mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-27 22:03:31 +01:00
checkpoint changelog and general polishing
svn:r8497
This commit is contained in:
parent
bc848c8740
commit
ad430b9561
105
ChangeLog
105
ChangeLog
@ -1,51 +1,106 @@
|
||||
Changes in version 0.1.2.2-alpha - 2006-??-??
|
||||
o Major features:
|
||||
- Add server-side support for "reverse" DNS lookups (using PTR
|
||||
records so clients can determine the canonical hostname for a given
|
||||
IPv4 address). This has been specified for a long time, but was
|
||||
previously never implemented. This is only supported by eventdns;
|
||||
servers now announce in their descriptors whether they support
|
||||
eventdns.
|
||||
records so clients can determine the canonical hostname for a
|
||||
given IPv4 address). This has been specified for a long time,
|
||||
but was previously never implemented. This is only supported by
|
||||
eventdns; servers now announce in their descriptors whether they
|
||||
support eventdns.
|
||||
- Specify and implement client-side SOCKS5 interface for reverse DNS
|
||||
lookups; see doc/socks-extensions.txt for full information.
|
||||
|
||||
o Minor features:
|
||||
- Check for name servers (like Earthlink's) that hijack failing DNS
|
||||
requests and replace the 'no such server' answer with a "helpful"
|
||||
redirect to an advertising-driven search portal. We're a little clever
|
||||
about this, in order to work around DNS hijackers who "helpfully"
|
||||
decline to hijack known-invalid RFC2606 addresses. [Resolves bug 330.]
|
||||
requests and replace the no-such-server answer with a "helpful"
|
||||
redirect to an advertising-driven search portal. We're a little
|
||||
clever about this, in order to work around DNS hijackers who
|
||||
"helpfully" decline to hijack known-invalid RFC2606 addresses.
|
||||
Config option "ServerDNSDetectHijacking 0" lets you turn it off.
|
||||
- When asked to resolve a hostname, don't use non-exit servers unless
|
||||
requested to do so. This allows servers with broken DNS be useful to
|
||||
the network.
|
||||
requested to do so. This allows servers with broken DNS to
|
||||
be useful to the network.
|
||||
|
||||
o Security Fixes, minor
|
||||
o Security Fixes, minor:
|
||||
- If a client asked for a server by name, and we didn't have a
|
||||
descriptor for a named server with that name, we might return an old
|
||||
one.
|
||||
descriptor for a named server with that name, we might return an
|
||||
old one.
|
||||
- Fix NetBSD bug that could allow someone to force uninitialized RAM
|
||||
to be sent to a server's DNS resolver. This only affects NetBSD
|
||||
and other platforms that do not bounds-check tolower().
|
||||
|
||||
o Major bugfixes
|
||||
- When a client asks us to resolve (not connect to) an address,
|
||||
and we have a cached answer, give them the cached answer.
|
||||
Previously, we would give them no answer at all.
|
||||
o Major bugfixes:
|
||||
- Avoiding crashing on race condition in dns.c:
|
||||
tor_assert(! resolve->expire)
|
||||
- When a client asks the server to resolve (not connect to)
|
||||
an address, and it has a cached answer, give them the cached answer.
|
||||
Previously, the server would give them no answer at all.
|
||||
|
||||
o Minor Bugfixes
|
||||
- Small performance improvements on parsing descriptors (x2).
|
||||
- Major performance descriptor on inserting descriptors; change
|
||||
o Minor Bugfixes:
|
||||
- Two small performance improvements on parsing descriptors.
|
||||
- Major performance improvement on inserting descriptors: change
|
||||
algorithm from O(n^2) to O(n).
|
||||
- Make the common memory allocation path faster on machines where
|
||||
malloc(0) returns a pointer.
|
||||
- Fix a debug log message in eventdns to say "X resolved to Y"
|
||||
instead of "X resolved to X".
|
||||
- Prevent the 'exitlist' script from printing the same result more
|
||||
than once.
|
||||
- Build correctly for use on OS X platforms with case-sensitive
|
||||
filesystems.
|
||||
- Prevent the contrib/exitlist script from printing the same
|
||||
result more than once.
|
||||
- Resume building on non-gcc compilers and ancient gcc. Resume
|
||||
building with the -O0 compile flag. Resume building cleanly on
|
||||
Debian woody.
|
||||
- Correct includes for net/if.h and net/pfvar.h on OpenBSD (from Tup).
|
||||
- Improve Tor's chances of building and running on Cygwin again.
