mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-30 23:53:32 +01:00
8340 lines
420 KiB
Plaintext
8340 lines
420 KiB
Plaintext
Changes in version 0.2.2.3-alpha - 2009-??-??
|
|
|
|
Changes in version 0.2.2.2-alpha - 2009-09-21
|
|
o Major features:
|
|
- Tor now tracks how long it takes to build client-side circuits
|
|
over time, and adapts its timeout to local network performance.
|
|
Since a circuit that takes a long time to build will also provide
|
|
bad performance, we get significant latency improvements by
|
|
discarding the slowest 20% of circuits. Specifically, Tor creates
|
|
circuits more aggressively than usual until it has enough data
|
|
points for a good timeout estimate. Implements proposal 151.
|
|
We are especially looking for reports (good and bad) from users with
|
|
both EDGE and broadband connections that can move from broadband
|
|
to EDGE and find out if the build-time data in the .tor/state gets
|
|
reset without loss of Tor usability. You should also see a notice
|
|
log message telling you that Tor has reset its timeout.
|
|
- Directory authorities can now vote on arbitary integer values as
|
|
part of the consensus process. This is designed to help set
|
|
network-wide parameters. Implements proposal 167.
|
|
- Tor now reads the "circwindow" parameter out of the consensus,
|
|
and uses that value for its circuit package window rather than the
|
|
default of 1000 cells. Begins the implementation of proposal 168.
|
|
|
|
o Major bugfixes:
|
|
- Fix a remotely triggerable memory leak when a consensus document
|
|
contains more than one signature from the same voter. Bugfix on
|
|
0.2.0.3-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Fix an extremely rare infinite recursion bug that could occur if
|
|
we tried to log a message after shutting down the log subsystem.
|
|
Found by Matt Edman. Bugfix on 0.2.0.16-alpha.
|
|
- Fix parsing for memory or time units given without a space between
|
|
the number and the unit. Bugfix on 0.2.2.1-alpha; fixes bug 1076.
|
|
- A networkstatus vote must contain exactly one signature. Spec
|
|
conformance issue. Bugfix on 0.2.0.3-alpha.
|
|
- Fix an obscure bug where hidden services on 64-bit big-endian
|
|
systems might mis-read the timestamp in v3 introduce cells, and
|
|
refuse to connect back to the client. Discovered by "rotor".
|
|
Bugfix on 0.2.1.6-alpha.
|
|
- We were triggering a CLOCK_SKEW controller status event whenever
|
|
we connect via the v2 connection protocol to any relay that has
|
|
a wrong clock. Instead, we should only inform the controller when
|
|
it's a trusted authority that claims our clock is wrong. Bugfix
|
|
on 0.2.0.20-rc; starts to fix bug 1074. Reported by SwissTorExit.
|
|
- We were telling the controller about CHECKING_REACHABILITY and
|
|
REACHABILITY_FAILED status events whenever we launch a testing
|
|
circuit or notice that one has failed. Instead, only tell the
|
|
controller when we want to inform the user of overall success or
|
|
overall failure. Bugfix on 0.1.2.6-alpha. Fixes bug 1075. Reported
|
|
by SwissTorExit.
|
|
- Don't warn when we're using a circuit that ends with a node
|
|
excluded in ExcludeExitNodes, but the circuit is not used to access
|
|
the outside world. This should help fix bug 1090, but more problems
|
|
remain. Bugfix on 0.2.1.6-alpha.
|
|
- Work around a small memory leak in some versions of OpenSSL that
|
|
stopped the memory used by the hostname TLS extension from being
|
|
freed.
|
|
- Make our 'torify' script more portable; if we have only one of
|
|
'torsocks' or 'tsocks' installed, don't complain to the user;
|
|
and explain our warning about tsocks better.
|
|
|
|
o Minor features:
|
|
- Add a "getinfo status/accepted-server-descriptor" controller
|
|
command, which is the recommended way for controllers to learn
|
|
whether our server descriptor has been successfully received by at
|
|
least on directory authority. Un-recommend good-server-descriptor
|
|
getinfo and status events until we have a better design for them.
|
|
- Update to the "September 4 2009" ip-to-country file.
|
|
|
|
|
|
Changes in version 0.2.2.1-alpha - 2009-08-26
|
|
o Security fixes:
|
|
- Start the process of disabling ".exit" address notation, since it
|
|
can be used for a variety of esoteric application-level attacks
|
|
on users. To reenable it, set "AllowDotExit 1" in your torrc. Fix
|
|
on 0.0.9rc5.
|
|
|
|
o New directory authorities:
|
|
- Set up urras (run by Jacob Appelbaum) as the seventh v3 directory
|
|
authority.
|
|
|
|
o Major features:
|
|
- New AccelName and AccelDir options add support for dynamic OpenSSL
|
|
hardware crypto acceleration engines.
|
|
- Tor now supports tunneling all of its outgoing connections over
|
|
a SOCKS proxy, using the SOCKS4Proxy and/or SOCKS5Proxy
|
|
configuration options. Code by Christopher Davis.
|
|
|
|
o Major bugfixes:
|
|
- Send circuit or stream sendme cells when our window has decreased
|
|
by 100 cells, not when it has decreased by 101 cells. Bug uncovered
|
|
by Karsten when testing the "reduce circuit window" performance
|
|
patch. Bugfix on the 54th commit on Tor -- from July 2002,
|
|
before the release of Tor 0.0.0. This is the new winner of the
|
|
oldest-bug prize.
|
|
|
|
o New options for gathering stats safely:
|
|
- Directories that set "DirReqStatistics 1" write statistics on
|
|
directory request to disk every 24 hours. As compared to the
|
|
--enable-geoip-stats flag in 0.2.1.x, there are a few improvements:
|
|
1) stats are written to disk exactly every 24 hours; 2) estimated
|
|
shares of v2 and v3 requests are determined as mean values, not at
|
|
the end of a measurement period; 3) unresolved requests are listed
|
|
with country code '??'; 4) directories also measure download times.
|
|
- Exit nodes that set "ExitPortStatistics 1" write statistics on the
|
|
number of exit streams and transferred bytes per port to disk every
|
|
24 hours.
|
|
- Relays that set "CellStatistics 1" write statistics on how long
|
|
cells spend in their circuit queues to disk every 24 hours.
|
|
- Entry nodes that set "EntryStatistics 1" write statistics on the
|
|
rough number and origins of connecting clients to disk every 24
|
|
hours.
|
|
- Relays that write any of the above statistics to disk and set
|
|
"ExtraInfoStatistics 1" include the past 24 hours of statistics in
|
|
their extra-info documents.
|
|
|
|
o Minor features:
|
|
- New --digests command-line switch to output the digests of the
|
|
source files Tor was built with.
|
|
- The "torify" script now uses torsocks where available.
|
|
- The memarea code now uses a sentinel value at the end of each area
|
|
to make sure nothing writes beyond the end of an area. This might
|
|
help debug some conceivable causes of bug 930.
|
|
- Time and memory units in the configuration file can now be set to
|
|
fractional units. For example, "2.5 GB" is now a valid value for
|
|
AccountingMax.
|
|
- Certain Tor clients (such as those behind check.torproject.org) may
|
|
want to fetch the consensus in an extra early manner. To enable this
|
|
a user may now set FetchDirInfoExtraEarly to 1. This also depends on
|
|
setting FetchDirInfoEarly to 1. Previous behavior will stay the same
|
|
as only certain clients who must have this information sooner should
|
|
set this option.
|
|
- Instead of adding the svn revision to the Tor version string, report
|
|
the git commit (when we're building from a git checkout).
|
|
|
|
o Minor bugfixes:
|
|
- If any the v3 certs we download are unparseable, we should actually
|
|
notice the failure so we don't retry indefinitely. Bugfix on
|
|
0.2.0.x; reported by "rotator".
|
|
- If the cached cert file is unparseable, warn but don't exit.
|
|
- Fix possible segmentation fault on directory authorities. Bugfix on
|
|
0.2.1.14-rc.
|
|
- When Tor fails to parse a descriptor of any kind, dump it to disk.
|
|
Might help diagnosing bug 1051.
|
|
|
|
o Deprecated and removed features:
|
|
- The controller no longer accepts the old obsolete "addr-mappings/"
|
|
or "unregistered-servers-" GETINFO values.
|
|
- Hidden services no longer publish version 0 descriptors, and clients
|
|
do not request or use version 0 descriptors. However, the old hidden
|
|
service authorities still accept and serve version 0 descriptors
|
|
when contacted by older hidden services/clients.
|
|
- The EXTENDED_EVENTS and VERBOSE_NAMES controller features are now
|
|
always on; using them is necessary for correct forward-compatible
|
|
controllers.
|
|
- Remove support for .noconnect style addresses. Nobody was using
|
|
them, and they provided another avenue for detecting Tor users
|
|
via application-level web tricks.
|
|
|
|
o Packaging changes:
|
|
- Upgrade Vidalia from 0.1.15 to 0.2.3 in the Windows and OS X
|
|
installer bundles. See
|
|
https://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.2.3/CHANGELOG
|
|
for details of what's new in Vidalia 0.2.3.
|
|
- Windows Vidalia Bundle: update Privoxy from 3.0.6 to 3.0.14-beta.
|
|
- OS X Vidalia Bundle: move to Polipo 1.0.4 with Tor specific
|
|
configuration file, rather than the old Privoxy.
|
|
- OS X Vidalia Bundle: Vidalia, Tor, and Polipo are compiled as
|
|
x86-only for better compatibility with OS X 10.6, aka Snow Leopard.
|
|
- OS X Tor Expert Bundle: Tor is compiled as x86-only for
|
|
better compatibility with OS X 10.6, aka Snow Leopard.
|
|
- OS X Vidalia Bundle: The multi-package installer is now replaced
|
|
by a simple drag and drop to the /Applications folder. This change
|
|
occurred with the upgrade to Vidalia 0.2.3.
|
|
|
|
|
|
Changes in version 0.2.1.20 - 2009-??-??
|
|
o Major bugfixes:
|
|
- Send circuit or stream sendme cells when our window has decreased
|
|
by 100 cells, not when it has decreased by 101 cells. Bug uncovered
|
|
by Karsten when testing the "reduce circuit window" performance
|
|
patch. Bugfix on the 54th commit on Tor -- from July 2002,
|
|
before the release of Tor 0.0.0. This is the new winner of the
|
|
oldest-bug prize.
|
|
- Fix a remotely triggerable memory leak when a consensus document
|
|
contains more than one signature from the same voter. Bugfix on
|
|
0.2.0.3-alpha.
|
|
|
|
o New directory authorities:
|
|
- Set up urras (run by Jacob Appelbaum) as the seventh v3 directory
|
|
authority.
|
|
|
|
o Minor bugfixes:
|
|
- Fix a signed/unsigned compile warning in 0.2.1.19.
|
|
- Fix possible segmentation fault on directory authorities. Bugfix on
|
|
0.2.1.14-rc.
|
|
- Fix an extremely rare infinite recursion bug that could occur if
|
|
we tried to log a message after shutting down the log subsystem.
|
|
Found by Matt Edman. Bugfix on 0.2.0.16-alpha.
|
|
- Fix an obscure bug where hidden services on 64-bit big-endian
|
|
systems might mis-read the timestamp in v3 introduce cells, and
|
|
refuse to connect back to the client. Discovered by "rotor".
|
|
Bugfix on 0.2.1.6-alpha.
|
|
- We were triggering a CLOCK_SKEW controller status event whenever
|
|
we connect via the v2 connection protocol to any relay that has
|
|
a wrong clock. Instead, we should only inform the controller when
|
|
it's a trusted authority that claims our clock is wrong. Bugfix
|
|
on 0.2.0.20-rc; starts to fix bug 1074. Reported by SwissTorExit.
|
|
- We were telling the controller about CHECKING_REACHABILITY and
|
|
REACHABILITY_FAILED status events whenever we launch a testing
|
|
circuit or notice that one has failed. Instead, only tell the
|
|
controller when we want to inform the user of overall success or
|
|
overall failure. Bugfix on 0.1.2.6-alpha. Fixes bug 1075. Reported
|
|
by SwissTorExit.
|
|
- Don't warn when we're using a circuit that ends with a node
|
|
excluded in ExcludeExitNodes, but the circuit is not used to access
|
|
the outside world. This should help fix bug 1090. Bugfix on
|
|
0.2.1.6-alpha.
|
|
- Avoid segfault in rare cases when finishing an introduction circuit
|
|
as a client and finding out that we don't have an introduction key
|
|
for it. Fixes bug 1073. Reported by Aaron Swartz.
|
|
- Work around a small memory leak in some versions of OpenSSL that
|
|
stopped the memory used by the hostname TLS extension from being
|
|
freed.
|
|
|
|
o Minor features:
|
|
- Add a "getinfo status/accepted-server-descriptor" controller
|
|
command, which is the recommended way for controllers to learn
|
|
whether our server descriptor has been successfully received by at
|
|
least on directory authority. Un-recommend good-server-descriptor
|
|
getinfo and status events until we have a better design for them.
|
|
|
|
|
|
Changes in version 0.2.1.19 - 2009-07-28
|
|
Tor 0.2.1.19 fixes a major bug with accessing and providing hidden
|
|
services on Tor 0.2.1.3-alpha through 0.2.1.18.
|
|
|
|
o Major bugfixes:
|
|
- Make accessing hidden services on 0.2.1.x work right again.
|
|
Bugfix on 0.2.1.3-alpha; workaround for bug 1038. Diagnosis and
|
|
part of patch provided by "optimist".
|
|
|
|
o Minor features:
|
|
- When a relay/bridge is writing out its identity key fingerprint to
|
|
the "fingerprint" file and to its logs, write it without spaces. Now
|
|
it will look like the fingerprints in our bridges documentation,
|
|
and confuse fewer users.
|
|
|
|
o Minor bugfixes:
|
|
- Relays no longer publish a new server descriptor if they change
|
|
their MaxAdvertisedBandwidth config option but it doesn't end up
|
|
changing their advertised bandwidth numbers. Bugfix on 0.2.0.28-rc;
|
|
fixes bug 1026. Patch from Sebastian.
|
|
- Avoid leaking memory every time we get a create cell but we have
|
|
so many already queued that we refuse it. Bugfix on 0.2.0.19-alpha;
|
|
fixes bug 1034. Reported by BarkerJr.
|
|
|
|
|
|
Changes in version 0.2.1.18 - 2009-07-24
|
|
Tor 0.2.1.18 lays the foundations for performance improvements,
|
|
adds status events to help users diagnose bootstrap problems, adds
|
|
optional authentication/authorization for hidden services, fixes a
|
|
variety of potential anonymity problems, and includes a huge pile of
|
|
other features and bug fixes.
|
|
|
|
o Build fixes:
|
|
- Add LIBS=-lrt to Makefile.am so the Tor RPMs use a static libevent.
|
|
|
|
|
|
Changes in version 0.2.1.17-rc - 2009-07-07
|
|
Tor 0.2.1.17-rc marks the fourth -- and hopefully last -- release
|
|
candidate for the 0.2.1.x series. It lays the groundwork for further
|
|
client performance improvements, and also fixes a big bug with directory
|
|
authorities that were causing them to assign Guard and Stable flags
|
|
poorly.
|
|
|
|
The Windows bundles also finally include the geoip database that we
|
|
thought we'd been shipping since 0.2.0.x (oops), and the OS X bundles
|
|
should actually install Torbutton rather than giving you a cryptic
|
|
failure message (oops).
|
|
|
|
o Major features:
|
|
- Clients now use the bandwidth values in the consensus, rather than
|
|
the bandwidth values in each relay descriptor. This approach opens
|
|
the door to more accurate bandwidth estimates once the directory
|
|
authorities start doing active measurements. Implements more of
|
|
proposal 141.
|
|
|
|
o Major bugfixes:
|
|
- When Tor clients restart after 1-5 days, they discard all their
|
|
cached descriptors as too old, but they still use the cached
|
|
consensus document. This approach is good for robustness, but
|
|
bad for performance: since they don't know any bandwidths, they
|
|
end up choosing at random rather than weighting their choice by
|
|
speed. Fixed by the above feature of putting bandwidths in the
|
|
consensus. Bugfix on 0.2.0.x.
|
|
- Directory authorities were neglecting to mark relays down in their
|
|
internal histories if the relays fall off the routerlist without
|
|
ever being found unreachable. So there were relays in the histories
|
|
that haven't been seen for eight months, and are listed as being
|
|
up for eight months. This wreaked havoc on the "median wfu"
|
|
and "median mtbf" calculations, in turn making Guard and Stable
|
|
flags very wrong, hurting network performance. Fixes bugs 696 and
|
|
969. Bugfix on 0.2.0.6-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Serve the DirPortFrontPage page even when we have been approaching
|
|
our quotas recently. Fixes bug 1013; bugfix on 0.2.1.8-alpha.
|
|
- The control port would close the connection before flushing long
|
|
replies, such as the network consensus, if a QUIT command was issued
|
|
before the reply had completed. Now, the control port flushes all
|
|
pending replies before closing the connection. Also fixed a spurious
|
|
warning when a QUIT command is issued after a malformed or rejected
|
|
AUTHENTICATE command, but before the connection was closed. Patch
|
|
by Marcus Griep. Bugfix on 0.2.0.x; fixes bugs 1015 and 1016.
|
|
- When we can't find an intro key for a v2 hidden service descriptor,
|
|
fall back to the v0 hidden service descriptor and log a bug message.
|
|
Workaround for bug 1024.
|
|
- Fix a log message that did not respect the SafeLogging option.
|
|
Resolves bug 1027.
|
|
|
|
o Minor features:
|
|
- If we're a relay and we change our IP address, be more verbose
|
|
about the reason that made us change. Should help track down
|
|
further bugs for relays on dynamic IP addresses.
|
|
|
|
|
|
Changes in version 0.2.0.35 - 2009-06-24
|
|
o Security fix:
|
|
- Avoid crashing in the presence of certain malformed descriptors.
|
|
Found by lark, and by automated fuzzing.
|
|
- Fix an edge case where a malicious exit relay could convince a
|
|
controller that the client's DNS question resolves to an internal IP
|
|
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
|
|
|
|
o Major bugfixes:
|
|
- Finally fix the bug where dynamic-IP relays disappear when their
|
|
IP address changes: directory mirrors were mistakenly telling
|
|
them their old address if they asked via begin_dir, so they
|
|
never got an accurate answer about their new address, so they
|
|
just vanished after a day. For belt-and-suspenders, relays that
|
|
don't set Address in their config now avoid using begin_dir for
|
|
all direct connections. Should fix bugs 827, 883, and 900.
|
|
- Fix a timing-dependent, allocator-dependent, DNS-related crash bug
|
|
that would occur on some exit nodes when DNS failures and timeouts
|
|
occurred in certain patterns. Fix for bug 957.
|
|
|
|
o Minor bugfixes:
|
|
- When starting with a cache over a few days old, do not leak
|
|
memory for the obsolete router descriptors in it. Bugfix on
|
|
0.2.0.33; fixes bug 672.
|
|
- Hidden service clients didn't use a cached service descriptor that
|
|
was older than 15 minutes, but wouldn't fetch a new one either,
|
|
because there was already one in the cache. Now, fetch a v2
|
|
descriptor unless the same descriptor was added to the cache within
|
|
the last 15 minutes. Fixes bug 997; reported by Marcus Griep.
|
|
|
|
|
|
Changes in version 0.2.1.16-rc - 2009-06-20
|
|
Tor 0.2.1.16-rc speeds up performance for fast exit relays, and fixes
|
|
a bunch of minor bugs.
|
|
|
|
o Security fixes:
|
|
- Fix an edge case where a malicious exit relay could convince a
|
|
controller that the client's DNS question resolves to an internal IP
|
|
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
|
|
|
|
o Major performance improvements (on 0.2.0.x):
|
|
- Disable and refactor some debugging checks that forced a linear scan
|
|
over the whole server-side DNS cache. These accounted for over 50%
|
|
of CPU time on a relatively busy exit node's gprof profile. Found
|
|
by Jacob.
|
|
- Disable some debugging checks that appeared in exit node profile
|
|
data.
|
|
|
|
o Minor features:
|
|
- Update to the "June 3 2009" ip-to-country file.
|
|
- Do not have tor-resolve automatically refuse all .onion addresses;
|
|
if AutomapHostsOnResolve is set in your torrc, this will work fine.
|
|
|
|
o Minor bugfixes (on 0.2.0.x):
|
|
- Log correct error messages for DNS-related network errors on
|
|
Windows.
|
|
- Fix a race condition that could cause crashes or memory corruption
|
|
when running as a server with a controller listening for log
|
|
messages.
|
|
- Avoid crashing when we have a policy specified in a DirPolicy or
|
|
SocksPolicy or ReachableAddresses option with ports set on it,
|
|
and we re-load the policy. May fix bug 996.
|
|
- Hidden service clients didn't use a cached service descriptor that
|
|
was older than 15 minutes, but wouldn't fetch a new one either,
|
|
because there was already one in the cache. Now, fetch a v2
|
|
descriptor unless the same descriptor was added to the cache within
|
|
the last 15 minutes. Fixes bug 997; reported by Marcus Griep.
|
|
|
|
o Minor bugfixes (on 0.2.1.x):
|
|
- Don't warn users about low port and hibernation mix when they
|
|
provide a *ListenAddress directive to fix that. Bugfix on
|
|
0.2.1.15-rc.
|
|
- When switching back and forth between bridge mode, do not start
|
|
gathering GeoIP data until two hours have passed.
|
|
- Do not complain that the user has requested an excluded node as
|
|
an exit when the node is not really an exit. This could happen
|
|
because the circuit was for testing, or an introduction point.
|
|
Fix for bug 984.
|
|
|
|
|
|
Changes in version 0.2.1.15-rc - 2009-05-25
|
|
Tor 0.2.1.15-rc marks the second release candidate for the 0.2.1.x
|
|
series. It fixes a major bug on fast exit relays, as well as a variety
|
|
of more minor bugs.
|
|
|
|
o Major bugfixes (on 0.2.0.x):
|
|
- Fix a timing-dependent, allocator-dependent, DNS-related crash bug
|
|
that would occur on some exit nodes when DNS failures and timeouts
|
|
occurred in certain patterns. Fix for bug 957.
|
|
|
|
o Minor bugfixes (on 0.2.0.x):
|
|
- Actually return -1 in the error case for read_bandwidth_usage().
|
|
Harmless bug, since we currently don't care about the return value
|
|
anywhere. Bugfix on 0.2.0.9-alpha.
|
|
- Provide a more useful log message if bug 977 (related to buffer
|
|
freelists) ever reappears, and do not crash right away.
|
|
- Fix an assertion failure on 64-bit platforms when we allocated
|
|
memory right up to the end of a memarea, then realigned the memory
|
|
one step beyond the end. Fixes a possible cause of bug 930.
|
|
- Protect the count of open sockets with a mutex, so we can't
|
|
corrupt it when two threads are closing or opening sockets at once.
|
|
Fix for bug 939. Bugfix on 0.2.0.1-alpha.
|
|
- Don't allow a bridge to publish its router descriptor to a
|
|
non-bridge directory authority. Fixes part of bug 932.
|
|
- When we change to or from being a bridge, reset our counts of
|
|
client usage by country. Fixes bug 932.
|
|
- Fix a bug that made stream bandwidth get misreported to the
|
|
controller.
|
|
- Stop using malloc_usable_size() to use more area than we had
|
|
actually allocated: it was safe, but made valgrind really unhappy.
|
|
- Fix a memory leak when v3 directory authorities load their keys
|
|
and cert from disk. Bugfix on 0.2.0.1-alpha.
|
|
|
|
o Minor bugfixes (on 0.2.1.x):
|
|
- Fix use of freed memory when deciding to mark a non-addable
|
|
descriptor as never-downloadable. Bugfix on 0.2.1.9-alpha.
|
|
|
|
|
|
Changes in version 0.2.1.14-rc - 2009-04-12
|
|
Tor 0.2.1.14-rc marks the first release candidate for the 0.2.1.x
|
|
series. It begins fixing some major performance problems, and also
|
|
finally addresses the bug that was causing relays on dynamic IP
|
|
addresses to fall out of the directory.
|
|
|
|
o Major features:
|
|
- Clients replace entry guards that were chosen more than a few months
|
|
ago. This change should significantly improve client performance,
|
|
especially once more people upgrade, since relays that have been
|
|
a guard for a long time are currently overloaded.
|
|
|
|
o Major bugfixes (on 0.2.0):
|
|
- Finally fix the bug where dynamic-IP relays disappear when their
|
|
IP address changes: directory mirrors were mistakenly telling
|
|
them their old address if they asked via begin_dir, so they
|
|
never got an accurate answer about their new address, so they
|
|
just vanished after a day. For belt-and-suspenders, relays that
|
|
don't set Address in their config now avoid using begin_dir for
|
|
all direct connections. Should fix bugs 827, 883, and 900.
|
|
- Relays were falling out of the networkstatus consensus for
|
|
part of a day if they changed their local config but the
|
|
authorities discarded their new descriptor as "not sufficiently
|
|
different". Now directory authorities accept a descriptor as changed
|
|
if bandwidthrate or bandwidthburst changed. Partial fix for bug 962;
|
|
patch by Sebastian.
|
|
- Avoid crashing in the presence of certain malformed descriptors.
|
|
Found by lark, and by automated fuzzing.
|
|
|
|
o Minor features:
|
|
- When generating circuit events with verbose nicknames for
|
|
controllers, try harder to look up nicknames for routers on a
|
|
circuit. (Previously, we would look in the router descriptors we had
|
|
for nicknames, but not in the consensus.) Partial fix for bug 941.
|
|
- If the bridge config line doesn't specify a port, assume 443.
|
|
This makes bridge lines a bit smaller and easier for users to
|
|
understand.
|
|
- Raise the minimum bandwidth to be a relay from 20000 bytes to 20480
|
|
bytes (aka 20KB/s), to match our documentation. Also update
|
|
directory authorities so they always assign the Fast flag to relays
|
|
with 20KB/s of capacity. Now people running relays won't suddenly
|
|
find themselves not seeing any use, if the network gets faster
|
|
on average.
|
|
- Update to the "April 3 2009" ip-to-country file.
|
|
|
|
o Minor bugfixes:
|
|
- Avoid trying to print raw memory to the logs when we decide to
|
|
give up on downloading a given relay descriptor. Bugfix on
|
|
0.2.1.9-alpha.
|
|
- In tor-resolve, when the Tor client to use is specified by
|
|
<hostname>:<port>, actually use the specified port rather than
|
|
defaulting to 9050. Bugfix on 0.2.1.6-alpha.
|
|
- Make directory usage recording work again. Bugfix on 0.2.1.6-alpha.
|
|
- When starting with a cache over a few days old, do not leak
|
|
memory for the obsolete router descriptors in it. Bugfix on
|
|
0.2.0.33.
|
|
- Avoid double-free on list of successfully uploaded hidden
|
|
service discriptors. Fix for bug 948. Bugfix on 0.2.1.6-alpha.
|
|
- Change memarea_strndup() implementation to work even when
|
|
duplicating a string at the end of a page. This bug was
|
|
harmless for now, but could have meant crashes later. Fix by
|
|
lark. Bugfix on 0.2.1.1-alpha.
|
|
- Limit uploaded directory documents to be 16M rather than 500K.
|
|
The directory authorities were refusing v3 consensus votes from
|
|
other authorities, since the votes are now 504K. Fixes bug 959;
|
|
bugfix on 0.0.2pre17 (where we raised it from 50K to 500K ;).
|
|
- Directory authorities should never send a 503 "busy" response to
|
|
requests for votes or keys. Bugfix on 0.2.0.8-alpha; exposed by
|
|
bug 959.
|
|
|
|
|
|
Changes in version 0.2.1.13-alpha - 2009-03-09
|
|
Tor 0.2.1.13-alpha includes another big pile of minor bugfixes and
|
|
cleanups. We're finally getting close to a release candidate.
|
|
|
|
o Major bugfixes:
|
|
- Correctly update the list of which countries we exclude as
|
|
exits, when the GeoIP file is loaded or reloaded. Diagnosed by
|
|
lark. Bugfix on 0.2.1.6-alpha.
|
|
|
|
o Minor bugfixes (on 0.2.0.x and earlier):
|
|
- Automatically detect MacOSX versions earlier than 10.4.0, and
|
|
disable kqueue from inside Tor when running with these versions.
|
|
We previously did this from the startup script, but that was no
|
|
help to people who didn't use the startup script. Resolves bug 863.
|
|
- When we had picked an exit node for a connection, but marked it as
|
|
"optional", and it turned out we had no onion key for the exit,
|
|
stop wanting that exit and try again. This situation may not
|
|
be possible now, but will probably become feasible with proposal
|
|
158. Spotted by rovv. Fixes another case of bug 752.
|
|
- Clients no longer cache certificates for authorities they do not
|
|
recognize. Bugfix on 0.2.0.9-alpha.
|
|
- When we can't transmit a DNS request due to a network error, retry
|
|
it after a while, and eventually transmit a failing response to
|
|
the RESOLVED cell. Bugfix on 0.1.2.5-alpha.
|
|
- If the controller claimed responsibility for a stream, but that
|
|
stream never finished making its connection, it would live
|
|
forever in circuit_wait state. Now we close it after SocksTimeout
|
|
seconds. Bugfix on 0.1.2.7-alpha; reported by Mike Perry.
|
|
- Drop begin cells to a hidden service if they come from the middle
|
|
of a circuit. Patch from lark.
|
|
- When we erroneously receive two EXTEND cells for the same circuit
|
|
ID on the same connection, drop the second. Patch from lark.
|
|
- Fix a crash that occurs on exit nodes when a nameserver request
|
|
timed out. Bugfix on 0.1.2.1-alpha; our CLEAR debugging code had
|
|
been suppressing the bug since 0.1.2.10-alpha. Partial fix for
|
|
bug 929.
|
|
- Do not assume that a stack-allocated character array will be
|
|
64-bit aligned on platforms that demand that uint64_t access is
|
|
aligned. Possible fix for bug 604.
