mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-10 05:03:43 +01:00
first draft of the Tor 0.2.0.x Release Notes.
svn:r15572
This commit is contained in:
parent
45742ce0b0
commit
bce6a96624
761
ReleaseNotes
761
ReleaseNotes
@ -3,6 +3,767 @@ This document summarizes new features and bugfixes in each stable release
|
||||
of Tor. If you want to see more detailed descriptions of the changes in
|
||||
each development snapshot, see the ChangeLog file.
|
||||
|
||||
Changes in version 0.2.0.30 - 2008-07-xx
|
||||
This new stable release switches to a more efficient directory
|
||||
distribution design, adds features to make Tor harder to block,
|
||||
allows Tor to act as a DNS proxy,
|
||||
|
||||
o New v3 directory design:
|
||||
- Tor now uses a new way to learn about and distribute information
|
||||
about the network: the directory authorities vote on a common
|
||||
network status document rather than each publishing their own
|
||||
opinion. Now clients and caches download only one networkstatus
|
||||
document to bootstrap, rather than downloading one for each
|
||||
authority. Clients only download router descriptors listed in
|
||||
the consensus. Implements proposal 101; see doc/spec/dir-spec.txt
|
||||
for details.
|
||||
- Set up moria1, tor26, and dizum as v3 directory authorities
|
||||
in addition to being v2 authorities. Also add three new ones:
|
||||
ides (run by Mike Perry), gabelmoo (run by Karsten Loesing), and
|
||||
dannenberg (run by CCC).
|
||||
- Switch to multi-level keys for directory authorities: now their
|
||||
long-term identity key can be kept offline, and they periodically
|
||||
generate a new signing key. Clients fetch the "key certificates"
|
||||
to keep up to date on the right keys. Add a standalone tool
|
||||
"tor-gencert" to generate key certificates. Implements proposal 103.
|
||||
- Add a new V3AuthUseLegacyKey config option to make it easier for
|
||||
v3 authorities to change their identity keys if another bug like
|
||||
Debian's OpenSSL RNG flaw appears.
|
||||
- Authorities and caches fetch the v2 networkstatus documents
|
||||
less often, now that v3 is recommended.
|
||||
|
||||
o Make Tor connections stand out less on the wire:
|
||||
- Use an improved TLS handshake designed by Steven Murdoch in proposal
|
||||
124, as revised in proposal 130. The new handshake is meant to
|
||||
be harder for censors to fingerprint, and it adds the ability
|
||||
to detect certain kinds of man-in-the-middle traffic analysis
|
||||
attacks. The new handshake format includes version negotiation for
|
||||
OR connections as described in proposal 105, which will allow us
|
||||
to improve Tor's link protocol more safely in the future.
|
||||
- Enable encrypted directory connections by default for non-relays,
|
||||
so censor tools that block Tor directory connections based on their
|
||||
plaintext patterns will no longer work. This means Tor works in
|
||||
certain censored countries by default again.
|
||||
- Stop including recognizeable strings in the commonname part of
|
||||
Tor's x509 certificates.
|
||||
|
||||
o Implement bridge relays:
|
||||
- Bridge relays (or "bridges" for short) are Tor relays that aren't
|
||||
listed in the main Tor directory. Since there is no complete public
|
||||
list of them, even an ISP that is filtering connections to all the
|
||||
known Tor relays probably won't be able to block all the bridges.
|
||||
See doc/design-paper/blocking.pdf and proposal 125 for details.
|
||||
- New config option BridgeRelay that specifies you want to be a
|
||||
bridge relay rather than a normal relay. When BridgeRelay is set
|
||||
to 1, then a) you cache dir info even if your DirPort ins't on,
|
||||
and b) the default for PublishServerDescriptor is now "bridge"
|
||||
rather than "v2,v3".
|
||||
- New config option "UseBridges 1" for clients that want to use bridge
|
||||
relays instead of ordinary entry guards. Clients then specify
|
||||
bridge relays by adding "Bridge" lines to their config file. Users
|
||||
can learn about a bridge relay either manually through word of
|
||||
mouth, or by one of our rate-limited mechanisms for giving out
|
||||
bridge addresses without letting an attacker easily enumerate them
|
||||
all. See https://www.torproject.org/bridges for details.
|
||||
- Bridge relays behave like clients with respect to time intervals
|
||||
for downloading new v3 consensus documents -- otherwise they
|
||||
stand out. Bridge users now wait until the end of the interval,
|
||||
so their bridge relay will be sure to have a new consensus document.
|
||||
|
||||
o Implement bridge directory authorities:
|
||||
- Bridge authorities are like normal directory authorities, except
|
||||
they don't serve a list of known bridges. Therefore users that know
|
||||
a bridge's fingerprint can fetch a relay descriptor for that bridge,
|
||||
including fetching updates e.g. if the bridge changes IP address,
|
||||
yet an attacker can't just fetch a list of all the bridges.
|
||||
- Set up Tonga as the default bridge directory authority.
|
||||
- Bridge authorities refuse to serve bridge descriptors or other
|
||||
bridge information over unencrypted connections (that is, when
|
||||
responding to direct DirPort requests rather than begin_dir cells.)
|
||||
- Bridge directory authorities do reachability testing on the
|
||||
bridges they know. They provide router status summaries to the
|
||||
controller via "getinfo ns/purpose/bridge", and also dump summaries
|
||||
to a file periodically, so we can keep internal stats about which
|
||||
bridges are functioning.
|
||||
- If bridge users set the UpdateBridgesFromAuthority config option,
|
||||
but the digest they ask for is a 404 on the bridge authority,
|
||||
they fall back to contacting the bridge directly.
|
||||
- Bridges always use begin_dir to publish their server descriptor to
|
||||
the bridge authority using an anonymous encrypted tunnel.