|
||||
- If we're a directory mirror and we ask for "all" network status
|
||||
documents, we would discard status documents from authorities
|
||||
we don't recognize.
|
||||
|
||||
o Documentation
|
||||
- Documented (and renamed) ServerDNSSearchDomains and
|
||||
ServerDNSResolvConfFile options.
|
||||
|
||||
|
||||
|
||||
o Packaging:
|
||||
- Patches so Tor builds with MinGW on Windows.
|
||||
- The Debian package now uses --verify-config when (re)starting,
|
||||
to distinguish configuration errors from other errors.
|
||||
- Update rpms to require libevent 1.1b.
|
||||
- Remove architecture from OS X builds. The official builds are
|
||||
now universal binaries.
|
||||
|
||||
- Make eventdns on-by-default.
|
||||
- Divide eventdns log messages into warn and info messages.
|
||||
- Add new config option "ResolvConf" to let the server operator
|
||||
choose an alternate resolve.conf file.
|
||||
|
||||
- Allow really slow clients to not hang up five minutes into their
|
||||
directory downloads (suggested by Adam J. Richter).
|
||||
- Apply patch from Adam Langley: fix assert() in eventdns.c.
|
||||
- Finally fix the openssl warnings with newer gccs that believe that
|
||||
ignoring a return value is okay, but casting a return value and
|
||||
then ignoring it is a sign of madness.
|
||||
- Don't crash when the controller receives a third argument to an
|
||||
"extendcircuit" request.
|
||||
- Add a "getinfo address" controller command.
|
||||
- Controller protocol fixes: fix encoding in "getinfo addr-mappings"
|
||||
response; fix error code when "getinfo dir/status/" fails.
|
||||
- Start remembering X-Your-Address-Is directory hints even if you're
|
||||
a client, so you can become a server more smoothly.
|
||||
- Avoid crash when telling controller stream-status and a stream
|
||||
is detached.
|
||||
- Avoid crashing when we mmap a router cache file of size 0.
|
||||
- Avoid duplicate entries on MyFamily line in server descriptor.
|
||||
- Patch from Steve Hildrey: Generate network status correctly on
|
||||
non-versioning dirservers.
|
||||
- Send out a burst of long-range drop cells after we've established
|
||||
that we're reachable. Spread them over 4 circuits, so hopefully
|
||||
a few will be fast. This exercises our bandwidth and bootstraps
|
||||
us quicker.
|
||||
- Remove 8888 as a long lived port, and add 6697 (ircs).
|
||||
|
||||
(stopped at r8478)
|
||||
|
||||
|
||||
Changes in version 0.1.2.1-alpha - 2006-08-27
|
||||
o Major features:
|
||||
- Add "eventdns" async dns library from Adam Langley, tweaked to
|
||||
|
4
doc/TODO
4
doc/TODO
@ -270,6 +270,10 @@ Deferred from 0.1.2.x:
|
||||
- Implement
|
||||
|
||||
Minor items for 0.1.2.x as time permits:
|
||||
- Don't let 'newnym' be triggered more often than every n seconds.
|
||||
- change log_fn() to log() on notice/warn/err logs where we can.
|
||||
- the deb now uses --verify-config to distinguish between configuration
|
||||
errors and other errors. Should the rpm, the ports, etc do this too?
|
||||
X If we try to publish as a nickname that's already claimed, should
|
||||
we append a number (or increment the number) and try again? This
|
||||
way people who read their logs can fix it as before, but people
|
||||
|
@ -347,7 +347,7 @@ $Id$
|
||||
set through any mechanism.
|
||||
|
||||
"address" -- the best guess at our external IP address. If we
|
||||
have no guess, return a 551 error.
|
||||
have no guess, return a 551 error. (Added in 0.1.2.2-alpha)
|
||||
|
||||
"circuit-status"
|
||||
A series of lines as for a circuit status event. Each line is of
|
||||
|
@ -47,10 +47,11 @@ Tor's extensions to the SOCKS protocol
|
||||
(We support RESOLVE in SOCKS4 too, even though it is unnecessary.)
|
||||
|
||||
For SOCKS5 only, we support reverse resolution with a new command value,
|
||||
"RESOLVE_PTR". In response to a "RESOLVE_PTR" SOCKS5 command with an IPv4
|
||||
address as its target, Tor attempts to find the canonical hostname for that
|
||||
IPv4 record, and returns it in the "server bound address" portion of the
|
||||
reply. (This was not supported before Tor 0.1.2.2-alpha)
|
||||
"RESOLVE_PTR" [F1]. In response to a "RESOLVE_PTR" SOCKS5 command with
|
||||
an IPv4 address as its target, Tor attempts to find the canonical
|
||||
hostname for that IPv4 record, and returns it in the "server bound
|
||||
address" portion of the reply.