|
|
- Parse dates and IPv4 addresses in a locale- and libc-independent
|
|
manner, to avoid platform-dependent behavior on malformed input.
|
|
- Build correctly when configured to build outside the main source
|
|
path. Patch from Michael Gold.
|
|
- We were already rejecting relay begin cells with destination port
|
|
of 0. Now also reject extend cells with destination port or address
|
|
of 0. Suggested by lark.
|
|
|
|
o Minor bugfixes (on 0.2.1.x):
|
|
- Don't re-extend introduction circuits if we ran out of RELAY_EARLY
|
|
cells. Bugfix on 0.2.1.3-alpha. Fixes more of bug 878.
|
|
- If we're an exit node, scrub the IP address to which we are exiting
|
|
in the logs. Bugfix on 0.2.1.8-alpha.
|
|
|
|
o Minor features:
|
|
- On Linux, use the prctl call to re-enable core dumps when the user
|
|
is option is set.
|
|
- New controller event NEWCONSENSUS that lists the networkstatus
|
|
lines for every recommended relay. Now controllers like Torflow
|
|
can keep up-to-date on which relays they should be using.
|
|
- Update to the "February 26 2009" ip-to-country file.
|
|
|
|
|
|
Changes in version 0.2.0.34 - 2009-02-08
|
|
Tor 0.2.0.34 features several more security-related fixes. You should
|
|
upgrade, especially if you run an exit relay (remote crash) or a
|
|
directory authority (remote infinite loop), or you're on an older
|
|
(pre-XP) or not-recently-patched Windows (remote exploit).
|
|
|
|
This release marks end-of-life for Tor 0.1.2.x. Those Tor versions
|
|
have many known flaws, and nobody should be using them. You should
|
|
upgrade. If you're using a Linux or BSD and its packages are obsolete,
|
|
stop using those packages and upgrade anyway.
|
|
|
|
o Security fixes:
|
|
- Fix an infinite-loop bug on handling corrupt votes under certain
|
|
circumstances. Bugfix on 0.2.0.8-alpha.
|
|
- Fix a temporary DoS vulnerability that could be performed by
|
|
a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
|
|
- Avoid a potential crash on exit nodes when processing malformed
|
|
input. Remote DoS opportunity. Bugfix on 0.2.0.33.
|
|
- Do not accept incomplete ipv4 addresses (like 192.168.0) as valid.
|
|
Spec conformance issue. Bugfix on Tor 0.0.2pre27.
|
|
|
|
o Minor bugfixes:
|
|
- Fix compilation on systems where time_t is a 64-bit integer.
|
|
Patch from Matthias Drochner.
|
|
- Don't consider expiring already-closed client connections. Fixes
|
|
bug 893. Bugfix on 0.0.2pre20.
|
|
|
|
|
|
Changes in version 0.2.1.12-alpha - 2009-02-08
|
|
Tor 0.2.1.12-alpha features several more security-related fixes. You
|
|
should upgrade, especially if you run an exit relay (remote crash) or
|
|
a directory authority (remote infinite loop), or you're on an older
|
|
(pre-XP) or not-recently-patched Windows (remote exploit). It also
|
|
includes a big pile of minor bugfixes and cleanups.
|
|
|
|
o Security fixes:
|
|
- Fix an infinite-loop bug on handling corrupt votes under certain
|
|
circumstances. Bugfix on 0.2.0.8-alpha.
|
|
- Fix a temporary DoS vulnerability that could be performed by
|
|
a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
|
|
- Avoid a potential crash on exit nodes when processing malformed
|
|
input. Remote DoS opportunity. Bugfix on 0.2.1.7-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Let controllers actually ask for the "clients_seen" event for
|
|
getting usage summaries on bridge relays. Bugfix on 0.2.1.10-alpha;
|
|
reported by Matt Edman.
|
|
- Fix a compile warning on OSX Panther. Fixes bug 913; bugfix against
|
|
0.2.1.11-alpha.
|
|
- Fix a bug in address parsing that was preventing bridges or hidden
|
|
service targets from being at IPv6 addresses.
|
|
- Solve a bug that kept hardware crypto acceleration from getting
|
|
enabled when accounting was turned on. Fixes bug 907. Bugfix on
|
|
0.0.9pre6.
|
|
- Remove a bash-ism from configure.in to build properly on non-Linux
|
|
platforms. Bugfix on 0.2.1.1-alpha.
|
|
- Fix code so authorities _actually_ send back X-Descriptor-Not-New
|
|
headers. Bugfix on 0.2.0.10-alpha.
|
|
- Don't consider expiring already-closed client connections. Fixes
|
|
bug 893. Bugfix on 0.0.2pre20.
|
|
- Fix another interesting corner-case of bug 891 spotted by rovv:
|
|
Previously, if two hosts had different amounts of clock drift, and
|
|
one of them created a new connection with just the wrong timing,
|
|
the other might decide to deprecate the new connection erroneously.
|
|
Bugfix on 0.1.1.13-alpha.
|
|
- Resolve a very rare crash bug that could occur when the user forced
|
|
a nameserver reconfiguration during the middle of a nameserver
|
|
probe. Fixes bug 526. Bugfix on 0.1.2.1-alpha.
|
|
- Support changing value of ServerDNSRandomizeCase during SIGHUP.
|
|
Bugfix on 0.2.1.7-alpha.
|
|
- If we're using bridges and our network goes away, be more willing
|
|
to forgive our bridges and try again when we get an application
|
|
request. Bugfix on 0.2.0.x.
|
|
|
|
o Minor features:
|
|
- Support platforms where time_t is 64 bits long. (Congratulations,
|
|
NetBSD!) Patch from Matthias Drochner.
|
|
- Add a 'getinfo status/clients-seen' controller command, in case
|
|
controllers want to hear clients_seen events but connect late.
|
|
|
|
o Build changes:
|
|
- Disable GCC's strict alias optimization by default, to avoid the
|
|
likelihood of its introducing subtle bugs whenever our code violates
|
|
the letter of C99's alias rules.
|
|
|
|
|
|
Changes in version 0.2.0.33 - 2009-01-21
|
|
Tor 0.2.0.33 fixes a variety of bugs that were making relays less
|
|
useful to users. It also finally fixes a bug where a relay or client
|
|
that's been off for many days would take a long time to bootstrap.
|
|
|
|
This update also fixes an important security-related bug reported by
|
|
Ilja van Sprundel. You should upgrade. (We'll send out more details
|
|
about the bug once people have had some time to upgrade.)
|
|
|
|
o Security fixes:
|
|
- Fix a heap-corruption bug that may be remotely triggerable on
|
|
some platforms. Reported by Ilja van Sprundel.
|
|
|
|
o Major bugfixes:
|
|
- When a stream at an exit relay is in state "resolving" or
|
|
"connecting" and it receives an "end" relay cell, the exit relay
|
|
would silently ignore the end cell and not close the stream. If
|
|
the client never closes the circuit, then the exit relay never
|
|
closes the TCP connection. Bug introduced in Tor 0.1.2.1-alpha;
|
|
reported by "wood".
|
|
- When sending CREATED cells back for a given circuit, use a 64-bit
|
|
connection ID to find the right connection, rather than an addr:port
|
|
combination. Now that we can have multiple OR connections between
|
|
the same ORs, it is no longer possible to use addr:port to uniquely
|
|
identify a connection.
|
|
- Bridge relays that had DirPort set to 0 would stop fetching
|
|
descriptors shortly after startup, and then briefly resume
|
|
after a new bandwidth test and/or after publishing a new bridge
|
|
descriptor. Bridge users that try to bootstrap from them would
|
|
get a recent networkstatus but would get descriptors from up to
|
|
18 hours earlier, meaning most of the descriptors were obsolete
|
|
already. Reported by Tas; bugfix on 0.2.0.13-alpha.
|
|
- Prevent bridge relays from serving their 'extrainfo' document
|
|
to anybody who asks, now that extrainfo docs include potentially
|
|
sensitive aggregated client geoip summaries. Bugfix on
|
|
0.2.0.13-alpha.
|
|
- If the cached networkstatus consensus is more than five days old,
|
|
discard it rather than trying to use it. In theory it could be
|
|
useful because it lists alternate directory mirrors, but in practice
|
|
it just means we spend many minutes trying directory mirrors that
|
|
are long gone from the network. Also discard router descriptors as
|
|
we load them if they are more than five days old, since the onion
|
|
key is probably wrong by now. Bugfix on 0.2.0.x. Fixes bug 887.
|
|
|
|
o Minor bugfixes:
|
|
- Do not mark smartlist_bsearch_idx() function as ATTR_PURE. This bug
|
|
could make gcc generate non-functional binary search code. Bugfix
|
|
on 0.2.0.10-alpha.
|
|
- Build correctly on platforms without socklen_t.
|
|
- Compile without warnings on solaris.
|
|
- Avoid potential crash on internal error during signature collection.
|
|
Fixes bug 864. Patch from rovv.
|
|
- Correct handling of possible malformed authority signing key
|
|
certificates with internal signature types. Fixes bug 880.
|
|
Bugfix on 0.2.0.3-alpha.
|
|
- Fix a hard-to-trigger resource leak when logging credential status.
|
|
CID 349.
|
|
- When we can't initialize DNS because the network is down, do not
|
|
automatically stop Tor from starting. Instead, we retry failed
|
|
dns_init() every 10 minutes, and change the exit policy to reject
|
|
*:* until one succeeds. Fixes bug 691.
|
|
- Use 64 bits instead of 32 bits for connection identifiers used with
|
|
the controller protocol, to greatly reduce risk of identifier reuse.
|
|
- When we're choosing an exit node for a circuit, and we have
|
|
no pending streams, choose a good general exit rather than one that
|
|
supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv.
|
|
- Fix another case of assuming, when a specific exit is requested,
|
|
that we know more than the user about what hosts it allows.
|
|
Fixes one case of bug 752. Patch from rovv.
|
|
- Clip the MaxCircuitDirtiness config option to a minimum of 10
|
|
seconds. Warn the user if lower values are given in the
|
|
configuration. Bugfix on 0.1.0.1-rc. Patch by Sebastian.
|
|
- Clip the CircuitBuildTimeout to a minimum of 30 seconds. Warn the
|
|
user if lower values are given in the configuration. Bugfix on
|
|
0.1.1.17-rc. Patch by Sebastian.
|
|
- Fix a memory leak when we decline to add a v2 rendezvous descriptor to
|
|
the cache because we already had a v0 descriptor with the same ID.
|
|
Bugfix on 0.2.0.18-alpha.
|
|
- Fix a race condition when freeing keys shared between main thread
|
|
and CPU workers that could result in a memory leak. Bugfix on
|
|
0.1.0.1-rc. Fixes bug 889.
|
|
- Send a valid END cell back when a client tries to connect to a
|
|
nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
|
|
840. Patch from rovv.
|
|
- Check which hops rendezvous stream cells are associated with to
|
|
prevent possible guess-the-streamid injection attacks from
|
|
intermediate hops. Fixes another case of bug 446. Based on patch
|
|
from rovv.
|
|
- If a broken client asks a non-exit router to connect somewhere,
|
|
do not even do the DNS lookup before rejecting the connection.
|
|
Fixes another case of bug 619. Patch from rovv.
|
|
- When a relay gets a create cell it can't decrypt (e.g. because it's
|
|
using the wrong onion key), we were dropping it and letting the
|
|
client time out. Now actually answer with a destroy cell. Fixes
|
|
bug 904. Bugfix on 0.0.2pre8.
|
|
|
|
o Minor bugfixes (hidden services):
|
|
- Do not throw away existing introduction points on SIGHUP. Bugfix on
|
|
0.0.6pre1. Patch by Karsten. Fixes bug 874.
|
|
|
|
o Minor features:
|
|
- Report the case where all signatures in a detached set are rejected
|
|
differently than the case where there is an error handling the
|
|
detached set.
|
|
- When we realize that another process has modified our cached
|
|
descriptors, print out a more useful error message rather than
|
|
triggering an assertion. Fixes bug 885. Patch from Karsten.
|
|
- Implement the 0x20 hack to better resist DNS poisoning: set the
|
|
case on outgoing DNS requests randomly, and reject responses that do
|
|
not match the case correctly. This logic can be disabled with the
|
|
ServerDNSRamdomizeCase setting, if you are using one of the 0.3%
|
|
of servers that do not reliably preserve case in replies. See
|
|
"Increased DNS Forgery Resistance through 0x20-Bit Encoding"
|
|
for more info.
|
|
- Check DNS replies for more matching fields to better resist DNS
|
|
poisoning.
|
|
- Never use OpenSSL compression: it wastes RAM and CPU trying to
|
|
compress cells, which are basically all encrypted, compressed, or
|
|
both.
|
|
|
|
|
|
Changes in version 0.2.1.11-alpha - 2009-01-20
|
|
Tor 0.2.1.11-alpha finishes fixing the "if your Tor is off for a
|
|
week it will take a long time to bootstrap again" bug. It also fixes
|
|
an important security-related bug reported by Ilja van Sprundel. You
|
|
should upgrade. (We'll send out more details about the bug once people
|
|
have had some time to upgrade.)
|
|
|
|
o Security fixes:
|
|
- Fix a heap-corruption bug that may be remotely triggerable on
|
|
some platforms. Reported by Ilja van Sprundel.
|
|
|
|
o Major bugfixes:
|
|
- Discard router descriptors as we load them if they are more than
|
|
five days old. Otherwise if Tor is off for a long time and then
|
|
starts with cached descriptors, it will try to use the onion
|
|
keys in those obsolete descriptors when building circuits. Bugfix
|
|
on 0.2.0.x. Fixes bug 887.
|
|
|
|
o Minor features:
|
|
- Try to make sure that the version of Libevent we're running with
|
|
is binary-compatible with the one we built with. May address bug
|
|
897 and others.
|
|
- Make setting ServerDNSRandomizeCase to 0 actually work. Bugfix
|
|
for bug 905. Bugfix on 0.2.1.7-alpha.
|
|
- Add a new --enable-local-appdata configuration switch to change
|
|
the default location of the datadir on win32 from APPDATA to
|
|
LOCAL_APPDATA. In the future, we should migrate to LOCAL_APPDATA
|
|
entirely. Patch from coderman.
|
|
|
|
o Minor bugfixes:
|
|
- Make outbound DNS packets respect the OutboundBindAddress setting.
|
|
Fixes the bug part of bug 798. Bugfix on 0.1.2.2-alpha.
|
|
- When our circuit fails at the first hop (e.g. we get a destroy
|
|
cell back), avoid using that OR connection anymore, and also
|
|
tell all the one-hop directory requests waiting for it that they
|
|
should fail. Bugfix on 0.2.1.3-alpha.
|
|
- In the torify(1) manpage, mention that tsocks will leak your
|
|
DNS requests.
|
|
|
|
|
|
Changes in version 0.2.1.10-alpha - 2009-01-06
|
|
Tor 0.2.1.10-alpha fixes two major bugs in bridge relays (one that
|
|
would make the bridge relay not so useful if it had DirPort set to 0,
|
|
and one that could let an attacker learn a little bit of information
|
|
about the bridge's users), and a bug that would cause your Tor relay
|
|
to ignore a circuit create request it can't decrypt (rather than reply
|
|
with an error). It also fixes a wide variety of other bugs.
|
|
|
|
o Major bugfixes:
|
|
- If the cached networkstatus consensus is more than five days old,
|
|
discard it rather than trying to use it. In theory it could
|
|
be useful because it lists alternate directory mirrors, but in
|
|
practice it just means we spend many minutes trying directory
|
|
mirrors that are long gone from the network. Helps bug 887 a bit;
|
|
bugfix on 0.2.0.x.
|
|
- Bridge relays that had DirPort set to 0 would stop fetching
|
|
descriptors shortly after startup, and then briefly resume
|
|
after a new bandwidth test and/or after publishing a new bridge
|
|
descriptor. Bridge users that try to bootstrap from them would
|
|
get a recent networkstatus but would get descriptors from up to
|
|
18 hours earlier, meaning most of the descriptors were obsolete
|
|
already. Reported by Tas; bugfix on 0.2.0.13-alpha.
|
|
- Prevent bridge relays from serving their 'extrainfo' document
|
|
to anybody who asks, now that extrainfo docs include potentially
|
|
sensitive aggregated client geoip summaries. Bugfix on
|
|
0.2.0.13-alpha.
|
|
|
|
o Minor features:
|
|
- New controller event "clients_seen" to report a geoip-based summary
|
|
of which countries we've seen clients from recently. Now controllers
|
|
like Vidalia can show bridge operators that they're actually making
|
|
a difference.
|
|
- Build correctly against versions of OpenSSL 0.9.8 or later built
|
|
without support for deprecated functions.
|
|
- Update to the "December 19 2008" ip-to-country file.
|
|
|
|
o Minor bugfixes (on 0.2.0.x):
|
|
- Authorities now vote for the Stable flag for any router whose
|
|
weighted MTBF is at least 5 days, regardless of the mean MTBF.
|
|
- Do not remove routers as too old if we do not have any consensus
|
|
document. Bugfix on 0.2.0.7-alpha.
|
|
- Do not accept incomplete ipv4 addresses (like 192.168.0) as valid.
|
|
Spec conformance issue. Bugfix on Tor 0.0.2pre27.
|
|
- When an exit relay resolves a stream address to a local IP address,
|
|
do not just keep retrying that same exit relay over and
|
|
over. Instead, just close the stream. Addresses bug 872. Bugfix
|
|
on 0.2.0.32. Patch from rovv.
|
|
- If a hidden service sends us an END cell, do not consider
|
|
retrying the connection; just close it. Patch from rovv.
|
|
- When we made bridge authorities stop serving bridge descriptors over
|
|
unencrypted links, we also broke DirPort reachability testing for
|
|
bridges. So bridges with a non-zero DirPort were printing spurious
|
|
warns to their logs. Bugfix on 0.2.0.16-alpha. Fixes bug 709.
|
|
- When a relay gets a create cell it can't decrypt (e.g. because it's
|
|
using the wrong onion key), we were dropping it and letting the
|
|
client time out. Now actually answer with a destroy cell. Fixes
|
|
bug 904. Bugfix on 0.0.2pre8.
|
|
- Squeeze 2-5% out of client performance (according to oprofile) by
|
|
improving the implementation of some policy-manipulation functions.
|
|
|
|
o Minor bugfixes (on 0.2.1.x):
|
|
- Make get_interface_address() function work properly again; stop
|
|
guessing the wrong parts of our address as our address.
|
|
- Do not cannibalize a circuit if we're out of RELAY_EARLY cells to
|
|
send on that circuit. Otherwise we might violate the proposal-110
|
|
limit. Bugfix on 0.2.1.3-alpha. Partial fix for bug 878. Diagnosis
|
|
thanks to Karsten.
|
|
- When we're sending non-EXTEND cells to the first hop in a circuit,
|
|
for example to use an encrypted directory connection, we don't need
|
|
to use RELAY_EARLY cells: the first hop knows what kind of cell
|
|
it is, and nobody else can even see the cell type. Conserving
|
|
RELAY_EARLY cells makes it easier to cannibalize circuits like
|
|
this later.
|
|
- Stop logging nameserver addresses in reverse order.
|
|
- If we are retrying a directory download slowly over and over, do
|
|
not automatically give up after the 254th failure. Bugfix on
|
|
0.2.1.9-alpha.
|
|
- Resume reporting accurate "stream end" reasons to the local control
|
|
port. They were lost in the changes for Proposal 148. Bugfix on
|
|
0.2.1.9-alpha.
|
|
|
|
o Deprecated and removed features:
|
|
- The old "tor --version --version" command, which would print out
|
|
the subversion "Id" of most of the source files, is now removed. It
|
|
turned out to be less useful than we'd expected, and harder to
|
|
maintain.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Change our header file guard macros to be less likely to conflict
|
|
with system headers. Adam Langley noticed that we were conflicting
|
|
with log.h on Android.
|
|
- Tool-assisted documentation cleanup. Nearly every function or
|
|
static variable in Tor should have its own documentation now.
|
|
|
|
|
|
Changes in version 0.2.1.9-alpha - 2008-12-25
|
|
Tor 0.2.1.9-alpha fixes many more bugs, some of them security-related.
|
|
|
|
o New directory authorities:
|
|
- gabelmoo (the authority run by Karsten Loesing) now has a new
|
|
IP address.
|
|
|
|
o Security fixes:
|
|
- Never use a connection with a mismatched address to extend a
|
|
circuit, unless that connection is canonical. A canonical
|
|
connection is one whose address is authenticated by the router's
|
|
identity key, either in a NETINFO cell or in a router descriptor.
|
|
- Avoid a possible memory corruption bug when receiving hidden service
|
|
descriptors. Bugfix on 0.2.1.6-alpha.
|
|
|
|
o Major bugfixes:
|
|
- Fix a logic error that would automatically reject all but the first
|
|
configured DNS server. Bugfix on 0.2.1.5-alpha. Possible fix for
|
|
part of bug 813/868. Bug spotted by coderman.
|
|
- When a stream at an exit relay is in state "resolving" or
|
|
"connecting" and it receives an "end" relay cell, the exit relay
|
|
would silently ignore the end cell and not close the stream. If
|
|
the client never closes the circuit, then the exit relay never
|
|
closes the TCP connection. Bug introduced in 0.1.2.1-alpha;
|
|
reported by "wood".
|
|
- When we can't initialize DNS because the network is down, do not
|
|
automatically stop Tor from starting. Instead, retry failed
|
|
dns_init() every 10 minutes, and change the exit policy to reject
|
|
*:* until one succeeds. Fixes bug 691.
|
|
|
|
o Minor features:
|
|
- Give a better error message when an overzealous init script says
|
|
"sudo -u username tor --user username". Makes Bug 882 easier for
|
|
users to diagnose.
|
|
- When a directory authority gives us a new guess for our IP address,
|
|
log which authority we used. Hopefully this will help us debug
|
|
the recent complaints about bad IP address guesses.
|
|
- Detect svn revision properly when we're using git-svn.
|
|
- Try not to open more than one descriptor-downloading connection
|
|
to an authority at once. This should reduce load on directory
|
|
authorities. Fixes bug 366.
|
|
- Add cross-certification to newly generated certificates, so that
|
|
a signing key is enough information to look up a certificate.
|
|
Partial implementation of proposal 157.
|
|
- Start serving certificates by <identity digest, signing key digest>
|
|
pairs. Partial implementation of proposal 157.
|
|
- Clients now never report any stream end reason except 'MISC'.
|
|
Implements proposal 148.
|
|
- On platforms with a maximum syslog string length, truncate syslog
|
|
messages to that length ourselves, rather than relying on the
|
|
system to do it for us.
|
|
- Optimize out calls to time(NULL) that occur for every IO operation,
|
|
or for every cell. On systems where time() is a slow syscall,
|
|
this fix will be slightly helpful.
|
|
- Exit servers can now answer resolve requests for ip6.arpa addresses.
|
|
- When we download a descriptor that we then immediately (as
|
|
a directory authority) reject, do not retry downloading it right
|
|
away. Should save some bandwidth on authorities. Fix for bug
|
|
888. Patch by Sebastian Hahn.
|
|
- When a download gets us zero good descriptors, do not notify
|
|
Tor that new directory information has arrived.
|
|
- Avoid some nasty corner cases in the logic for marking connections
|
|
as too old or obsolete or noncanonical for circuits. Partial
|
|
bugfix on bug 891.
|
|
|
|
o Minor features (controller):
|
|
- New CONSENSUS_ARRIVED event to note when a new consensus has
|
|
been fetched and validated.
|
|
- When we realize that another process has modified our cached
|
|
descriptors file, print out a more useful error message rather
|
|
than triggering an assertion. Fixes bug 885. Patch from Karsten.
|
|
- Add an internal-use-only __ReloadTorrcOnSIGHUP option for
|
|
controllers to prevent SIGHUP from reloading the
|
|
configuration. Fixes bug 856.
|
|
|
|
o Minor bugfixes:
|
|
- Resume using the correct "REASON=" stream when telling the
|
|
controller why we closed a stream. Bugfix in 0.2.1.1-alpha.
|
|
- When a canonical connection appears later in our internal list
|
|
than a noncanonical one for a given OR ID, always use the
|
|
canonical one. Bugfix on 0.2.0.12-alpha. Fixes bug 805.
|
|
Spotted by rovv.
|
|
- Clip the MaxCircuitDirtiness config option to a minimum of 10
|
|
seconds. Warn the user if lower values are given in the
|
|
configuration. Bugfix on 0.1.0.1-rc. Patch by Sebastian.
|
|
- Clip the CircuitBuildTimeout to a minimum of 30 seconds. Warn the
|
|
user if lower values are given in the configuration. Bugfix on
|
|
0.1.1.17-rc. Patch by Sebastian.
|
|
- Fix a race condition when freeing keys shared between main thread
|
|
and CPU workers that could result in a memory leak. Bugfix on
|
|
0.1.0.1-rc. Fixes bug 889.
|
|
|
|
o Minor bugfixes (hidden services):
|
|
- Do not throw away existing introduction points on SIGHUP (bugfix on
|
|
0.0.6pre1); also, do not stall hidden services because we're
|
|
throwing away introduction points; bugfix on 0.2.1.7-alpha. Spotted
|
|
by John Brooks. Patch by Karsten. Fixes bug 874.
|
|
- Fix a memory leak when we decline to add a v2 rendezvous
|
|
descriptor to the cache because we already had a v0 descriptor
|
|
with the same ID. Bugfix on 0.2.0.18-alpha.
|
|
|
|
o Deprecated and removed features:
|
|
- RedirectExits has been removed. It was deprecated since
|
|
0.2.0.3-alpha.
|
|
- Finally remove deprecated "EXTENDED_FORMAT" controller feature. It
|
|
has been called EXTENDED_EVENTS since 0.1.2.4-alpha.
|
|
- Cell pools are now always enabled; --disable-cell-pools is ignored.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Rename the confusing or_is_obsolete field to the more appropriate
|
|
is_bad_for_new_circs, and move it to or_connection_t where it
|
|
belongs.
|
|
- Move edge-only flags from connection_t to edge_connection_t: not
|
|
only is this better coding, but on machines of plausible alignment,
|
|
it should save 4-8 bytes per connection_t. "Every little bit helps."
|
|
- Rename ServerDNSAllowBrokenResolvConf to ServerDNSAllowBrokenConfig
|
|
for consistency; keep old option working for backward compatibility.
|
|
- Simplify the code for finding connections to use for a circuit.
|
|
|
|
|
|
Changes in version 0.2.1.8-alpha - 2008-12-08
|
|
Tor 0.2.1.8-alpha fixes some crash bugs in earlier alpha releases,
|
|
builds better on unusual platforms like Solaris and old OS X, and
|
|
fixes a variety of other issues.
|
|
|
|
o Major features:
|
|
- New DirPortFrontPage option that takes an html file and publishes
|
|
it as "/" on the DirPort. Now relay operators can provide a
|
|
disclaimer without needing to set up a separate webserver. There's
|
|
a sample disclaimer in contrib/tor-exit-notice.html.
|
|
|
|
o Security fixes:
|
|
- When the client is choosing entry guards, now it selects at most
|
|
one guard from a given relay family. Otherwise we could end up with
|
|
all of our entry points into the network run by the same operator.
|
|
Suggested by Camilo Viecco. Fix on 0.1.1.11-alpha.
|
|
|
|
o Major bugfixes:
|
|
- Fix a DOS opportunity during the voting signature collection process
|
|
at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x.
|
|
- Fix a possible segfault when establishing an exit connection. Bugfix
|
|
on 0.2.1.5-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Get file locking working on win32. Bugfix on 0.2.1.6-alpha. Fixes
|
|
bug 859.
|
|
- Made Tor a little less aggressive about deleting expired
|
|
certificates. Partial fix for bug 854.
|
|
- Stop doing unaligned memory access that generated bus errors on
|
|
sparc64. Bugfix on 0.2.0.10-alpha. Fix for bug 862.
|
|
- Fix a crash bug when changing EntryNodes from the controller. Bugfix
|
|
on 0.2.1.6-alpha. Fix for bug 867. Patched by Sebastian.
|
|
- Make USR2 log-level switch take effect immediately. Bugfix on
|
|
0.1.2.8-beta.
|
|
- If one win32 nameserver fails to get added, continue adding the
|
|
rest, and don't automatically fail.
|
|
- Use fcntl() for locking when flock() is not available. Should fix
|
|
compilation on Solaris. Should fix Bug 873. Bugfix on 0.2.1.6-alpha.
|
|
- Do not mark smartlist_bsearch_idx() function as ATTR_PURE. This bug
|
|
could make gcc generate non-functional binary search code. Bugfix
|
|
on 0.2.0.10-alpha.
|
|
- Build correctly on platforms without socklen_t.
|
|
- Avoid potential crash on internal error during signature collection.
|
|
Fixes bug 864. Patch from rovv.
|
|
- Do not use C's stdio library for writing to log files. This will
|
|
improve logging performance by a minute amount, and will stop
|
|
leaking fds when our disk is full. Fixes bug 861.
|
|
- Stop erroneous use of O_APPEND in cases where we did not in fact
|
|
want to re-seek to the end of a file before every last write().
|
|
- Correct handling of possible malformed authority signing key
|
|
certificates with internal signature types. Fixes bug 880. Bugfix
|
|
on 0.2.0.3-alpha.
|
|
- Fix a hard-to-trigger resource leak when logging credential status.
|
|
CID 349.
|
|
|
|
o Minor features:
|
|
- Directory mirrors no longer fetch the v1 directory or
|
|
running-routers files. They are obsolete, and nobody asks for them
|
|
anymore. This is the first step to making v1 authorities obsolete.
|
|
|
|
o Minor features (controller):
|
|
- Return circuit purposes in response to GETINFO circuit-status. Fixes
|
|
bug 858.
|
|
|
|
|
|
Changes in version 0.2.0.32 - 2008-11-20
|
|
Tor 0.2.0.32 fixes a major security problem in Debian and Ubuntu
|
|
packages (and maybe other packages) noticed by Theo de Raadt, fixes
|
|
a smaller security flaw that might allow an attacker to access local
|
|
services, further improves hidden service performance, and fixes a
|
|
variety of other issues.