|
||||
- Early work on a "bridge community" design: if bridge authorities set
|
||||
the BridgePassword config option, they will serve a snapshot of
|
||||
known bridge routerstatuses from their DirPort to anybody who
|
||||
knows that password. Unset by default.
|
||||
- Tor now includes an IP-to-country GeoIP file, so bridge relays can
|
||||
report sanitized aggregated summaries in their extra-info documents
|
||||
privately to the bridge authority, listing which countries are
|
||||
able to reach them. We hope this mechanism will let us learn when
|
||||
certain countries start trying to block bridges.
|
||||
- Bridge authorities write bridge descriptors to disk, so they can
|
||||
reload them after a reboot. They can also export the descriptors
|
||||
to other programs, so we can distribute them to blocked users via
|
||||
the BridgeDB interface, e.g. via https://bridges.torproject.org/
|
||||
and bridges@torproject.org.
|
||||
|
||||
o Tor can be a DNS proxy:
|
||||
- The new client-side DNS proxy feature replaces the need for
|
||||
dns-proxy-tor: Just set "DNSPort 9999", and Tor will now listen
|
||||
for DNS requests on port 9999, use the Tor network to resolve them
|
||||
anonymously, and send the reply back like a regular DNS server.
|
||||
The code still only implements a subset of DNS.
|
||||
- Add a new AutomapHostsOnResolve option: when it is enabled, any
|
||||
resolve request for hosts matching a given pattern causes Tor to
|
||||
generate an internal virtual address mapping for that host. This
|
||||
allows DNSPort to work sensibly with hidden service users. By
|
||||
default, .exit and .onion addresses are remapped; the list of
|
||||
patterns can be reconfigured with AutomapHostsSuffixes.
|
||||
- Add an "-F" option to tor-resolve to force a resolve for a .onion
|
||||
address. Thanks to the AutomapHostsOnResolve option, this is no
|
||||
longer a completely silly thing to do.
|
||||
|
||||
o Major features (relay usability):
|
||||
- New config options RelayBandwidthRate and RelayBandwidthBurst:
|
||||
a separate set of token buckets for relayed traffic. Right now
|
||||
relayed traffic is defined as answers to directory requests, and
|
||||
OR connections that don't have any local circuits on them. See
|
||||
proposal 111 for details.
|
||||
- Create listener connections before we setuid to the configured
|
||||
User and Group. Now non-Windows users can choose port values
|
||||
under 1024, start Tor as root, and have Tor bind those ports
|
||||
before it changes to another UID. (Windows users could already
|
||||
pick these ports.)
|
||||
- Added a new ConstrainedSockets config option to set SO_SNDBUF and
|
||||
SO_RCVBUF on TCP sockets. Hopefully useful for Tor servers running
|
||||
on "vserver" accounts. Patch from coderman.
|
||||
|
||||
o Major features (directory authorities):
|
||||
- Directory authorities track weighted fractional uptime and weighted
|
||||
mean-time-between failures for relays. WFU is suitable for deciding
|
||||
whether a node is "usually up", while MTBF is suitable for deciding
|
||||
whether a node is "likely to stay up." We need both, because
|
||||
"usually up" is a good requirement for guards, while "likely to
|
||||
stay up" is a good requirement for long-lived connections.
|
||||
- Directory authorities use a new formula for selecting which relays
|
||||
to advertise as Guards: they must be in the top 7/8 in terms of
|
||||
how long we have known about them, and above the median of those
|
||||
nodes in terms of weighted fractional uptime.
|
||||
- Directory authorities use a new formula for selecting which relays
|
||||
to advertise as Stable: when we have 4 or more days of data, use
|
||||
median measured MTBF rather than median declared uptime. Implements
|
||||
proposal 108.
|
||||
- Directory authorities accept and serve "extra info" documents for
|
||||
routers. Routers now publish their bandwidth-history lines in the
|
||||
extra-info docs rather than the main descriptor. This step saves
|
||||
60% (!) on compressed router descriptor downloads. Servers upload
|
||||
extra-info docs to any authority that accepts them; directory
|
||||
authorities now allow multiple router descriptors and/or extra
|
||||
info documents to be uploaded in a single go. Authorities, and
|
||||
caches that have been configured to download extra-info documents,
|
||||
download them as needed. Implements proposal 104.
|
||||
- Authorities now list relays who have the same nickname as
|
||||
a different named relay, but list them with a new flag:
|
||||
"Unnamed". Now we can make use of relays that happen to pick the
|
||||
same nickname as a server that registered two years ago and then
|
||||
disappeared. Implements proposal 122.
|
||||
- Store routers in a file called cached-descriptors instead of in
|
||||
cached-routers. Initialize cached-descriptors from cached-routers
|
||||
if the old format is around. The new format allows us to store
|
||||
annotations along with descriptors, to record the time we received
|
||||
each descriptor, its source, and its purpose: currently one of
|
||||
general, controller, or bridge.
|
||||
|
||||
o Major features (other):
|
||||
- New config options WarnPlaintextPorts and RejectPlaintextPorts so
|
||||
Tor can warn and/or refuse connections to ports commonly used with
|
||||
vulnerable-plaintext protocols. Currently we warn on ports 23,
|
||||
109, 110, and 143, but we don't reject any. Based on proposal 129
|
||||
by Kevin Bauer and Damon McCoy.
|
||||
- Integrate Karsten Loesing's Google Summer of Code project to publish
|
||||
hidden service descriptors on a set of redundant relays that are a
|
||||
function of the hidden service address. Now we don't have to rely
|
||||
on three central hidden service authorities for publishing and
|
||||
fetching every hidden service descriptor. Implements proposal 114.
|
||||
- Allow tunnelled directory connections to ask for an encrypted
|
||||
"begin_dir" connection or an anonymized "uses a full Tor circuit"
|
||||
connection independently. Now we can make anonymized begin_dir
|
||||
connections for (e.g.) more secure hidden service posting and
|
||||
fetching.