|
||||
(This command was not supported before Tor 0.1.2.2-alpha.)
|
||||
|
||||
3. HTTP-resistance
|
||||
|
||||
|
@ -73,7 +73,7 @@ Type "make install"
|
||||
OR
|
||||
|
||||
Make zlib1.dll:
|
||||
Type "cd tor-mingw/zlib-1.2.3"/
|
||||
Type "cd tor-mingw/zlib-1.2.3/"
|
||||
Type "./configure"
|
||||
Type "make -f win32/Makefile.gcc"
|
||||
|
||||
|
@ -635,7 +635,7 @@ next day. All times are local, and given in 24-hour time. (Defaults to
|
||||
\fBServerDNSResolvConfFile \fR\fIfilename\fP
|
||||
Overrides the default DNS configuration with the configuration in
|
||||
\fIfilename\fP. The file format is the same as the standard Unix
|
||||
"\fBresolv.conf\fP" file (7). This option only effects name lookup for
|
||||
"\fBresolv.conf\fP" file (7). This option only affects name lookup for
|
||||
addresses requested by clients; and only takes effect if Tor was built with
|
||||
eventdns support. (Defaults to use the system DNS configuration.)
|
||||
.LP
|
||||
@ -645,7 +645,7 @@ If set to \fB1\fP, then we will search for addresses in the local search
|
||||
domain. For example, if this system is configured to believe it is in
|
||||
"example.com", and a client tries to connect to "www", the client will be
|
||||
connected to "www.example.com".
|
||||
This option only effects name lookup for addresses requested by clients.
|
||||
This option only affects name lookup for addresses requested by clients.
|
||||
(Defaults to "0".)
|
||||
.LP
|
||||
.TP
|
||||
@ -653,7 +653,7 @@ This option only effects name lookup for addresses requested by clients.
|
||||
When this option is set to 1, we will test periodically to determine whether
|
||||
our local nameservers have been configured to hijack failing DNS requests
|
||||
(usually to an advertising site). If they are, we will attempt to correct
|
||||
this. This option only effects name lookup for addresses requested by
|
||||
this. This option only affects name lookup for addresses requested by
|
||||
clients; and only takes effect if Tor was built with eventdns support.
|
||||
(Defaults to "1".)
|
||||
|
||||
|
@ -1326,7 +1326,8 @@ list_getinfo_options(void)
|
||||
|
||||
/** Lookup the 'getinfo' entry <b>question</b>, and return
|
||||
* the answer in <b>*answer</b> (or NULL if key not recognized).
|
||||
* Return 0 if success, or -1 if recognized but internal error. */
|
||||
* Return 0 if success or unrecognized, or -1 if recognized but
|
||||
* internal error. */
|
||||
static int
|
||||
handle_getinfo_helper(const char *question, char **answer)
|
||||
{
|
||||
@ -1572,7 +1573,7 @@ handle_getinfo_helper(const char *question, char **answer)
|
||||
} else if (!strcmpstart(question, "exit-policy/")) {
|
||||
return policies_getinfo_helper(question, answer);
|
||||
}
|
||||
return 0;
|
||||
return 0; /* unrecognized */
|
||||
}
|
||||
|
||||
/** Called when we receive a GETINFO command. Try to fetch all requested
|
||||
|
@ -1025,8 +1025,8 @@ connection_dir_client_reached_eof(dir_connection_t *conn)
|
||||
} else {
|
||||
/* Can we even end up here? -- weasel*/
|
||||
source = NS_FROM_DIR_BY_FP;
|
||||
log_warn(LD_BUG, "we received a networkstatus but we did neither ask"
|
||||
"for it by fp/ nor did we ask for all.");
|
||||
log_warn(LD_BUG, "we received a networkstatus but we didn't ask"
|
||||
"for it by fp/ or ask for all.");
|
||||
}
|
||||
cp = body;
|
||||
while (*cp) {
|
||||
|
16
src/or/dns.c
16
src/or/dns.c
@ -525,8 +525,8 @@ parse_inaddr_arpa_address(const char *address, struct in_addr *in)
|
||||
* if resolve valid, put it into <b>exitconn</b>-\>addr and return 1.