|
|
|
|
o Security fixes:
|
|
- The "User" and "Group" config options did not clear the
|
|
supplementary group entries for the Tor process. The "User" option
|
|
is now more robust, and we now set the groups to the specified
|
|
user's primary group. The "Group" option is now ignored. For more
|
|
detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
|
|
in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
|
|
and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848 and 857.
|
|
- The "ClientDNSRejectInternalAddresses" config option wasn't being
|
|
consistently obeyed: if an exit relay refuses a stream because its
|
|
exit policy doesn't allow it, we would remember what IP address
|
|
the relay said the destination address resolves to, even if it's
|
|
an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
|
|
|
|
o Major bugfixes:
|
|
- Fix a DOS opportunity during the voting signature collection process
|
|
at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x.
|
|
|
|
o Major bugfixes (hidden services):
|
|
- When fetching v0 and v2 rendezvous service descriptors in parallel,
|
|
we were failing the whole hidden service request when the v0
|
|
descriptor fetch fails, even if the v2 fetch is still pending and
|
|
might succeed. Similarly, if the last v2 fetch fails, we were
|
|
failing the whole hidden service request even if a v0 fetch is
|
|
still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
|
|
- When extending a circuit to a hidden service directory to upload a
|
|
rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
|
|
requests failed, because the router descriptor has not been
|
|
downloaded yet. In these cases, do not attempt to upload the
|
|
rendezvous descriptor, but wait until the router descriptor is
|
|
downloaded and retry. Likewise, do not attempt to fetch a rendezvous
|
|
descriptor from a hidden service directory for which the router
|
|
descriptor has not yet been downloaded. Fixes bug 767. Bugfix
|
|
on 0.2.0.10-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Fix several infrequent memory leaks spotted by Coverity.
|
|
- When testing for libevent functions, set the LDFLAGS variable
|
|
correctly. Found by Riastradh.
|
|
- Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
|
|
bootstrapping with tunneled directory connections. Bugfix on
|
|
0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
|
|
- When asked to connect to A.B.exit:80, if we don't know the IP for A
|
|
and we know that server B rejects most-but-not all connections to
|
|
port 80, we would previously reject the connection. Now, we assume
|
|
the user knows what they were asking for. Fixes bug 752. Bugfix
|
|
on 0.0.9rc5. Diagnosed by BarkerJr.
|
|
- If we overrun our per-second write limits a little, count this as
|
|
having used up our write allocation for the second, and choke
|
|
outgoing directory writes. Previously, we had only counted this when
|
|
we had met our limits precisely. Fixes bug 824. Patch from by rovv.
|
|
Bugfix on 0.2.0.x (??).
|
|
- Remove the old v2 directory authority 'lefkada' from the default
|
|
list. It has been gone for many months.
|
|
- Stop doing unaligned memory access that generated bus errors on
|
|
sparc64. Bugfix on 0.2.0.10-alpha. Fixes bug 862.
|
|
- Make USR2 log-level switch take effect immediately. Bugfix on
|
|
0.1.2.8-beta.
|
|
|
|
o Minor bugfixes (controller):
|
|
- Make DNS resolved events into "CLOSED", not "FAILED". Bugfix on
|
|
0.1.2.5-alpha. Fix by Robert Hogan. Resolves bug 807.
|
|
|
|
|
|
Changes in version 0.2.1.7-alpha - 2008-11-08
|
|
Tor 0.2.1.7-alpha fixes a major security problem in Debian and Ubuntu
|
|
packages (and maybe other packages) noticed by Theo de Raadt, fixes
|
|
a smaller security flaw that might allow an attacker to access local
|
|
services, adds better defense against DNS poisoning attacks on exit
|
|
relays, further improves hidden service performance, and fixes a
|
|
variety of other issues.
|
|
|
|
o Security fixes:
|
|
- The "ClientDNSRejectInternalAddresses" config option wasn't being
|
|
consistently obeyed: if an exit relay refuses a stream because its
|
|
exit policy doesn't allow it, we would remember what IP address
|
|
the relay said the destination address resolves to, even if it's
|
|
an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
|
|
- The "User" and "Group" config options did not clear the
|
|
supplementary group entries for the Tor process. The "User" option
|
|
is now more robust, and we now set the groups to the specified
|
|
user's primary group. The "Group" option is now ignored. For more
|
|
detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
|
|
in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
|
|
and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848.
|
|
- Do not use or believe expired v3 authority certificates. Patch
|
|
from Karsten. Bugfix in 0.2.0.x. Fixes bug 851.
|
|
|
|
o Minor features:
|
|
- Now NodeFamily and MyFamily config options allow spaces in
|
|
identity fingerprints, so it's easier to paste them in.
|
|
Suggested by Lucky Green.
|
|
- Implement the 0x20 hack to better resist DNS poisoning: set the
|
|
case on outgoing DNS requests randomly, and reject responses that do
|
|
not match the case correctly. This logic can be disabled with the
|
|
ServerDNSRandomizeCase setting, if you are using one of the 0.3%
|
|
of servers that do not reliably preserve case in replies. See
|
|
"Increased DNS Forgery Resistance through 0x20-Bit Encoding"
|
|
for more info.
|
|
- Preserve case in replies to DNSPort requests in order to support
|
|
the 0x20 hack for resisting DNS poisoning attacks.
|
|
|
|
o Hidden service performance improvements:
|
|
- When the client launches an introduction circuit, retry with a
|
|
new circuit after 30 seconds rather than 60 seconds.
|
|
- Launch a second client-side introduction circuit in parallel
|
|
after a delay of 15 seconds (based on work by Christian Wilms).
|
|
- Hidden services start out building five intro circuits rather
|
|
than three, and when the first three finish they publish a service
|
|
descriptor using those. Now we publish our service descriptor much
|
|
faster after restart.
|
|
|
|
o Minor bugfixes:
|
|
- Minor fix in the warning messages when you're having problems
|
|
bootstrapping; also, be more forgiving of bootstrap problems when
|
|
we're still making incremental progress on a given bootstrap phase.
|
|
- When we're choosing an exit node for a circuit, and we have
|
|
no pending streams, choose a good general exit rather than one that
|
|
supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv.
|
|
- Send a valid END cell back when a client tries to connect to a
|
|
nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
|
|
840. Patch from rovv.
|
|
- If a broken client asks a non-exit router to connect somewhere,
|
|
do not even do the DNS lookup before rejecting the connection.
|
|
Fixes another case of bug 619. Patch from rovv.
|
|
- Fix another case of assuming, when a specific exit is requested,
|
|
that we know more than the user about what hosts it allows.
|
|
Fixes another case of bug 752. Patch from rovv.
|
|
- Check which hops rendezvous stream cells are associated with to
|
|
prevent possible guess-the-streamid injection attacks from
|
|
intermediate hops. Fixes another case of bug 446. Based on patch
|
|
from rovv.
|
|
- Avoid using a negative right-shift when comparing 32-bit
|
|
addresses. Possible fix for bug 845 and bug 811.
|
|
- Make the assert_circuit_ok() function work correctly on circuits that
|
|
have already been marked for close.
|
|
- Fix read-off-the-end-of-string error in unit tests when decoding
|
|
introduction points.
|
|
- Fix uninitialized size field for memory area allocation: may improve
|
|
memory performance during directory parsing.
|
|
- Treat duplicate certificate fetches as failures, so that we do
|
|
not try to re-fetch an expired certificate over and over and over.
|
|
- Do not say we're fetching a certificate when we'll in fact skip it
|
|
because of a pending download.
|
|
|
|
|
|
Changes in version 0.2.1.6-alpha - 2008-09-30
|
|
Tor 0.2.1.6-alpha further improves performance and robustness of
|
|
hidden services, starts work on supporting per-country relay selection,
|
|
and fixes a variety of smaller issues.
|
|
|
|
o Major features:
|
|
- Implement proposal 121: make it possible to build hidden services
|
|
that only certain clients are allowed to connect to. This is
|
|
enforced at several points, so that unauthorized clients are unable
|
|
to send INTRODUCE cells to the service, or even (depending on the
|
|
type of authentication) to learn introduction points. This feature
|
|
raises the bar for certain kinds of active attacks against hidden
|
|
services. Code by Karsten Loesing.
|
|
- Relays now store and serve v2 hidden service descriptors by default,
|
|
i.e., the new default value for HidServDirectoryV2 is 1. This is
|
|
the last step in proposal 114, which aims to make hidden service
|
|
lookups more reliable.
|
|
- Start work to allow node restrictions to include country codes. The
|
|
syntax to exclude nodes in a country with country code XX is
|
|
"ExcludeNodes {XX}". Patch from Robert Hogan. It still needs some
|
|
refinement to decide what config options should take priority if
|
|
you ask to both use a particular node and exclude it.
|
|
- Allow ExitNodes list to include IP ranges and country codes, just
|
|
like the Exclude*Nodes lists. Patch from Robert Hogan.
|
|
|
|
o Major bugfixes:
|
|
- Fix a bug when parsing ports in tor_addr_port_parse() that caused
|
|
Tor to fail to start if you had it configured to use a bridge
|
|
relay. Fixes bug 809. Bugfix on 0.2.1.5-alpha.
|
|
- When extending a circuit to a hidden service directory to upload a
|
|
rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
|
|
requests failed, because the router descriptor had not been
|
|
downloaded yet. In these cases, we now wait until the router
|
|
descriptor is downloaded, and then retry. Likewise, clients
|
|
now skip over a hidden service directory if they don't yet have
|
|
its router descriptor, rather than futilely requesting it and
|
|
putting mysterious complaints in the logs. Fixes bug 767. Bugfix
|
|
on 0.2.0.10-alpha.
|
|
- When fetching v0 and v2 rendezvous service descriptors in parallel,
|
|
we were failing the whole hidden service request when the v0
|
|
descriptor fetch fails, even if the v2 fetch is still pending and
|
|
might succeed. Similarly, if the last v2 fetch fails, we were
|
|
failing the whole hidden service request even if a v0 fetch is
|
|
still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
|
|
- DNS replies need to have names matching their requests, but
|
|
these names should be in the questions section, not necessarily
|
|
in the answers section. Fixes bug 823. Bugfix on 0.2.1.5-alpha.
|
|
|
|
o Minor features:
|
|
- Update to the "September 1 2008" ip-to-country file.
|
|
- Allow ports 465 and 587 in the default exit policy again. We had
|
|
rejected them in 0.1.0.15, because back in 2005 they were commonly
|
|
misconfigured and ended up as spam targets. We hear they are better
|
|
locked down these days.
|
|
- Use a lockfile to make sure that two Tor processes are not
|
|
simultaneously running with the same datadir.
|
|
- Serve the latest v3 networkstatus consensus via the control
|
|
port. Use "getinfo dir/status-vote/current/consensus" to fetch it.
|
|
- Better logging about stability/reliability calculations on directory
|
|
servers.
|
|
- Drop the requirement to have an open dir port for storing and
|
|
serving v2 hidden service descriptors.
|
|
- Directory authorities now serve a /tor/dbg-stability.txt URL to
|
|
help debug WFU and MTBF calculations.
|
|
- Implement most of Proposal 152: allow specialized servers to permit
|
|
single-hop circuits, and clients to use those servers to build
|
|
single-hop circuits when using a specialized controller. Patch
|
|
from Josh Albrecht. Resolves feature request 768.
|
|
- Add a -p option to tor-resolve for specifying the SOCKS port: some
|
|
people find host:port too confusing.
|
|
- Make TrackHostExit mappings expire a while after their last use, not
|
|
after their creation. Patch from Robert Hogan.
|
|
- Provide circuit purposes along with circuit events to the controller.
|
|
|
|
o Minor bugfixes:
|
|
- Fix compile on OpenBSD 4.4-current. Bugfix on 0.2.1.5-alpha.
|
|
Reported by Tas.
|
|
- Fixed some memory leaks -- some quite frequent, some almost
|
|
impossible to trigger -- based on results from Coverity.
|
|
- When testing for libevent functions, set the LDFLAGS variable
|
|
correctly. Found by Riastradh.
|
|
- Fix an assertion bug in parsing policy-related options; possible fix
|
|
for bug 811.
|
|
- Catch and report a few more bootstrapping failure cases when Tor
|
|
fails to establish a TCP connection. Cleanup on 0.2.1.x.
|
|
- Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
|
|
bootstrapping with tunneled directory connections. Bugfix on
|
|
0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
|
|
- When asked to connect to A.B.exit:80, if we don't know the IP for A
|
|
and we know that server B rejects most-but-not all connections to
|
|
port 80, we would previously reject the connection. Now, we assume
|
|
the user knows what they were asking for. Fixes bug 752. Bugfix
|
|
on 0.0.9rc5. Diagnosed by BarkerJr.
|
|
- If we are not using BEGIN_DIR cells, don't attempt to contact hidden
|
|
service directories if they have no advertised dir port. Bugfix
|
|
on 0.2.0.10-alpha.
|
|
- If we overrun our per-second write limits a little, count this as
|
|
having used up our write allocation for the second, and choke
|
|
outgoing directory writes. Previously, we had only counted this when
|
|
we had met our limits precisely. Fixes bug 824. Patch by rovv.
|
|
Bugfix on 0.2.0.x (??).
|
|
- Avoid a "0 divided by 0" calculation when calculating router uptime
|
|
at directory authorities. Bugfix on 0.2.0.8-alpha.
|
|
- Make DNS resolved controller events into "CLOSED", not
|
|
"FAILED". Bugfix on 0.1.2.5-alpha. Fix by Robert Hogan. Resolves
|
|
bug 807.
|
|
- Fix a bug where an unreachable relay would establish enough
|
|
reachability testing circuits to do a bandwidth test -- if
|
|
we already have a connection to the middle hop of the testing
|
|
circuit, then it could establish the last hop by using the existing
|
|
connection. Bugfix on 0.1.2.2-alpha, exposed when we made testing
|
|
circuits no longer use entry guards in 0.2.1.3-alpha.
|
|
- If we have correct permissions on $datadir, we complain to stdout
|
|
and fail to start. But dangerous permissions on
|
|
$datadir/cached-status/ would cause us to open a log and complain
|
|
there. Now complain to stdout and fail to start in both cases. Fixes
|
|
bug 820, reported by seeess.
|
|
- Remove the old v2 directory authority 'lefkada' from the default
|
|
list. It has been gone for many months.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Revise the connection_new functions so that a more typesafe variant
|
|
exists. This will work better with Coverity, and let us find any
|
|
actual mistakes we're making here.
|
|
- Refactor unit testing logic so that dmalloc can be used sensibly
|
|
with unit tests to check for memory leaks.
|
|
- Move all hidden-service related fields from connection and circuit
|
|
structure to substructures: this way they won't eat so much memory.
|
|
|
|
|
|
Changes in version 0.2.0.31 - 2008-09-03
|
|
Tor 0.2.0.31 addresses two potential anonymity issues, starts to fix
|
|
a big bug we're seeing where in rare cases traffic from one Tor stream
|
|
gets mixed into another stream, and fixes a variety of smaller issues.
|
|
|
|
o Major bugfixes:
|
|
- Make sure that two circuits can never exist on the same connection
|
|
with the same circuit ID, even if one is marked for close. This
|
|
is conceivably a bugfix for bug 779. Bugfix on 0.1.0.4-rc.
|
|
- Relays now reject risky extend cells: if the extend cell includes
|
|
a digest of all zeroes, or asks to extend back to the relay that
|
|
sent the extend cell, tear down the circuit. Ideas suggested
|
|
by rovv.
|
|
- If not enough of our entry guards are available so we add a new
|
|
one, we might use the new one even if it overlapped with the
|
|
current circuit's exit relay (or its family). Anonymity bugfix
|
|
pointed out by rovv.
|
|
|
|
o Minor bugfixes:
|
|
- Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
|
|
794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
|
|
- Correctly detect the presence of the linux/netfilter_ipv4.h header
|
|
when building against recent kernels. Bugfix on 0.1.2.1-alpha.
|
|
- Pick size of default geoip filename string correctly on windows.
|
|
Fixes bug 806. Bugfix on 0.2.0.30.
|
|
- Make the autoconf script accept the obsolete --with-ssl-dir
|
|
option as an alias for the actually-working --with-openssl-dir
|
|
option. Fix the help documentation to recommend --with-openssl-dir.
|
|
Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.
|
|
- When using the TransPort option on OpenBSD, and using the User
|
|
option to change UID and drop privileges, make sure to open
|
|
/dev/pf before dropping privileges. Fixes bug 782. Patch from
|
|
Christopher Davis. Bugfix on 0.1.2.1-alpha.
|
|
- Try to attach connections immediately upon receiving a RENDEZVOUS2
|
|
or RENDEZVOUS_ESTABLISHED cell. This can save a second or two
|
|
on the client side when connecting to a hidden service. Bugfix
|
|
on 0.0.6pre1. Found and fixed by Christian Wilms; resolves bug 743.
|
|
- When closing an application-side connection because its circuit is
|
|
getting torn down, generate the stream event correctly. Bugfix on
|
|
0.1.2.x. Anonymous patch.
|
|
|
|
|
|
Changes in version 0.2.1.5-alpha - 2008-08-31
|
|
Tor 0.2.1.5-alpha moves us closer to handling IPv6 destinations, puts
|
|
in a lot of the infrastructure for adding authorization to hidden
|
|
services, lays the groundwork for having clients read their load
|
|
balancing information out of the networkstatus consensus rather than
|
|
the individual router descriptors, addresses two potential anonymity
|
|
issues, and fixes a variety of smaller issues.
|
|
|
|
o Major features:
|
|
- Convert many internal address representations to optionally hold
|
|
IPv6 addresses.
|
|
- Generate and accept IPv6 addresses in many protocol elements.
|
|
- Make resolver code handle nameservers located at ipv6 addresses.
|
|
- Begin implementation of proposal 121 ("Client authorization for
|
|
hidden services"): configure hidden services with client
|
|
authorization, publish descriptors for them, and configure
|
|
authorization data for hidden services at clients. The next
|
|
step is to actually access hidden services that perform client
|
|
authorization.
|
|
- More progress toward proposal 141: Network status consensus
|
|
documents and votes now contain bandwidth information for each
|
|
router and a summary of that router's exit policy. Eventually this
|
|
will be used by clients so that they do not have to download every
|
|
known descriptor before building circuits.
|
|
|
|
o Major bugfixes (on 0.2.0.x and before):
|
|
- When sending CREATED cells back for a given circuit, use a 64-bit
|
|
connection ID to find the right connection, rather than an addr:port
|
|
combination. Now that we can have multiple OR connections between
|
|
the same ORs, it is no longer possible to use addr:port to uniquely
|
|
identify a connection.
|
|
- Relays now reject risky extend cells: if the extend cell includes
|
|
a digest of all zeroes, or asks to extend back to the relay that
|
|
sent the extend cell, tear down the circuit. Ideas suggested
|
|
by rovv.
|
|
- If not enough of our entry guards are available so we add a new
|
|
one, we might use the new one even if it overlapped with the
|
|
current circuit's exit relay (or its family). Anonymity bugfix
|
|
pointed out by rovv.
|
|
|
|
o Minor bugfixes:
|
|
- Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
|
|
794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
|
|
- When using the TransPort option on OpenBSD, and using the User
|
|
option to change UID and drop privileges, make sure to open /dev/pf
|
|
before dropping privileges. Fixes bug 782. Patch from Christopher
|
|
Davis. Bugfix on 0.1.2.1-alpha.
|
|
- Correctly detect the presence of the linux/netfilter_ipv4.h header
|
|
when building against recent kernels. Bugfix on 0.1.2.1-alpha.
|
|
- Add a missing safe_str() call for a debug log message.
|
|
- Use 64 bits instead of 32 bits for connection identifiers used with
|
|
the controller protocol, to greatly reduce risk of identifier reuse.
|
|
- Make the autoconf script accept the obsolete --with-ssl-dir
|
|
option as an alias for the actually-working --with-openssl-dir
|
|
option. Fix the help documentation to recommend --with-openssl-dir.
|
|
Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.
|
|
|
|
o Minor features:
|
|
- Rate-limit too-many-sockets messages: when they happen, they happen
|
|
a lot. Resolves bug 748.
|
|
- Resist DNS poisoning a little better by making sure that names in
|
|
answer sections match.
|
|
- Print the SOCKS5 error message string as well as the error code
|
|
when a tor-resolve request fails. Patch from Jacob.
|
|
|
|
|
|
Changes in version 0.2.1.4-alpha - 2008-08-04
|
|
Tor 0.2.1.4-alpha fixes a pair of crash bugs in 0.2.1.3-alpha.
|
|
|
|
o Major bugfixes:
|
|
- The address part of exit policies was not correctly written
|
|
to router descriptors. This generated router descriptors that failed
|
|
their self-checks. Noticed by phobos, fixed by Karsten. Bugfix
|
|
on 0.2.1.3-alpha.
|
|
- Tor triggered a false assert when extending a circuit to a relay
|
|
but we already have a connection open to that relay. Noticed by
|
|
phobos, fixed by Karsten. Bugfix on 0.2.1.3-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Fix a hidden service logging bug: in some edge cases, the router
|
|
descriptor of a previously picked introduction point becomes
|
|
obsolete and we need to give up on it rather than continually
|
|
complaining that it has become obsolete. Observed by xiando. Bugfix
|
|
on 0.2.1.3-alpha.
|
|
|
|
o Removed features:
|
|
- Take out the TestVia config option, since it was a workaround for
|
|
a bug that was fixed in Tor 0.1.1.21.
|
|
|
|
|
|
Changes in version 0.2.1.3-alpha - 2008-08-03
|
|
Tor 0.2.1.3-alpha implements most of the pieces to prevent
|
|
infinite-length circuit attacks (see proposal 110); fixes a bug that
|
|
might cause exit relays to corrupt streams they send back; allows
|
|
address patterns (e.g. 255.128.0.0/16) to appear in ExcludeNodes and
|
|
ExcludeExitNodes config options; and fixes a big pile of bugs.
|
|
|
|
o Bootstrapping bugfixes (on 0.2.1.x-alpha):
|
|
- Send a bootstrap problem "warn" event on the first problem if the
|
|
reason is NO_ROUTE (that is, our network is down).
|
|
|
|
o Major features:
|
|
- Implement most of proposal 110: The first K cells to be sent
|
|
along a circuit are marked as special "early" cells; only K "early"
|
|
cells will be allowed. Once this code is universal, we can block
|
|
certain kinds of DOS attack by requiring that EXTEND commands must
|
|
be sent using an "early" cell.
|
|
|
|
o Major bugfixes:
|
|
- Try to attach connections immediately upon receiving a RENDEZVOUS2
|
|
or RENDEZVOUS_ESTABLISHED cell. This can save a second or two
|
|
on the client side when connecting to a hidden service. Bugfix
|
|
on 0.0.6pre1. Found and fixed by Christian Wilms; resolves bug 743.
|
|
- Ensure that two circuits can never exist on the same connection
|
|
with the same circuit ID, even if one is marked for close. This
|
|
is conceivably a bugfix for bug 779; fixes a bug on 0.1.0.4-rc.
|
|
|
|
o Minor features:
|
|
- When relays do their initial bandwidth measurement, don't limit
|
|
to just our entry guards for the test circuits. Otherwise we tend
|
|
to have multiple test circuits going through a single entry guard,
|
|
which makes our bandwidth test less accurate. Fixes part of bug 654;
|
|
patch contributed by Josh Albrecht.
|
|
- Add an ExcludeExitNodes option so users can list a set of nodes
|
|
that should be be excluded from the exit node position, but
|
|
allowed elsewhere. Implements proposal 151.
|
|
- Allow address patterns (e.g., 255.128.0.0/16) to appear in
|
|
ExcludeNodes and ExcludeExitNodes lists.
|
|
- Change the implementation of ExcludeNodes and ExcludeExitNodes to
|
|
be more efficient. Formerly it was quadratic in the number of
|
|
servers; now it should be linear. Fixes bug 509.
|
|
- Save 16-22 bytes per open circuit by moving the n_addr, n_port,
|
|
and n_conn_id_digest fields into a separate structure that's
|
|
only needed when the circuit has not yet attached to an n_conn.
|
|
|
|
o Minor bugfixes:
|
|
- Change the contrib/tor.logrotate script so it makes the new
|
|
logs as "_tor:_tor" rather than the default, which is generally
|
|
"root:wheel". Fixes bug 676, reported by Serge Koksharov.
|
|
- Stop using __attribute__((nonnull)) with GCC: it can give us useful
|
|
warnings (occasionally), but it can also cause the compiler to
|
|
eliminate error-checking code. Suggested by Peter Gutmann.
|
|
- When a hidden service is giving up on an introduction point candidate
|
|
that was not included in the last published rendezvous descriptor,
|
|
don't reschedule publication of the next descriptor. Fixes bug 763.
|
|
Bugfix on 0.0.9.3.
|
|
- Mark RendNodes, RendExcludeNodes, HiddenServiceNodes, and
|
|
HiddenServiceExcludeNodes as obsolete: they never worked properly,
|
|
and nobody claims to be using them. Fixes bug 754. Bugfix on
|
|
0.1.0.1-rc. Patch from Christian Wilms.
|
|
- Fix a small alignment and memory-wasting bug on buffer chunks.
|
|
Spotted by rovv.
|
|
|
|
o Minor bugfixes (controller):
|
|
- When closing an application-side connection because its circuit
|
|
is getting torn down, generate the stream event correctly.
|
|
Bugfix on 0.1.2.x. Anonymous patch.
|
|
|
|
o Removed features:
|
|
- Remove all backward-compatibility code to support relays running
|
|
versions of Tor so old that they no longer work at all on the
|
|
Tor network.
|
|
|
|
|
|
Changes in version 0.2.0.30 - 2008-07-15
|
|
o Minor bugfixes:
|
|
- Stop using __attribute__((nonnull)) with GCC: it can give us useful
|
|
warnings (occasionally), but it can also cause the compiler to
|
|
eliminate error-checking code. Suggested by Peter Gutmann.
|
|
|
|
|
|
Changes in version 0.2.0.29-rc - 2008-07-08
|
|
Tor 0.2.0.29-rc fixes two big bugs with using bridges, fixes more
|
|
hidden-service performance bugs, and fixes a bunch of smaller bugs.
|
|
|
|
o Major bugfixes:
|
|
- If you have more than one bridge but don't know their keys,
|
|
you would only launch a request for the descriptor of the first one
|
|
on your list. (Tor considered launching requests for the others, but
|
|
found that it already had a connection on the way for $0000...0000
|
|
so it didn't open another.) Bugfix on 0.2.0.x.
|
|
- If you have more than one bridge but don't know their keys, and the
|
|
connection to one of the bridges failed, you would cancel all
|
|
pending bridge connections. (After all, they all have the same
|
|
digest.) Bugfix on 0.2.0.x.
|
|
- When a hidden service was trying to establish an introduction point,
|
|
and Tor had built circuits preemptively for such purposes, we
|
|
were ignoring all the preemptive circuits and launching a new one
|
|
instead. Bugfix on 0.2.0.14-alpha.
|
|
- When a hidden service was trying to establish an introduction point,
|
|
and Tor *did* manage to reuse one of the preemptively built
|
|
circuits, it didn't correctly remember which one it used,
|
|
so it asked for another one soon after, until there were no
|
|
more preemptive circuits, at which point it launched one from
|
|
scratch. Bugfix on 0.0.9.x.
|
|
- Make directory servers include the X-Your-Address-Is: http header in
|
|
their responses even for begin_dir conns. Now clients who only
|
|
ever use begin_dir connections still have a way to learn their IP
|
|
address. Fixes bug 737; bugfix on 0.2.0.22-rc. Reported by goldy.
|
|
|
|
o Minor bugfixes:
|
|
- Fix a macro/CPP interaction that was confusing some compilers:
|
|
some GCCs don't like #if/#endif pairs inside macro arguments.
|
|
Fixes bug 707.
|
|
- Fix macro collision between OpenSSL 0.9.8h and Windows headers.
|
|
Fixes bug 704; fix from Steven Murdoch.
|
|
- When opening /dev/null in finish_daemonize(), do not pass the
|
|
O_CREAT flag. Fortify was complaining, and correctly so. Fixes
|
|
bug 742; fix from Michael Scherer. Bugfix on 0.0.2pre19.
|
|
- Correctly detect transparent proxy support on Linux hosts that
|
|
require in.h to be included before netfilter_ipv4.h. Patch
|
|
from coderman.
|
|
- Disallow session resumption attempts during the renegotiation
|
|
stage of the v2 handshake protocol. Clients should never be trying
|
|
session resumption at this point, but apparently some did, in
|
|
ways that caused the handshake to fail. Bugfix on 0.2.0.20-rc. Bug
|
|
found by Geoff Goodell.
|
|
|
|
|
|
Changes in version 0.2.1.2-alpha - 2008-06-20
|
|
Tor 0.2.1.2-alpha includes a new "TestingTorNetwork" config option to
|
|
make it easier to set up your own private Tor network; fixes several
|
|
big bugs with using more than one bridge relay; fixes a big bug with
|
|
offering hidden services quickly after Tor starts; and uses a better
|
|
API for reporting potential bootstrapping problems to the controller.
|
|
|
|
o Major features:
|
|
- New TestingTorNetwork config option to allow adjustment of
|
|
previously constant values that, while reasonable, could slow
|
|
bootstrapping. Implements proposal 135. Patch from Karsten.
|
|
|
|
o Major bugfixes:
|
|
- If you have more than one bridge but don't know their digests,
|
|
you would only learn a request for the descriptor of the first one
|
|
on your list. (Tor considered launching requests for the others, but
|
|
found that it already had a connection on the way for $0000...0000
|
|
so it didn't open another.) Bugfix on 0.2.0.x.
|
|
- If you have more than one bridge but don't know their digests,
|
|
and the connection to one of the bridges failed, you would cancel
|
|
all pending bridge connections. (After all, they all have the
|
|
same digest.) Bugfix on 0.2.0.x.
|
|
- When establishing a hidden service, introduction points that
|
|
originate from cannibalized circuits are completely ignored and not
|
|
included in rendezvous service descriptors. This might be another
|
|
reason for delay in making a hidden service available. Bugfix
|
|
from long ago (0.0.9.x?)