|
||||
|
||||
o Major bugfixes (crashes and assert failures):
|
||||
- Stop imposing an arbitrary maximum on the number of file descriptors
|
||||
used for busy servers. Bug reported by Olaf Selke; patch from
|
||||
Sebastian Hahn.
|
||||
- Avoid possible failures when generating a directory with routers
|
||||
with over-long versions strings, or too many flags set.
|
||||
- Fix a rare assert error when we're closing one of our threads:
|
||||
use a mutex to protect the list of logs, so we never write to the
|
||||
list as it's being freed. Fixes the very rare bug 575, which is
|
||||
kind of the revenge of bug 222.
|
||||
- Avoid segfault in the case where a badly behaved v2 versioning
|
||||
directory sends a signed networkstatus with missing client-versions.
|
||||
- When we hit an EOF on a log (probably because we're shutting down),
|
||||
don't try to remove the log from the list: just mark it as
|
||||
unusable. (Bulletproofs against bug 222.)
|
||||
|
||||
o Major bugfixes (code security fixes):
|
||||
- Detect size overflow in zlib code. Reported by Justin Ferguson and
|
||||
Dan Kaminsky.
|
||||
- Rewrite directory tokenization code to never run off the end of
|
||||
a string. Fixes bug 455. Patch from croup.
|
||||
- Be more paranoid about overwriting sensitive memory on free(),
|
||||
as a defensive programming tactic to ensure forward secrecy.
|
||||
|
||||
o Major bugfixes (anonymity fixes):
|
||||
- Reject requests for reverse-dns lookup of names that are in
|
||||
a private address space. Patch from lodger.
|
||||
- Never report that we've used more bandwidth than we're willing to
|
||||
relay: it leaks how much non-relay traffic we're using. Resolves
|
||||
bug 516.
|
||||
- As a client, do not believe any server that tells us that an
|
||||
address maps to an internal address space.
|
||||
- Warn about unsafe ControlPort configurations.
|
||||
- Directory authorities now call routers Fast if their bandwidth is
|
||||
at least 100KB/s, and consider their bandwidth adequate to be a
|
||||
Guard if it is at least 250KB/s, no matter the medians. This fix
|
||||
complements proposal 107.
|
||||
- Directory authorities now never mark more than 3 servers per IP as
|
||||
Valid and Running. Implements proposal 109, by Kevin Bauer and
|
||||
Damon McCoy.
|
||||
- If we're a relay, avoid picking ourselves as an introduction point,
|
||||
a rendezvous point, or as the final hop for internal circuits. Bug
|
||||
reported by taranis and lodger.
|
||||
- Exit relays that are used as a client can now reach themselves
|
||||
using the .exit notation, rather than just launching an infinite
|
||||
pile of circuits. Fixes bug 641. Reported by Sebastian Hahn.
|
||||
- Fix a bug where, when we were choosing the 'end stream reason' to
|
||||
put in our relay end cell that we send to the exit relay, Tor
|
||||
clients on Windows were sometimes sending the wrong 'reason'. The
|
||||
anonymity problem is that exit relays may be able to guess whether
|
||||
the client is running Windows, thus helping partition the anonymity
|
||||
set. Down the road we should stop sending reasons to exit relays,
|
||||
or otherwise prevent future versions of this bug.
|
||||
- Only update guard status (usable / not usable) once we have
|
||||
enough directory information. This was causing us to discard all our
|
||||
guards on startup if we hadn't been running for a few weeks. Fixes
|
||||
bug 448.
|
||||
- When our directory information has been expired for a while, stop
|
||||
being willing to build circuits using it. Fixes bug 401.
|
||||
|
||||
o Major bugfixes (peace of mind for relay operators)
|
||||
- Non-exit relays no longer answer "resolve" relay cells, so they
|
||||
can't be induced to do arbitrary DNS requests. (Tor clients already
|
||||
avoid using non-exit relays for resolve cells, but now servers
|
||||
enforce this too.) Fixes bug 619. Patch from lodger.
|
||||
- When we setconf ClientOnly to 1, close any current OR and Dir
|
||||
listeners. Reported by mwenge.
|
||||
|
||||
o Major bugfixes (other):
|
||||
- If we only ever used Tor for hidden service lookups or posts, we
|
||||
would stop building circuits and start refusing connections after
|
||||
24 hours, since we falsely believed that Tor was dormant. Reported
|
||||
by nwf.
|
||||
- Add a new __HashedControlSessionPassword option for controllers
|
||||
to use for one-off session password hashes that shouldn't get
|
||||
saved to disk by SAVECONF --- Vidalia users were accumulating a
|
||||
pile of HashedControlPassword lines in their torrc files, one for
|
||||
each time they had restarted Tor and then clicked Save. Make Tor
|
||||
automatically convert "HashedControlPassword" to this new option but
|
||||
only when it's given on the command line. Partial fix for bug 586.
|
||||
- Patch from "Andrew S. Lists" to catch when we contact a directory
|
||||
mirror at IP address X and he says we look like we're coming from
|
||||
IP address X. Otherwise this would screw up our address detection.
|
||||
- Reject uploaded descriptors and extrainfo documents if they're
|
||||
huge. Otherwise we'll cache them all over the network and it'll
|
||||
clog everything up. Suggested by Aljosha Judmayer.
|
||||
|
||||
o Rate limiting and load balancing improvements:
|
||||
- When we add data to a write buffer in response to the data on that
|
||||
write buffer getting low because of a flush, do not consider the
|
||||
newly added data as a candidate for immediate flushing, but rather
|
||||
make it wait until the next round of writing. Otherwise, we flush
|
||||
and refill recursively, and a single greedy TLS connection can
|
||||
eat all of our bandwidth.