|
||||
* If resolve failed, unlink exitconn if needed, free it, and return -1.
|
||||
*
|
||||
* If <b>circ</b> is provided, and this is a resolve request, we have
|
||||
* a cached answer, send the answer back along circ; otherwise, send
|
||||
* If <b>oncirc</b> is provided, and this is a resolve request, we have
|
||||
* a cached answer, send the answer back along oncirc; otherwise, send
|
||||
* the answer back along <b>exitconn</b>'s attached circuit.
|
||||
*
|
||||
* Else, if seen before and pending, add conn to the pending list,
|
||||
@ -571,7 +571,7 @@ dns_resolve(edge_connection_t *exitconn, or_circuit_t *oncirc)
|
||||
|
||||
/* Check whether this is a reverse lookup. If it's malformed, or it's a
|
||||
* .in-addr.arpa address but this isn't a resolve request, kill the
|
||||
* connecction.
|
||||
* connection.
|
||||
*/
|
||||
if ((r = parse_inaddr_arpa_address(exitconn->_base.address, NULL)) != 0) {
|
||||
if (r == 1)
|
||||
@ -833,8 +833,8 @@ dns_cancel_pending_resolve(const char *address)
|
||||
}
|
||||
|
||||
/** Helper: adds an entry to the DNS cache mapping <b>address</b> to the ipv4
|
||||
* address <b>addr</b> (if is_reverse is 0) or the hostname <b>hostname</b> if
|
||||
* (is_reverse is 1). <b>ttl</b> is a cache ttl; <b>outcome</b> is one of
|
||||
* address <b>addr</b> (if is_reverse is 0) or the hostname <b>hostname</b> (if
|
||||
* is_reverse is 1). <b>ttl</b> is a cache ttl; <b>outcome</b> is one of
|
||||
* DNS_RESOLVE_{FAILED_TRANSIENT|FAILED_PERMANENT|SUCCEEDED}.
|
||||
**/
|
||||
static void
|
||||
@ -1727,15 +1727,15 @@ dns_launch_wildcard_checks(void)
|
||||
for (i = 0; i < N_WILDCARD_CHECKS; ++i) {
|
||||
/* RFC2606 reserves these. Sadly, some DNS hijackers, in a silly attempt
|
||||
* to 'comply' with rfc2606, refrain from giving A records for these.
|
||||
* This is the standards-complaince equivalent of making sure that your
|
||||
* This is the standards-compliance equivalent of making sure that your
|
||||
* crackhouse's elevator inspection certificate is up to date.
|
||||
*/
|
||||
launch_wildcard_check(2, 16, "%s.invalid");
|
||||
launch_wildcard_check(2, 16, "%s.test");
|
||||
|
||||
/* Thy somese will break specs if there are ever any number of
|
||||
/* These will break specs if there are ever any number of
|
||||
* 8+-character top-level domains. */
|
||||
launch_wildcard_check(8, 16,"");
|
||||
launch_wildcard_check(8, 16, "");
|
||||
|
||||
/* Try some random .com/org/net domains. This will work fine so long as
|
||||
* not too many resolve to the same place. */
|
||||
|
@ -348,7 +348,9 @@ typedef enum {
|
||||
#define _DIR_PURPOSE_MAX 9
|
||||
|
||||
#define _EXIT_PURPOSE_MIN 1
|
||||
/** This exit stream wants to do an ordinary connect. */
|
||||
#define EXIT_PURPOSE_CONNECT 1
|
||||
/** This exit stream wants to do a resolve (either normal or reverse). */
|
||||
#define EXIT_PURPOSE_RESOLVE 2
|
||||
#define _EXIT_PURPOSE_MAX 2
|
||||
|
||||
@ -1575,10 +1577,10 @@ typedef struct {
|
||||
* addresses to be FQDNs, but rather search for them in
|
||||
* the local domains. */
|
||||
int ServerDNSDetectHijacking; /**< Boolean: If true, check for DNS failure
|
||||
* hijacking */
|
||||
* hijacking. */
|
||||
char *ServerDNSResolvConfFile; /**< If provided, we configure our internal
|
||||
* resolver from the file here rather than from
|
||||
* /etc/resolv.conf (unix) or the registry (windows) */
|
||||
* /etc/resolv.conf (Unix) or the registry (Windows). */
|
||||
} or_options_t;
|
||||
|
||||
/** Persistent state for an onion router, as saved to disk. */
|
||||
|
Loading…
Reference in New Issue
Block a user