|
|
|
|
o Minor features:
|
|
- Allow OpenSSL to use dynamic locks if it wants.
|
|
- When building a consensus, do not include routers that are down.
|
|
This will cut down 30% to 40% on consensus size. Implements
|
|
proposal 138.
|
|
- In directory authorities' approved-routers files, allow
|
|
fingerprints with or without space.
|
|
- Add a "GETINFO /status/bootstrap-phase" controller option, so the
|
|
controller can query our current bootstrap state in case it attaches
|
|
partway through and wants to catch up.
|
|
- Send an initial "Starting" bootstrap status event, so we have a
|
|
state to start out in.
|
|
|
|
o Minor bugfixes:
|
|
- Asking for a conditional consensus at .../consensus/<fingerprints>
|
|
would crash a dirserver if it did not already have a
|
|
consensus. Bugfix on 0.2.1.1-alpha.
|
|
- Clean up some macro/CPP interactions: some GCC versions don't like
|
|
#if/#endif pairs inside macro arguments. Fixes bug 707. Bugfix on
|
|
0.2.0.x.
|
|
|
|
o Bootstrapping bugfixes (on 0.2.1.1-alpha):
|
|
- Directory authorities shouldn't complain about bootstrapping
|
|
problems just because they do a lot of reachability testing and
|
|
some of the connection attempts fail.
|
|
- Start sending "count" and "recommendation" key/value pairs in
|
|
bootstrap problem status events, so the controller can hear about
|
|
problems even before Tor decides they're worth reporting for sure.
|
|
- If you're using bridges, generate "bootstrap problem" warnings
|
|
as soon as you run out of working bridges, rather than waiting
|
|
for ten failures -- which will never happen if you have less than
|
|
ten bridges.
|
|
- If we close our OR connection because there's been a circuit
|
|
pending on it for too long, we were telling our bootstrap status
|
|
events "REASON=NONE". Now tell them "REASON=TIMEOUT".
|
|
|
|
|
|
Changes in version 0.2.1.1-alpha - 2008-06-13
|
|
Tor 0.2.1.1-alpha fixes a lot of memory fragmentation problems that
|
|
were making the Tor process bloat especially on Linux; makes our TLS
|
|
handshake blend in better; sends "bootstrap phase" status events to
|
|
the controller, so it can keep the user informed of progress (and
|
|
problems) fetching directory information and establishing circuits;
|
|
and adds a variety of smaller features.
|
|
|
|
o Major features:
|
|
- More work on making our TLS handshake blend in: modify the list
|
|
of ciphers advertised by OpenSSL in client mode to even more
|
|
closely resemble a common web browser. We cheat a little so that
|
|
we can advertise ciphers that the locally installed OpenSSL doesn't
|
|
know about.
|
|
- Start sending "bootstrap phase" status events to the controller,
|
|
so it can keep the user informed of progress fetching directory
|
|
information and establishing circuits. Also inform the controller
|
|
if we think we're stuck at a particular bootstrap phase. Implements
|
|
proposal 137.
|
|
- Resume using OpenSSL's RAND_poll() for better (and more portable)
|
|
cross-platform entropy collection again. We used to use it, then
|
|
stopped using it because of a bug that could crash systems that
|
|
called RAND_poll when they had a lot of fds open. It looks like the
|
|
bug got fixed in late 2006. Our new behavior is to call RAND_poll()
|
|
at startup, and to call RAND_poll() when we reseed later only if
|
|
we have a non-buggy OpenSSL version.
|
|
|
|
o Major bugfixes:
|
|
- When we choose to abandon a new entry guard because we think our
|
|
older ones might be better, close any circuits pending on that
|
|
new entry guard connection. This fix should make us recover much
|
|
faster when our network is down and then comes back. Bugfix on
|
|
0.1.2.8-beta; found by lodger.
|
|
|
|
o Memory fixes and improvements:
|
|
- Add a malloc_good_size implementation to OpenBSD_malloc_linux.c,
|
|
to avoid unused RAM in buffer chunks and memory pools.
|
|
- Speed up parsing and cut down on memory fragmentation by using
|
|
stack-style allocations for parsing directory objects. Previously,
|
|
this accounted for over 40% of allocations from within Tor's code
|
|
on a typical directory cache.
|
|
- Use a Bloom filter rather than a digest-based set to track which
|
|
descriptors we need to keep around when we're cleaning out old
|
|
router descriptors. This speeds up the computation significantly,
|
|
and may reduce fragmentation.
|
|
- Reduce the default smartlist size from 32 to 16; it turns out that
|
|
most smartlists hold around 8-12 elements tops.
|
|
- Make dumpstats() log the fullness and size of openssl-internal
|
|
buffers.
|
|
- If the user has applied the experimental SSL_MODE_RELEASE_BUFFERS
|
|
patch to their OpenSSL, turn it on to save memory on servers. This
|
|
patch will (with any luck) get included in a mainline distribution
|
|
before too long.
|
|
- Never use OpenSSL compression: it wastes RAM and CPU trying to
|
|
compress cells, which are basically all encrypted, compressed,
|
|
or both.
|
|
|
|
o Minor bugfixes:
|
|
- Stop reloading the router list from disk for no reason when we
|
|
run out of reachable directory mirrors. Once upon a time reloading
|
|
it would set the 'is_running' flag back to 1 for them. It hasn't
|
|
done that for a long time.
|
|
- In very rare situations new hidden service descriptors were
|
|
published earlier than 30 seconds after the last change to the
|
|
service. (We currently think that a hidden service descriptor
|
|
that's been stable for 30 seconds is worth publishing.)
|
|
|
|
o Minor features:
|
|
- Allow separate log levels to be configured for different logging
|
|
domains. For example, this allows one to log all notices, warnings,
|
|
or errors, plus all memory management messages of level debug or
|
|
higher, with: Log [MM] debug-err [*] notice-err file /var/log/tor.
|
|
- Add a couple of extra warnings to --enable-gcc-warnings for GCC 4.3,
|
|
and stop using a warning that had become unfixably verbose under
|
|
GCC 4.3.
|
|
- New --hush command-line option similar to --quiet. While --quiet
|
|
disables all logging to the console on startup, --hush limits the
|
|
output to messages of warning and error severity.
|
|
- Servers support a new URL scheme for consensus downloads that
|
|
allows the client to specify which authorities are trusted.
|
|
The server then only sends the consensus if the client will trust
|
|
it. Otherwise a 404 error is sent back. Clients use this
|
|
new scheme when the server supports it (meaning it's running
|
|
0.2.1.1-alpha or later). Implements proposal 134.
|
|
- New configure/torrc options (--enable-geoip-stats,
|
|
DirRecordUsageByCountry) to record how many IPs we've served
|
|
directory info to in each country code, how many status documents
|
|
total we've sent to each country code, and what share of the total
|
|
directory requests we should expect to see.
|
|
- Use the TLS1 hostname extension to more closely resemble browser
|
|
behavior.
|
|
- Lots of new unit tests.
|
|
- Add a macro to implement the common pattern of iterating through
|
|
two parallel lists in lockstep.
|
|
|
|
|
|
Changes in version 0.2.0.28-rc - 2008-06-13
|
|
Tor 0.2.0.28-rc fixes an anonymity-related bug, fixes a hidden-service
|
|
performance bug, and fixes a bunch of smaller bugs.
|
|
|
|
o Anonymity fixes:
|
|
- Fix a bug where, when we were choosing the 'end stream reason' to
|
|
put in our relay end cell that we send to the exit relay, Tor
|
|
clients on Windows were sometimes sending the wrong 'reason'. The
|
|
anonymity problem is that exit relays may be able to guess whether
|
|
the client is running Windows, thus helping partition the anonymity
|
|
set. Down the road we should stop sending reasons to exit relays,
|
|
or otherwise prevent future versions of this bug.
|
|
|
|
o Major bugfixes:
|
|
- While setting up a hidden service, some valid introduction circuits
|
|
were overlooked and abandoned. This might be the reason for
|
|
the long delay in making a hidden service available. Bugfix on
|
|
0.2.0.14-alpha.
|
|
|
|
o Minor features:
|
|
- Update to the "June 9 2008" ip-to-country file.
|
|
- Run 'make test' as part of 'make dist', so we stop releasing so
|
|
many development snapshots that fail their unit tests.
|
|
|
|
o Minor bugfixes:
|
|
- When we're checking if we have enough dir info for each relay
|
|
to begin establishing circuits, make sure that we actually have
|
|
the descriptor listed in the consensus, not just any descriptor.
|
|
Bugfix on 0.1.2.x.
|
|
- Bridge relays no longer print "xx=0" in their extrainfo document
|
|
for every single country code in the geoip db. Bugfix on
|
|
0.2.0.27-rc.
|
|
- Only warn when we fail to load the geoip file if we were planning to
|
|
include geoip stats in our extrainfo document. Bugfix on 0.2.0.27-rc.
|
|
- If we change our MaxAdvertisedBandwidth and then reload torrc,
|
|
Tor won't realize it should publish a new relay descriptor. Fixes
|
|
bug 688, reported by mfr. Bugfix on 0.1.2.x.
|
|
- When we haven't had any application requests lately, don't bother
|
|
logging that we have expired a bunch of descriptors. Bugfix
|
|
on 0.1.2.x.
|
|
- Make relay cells written on a connection count as non-padding when
|
|
tracking how long a connection has been in use. Bugfix on
|
|
0.2.0.1-alpha. Spotted by lodger.
|
|
- Fix unit tests in 0.2.0.27-rc.
|
|
- Fix compile on Windows.
|
|
|
|
|
|
Changes in version 0.2.0.27-rc - 2008-06-03
|
|
Tor 0.2.0.27-rc adds a few features we left out of the earlier
|
|
release candidates. In particular, we now include an IP-to-country
|
|
GeoIP database, so controllers can easily look up what country a
|
|
given relay is in, and so bridge relays can give us some sanitized
|
|
summaries about which countries are making use of bridges. (See proposal
|
|
126-geoip-fetching.txt for details.)
|
|
|
|
o Major features:
|
|
- Include an IP-to-country GeoIP file in the tarball, so bridge
|
|
relays can report sanitized summaries of the usage they're seeing.
|
|
|
|
o Minor features:
|
|
- Add a "PURPOSE=" argument to "STREAM NEW" events, as suggested by
|
|
Robert Hogan. Fixes the first part of bug 681.
|
|
- Make bridge authorities never serve extrainfo docs.
|
|
- Add support to detect Libevent versions in the 1.4.x series
|
|
on mingw.
|
|
- Fix build on gcc 4.3 with --enable-gcc-warnings set.
|
|
- Include a new contrib/tor-exit-notice.html file that exit relay
|
|
operators can put on their website to help reduce abuse queries.
|
|
|
|
o Minor bugfixes:
|
|
- When tunneling an encrypted directory connection, and its first
|
|
circuit fails, do not leave it unattached and ask the controller
|
|
to deal. Fixes the second part of bug 681.
|
|
- Make bridge authorities correctly expire old extrainfo documents
|
|
from time to time.
|
|
|
|
|
|
Changes in version 0.2.0.26-rc - 2008-05-13
|
|
Tor 0.2.0.26-rc fixes a major security vulnerability caused by a bug
|
|
in Debian's OpenSSL packages. All users running any 0.2.0.x version
|
|
should upgrade, whether they're running Debian or not.
|
|
|
|
o Major security fixes:
|
|
- Use new V3 directory authority keys on the tor26, gabelmoo, and
|
|
moria1 V3 directory authorities. The old keys were generated with
|
|
a vulnerable version of Debian's OpenSSL package, and must be
|
|
considered compromised. Other authorities' keys were not generated
|
|
with an affected version of OpenSSL.
|
|
|
|
o Major bugfixes:
|
|
- List authority signatures as "unrecognized" based on DirServer
|
|
lines, not on cert cache. Bugfix on 0.2.0.x.
|
|
|
|
o Minor features:
|
|
- Add a new V3AuthUseLegacyKey option to make it easier for
|
|
authorities to change their identity keys if they have to.
|
|
|
|
|
|
Changes in version 0.2.0.25-rc - 2008-04-23
|
|
Tor 0.2.0.25-rc makes Tor work again on OS X and certain BSDs.
|
|
|
|
o Major bugfixes:
|
|
- Remember to initialize threading before initializing logging.
|
|
Otherwise, many BSD-family implementations will crash hard on
|
|
startup. Fixes bug 671. Bugfix on 0.2.0.24-rc.
|
|
|
|
o Minor bugfixes:
|
|
- Authorities correctly free policies on bad servers on
|
|
exit. Fixes bug 672. Bugfix on 0.2.0.x.
|
|
|
|
|
|
Changes in version 0.2.0.24-rc - 2008-04-22
|
|
Tor 0.2.0.24-rc adds dizum (run by Alex de Joode) as the new sixth
|
|
v3 directory authority, makes relays with dynamic IP addresses and no
|
|
DirPort notice more quickly when their IP address changes, fixes a few
|
|
rare crashes and memory leaks, and fixes a few other miscellaneous bugs.
|
|
|
|
o New directory authorities:
|
|
- Take lefkada out of the list of v3 directory authorities, since
|
|
it has been down for months.
|
|
- Set up dizum (run by Alex de Joode) as the new sixth v3 directory
|
|
authority.
|
|
|
|
o Major bugfixes:
|
|
- Detect address changes more quickly on non-directory mirror
|
|
relays. Bugfix on 0.2.0.18-alpha; fixes bug 652.
|
|
|
|
o Minor features (security):
|
|
- Reject requests for reverse-dns lookup of names that are in
|
|
a private address space. Patch from lodger.
|
|
- Non-exit relays no longer allow DNS requests. Fixes bug 619. Patch
|
|
from lodger.
|
|
|
|
o Minor bugfixes (crashes):
|
|
- Avoid a rare assert that can trigger when Tor doesn't have much
|
|
directory information yet and it tries to fetch a v2 hidden
|
|
service descriptor. Fixes bug 651, reported by nwf.
|
|
- Initialize log mutex before initializing dmalloc. Otherwise,
|
|
running with dmalloc would crash. Bugfix on 0.2.0.x-alpha.
|
|
- Use recursive pthread mutexes in order to avoid deadlock when
|
|
logging debug-level messages to a controller. Bug spotted by nwf,
|
|
bugfix on 0.2.0.16-alpha.
|
|
|
|
o Minor bugfixes (resource management):
|
|
- Keep address policies from leaking memory: start their refcount
|
|
at 1, not 2. Bugfix on 0.2.0.16-alpha.
|
|
- Free authority certificates on exit, so they don't look like memory
|
|
leaks. Bugfix on 0.2.0.19-alpha.
|
|
- Free static hashtables for policy maps and for TLS connections on
|
|
shutdown, so they don't look like memory leaks. Bugfix on 0.2.0.x.
|
|
- Avoid allocating extra space when computing consensuses on 64-bit
|
|
platforms. Bug spotted by aakova.
|
|
|
|
o Minor bugfixes (misc):
|
|
- Do not read the configuration file when we've only been told to
|
|
generate a password hash. Fixes bug 643. Bugfix on 0.0.9pre5. Fix
|
|
based on patch from Sebastian Hahn.
|
|
- Exit relays that are used as a client can now reach themselves
|
|
using the .exit notation, rather than just launching an infinite
|
|
pile of circuits. Fixes bug 641. Reported by Sebastian Hahn.
|
|
- When attempting to open a logfile fails, tell us why.
|
|
- Fix a dumb bug that was preventing us from knowing that we should
|
|
preemptively build circuits to handle expected directory requests.
|
|
Fixes bug 660. Bugfix on 0.1.2.x.
|
|
- Warn less verbosely about clock skew from netinfo cells from
|
|
untrusted sources. Fixes bug 663.
|
|
- Make controller stream events for DNS requests more consistent,
|
|
by adding "new stream" events for DNS requests, and removing
|
|
spurious "stream closed" events" for cached reverse resolves.
|
|
Patch from mwenge. Fixes bug 646.
|
|
- Correctly notify one-hop connections when a circuit build has
|
|
failed. Possible fix for bug 669. Found by lodger.
|
|
|
|
|
|
Changes in version 0.2.0.23-rc - 2008-03-24
|
|
Tor 0.2.0.23-rc is the fourth release candidate for the 0.2.0 series. It
|
|
makes bootstrapping faster if the first directory mirror you contact
|
|
is down. The bundles also include the new Vidalia 0.1.2 release.
|
|
|
|
o Major bugfixes:
|
|
- When a tunneled directory request is made to a directory server
|
|
that's down, notice after 30 seconds rather than 120 seconds. Also,
|
|
fail any begindir streams that are pending on it, so they can
|
|
retry elsewhere. This was causing multi-minute delays on bootstrap.
|
|
|
|
|
|
Changes in version 0.2.0.22-rc - 2008-03-18
|
|
Tor 0.2.0.22-rc is the third release candidate for the 0.2.0 series. It
|
|
enables encrypted directory connections by default for non-relays, fixes
|
|
some broken TLS behavior we added in 0.2.0.20-rc, and resolves many
|
|
other bugs. The bundles also include Vidalia 0.1.1 and Torbutton 1.1.17.
|
|
|
|
o Major features:
|
|
- Enable encrypted directory connections by default for non-relays,
|
|
so censor tools that block Tor directory connections based on their
|
|
plaintext patterns will no longer work. This means Tor works in
|
|
certain censored countries by default again.
|
|
|
|
o Major bugfixes:
|
|
- Make sure servers always request certificates from clients during
|
|
TLS renegotiation. Reported by lodger; bugfix on 0.2.0.20-rc.
|
|
- Do not enter a CPU-eating loop when a connection is closed in
|
|
the middle of client-side TLS renegotiation. Fixes bug 622. Bug
|
|
diagnosed by lodger; bugfix on 0.2.0.20-rc.
|
|
- Fix assertion failure that could occur when a blocked circuit
|
|
became unblocked, and it had pending client DNS requests. Bugfix
|
|
on 0.2.0.1-alpha. Fixes bug 632.
|
|
|
|
o Minor bugfixes (on 0.1.2.x):
|
|
- Generate "STATUS_SERVER" events rather than misspelled
|
|
"STATUS_SEVER" events. Caught by mwenge.
|
|
- When counting the number of bytes written on a TLS connection,
|
|
look at the BIO actually used for writing to the network, not
|
|
at the BIO used (sometimes) to buffer data for the network.
|
|
Looking at different BIOs could result in write counts on the
|
|
order of ULONG_MAX. Fixes bug 614.
|
|
- On Windows, correctly detect errors when listing the contents of
|
|
a directory. Fix from lodger.
|
|
|
|
o Minor bugfixes (on 0.2.0.x):
|
|
- Downgrade "sslv3 alert handshake failure" message to INFO.
|
|
- If we set RelayBandwidthRate and RelayBandwidthBurst very high but
|
|
left BandwidthRate and BandwidthBurst at the default, we would be
|
|
silently limited by those defaults. Now raise them to match the
|
|
RelayBandwidth* values.
|
|
- Fix the SVK version detection logic to work correctly on a branch.
|
|
- Make --enable-openbsd-malloc work correctly on Linux with alpha
|
|
CPUs. Fixes bug 625.
|
|
- Logging functions now check that the passed severity is sane.
|
|
- Use proper log levels in the testsuite call of
|
|
get_interface_address6().
|
|
- When using a nonstandard malloc, do not use the platform values for
|
|
HAVE_MALLOC_GOOD_SIZE or HAVE_MALLOC_USABLE_SIZE.
|
|
- Make the openbsd malloc code use 8k pages on alpha CPUs and
|
|
16k pages on ia64.
|
|
- Detect mismatched page sizes when using --enable-openbsd-malloc.
|
|
- Avoid double-marked-for-close warning when certain kinds of invalid
|
|
.in-addr.arpa addresses are passed to the DNSPort. Part of a fix
|
|
for bug 617. Bugfix on 0.2.0.1-alpha.
|
|
- Make sure that the "NULL-means-reject *:*" convention is followed by
|
|
all the policy manipulation functions, avoiding some possible crash
|
|
bugs. Bug found by lodger. Bugfix on 0.2.0.16-alpha.
|
|
- Fix the implementation of ClientDNSRejectInternalAddresses so that it
|
|
actually works, and doesn't warn about every single reverse lookup.
|
|
Fixes the other part of bug 617. Bugfix on 0.2.0.1-alpha.
|
|
|
|
o Minor features:
|
|
- Only log guard node status when guard node status has changed.
|
|
- Downgrade the 3 most common "INFO" messages to "DEBUG". This will
|
|
make "INFO" 75% less verbose.
|
|
|
|
|
|
Changes in version 0.2.0.21-rc - 2008-03-02
|
|
Tor 0.2.0.21-rc is the second release candidate for the 0.2.0 series. It
|
|
makes Tor work well with Vidalia again, fixes a rare assert bug,
|
|
and fixes a pair of more minor bugs. The bundles also include Vidalia
|
|
0.1.0 and Torbutton 1.1.16.
|
|
|
|
o Major bugfixes:
|
|
- The control port should declare that it requires password auth
|
|
when HashedControlSessionPassword is set too. Patch from Matt Edman;
|
|
bugfix on 0.2.0.20-rc. Fixes bug 615.
|
|
- Downgrade assert in connection_buckets_decrement() to a log message.
|
|
This may help us solve bug 614, and in any case will make its
|
|
symptoms less severe. Bugfix on 0.2.0.20-rc. Reported by fredzupy.
|
|
- We were sometimes miscounting the number of bytes read from the
|
|
network, causing our rate limiting to not be followed exactly.
|
|
Bugfix on 0.2.0.16-alpha. Reported by lodger.
|
|
|
|
o Minor bugfixes:
|
|
- Fix compilation with OpenSSL 0.9.8 and 0.9.8a. All other supported
|
|
OpenSSL versions should have been working fine. Diagnosis and patch
|
|
from lodger, Karsten Loesing, and Sebastian Hahn. Fixes bug 616.
|
|
Bugfix on 0.2.0.20-rc.
|
|
|
|
|
|
Changes in version 0.2.0.20-rc - 2008-02-24
|
|
Tor 0.2.0.20-rc is the first release candidate for the 0.2.0 series. It
|
|
makes more progress towards normalizing Tor's TLS handshake, makes
|
|
hidden services work better again, helps relays bootstrap if they don't
|
|
know their IP address, adds optional support for linking in openbsd's
|
|
allocator or tcmalloc, allows really fast relays to scale past 15000
|
|
sockets, and fixes a bunch of minor bugs reported by Veracode.
|
|
|
|
o Major features:
|
|
- Enable the revised TLS handshake based on the one designed by
|
|
Steven Murdoch in proposal 124, as revised in proposal 130. It
|
|
includes version negotiation for OR connections as described in
|
|
proposal 105. The new handshake is meant to be harder for censors
|
|
to fingerprint, and it adds the ability to detect certain kinds of
|
|
man-in-the-middle traffic analysis attacks. The version negotiation
|
|
feature will allow us to improve Tor's link protocol more safely
|
|
in the future.
|
|
- Choose which bridge to use proportional to its advertised bandwidth,
|
|
rather than uniformly at random. This should speed up Tor for
|
|
bridge users. Also do this for people who set StrictEntryNodes.
|
|
- When a TrackHostExits-chosen exit fails too many times in a row,
|
|
stop using it. Bugfix on 0.1.2.x; fixes bug 437.
|
|
|
|
o Major bugfixes:
|
|
- Resolved problems with (re-)fetching hidden service descriptors.
|
|
Patch from Karsten Loesing; fixes problems with 0.2.0.18-alpha
|
|
and 0.2.0.19-alpha.
|
|
- If we only ever used Tor for hidden service lookups or posts, we
|
|
would stop building circuits and start refusing connections after
|
|
24 hours, since we falsely believed that Tor was dormant. Reported
|
|
by nwf; bugfix on 0.1.2.x.
|
|
- Servers that don't know their own IP address should go to the
|
|
authorities for their first directory fetch, even if their DirPort
|
|
is off or if they don't know they're reachable yet. This will help
|
|
them bootstrap better. Bugfix on 0.2.0.18-alpha; fixes bug 609.
|
|
- When counting the number of open sockets, count not only the number
|
|
of sockets we have received from the socket() call, but also
|
|
the number we've gotten from accept() and socketpair(). This bug
|
|
made us fail to count all sockets that we were using for incoming
|
|
connections. Bugfix on 0.2.0.x.
|
|
- Fix code used to find strings within buffers, when those strings
|
|
are not in the first chunk of the buffer. Bugfix on 0.2.0.x.
|
|
- Fix potential segfault when parsing HTTP headers. Bugfix on 0.2.0.x.
|
|
- Add a new __HashedControlSessionPassword option for controllers
|
|
to use for one-off session password hashes that shouldn't get
|
|
saved to disk by SAVECONF --- Vidalia users were accumulating a
|
|
pile of HashedControlPassword lines in their torrc files, one for
|
|
each time they had restarted Tor and then clicked Save. Make Tor
|
|
automatically convert "HashedControlPassword" to this new option but
|
|
only when it's given on the command line. Partial fix for bug 586.
|
|
|
|
o Minor features (performance):
|
|
- Tune parameters for cell pool allocation to minimize amount of
|
|
RAM overhead used.
|
|
- Add OpenBSD malloc code from phk as an optional malloc
|
|
replacement on Linux: some glibc libraries do very poorly
|
|
with Tor's memory allocation patterns. Pass
|
|
--enable-openbsd-malloc to get the replacement malloc code.
|
|
- Add a --with-tcmalloc option to the configure script to link
|
|
against tcmalloc (if present). Does not yet search for
|
|
non-system include paths.
|
|
- Stop imposing an arbitrary maximum on the number of file descriptors
|
|
used for busy servers. Bug reported by Olaf Selke; patch from
|
|
Sebastian Hahn.
|
|
|
|
o Minor features (other):
|
|
- When SafeLogging is disabled, log addresses along with all TLS
|
|
errors.
|
|
- When building with --enable-gcc-warnings, check for whether Apple's
|
|
warning "-Wshorten-64-to-32" is available.
|
|
- Add a --passphrase-fd argument to the tor-gencert command for
|
|
scriptability.
|
|
|
|
o Minor bugfixes (memory leaks and code problems):
|
|
- We were leaking a file descriptor if Tor started with a zero-length
|
|
cached-descriptors file. Patch by freddy77; bugfix on 0.1.2.
|
|
- Detect size overflow in zlib code. Reported by Justin Ferguson and
|
|
Dan Kaminsky.
|
|
- We were comparing the raw BridgePassword entry with a base64'ed
|
|
version of it, when handling a "/tor/networkstatus-bridges"
|
|
directory request. Now compare correctly. Noticed by Veracode.
|
|
- Recover from bad tracked-since value in MTBF-history file.
|
|
Should fix bug 537.
|
|
- Alter the code that tries to recover from unhandled write
|
|
errors, to not try to flush onto a socket that's given us
|
|
unhandled errors. Bugfix on 0.1.2.x.
|
|
- Make Unix controlsockets work correctly on OpenBSD. Patch from
|
|
tup. Bugfix on 0.2.0.3-alpha.
|
|
|
|
o Minor bugfixes (other):
|
|
- If we have an extra-info document for our server, always make
|
|
it available on the control port, even if we haven't gotten
|
|
a copy of it from an authority yet. Patch from mwenge.
|
|
- Log the correct memory chunk sizes for empty RAM chunks in mempool.c.
|
|
- Directory mirrors no longer include a guess at the client's IP
|
|
address if the connection appears to be coming from the same /24
|
|
network; it was producing too many wrong guesses.
|
|
- Make the new hidden service code respect the SafeLogging setting.
|
|
Bugfix on 0.2.0.x. Patch from Karsten.
|
|
- When starting as an authority, do not overwrite all certificates
|
|
cached from other authorities. Bugfix on 0.2.0.x. Fixes bug 606.
|
|
- If we're trying to flush the last bytes on a connection (for
|
|
example, when answering a directory request), reset the
|
|
time-to-give-up timeout every time we manage to write something
|
|
on the socket. Bugfix on 0.1.2.x.
|
|
- Change the behavior of "getinfo status/good-server-descriptor"
|
|
so it doesn't return failure when any authority disappears.
|
|
- Even though the man page said that "TrackHostExits ." should
|
|
work, nobody had ever implemented it. Bugfix on 0.1.0.x.
|
|
- Report TLS "zero return" case as a "clean close" and "IO error"
|
|
as a "close". Stop calling closes "unexpected closes": existing
|
|
Tors don't use SSL_close(), so having a connection close without
|
|
the TLS shutdown handshake is hardly unexpected.
|
|
- Send NAMESERVER_STATUS messages for a single failed nameserver
|
|
correctly.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Remove the tor_strpartition function: its logic was confused,
|
|
and it was only used for one thing that could be implemented far
|
|
more easily.
|
|
|
|
|
|
Changes in version 0.2.0.19-alpha - 2008-02-09
|
|
Tor 0.2.0.19-alpha makes more progress towards normalizing Tor's TLS
|
|
handshake, makes path selection for relays more secure and IP address
|
|
guessing more robust, and generally fixes a lot of bugs in preparation
|
|
for calling the 0.2.0 branch stable.
|
|
|
|
o Major features:
|
|
- Do not include recognizeable strings in the commonname part of
|
|
Tor's x509 certificates.
|
|
|
|
o Major bugfixes:
|
|
- If we're a relay, avoid picking ourselves as an introduction point,
|
|
a rendezvous point, or as the final hop for internal circuits. Bug
|
|
reported by taranis and lodger. Bugfix on 0.1.2.x.
|
|
- Patch from "Andrew S. Lists" to catch when we contact a directory
|
|
mirror at IP address X and he says we look like we're coming from
|
|
IP address X. Bugfix on 0.1.2.x.
|
|
|
|
o Minor features (security):
|
|
- Be more paranoid about overwriting sensitive memory on free(),
|
|
as a defensive programming tactic to ensure forward secrecy.
|
|
|
|
o Minor features (directory authority):
|
|
- Actually validate the options passed to AuthDirReject,
|
|
AuthDirInvalid, AuthDirBadDir, and AuthDirBadExit.