|
||||
- When counting the number of bytes written on a TLS connection,
|
||||
look at the BIO actually used for writing to the network, not
|
||||
at the BIO used (sometimes) to buffer data for the network.
|
||||
Looking at different BIOs could result in write counts on the
|
||||
order of ULONG_MAX. Fixes bug 614.
|
||||
- If we change our MaxAdvertisedBandwidth and then reload torrc,
|
||||
Tor won't realize it should publish a new relay descriptor. Fixes
|
||||
bug 688, reported by mfr.
|
||||
- Avoid using too little bandwidth when our clock skips a few seconds.
|
||||
- Choose which bridge to use proportional to its advertised bandwidth,
|
||||
rather than uniformly at random. This should speed up Tor for
|
||||
bridge users. Also do this for people who set StrictEntryNodes.
|
||||
|
||||
o Bootstrapping faster and building circuits more intelligently:
|
||||
- Fix bug 660 that was preventing us from knowing that we should
|
||||
preemptively build circuits to handle expected directory requests.
|
||||
- When we're checking if we have enough dir info for each relay
|
||||
to begin establishing circuits, make sure that we actually have
|
||||
the descriptor listed in the consensus, not just any descriptor.
|
||||
- Correctly notify one-hop connections when a circuit build has
|
||||
failed. Possible fix for bug 669. Found by lodger.
|
||||
- Clients now hold circuitless TLS connections open for 1.5 times
|
||||
MaxCircuitDirtiness (15 minutes), since it is likely that they'll
|
||||
rebuild a new circuit over them within that timeframe. Previously,
|
||||
they held them open only for KeepalivePeriod (5 minutes).
|
||||
|
||||
o Performance improvements (memory):
|
||||
- Add OpenBSD malloc code from "phk" as an optional malloc
|
||||
replacement on Linux: some glibc libraries do very poorly with
|
||||
Tor's memory allocation patterns. Pass --enable-openbsd-malloc to
|
||||
./configure to get the replacement malloc code.
|
||||
- Switch our old ring buffer implementation for one more like that
|
||||
used by free Unix kernels. The wasted space in a buffer with 1mb
|
||||
of data will now be more like 8k than 1mb. The new implementation
|
||||
also avoids realloc();realloc(); patterns that can contribute to
|
||||
memory fragmentation.
|
||||
- Change the way that Tor buffers data that it is waiting to write.
|
||||
Instead of queueing data cells in an enormous ring buffer for each
|
||||
client->OR or OR->OR connection, we now queue cells on a separate
|
||||
queue for each circuit. This lets us use less slack memory, and
|
||||
will eventually let us be smarter about prioritizing different kinds
|
||||
of traffic.
|
||||
- Reference-count and share copies of address policy entries; only 5%
|
||||
of them were actually distinct.
|
||||
- Tune parameters for cell pool allocation to minimize amount of
|
||||
RAM overhead used.
|
||||
- Keep unused 4k and 16k buffers on free lists, rather than wasting 8k
|
||||
for every single inactive connection_t. Free items from the
|
||||
4k/16k-buffer free lists when they haven't been used for a while.
|
||||
- Make memory debugging information describe more about history
|
||||
of cell allocation, so we can help reduce our memory use.
|
||||
- Be even more aggressive about releasing RAM from small
|
||||
empty buffers. Thanks to our free-list code, this shouldn't be too
|
||||
performance-intensive.
|
||||
- Log malloc statistics from mallinfo() on platforms where it exists.
|
||||
- Use memory pools to allocate cells with better speed and memory
|
||||
efficiency, especially on platforms where malloc() is inefficient.
|
||||
- Add a --with-tcmalloc option to the configure script to link
|
||||
against tcmalloc (if present). Does not yet search for non-system
|
||||
include paths.
|
||||
|
||||
o Performance improvements (socket management):
|
||||
- Count the number of open sockets separately from the number of
|
||||
active connection_t objects. This will let us avoid underusing
|
||||
our allocated connection limit.
|
||||
- We no longer use socket pairs to link an edge connection to an
|
||||
anonymous directory connection or a DirPort test connection.
|
||||
Instead, we track the link internally and transfer the data
|
||||
in-process. This saves two sockets per "linked" connection (at the
|
||||
client and at the server), and avoids the nasty Windows socketpair()
|
||||
workaround.
|
||||
- We were leaking a file descriptor if Tor started with a zero-length
|
||||
cached-descriptors file. Patch by "freddy77".
|
||||
|
||||
o Performance improvements (CPU use):
|
||||
- Never walk through the list of logs if we know that no log target
|
||||
is interested in a given message.
|
||||
- Call routerlist_remove_old_routers() much less often. This should
|
||||
speed startup, especially on directory caches.
|
||||
- Base64 decoding was actually showing up on our profile when parsing
|
||||
the initial descriptor file; switch to an in-process all-at-once
|
||||
implementation that's about 3.5x times faster than calling out to
|
||||
OpenSSL.
|
||||
- Use a slightly simpler string hashing algorithm (copying Python's
|
||||
instead of Java's) and optimize our digest hashing algorithm to take
|
||||
advantage of 64-bit platforms and to remove some possibly-costly
|
||||
voodoo.
|
||||
- When implementing AES counter mode, update only the portions of the
|
||||
counter buffer that need to change, and don't keep separate
|
||||
network-order and host-order counters on big-endian hosts (where
|
||||
they are the same).
|
||||
- Add an in-place version of aes_crypt() so that we can avoid doing a
|
||||
needless memcpy() call on each cell payload.
|
||||
- Use Critical Sections rather than Mutexes for synchronizing threads
|
||||
on win32; Mutexes are heavier-weight, and designed for synchronizing
|
||||
between processes.
|
||||
|
||||
o Performance improvements (bandwidth use):
|
||||
- Don't try to launch new descriptor downloads quite so often when we
|
||||
already have enough directory information to build circuits.
