use. Extend the "extendcircuit" - controller command to let you specify the purpose if you're starting - a new circuit. Add a new "setcircuitpurpose" controller command to - let you change a circuit's purpose after it's been created. - - Let the controller ask for "getinfo dir/server/foo" so it can ask - directly rather than connecting to the dir port. "getinfo - dir/status/foo" also works, but currently only if your DirPort - is enabled. - - Let the controller tell us about certain router descriptors - that it doesn't want Tor to use in circuits. Implement - "setrouterpurpose" and modify "+postdescriptor" to do this. - - If the controller's *setconf commands fail, collect an error - message in a string and hand it back to the controller -- don't - just tell them to go read their logs. - - o Scalability, resource management, and performance: - - Fix a major load balance bug: we were round-robin reading in 16 KB - chunks, and servers with bandwidthrate of 20 KB, while downloading - a 600 KB directory, would starve their other connections. Now we - try to be a bit more fair. - - Be more conservative about whether to advertise our DirPort. - The main change is to not advertise if we're running at capacity - and either a) we could hibernate ever or b) our capacity is low - and we're using a default DirPort. - - We weren't cannibalizing circuits correctly for - CIRCUIT_PURPOSE_C_ESTABLISH_REND and - CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, so we were being forced to - build those from scratch. This should make hidden services faster. - - Predict required circuits better, with an eye toward making hidden - services faster on the service end. - - Compress exit policies even more: look for duplicate lines and - remove them. - - Generate 18.0.0.0/8 address policy format in descs when we can; - warn when the mask is not reducible to a bit-prefix. 
- - There used to be two ways to specify your listening ports in a - server descriptor: on the "router" line and with a separate "ports" - line. Remove support for the "ports" line. - - Reduce memory requirements in our structs by changing the order - of fields. Replace balanced trees with hash tables. Inline - bottleneck smartlist functions. Add a "Map from digest to void*" - abstraction so we can do less hex encoding/decoding, and use it - in router_get_by_digest(). Many other CPU and memory improvements. - - Allow tor_gzip_uncompress to extract as much as possible from - truncated compressed data. Try to extract as many - descriptors as possible from truncated http responses (when - purpose is DIR_PURPOSE_FETCH_ROUTERDESC). - - Make circ->onionskin a pointer, not a static array. moria2 was using - 125000 circuit_t's after it had been up for a few weeks, which - translates to 20+ megs of wasted space. - - The private half of our EDH handshake keys are now chosen out - of 320 bits, not 1024 bits. (Suggested by Ian Goldberg.) - - Stop doing the complex voodoo overkill checking for insecure - Diffie-Hellman keys. Just check if it's in [2,p-2] and be happy. - - Do round-robin writes for TLS of at most 16 kB per write. This - might be more fair on loaded Tor servers. - - Do not use unaligned memory access on alpha, mips, or mipsel. - It *works*, but is very slow, so we treat them as if it doesn't. - - o Other bugfixes and improvements: - - Start storing useful information to $DATADIR/state, so we can - remember things across invocations of Tor. Retain unrecognized - lines so we can be forward-compatible, and write a TorVersion line - so we can be backward-compatible. - - If ORPort is set, Address is not explicitly set, and our hostname - resolves to a private IP address, try to use an interface address - if it has a public address. Now Windows machines that think of - themselves as localhost can guess their address. 
+Changes in version 0.1.1.19-rc - 2006-05-03 + o Minor bugs: - Regenerate our local descriptor if it's dirty and we try to use it locally (e.g. if it changes during reachability detection). - This was causing some Tor servers to keep publishing the same - initial descriptor forever. - - Tor servers with dynamic IP addresses were needing to wait 18 - hours before they could start doing reachability testing using - the new IP address and ports. This is because they were using - the internal descriptor to learn what to test, yet they were only - rebuilding the descriptor once they decided they were reachable. - - It turns out we couldn't bootstrap a network since we added - reachability detection in 0.1.0.1-rc. Good thing the Tor network - has never gone down. Add an AssumeReachable config option to let - servers and authorities bootstrap. When we're trying to build a - high-uptime or high-bandwidth circuit but there aren't enough - suitable servers, try being less picky rather than simply failing. - - Newly bootstrapped Tor networks couldn't establish hidden service - circuits until they had nodes with high uptime. Be more tolerant. - - Really busy servers were keeping enough circuits open on stable - connections that they were wrapping around the circuit_id - space. (It's only two bytes.) This exposed a bug where we would - feel free to reuse a circuit_id even if it still exists but has - been marked for close. Try to fix this bug. Some bug remains. + - If we setconf our ORPort to 0, we continued to listen on the + old ORPort and receive connections. + - Avoid a second warning about machine/limits.h on Debian + GNU/kFreeBSD. + - Be willing to add our own routerinfo into the routerlist. + Now authorities will include themselves in their directories + and network-statuses. + - Stop trying to upload rendezvous descriptors to every + directory authority: only try the v1 authorities. 
+ - Servers no longer complain when they think they're not + registered with the directory authorities. There were too many + false positives. + - Backport dist-rpm changes so rpms can be built without errors. + + o Features: + - Implement an option, VirtualAddrMask, to set which addresses + get handed out in response to mapaddress requests. This works + around a bug in tsocks where 127.0.0.0/8 is never socksified. + + +Changes in version 0.1.1.18-rc - 2006-04-10 + o Major fixes: + - Work harder to download live network-statuses from all the + directory authorities we know about. Improve the threshold + decision logic so we're more robust to edge cases. + - When fetching rendezvous descriptors, we were willing to ask + v2 authorities too, which would always return 404. + + o Minor fixes: + - Stop listing down or invalid nodes in the v1 directory. This will + reduce its bulk by about 1/3, and reduce load on directory + mirrors. + - When deciding whether a router is Fast or Guard-worthy, consider + his advertised BandwidthRate and not just the BandwidthCapacity. + - No longer ship INSTALL and README files -- they are useless now. + - Force rpmbuild to behave and honor target_cpu. + - Avoid warnings about machine/limits.h on Debian GNU/kFreeBSD. + - Start to include translated versions of the tor-doc-*.html + files, along with the screenshots. Still needs more work. + - Start sending back 512 and 451 errors if mapaddress fails, + rather than not sending anything back at all. - When we fail to bind or listen on an incoming or outgoing - socket, we now close it before refusing, rather than just - leaking it. (Thanks to Peter Palfrader for finding.) - - Fix a file descriptor leak in start_daemon(). - - On Windows, you can't always reopen a port right after you've - closed it. So change retry_listeners() to only close and re-open - ports that have changed. - - Workaround a problem with some http proxies that refuse GET - requests that specify "Content-Length: 0". 
Reported by Adrian. - - Recover better from TCP connections to Tor servers that are - broken but don't tell you (it happens!); and rotate TLS - connections once a week. - - Fix a scary-looking but apparently harmless bug where circuits - would sometimes start out in state CIRCUIT_STATE_OR_WAIT at - servers, and never switch to state CIRCUIT_STATE_OPEN. - - Check for even more Windows version flags when writing the platform - string in server descriptors, and note any we don't recognize. - - Add reasons to DESTROY and RELAY_TRUNCATED cells, so clients can - get a better idea of why their circuits failed. Not used yet. - - Add TTLs to RESOLVED, CONNECTED, and END_REASON_EXITPOLICY cells. - We don't use them yet, but maybe one day our DNS resolver will be - able to discover them. - - Let people type "tor --install" as well as "tor -install" when they - want to make it an NT service. - - Looks like we were never delivering deflated (i.e. compressed) - running-routers lists, even when asked. Oops. - - We were leaking some memory every time the client changed IPs. - - Clean up more of the OpenSSL memory when exiting, so we can detect - memory leaks better. - - Never call free() on tor_malloc()d memory. This will help us - use dmalloc to detect memory leaks. - - Some Tor servers process billions of cells per day. These - statistics are now uint64_t's. - - Check [X-]Forwarded-For headers in HTTP requests when generating - log messages. This lets people run dirservers (and caches) behind - Apache but still know which IP addresses are causing warnings. - - Fix minor integer overflow in calculating when we expect to use up - our bandwidth allocation before hibernating. + socket, we should close it before failing. otherwise we just + leak it. (thanks to weasel for finding.) + - Allow "getinfo dir/status/foo" to work, as long as your DirPort + is enabled. (This is a hack, and will be fixed in 0.1.2.x.) + - Make NoPublish (even though deprecated) work again. 
+ - Fix a minor security flaw where a versioning auth dirserver + could list a recommended version many times in a row to make + clients more convinced that it's recommended. + - Fix crash bug if there are two unregistered servers running + with the same nickname, one of them is down, and you ask for + them by nickname in your EntryNodes or ExitNodes. Also, try + to pick the one that's running rather than an arbitrary one. + - Fix an infinite loop we could hit if we go offline for too long. + - Complain when we hit WSAENOBUFS on recv() or write() too. + Perhaps this will help us hunt the bug. + - If you're not a versioning dirserver, don't put the string + "client-versions \nserver-versions \n" in your network-status. - Lower the minimum required number of file descriptors to 1000, so we can have some overhead for Valgrind on Linux, where the default ulimit -n is 1024. - - Stop writing the "router.desc" file, ever. Nothing uses it anymore, - and its existence is confusing some users. - o Config option fixes: - - Add a new config option ExitPolicyRejectPrivate which defaults - to on. Now all exit policies will begin with rejecting private - addresses, unless the server operator explicitly turns it off. - - Bump the default bandwidthrate to 3 MB, and burst to 6 MB. - - Add new ReachableORAddresses and ReachableDirAddresses options - that understand address policies. FascistFirewall is now a synonym - for "ReachableORAddresses *:443", "ReachableDirAddresses *:80". - - Start calling it FooListenAddress rather than FooBindAddress, - since few of our users know what it means to bind an address - or port. - - If the user gave Tor an odd number of command-line arguments, - we were silently ignoring the last one. Now we complain and fail. - This wins the oldest-bug prize -- this bug has been present since - November 2002, as released in Tor 0.0.0. 
- - If you write "HiddenServicePort 6667 127.0.0.1 6668" in your - torrc rather than "HiddenServicePort 6667 127.0.0.1:6668", - it would silently ignore the 6668. - - If we get a linelist or linelist_s config option from the torrc, - e.g. ExitPolicy, and it has no value, warn and skip rather than - silently resetting it to its default. - - Setconf was appending items to linelists, not clearing them. - - Add MyFamily to torrc.sample in the server section, so operators - will be more likely to learn that it exists. - - Make ContactInfo mandatory for authoritative directory servers. - - MaxConn has been obsolete for a while now. Document the ConnLimit - config option, which is a *minimum* number of file descriptors - that must be available else Tor refuses to start. - - Get rid of IgnoreVersion undocumented config option, and make us - only warn, never exit, when we're running an obsolete version. - - Make MonthlyAccountingStart config option truly obsolete now. - - Correct the man page entry on TrackHostExitsExpire. - - Let directory authorities start even if they don't specify an - Address config option. + o New features: + - Add tor.dizum.com as the fifth authoritative directory server. + - Add a new config option FetchUselessDescriptors, off by default, + for when you plan to run "exitlist" on your client and you want + to know about even the non-running descriptors. + + +Changes in version 0.1.1.17-rc - 2006-03-28 + o Major fixes: + - Clients and servers since 0.1.1.10-alpha have been expiring + connections whenever they are idle for 5 minutes and they *do* + have circuits on them. Oops. With this new version, clients will + discard their previous entry guard choices and avoid choosing + entry guards running these flawed versions. + - Fix memory leak when uncompressing concatenated zlib streams. This + was causing substantial leaks over time on Tor servers. 
+ - The v1 directory was including servers as much as 48 hours old, + because that's how the new routerlist->routers works. Now only + include them if they're 20 hours old or less. + + o Minor fixes: + - Resume building on irix64, netbsd 2.0, etc. + - On non-gcc compilers (e.g. solaris), use "-g -O" instead of + "-Wall -g -O2". + - Stop writing the "router.desc" file, ever. Nothing uses it anymore, + and it is confusing some users. + - Mirrors stop caching the v1 directory so often. + - Make the max number of old descriptors that a cache will hold + rise with the number of directory authorities, so we can scale. + - Change our win32 uname() hack to be more forgiving about what + win32 versions it thinks it's found. + + o New features: + - Add lefkada.eecs.harvard.edu as a fourth authoritative directory + server. + - When the controller's *setconf commands fail, collect an error + message in a string and hand it back to the controller. + - Make the v2 dir's "Fast" flag based on relative capacity, just + like "Stable" is based on median uptime. Name everything in the + top 7/8 Fast, and only the top 1/2 gets to be a Guard. + - Log server fingerprint on startup, so new server operators don't + have to go hunting around their filesystem for it. + - Return a robots.txt on our dirport to discourage google indexing. + - Let the controller ask for GETINFO dir/status/foo so it can ask + directly rather than connecting to the dir port. Only works when + dirport is set for now. + + o New config options rather than constants in the code: + - SocksTimeout: How long do we let a socks connection wait + unattached before we fail it? + - CircuitBuildTimeout: Cull non-open circuits that were born + at least this many seconds ago. + - CircuitIdleTimeout: Cull open clean circuits that were born + at least this many seconds ago. 
+ + +Changes in version 0.1.1.16-rc - 2006-03-18 + o Bugfixes on 0.1.1.15-rc: + - Fix assert when the controller asks to attachstream a connect-wait + or resolve-wait stream. + - Now do address rewriting when the controller asks us to attach + to a particular circuit too. This will let Blossom specify + "moria2.exit" without having to learn what moria2's IP address is. + - Make the "tor --verify-config" command-line work again, so people + can automatically check if their torrc will parse. + - Authoritative dirservers no longer require an open connection from + a server to consider him "reachable". We need this change because + when we add new auth dirservers, old servers won't know not to + hang up on them. + - Let Tor build on Sun CC again. + - Fix an off-by-one buffer size in dirserv.c that magically never + hit our three authorities but broke sjmurdoch's own tor network. + - If we as a directory mirror don't know of any v1 directory + authorities, then don't try to cache any v1 directories. + - Stop warning about unknown servers in our family when they are + given as hex digests. + - Stop complaining as quickly to the server operator that he + hasn't registered his nickname/key binding. + - Various cleanups so we can add new V2 Auth Dirservers. - Change "AllowUnverifiedNodes" to "AllowInvalidNodes", to reflect the updated flags in our v2 dir protocol. + - Resume allowing non-printable characters for exit streams (both + for connecting and for resolving). Now we tolerate applications + that don't follow the RFCs. But continue to block malformed names + at the socks side. - o Config option features: - - Add a new config option FastFirstHopPK (on by default) so clients - do a trivial crypto handshake for their first hop, since TLS has - already taken care of confidentiality and authentication. - - Let the user set ControlListenAddress in the torrc. 
This can be + o Bugfixes on 0.1.0.x: + - Fix assert bug in close_logs(): when we close and delete logs, + remove them all from the global "logfiles" list. + - Fix minor integer overflow in calculating when we expect to use up + our bandwidth allocation before hibernating. + - Fix a couple of bugs in OpenSSL detection. Also, deal better when + there are multiple SSLs installed with different versions. + - When we try to be a server and Address is not explicitly set and + our hostname resolves to a private IP address, try to use an + interface address if it has a public address. Now Windows machines + that think of themselves as localhost can work by default. + + o New features: + - Let the controller ask for GETINFO dir/server/foo so it can ask + directly rather than connecting to the dir port. + - Let the controller tell us about certain router descriptors + that it doesn't want Tor to use in circuits. Implement + SETROUTERPURPOSE and modify +POSTDESCRIPTOR to do this. + - New config option SafeSocks to reject all application connections + using unsafe socks protocols. Defaults to off. + + +Changes in version 0.1.1.15-rc - 2006-03-11 + o Bugfixes and cleanups: + - When we're printing strings from the network, don't try to print + non-printable characters. This protects us against shell escape + sequence exploits, and also against attacks to fool humans into + misreading their logs. + - Fix a bug where Tor would fail to establish any connections if you + left it off for 24 hours and then started it: we were happy with + the obsolete network statuses, but they all referred to router + descriptors that were too old to fetch, so we ended up with no + valid router descriptors. + - Fix a seg fault in the controller's "getinfo orconn-status" + command while listing status on incoming handshaking connections. + Introduce a status name "NEW" for these connections. + - If we get a linelist or linelist_s config option from the torrc + (e.g. 
ExitPolicy) and it has no value, warn and skip rather than + silently resetting it to its default. + - Don't abandon entry guards until they've been down or gone for + a whole month. + - Cleaner and quieter log messages. + + o New features: + - New controller signal NEWNYM that makes new application requests + use clean circuits. + - Add a new circuit purpose 'controller' to let the controller ask + for a circuit that Tor won't try to use. Extend the EXTENDCIRCUIT + controller command to let you specify the purpose if you're + starting a new circuit. Add a new SETCIRCUITPURPOSE controller + command to let you change a circuit's purpose after it's been + created. + - Accept "private:*" in routerdesc exit policies; not generated yet + because older Tors do not understand it. + - Add BSD-style contributed startup script "rc.subr" from Peter + Thoenen. + + +Changes in version 0.1.1.14-alpha - 2006-02-20 + o Bugfixes on 0.1.1.x: + - Don't die if we ask for a stdout or stderr log (even implicitly) + and we're set to RunAsDaemon -- just warn. + - We still had a few bugs in the OR connection rotation code that + caused directory servers to slowly aggregate connections to other + fast Tor servers. This time for sure! + - Make log entries on Win32 include the name of the function again. + - We were treating a pair of exit policies if they were equal even + if one said accept and the other said reject -- causing us to + not always publish a new descriptor since we thought nothing + had changed. + - Retry pending server downloads as well as pending networkstatus + downloads when we unexpectedly get a socks request. + - We were ignoring the IS_FAST flag in the directory status, + meaning we were willing to pick trivial-bandwidth nodes for "fast" + connections. + - If the controller's SAVECONF command fails (e.g. due to file + permissions), let the controller know that it failed. 
+ + o Features: + - If we're trying to be a Tor server and running Windows 95/98/ME + as a server, explain that we'll likely crash. + - When we're a server, a client asks for an old-style directory, + and our write bucket is empty, don't give it to him. This way + small servers can continue to serve the directory *sometimes*, + without getting overloaded. + - Compress exit policies even more -- look for duplicate lines + and remove them. + - Clients now honor the "guard" flag in the router status when + picking entry guards, rather than looking at is_fast or is_stable. + - Retain unrecognized lines in $DATADIR/state file, so that we can + be forward-compatible. + - Generate 18.0.0.0/8 address policy format in descs when we can; + warn when the mask is not reducible to a bit-prefix. + - Let the user set ControlListenAddress in the torrc. This can be dangerous, but there are some cases (like a secured LAN) where it makes sense. + - Split ReachableAddresses into ReachableDirAddresses and + ReachableORAddresses, so we can restrict Dir conns to port 80 + and OR conns to port 443. + - Now we can target arch and OS in rpm builds (contributed by + Phobos). Also make the resulting dist-rpm filename match the + target arch. - New config options to help controllers: FetchServerDescriptors and FetchHidServDescriptors for whether to fetch server info and hidserv info or let the controller do it, and 
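Review bot: the added 0.1.1.14-alpha line "We were treating a pair of exit policies if they were equal even if one said accept and the other said reject" has lost a word and no longer parses; suggest "We were treating a pair of exit policies as equal even if one said accept and the other said reject". Also in this hunk, the 0.1.1.16-rc entry "Resume allowing non-printable characters for exit streams (both for connecting and for resolving)" lands one release after the 0.1.1.15-rc entry "When we're printing strings from the network, don't try to print non-printable characters", and it only says that malformed names are still blocked at the socks side; consider adding a clause stating whether the log-output escaping from 0.1.1.15-rc is unaffected, so readers do not take the security fix as reverted. The ControlListenAddress relocation checks out: it is removed from 0.1.1.20 and re-added under 0.1.1.14-alpha with the same "secured LAN" caveat.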
@@ -1290,113 +1142,6 @@ Changes in version 0.1.1.20 - 2006-05-23 - Also let the controller set the __AllDirActionsPrivate config option if you want all directory fetches/publishes to happen via Tor (it assumes your controller bootstraps your circuits). - - Add "HardwareAccel" config option: support for crypto hardware - accelerators via OpenSSL. Off by default, until we find somebody - smart who can test it for us. (It appears to produce seg faults - in at least some cases.) - - New config option "AuthDirRejectUnlisted" for directory authorities - as a panic button: if we get flooded with unusable servers we can - revert to only listing servers in the approved-routers file. - - Directory authorities can now reject/invalidate by key and IP, - with the config options "AuthDirInvalid" and "AuthDirReject", or - by marking a fingerprint as "!reject" or "!invalid" (as its - nickname) in the approved-routers file. This is useful since - currently we automatically list servers as running and usable - even if we know they're jerks. - - Add a new config option TestSocks so people can see whether their - applications are using socks4, socks4a, socks5-with-ip, or - socks5-with-fqdn. This way they don't have to keep mucking - with tcpdump and wondering if something got cached somewhere. - - Add "private:*" as an alias in configuration for policies. Now - you can simplify your exit policy rather than needing to list - every single internal or nonroutable network space. - - Accept "private:*" in routerdesc exit policies; not generated yet - because older Tors do not understand it. - - Add configuration option "V1AuthoritativeDirectory 1" which - moria1, moria2, and tor26 have set. - - Implement an option, VirtualAddrMask, to set which addresses - get handed out in response to mapaddress requests. This works - around a bug in tsocks where 127.0.0.0/8 is never socksified. 
- - Add a new config option FetchUselessDescriptors, off by default, - for when you plan to run "exitlist" on your client and you want - to know about even the non-running descriptors. - - SocksTimeout: How long do we let a socks connection wait - unattached before we fail it? - - CircuitBuildTimeout: Cull non-open circuits that were born - at least this many seconds ago. - - CircuitIdleTimeout: Cull open clean circuits that were born - at least this many seconds ago. - - New config option SafeSocks to reject all application connections - using unsafe socks protocols. Defaults to off. - - o Improved and clearer log messages: - - Reduce clutter in server logs. We're going to try to make - them actually usable now. New config option ProtocolWarnings that - lets you hear about how _other Tors_ are breaking the protocol. Off - by default. - - Divide log messages into logging domains. Once we put some sort - of interface on this, it will let people looking at more verbose - log levels specify the topics they want to hear more about. - - Log server fingerprint on startup, so new server operators don't - have to go hunting around their filesystem for it. - - Provide dire warnings to any users who set DirServer manually; - move it out of torrc.sample and into torrc.complete. - - Make the log message less scary when all the dirservers are - temporarily unreachable. - - When tor_socketpair() fails in Windows, give a reasonable - Windows-style errno back. - - Improve tor_gettimeofday() granularity on windows. - - We were printing the number of idle dns workers incorrectly when - culling them. - - Handle duplicate lines in approved-routers files without warning. - - We were whining about using socks4 or socks5-with-local-lookup - even when it's an IP address in the "virtual" range we designed - exactly for this case. 
- - Check for named servers when looking them up by nickname; - warn when we're calling a non-named server by its nickname; - don't warn twice about the same name. - - Downgrade the dirserver log messages when whining about - unreachability. - - Correct "your server is reachable" log entries to indicate that - it was self-testing that told us so. - - If we're trying to be a Tor server and running Windows 95/98/ME - as a server, explain that we'll likely crash. - - Provide a more useful warn message when our onion queue gets full: - the CPU is too slow or the exit policy is too liberal. - - Don't warn when we receive a 503 from a dirserver/cache -- this - will pave the way for them being able to refuse if they're busy. - - When we fail to bind a listener, try to provide a more useful - log message: e.g., "Is Tor already running?" - - Only start testing reachability once we've established a - circuit. This will make startup on dir authorities less noisy. - - Don't try to upload hidden service descriptors until we have - established a circuit. - - Tor didn't warn when it failed to open a log file. - - Warn when listening on a public address for socks. We suspect a - lot of people are setting themselves up as open socks proxies, - and they have no idea that jerks on the Internet are using them, - since they simply proxy the traffic into the Tor network. - - Give a useful message when people run Tor as the wrong user, - rather than telling them to start chowning random directories. - - Fix a harmless bug that was causing Tor servers to log - "Got an end because of misc error, but we're not an AP. Closing." - - Fix wrong log message when you add a "HiddenServiceNodes" config - line without any HiddenServiceDir line (reported by Chris Thomas). - - Directory authorities now stop whining so loudly about bad - descriptors that they fetch from other dirservers. So when there's - a log complaint, it's for sure from a freshly uploaded descriptor. 
- - When logging via syslog, include the pid whenever we provide - a log entry. Suggested by Todd Fries. - - When we're shutting down and we do something like try to post a - server descriptor or rendezvous descriptor, don't complain that - we seem to be unreachable. Of course we are, we're shutting down. - - Change log line for unreachability to explicitly suggest /etc/hosts - as the culprit. Also make it clearer what IP address and ports we're - testing for reachability. - - Put quotes around user-supplied strings when logging so users are - more likely to realize if they add bad characters (like quotes) - to the torrc. - - NT service patch from Matt Edman to improve error messages on Win32. Changes in version 0.1.0.17 - 2006-02-17 
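Review bot: several entries deleted from 0.1.1.20 here do not reappear under any release added elsewhere in this patch: the "HardwareAccel" option (only the later "Turn crypto hardware acceleration off by default" lands, under 0.1.1.13-alpha), "V1AuthoritativeDirectory 1", VirtualAddrMask, FetchUselessDescriptors, SocksTimeout, CircuitBuildTimeout, CircuitIdleTimeout, "Log server fingerprint on startup" and "Put quotes around user-supplied strings when logging". Before merging, confirm each was moved to its originating release rather than dropped, since the per-release history this commit is meant to produce would otherwise lose the introduction of those options. The entries that are relocated (AuthDirRejectUnlisted, the "!reject"/"!invalid" markers, TestSocks, "private:*", SafeSocks, ProtocolWarnings, logging domains, the DirServer warning) match their re-added text, except that the re-added TestSocks entry reads "socks5-with-hostname" where the removed text had "socks5-with-fqdn"; pick one spelling.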
@@ -1425,6 +1170,227 @@ Changes in version 0.1.0.17 - 2006-02-17 from 20 minutes to 1 hour. +Changes in version 0.1.1.13-alpha - 2006-02-09 + o Crashes in 0.1.1.x: + - When you tried to setconf ORPort via the controller, Tor would + crash. So people using TorCP to become a server were sad. + - Solve (I hope) the stack-smashing bug that we were seeing on fast + servers. The problem appears to be something do with OpenSSL's + random number generation, or how we call it, or something. Let me + know if the crashes continue. + - Turn crypto hardware acceleration off by default, until we find + somebody smart who can test it for us. (It appears to produce + seg faults in at least some cases.) + - Fix a rare assert error when we've tried all intro points for + a hidden service and we try fetching the service descriptor again: + "Assertion conn->state != AP_CONN_STATE_RENDDESC_WAIT failed" + + o Major fixes: + - Fix a major load balance bug: we were round-robining in 16 KB + chunks, and servers with bandwidthrate of 20 KB, while downloading + a 600 KB directory, would starve their other connections. Now we + try to be a bit more fair. + - Dir authorities and mirrors were never expiring the newest + descriptor for each server, causing memory and directory bloat. + - Fix memory-bloating and connection-bloating bug on servers: We + were never closing any connection that had ever had a circuit on + it, because we were checking conn->n_circuits == 0, yet we had a + bug that let it go negative. + - Make Tor work using squid as your http proxy again -- squid + returns an error if you ask for a URL that's too long, and it uses + a really generic error message. Plus, many people are behind a + transparent squid so they don't even realize it. + - On platforms that don't have getrlimit (like Windows), we were + artificially constraining ourselves to a max of 1024 + connections. Now just assume that we can handle as many as 15000 + connections. 
Hopefully this won't cause other problems. + - Add a new config option ExitPolicyRejectPrivate which defaults to + 1. This means all exit policies will begin with rejecting private + addresses, unless the server operator explicitly turns it off. + + o Major features: + - Clients not longer download descriptors for non-running + descriptors. + - Before we add new directory authorities, we should make it + clear that only v1 authorities should receive/publish hidden + service descriptors. + + o Minor features: + - As soon as we've fetched some more directory info, immediately + try to download more server descriptors. This way we don't have + a 10 second pause during initial bootstrapping. + - Remove even more loud log messages that the server operator can't + do anything about. + - When we're running an obsolete or un-recommended version, make + the log message more clear about what the problem is and what + versions *are* still recommended. + - Provide a more useful warn message when our onion queue gets full: + the CPU is too slow or the exit policy is too liberal. + - Don't warn when we receive a 503 from a dirserver/cache -- this + will pave the way for them being able to refuse if they're busy. + - When we fail to bind a listener, try to provide a more useful + log message: e.g., "Is Tor already running?" + - Adjust tor-spec to parameterize cell and key lengths. Now Ian + Goldberg can prove things about our handshake protocol more + easily. + - MaxConn has been obsolete for a while now. Document the ConnLimit + config option, which is a *minimum* number of file descriptors + that must be available else Tor refuses to start. + - Apply Matt Ghali's --with-syslog-facility patch to ./configure + if you log to syslog and want something other than LOG_DAEMON. + - Make dirservers generate a separate "guard" flag to mean, + "would make a good entry guard". Make clients parse it and vote + on it. Not used by clients yet. 
+ - Implement --with-libevent-dir option to ./configure. Also, improve + search techniques to find libevent, and use those for openssl too. + - Bump the default bandwidthrate to 3 MB, and burst to 6 MB + - Only start testing reachability once we've established a + circuit. This will make startup on dirservers less noisy. + - Don't try to upload hidden service descriptors until we have + established a circuit. + - Fix the controller's "attachstream 0" command to treat conn like + it just connected, doing address remapping, handling .exit and + .onion idioms, and so on. Now we're more uniform in making sure + that the controller hears about new and closing connections. + + +Changes in version 0.1.1.12-alpha - 2006-01-11 + o Bugfixes on 0.1.1.x: + - The fix to close duplicate server connections was closing all + Tor client connections if they didn't establish a circuit + quickly enough. Oops. + - Fix minor memory issue (double-free) that happened on exit. + + o Bugfixes on 0.1.0.x: + - Tor didn't warn when it failed to open a log file. + + +Changes in version 0.1.1.11-alpha - 2006-01-10 + o Crashes in 0.1.1.x: + - Include all the assert/crash fixes from 0.1.0.16. + - If you start Tor and then quit very quickly, there were some + races that tried to free things that weren't allocated yet. + - Fix a rare memory stomp if you're running hidden services. + - Fix segfault when specifying DirServer in config without nickname. + - Fix a seg fault when you finish connecting to a server but at + that moment you dump his server descriptor. + - Extendcircuit and Attachstream controller commands would + assert/crash if you don't give them enough arguments. + - Fix an assert error when we're out of space in the connection_list + and we try to post a hidden service descriptor (reported by weasel). + - If you specify a relative torrc path and you set RunAsDaemon in + your torrc, then it chdir()'s to the new directory. 
If you HUP, + it tries to load the new torrc location, fails, and exits. + The fix: no longer allow a relative path to torrc using -f. + + o Major features: + - Implement "entry guards": automatically choose a handful of entry + nodes and stick with them for all circuits. Only pick new guards + when the ones you have are unsuitable, and if the old guards + become suitable again, switch back. This will increase security + dramatically against certain end-point attacks. The EntryNodes + config option now provides some hints about which entry guards you + want to use most; and StrictEntryNodes means to only use those. + - New directory logic: download by descriptor digest, not by + fingerprint. Caches try to download all listed digests from + authorities; clients try to download "best" digests from caches. + This avoids partitioning and isolating attacks better. + - Make the "stable" router flag in network-status be the median of + the uptimes of running valid servers, and make clients pay + attention to the network-status flags. Thus the cutoff adapts + to the stability of the network as a whole, making IRC, IM, etc + connections more reliable. + + o Major fixes: + - Tor servers with dynamic IP addresses were needing to wait 18 + hours before they could start doing reachability testing using + the new IP address and ports. This is because they were using + the internal descriptor to learn what to test, yet they were only + rebuilding the descriptor once they decided they were reachable. + - Tor 0.1.1.9 and 0.1.1.10 had a serious bug that caused clients + to download certain server descriptors, throw them away, and then + fetch them again after 30 minutes. Now mirrors throw away these + server descriptors so clients can't get them. + - We were leaving duplicate connections to other ORs open for a week, + rather than closing them once we detect a duplicate. This only + really affected authdirservers, but it affected them a lot. 
+ - Spread the authdirservers' reachability testing over the entire + testing interval, so we don't try to do 500 TLS's at once every + 20 minutes. + + o Minor fixes: + - If the network is down, and we try to connect to a conn because + we have a circuit in mind, and we timeout (30 seconds) because the + network never answers, we were expiring the circuit, but we weren't + obsoleting the connection or telling the entry_guards functions. + - Some Tor servers process billions of cells per day. These statistics + need to be uint64_t's. + - Check for integer overflows in more places, when adding elements + to smartlists. This could possibly prevent a buffer overflow + on malicious huge inputs. I don't see any, but I haven't looked + carefully. + - ReachableAddresses kept growing new "reject *:*" lines on every + setconf/reload. + - When you "setconf log" via the controller, it should remove all + logs. We were automatically adding back in a "log notice stdout". + - Newly bootstrapped Tor networks couldn't establish hidden service + circuits until they had nodes with high uptime. Be more tolerant. + - We were marking servers down when they could not answer every piece + of the directory request we sent them. This was far too harsh. + - Fix the torify (tsocks) config file to not use Tor for localhost + connections. + - Directory authorities now go to the proper authority when asking for + a networkstatus, even when they want a compressed one. + - Fix a harmless bug that was causing Tor servers to log + "Got an end because of misc error, but we're not an AP. Closing." + - Authorities were treating their own descriptor changes as cosmetic, + meaning the descriptor available in the network-status and the + descriptor that clients downloaded were different. + - The OS X installer was adding a symlink for tor_resolve but + the binary was called tor-resolve (reported by Thomas Hardly). 
+ - Workaround a problem with some http proxies where they refuse GET + requests that specify "Content-Length: 0" (reported by Adrian). + - Fix wrong log message when you add a "HiddenServiceNodes" config + line without any HiddenServiceDir line (reported by Chris Thomas). + + o Minor features: + - Write the TorVersion into the state file so we have a prayer of + keeping forward and backward compatibility. + - Revive the FascistFirewall config option rather than eliminating it: + now it's a synonym for ReachableAddresses *:80,*:443. + - Clients choose directory servers from the network status lists, + not from their internal list of router descriptors. Now they can + go to caches directly rather than needing to go to authorities + to bootstrap. + - Directory authorities ignore router descriptors that have only + cosmetic differences: do this for 0.1.0.x servers now too. + - Add a new flag to network-status indicating whether the server + can answer v2 directory requests too. + - Authdirs now stop whining so loudly about bad descriptors that + they fetch from other dirservers. So when there's a log complaint, + it's for sure from a freshly uploaded descriptor. + - Reduce memory requirements in our structs by changing the order + of fields. + - There used to be two ways to specify your listening ports in a + server descriptor: on the "router" line and with a separate "ports" + line. Remove support for the "ports" line. + - New config option "AuthDirRejectUnlisted" for auth dirservers as + a panic button: if we get flooded with unusable servers we can + revert to only listing servers in the approved-routers file. + - Auth dir servers can now mark a fingerprint as "!reject" or + "!invalid" in the approved-routers file (as its nickname), to + refuse descriptors outright or include them but marked as invalid. + - Servers store bandwidth history across restarts/crashes. 
+ - Add reasons to DESTROY and RELAY_TRUNCATED cells, so clients can + get a better idea of why their circuits failed. Not used yet. + - Directory mirrors now cache up to 16 unrecognized network-status + docs. Now we can add new authdirservers and they'll be cached too. + - When picking a random directory, prefer non-authorities if any + are known. + - New controller option "getinfo desc/all-recent" to fetch the + latest server descriptor for every router that Tor knows about. + + Changes in version 0.1.0.16 - 2006-01-02 o Crash bugfixes on 0.1.0.x: - On Windows, build with a libevent patch from "I-M Weasel" to avoid 
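Review bot: typos in the added 0.1.1.13-alpha text. "Clients not longer download descriptors for non-running descriptors" should read "Clients no longer download descriptors for non-running servers" (the object is wrong as well as "not"), and "The problem appears to be something do with OpenSSL's random number generation" is missing "to". Minor: the "Assertion conn->state != AP_CONN_STATE_RENDDESC_WAIT failed" item and "Bump the default bandwidthrate to 3 MB, and burst to 6 MB" lack the trailing period the surrounding items have. The 0.1.1.11-alpha "Minor fixes" smartlist entry is a good place for the honest caveat "I don't see any, but I haven't looked carefully"; keep it, since it tells readers the overflow check is defensive rather than a fix for a known bug.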
@@ -1467,6 +1433,281 @@ Changes in version 0.1.0.16 - 2006-01-02 reset its failure count so we can try again and get all three tries. +Changes in version 0.1.1.10-alpha - 2005-12-11 + o Correctness bugfixes on 0.1.0.x: + - On Windows, build with a libevent patch from "I-M Weasel" to avoid + corrupting the heap, losing FDs, or crashing when we need to resize + the fd_sets. (This affects the Win32 binaries, not Tor's sources.) + - Stop doing the complex voodoo overkill checking for insecure + Diffie-Hellman keys. Just check if it's in [2,p-2] and be happy. + - When we were closing connections, there was a rare case that + stomped on memory, triggering seg faults and asserts. + - We were neglecting to unlink marked circuits from soon-to-close OR + connections, which caused some rare scribbling on freed memory. + - When we're deciding whether a stream has enough circuits around + that can handle it, count the freshly dirty ones and not the ones + that are so dirty they won't be able to handle it. + - Recover better from TCP connections to Tor servers that are + broken but don't tell you (it happens!); and rotate TLS + connections once a week. + - When we're expiring old circuits, we had a logic error that caused + us to close new rendezvous circuits rather than old ones. + - Fix a scary-looking but apparently harmless bug where circuits + would sometimes start out in state CIRCUIT_STATE_OR_WAIT at + servers, and never switch to state CIRCUIT_STATE_OPEN. + - When building with -static or on Solaris, we sometimes needed to + build with -ldl. + - Give a useful message when people run Tor as the wrong user, + rather than telling them to start chowning random directories. + - We were failing to inform the controller about new .onion streams. + + o Security bugfixes on 0.1.0.x: + - Refuse server descriptors if the fingerprint line doesn't match + the included identity key. Tor doesn't care, but other apps (and + humans) might actually be trusting the fingerprint line. 
+ - We used to kill the circuit when we receive a relay command we + don't recognize. Now we just drop it. + - Start obeying our firewall options more rigorously: + . If we can't get to a dirserver directly, try going via Tor. + . Don't ever try to connect (as a client) to a place our + firewall options forbid. + . If we specify a proxy and also firewall options, obey the + firewall options even when we're using the proxy: some proxies + can only proxy to certain destinations. + - Fix a bug found by Lasse Overlier: when we were making internal + circuits (intended to be cannibalized later for rendezvous and + introduction circuits), we were picking them so that they had + useful exit nodes. There was no need for this, and it actually + aids some statistical attacks. + - Start treating internal circuits and exit circuits separately. + It's important to keep them separate because internal circuits + have their last hops picked like middle hops, rather than like + exit hops. So exiting on them will break the user's expectations. + + o Bugfixes on 0.1.1.x: + - Take out the mis-feature where we tried to detect IP address + flapping for people with DynDNS, and chose not to upload a new + server descriptor sometimes. + - Try to be compatible with OpenSSL 0.9.6 again. + - Log fix: when the controller is logging about .onion addresses, + sometimes it didn't include the ".onion" part of the address. + - Don't try to modify options->DirServers internally -- if the + user didn't specify any, just add the default ones directly to + the trusted dirserver list. This fixes a bug where people running + controllers would use SETCONF on some totally unrelated config + option, and Tor would start yelling at them about changing their + DirServer lines. + - Let the controller's redirectstream command specify a port, in + case the controller wants to change that too. 
+ - When we requested a pile of server descriptors, we sometimes + accidentally launched a duplicate request for the first one. + - Bugfix for trackhostexits: write down the fingerprint of the + chosen exit, not its nickname, because the chosen exit might not + be verified. + - When parsing foo.exit, if foo is unknown, and we are leaving + circuits unattached, set the chosen_exit field and leave the + address empty. This matters because controllers got confused + otherwise. + - Directory authorities no longer try to download server + descriptors that they know they will reject. + + o Features and updates: + - Replace balanced trees with hash tables: this should make stuff + significantly faster. + - Resume using the AES counter-mode implementation that we ship, + rather than OpenSSL's. Ours is significantly faster. + - Many other CPU and memory improvements. + - Add a new config option FastFirstHopPK (on by default) so clients + do a trivial crypto handshake for their first hop, since TLS has + already taken care of confidentiality and authentication. + - Add a new config option TestSocks so people can see if their + applications are using socks4, socks4a, socks5-with-ip, or + socks5-with-hostname. This way they don't have to keep mucking + with tcpdump and wondering if something got cached somewhere. + - Warn when listening on a public address for socks. I suspect a + lot of people are setting themselves up as open socks proxies, + and they have no idea that jerks on the Internet are using them, + since they simply proxy the traffic into the Tor network. + - Add "private:*" as an alias in configuration for policies. Now + you can simplify your exit policy rather than needing to list + every single internal or nonroutable network space. + - Add a new controller event type that allows controllers to get + all server descriptors that were uploaded to a router in its role + as authoritative dirserver. 
+ - Start shipping socks-extensions.txt, tor-doc-unix.html, + tor-doc-server.html, and stylesheet.css in the tarball. + - Stop shipping tor-doc.html in the tarball. + + +Changes in version 0.1.1.9-alpha - 2005-11-15 + o Usability improvements: + - Start calling it FooListenAddress rather than FooBindAddress, + since few of our users know what it means to bind an address + or port. + - Reduce clutter in server logs. We're going to try to make + them actually usable now. New config option ProtocolWarnings that + lets you hear about how _other Tors_ are breaking the protocol. Off + by default. + - Divide log messages into logging domains. Once we put some sort + of interface on this, it will let people looking at more verbose + log levels specify the topics they want to hear more about. + - Make directory servers return better http 404 error messages + instead of a generic "Servers unavailable". + - Check for even more Windows version flags when writing the platform + string in server descriptors, and note any we don't recognize. + - Clean up more of the OpenSSL memory when exiting, so we can detect + memory leaks better. + - Make directory authorities be non-versioning, non-naming by + default. Now we can add new directory servers without requiring + their operators to pay close attention. + - When logging via syslog, include the pid whenever we provide + a log entry. Suggested by Todd Fries. + + o Performance improvements: + - Directory servers now silently throw away new descriptors that + haven't changed much if the timestamps are similar. We do this to + tolerate older Tor servers that upload a new descriptor every 15 + minutes. (It seemed like a good idea at the time.) + - Inline bottleneck smartlist functions; use fast versions by default. + - Add a "Map from digest to void*" abstraction digestmap_t so we + can do less hex encoding/decoding. Use it in router_get_by_digest() + to resolve a performance bottleneck. 
+ - Allow tor_gzip_uncompress to extract as much as possible from + truncated compressed data. Try to extract as many + descriptors as possible from truncated http responses (when + DIR_PURPOSE_FETCH_ROUTERDESC). + - Make circ->onionskin a pointer, not a static array. moria2 was using + 125000 circuit_t's after it had been up for a few weeks, which + translates to 20+ megs of wasted space. + - The private half of our EDH handshake keys are now chosen out + of 320 bits, not 1024 bits. (Suggested by Ian Goldberg.) + + o Security improvements: + - Start making directory caches retain old routerinfos, so soon + clients can start asking by digest of descriptor rather than by + fingerprint of server. + - Add half our entropy from RAND_poll in OpenSSL. This knows how + to use egd (if present), openbsd weirdness (if present), vms/os2 + weirdness (if we ever port there), and more in the future. + + o Bugfixes on 0.1.0.x: + - Do round-robin writes of at most 16 kB per write. This might be + more fair on loaded Tor servers, and it might resolve our Windows + crash bug. It might also slow things down. + - Our TLS handshakes were generating a single public/private + keypair for the TLS context, rather than making a new one for + each new connections. Oops. (But we were still rotating them + periodically, so it's not so bad.) + - When we were cannibalizing a circuit with a particular exit + node in mind, we weren't checking to see if that exit node was + already present earlier in the circuit. Oops. + - When a Tor server's IP changes (e.g. from a dyndns address), + upload a new descriptor so clients will learn too. + - Really busy servers were keeping enough circuits open on stable + connections that they were wrapping around the circuit_id + space. (It's only two bytes.) This exposed a bug where we would + feel free to reuse a circuit_id even if it still exists but has + been marked for close. Try to fix this bug. Some bug remains. + - If we would close a stream early (e.g. 
it asks for a .exit that + we know would refuse it) but the LeaveStreamsUnattached config + option is set by the controller, then don't close it. + + o Bugfixes on 0.1.1.8-alpha: + - Fix a big pile of memory leaks, some of them serious. + - Do not try to download a routerdesc if we would immediately reject + it as obsolete. + - Resume inserting a newline between all router descriptors when + generating (old style) signed directories, since our spec says + we do. + - When providing content-type application/octet-stream for + server descriptors using .z, we were leaving out the + content-encoding header. Oops. (Everything tolerated this just + fine, but that doesn't mean we need to be part of the problem.) + - Fix a potential seg fault in getconf and getinfo using version 1 + of the controller protocol. + - Avoid crash: do not check whether DirPort is reachable when we + are suppressing it because of hibernation. + - Make --hash-password not crash on exit. + + +Changes in version 0.1.1.8-alpha - 2005-10-07 + o New features (major): + - Clients don't download or use the directory anymore. Now they + download and use network-statuses from the trusted dirservers, + and fetch individual server descriptors as needed from mirrors. + See dir-spec.txt for all the gory details. + - Be more conservative about whether to advertise our DirPort. + The main change is to not advertise if we're running at capacity + and either a) we could hibernate or b) our capacity is low and + we're using a default DirPort. + - Use OpenSSL's AES when OpenSSL has version 0.9.7 or later. + + o New features (minor): + - Try to be smart about when to retry network-status and + server-descriptor fetches. Still needs some tuning. + - Stop parsing, storing, or using running-routers output (but + mirrors still cache and serve it). 
+ - Consider a threshold of versioning dirservers (dirservers who have + an opinion about which Tor versions are still recommended) before + deciding whether to warn the user that he's obsolete. + - Dirservers can now reject/invalidate by key and IP, with the + config options "AuthDirInvalid" and "AuthDirReject". This is + useful since currently we automatically list servers as running + and usable even if we know they're jerks. + - Provide dire warnings to any users who set DirServer; move it out + of torrc.sample and into torrc.complete. + - Add MyFamily to torrc.sample in the server section. + - Add nicknames to the DirServer line, so we can refer to them + without requiring all our users to memorize their IP addresses. + - When we get an EOF or a timeout on a directory connection, note + how many bytes of serverdesc we are dropping. This will help + us determine whether it is smart to parse incomplete serverdesc + responses. + - Add a new function to "change pseudonyms" -- that is, to stop + using any currently-dirty circuits for new streams, so we don't + link new actions to old actions. Currently it's only called on + HUP (or SIGNAL RELOAD). + - On sighup, if UseHelperNodes changed to 1, use new circuits. + - Start using RAND_bytes rather than RAND_pseudo_bytes from + OpenSSL. Also, reseed our entropy every hour, not just at + startup. And entropy in 512-bit chunks, not 160-bit chunks. + + o Fixes on 0.1.1.7-alpha: + - Nobody ever implemented EVENT_ADDRMAP for control protocol + version 0, so don't let version 0 controllers ask for it. + - If you requested something with too many newlines via the + v1 controller protocol, you could crash tor. + - Fix a number of memory leaks, including some pretty serious ones. + - Re-enable DirPort testing again, so Tor servers will be willing + to advertise their DirPort if it's reachable. + - On TLS handshake, only check the other router's nickname against + its expected nickname if is_named is set. 
+ + o Fixes forward-ported from 0.1.0.15: + - Don't crash when we don't have any spare file descriptors and we + try to spawn a dns or cpu worker. + - Make the numbers in read-history and write-history into uint64s, + so they don't overflow and publish negatives in the descriptor. + + o Fixes on 0.1.0.x: + - For the OS X package's modified privoxy config file, comment + out the "logfile" line so we don't log everything passed + through privoxy. + - We were whining about using socks4 or socks5-with-local-lookup + even when it's an IP in the "virtual" range we designed exactly + for this case. + - We were leaking some memory every time the client changes IPs. + - Never call free() on tor_malloc()d memory. This will help us + use dmalloc to detect memory leaks. + - Check for named servers when looking them up by nickname; + warn when we'recalling a non-named server by its nickname; + don't warn twice about the same name. + - Try to list MyFamily elements by key, not by nickname, and warn + if we've not heard of the server. + - Make windows platform detection (uname equivalent) smarter. + - It turns out sparc64 doesn't like unaligned access either. + + Changes in version 0.1.0.15 - 2005-09-23 o Bugfixes on 0.1.0.x: - Reject ports 465 and 587 (spam targets) in default exit policy. 
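Review bot: under "Fixes on 0.1.0.x" for 0.1.1.8-alpha the entry "warn when we'recalling a non-named server by its nickname" has a typo and should read "we're calling". Earlier in the same hunk, under "Bugfixes on 0.1.0.x", "rather than making a new one for each new connections" should be "each new connection", and the circuit_id entry that closes with "Try to fix this bug. Some bug remains." gives the reader no way to follow up; naming the remaining symptom, or a bug number, would make the entry actionable. The "Security improvements" bullet "Start making directory caches retain old routerinfos, so soon clients can start asking by digest of descriptor rather than by fingerprint of server" describes groundwork rather than a shipped security change; consider saying explicitly that the client side is not yet enabled, as the 0.1.1.7-alpha entry does for its v2 directory work.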
@@ -1484,6 +1725,175 @@ Changes in version 0.1.0.15 - 2005-09-23 - Clean up log entries that pointed to old URLs. +Changes in version 0.1.1.7-alpha - 2005-09-14 + o Fixes on 0.1.1.6-alpha: + - Exit servers were crashing when people asked them to make a + connection to an address not in their exit policy. + - Looking up a non-existent stream for a v1 control connection would + cause a segfault. + - Fix a seg fault if we ask a dirserver for a descriptor by + fingerprint but he doesn't know about him. + - SETCONF was appending items to linelists, not clearing them. + - SETCONF SocksBindAddress killed Tor if it fails to bind. Now back + out and refuse the setconf if it would fail. + - Downgrade the dirserver log messages when whining about + unreachability. + + o New features: + - Add Peter Palfrader's check-tor script to tor/contrib/ + It lets you easily check whether a given server (referenced by + nickname) is reachable by you. + - Numerous changes to move towards client-side v2 directories. Not + enabled yet. + + o Fixes on 0.1.0.x: + - If the user gave tor an odd number of command-line arguments, + we were silently ignoring the last one. Now we complain and fail. + [This wins the oldest-bug prize -- this bug has been present since + November 2002, as released in Tor 0.0.0.] + - Do not use unaligned memory access on alpha, mips, or mipsel. + It *works*, but is very slow, so we treat them as if it doesn't. + - Retry directory requests if we fail to get an answer we like + from a given dirserver (we were retrying before, but only if + we fail to connect). + - When writing the RecommendedVersions line, sort them first. + - When the client asked for a rendezvous port that the hidden + service didn't want to provide, we were sending an IP address + back along with the end cell. Fortunately, it was zero. But stop + that anyway. + - Correct "your server is reachable" log entries to indicate that + it was self-testing that told us so. 
+ + +Changes in version 0.1.1.6-alpha - 2005-09-09 + o Fixes on 0.1.1.5-alpha: + - We broke fascistfirewall in 0.1.1.5-alpha. Oops. + - Fix segfault in unit tests in 0.1.1.5-alpha. Oops. + - Fix bug with tor_memmem finding a match at the end of the string. + - Make unit tests run without segfaulting. + - Resolve some solaris x86 compile warnings. + - Handle duplicate lines in approved-routers files without warning. + - Fix bug where as soon as a server refused any requests due to his + exit policy (e.g. when we ask for localhost and he tells us that's + 127.0.0.1 and he won't do it), we decided he wasn't obeying his + exit policy using him for any exits. + - Only do openssl hardware accelerator stuff if openssl version is + at least 0.9.7. + + o New controller features/fixes: + - Add a "RESETCONF" command so you can set config options like + AllowUnverifiedNodes and LongLivedPorts to "". Also, if you give + a config option in the torrc with no value, then it clears it + entirely (rather than setting it to its default). + - Add a "GETINFO config-file" to tell us where torrc is. + - Avoid sending blank lines when GETINFO replies should be empty. + - Add a QUIT command for the controller (for using it manually). + - Fix a bug in SAVECONF that was adding default dirservers and + other redundant entries to the torrc file. + + o Start on the new directory design: + - Generate, publish, cache, serve new network-status format. + - Publish individual descriptors (by fingerprint, by "all", and by + "tell me yours"). + - Publish client and server recommended versions separately. + - Allow tor_gzip_uncompress() to handle multiple concatenated + compressed strings. Serve compressed groups of router + descriptors. The compression logic here could be more + memory-efficient. + - Distinguish v1 authorities (all currently trusted directories) + from v2 authorities (all trusted directories). + - Change DirServers config line to note which dirs are v1 authorities. 
+ - Add configuration option "V1AuthoritativeDirectory 1" which + moria1, moria2, and tor26 should set. + - Remove option when getting directory cache to see whether they + support running-routers; they all do now. Replace it with one + to see whether caches support v2 stuff. + + o New features: + - Dirservers now do their own external reachability testing of each + Tor server, and only list them as running if they've been found to + be reachable. We also send back warnings to the server's logs if + it uploads a descriptor that we already believe is unreachable. + - Implement exit enclaves: if we know an IP address for the + destination, and there's a running Tor server at that address + which allows exit to the destination, then extend the circuit to + that exit first. This provides end-to-end encryption and end-to-end + authentication. Also, if the user wants a .exit address or enclave, + use 4 hops rather than 3, and cannibalize a general circ for it + if you can. + - Permit transitioning from ORPort=0 to ORPort!=0, and back, from the + controller. Also, rotate dns and cpu workers if the controller + changes options that will affect them; and initialize the dns + worker cache tree whether or not we start out as a server. + - Only upload a new server descriptor when options change, 18 + hours have passed, uptime is reset, or bandwidth changes a lot. + - Check [X-]Forwarded-For headers in HTTP requests when generating + log messages. This lets people run dirservers (and caches) behind + Apache but still know which IP addresses are causing warnings. + + o Config option changes: + - Replace (Fascist)Firewall* config options with a new + ReachableAddresses option that understands address policies. + For example, "ReachableAddresses *:80,*:443" + - Get rid of IgnoreVersion undocumented config option, and make us + only warn, never exit, when we're running an obsolete version. + - Make MonthlyAccountingStart config option truly obsolete now. 
+ + o Fixes on 0.1.0.x: + - Reject ports 465 and 587 in the default exit policy, since + people have started using them for spam too. + - It turns out we couldn't bootstrap a network since we added + reachability detection in 0.1.0.1-rc. Good thing the Tor network + has never gone down. Add an AssumeReachable config option to let + servers and dirservers bootstrap. When we're trying to build a + high-uptime or high-bandwidth circuit but there aren't enough + suitable servers, try being less picky rather than simply failing. + - Our logic to decide if the OR we connected to was the right guy + was brittle and maybe open to a mitm for unverified routers. + - We weren't cannibalizing circuits correctly for + CIRCUIT_PURPOSE_C_ESTABLISH_REND and + CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, so we were being forced to + build those from scratch. This should make hidden services faster. + - Predict required circuits better, with an eye toward making hidden + services faster on the service end. + - Retry streams if the exit node sends back a 'misc' failure. This + should result in fewer random failures. Also, after failing + from resolve failed or misc, reset the num failures, so we give + it a fair shake next time we try. + - Clean up the rendezvous warn log msgs, and downgrade some to info. + - Reduce severity on logs about dns worker spawning and culling. + - When we're shutting down and we do something like try to post a + server descriptor or rendezvous descriptor, don't complain that + we seem to be unreachable. Of course we are, we're shutting down. + - Add TTLs to RESOLVED, CONNECTED, and END_REASON_EXITPOLICY cells. + We don't use them yet, but maybe one day our DNS resolver will be + able to discover them. + - Make ContactInfo mandatory for authoritative directory servers. + - Require server descriptors to list IPv4 addresses -- hostnames + are no longer allowed. 
This also fixes some potential security + problems with people providing hostnames as their address and then + preferentially resolving them to partition users. + - Change log line for unreachability to explicitly suggest /etc/hosts + as the culprit. Also make it clearer what IP address and ports we're + testing for reachability. + - Put quotes around user-supplied strings when logging so users are + more likely to realize if they add bad characters (like quotes) + to the torrc. + - Let auth dir servers start without specifying an Address config + option. + - Make unit tests (and other invocations that aren't the real Tor) + run without launching listeners, creating subdirectories, and so on. + + +Changes in version 0.1.1.5-alpha - 2005-08-08 + o Bugfixes included in 0.1.0.14. + + o Bugfixes on 0.1.0.x: + - If you write "HiddenServicePort 6667 127.0.0.1 6668" in your + torrc rather than "HiddenServicePort 6667 127.0.0.1:6668", + it would silently using ignore the 6668. + + Changes in version 0.1.0.14 - 2005-08-08 o Bugfixes on 0.1.0.x: - Fix the other half of the bug with crypto handshakes @@ -1492,6 +1902,16 @@ Changes in version 0.1.0.14 - 2005-08-08 controller when it's listening for 'event info' messages. +Changes in version 0.1.1.4-alpha - 2005-08-04 + o Bugfixes included in 0.1.0.13. + + o Features: + - Improve tor_gettimeofday() granularity on windows. + - Make clients regenerate their keys when their IP address changes. + - Implement some more GETINFO goodness: expose helper nodes, config + options, getinfo keys. + + Changes in version 0.1.0.13 - 2005-08-04 o Bugfixes on 0.1.0.x: - Fix a critical bug in the security of our crypto handshakes. 
@@ -1505,6 +1925,35 @@ Changes in version 0.1.0.13 - 2005-08-04 not-broken. +Changes in version 0.1.1.3-alpha - 2005-07-23 + o Bugfixes on 0.1.1.2-alpha: + - Fix a bug in handling the controller's "post descriptor" + function. + - Fix several bugs in handling the controller's "extend circuit" + function. + - Fix a bug in handling the controller's "stream status" event. + - Fix an assert failure if we have a controller listening for + circuit events and we go offline. + - Re-allow hidden service descriptors to publish 0 intro points. + - Fix a crash when generating your hidden service descriptor if + you don't have enough intro points already. + + o New features on 0.1.1.2-alpha: + - New controller function "getinfo accounting", to ask how + many bytes we've used in this time period. + - Experimental support for helper nodes: a lot of the risk from + a small static adversary comes because users pick new random + nodes every time they rebuild a circuit. Now users will try to + stick to the same small set of entry nodes if they can. Not + enabled by default yet. + + o Bugfixes on 0.1.0.12: + - If you're an auth dir server, always publish your dirport, + even if you haven't yet found yourself to be reachable. + - Fix a size_t underflow in smartlist_join_strings2() that made + it do bad things when you hand it an empty smartlist. + + Changes in version 0.1.0.12 - 2005-07-18 o New directory servers: - tor26 has changed IP address. 
@@ -1520,6 +1969,46 @@ Changes in version 0.1.0.12 - 2005-07-18 Edman for the fix. +Changes in version 0.1.1.2-alpha - 2005-07-15 + o New directory servers: + - tor26 has changed IP address. + + o Bugfixes on 0.1.0.x, crashes/leaks: + - Port the servers-not-obeying-their-exit-policies fix from + 0.1.0.11. + - Fix an fd leak in start_daemon(). + - On Windows, you can't always reopen a port right after you've + closed it. So change retry_listeners() to only close and re-open + ports that have changed. + - Fix a possible double-free in tor_gzip_uncompress(). + + o Bugfixes on 0.1.0.x, usability: + - When tor_socketpair() fails in Windows, give a reasonable + Windows-style errno back. + - Let people type "tor --install" as well as "tor -install" when + they + want to make it an NT service. + - NT service patch from Matt Edman to improve error messages. + - When the controller asks for a config option with an abbreviated + name, give the full name in our response. + - Correct the man page entry on TrackHostExitsExpire. + - Looks like we were never delivering deflated (i.e. compressed) + running-routers lists, even when asked. Oops. + - When --disable-threads is set, do not search for or link against + pthreads libraries. + + o Bugfixes on 0.1.1.x: + - Fix a seg fault with autodetecting which controller version is + being used. + + o Features: + - New hidden service descriptor format: put a version in it, and + let people specify introduction/rendezvous points that aren't + in "the directory" (which is subjective anyway). + - Allow the DEBUG controller event to work again. Mark certain log + entries as "don't tell this to controllers", so we avoid cycles. + + Changes in version 0.1.0.11 - 2005-06-30 o Bugfixes on 0.1.0.x: - Fix major security bug: servers were disregarding their 
@@ -1530,6 +2019,29 @@ Changes in version 0.1.0.11 - 2005-06-30 - The MAPADDRESS control command was broken. +Changes in version 0.1.1.1-alpha - 2005-06-29 + o Bugfixes: + - Make OS X init script check for missing argument, so we don't + confuse users who invoke it incorrectly. + - Fix a seg fault in "tor --hash-password foo". + - Fix a possible way to DoS dirservers. + - When we complain that your exit policy implicitly allows local or + private address spaces, name them explicitly so operators can + fix it. + - Make the log message less scary when all the dirservers are + temporarily unreachable. + - We were printing the number of idle dns workers incorrectly when + culling them. + + o Features: + - Revised controller protocol (version 1) that uses ascii rather + than binary. Add supporting libraries in python and java so you + can use the controller from your applications without caring how + our protocol works. + - Spiffy new support for crypto hardware accelerators. Can somebody + test this? + + Changes in version 0.0.9.10 - 2005-06-16 o Bugfixes on 0.0.9.x (backported from 0.1.0.10): - Refuse relay cells that claim to have a length larger than the @@ -2181,7 +2693,7 @@ Changes in version 0.0.9.2 - 2005-01-04 now that we're shipping binary distributions more regularly. -Changes in version 0.0.9.1 - 2004-12-16 +Changes in version 0.0.9.1 - 2004-12-15 o Bugfixes on 0.0.9: - Make hibernation actually work. - Make HashedControlPassword config option work.
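Review bot: two entries in the @@ -1484 hunk read differently from what they mean. Under 0.1.1.6-alpha "Fixes on 0.1.1.5-alpha", "we decided he wasn't obeying his exit policy using him for any exits" is missing the verb; presumably "and stopped using him for any exits". Under 0.1.1.5-alpha "Bugfixes on 0.1.0.x", "it would silently using ignore the 6668" should be "it would silently ignore the 6668". "Remove option when getting directory cache to see whether they support running-routers" is also hard to parse; something like "Drop the check for whether directory caches support running-routers" would be clearer. Separately, the 0.1.1.6-alpha entry "Our logic to decide if the OR we connected to was the right guy was brittle and maybe open to a mitm for unverified routers" is filed under plain "Fixes on 0.1.0.x" with no detail; if it is a security fix, state which identity is now checked against which expectation so operators can judge their exposure, and flag it the way the other security fixes in this file are flagged.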
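Review bot: the 0.1.1.3-alpha entry in the @@ -1505 hunk uses the heading "o Bugfixes on 0.1.0.12:", while the neighbouring 0.1.1.4-alpha and 0.1.1.5-alpha entries use "o Bugfixes included in 0.1.0.13." and "o Bugfixes included in 0.1.0.14." Those headings say different things: "on 0.1.0.12" means fixes applied to bugs present in 0.1.0.12, "included in" means the alpha carries the stable release's fixes. Pick the one that is true here (the two bullets under it, the auth dirport and the smartlist_join_strings2() underflow, look like fixes to bugs, not an import of a stable release) and use the same wording in all three entries.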
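Review bot: in the @@ -1520 hunk the bullet "Let people type "tor --install" as well as "tor -install" when / they / want to make it an NT service." has "they" on a line of its own; join it with the surrounding lines so the entry wraps like the rest of the file. The same hunk also repeats "o New directory servers: - tor26 has changed IP address." verbatim from the 0.1.0.12 entry directly below it, whereas the other alpha entries refer to the stable release with "Bugfixes included in 0.1.0.x" rather than copying its bullets; if the duplication is intentional, fine, otherwise a one-line "included in 0.1.0.12" reference would be consistent.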
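Review bot: "Fix a possible way to DoS dirservers." in the 0.1.1.1-alpha "Bugfixes" list of the @@ -1530 hunk is too thin for a denial-of-service fix; a dirserver operator reading this cannot tell whether the issue was a crash, resource exhaustion or something else, nor which input triggered it. Say at least what class of request was involved. In the "Features" list, "Can somebody test this?" is a request to contributors rather than a statement of what changed; it belongs in a mailing-list post, and the entry should just record that hardware accelerator support is new and untested.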
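Review bot: the @@ -2181 hunk changes the 0.0.9.1 header from "2004-12-16" to "2004-12-15", a release-date correction that is unrelated to the 0.1.1 entries the rest of the patch breaks out. Confirm the new date is the right one and consider landing it as its own change so the history for that header is not buried in this reorganisation.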