|
|
- Reject router descriptors with out-of-range bandwidthcapacity or
|
|
bandwidthburst values.
|
|
|
|
o Minor features (controller):
|
|
- Reject controller commands over 1MB in length. This keeps rogue
|
|
processes from running us out of memory.
|
|
|
|
o Minor features (misc):
|
|
- Give more descriptive well-formedness errors for out-of-range
|
|
hidden service descriptor/protocol versions.
|
|
- Make memory debugging information describe more about history
|
|
of cell allocation, so we can help reduce our memory use.
|
|
|
|
o Deprecated features (controller):
|
|
- The status/version/num-versioning and status/version/num-concurring
|
|
GETINFO options are no longer useful in the v3 directory protocol:
|
|
treat them as deprecated, and warn when they're used.
|
|
|
|
o Minor bugfixes:
|
|
- When our consensus networkstatus has been expired for a while, stop
|
|
being willing to build circuits using it. Fixes bug 401. Bugfix
|
|
on 0.1.2.x.
|
|
- Directory caches now fetch certificates from all authorities
|
|
listed in a networkstatus consensus, even when they do not
|
|
recognize them. Fixes bug 571. Bugfix on 0.2.0.x.
|
|
- When connecting to a bridge without specifying its key, insert
|
|
the connection into the identity-to-connection map as soon as
|
|
a key is learned. Fixes bug 574. Bugfix on 0.2.0.x.
|
|
- Detect versions of OS X where malloc_good_size() is present in the
|
|
library but never actually declared. Resolves bug 587. Bugfix
|
|
on 0.2.0.x.
|
|
- Stop incorrectly truncating zlib responses to directory authority
|
|
signature download requests. Fixes bug 593. Bugfix on 0.2.0.x.
|
|
- Stop recommending that every server operator send mail to tor-ops.
|
|
Resolves bug 597. Bugfix on 0.1.2.x.
|
|
- Don't trigger an assert if we start a directory authority with a
|
|
private IP address (like 127.0.0.1).
|
|
- Avoid possible failures when generating a directory with routers
|
|
with over-long versions strings, or too many flags set. Bugfix
|
|
on 0.1.2.x.
|
|
- If an attempt to launch a DNS resolve request over the control
|
|
port fails because we have overrun the limit on the number of
|
|
connections, tell the controller that the request has failed.
|
|
- Avoid using too little bandwidth when our clock skips a few
|
|
seconds. Bugfix on 0.1.2.x.
|
|
- Fix shell error when warning about missing packages in configure
|
|
script, on Fedora or Red Hat machines. Bugfix on 0.2.0.x.
|
|
- Do not become confused when receiving a spurious VERSIONS-like
|
|
cell from a confused v1 client. Bugfix on 0.2.0.x.
|
|
- Re-fetch v2 (as well as v0) rendezvous descriptors when all
|
|
introduction points for a hidden service have failed. Patch from
|
|
Karsten Loesing. Bugfix on 0.2.0.x.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Remove some needless generality from cpuworker code, for improved
|
|
type-safety.
|
|
- Stop overloading the circuit_t.onionskin field for both "onionskin
|
|
from a CREATE cell that we are waiting for a cpuworker to be
|
|
assigned" and "onionskin from an EXTEND cell that we are going to
|
|
send to an OR as soon as we are connected". Might help with bug 600.
|
|
- Add an in-place version of aes_crypt() so that we can avoid doing a
|
|
needless memcpy() call on each cell payload.
|
|
|
|
|
|
Changes in version 0.2.0.18-alpha - 2008-01-25
|
|
Tor 0.2.0.18-alpha adds a sixth v3 directory authority run by CCC,
|
|
fixes a big memory leak in 0.2.0.17-alpha, and adds new config options
|
|
that can warn or reject connections to ports generally associated with
|
|
vulnerable-plaintext protocols.
|
|
|
|
o New directory authorities:
|
|
- Set up dannenberg (run by CCC) as the sixth v3 directory
|
|
authority.
|
|
|
|
o Major bugfixes:
|
|
- Fix a major memory leak when attempting to use the v2 TLS
|
|
handshake code. Bugfix on 0.2.0.x; fixes bug 589.
|
|
- We accidentally enabled the under-development v2 TLS handshake
|
|
code, which was causing log entries like "TLS error while
|
|
renegotiating handshake". Disable it again. Resolves bug 590.
|
|
- We were computing the wrong Content-Length: header for directory
|
|
responses that need to be compressed on the fly, causing clients
|
|
asking for those items to always fail. Bugfix on 0.2.0.x; partially
|
|
fixes bug 593.
|
|
|
|
o Major features:
|
|
- Avoid going directly to the directory authorities even if you're a
|
|
relay, if you haven't found yourself reachable yet or if you've
|
|
decided not to advertise your dirport yet. Addresses bug 556.
|
|
- If we've gone 12 hours since our last bandwidth check, and we
|
|
estimate we have less than 50KB bandwidth capacity but we could
|
|
handle more, do another bandwidth test.
|
|
- New config options WarnPlaintextPorts and RejectPlaintextPorts so
|
|
Tor can warn and/or refuse connections to ports commonly used with
|
|
vulnerable-plaintext protocols. Currently we warn on ports 23,
|
|
109, 110, and 143, but we don't reject any.
|
|
|
|
o Minor bugfixes:
|
|
- When we setconf ClientOnly to 1, close any current OR and Dir
|
|
listeners. Reported by mwenge.
|
|
- When we get a consensus that's been signed by more people than
|
|
we expect, don't log about it; it's not a big deal. Reported
|
|
by Kyle Williams.
|
|
|
|
o Minor features:
|
|
- Don't answer "/tor/networkstatus-bridges" directory requests if
|
|
the request isn't encrypted.
|
|
- Make "ClientOnly 1" config option disable directory ports too.
|
|
- Patches from Karsten Loesing to make v2 hidden services more
|
|
robust: work even when there aren't enough HSDir relays available;
|
|
retry when a v2 rend desc fetch fails; but don't retry if we
|
|
already have a usable v0 rend desc.
|
|
|
|
|
|
Changes in version 0.2.0.17-alpha - 2008-01-17
|
|
Tor 0.2.0.17-alpha makes the tarball build cleanly again (whoops).
|
|
|
|
o Compile fixes:
|
|
- Make the tor-gencert man page get included correctly in the tarball.
|
|
|
|
|
|
Changes in version 0.2.0.16-alpha - 2008-01-17
|
|
Tor 0.2.0.16-alpha adds a fifth v3 directory authority run by Karsten
|
|
Loesing, and generally cleans up a lot of features and minor bugs.
|
|
|
|
o New directory authorities:
|
|
- Set up gabelmoo (run by Karsten Loesing) as the fifth v3 directory
|
|
authority.
|
|
|
|
o Major performance improvements:
|
|
- Switch our old ring buffer implementation for one more like that
|
|
used by free Unix kernels. The wasted space in a buffer with 1mb
|
|
of data will now be more like 8k than 1mb. The new implementation
|
|
also avoids realloc();realloc(); patterns that can contribute to
|
|
memory fragmentation.
|
|
|
|
o Minor features:
|
|
- Configuration files now accept C-style strings as values. This
|
|
helps encode characters not allowed in the current configuration
|
|
file format, such as newline or #. Addresses bug 557.
|
|
- Although we fixed bug 539 (where servers would send HTTP status 503
|
|
responses _and_ send a body too), there are still servers out
|
|
there that haven't upgraded. Therefore, make clients parse such
|
|
bodies when they receive them.
|
|
- When we're not serving v2 directory information, there is no reason
|
|
to actually keep any around. Remove the obsolete files and directory
|
|
on startup if they are very old and we aren't going to serve them.
|
|
|
|
o Minor performance improvements:
|
|
- Reference-count and share copies of address policy entries; only 5%
|
|
of them were actually distinct.
|
|
- Never walk through the list of logs if we know that no log is
|
|
interested in a given message.
|
|
|
|
o Minor bugfixes:
|
|
- When an authority has not signed a consensus, do not try to
|
|
download a nonexistent "certificate with key 00000000". Bugfix
|
|
on 0.2.0.x. Fixes bug 569.
|
|
- Fix a rare assert error when we're closing one of our threads:
|
|
use a mutex to protect the list of logs, so we never write to the
|
|
list as it's being freed. Bugfix on 0.1.2.x. Fixes the very rare
|
|
bug 575, which is kind of the revenge of bug 222.
|
|
- Patch from Karsten Loesing to complain less at both the client
|
|
and the relay when a relay used to have the HSDir flag but doesn't
|
|
anymore, and we try to upload a hidden service descriptor.
|
|
- Stop leaking one cert per TLS context. Fixes bug 582. Bugfix on
|
|
0.2.0.15-alpha.
|
|
- Do not try to download missing certificates until we have tried
|
|
to check our fallback consensus. Fixes bug 583.
|
|
- Make bridges round reported GeoIP stats info up to the nearest
|
|
estimate, not down. Now we can distinguish between "0 people from
|
|
this country" and "1 person from this country".
|
|
- Avoid a spurious free on base64 failure. Bugfix on 0.1.2.
|
|
- Avoid possible segfault if key generation fails in
|
|
crypto_pk_hybrid_encrypt. Bugfix on 0.2.0.
|
|
- Avoid segfault in the case where a badly behaved v2 versioning
|
|
directory sends a signed networkstatus with missing client-versions.
|
|
Bugfix on 0.1.2.
|
|
- Avoid segfaults on certain complex invocations of
|
|
router_get_by_hexdigest(). Bugfix on 0.1.2.
|
|
- Correct bad index on array access in parse_http_time(). Bugfix
|
|
on 0.2.0.
|
|
- Fix possible bug in vote generation when server versions are present
|
|
but client versions are not.
|
|
- Fix rare bug on REDIRECTSTREAM control command when called with no
|
|
port set: it could erroneously report an error when none had
|
|
happened.
|
|
- Avoid bogus crash-prone, leak-prone tor_realloc when we're
|
|
compressing large objects and find ourselves with more than 4k
|
|
left over. Bugfix on 0.2.0.
|
|
- Fix a small memory leak when setting up a hidden service.
|
|
- Fix a few memory leaks that could in theory happen under bizarre
|
|
error conditions.
|
|
- Fix an assert if we post a general-purpose descriptor via the
|
|
control port but that descriptor isn't mentioned in our current
|
|
network consensus. Bug reported by Jon McLachlan; bugfix on
|
|
0.2.0.9-alpha.
|
|
|
|
o Minor features (controller):
|
|
- Get NS events working again. Patch from tup.
|
|
- The GETCONF command now escapes and quotes configuration values
|
|
that don't otherwise fit into the torrc file.
|
|
- The SETCONF command now handles quoted values correctly.
|
|
|
|
o Minor features (directory authorities):
|
|
- New configuration options to override default maximum number of
|
|
servers allowed on a single IP address. This is important for
|
|
running a test network on a single host.
|
|
- Actually implement the -s option to tor-gencert.
|
|
- Add a manual page for tor-gencert.
|
|
|
|
o Minor features (bridges):
|
|
- Bridge authorities no longer serve bridge descriptors over
|
|
unencrypted connections.
|
|
|
|
o Minor features (other):
|
|
- Add hidden services and DNSPorts to the list of things that make
|
|
Tor accept that it has running ports. Change starting Tor with no
|
|
ports from a fatal error to a warning; we might change it back if
|
|
this turns out to confuse anybody. Fixes bug 579.
|
|
|
|
|
|
Changes in version 0.1.2.19 - 2008-01-17
|
|
Tor 0.1.2.19 fixes a huge memory leak on exit relays, makes the default
|
|
exit policy a little bit more conservative so it's safer to run an
|
|
exit relay on a home system, and fixes a variety of smaller issues.
|
|
|
|
o Security fixes:
|
|
- Exit policies now reject connections that are addressed to a
|
|
relay's public (external) IP address too, unless
|
|
ExitPolicyRejectPrivate is turned off. We do this because too
|
|
many relays are running nearby to services that trust them based
|
|
on network address.
|
|
|
|
o Major bugfixes:
|
|
- When the clock jumps forward a lot, do not allow the bandwidth
|
|
buckets to become negative. Fixes bug 544.
|
|
- Fix a memory leak on exit relays; we were leaking a cached_resolve_t
|
|
on every successful resolve. Reported by Mike Perry.
|
|
- Purge old entries from the "rephist" database and the hidden
|
|
service descriptor database even when DirPort is zero.
|
|
- Stop thinking that 0.1.2.x directory servers can handle "begin_dir"
|
|
requests. Should ease bugs 406 and 419 where 0.1.2.x relays are
|
|
crashing or mis-answering these requests.
|
|
- When we decide to send a 503 response to a request for servers, do
|
|
not then also send the server descriptors: this defeats the whole
|
|
purpose. Fixes bug 539.
|
|
|
|
o Minor bugfixes:
|
|
- Changing the ExitPolicyRejectPrivate setting should cause us to
|
|
rebuild our server descriptor.
|
|
- Fix handling of hex nicknames when answering controller requests for
|
|
networkstatus by name, or when deciding whether to warn about
|
|
unknown routers in a config option. (Patch from mwenge.)
|
|
- Fix a couple of hard-to-trigger autoconf problems that could result
|
|
in really weird results on platforms whose sys/types.h files define
|
|
nonstandard integer types.
|
|
- Don't try to create the datadir when running --verify-config or
|
|
--hash-password. Resolves bug 540.
|
|
- If we were having problems getting a particular descriptor from the
|
|
directory caches, and then we learned about a new descriptor for
|
|
that router, we weren't resetting our failure count. Reported
|
|
by lodger.
|
|
- Although we fixed bug 539 (where servers would send HTTP status 503
|
|
responses _and_ send a body too), there are still servers out there
|
|
that haven't upgraded. Therefore, make clients parse such bodies
|
|
when they receive them.
|
|
- Run correctly on systems where rlim_t is larger than unsigned long.
|
|
This includes some 64-bit systems.
|
|
- Run correctly on platforms (like some versions of OS X 10.5) where
|
|
the real limit for number of open files is OPEN_FILES, not rlim_max
|
|
from getrlimit(RLIMIT_NOFILES).
|
|
- Avoid a spurious free on base64 failure.
|
|
- Avoid segfaults on certain complex invocations of
|
|
router_get_by_hexdigest().
|
|
- Fix rare bug on REDIRECTSTREAM control command when called with no
|
|
port set: it could erroneously report an error when none had
|
|
happened.
|
|
|
|
|
|
Changes in version 0.2.0.15-alpha - 2007-12-25
|
|
Tor 0.2.0.14-alpha and 0.2.0.15-alpha fix a bunch of bugs with the
|
|
features added in 0.2.0.13-alpha.
|
|
|
|
o Major bugfixes:
|
|
- Fix several remotely triggerable asserts based on DirPort requests
|
|
for a v2 or v3 networkstatus object before we were prepared. This
|
|
was particularly bad for 0.2.0.13 and later bridge relays, who
|
|
would never have a v2 networkstatus and would thus always crash
|
|
when used. Bugfixes on 0.2.0.x.
|
|
- Estimate the v3 networkstatus size more accurately, rather than
|
|
estimating it at zero bytes and giving it artificially high priority
|
|
compared to other directory requests. Bugfix on 0.2.0.x.
|
|
|
|
o Minor bugfixes:
|
|
- Fix configure.in logic for cross-compilation.
|
|
- When we load a bridge descriptor from the cache, and it was
|
|
previously unreachable, mark it as retriable so we won't just
|
|
ignore it. Also, try fetching a new copy immediately. Bugfixes
|
|
on 0.2.0.13-alpha.
|
|
- The bridge GeoIP stats were counting other relays, for example
|
|
self-reachability and authority-reachability tests.
|
|
|
|
o Minor features:
|
|
- Support compilation to target iPhone; patch from cjacker huang.
|
|
To build for iPhone, pass the --enable-iphone option to configure.
|
|
|
|
|
|
Changes in version 0.2.0.14-alpha - 2007-12-23
|
|
o Major bugfixes:
|
|
- Fix a crash on startup if you install Tor 0.2.0.13-alpha fresh
|
|
without a datadirectory from a previous Tor install. Reported
|
|
by Zax.
|
|
- Fix a crash when we fetch a descriptor that turns out to be
|
|
unexpected (it used to be in our networkstatus when we started
|
|
fetching it, but it isn't in our current networkstatus), and we
|
|
aren't using bridges. Bugfix on 0.2.0.x.
|
|
- Fix a crash when accessing hidden services: it would work the first
|
|
time you use a given introduction point for your service, but
|
|
on subsequent requests we'd be using garbage memory. Fixed by
|
|
Karsten Loesing. Bugfix on 0.2.0.13-alpha.
|
|
- Fix a crash when we load a bridge descriptor from disk but we don't
|
|
currently have a Bridge line for it in our torrc. Bugfix on
|
|
0.2.0.13-alpha.
|
|
|
|
o Major features:
|
|
- If bridge authorities set BridgePassword, they will serve a
|
|
snapshot of known bridge routerstatuses from their DirPort to
|
|
anybody who knows that password. Unset by default.
|
|
|
|
o Minor bugfixes:
|
|
- Make the unit tests build again.
|
|
- Make "GETINFO/desc-annotations/id/<OR digest>" actually work.
|
|
- Make PublishServerDescriptor default to 1, so the default doesn't
|
|
have to change as we invent new directory protocol versions.
|
|
- Fix test for rlim_t on OSX 10.3: sys/resource.h doesn't want to
|
|
be included unless sys/time.h is already included. Fixes
|
|
bug 553. Bugfix on 0.2.0.x.
|
|
- If we receive a general-purpose descriptor and then receive an
|
|
identical bridge-purpose descriptor soon after, don't discard
|
|
the next one as a duplicate.
|
|
|
|
o Minor features:
|
|
- If BridgeRelay is set to 1, then the default for
|
|
PublishServerDescriptor is now "bridge" rather than "v2,v3".
|
|
- If the user sets RelayBandwidthRate but doesn't set
|
|
RelayBandwidthBurst, then make them equal rather than erroring out.
|
|
|
|
|
|
Changes in version 0.2.0.13-alpha - 2007-12-21
|
|
Tor 0.2.0.13-alpha adds a fourth v3 directory authority run by Geoff
|
|
Goodell, fixes many more bugs, and adds a lot of infrastructure for
|
|
upcoming features.
|
|
|
|
o New directory authorities:
|
|
- Set up lefkada (run by Geoff Goodell) as the fourth v3 directory
|
|
authority.
|
|
|
|
o Major bugfixes:
|
|
- Only update guard status (usable / not usable) once we have
|
|
enough directory information. This was causing us to always pick
|
|
two new guards on startup (bugfix on 0.2.0.9-alpha), and it was
|
|
causing us to discard all our guards on startup if we hadn't been
|
|
running for a few weeks (bugfix on 0.1.2.x). Fixes bug 448.
|
|
- Purge old entries from the "rephist" database and the hidden
|
|
service descriptor databases even when DirPort is zero. Bugfix
|
|
on 0.1.2.x.
|
|
- We were ignoring our RelayBandwidthRate for the first 30 seconds
|
|
after opening a circuit -- even a relayed circuit. Bugfix on
|
|
0.2.0.3-alpha.
|
|
- Stop thinking that 0.1.2.x directory servers can handle "begin_dir"
|
|
requests. Should ease bugs 406 and 419 where 0.1.2.x relays are
|
|
crashing or mis-answering these types of requests.
|
|
- Relays were publishing their server descriptor to v1 and v2
|
|
directory authorities, but they didn't try publishing to v3-only
|
|
authorities. Fix this; and also stop publishing to v1 authorities.
|
|
Bugfix on 0.2.0.x.
|
|
- When we were reading router descriptors from cache, we were ignoring
|
|
the annotations -- so for example we were reading in bridge-purpose
|
|
descriptors as general-purpose descriptors. Bugfix on 0.2.0.8-alpha.
|
|
- When we decided to send a 503 response to a request for servers, we
|
|
were then also sending the server descriptors: this defeats the
|
|
whole purpose. Fixes bug 539; bugfix on 0.1.2.x.
|
|
|
|
o Major features:
|
|
- Bridge relays now behave like clients with respect to time
|
|
intervals for downloading new consensus documents -- otherwise they
|
|
stand out. Bridge users now wait until the end of the interval,
|
|
so their bridge relay will be sure to have a new consensus document.
|
|
- Three new config options (AlternateDirAuthority,
|
|
AlternateBridgeAuthority, and AlternateHSAuthority) that let the
|
|
user selectively replace the default directory authorities by type,
|
|
rather than the all-or-nothing replacement that DirServer offers.
|
|
- Tor can now be configured to read a GeoIP file from disk in one
|
|
of two formats. This can be used by controllers to map IP addresses
|
|
to countries. Eventually, it may support exit-by-country.
|
|
- When possible, bridge relays remember which countries users
|
|
are coming from, and report aggregate information in their
|
|
extra-info documents, so that the bridge authorities can learn
|
|
where Tor is blocked.
|
|
- Bridge directory authorities now do reachability testing on the
|
|
bridges they know. They provide router status summaries to the
|
|
controller via "getinfo ns/purpose/bridge", and also dump summaries
|
|
to a file periodically.
|
|
- Stop fetching directory info so aggressively if your DirPort is
|
|
on but your ORPort is off; stop fetching v2 dir info entirely.
|
|
You can override these choices with the new FetchDirInfoEarly
|
|
config option.
|
|
|
|
o Minor bugfixes:
|
|
- The fix in 0.2.0.12-alpha cleared the "hsdir" flag in v3 network
|
|
consensus documents when there are too many relays at a single
|
|
IP address. Now clear it in v2 network status documents too, and
|
|
also clear it in routerinfo_t when the relay is no longer listed
|
|
in the relevant networkstatus document.
|
|
- Don't crash if we get an unexpected value for the
|
|
PublishServerDescriptor config option. Reported by Matt Edman;
|
|
bugfix on 0.2.0.9-alpha.
|
|
- Our new v2 hidden service descriptor format allows descriptors
|
|
that have no introduction points. But Tor crashed when we tried
|
|
to build a descriptor with no intro points (and it would have
|
|
crashed if we had tried to parse one). Bugfix on 0.2.0.x; patch
|
|
by Karsten Loesing.
|
|
- Fix building with dmalloc 5.5.2 with glibc.
|
|
- Reject uploaded descriptors and extrainfo documents if they're
|
|
huge. Otherwise we'll cache them all over the network and it'll
|
|
clog everything up. Reported by Aljosha Judmayer.
|
|
- Check for presence of s6_addr16 and s6_addr32 fields in in6_addr
|
|
via autoconf. Should fix compile on solaris. Bugfix on 0.2.0.x.
|
|
- When the DANGEROUS_VERSION controller status event told us we're
|
|
running an obsolete version, it used the string "OLD" to describe
|
|
it. Yet the "getinfo" interface used the string "OBSOLETE". Now use
|
|
"OBSOLETE" in both cases. Bugfix on 0.1.2.x.
|
|
- If we can't expand our list of entry guards (e.g. because we're
|
|
using bridges or we have StrictEntryNodes set), don't mark relays
|
|
down when they fail a directory request. Otherwise we're too quick
|
|
to mark all our entry points down. Bugfix on 0.1.2.x.
|
|
- Fix handling of hex nicknames when answering controller requests for
|
|
networkstatus by name, or when deciding whether to warn about unknown
|
|
routers in a config option. Bugfix on 0.1.2.x. (Patch from mwenge.)
|
|
- Fix a couple of hard-to-trigger autoconf problems that could result
|
|
in really weird results on platforms whose sys/types.h files define
|
|
nonstandard integer types. Bugfix on 0.1.2.x.
|
|
- Fix compilation with --disable-threads set. Bugfix on 0.2.0.x.
|
|
- Don't crash on name lookup when we have no current consensus. Fixes
|
|
bug 538; bugfix on 0.2.0.x.
|
|
- Only Tors that want to mirror the v2 directory info should
|
|
create the "cached-status" directory in their datadir. (All Tors
|
|
used to create it.) Bugfix on 0.2.0.9-alpha.
|
|
- Directory authorities should only automatically download Extra Info
|
|
documents if they're v1, v2, or v3 authorities. Bugfix on 0.1.2.x.
|
|
|
|
o Minor features:
|
|
- On the USR1 signal, when dmalloc is in use, log the top 10 memory
|
|
consumers. (We already do this on HUP.)
|
|
- Authorities and caches fetch the v2 networkstatus documents
|
|
less often, now that v3 is encouraged.
|
|
- Add a new config option BridgeRelay that specifies you want to
|
|
be a bridge relay. Right now the only difference is that it makes
|
|
you answer begin_dir requests, and it makes you cache dir info,
|
|
even if your DirPort isn't on.
|
|
- Add "GETINFO/desc-annotations/id/<OR digest>" so controllers can
|
|
ask about source, timestamp of arrival, purpose, etc. We need
|
|
something like this to help Vidalia not do GeoIP lookups on bridge
|
|
addresses.
|
|
- Allow multiple HashedControlPassword config lines, to support
|
|
multiple controller passwords.
|
|
- Authorities now decide whether they're authoritative for a given
|
|
router based on the router's purpose.
|
|
- New config options AuthDirBadDir and AuthDirListBadDirs for
|
|
authorities to mark certain relays as "bad directories" in the
|
|
networkstatus documents. Also supports the "!baddir" directive in
|
|
the approved-routers file.
|
|
|
|
|
|
Changes in version 0.2.0.12-alpha - 2007-11-16
|
|
This twelfth development snapshot fixes some more build problems as
|
|
well as a few minor bugs.
|
|
|
|
o Compile fixes:
|
|
- Make it build on OpenBSD again. Patch from tup.
|
|
- Substitute BINDIR and LOCALSTATEDIR in scripts. Fixes
|
|
package-building for Red Hat, OS X, etc.
|
|
|
|
o Minor bugfixes (on 0.1.2.x):
|
|
- Changing the ExitPolicyRejectPrivate setting should cause us to
|
|
rebuild our server descriptor.
|
|
|
|
o Minor bugfixes (on 0.2.0.x):
|
|
- When we're lacking a consensus, don't try to perform rendezvous
|
|
operations. Reported by Karsten Loesing.
|
|
- Fix a small memory leak whenever we decide against using a
|
|
newly picked entry guard. Reported by Mike Perry.
|
|
- When authorities detected more than two relays running on the same
|
|
IP address, they were clearing all the status flags but forgetting
|
|
to clear the "hsdir" flag. So clients were being told that a
|
|
given relay was the right choice for a v2 hsdir lookup, yet they
|
|
never had its descriptor because it was marked as 'not running'
|
|
in the consensus.
|
|
- If we're trying to fetch a bridge descriptor and there's no way
|
|
the bridge authority could help us (for example, we don't know
|
|
a digest, or there is no bridge authority), don't be so eager to
|
|
fall back to asking the bridge authority.
|
|
- If we're using bridges or have strictentrynodes set, and our
|
|
chosen exit is in the same family as all our bridges/entry guards,
|
|
then be flexible about families.
|
|
|
|
o Minor features:
|
|
- When we negotiate a v2 link-layer connection (not yet implemented),
|
|
accept RELAY_EARLY cells and turn them into RELAY cells if we've
|
|
negotiated a v1 connection for their next step. Initial code for
|
|
proposal 110.
|
|
|
|
|
|
Changes in version 0.2.0.11-alpha - 2007-11-12
|
|
This eleventh development snapshot fixes some build problems with
|
|
the previous snapshot. It also includes a more secure-by-default exit
|
|
policy for relays, fixes an enormous memory leak for exit relays, and
|
|
fixes another bug where servers were falling out of the directory list.
|
|
|
|
o Security fixes:
|
|
- Exit policies now reject connections that are addressed to a
|
|
relay's public (external) IP address too, unless
|
|
ExitPolicyRejectPrivate is turned off. We do this because too
|
|
many relays are running nearby to services that trust them based
|
|
on network address. Bugfix on 0.1.2.x.
|
|
|
|
o Major bugfixes:
|
|
- Fix a memory leak on exit relays; we were leaking a cached_resolve_t
|
|
on every successful resolve. Reported by Mike Perry; bugfix
|
|
on 0.1.2.x.
|
|
- On authorities, never downgrade to old router descriptors simply
|
|
because they're listed in the consensus. This created a catch-22
|
|
where we wouldn't list a new descriptor because there was an
|
|
old one in the consensus, and we couldn't get the new one in the
|
|
consensus because we wouldn't list it. Possible fix for bug 548.
|
|
Also, this might cause bug 543 to appear on authorities; if so,
|
|
we'll need a band-aid for that. Bugfix on 0.2.0.9-alpha.
|
|
|
|
o Packaging fixes on 0.2.0.10-alpha:
|
|
- We were including instructions about what to do with the
|
|
src/config/fallback-consensus file, but we weren't actually
|
|
including it in the tarball. Disable all of that for now.
|
|
|
|
o Minor features:
|
|
- Allow people to say PreferTunnelledDirConns rather than
|
|
PreferTunneledDirConns, for those alternate-spellers out there.
|
|
|
|
o Minor bugfixes:
|
|
- Don't reevaluate all the information from our consensus document
|
|
just because we've downloaded a v2 networkstatus that we intend
|
|
to cache. Fixes bug 545; bugfix on 0.2.0.x.
|
|
|
|
|
|
Changes in version 0.2.0.10-alpha - 2007-11-10
|
|
This tenth development snapshot adds a third v3 directory authority
|
|
run by Mike Perry, adds most of Karsten Loesing's new hidden service
|
|
descriptor format, fixes a bad crash bug and new bridge bugs introduced
|
|
in 0.2.0.9-alpha, fixes many bugs with the v3 directory implementation,
|
|
fixes some minor memory leaks in previous 0.2.0.x snapshots, and
|
|
addresses many more minor issues.
|
|
|
|
o New directory authorities:
|
|
- Set up ides (run by Mike Perry) as the third v3 directory authority.
|
|
|
|
o Major features:
|
|
- Allow tunnelled directory connections to ask for an encrypted
|
|
"begin_dir" connection or an anonymized "uses a full Tor circuit"
|
|
connection independently. Now we can make anonymized begin_dir
|
|
connections for (e.g.) more secure hidden service posting and
|
|
fetching.