|
||||
- Version 1 directories are no longer generated in full. Instead,
|
||||
authorities generate and serve "stub" v1 directories that list
|
||||
no servers. This will stop Tor versions 0.1.0.x and earlier from
|
||||
working, but (for security reasons) nobody should be running those
|
||||
versions anyway.
|
||||
- Avoid going directly to the directory authorities even if you're a
|
||||
relay, if you haven't found yourself reachable yet or if you've
|
||||
decided not to advertise your dirport yet. Addresses bug 556.
|
||||
- If we've gone 12 hours since our last bandwidth check, and we
|
||||
estimate we have less than 50KB bandwidth capacity but we could
|
||||
handle more, do another bandwidth test.
|
||||
- Support "If-Modified-Since" when answering HTTP requests for
|
||||
directories, running-routers documents, and v2 and v3 networkstatus
|
||||
documents. (There's no need to support it for router descriptors,
|
||||
since those are downloaded by descriptor digest.)
|
||||
- Stop fetching directory info so aggressively if your DirPort is
|
||||
on but your ORPort is off; stop fetching v2 dir info entirely.
|
||||
You can override these choices with the new FetchDirInfoEarly
|
||||
config option.
|
||||
|
||||
o Changed config option behavior (features):
|
||||
- Configuration files now accept C-style strings as values. This
|
||||
helps encode characters not allowed in the current configuration
|
||||
file format, such as newline or #. Addresses bug 557.
|
||||
- Add hidden services and DNSPorts to the list of things that make
|
||||
Tor accept that it has running ports. Change starting Tor with no
|
||||
ports from a fatal error to a warning; we might change it back if
|
||||
this turns out to confuse anybody. Fixes bug 579.
|
||||
- Make PublishServerDescriptor default to 1, so the default doesn't
|
||||
have to change as we invent new directory protocol versions.
|
||||
- Allow people to say PreferTunnelledDirConns rather than
|
||||
PreferTunneledDirConns, for those alternate-spellers out there.
|
||||
- Raise the default BandwidthRate/BandwidthBurst to 5MB/10MB, to
|
||||
accommodate the growing number of servers that use the default
|
||||
and are reaching it.
|
||||
- Make it possible to enable HashedControlPassword and
|
||||
CookieAuthentication at the same time.
|
||||
- When a TrackHostExits-chosen exit fails too many times in a row,
|
||||
stop using it. Fixes bug 437.
|
||||
|
||||
o Changed config option behavior (bugfixes):
|
||||
- Do not read the configuration file when we've only been told to
|
||||
generate a password hash. Fixes bug 643. Bugfix on 0.0.9pre5. Fix
|
||||
based on patch from Sebastian Hahn.
|
||||
- Actually validate the options passed to AuthDirReject,
|
||||
AuthDirInvalid, AuthDirBadDir, and AuthDirBadExit.
|
||||
- Make "ClientOnly 1" config option disable directory ports too.
|
||||
- Don't stop fetching descriptors when FetchUselessDescriptors is
|
||||
set, even if we stop asking for circuits. Bug reported by tup
|
||||
and ioerror.
|
||||
- Servers used to decline to publish their DirPort if their
|
||||
BandwidthRate or MaxAdvertisedBandwidth were below a threshold. Now
|
||||
they look only at BandwidthRate and RelayBandwidthRate.
|
||||
- Treat "2gb" when given in torrc for a bandwidth as meaning 2gb,
|
||||
minus 1 byte: the actual maximum declared bandwidth.
|
||||
- Make "TrackHostExits ." actually work. Bugfix on 0.1.0.x.
|
||||
- Make the NodeFamilies config option work. (Reported by
|
||||
lodger -- it has never actually worked, even though we added it
|
||||
in Oct 2004.)
|
||||
- If Tor is invoked from something that isn't a shell (e.g. Vidalia),
|
||||
now we expand "-f ~/.tor/torrc" correctly. Suggested by Matt Edman.
|
||||
|
||||
o New config options:
|
||||
- New configuration options to override default maximum number of
|
||||
servers allowed on a single IP address. This is important for
|
||||
running a test network on a single host. XXX
|
||||
- Three new config options (AlternateDirAuthority,
|
||||
AlternateBridgeAuthority, and AlternateHSAuthority) that let the
|
||||
user selectively replace the default directory authorities by type,
|
||||
rather than the all-or-nothing replacement that DirServer offers.
|
||||
- New config options AuthDirBadDir and AuthDirListBadDirs for
|
||||
authorities to mark certain relays as "bad directories" in the
|
||||
networkstatus documents. Also supports the "!baddir" directive in
|
||||
the approved-routers file.
|
||||
- New config option V2AuthoritativeDirectory that all v2 directory
|
||||
authorities must set. This lets v3 authorities choose not to serve
|
||||
v2 directory information.
|
||||
|
||||
o Minor features (other):
|
||||
- When we're not serving v2 directory information, there is no reason
|
||||
to actually keep any around. Remove the obsolete files and directory
|
||||
on startup if they are very old and we aren't going to serve them.
|
||||
- When we negotiate a v2 link-layer connection (not yet implemented),
|
||||
accept RELAY_EARLY cells and turn them into RELAY cells if we've
|
||||
negotiated a v1 connection for their next step. Initial steps for
|
||||
proposal 110.
|
||||
- When we have no consensus, check FallbackNetworkstatusFile (defaults
|
||||
to $PREFIX/share/tor/fallback-consensus) for a consensus. This way
|
||||
we can start out knowing some directory caches. We don't ship with
|
||||
a fallback consensus by default though, because it wasn't making
|
||||
bootstrapping take too long while we tried many down relays.
|
||||
- Authorities send back an X-Descriptor-Not-New header in response to
|
||||
an accepted-but-discarded descriptor upload. Partially implements
|
||||
fix for bug 535.
|
||||
- If we find a cached-routers file that's been sitting around for more
|
||||
than 28 days unmodified, then most likely it's a leftover from
|
||||
when we upgraded to 0.2.0.8-alpha. Remove it. It has no good
|
||||
routers anyway.
|
||||
- When we (as a cache) download a descriptor because it was listed
|
||||
in a consensus, remember when the consensus was supposed to expire,
|
||||
and don't expire the descriptor until then.
|
||||
- Optionally (if built with -DEXPORTMALLINFO) export the output
|
||||
of mallinfo via http, as tor/mallinfo.txt. Only accessible
|
||||
from localhost.
|
||||
- Tag every guard node in our state file with the version that
|
||||
we believe added it, or with our own version if we add it. This way,
|
||||
if a user temporarily runs an old version of Tor and then switches
|
||||
back to a new one, she doesn't automatically lose her guards.
|
||||
- When somebody requests a list of statuses or servers, and we have
|
||||
none of those, return a 404 rather than an empty 200.
|
||||
- Merge in some (as-yet-unused) IPv6 address manipulation code. (Patch
|
||||
from croup.)
|
||||
- Add an HSAuthorityRecordStats option that hidden service authorities
|
||||
can use to track statistics of overall hidden service usage without
|
||||
logging information that would be as useful to an attacker.
|
||||
- Allow multiple HiddenServicePort directives with the same virtual
|
||||
port; when they occur, the user is sent round-robin to one
|
||||
of the target ports chosen at random. Partially fixes bug 393 by
|
||||
adding limited ad-hoc round-robining.
|
||||
- Revamp file-writing logic so we don't need to have the entire
|
||||
contents of a file in memory at once before we write to disk. Tor,
|
||||
meet stdio.
|
||||
|
||||
o Minor bugfixes (other):
|
||||
- Alter the code that tries to recover from unhandled write
|
||||
errors, to not try to flush onto a socket that's given us
|
||||
unhandled errors.
|
||||
- Directory mirrors no longer include a guess at the client's IP
|
||||
address if the connection appears to be coming from the same /24
|
||||
network; it was producing too many wrong guesses.
|
||||
- If we're trying to flush the last bytes on a connection (for
|
||||
example, when answering a directory request), reset the
|
||||
time-to-give-up timeout every time we manage to write something
|
||||
on the socket.
|
||||
- Reject router descriptors with out-of-range bandwidthcapacity or
|
||||
bandwidthburst values.
|
||||
- If we can't expand our list of entry guards (e.g. because we're
|
||||
using bridges or we have StrictEntryNodes set), don't mark relays
|
||||
down when they fail a directory request. Otherwise we're too quick
|
||||
to mark all our entry points down.
|
||||
- Authorities no longer send back "400 you're unreachable please fix
|
||||
it" errors to Tor servers that aren't online all the time. We're
|
||||
supposed to tolerate these servers now.
|
||||
- Let directory authorities startup even when they can't generate
|
||||
a descriptor immediately, e.g. because they don't know their
|
||||
address.
|
||||
- Correctly enforce that elements of directory objects do not appear
|
||||
more often than they are allowed to appear.
|
||||
- Stop allowing hibernating servers to be "stable" or "fast".
|
||||
- On Windows, we were preventing other processes from reading
|
||||
cached-routers while Tor was running. (Reported by janbar)
|
||||
- Check return values from pthread_mutex functions.
|
||||
|
||||
o Controller features:
|
||||
- The GETCONF command now escapes and quotes configuration values
|
||||
that don't otherwise fit into the torrc file.
|
||||
- The SETCONF command now handles quoted values correctly.
|
||||
- Add "GETINFO/desc-annotations/id/<OR digest>" so controllers can
|
||||
ask about source, timestamp of arrival, purpose, etc. We need
|
||||
something like this to help Vidalia not do GeoIP lookups on bridge
|
||||
addresses.
|
||||
- Allow multiple HashedControlPassword config lines, to support
|
||||
multiple controller passwords.
|
||||
- Accept LF instead of CRLF on controller, since some software has a
|
||||
hard time generating real Internet newlines.
|
||||
- Add GETINFO values for the server status events
|
||||
"REACHABILITY_SUCCEEDED" and "GOOD_SERVER_DESCRIPTOR". Patch from
|
||||
Robert Hogan.
|
||||
- There is now an ugly, temporary "desc/all-recent-extrainfo-hack"
|
||||
GETINFO for Torstat to use until it can switch to using extrainfos.
|
||||
- New config option CookieAuthFile to choose a new location for the
|
||||
cookie authentication file, and config option
|
||||
CookieAuthFileGroupReadable to make it group-readable.
|
||||
- Add a SOURCE_ADDR field to STREAM NEW events so that controllers can
|
||||
match requests to applications. Patch from Robert Hogan.
|
||||
- Add a RESOLVE command to launch hostname lookups. Original patch
|
||||
from Robert Hogan.
|
||||
- Add GETINFO status/enough-dir-info to let controllers tell whether
|
||||
Tor has downloaded sufficient directory information. Patch from Tup.
|
||||
- You can now use the ControlSocket option to tell Tor to listen for
|
||||
controller connections on Unix domain sockets on systems that
|
||||
support them. Patch from Peter Palfrader.
|
||||
- New "GETINFO address-mappings/*" command to get address mappings
|
||||
with expiry information. "addr-mappings/*" is now deprecated.
|
||||
Patch from Tup.
|
||||
- Add a new config option __DisablePredictedCircuits designed for
|
||||
use by the controller, when we don't want Tor to build any circuits
|
||||
preemptively.
|
||||
- Let the controller specify HOP=%d as an argument to ATTACHSTREAM,
|
||||
so we can exit from the middle of the circuit.