|
|
- More progress on proposal 114: code from Karsten Loesing to
|
|
implement new hidden service descriptor format.
|
|
- Raise the default BandwidthRate/BandwidthBurst to 5MB/10MB, to
|
|
accommodate the growing number of servers that use the default
|
|
and are reaching it.
|
|
- Directory authorities use a new formula for selecting which nodes
|
|
to advertise as Guards: they must be in the top 7/8 in terms of
|
|
how long we have known about them, and above the median of those
|
|
nodes in terms of weighted fractional uptime.
|
|
- Make "not enough dir info yet" warnings describe *why* Tor feels
|
|
it doesn't have enough directory info yet.
|
|
|
|
o Major bugfixes:
|
|
- Stop servers from crashing if they set a Family option (or
|
|
maybe in other situations too). Bugfix on 0.2.0.9-alpha; reported
|
|
by Fabian Keil.
|
|
- Make bridge users work again -- the move to v3 directories in
|
|
0.2.0.9-alpha had introduced a number of bugs that made bridges
|
|
no longer work for clients.
|
|
- When the clock jumps forward a lot, do not allow the bandwidth
|
|
buckets to become negative. Bugfix on 0.1.2.x; fixes bug 544.
|
|
|
|
o Major bugfixes (v3 dir, bugfixes on 0.2.0.9-alpha):
|
|
- When the consensus lists a router descriptor that we previously were
|
|
mirroring, but that we considered non-canonical, reload the
|
|
descriptor as canonical. This fixes bug 543 where Tor servers
|
|
would start complaining after a few days that they don't have
|
|
enough directory information to build a circuit.
|
|
- Consider replacing the current consensus when certificates arrive
|
|
that make the pending consensus valid. Previously, we were only
|
|
considering replacement when the new certs _didn't_ help.
|
|
- Fix an assert error on startup if we didn't already have the
|
|
consensus and certs cached in our datadirectory: we were caching
|
|
the consensus in consensus_waiting_for_certs but then free'ing it
|
|
right after.
|
|
- Avoid sending a request for "keys/fp" (for which we'll get a 400 Bad
|
|
Request) if we need more v3 certs but we've already got pending
|
|
requests for all of them.
|
|
- Correctly back off from failing certificate downloads. Fixes
|
|
bug 546.
|
|
- Authorities don't vote on the Running flag if they have been running
|
|
for less than 30 minutes themselves. Fixes bug 547, where a newly
|
|
started authority would vote that everyone was down.
|
|
|
|
o New requirements:
|
|
- Drop support for OpenSSL version 0.9.6. Just about nobody was using
|
|
it, it had no AES, and it hasn't seen any security patches since
|
|
2004.
|
|
|
|
o Minor features:
|
|
- Clients now hold circuitless TLS connections open for 1.5 times
|
|
MaxCircuitDirtiness (15 minutes), since it is likely that they'll
|
|
rebuild a new circuit over them within that timeframe. Previously,
|
|
they held them open only for KeepalivePeriod (5 minutes).
|
|
- Use "If-Modified-Since" to avoid retrieving consensus
|
|
networkstatuses that we already have.
|
|
- When we have no consensus, check FallbackNetworkstatusFile (defaults
|
|
to $PREFIX/share/tor/fallback-consensus) for a consensus. This way
|
|
we start knowing some directory caches.
|
|
- When we receive a consensus from the future, warn about skew.
|
|
- Improve skew reporting: try to give the user a better log message
|
|
about how skewed they are, and how much this matters.
|
|
- When we have a certificate for an authority, believe that
|
|
certificate's claims about the authority's IP address.
|
|
- New --quiet command-line option to suppress the default console log.
|
|
Good in combination with --hash-password.
|
|
- Authorities send back an X-Descriptor-Not-New header in response to
|
|
an accepted-but-discarded descriptor upload. Partially implements
|
|
fix for bug 535.
|
|
- Make the log message for "tls error. breaking." more useful.
|
|
- Better log messages about certificate downloads, to attempt to
|
|
track down the second incarnation of bug 546.
|
|
|
|
o Minor features (bridges):
|
|
- If bridge users set UpdateBridgesFromAuthority, but the digest
|
|
they ask for is a 404 from the bridge authority, they now fall
|
|
back to trying the bridge directly.
|
|
- Bridges now use begin_dir to publish their server descriptor to
|
|
the bridge authority, even when they haven't set TunnelDirConns.
|
|
|
|
o Minor features (controller):
|
|
- When reporting clock skew, and we know that the clock is _at least
|
|
as skewed_ as some value, but we don't know the actual value,
|
|
report the value as a "minimum skew."
|
|
|
|
o Utilities:
|
|
- Update linux-tor-prio.sh script to allow QoS based on the uid of
|
|
the Tor process. Patch from Marco Bonetti with tweaks from Mike
|
|
Perry.
|
|
|
|
o Minor bugfixes:
|
|
- Refuse to start if both ORPort and UseBridges are set. Bugfix
|
|
on 0.2.0.x, suggested by Matt Edman.
|
|
- Don't stop fetching descriptors when FetchUselessDescriptors is
|
|
set, even if we stop asking for circuits. Bugfix on 0.1.2.x;
|
|
reported by tup and ioerror.
|
|
- Better log message on vote from unknown authority.
|
|
- Don't log "Launching 0 request for 0 router" message.
|
|
|
|
o Minor bugfixes (memory leaks):
|
|
- Stop leaking memory every time we parse a v3 certificate. Bugfix
|
|
on 0.2.0.1-alpha.
|
|
- Stop leaking memory every time we load a v3 certificate. Bugfix
|
|
on 0.2.0.1-alpha. Fixes bug 536.
|
|
- Stop leaking a cached networkstatus on exit. Bugfix on
|
|
0.2.0.3-alpha.
|
|
- Stop leaking voter information every time we free a consensus.
|
|
Bugfix on 0.2.0.3-alpha.
|
|
- Stop leaking signed data every time we check a voter signature.
|
|
Bugfix on 0.2.0.3-alpha.
|
|
- Stop leaking a signature every time we fail to parse a consensus or
|
|
a vote. Bugfix on 0.2.0.3-alpha.
|
|
- Stop leaking v2_download_status_map on shutdown. Bugfix on
|
|
0.2.0.9-alpha.
|
|
- Stop leaking conn->nickname every time we make a connection to a
|
|
Tor relay without knowing its expected identity digest (e.g. when
|
|
using bridges). Bugfix on 0.2.0.3-alpha.
|
|
|
|
- Minor bugfixes (portability):
|
|
- Run correctly on platforms where rlim_t is larger than unsigned
|
|
long, and/or where the real limit for number of open files is
|
|
OPEN_FILES, not rlim_max from getrlimit(RLIMIT_NOFILES). In
|
|
particular, these may be needed for OS X 10.5.
|
|
|
|
|
|
Changes in version 0.1.2.18 - 2007-10-28
|
|
Tor 0.1.2.18 fixes many problems including crash bugs, problems with
|
|
hidden service introduction that were causing huge delays, and a big
|
|
bug that was causing some servers to disappear from the network status
|
|
lists for a few hours each day.
|
|
|
|
o Major bugfixes (crashes):
|
|
- If a connection is shut down abruptly because of something that
|
|
happened inside connection_flushed_some(), do not call
|
|
connection_finished_flushing(). Should fix bug 451:
|
|
"connection_stop_writing: Assertion conn->write_event failed"
|
|
Bugfix on 0.1.2.7-alpha.
|
|
- Fix possible segfaults in functions called from
|
|
rend_process_relay_cell().
|
|
|
|
o Major bugfixes (hidden services):
|
|
- Hidden services were choosing introduction points uniquely by
|
|
hexdigest, but when constructing the hidden service descriptor
|
|
they merely wrote the (potentially ambiguous) nickname.
|
|
- Clients now use the v2 intro format for hidden service
|
|
connections: they specify their chosen rendezvous point by identity
|
|
digest rather than by (potentially ambiguous) nickname. These
|
|
changes could speed up hidden service connections dramatically.
|
|
|
|
o Major bugfixes (other):
|
|
- Stop publishing a new server descriptor just because we get a
|
|
HUP signal. This led (in a roundabout way) to some servers getting
|
|
dropped from the networkstatus lists for a few hours each day.
|
|
- When looking for a circuit to cannibalize, consider family as well
|
|
as identity. Fixes bug 438. Bugfix on 0.1.0.x (which introduced
|
|
circuit cannibalization).
|
|
- When a router wasn't listed in a new networkstatus, we were leaving
|
|
the flags for that router alone -- meaning it remained Named,
|
|
Running, etc -- even though absence from the networkstatus means
|
|
that it shouldn't be considered to exist at all anymore. Now we
|
|
clear all the flags for routers that fall out of the networkstatus
|
|
consensus. Fixes bug 529.
|
|
|
|
o Minor bugfixes:
|
|
- Don't try to access (or alter) the state file when running
|
|
--list-fingerprint or --verify-config or --hash-password. Resolves
|
|
bug 499.
|
|
- When generating information telling us how to extend to a given
|
|
router, do not try to include the nickname if it is
|
|
absent. Resolves bug 467.
|
|
- Fix a user-triggerable segfault in expand_filename(). (There isn't
|
|
a way to trigger this remotely.)
|
|
- When sending a status event to the controller telling it that an
|
|
OR address is reachable, set the port correctly. (Previously we
|
|
were reporting the dir port.)
|
|
- Fix a minor memory leak whenever a controller sends the PROTOCOLINFO
|
|
command. Bugfix on 0.1.2.17.
|
|
- When loading bandwidth history, do not believe any information in
|
|
the future. Fixes bug 434.
|
|
- When loading entry guard information, do not believe any information
|
|
in the future.
|
|
- When we have our clock set far in the future and generate an
|
|
onion key, then re-set our clock to be correct, we should not stop
|
|
the onion key from getting rotated.
|
|
- On some platforms, accept() can return a broken address. Detect
|
|
this more quietly, and deal accordingly. Fixes bug 483.
|
|
- It's not actually an error to find a non-pending entry in the DNS
|
|
cache when canceling a pending resolve. Don't log unless stuff
|
|
is fishy. Resolves bug 463.
|
|
- Don't reset trusted dir server list when we set a configuration
|
|
option. Patch from Robert Hogan.
|
|
- Don't try to create the datadir when running --verify-config or
|
|
--hash-password. Resolves bug 540.
|
|
|
|
|
|
Changes in version 0.2.0.9-alpha - 2007-10-24
|
|
This ninth development snapshot switches clients to the new v3 directory
|
|
system; allows servers to be listed in the network status even when they
|
|
have the same nickname as a registered server; and fixes many other
|
|
bugs including a big one that was causing some servers to disappear
|
|
from the network status lists for a few hours each day.
|
|
|
|
o Major features (directory system):
|
|
- Clients now download v3 consensus networkstatus documents instead
|
|
of v2 networkstatus documents. Clients and caches now base their
|
|
opinions about routers on these consensus documents. Clients only
|
|
download router descriptors listed in the consensus.
|
|
- Authorities now list servers who have the same nickname as
|
|
a different named server, but list them with a new flag,
|
|
"Unnamed". Now we can list servers that happen to pick the same
|
|
nickname as a server that registered two years ago and then
|
|
disappeared. Partially implements proposal 122.
|
|
- If the consensus lists a router as "Unnamed", the name is assigned
|
|
to a different router: do not identify the router by that name.
|
|
Partially implements proposal 122.
|
|
- Authorities can now come to a consensus on which method to use to
|
|
compute the consensus. This gives us forward compatibility.
|
|
|
|
o Major bugfixes:
|
|
- Stop publishing a new server descriptor just because we HUP or
|
|
when we find our DirPort to be reachable but won't actually publish
|
|
it. New descriptors without any real changes are dropped by the
|
|
authorities, and can screw up our "publish every 18 hours" schedule.
|
|
Bugfix on 0.1.2.x.
|
|
- When a router wasn't listed in a new networkstatus, we were leaving
|
|
the flags for that router alone -- meaning it remained Named,
|
|
Running, etc -- even though absence from the networkstatus means
|
|
that it shouldn't be considered to exist at all anymore. Now we
|
|
clear all the flags for routers that fall out of the networkstatus
|
|
consensus. Fixes bug 529; bugfix on 0.1.2.x.
|
|
- Fix awful behavior in DownloadExtraInfo option where we'd fetch
|
|
extrainfo documents and then discard them immediately for not
|
|
matching the latest router. Bugfix on 0.2.0.1-alpha.
|
|
|
|
o Minor features (v3 directory protocol):
|
|
- Allow tor-gencert to generate a new certificate without replacing
|
|
the signing key.
|
|
- Allow certificates to include an address.
|
|
- When we change our directory-cache settings, reschedule all voting
|
|
and download operations.
|
|
- Reattempt certificate downloads immediately on failure, as long as
|
|
we haven't failed a threshold number of times yet.
|
|
- Delay retrying consensus downloads while we're downloading
|
|
certificates to verify the one we just got. Also, count getting a
|
|
consensus that we already have (or one that isn't valid) as a failure,
|
|
and count failing to get the certificates after 20 minutes as a
|
|
failure.
|
|
- Build circuits and download descriptors even if our consensus is a
|
|
little expired. (This feature will go away once authorities are
|
|
more reliable.)
|
|
|
|
o Minor features (router descriptor cache):
|
|
- If we find a cached-routers file that's been sitting around for more
|
|
than 28 days unmodified, then most likely it's a leftover from
|
|
when we upgraded to 0.2.0.8-alpha. Remove it. It has no good
|
|
routers anyway.
|
|
- When we (as a cache) download a descriptor because it was listed
|
|
in a consensus, remember when the consensus was supposed to expire,
|
|
and don't expire the descriptor until then.
|
|
|
|
o Minor features (performance):
|
|
- Call routerlist_remove_old_routers() much less often. This should
|
|
speed startup, especially on directory caches.
|
|
- Don't try to launch new descriptor downloads quite so often when we
|
|
already have enough directory information to build circuits.
|
|
- Base64 decoding was actually showing up on our profile when parsing
|
|
the initial descriptor file; switch to an in-process all-at-once
|
|
implementation that's about 3.5x times faster than calling out to
|
|
OpenSSL.
|
|
|
|
o Minor features (compilation):
|
|
- Detect non-ASCII platforms (if any still exist) and refuse to
|
|
build there: some of our code assumes that 'A' is 65 and so on.
|
|
|
|
o Minor bugfixes (v3 directory authorities, bugfixes on 0.2.0.x):
|
|
- Make the "next period" votes into "current period" votes immediately
|
|
after publishing the consensus; avoid a heisenbug that made them
|
|
stick around indefinitely.
|
|
- When we discard a vote as a duplicate, do not report this as
|
|
an error.
|
|
- Treat missing v3 keys or certificates as an error when running as a
|
|
v3 directory authority.
|
|
- When we're configured to be a v3 authority, but we're only listed
|
|
as a non-v3 authority in our DirServer line for ourself, correct
|
|
the listing.
|
|
- If an authority doesn't have a qualified hostname, just put
|
|
its address in the vote. This fixes the problem where we referred to
|
|
"moria on moria:9031."
|
|
- Distinguish between detached signatures for the wrong period, and
|
|
detached signatures for a divergent vote.
|
|
- Fix a small memory leak when computing a consensus.
|
|
- When there's no concensus, we were forming a vote every 30
|
|
minutes, but writing the "valid-after" line in our vote based
|
|
on our configured V3AuthVotingInterval: so unless the intervals
|
|
matched up, we immediately rejected our own vote because it didn't
|
|
start at the voting interval that caused us to construct a vote.
|
|
|
|
o Minor bugfixes (v3 directory protocol, bugfixes on 0.2.0.x):
|
|
- Delete unverified-consensus when the real consensus is set.
|
|
- Consider retrying a consensus networkstatus fetch immediately
|
|
after one fails: don't wait 60 seconds to notice.
|
|
- When fetching a consensus as a cache, wait until a newer consensus
|
|
should exist before trying to replace the current one.
|
|
- Use a more forgiving schedule for retrying failed consensus
|
|
downloads than for other types.
|
|
|
|
o Minor bugfixes (other directory issues):
|
|
- Correct the implementation of "download votes by digest." Bugfix on
|
|
0.2.0.8-alpha.
|
|
- Authorities no longer send back "400 you're unreachable please fix
|
|
it" errors to Tor servers that aren't online all the time. We're
|
|
supposed to tolerate these servers now. Bugfix on 0.1.2.x.
|
|
|
|
o Minor bugfixes (controller):
|
|
- Don't reset trusted dir server list when we set a configuration
|
|
option. Patch from Robert Hogan; bugfix on 0.1.2.x.
|
|
- Respond to INT and TERM SIGNAL commands before we execute the
|
|
signal, in case the signal shuts us down. We had a patch in
|
|
0.1.2.1-alpha that tried to do this by queueing the response on
|
|
the connection's buffer before shutting down, but that really
|
|
isn't the same thing at all. Bug located by Matt Edman.
|
|
|
|
o Minor bugfixes (misc):
|
|
- Correctly check for bad options to the "PublishServerDescriptor"
|
|
config option. Bugfix on 0.2.0.1-alpha; reported by Matt Edman.
|
|
- Stop leaking memory on failing case of base32_decode, and make
|
|
it accept upper-case letters. Bugfixes on 0.2.0.7-alpha.
|
|
- Don't try to download extrainfo documents when we're trying to
|
|
fetch enough directory info to build a circuit: having enough
|
|
info should get priority. Bugfix on 0.2.0.x.
|
|
- Don't complain that "your server has not managed to confirm that its
|
|
ports are reachable" if we haven't been able to build any circuits
|
|
yet. Bug found by spending four hours without a v3 consensus. Bugfix
|
|
on 0.1.2.x.
|
|
- Detect the reason for failing to mmap a descriptor file we just
|
|
wrote, and give a more useful log message. Fixes bug 533. Bugfix
|
|
on 0.1.2.x.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Remove support for the old bw_accounting file: we've been storing
|
|
bandwidth accounting information in the state file since
|
|
0.1.2.5-alpha. This may result in bandwidth accounting errors
|
|
if you try to upgrade from 0.1.1.x or earlier, or if you try to
|
|
downgrade to 0.1.1.x or earlier.
|
|
- New convenience code to locate a file within the DataDirectory.
|
|
- Move non-authority functionality out of dirvote.c.
|
|
- Refactor the arguments for router_pick_{directory_|trusteddir}server
|
|
so that they all take the same named flags.
|
|
|
|
o Utilities
|
|
- Include the "tor-ctrl.sh" bash script by Stefan Behte to provide
|
|
Unix users an easy way to script their Tor process (e.g. by
|
|
adjusting bandwidth based on the time of the day).
|
|
|
|
|
|
Changes in version 0.2.0.8-alpha - 2007-10-12
|
|
This eighth development snapshot fixes a crash bug that's been bothering
|
|
us since February 2007, lets bridge authorities store a list of bridge
|
|
descriptors they've seen, gets v3 directory voting closer to working,
|
|
starts caching v3 directory consensus documents on directory mirrors,
|
|
and fixes a variety of smaller issues including some minor memory leaks.
|
|
|
|
o Major features (router descriptor cache):
|
|
- Store routers in a file called cached-descriptors instead of in
|
|
cached-routers. Initialize cached-descriptors from cached-routers
|
|
if the old format is around. The new format allows us to store
|
|
annotations along with descriptors.
|
|
- Use annotations to record the time we received each descriptor, its
|
|
source, and its purpose.
|
|
- Disable the SETROUTERPURPOSE controller command: it is now
|
|
obsolete.
|
|
- Controllers should now specify cache=no or cache=yes when using
|
|
the +POSTDESCRIPTOR command.
|
|
- Bridge authorities now write bridge descriptors to disk, meaning
|
|
we can export them to other programs and begin distributing them
|
|
to blocked users.
|
|
|
|
o Major features (directory authorities):
|
|
- When a v3 authority is missing votes or signatures, it now tries
|
|
to fetch them.
|
|
- Directory authorities track weighted fractional uptime as well as
|
|
weighted mean-time-between failures. WFU is suitable for deciding
|
|
whether a node is "usually up", while MTBF is suitable for deciding
|
|
whether a node is "likely to stay up." We need both, because
|
|
"usually up" is a good requirement for guards, while "likely to
|
|
stay up" is a good requirement for long-lived connections.
|
|
|
|
o Major features (v3 directory system):
|
|
- Caches now download v3 network status documents as needed,
|
|
and download the descriptors listed in them.
|
|
- All hosts now attempt to download and keep fresh v3 authority
|
|
certificates, and re-attempt after failures.
|
|
- More internal-consistency checks for vote parsing.
|
|
|
|
o Major bugfixes (crashes):
|
|
- If a connection is shut down abruptly because of something that
|
|
happened inside connection_flushed_some(), do not call
|
|
connection_finished_flushing(). Should fix bug 451. Bugfix on
|
|
0.1.2.7-alpha.
|
|
|
|
o Major bugfixes (performance):
|
|
- Fix really bad O(n^2) performance when parsing a long list of
|
|
routers: Instead of searching the entire list for an "extra-info "
|
|
string which usually wasn't there, once for every routerinfo
|
|
we read, just scan lines forward until we find one we like.
|
|
Bugfix on 0.2.0.1.
|
|
- When we add data to a write buffer in response to the data on that
|
|
write buffer getting low because of a flush, do not consider the
|
|
newly added data as a candidate for immediate flushing, but rather
|
|
make it wait until the next round of writing. Otherwise, we flush
|
|
and refill recursively, and a single greedy TLS connection can
|
|
eat all of our bandwidth. Bugfix on 0.1.2.7-alpha.
|
|
|
|
o Minor features (v3 authority system):
|
|
- Add more ways for tools to download the votes that lead to the
|
|
current consensus.
|
|
- Send a 503 when low on bandwidth and a vote, consensus, or
|
|
certificate is requested.
|
|
- If-modified-since is now implemented properly for all kinds of
|
|
certificate requests.
|
|
|
|
o Minor bugfixes (network statuses):
|
|
- Tweak the implementation of proposal 109 slightly: allow at most
|
|
two Tor servers on the same IP address, except if it's the location
|
|
of a directory authority, in which case allow five. Bugfix on
|
|
0.2.0.3-alpha.
|
|
|
|
o Minor bugfixes (controller):
|
|
- When sending a status event to the controller telling it that an
|
|
OR address is reachable, set the port correctly. (Previously we
|
|
were reporting the dir port.) Bugfix on 0.1.2.x.
|
|
|
|
o Minor bugfixes (v3 directory system):
|
|
- Fix logic to look up a cert by its signing key digest. Bugfix on
|
|
0.2.0.7-alpha.
|
|
- Only change the reply to a vote to "OK" if it's not already
|
|
set. This gets rid of annoying "400 OK" log messages, which may
|
|
have been masking some deeper issue. Bugfix on 0.2.0.7-alpha.
|
|
- When we get a valid consensus, recompute the voting schedule.
|
|
- Base the valid-after time of a vote on the consensus voting
|
|
schedule, not on our preferred schedule.
|
|
- Make the return values and messages from signature uploads and
|
|
downloads more sensible.
|
|
- Fix a memory leak when serving votes and consensus documents, and
|
|
another when serving certificates.
|
|
|
|
o Minor bugfixes (performance):
|
|
- Use a slightly simpler string hashing algorithm (copying Python's
|
|
instead of Java's) and optimize our digest hashing algorithm to take
|
|
advantage of 64-bit platforms and to remove some possibly-costly
|
|
voodoo.
|
|
- Fix a minor memory leak whenever we parse guards from our state
|
|
file. Bugfix on 0.2.0.7-alpha.
|
|
- Fix a minor memory leak whenever we write out a file. Bugfix on
|
|
0.2.0.7-alpha.
|
|
- Fix a minor memory leak whenever a controller sends the PROTOCOLINFO
|
|
command. Bugfix on 0.2.0.5-alpha.
|
|
|
|
o Minor bugfixes (portability):
|
|
- On some platforms, accept() can return a broken address. Detect
|
|
this more quietly, and deal accordingly. Fixes bug 483.
|
|
- Stop calling tor_strlower() on uninitialized memory in some cases.
|
|
Bugfix in 0.2.0.7-alpha.
|
|
|
|
o Minor bugfixes (usability):
|
|
- Treat some 403 responses from directory servers as INFO rather than
|
|
WARN-severity events.
|
|
- It's not actually an error to find a non-pending entry in the DNS
|
|
cache when canceling a pending resolve. Don't log unless stuff is
|
|
fishy. Resolves bug 463.
|
|
|
|
o Minor bugfixes (anonymity):
|
|
- Never report that we've used more bandwidth than we're willing to
|
|
relay: it leaks how much non-relay traffic we're using. Resolves
|
|
bug 516.
|
|
- When looking for a circuit to cannibalize, consider family as well
|
|
as identity. Fixes bug 438. Bugfix on 0.1.0.x (which introduced
|
|
circuit cannibalization).
|
|
|
|
o Code simplifications and refactoring:
|
|
- Make a bunch of functions static. Remove some dead code.
|
|
- Pull out about a third of the really big routerlist.c; put it in a
|
|
new module, networkstatus.c.
|
|
- Merge the extra fields in local_routerstatus_t back into
|
|
routerstatus_t: we used to need one routerstatus_t for each
|
|
authority's opinion, plus a local_routerstatus_t for the locally
|
|
computed consensus opinion. To save space, we put the locally
|
|
modified fields into local_routerstatus_t, and only the common
|
|
stuff into routerstatus_t. But once v3 directories are in use,
|
|
clients and caches will no longer need to hold authority opinions;
|
|
thus, the rationale for keeping the types separate is now gone.
|
|
- Make the code used to reschedule and reattempt downloads more
|
|
uniform.
|
|
- Turn all 'Are we a directory server/mirror?' logic into a call to
|
|
dirserver_mode().
|
|
- Remove the code to generate the oldest (v1) directory format.
|
|
The code has been disabled since 0.2.0.5-alpha.
|
|
|
|
|
|
Changes in version 0.2.0.7-alpha - 2007-09-21
|
|
This seventh development snapshot makes bridges work again, makes bridge
|
|
authorities work for the first time, fixes two huge performance flaws
|
|
in hidden services, and fixes a variety of minor issues.
|
|
|
|
o New directory authorities:
|
|
- Set up moria1 and tor26 as the first v3 directory authorities. See
|
|
doc/spec/dir-spec.txt for details on the new directory design.
|
|
|
|
o Major bugfixes (crashes):
|
|
- Fix possible segfaults in functions called from
|
|
rend_process_relay_cell(). Bugfix on 0.1.2.x.
|
|
|
|
o Major bugfixes (bridges):
|
|
- Fix a bug that made servers send a "404 Not found" in response to
|
|
attempts to fetch their server descriptor. This caused Tor servers
|
|
to take many minutes to establish reachability for their DirPort,
|
|
and it totally crippled bridges. Bugfix on 0.2.0.5-alpha.
|
|
- Make "UpdateBridgesFromAuthority" torrc option work: when bridge
|
|
users configure that and specify a bridge with an identity
|
|
fingerprint, now they will lookup the bridge descriptor at the
|
|
default bridge authority via a one-hop tunnel, but once circuits
|
|
are established they will switch to a three-hop tunnel for later
|
|
connections to the bridge authority. Bugfix in 0.2.0.3-alpha.
|
|
|
|
o Major bugfixes (hidden services):
|
|
- Hidden services were choosing introduction points uniquely by
|
|
hexdigest, but when constructing the hidden service descriptor
|
|
they merely wrote the (potentially ambiguous) nickname.
|
|
- Clients now use the v2 intro format for hidden service
|
|
connections: they specify their chosen rendezvous point by identity
|
|
digest rather than by (potentially ambiguous) nickname. Both
|
|
are bugfixes on 0.1.2.x, and they could speed up hidden service
|
|
connections dramatically. Thanks to Karsten Loesing.
|
|
|
|
o Minor features (security):
|
|
- As a client, do not believe any server that tells us that an
|
|
address maps to an internal address space.
|
|
- Make it possible to enable HashedControlPassword and
|
|
CookieAuthentication at the same time.
|
|
|
|
o Minor features (guard nodes):
|
|
- Tag every guard node in our state file with the version that
|
|
we believe added it, or with our own version if we add it. This way,
|
|
if a user temporarily runs an old version of Tor and then switches
|
|
back to a new one, she doesn't automatically lose her guards.
|
|
|
|
o Minor features (speed):
|
|
- When implementing AES counter mode, update only the portions of the
|
|
counter buffer that need to change, and don't keep separate
|
|
network-order and host-order counters when they are the same (i.e.,
|
|
on big-endian hosts.)
|
|
|
|
o Minor features (controller):
|
|
- Accept LF instead of CRLF on controller, since some software has a
|
|
hard time generating real Internet newlines.
|
|
- Add GETINFO values for the server status events
|
|
"REACHABILITY_SUCCEEDED" and "GOOD_SERVER_DESCRIPTOR". Patch from
|
|
Robert Hogan.
|
|
|
|
o Removed features:
|
|
- Routers no longer include bandwidth-history lines in their
|
|
descriptors; this information is already available in extra-info
|
|
documents, and including it in router descriptors took up 60%
|
|
(!) of compressed router descriptor downloads. Completes
|
|
implementation of proposal 104.
|
|
- Remove the contrib scripts ExerciseServer.py, PathDemo.py,
|
|
and TorControl.py, as they use the old v0 controller protocol,
|
|
and are obsoleted by TorFlow anyway.
|
|
- Drop support for v1 rendezvous descriptors, since we never used
|
|
them anyway, and the code has probably rotted by now. Based on
|
|
patch from Karsten Loesing.
|
|
- On OSX, stop warning the user that kqueue support in libevent is
|
|
"experimental", since it seems to have worked fine for ages.
|
|
|
|
o Minor bugfixes:
|
|
- When generating information telling us how to extend to a given
|
|
router, do not try to include the nickname if it is absent. Fixes
|
|
bug 467. Bugfix on 0.2.0.3-alpha.