|
||||
- Implement "getinfo status/circuit-established".
|
||||
- Implement "getinfo status/version/..." so a controller can tell
|
||||
whether the current version is recommended, and whether any versions
|
||||
are good, and how many authorities agree. Patch from "shibz".
|
||||
- Controllers should now specify cache=no or cache=yes when using
|
||||
the +POSTDESCRIPTOR command.
|
||||
- Add a "PURPOSE=" argument to "STREAM NEW" events, as suggested by
|
||||
Robert Hogan. Fixes the first part of bug 681.
|
||||
- When reporting clock skew, and we know that the clock is _at least
|
||||
as skewed_ as some value, but we don't know the actual value,
|
||||
report the value as a "minimum skew."
|
||||
|
||||
o Controller bugfixes:
|
||||
- Generate "STATUS_SERVER" events rather than misspelled
|
||||
"STATUS_SEVER" events. Caught by mwenge.
|
||||
- Reject controller commands over 1MB in length, so rogue
|
||||
processes can't run us out of memory.
|
||||
- Change the behavior of "getinfo status/good-server-descriptor"
|
||||
so it doesn't return failure when any authority disappears.
|
||||
- Send NAMESERVER_STATUS messages for a single failed nameserver
|
||||
correctly.
|
||||
- When the DANGEROUS_VERSION controller status event told us we're
|
||||
running an obsolete version, it used the string "OLD" to describe
|
||||
it. Yet the "getinfo" interface used the string "OBSOLETE". Now use
|
||||
"OBSOLETE" in both cases.
|
||||
- Respond to INT and TERM SIGNAL commands before we execute the
|
||||
signal, in case the signal shuts us down. We had a patch in
|
||||
0.1.2.1-alpha that tried to do this by queueing the response on
|
||||
the connection's buffer before shutting down, but that really
|
||||
isn't the same thing at all. Bug located by Matt Edman.
|
||||
- Provide DNS expiry times in GMT, not in local time. For backward
|
||||
compatibility, ADDRMAP events only provide GMT expiry in an extended
|
||||
field. "GETINFO address-mappings" always does the right thing.
|
||||
- Use CRLF line endings properly in NS events.
|
||||
- Make 'getinfo fingerprint' return a 551 error if we're not a
|
||||
server, so we match what the control spec claims we do. Reported
|
||||
by daejees.
|
||||
- Fix a typo in an error message when extendcircuit fails that
|
||||
caused us to not follow the \r\n-based delimiter protocol. Reported
|
||||
by daejees.
|
||||
- When tunneling an encrypted directory connection, and its first
|
||||
circuit fails, do not leave it unattached and ask the controller
|
||||
to deal. Fixes the second part of bug 681.
|
||||
- Treat some 403 responses from directory servers as INFO rather than
|
||||
WARN-severity events.
|
||||
|
||||
o Portability / building / compiling:
|
||||
- When building with --enable-gcc-warnings, check for whether Apple's
|
||||
warning "-Wshorten-64-to-32" is available.
|
||||
- Support compilation to target iPhone; patch from cjacker huang.
|
||||
To build for iPhone, pass the --enable-iphone option to configure.
|
||||
- Detect non-ASCII platforms (if any still exist) and refuse to
|
||||
build there: some of our code assumes that 'A' is 65 and so on.
|
||||
- Clear up some MIPSPro compiler warnings.
|
||||
- Make autoconf search for libevent, openssl, and zlib consistently.
|
||||
- Update deprecated macros in configure.in.
|
||||
- When warning about missing headers, tell the user to let us
|
||||
know if the compile succeeds anyway, so we can downgrade the
|
||||
warning.
|
||||
- Include the current subversion revision as part of the version
|
||||
string: either fetch it directly if we're in an SVN checkout, do
|
||||
some magic to guess it if we're in an SVK checkout, or use
|
||||
the last-detected version if we're building from a .tar.gz.
|
||||
Use this version consistently in log messages.
|
||||
- Correctly report platform name on Windows 95 OSR2 and Windows 98 SE.
|
||||
- Read resolv.conf files correctly on platforms where read() returns
|
||||
partial results on small file reads.
|
||||
- Build without verbose warnings even on gcc 4.2 and 4.3.
|
||||
- On Windows, correctly detect errors when listing the contents of
|
||||
a directory. Fix from lodger.
|
||||
- Run 'make test' as part of 'make dist', so we stop releasing so
|
||||
many development snapshots that fail their unit tests.
|
||||
- Add support to detect Libevent versions in the 1.4.x series
|
||||
on mingw.
|
||||
- Add command-line arguments to unit-test executable so that we can
|
||||
invoke any chosen test from the command line rather than having
|
||||
to run the whole test suite at once; and so that we can turn on
|
||||
logging for the unit tests.
|
||||
- Do not automatically run configure from autogen.sh. This
|
||||
non-standard behavior tended to annoy people who have built other
|
||||
programs.
|
||||
|
||||
o Logging improvements:
|
||||
- When we haven't had any application requests lately, don't bother
|
||||
logging that we have expired a bunch of descriptors.
|
||||
- When attempting to open a logfile fails, tell us why.
|
||||
- Only log guard node status when guard node status has changed.
|
||||
- Downgrade the 3 most common "INFO" messages to "DEBUG". This will
|
||||
make "INFO" 75% less verbose.
|
||||
- When SafeLogging is disabled, log addresses along with all TLS
|
||||
errors.
|
||||
- Report TLS "zero return" case as a "clean close" and "IO error"
|
||||
as a "close". Stop calling closes "unexpected closes": existing
|
||||
Tors don't use SSL_close(), so having a connection close without
|
||||
the TLS shutdown handshake is hardly unexpected.
|
||||
- When we receive a consensus from the future, warn about skew.
|
||||
- Make "not enough dir info yet" warnings describe *why* Tor feels
|
||||
it doesn't have enough directory info yet.
|
||||
- On the USR1 signal, when dmalloc is in use, log the top 10 memory
|
||||
consumers. (We already do this on HUP.)
|
||||
- Give more descriptive well-formedness errors for out-of-range
|
||||
hidden service descriptor/protocol versions.
|
||||
- Stop recommending that every server operator send mail to tor-ops.
|
||||
Resolves bug 597. Bugfix on 0.1.2.x.
|
||||
- Improve skew reporting: try to give the user a better log message
|
||||
about how skewed they are, and how much this matters.
|
||||
- New --quiet command-line option to suppress the default console log.
|
||||
Good in combination with --hash-password.
|
||||
- Don't complain that "your server has not managed to confirm that its
|
||||
ports are reachable" if we haven't been able to build any circuits
|
||||
yet.
|
||||
- Detect the reason for failing to mmap a descriptor file we just
|
||||
wrote, and give a more useful log message. Fixes bug 533.
|
||||
- Always prepend "Bug: " to any log message about a bug.
|
||||
- When dumping memory usage, list bytes used in buffer memory
|
||||
free-lists.
|
||||
- When running with dmalloc, dump more stats on hup and on exit.
|
||||
- Put a platform string (e.g. "Linux i686") in the startup log
|
||||
message, so when people paste just their logs, we know if it's
|
||||
OpenBSD or Windows or what.
|
||||
- When logging memory usage, break down memory used in buffers by
|
||||
buffer type.
|
||||
- When we are reporting the DirServer line we just parsed, we were
|
||||
logging the second stanza of the key fingerprint, not the first.
|
||||
- Even though Windows is equally happy with / and \ as path separators,
|
||||
try to use \ consistently on Windows and / consistently on Unix: it
|
||||
makes the log messages nicer.
|
||||
- On OSX, stop warning the user that kqueue support in libevent is
|
||||
"experimental", since it seems to have worked fine for ages.
|
||||
|
||||
o Contributed scripts and tools:
|
||||
- Update linux-tor-prio.sh script to allow QoS based on the uid of
|
||||
the Tor process. Patch from Marco Bonetti with tweaks from Mike
|
||||
Perry.
|
||||
- Include the "tor-ctrl.sh" bash script by Stefan Behte to provide
|
||||
Unix users an easy way to script their Tor process (e.g. by
|
||||
adjusting bandwidth based on the time of the day).
|
||||
- In the exitlist script, only consider the most recently published
|
||||
server descriptor for each server. Also, when the user requests
|
||||
a list of servers that _reject_ connections to a given address,
|
||||
explicitly exclude the IPs that also have servers that accept
|
||||
connections to that address. Resolves bug 405.
|
||||
- Include a new contrib/tor-exit-notice.html file that exit relay
|
||||
operators can put on their website to help reduce abuse queries.
|
||||
|
||||
o Newly deprecated features:
|
||||
- The status/version/num-versioning and status/version/num-concurring
|
||||
GETINFO controller options are no longer useful in the v3 directory
|
||||
protocol: treat them as deprecated, and warn when they're used.
|
||||
- The RedirectExits config option is now deprecated.
|
||||
|
||||
o Removed features:
|
||||
- Drop the old code to choke directory connections when the
|
||||
corresponding OR connections got full: thanks to the cell queue
|
||||
feature, OR conns don't get full any more.
|
||||
- Remove the old "dns worker" server DNS code: it hasn't been default
|
||||
since 0.1.2.2-alpha, and all the servers are using the new
|
||||
eventdns code.
|
||||
- Remove the code to generate the oldest (v1) directory format.
|
||||
- Remove support for the old bw_accounting file: we've been storing
|
||||
bandwidth accounting information in the state file since
|
||||
0.1.2.5-alpha. This may result in bandwidth accounting errors
|
||||
if you try to upgrade from 0.1.1.x or earlier, or if you try to
|
||||
downgrade to 0.1.1.x or earlier.
|
||||
- Drop support for OpenSSL version 0.9.6. Just about nobody was using
|
||||
it, it had no AES, and it hasn't seen any security patches since
|
||||
2004.
|
||||
- Stop overloading the circuit_t.onionskin field for both "onionskin
|
||||
from a CREATE cell that we are waiting for a cpuworker to be
|
||||
assigned" and "onionskin from an EXTEND cell that we are going to
|
||||
send to an OR as soon as we are connected". Might help with bug 600.
|
||||
- Remove the tor_strpartition() function: its logic was confused,
|
||||
and it was only used for one thing that could be implemented far
|
||||
more easily.
|
||||
- Remove the contrib scripts ExerciseServer.py, PathDemo.py,
|
||||
and TorControl.py, as they use the old v0 controller protocol,
|
||||
and are obsoleted by TorFlow anyway.
|
||||
- Drop support for v1 rendezvous descriptors, since we never used
|
||||
them anyway, and the code has probably rotted by now. Based on
|
||||
patch from Karsten Loesing.
|
||||
- Stop allowing address masks that do not correspond to bit prefixes.
|
||||
We have warned about these for a really long time; now it's time
|
||||
to reject them. (Patch from croup.)
|
||||
- Remove an optimization in the AES counter-mode code that assumed
|
||||
that the counter never exceeded 2^68. When the counter can be set
|
||||
arbitrarily as an IV (as it is by Karsten's new hidden services
|
||||
code), this assumption no longer holds.
|
||||
- Disable the SETROUTERPURPOSE controller command: it is now
|
||||
obsolete.
|
||||
|
||||
|
||||
Changes in version 0.1.2.19 - 2008-01-17
|
||||
Tor 0.1.2.19 fixes a huge memory leak on exit relays, makes the default
|
||||
exit policy a little bit more conservative so it's safer to run an
|
||||
|
Loading…
Reference in New Issue
Block a user