|
|
- Fix a user-triggerable (but not remotely-triggerable) segfault
|
|
in expand_filename(). Bugfix on 0.1.2.x.
|
|
- Fix a memory leak when freeing incomplete requests from DNSPort.
|
|
Found by Niels Provos with valgrind. Bugfix on 0.2.0.1-alpha.
|
|
- Don't try to access (or alter) the state file when running
|
|
--list-fingerprint or --verify-config or --hash-password. (Resolves
|
|
bug 499.) Bugfix on 0.1.2.x.
|
|
- Servers used to decline to publish their DirPort if their
|
|
BandwidthRate, RelayBandwidthRate, or MaxAdvertisedBandwidth
|
|
were below a threshold. Now they only look at BandwidthRate and
|
|
RelayBandwidthRate. Bugfix on 0.1.2.x.
|
|
- Remove an optimization in the AES counter-mode code that assumed
|
|
that the counter never exceeded 2^68. When the counter can be set
|
|
arbitrarily as an IV (as it is by Karsten's new hidden services
|
|
code), this assumption no longer holds. Bugfix on 0.1.2.x.
|
|
- Resume listing "AUTHORITY" flag for authorities in network status.
|
|
Bugfix on 0.2.0.3-alpha; reported by Alex de Joode.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Revamp file-writing logic so we don't need to have the entire
|
|
contents of a file in memory at once before we write to disk. Tor,
|
|
meet stdio.
|
|
- Turn "descriptor store" into a full-fledged type.
|
|
- Move all NT services code into a separate source file.
|
|
- Unify all code that computes medians, percentile elements, etc.
|
|
- Get rid of a needless malloc when parsing address policies.
|
|
|
|
|
|
Changes in version 0.1.2.17 - 2007-08-30
|
|
Tor 0.1.2.17 features a new Vidalia version in the Windows and OS
|
|
X bundles. Vidalia 0.0.14 makes authentication required for the
|
|
ControlPort in the default configuration, which addresses important
|
|
security risks. Everybody who uses Vidalia (or another controller)
|
|
should upgrade.
|
|
|
|
In addition, this Tor update fixes major load balancing problems with
|
|
path selection, which should speed things up a lot once many people
|
|
have upgraded.
|
|
|
|
o Major bugfixes (security):
|
|
- We removed support for the old (v0) control protocol. It has been
|
|
deprecated since Tor 0.1.1.1-alpha, and keeping it secure has
|
|
become more of a headache than it's worth.
|
|
|
|
o Major bugfixes (load balancing):
|
|
- When choosing nodes for non-guard positions, weight guards
|
|
proportionally less, since they already have enough load. Patch
|
|
from Mike Perry.
|
|
- Raise the "max believable bandwidth" from 1.5MB/s to 10MB/s. This
|
|
will allow fast Tor servers to get more attention.
|
|
- When we're upgrading from an old Tor version, forget our current
|
|
guards and pick new ones according to the new weightings. These
|
|
three load balancing patches could raise effective network capacity
|
|
by a factor of four. Thanks to Mike Perry for measurements.
|
|
|
|
o Major bugfixes (stream expiration):
|
|
- Expire not-yet-successful application streams in all cases if
|
|
they've been around longer than SocksTimeout. Right now there are
|
|
some cases where the stream will live forever, demanding a new
|
|
circuit every 15 seconds. Fixes bug 454; reported by lodger.
|
|
|
|
o Minor features (controller):
|
|
- Add a PROTOCOLINFO controller command. Like AUTHENTICATE, it
|
|
is valid before any authentication has been received. It tells
|
|
a controller what kind of authentication is expected, and what
|
|
protocol is spoken. Implements proposal 119.
|
|
|
|
o Minor bugfixes (performance):
|
|
- Save on most routerlist_assert_ok() calls in routerlist.c, thus
|
|
greatly speeding up loading cached-routers from disk on startup.
|
|
- Disable sentinel-based debugging for buffer code: we squashed all
|
|
the bugs that this was supposed to detect a long time ago, and now
|
|
its only effect is to change our buffer sizes from nice powers of
|
|
two (which platform mallocs tend to like) to values slightly over
|
|
powers of two (which make some platform mallocs sad).
|
|
|
|
o Minor bugfixes (misc):
|
|
- If exit bandwidth ever exceeds one third of total bandwidth, then
|
|
use the correct formula to weight exit nodes when choosing paths.
|
|
Based on patch from Mike Perry.
|
|
- Choose perfectly fairly among routers when choosing by bandwidth and
|
|
weighting by fraction of bandwidth provided by exits. Previously, we
|
|
would choose with only approximate fairness, and correct ourselves
|
|
if we ran off the end of the list.
|
|
- If we require CookieAuthentication but we fail to write the
|
|
cookie file, we would warn but not exit, and end up in a state
|
|
where no controller could authenticate. Now we exit.
|
|
- If we require CookieAuthentication, stop generating a new cookie
|
|
every time we change any piece of our config.
|
|
- Refuse to start with certain directory authority keys, and
|
|
encourage people using them to stop.
|
|
- Terminate multi-line control events properly. Original patch
|
|
from tup.
|
|
- Fix a minor memory leak when we fail to find enough suitable
|
|
servers to choose a circuit.
|
|
- Stop leaking part of the descriptor when we run into a particularly
|
|
unparseable piece of it.
|
|
|
|
|
|
Changes in version 0.2.0.6-alpha - 2007-08-26
|
|
This sixth development snapshot features a new Vidalia version in the
|
|
Windows and OS X bundles. Vidalia 0.0.14 makes authentication required for
|
|
the ControlPort in the default configuration, which addresses important
|
|
security risks.
|
|
|
|
In addition, this snapshot fixes major load balancing problems
|
|
with path selection, which should speed things up a lot once many
|
|
people have upgraded. The directory authorities also use a new
|
|
mean-time-between-failure approach to tracking which servers are stable,
|
|
rather than just looking at the most recent uptime.
|
|
|
|
o New directory authorities:
|
|
- Set up Tonga as the default bridge directory authority.
|
|
|
|
o Major features:
|
|
- Directory authorities now track servers by weighted
|
|
mean-times-between-failures. When we have 4 or more days of data,
|
|
use measured MTBF rather than declared uptime to decide whether
|
|
to call a router Stable. Implements proposal 108.
|
|
|
|
o Major bugfixes (load balancing):
|
|
- When choosing nodes for non-guard positions, weight guards
|
|
proportionally less, since they already have enough load. Patch
|
|
from Mike Perry.
|
|
- Raise the "max believable bandwidth" from 1.5MB/s to 10MB/s. This
|
|
will allow fast Tor servers to get more attention.
|
|
- When we're upgrading from an old Tor version, forget our current
|
|
guards and pick new ones according to the new weightings. These
|
|
three load balancing patches could raise effective network capacity
|
|
by a factor of four. Thanks to Mike Perry for measurements.
|
|
|
|
o Major bugfixes (descriptor parsing):
|
|
- Handle unexpected whitespace better in malformed descriptors. Bug
|
|
found using Benedikt Boss's new Tor fuzzer! Bugfix on 0.2.0.x.
|
|
|
|
o Minor features:
|
|
- There is now an ugly, temporary "desc/all-recent-extrainfo-hack"
|
|
GETINFO for Torstat to use until it can switch to using extrainfos.
|
|
- Optionally (if built with -DEXPORTMALLINFO) export the output
|
|
of mallinfo via http, as tor/mallinfo.txt. Only accessible
|
|
from localhost.
|
|
|
|
o Minor bugfixes:
|
|
- Do not intermix bridge routers with controller-added
|
|
routers. (Bugfix on 0.2.0.x)
|
|
- Do not fail with an assert when accept() returns an unexpected
|
|
address family. Addresses but does not wholly fix bug 483. (Bugfix
|
|
on 0.2.0.x)
|
|
- Let directory authorities startup even when they can't generate
|
|
a descriptor immediately, e.g. because they don't know their
|
|
address.
|
|
- Stop putting the authentication cookie in a file called "0"
|
|
in your working directory if you don't specify anything for the
|
|
new CookieAuthFile option. Reported by Matt Edman.
|
|
- Make it possible to read the PROTOCOLINFO response in a way that
|
|
conforms to our control-spec. Reported by Matt Edman.
|
|
- Fix a minor memory leak when we fail to find enough suitable
|
|
servers to choose a circuit. Bugfix on 0.1.2.x.
|
|
- Stop leaking part of the descriptor when we run into a particularly
|
|
unparseable piece of it. Bugfix on 0.1.2.x.
|
|
- Unmap the extrainfo cache file on exit.
|
|
|
|
|
|
Changes in version 0.2.0.5-alpha - 2007-08-19
|
|
This fifth development snapshot fixes compilation on Windows again;
|
|
fixes an obnoxious client-side bug that slowed things down and put
|
|
extra load on the network; gets us closer to using the v3 directory
|
|
voting scheme; makes it easier for Tor controllers to use cookie-based
|
|
authentication; and fixes a variety of other bugs.
|
|
|
|
o Removed features:
|
|
- Version 1 directories are no longer generated in full. Instead,
|
|
authorities generate and serve "stub" v1 directories that list
|
|
no servers. This will stop Tor versions 0.1.0.x and earlier from
|
|
working, but (for security reasons) nobody should be running those
|
|
versions anyway.
|
|
|
|
o Major bugfixes (compilation, 0.2.0.x):
|
|
- Try to fix Win32 compilation again: improve checking for IPv6 types.
|
|
- Try to fix MSVC compilation: build correctly on platforms that do
|
|
not define s6_addr16 or s6_addr32.
|
|
- Fix compile on platforms without getaddrinfo: bug found by Li-Hui
|
|
Zhou.
|
|
|
|
o Major bugfixes (stream expiration):
|
|
- Expire not-yet-successful application streams in all cases if
|
|
they've been around longer than SocksTimeout. Right now there are
|
|
some cases where the stream will live forever, demanding a new
|
|
circuit every 15 seconds. Bugfix on 0.1.2.7-alpha; fixes bug 454;
|
|
reported by lodger.
|
|
|
|
o Minor features (directory servers):
|
|
- When somebody requests a list of statuses or servers, and we have
|
|
none of those, return a 404 rather than an empty 200.
|
|
|
|
o Minor features (directory voting):
|
|
- Store v3 consensus status consensuses on disk, and reload them
|
|
on startup.
|
|
|
|
o Minor features (security):
|
|
- Warn about unsafe ControlPort configurations.
|
|
- Refuse to start with certain directory authority keys, and
|
|
encourage people using them to stop.
|
|
|
|
o Minor features (controller):
|
|
- Add a PROTOCOLINFO controller command. Like AUTHENTICATE, it
|
|
is valid before any authentication has been received. It tells
|
|
a controller what kind of authentication is expected, and what
|
|
protocol is spoken. Implements proposal 119.
|
|
- New config option CookieAuthFile to choose a new location for the
|
|
cookie authentication file, and config option
|
|
CookieAuthFileGroupReadable to make it group-readable.
|
|
|
|
o Minor features (unit testing):
|
|
- Add command-line arguments to unit-test executable so that we can
|
|
invoke any chosen test from the command line rather than having
|
|
to run the whole test suite at once; and so that we can turn on
|
|
logging for the unit tests.
|
|
|
|
o Minor bugfixes (on 0.1.2.x):
|
|
- If we require CookieAuthentication but we fail to write the
|
|
cookie file, we would warn but not exit, and end up in a state
|
|
where no controller could authenticate. Now we exit.
|
|
- If we require CookieAuthentication, stop generating a new cookie
|
|
every time we change any piece of our config.
|
|
- When loading bandwidth history, do not believe any information in
|
|
the future. Fixes bug 434.
|
|
- When loading entry guard information, do not believe any information
|
|
in the future.
|
|
- When we have our clock set far in the future and generate an
|
|
onion key, then re-set our clock to be correct, we should not stop
|
|
the onion key from getting rotated.
|
|
- Clean up torrc sample config file.
|
|
- Do not automatically run configure from autogen.sh. This
|
|
non-standard behavior tended to annoy people who have built other
|
|
programs.
|
|
|
|
o Minor bugfixes (on 0.2.0.x):
|
|
- Fix a bug with AutomapHostsOnResolve that would always cause
|
|
the second request to fail. Bug reported by Kate. Bugfix on
|
|
0.2.0.3-alpha.
|
|
- Fix a bug in ADDRMAP controller replies that would sometimes
|
|
try to print a NULL. Patch from tup.
|
|
- Read v3 directory authority keys from the right location.
|
|
- Numerous bugfixes to directory voting code.
|
|
|
|
|
|
Changes in version 0.1.2.16 - 2007-08-01
|
|
Tor 0.1.2.16 fixes a critical security vulnerability that allows a
|
|
remote attacker in certain situations to rewrite the user's torrc
|
|
configuration file. This can completely compromise anonymity of users
|
|
in most configurations, including those running the Vidalia bundles,
|
|
TorK, etc. Or worse.
|
|
|
|
o Major security fixes:
|
|
- Close immediately after missing authentication on control port;
|
|
do not allow multiple authentication attempts.
|
|
|
|
|
|
Changes in version 0.2.0.4-alpha - 2007-08-01
|
|
This fourth development snapshot fixes a critical security vulnerability
|
|
for most users, specifically those running Vidalia, TorK, etc. Everybody
|
|
should upgrade to either 0.1.2.16 or 0.2.0.4-alpha.
|
|
|
|
o Major security fixes:
|
|
- Close immediately after missing authentication on control port;
|
|
do not allow multiple authentication attempts.
|
|
|
|
o Major bugfixes (compilation):
|
|
- Fix win32 compilation: apparently IN_ADDR and IN6_ADDR are already
|
|
defined there.
|
|
|
|
o Minor features (performance):
|
|
- Be even more aggressive about releasing RAM from small
|
|
empty buffers. Thanks to our free-list code, this shouldn't be too
|
|
performance-intensive.
|
|
- Disable sentinel-based debugging for buffer code: we squashed all
|
|
the bugs that this was supposed to detect a long time ago, and
|
|
now its only effect is to change our buffer sizes from nice
|
|
powers of two (which platform mallocs tend to like) to values
|
|
slightly over powers of two (which make some platform mallocs sad).
|
|
- Log malloc statistics from mallinfo() on platforms where it
|
|
exists.
|
|
|
|
|
|
Changes in version 0.2.0.3-alpha - 2007-07-29
|
|
This third development snapshot introduces new experimental
|
|
blocking-resistance features and a preliminary version of the v3
|
|
directory voting design, and includes many other smaller features
|
|
and bugfixes.
|
|
|
|
o Major features:
|
|
- The first pieces of our "bridge" design for blocking-resistance
|
|
are implemented. People can run bridge directory authorities;
|
|
people can run bridges; and people can configure their Tor clients
|
|
with a set of bridges to use as the first hop into the Tor network.
|
|
See http://archives.seul.org/or/talk/Jul-2007/msg00249.html for
|
|
details.
|
|
- Create listener connections before we setuid to the configured
|
|
User and Group. Now non-Windows users can choose port values
|
|
under 1024, start Tor as root, and have Tor bind those ports
|
|
before it changes to another UID. (Windows users could already
|
|
pick these ports.)
|
|
- Added a new ConstrainedSockets config option to set SO_SNDBUF and
|
|
SO_RCVBUF on TCP sockets. Hopefully useful for Tor servers running
|
|
on "vserver" accounts. (Patch from coderman.)
|
|
- Be even more aggressive about separating local traffic from relayed
|
|
traffic when RelayBandwidthRate is set. (Refines proposal 111.)
|
|
|
|
o Major features (experimental):
|
|
- First cut of code for "v3 dir voting": directory authorities will
|
|
vote on a common network status document rather than each publishing
|
|
their own opinion. This code needs more testing and more corner-case
|
|
handling before it's ready for use.
|
|
|
|
o Security fixes:
|
|
- Directory authorities now call routers Fast if their bandwidth is
|
|
at least 100KB/s, and consider their bandwidth adequate to be a
|
|
Guard if it is at least 250KB/s, no matter the medians. This fix
|
|
complements proposal 107. [Bugfix on 0.1.2.x]
|
|
- Directory authorities now never mark more than 3 servers per IP as
|
|
Valid and Running. (Implements proposal 109, by Kevin Bauer and
|
|
Damon McCoy.)
|
|
- Minor change to organizationName and commonName generation
|
|
procedures in TLS certificates during Tor handshakes, to invalidate
|
|
some earlier censorware approaches. This is not a long-term
|
|
solution, but applying it will give us a bit of time to look into
|
|
the epidemiology of countermeasures as they spread.
|
|
|
|
o Major bugfixes (directory):
|
|
- Rewrite directory tokenization code to never run off the end of
|
|
a string. Fixes bug 455. Patch from croup. [Bugfix on 0.1.2.x]
|
|
|
|
o Minor features (controller):
|
|
- Add a SOURCE_ADDR field to STREAM NEW events so that controllers can
|
|
match requests to applications. (Patch from Robert Hogan.)
|
|
- Report address and port correctly on connections to DNSPort. (Patch
|
|
from Robert Hogan.)
|
|
- Add a RESOLVE command to launch hostname lookups. (Original patch
|
|
from Robert Hogan.)
|
|
- Add GETINFO status/enough-dir-info to let controllers tell whether
|
|
Tor has downloaded sufficient directory information. (Patch
|
|
from Tup.)
|
|
- You can now use the ControlSocket option to tell Tor to listen for
|
|
controller connections on Unix domain sockets on systems that
|
|
support them. (Patch from Peter Palfrader.)
|
|
- STREAM NEW events are generated for DNSPort requests and for
|
|
tunneled directory connections. (Patch from Robert Hogan.)
|
|
- New "GETINFO address-mappings/*" command to get address mappings
|
|
with expiry information. "addr-mappings/*" is now deprecated.
|
|
(Patch from Tup.)
|
|
|
|
o Minor features (misc):
|
|
- Merge in some (as-yet-unused) IPv6 address manipulation code. (Patch
|
|
from croup.)
|
|
- The tor-gencert tool for v3 directory authorities now creates all
|
|
files as readable to the file creator only, and write-protects
|
|
the authority identity key.
|
|
- When dumping memory usage, list bytes used in buffer memory
|
|
free-lists.
|
|
- When running with dmalloc, dump more stats on hup and on exit.
|
|
- Directory authorities now fail quickly and (relatively) harmlessly
|
|
if they generate a network status document that is somehow
|
|
malformed.
|
|
|
|
o Traffic load balancing improvements:
|
|
- If exit bandwidth ever exceeds one third of total bandwidth, then
|
|
use the correct formula to weight exit nodes when choosing paths.
|
|
(Based on patch from Mike Perry.)
|
|
- Choose perfectly fairly among routers when choosing by bandwidth and
|
|
weighting by fraction of bandwidth provided by exits. Previously, we
|
|
would choose with only approximate fairness, and correct ourselves
|
|
if we ran off the end of the list. [Bugfix on 0.1.2.x]
|
|
|
|
o Performance improvements:
|
|
- Be more aggressive with freeing buffer RAM or putting it on the
|
|
memory free lists.
|
|
- Use Critical Sections rather than Mutexes for synchronizing threads
|
|
on win32; Mutexes are heavier-weight, and designed for synchronizing
|
|
between processes.
|
|
|
|
o Deprecated and removed features:
|
|
- RedirectExits is now deprecated.
|
|
- Stop allowing address masks that do not correspond to bit prefixes.
|
|
We have warned about these for a really long time; now it's time
|
|
to reject them. (Patch from croup.)
|
|
|
|
o Minor bugfixes (directory):
|
|
- Fix another crash bug related to extra-info caching. (Bug found by
|
|
Peter Palfrader.) [Bugfix on 0.2.0.2-alpha]
|
|
- Directories no longer return a "304 not modified" when they don't
|
|
have the networkstatus the client asked for. Also fix a memory
|
|
leak when returning 304 not modified. [Bugfixes on 0.2.0.2-alpha]
|
|
- We had accidentally labelled 0.1.2.x directory servers as not
|
|
suitable for begin_dir requests, and had labelled no directory
|
|
servers as suitable for uploading extra-info documents. [Bugfix
|
|
on 0.2.0.1-alpha]
|
|
|
|
o Minor bugfixes (dns):
|
|
- Fix a crash when DNSPort is set more than once. (Patch from Robert
|
|
Hogan.) [Bugfix on 0.2.0.2-alpha]
|
|
- Add DNSPort connections to the global connection list, so that we
|
|
can time them out correctly. (Bug found by Robert Hogan.) [Bugfix
|
|
on 0.2.0.2-alpha]
|
|
- Fix a dangling reference that could lead to a crash when DNSPort is
|
|
changed or closed (Patch from Robert Hogan.) [Bugfix on
|
|
0.2.0.2-alpha]
|
|
|
|
o Minor bugfixes (controller):
|
|
- Provide DNS expiry times in GMT, not in local time. For backward
|
|
compatibility, ADDRMAP events only provide GMT expiry in an extended
|
|
field. "GETINFO address-mappings" always does the right thing.
|
|
- Use CRLF line endings properly in NS events.
|
|
- Terminate multi-line control events properly. (Original patch
|
|
from tup.) [Bugfix on 0.1.2.x-alpha]
|
|
- Do not include spaces in SOURCE_ADDR fields in STREAM
|
|
events. Resolves bug 472. [Bugfix on 0.2.0.x-alpha]
|
|
|
|
|
|
Changes in version 0.1.2.15 - 2007-07-17
|
|
Tor 0.1.2.15 fixes several crash bugs, fixes some anonymity-related
|
|
problems, fixes compilation on BSD, and fixes a variety of other
|
|
bugs. Everybody should upgrade.
|
|
|
|
o Major bugfixes (compilation):
|
|
- Fix compile on FreeBSD/NetBSD/OpenBSD. Oops.
|
|
|
|
o Major bugfixes (crashes):
|
|
- Try even harder not to dereference the first character after
|
|
an mmap(). Reported by lodger.
|
|
- Fix a crash bug in directory authorities when we re-number the
|
|
routerlist while inserting a new router.
|
|
- When the cached-routers file is an even multiple of the page size,
|
|
don't run off the end and crash. (Fixes bug 455; based on idea
|
|
from croup.)
|
|
- Fix eventdns.c behavior on Solaris: It is critical to include
|
|
orconfig.h _before_ sys/types.h, so that we can get the expected
|
|
definition of _FILE_OFFSET_BITS.
|
|
|
|
o Major bugfixes (security):
|
|
- Fix a possible buffer overrun when using BSD natd support. Bug
|
|
found by croup.
|
|
- When sending destroy cells from a circuit's origin, don't include
|
|
the reason for tearing down the circuit. The spec says we didn't,
|
|
and now we actually don't. Reported by lodger.
|
|
- Keep streamids from different exits on a circuit separate. This
|
|
bug may have allowed other routers on a given circuit to inject
|
|
cells into streams. Reported by lodger; fixes bug 446.
|
|
- If there's a never-before-connected-to guard node in our list,
|
|
never choose any guards past it. This way we don't expand our
|
|
guard list unless we need to.
|
|
|
|
o Minor bugfixes (guard nodes):
|
|
- Weight guard selection by bandwidth, so that low-bandwidth nodes
|
|
don't get overused as guards.
|
|
|
|
o Minor bugfixes (directory):
|
|
- Correctly count the number of authorities that recommend each
|
|
version. Previously, we were under-counting by 1.
|
|
- Fix a potential crash bug when we load many server descriptors at
|
|
once and some of them make others of them obsolete. Fixes bug 458.
|
|
|
|
o Minor bugfixes (hidden services):
|
|
- Stop tearing down the whole circuit when the user asks for a
|
|
connection to a port that the hidden service didn't configure.
|
|
Resolves bug 444.
|
|
|
|
o Minor bugfixes (misc):
|
|
- On Windows, we were preventing other processes from reading
|
|
cached-routers while Tor was running. Reported by janbar.
|
|
- Fix a possible (but very unlikely) bug in picking routers by
|
|
bandwidth. Add a log message to confirm that it is in fact
|
|
unlikely. Patch from lodger.
|
|
- Backport a couple of memory leak fixes.
|
|
- Backport miscellaneous cosmetic bugfixes.
|
|
|
|
|
|
Changes in version 0.2.0.2-alpha - 2007-06-02
|
|
o Major bugfixes on 0.2.0.1-alpha:
|
|
- Fix an assertion failure related to servers without extra-info digests.
|
|
Resolves bugs 441 and 442.
|
|
|
|
o Minor features (directory):
|
|
- Support "If-Modified-Since" when answering HTTP requests for
|
|
directories, running-routers documents, and network-status documents.
|
|
(There's no need to support it for router descriptors, since those
|
|
are downloaded by descriptor digest.)
|
|
|
|
o Minor build issues:
|
|
- Clear up some MIPSPro compiler warnings.
|
|
- When building from a tarball on a machine that happens to have SVK
|
|
installed, report the micro-revision as whatever version existed
|
|
in the tarball, not as "x".
|
|
|
|
|
|
Changes in version 0.2.0.1-alpha - 2007-06-01
|
|
This early development snapshot provides new features for people running
|
|
Tor as both a client and a server (check out the new RelayBandwidth
|
|
config options); lets Tor run as a DNS proxy; and generally moves us
|
|
forward on a lot of fronts.
|
|
|
|
o Major features, server usability:
|
|
- New config options RelayBandwidthRate and RelayBandwidthBurst:
|
|
a separate set of token buckets for relayed traffic. Right now
|
|
relayed traffic is defined as answers to directory requests, and
|
|
OR connections that don't have any local circuits on them.
|
|
|
|
o Major features, client usability:
|
|
- A client-side DNS proxy feature to replace the need for
|
|
dns-proxy-tor: Just set "DNSPort 9999", and Tor will now listen
|
|
for DNS requests on port 9999, use the Tor network to resolve them
|
|
anonymously, and send the reply back like a regular DNS server.
|
|
The code still only implements a subset of DNS.
|
|
- Make PreferTunneledDirConns and TunnelDirConns work even when
|
|
we have no cached directory info. This means Tor clients can now
|
|
do all of their connections protected by TLS.
|
|
|
|
o Major features, performance and efficiency:
|
|
- Directory authorities accept and serve "extra info" documents for
|
|
routers. These documents contain fields from router descriptors
|
|
that aren't usually needed, and that use a lot of excess
|
|
bandwidth. Once these fields are removed from router descriptors,
|
|
the bandwidth savings should be about 60%. [Partially implements
|
|
proposal 104.]
|
|
- Servers upload extra-info documents to any authority that accepts
|
|
them. Authorities (and caches that have been configured to download
|
|
extra-info documents) download them as needed. [Partially implements
|
|
proposal 104.]
|
|
- Change the way that Tor buffers data that it is waiting to write.
|
|
Instead of queueing data cells in an enormous ring buffer for each
|
|
client->OR or OR->OR connection, we now queue cells on a separate
|
|
queue for each circuit. This lets us use less slack memory, and
|
|
will eventually let us be smarter about prioritizing different kinds
|
|
of traffic.
|
|
- Use memory pools to allocate cells with better speed and memory
|
|
efficiency, especially on platforms where malloc() is inefficient.
|
|
- Stop reading on edge connections when their corresponding circuit
|
|
buffers are full; start again as the circuits empty out.
|
|
|
|
o Major features, other:
|
|
- Add an HSAuthorityRecordStats option that hidden service authorities
|
|
can use to track statistics of overall hidden service usage without
|
|
logging information that would be very useful to an attacker.
|
|
- Start work implementing multi-level keys for directory authorities:
|
|
Add a standalone tool to generate key certificates. (Proposal 103.)
|
|
|
|
o Security fixes:
|
|
- Directory authorities now call routers Stable if they have an
|
|
uptime of at least 30 days, even if that's not the median uptime
|
|
in the network. Implements proposal 107, suggested by Kevin Bauer
|
|
and Damon McCoy.
|
|
|
|
o Minor fixes (resource management):
|
|
- Count the number of open sockets separately from the number
|
|
of active connection_t objects. This will let us avoid underusing
|
|
our allocated connection limit.
|
|
- We no longer use socket pairs to link an edge connection to an
|
|
anonymous directory connection or a DirPort test connection.
|
|
Instead, we track the link internally and transfer the data
|
|
in-process. This saves two sockets per "linked" connection (at the
|
|
client and at the server), and avoids the nasty Windows socketpair()
|
|
workaround.
|
|
- Keep unused 4k and 16k buffers on free lists, rather than wasting 8k
|
|
for every single inactive connection_t. Free items from the
|
|
4k/16k-buffer free lists when they haven't been used for a while.
|
|
|
|
o Minor features (build):
|
|
- Make autoconf search for libevent, openssl, and zlib consistently.
|
|
- Update deprecated macros in configure.in.
|
|
- When warning about missing headers, tell the user to let us
|
|
know if the compile succeeds anyway, so we can downgrade the
|
|
warning.
|
|
- Include the current subversion revision as part of the version
|
|
string: either fetch it directly if we're in an SVN checkout, do
|
|
some magic to guess it if we're in an SVK checkout, or use
|
|
the last-detected version if we're building from a .tar.gz.
|
|
Use this version consistently in log messages.
|
|
|
|
o Minor features (logging):
|
|
- Always prepend "Bug: " to any log message about a bug.
|
|
- Put a platform string (e.g. "Linux i686") in the startup log
|
|
message, so when people paste just their logs, we know if it's
|
|
OpenBSD or Windows or what.
|
|
- When logging memory usage, break down memory used in buffers by
|
|
buffer type.
|
|
|
|
o Minor features (directory system):
|
|
- New config option V2AuthoritativeDirectory that all directory
|
|
authorities should set. This will let future authorities choose
|
|
not to serve V2 directory information.
|
|
- Directory authorities allow multiple router descriptors and/or extra
|
|
info documents to be uploaded in a single go. This will make
|
|
implementing proposal 104 simpler.
|
|
|
|
o Minor features (controller):
|
|
- Add a new config option __DisablePredictedCircuits designed for
|
|
use by the controller, when we don't want Tor to build any circuits
|
|
preemptively.
|
|
- Let the controller specify HOP=%d as an argument to ATTACHSTREAM,
|
|
so we can exit from the middle of the circuit.
|
|
- Implement "getinfo status/circuit-established".
|
|
- Implement "getinfo status/version/..." so a controller can tell
|
|
whether the current version is recommended, and whether any versions
|
|
are good, and how many authorities agree. (Patch from shibz.)
|
|
|
|
o Minor features (hidden services):
|
|
- Allow multiple HiddenServicePort directives with the same virtual
|
|
port; when they occur, the user is sent round-robin to one
|
|
of the target ports chosen at random. Partially fixes bug 393 by
|
|
adding limited ad-hoc round-robining.
|
|
|
|
o Minor features (other):
|
|
- More unit tests.
|
|
- Add a new AutomapHostsOnResolve option: when it is enabled, any
|
|
resolve request for hosts matching a given pattern causes Tor to
|
|
generate an internal virtual address mapping for that host. This
|
|
allows DNSPort to work sensibly with hidden service users. By
|
|
default, .exit and .onion addresses are remapped; the list of
|
|
patterns can be reconfigured with AutomapHostsSuffixes.
|
|
- Add an "-F" option to tor-resolve to force a resolve for a .onion
|
|
address. Thanks to the AutomapHostsOnResolve option, this is no
|
|
longer a completely silly thing to do.
|
|
- If Tor is invoked from something that isn't a shell (e.g. Vidalia),
|
|
now we expand "-f ~/.tor/torrc" correctly. Suggested by Matt Edman.
|
|
- Treat "2gb" when given in torrc for a bandwidth as meaning 2gb,
|
|
minus 1 byte: the actual maximum declared bandwidth.
|
|
|
|
o Removed features:
|
|
- Removed support for the old binary "version 0" controller protocol.
|
|
This has been deprecated since 0.1.1, and warnings have been issued
|
|
since 0.1.2. When we encounter a v0 control message, we now send
|
|
back an error and close the connection.
|
|
- Remove the old "dns worker" server DNS code: it hasn't been default
|
|
since 0.1.2.2-alpha, and all the servers seem to be using the new
|
|
eventdns code.
|
|
|
|
o Minor bugfixes (portability):
|
|
- Even though Windows is equally happy with / and \ as path separators,
|
|
try to use \ consistently on Windows and / consistently on Unix: it
|
|
makes the log messages nicer.
|
|
- Correctly report platform name on Windows 95 OSR2 and Windows 98 SE.
|
|
- Read resolv.conf files correctly on platforms where read() returns
|
|
partial results on small file reads.
|
|
|
|
o Minor bugfixes (directory):
|
|
- Correctly enforce that elements of directory objects do not appear
|
|
more often than they are allowed to appear.
|
|
- When we are reporting the DirServer line we just parsed, we were
|
|
logging the second stanza of the key fingerprint, not the first.
|
|
|
|
o Minor bugfixes (logging):
|
|
- When we hit an EOF on a log (probably because we're shutting down),
|
|
don't try to remove the log from the list: just mark it as
|
|
unusable. (Bulletproofs against bug 222.)
|
|
|
|
o Minor bugfixes (other):
|
|
- In the exitlist script, only consider the most recently published
|
|
server descriptor for each server. Also, when the user requests
|
|
a list of servers that _reject_ connections to a given address,
|
|
explicitly exclude the IPs that also have servers that accept
|
|
connections to that address. (Resolves bug 405.)
|
|
- Stop allowing hibernating servers to be "stable" or "fast".
|
|
- On Windows, we were preventing other processes from reading
|
|
cached-routers while Tor was running. (Reported by janbar)
|
|
- Make the NodeFamilies config option work. (Reported by
|
|
lodger -- it has never actually worked, even though we added it
|
|
in Oct 2004.)
|
|
- Check return values from pthread_mutex functions.
|
|
- Don't save non-general-purpose router descriptors to the disk cache,
|
|
because we have no way of remembering what their purpose was when
|
|
we restart.
|
|
- Add even more asserts to hunt down bug 417.
|
|
- Build without verbose warnings even on (not-yet-released) gcc 4.2.
|
|
- Fix a possible (but very unlikely) bug in picking routers by bandwidth.
|
|
Add a log message to confirm that it is in fact unlikely.
|
|
|
|
o Minor bugfixes (controller):
|
|
- Make 'getinfo fingerprint' return a 551 error if we're not a
|
|
server, so we match what the control spec claims we do. Reported
|
|
by daejees.
|
|
- Fix a typo in an error message when extendcircuit fails that
|
|
caused us to not follow the \r\n-based delimiter protocol. Reported
|
|
by daejees.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Stop passing around circuit_t and crypt_path_t pointers that are
|
|
implicit in other procedure arguments.
|
|
- Drop the old code to choke directory connections when the
|
|
corresponding OR connections got full: thanks to the cell queue
|
|
feature, OR conns don't get full any more.
|
|
- Make dns_resolve() handle attaching connections to circuits
|
|
properly, so the caller doesn't have to.
|
|
- Rename wants_to_read and wants_to_write to read/write_blocked_on_bw.
|
|
- Keep the connection array as a dynamic smartlist_t, rather than as
|
|
a fixed-sized array. This is important, as the number of connections
|
|
is becoming increasingly decoupled from the number of sockets.
|
|
|
|
|
|
Changes in version 0.1.2.14 - 2007-05-25
|
|
Tor 0.1.2.14 changes the addresses of two directory authorities (this
|
|
change especially affects those who serve or use hidden services),
|
|
and fixes several other crash- and security-related bugs.
|
|
|
|
o Directory authority changes:
|
|
- Two directory authorities (moria1 and moria2) just moved to new
|
|
IP addresses. This change will particularly affect those who serve
|
|
or use hidden services.
|
|
|
|
o Major bugfixes (crashes):
|
|
- If a directory server runs out of space in the connection table
|
|
as it's processing a begin_dir request, it will free the exit stream
|
|
but leave it attached to the circuit, leading to unpredictable
|
|
behavior. (Reported by seeess, fixes bug 425.)
|
|
- Fix a bug in dirserv_remove_invalid() that would cause authorities
|
|
to corrupt memory under some really unlikely scenarios.
|
|
- Tighten router parsing rules. (Bugs reported by Benedikt Boss.)
|
|
- Avoid segfaults when reading from mmaped descriptor file. (Reported
|
|
by lodger.)
|
|
|
|
o Major bugfixes (security):
|
|
- When choosing an entry guard for a circuit, avoid using guards
|
|
that are in the same family as the chosen exit -- not just guards
|
|
that are exactly the chosen exit. (Reported by lodger.)
|
|
|
|
o Major bugfixes (resource management):
|
|
- If a directory authority is down, skip it when deciding where to get
|
|
networkstatus objects or descriptors. Otherwise we keep asking
|
|
every 10 seconds forever. Fixes bug 384.
|
|
- Count it as a failure if we fetch a valid network-status but we
|
|
don't want to keep it. Otherwise we'll keep fetching it and keep
|
|
not wanting to keep it. Fixes part of bug 422.
|
|
- If all of our dirservers have given us bad or no networkstatuses
|
|
lately, then stop hammering them once per minute even when we
|
|
think they're failed. Fixes another part of bug 422.
|
|
|
|
o Minor bugfixes:
|
|
- Actually set the purpose correctly for descriptors inserted with
|
|
purpose=controller.
|
|
- When we have k non-v2 authorities in our DirServer config,
|
|
we ignored the last k authorities in the list when updating our
|
|
network-statuses.
|
|
- Correctly back-off from requesting router descriptors that we are
|
|
having a hard time downloading.
|
|
- Read resolv.conf files correctly on platforms where read() returns
|
|
partial results on small file reads.
|
|
- Don't rebuild the entire router store every time we get 32K of
|
|
routers: rebuild it when the journal gets very large, or when
|
|
the gaps in the store get very large.
|
|
|
|
o Minor features:
|
|
- When routers publish SVN revisions in their router descriptors,
|
|
authorities now include those versions correctly in networkstatus
|
|
documents.
|
|
- Warn when using a version of libevent before 1.3b to run a server on
|
|
OSX or BSD: these versions interact badly with userspace threads.
|
|
|
|
|
|
Changes in version 0.1.2.13 - 2007-04-24
|
|
This release features some major anonymity fixes, such as safer path
|
|
selection; better client performance; faster bootstrapping, better
|
|
address detection, and better DNS support for servers; write limiting as
|
|
well as read limiting to make servers easier to run; and a huge pile of
|
|
other features and bug fixes. The bundles also ship with Vidalia 0.0.11.
|
|
|
|
Tor 0.1.2.13 is released in memory of Rob Levin (1955-2006), aka lilo
|
|
of the Freenode IRC network, remembering his patience and vision for
|
|
free speech on the Internet.
|
|
|
|
o Minor fixes:
|
|
- Fix a memory leak when we ask for "all" networkstatuses and we
|
|
get one we don't recognize.
|
|
- Add more asserts to hunt down bug 417.
|
|
- Disable kqueue on OS X 10.3 and earlier, to fix bug 371.
|
|
|
|
|
|
Changes in version 0.1.2.12-rc - 2007-03-16
|
|
o Major bugfixes:
|
|
- Fix an infinite loop introduced in 0.1.2.7-alpha when we serve
|
|
directory information requested inside Tor connections (i.e. via
|
|
begin_dir cells). It only triggered when the same connection was
|
|
serving other data at the same time. Reported by seeess.
|
|
|
|
o Minor bugfixes:
|
|
- When creating a circuit via the controller, send a 'launched'
|
|
event when we're done, so we follow the spec better.
|
|
|
|
|
|
Changes in version 0.1.2.11-rc - 2007-03-15
|
|
o Minor bugfixes (controller), reported by daejees:
|
|
- Correct the control spec to match how the code actually responds
|
|
to 'getinfo addr-mappings/*'.
|
|
- The control spec described a GUARDS event, but the code
|
|
implemented a GUARD event. Standardize on GUARD, but let people
|
|
ask for GUARDS too.
|
|
|
|
|
|
Changes in version 0.1.2.10-rc - 2007-03-07
|
|
o Major bugfixes (Windows):
|
|
- Do not load the NT services library functions (which may not exist)
|
|
just to detect if we're a service trying to shut down. Now we run
|
|
on Win98 and friends again.
|
|
|
|
o Minor bugfixes (other):
|
|
- Clarify a couple of log messages.
|
|
- Fix a misleading socks5 error number.
|
|
|
|
|
|
Changes in version 0.1.2.9-rc - 2007-03-02
|
|
o Major bugfixes (Windows):
|
|
- On MinGW, use "%I64u" to printf/scanf 64-bit integers, instead
|
|
of the usual GCC "%llu". This prevents a bug when saving 64-bit
|
|
int configuration values: the high-order 32 bits would get
|
|
truncated. In particular, we were being bitten by the default
|
|
MaxAdvertisedBandwidth of 128 TB turning into 0. (Fixes bug 400
|
|
and maybe also bug 397.)
|
|
|
|
o Minor bugfixes (performance):
|
|
- Use OpenSSL's AES implementation on platforms where it's faster.
|
|
This could save us as much as 10% CPU usage.
|
|
|
|
o Minor bugfixes (server):
|
|
- Do not rotate onion key immediately after setting it for the first
|
|
time.
|
|
|
|
o Minor bugfixes (directory authorities):
|
|
- Stop calling servers that have been hibernating for a long time
|
|
"stable". Also, stop letting hibernating or obsolete servers affect
|
|
uptime and bandwidth cutoffs.
|
|
- Stop listing hibernating servers in the v1 directory.
|
|
|
|
o Minor bugfixes (hidden services):
|
|
- Upload hidden service descriptors slightly less often, to reduce
|
|
load on authorities.
|
|
|
|
o Minor bugfixes (other):
|
|
- Fix an assert that could trigger if a controller quickly set then
|
|
cleared EntryNodes. (Bug found by Udo van den Heuvel.)
|
|
- On architectures where sizeof(int)>4, still clamp declarable bandwidth
|
|
to INT32_MAX.
|
|
- Fix a potential race condition in the rpm installer. Found by
|
|
Stefan Nordhausen.
|
|
- Try to fix eventdns warnings once and for all: do not treat a dns rcode
|
|
of 2 as indicating that the server is completely bad; it sometimes
|
|
means that the server is just bad for the request in question. (may fix
|
|
the last of bug 326.)
|
|
- Disable encrypted directory connections when we don't have a server
|
|
descriptor for the destination. We'll get this working again in
|
|
the 0.2.0 branch.
|
|
|
|
|
|
Changes in version 0.1.2.8-beta - 2007-02-26
|
|
o Major bugfixes (crashes):
|
|
- Stop crashing when the controller asks us to resetconf more than
|
|
one config option at once. (Vidalia 0.0.11 does this.)
|
|
- Fix a crash that happened on Win98 when we're given command-line
|
|
arguments: don't try to load NT service functions from advapi32.dll
|
|
except when we need them. (Bug introduced in 0.1.2.7-alpha;
|
|
resolves bug 389.)
|
|
- Fix a longstanding obscure crash bug that could occur when
|
|
we run out of DNS worker processes. (Resolves bug 390.)
|
|
|
|
o Major bugfixes (hidden services):
|
|
- Correctly detect whether hidden service descriptor downloads are
|
|
in-progress. (Suggested by Karsten Loesing; fixes bug 399.)
|
|
|
|
o Major bugfixes (accounting):
|
|
- When we start during an accounting interval before it's time to wake
|
|
up, remember to wake up at the correct time. (May fix bug 342.)
|
|
|
|
o Minor bugfixes (controller):
|
|
- Give the controller END_STREAM_REASON_DESTROY events _before_ we
|
|
clear the corresponding on_circuit variable, and remember later
|
|
that we don't need to send a redundant CLOSED event. (Resolves part
|
|
3 of bug 367.)
|
|
- Report events where a resolve succeeded or where we got a socks
|
|
protocol error correctly, rather than calling both of them
|
|
"INTERNAL".
|
|
- Change reported stream target addresses to IP consistently when
|
|
we finally get the IP from an exit node.
|
|
- Send log messages to the controller even if they happen to be very
|
|
long.
|
|
|
|
o Minor bugfixes (other):
|
|
- Display correct results when reporting which versions are
|
|
recommended, and how recommended they are. (Resolves bug 383.)
|
|
- Improve our estimates for directory bandwidth to be less random:
|
|
guess that an unrecognized directory will have the average bandwidth
|
|
from all known directories, not that it will have the average
|
|
bandwidth from those directories earlier than it on the list.
|
|
- If we start a server with ClientOnly 1, then set ClientOnly to 0
|
|
and hup, stop triggering an assert based on an empty onion_key.
|
|
- On platforms with no working mmap() equivalent, don't warn the
|
|
user when cached-routers doesn't exist.
|
|
- Warn the user when mmap() [or its equivalent] fails for some reason
|
|
other than file-not-found.
|
|
- Don't warn the user when cached-routers.new doesn't exist: that's
|
|
perfectly fine when starting up for the first time.
|
|
- When EntryNodes are configured, rebuild the guard list to contain,
|
|
in order: the EntryNodes that were guards before; the rest of the
|
|
EntryNodes; the nodes that were guards before.
|
|
- Mask out all signals in sub-threads; only the libevent signal
|
|
handler should be processing them. This should prevent some crashes
|
|
on some machines using pthreads. (Patch from coderman.)
|
|
- Fix switched arguments on memset in the implementation of
|
|
tor_munmap() for systems with no mmap() call.
|
|
- When Tor receives a router descriptor that it asked for, but
|
|
no longer wants (because it has received fresh networkstatuses
|
|
in the meantime), do not warn the user. Cache the descriptor if
|
|
we're a cache; drop it if we aren't.
|
|
- Make earlier entry guards _really_ get retried when the network
|
|
comes back online.
|
|
- On a malformed DNS reply, always give an error to the corresponding
|
|
DNS request.
|
|
- Build with recent libevents on platforms that do not define the
|
|
nonstandard types "u_int8_t" and friends.
|
|
|
|
o Minor features (controller):
|
|
- Warn the user when an application uses the obsolete binary v0
|
|
control protocol. We're planning to remove support for it during
|
|
the next development series, so it's good to give people some
|
|
advance warning.
|
|
- Add STREAM_BW events to report per-entry-stream bandwidth
|
|
use. (Patch from Robert Hogan.)
|
|
- Rate-limit SIGNEWNYM signals in response to controllers that
|
|
impolitely generate them for every single stream. (Patch from
|
|
mwenge; closes bug 394.)
|
|
- Make REMAP stream events have a SOURCE (cache or exit), and
|
|
make them generated in every case where we get a successful
|
|
connected or resolved cell.
|
|
|
|
o Minor bugfixes (performance):
|
|
- Call router_have_min_dir_info half as often. (This is showing up in
|
|
some profiles, but not others.)
|
|
- When using GCC, make log_debug never get called at all, and its
|
|
arguments never get evaluated, when no debug logs are configured.
|
|
(This is showing up in some profiles, but not others.)
|
|
|
|
o Minor features:
|
|
- Remove some never-implemented options. Mark PathlenCoinWeight as
|
|
obsolete.
|
|
- Implement proposal 106: Stop requiring clients to have well-formed
|
|
certificates; stop checking nicknames in certificates. (Clients
|
|
have certificates so that they can look like Tor servers, but in
|
|
the future we might want to allow them to look like regular TLS
|
|
clients instead. Nicknames in certificates serve no purpose other
|
|
than making our protocol easier to recognize on the wire.)
|
|
- Revise messages on handshake failure again to be even more clear about
|
|
which are incoming connections and which are outgoing.
|
|
- Discard any v1 directory info that's over 1 month old (for
|
|
directories) or over 1 week old (for running-routers lists).
|
|
- Do not warn when individual nodes in the configuration's EntryNodes,
|
|
ExitNodes, etc are down: warn only when all possible nodes
|
|
are down. (Fixes bug 348.)
|
|
- Always remove expired routers and networkstatus docs before checking
|
|
whether we have enough information to build circuits. (Fixes
|
|
bug 373.)
|
|
- Put a lower-bound on MaxAdvertisedBandwidth.
|
|
|
|
|
|
Changes in version 0.1.2.7-alpha - 2007-02-06
|
|
o Major bugfixes (rate limiting):
|
|
- Servers decline directory requests much more aggressively when
|
|
they're low on bandwidth. Otherwise they end up queueing more and
|
|
more directory responses, which can't be good for latency.
|
|
- But never refuse directory requests from local addresses.
|
|
- Fix a memory leak when sending a 503 response for a networkstatus
|
|
request.
|
|
- Be willing to read or write on local connections (e.g. controller
|
|
connections) even when the global rate limiting buckets are empty.
|
|
- If our system clock jumps back in time, don't publish a negative
|
|
uptime in the descriptor. Also, don't let the global rate limiting
|
|
buckets go absurdly negative.
|
|
- Flush local controller connection buffers periodically as we're
|
|
writing to them, so we avoid queueing 4+ megabytes of data before
|
|
trying to flush.
|
|
|
|
o Major bugfixes (NT services):
|
|
- Install as NT_AUTHORITY\LocalService rather than as SYSTEM; add a
|
|
command-line flag so that admins can override the default by saying
|
|
"tor --service install --user "SomeUser"". This will not affect
|
|
existing installed services. Also, warn the user that the service
|
|
will look for its configuration file in the service user's
|
|
%appdata% directory. (We can't do the 'hardwire the user's appdata
|
|
directory' trick any more, since we may not have read access to that
|
|
directory.)
|
|
|
|
o Major bugfixes (other):
|
|
- Previously, we would cache up to 16 old networkstatus documents
|
|
indefinitely, if they came from nontrusted authorities. Now we
|
|
discard them if they are more than 10 days old.
|
|
- Fix a crash bug in the presence of DNS hijacking (reported by Andrew
|
|
Del Vecchio).
|
|
- Detect and reject malformed DNS responses containing circular
|
|
pointer loops.
|
|
- If exits are rare enough that we're not marking exits as guards,
|
|
ignore exit bandwidth when we're deciding the required bandwidth
|
|
to become a guard.
|
|
- When we're handling a directory connection tunneled over Tor,
|
|
don't fill up internal memory buffers with all the data we want
|
|
to tunnel; instead, only add it if the OR connection that will
|
|
eventually receive it has some room for it. (This can lead to
|
|
slowdowns in tunneled dir connections; a better solution will have
|
|
to wait for 0.2.0.)
|
|
|
|
o Minor bugfixes (dns):
|
|
- Add some defensive programming to eventdns.c in an attempt to catch
|
|
possible memory-stomping bugs.
|
|
- Detect and reject DNS replies containing IPv4 or IPv6 records with
|
|
an incorrect number of bytes. (Previously, we would ignore the
|
|
extra bytes.)
|
|
- Fix as-yet-unused reverse IPv6 lookup code so it sends nybbles
|
|
in the correct order, and doesn't crash.
|
|
- Free memory held in recently-completed DNS lookup attempts on exit.
|
|
This was not a memory leak, but may have been hiding memory leaks.
|
|
- Handle TTL values correctly on reverse DNS lookups.
|
|
- Treat failure to parse resolv.conf as an error.
|
|
|
|
o Minor bugfixes (other):
|
|
- Fix crash with "tor --list-fingerprint" (reported by seeess).
|
|
- When computing clock skew from directory HTTP headers, consider what
|
|
time it was when we finished asking for the directory, not what
|
|
time it is now.
|
|
- Expire socks connections if they spend too long waiting for the
|
|
handshake to finish. Previously we would let them sit around for
|
|
days, if the connecting application didn't close them either.
|
|
- And if the socks handshake hasn't started, don't send a
|
|
"DNS resolve socks failed" handshake reply; just close it.
|
|
- Stop using C functions that OpenBSD's linker doesn't like.
|
|
- Don't launch requests for descriptors unless we have networkstatuses
|
|
from at least half of the authorities. This delays the first
|
|
download slightly under pathological circumstances, but can prevent
|
|
us from downloading a bunch of descriptors we don't need.
|
|
- Do not log IPs with TLS failures for incoming TLS
|
|
connections. (Fixes bug 382.)
|
|
- If the user asks to use invalid exit nodes, be willing to use
|
|
unstable ones.
|
|
- Stop using the reserved ac_cv namespace in our configure script.
|
|
- Call stat() slightly less often; use fstat() when possible.
|
|
- Refactor the way we handle pending circuits when an OR connection
|
|
completes or fails, in an attempt to fix a rare crash bug.
|
|
- Only rewrite a conn's address based on X-Forwarded-For: headers
|
|
if it's a parseable public IP address; and stop adding extra quotes
|
|
to the resulting address.
|
|
|
|
o Major features:
|
|
- Weight directory requests by advertised bandwidth. Now we can
|
|
let servers enable write limiting but still allow most clients to
|
|
succeed at their directory requests. (We still ignore weights when
|
|
choosing a directory authority; I hope this is a feature.)
|
|
|
|
o Minor features:
|
|
- Create a new file ReleaseNotes which was the old ChangeLog. The
|
|
new ChangeLog file now includes the summaries for all development
|
|
versions too.
|
|
- Check for addresses with invalid characters at the exit as well
|
|
as at the client, and warn less verbosely when they fail. You can
|
|
override this by setting ServerDNSAllowNonRFC953Addresses to 1.
|
|
- Adapt a patch from goodell to let the contrib/exitlist script
|
|
take arguments rather than require direct editing.
|
|
- Inform the server operator when we decide not to advertise a
|
|
DirPort due to AccountingMax enabled or a low BandwidthRate. It
|
|
was confusing Zax, so now we're hopefully more helpful.
|
|
- Bring us one step closer to being able to establish an encrypted
|
|
directory tunnel without knowing a descriptor first. Still not
|
|
ready yet. As part of the change, now assume we can use a
|
|
create_fast cell if we don't know anything about a router.
|
|
- Allow exit nodes to use nameservers running on ports other than 53.
|
|
- Servers now cache reverse DNS replies.
|
|
- Add an --ignore-missing-torrc command-line option so that we can
|
|
get the "use sensible defaults if the configuration file doesn't
|
|
exist" behavior even when specifying a torrc location on the command
|
|
line.
|
|
|
|
o Minor features (controller):
|
|
- Track reasons for OR connection failure; make these reasons
|
|
available via the controller interface. (Patch from Mike Perry.)
|
|
- Add a SOCKS_BAD_HOSTNAME client status event so controllers
|
|
can learn when clients are sending malformed hostnames to Tor.
|
|
- Clean up documentation for controller status events.
|
|
- Add a REMAP status to stream events to note that a stream's
|
|
address has changed because of a cached address or a MapAddress
|
|
directive.
|
|
|
|
|
|
Changes in version 0.1.2.6-alpha - 2007-01-09
|
|
o Major bugfixes:
|
|
- Fix an assert error introduced in 0.1.2.5-alpha: if a single TLS
|
|
connection handles more than 4 gigs in either direction, we crash.
|
|
- Fix an assert error introduced in 0.1.2.5-alpha: if we're an
|
|
advertised exit node, somebody might try to exit from us when
|
|
we're bootstrapping and before we've built our descriptor yet.
|
|
Refuse the connection rather than crashing.
|
|
|
|
o Minor bugfixes:
|
|
- Warn if we (as a server) find that we've resolved an address that we
|
|
weren't planning to resolve.
|
|
- Warn that using select() on any libevent version before 1.1 will be
|
|
unnecessarily slow (even for select()).
|
|
- Flush ERR-level controller status events just like we currently
|
|
flush ERR-level log events, so that a Tor shutdown doesn't prevent
|
|
the controller from learning about current events.
|
|
|
|
o Minor features (more controller status events):
|
|
- Implement EXTERNAL_ADDRESS server status event so controllers can
|
|
learn when our address changes.
|
|
- Implement BAD_SERVER_DESCRIPTOR server status event so controllers
|
|
can learn when directories reject our descriptor.
|
|
- Implement SOCKS_UNKNOWN_PROTOCOL client status event so controllers
|
|
can learn when a client application is speaking a non-socks protocol
|
|
to our SocksPort.
|
|
- Implement DANGEROUS_SOCKS client status event so controllers
|
|
can learn when a client application is leaking DNS addresses.
|
|
- Implement BUG general status event so controllers can learn when
|
|
Tor is unhappy about its internal invariants.
|
|
- Implement CLOCK_SKEW general status event so controllers can learn
|
|
when Tor thinks the system clock is set incorrectly.
|
|
- Implement GOOD_SERVER_DESCRIPTOR and ACCEPTED_SERVER_DESCRIPTOR
|
|
server status events so controllers can learn when their descriptors
|
|
are accepted by a directory.
|
|
- Implement CHECKING_REACHABILITY and REACHABILITY_{SUCCEEDED|FAILED}
|
|
server status events so controllers can learn about Tor's progress in
|
|
deciding whether it's reachable from the outside.
|
|
- Implement BAD_LIBEVENT general status event so controllers can learn
|
|
when we have a version/method combination in libevent that needs to
|
|
be changed.
|
|
- Implement NAMESERVER_STATUS, NAMESERVER_ALL_DOWN, DNS_HIJACKED,
|
|
and DNS_USELESS server status events so controllers can learn
|
|
about changes to DNS server status.
|
|
|
|
o Minor features (directory):
|
|
- Authorities no longer recommend exits as guards if this would shift
|
|
too much load to the exit nodes.
|
|
|
|
|
|
Changes in version 0.1.2.5-alpha - 2007-01-06
|
|
o Major features:
|
|
- Enable write limiting as well as read limiting. Now we sacrifice
|
|
capacity if we're pushing out lots of directory traffic, rather
|
|
than overrunning the user's intended bandwidth limits.
|
|
- Include TLS overhead when counting bandwidth usage; previously, we
|
|
would count only the bytes sent over TLS, but not the bytes used
|
|
to send them.
|
|
- Support running the Tor service with a torrc not in the same
|
|
directory as tor.exe and default to using the torrc located in
|
|
the %appdata%\Tor\ of the user who installed the service. Patch
|
|
from Matt Edman.
|
|
- Servers now check for the case when common DNS requests are going to
|
|
wildcarded addresses (i.e. all getting the same answer), and change
|
|
their exit policy to reject *:* if it's happening.
|
|
- Implement BEGIN_DIR cells, so we can connect to the directory
|
|
server via TLS to do encrypted directory requests rather than
|
|
plaintext. Enable via the TunnelDirConns and PreferTunneledDirConns
|
|
config options if you like.
|
|
|
|
o Minor features (config and docs):
|
|
- Start using the state file to store bandwidth accounting data:
|
|
the bw_accounting file is now obsolete. We'll keep generating it
|
|
for a while for people who are still using 0.1.2.4-alpha.
|
|
- Try to batch changes to the state file so that we do as few
|
|
disk writes as possible while still storing important things in
|
|
a timely fashion.
|
|
- The state file and the bw_accounting file get saved less often when
|
|
the AvoidDiskWrites config option is set.
|
|
- Make PIDFile work on Windows (untested).
|
|
- Add internal descriptions for a bunch of configuration options:
|
|
accessible via controller interface and in comments in saved
|
|
options files.
|
|
- Reject *:563 (NNTPS) in the default exit policy. We already reject
|
|
NNTP by default, so this seems like a sensible addition.
|
|
- Clients now reject hostnames with invalid characters. This should
|
|
avoid some inadvertent info leaks. Add an option
|
|
AllowNonRFC953Hostnames to disable this behavior, in case somebody
|
|
is running a private network with hosts called @, !, and #.
|
|
- Add a maintainer script to tell us which options are missing
|
|
documentation: "make check-docs".
|
|
- Add a new address-spec.txt document to describe our special-case
|
|
addresses: .exit, .onion, and .noconnnect.
|
|
|
|
o Minor features (DNS):
|
|
- Ongoing work on eventdns infrastructure: now it has dns server
|
|
and ipv6 support. One day Tor will make use of it.
|
|
- Add client-side caching for reverse DNS lookups.
|
|
- Add support to tor-resolve tool for reverse lookups and SOCKS5.
|
|
- When we change nameservers or IP addresses, reset and re-launch
|
|
our tests for DNS hijacking.
|
|
|
|
o Minor features (directory):
|
|
- Authorities now specify server versions in networkstatus. This adds
|
|
about 2% to the size of compressed networkstatus docs, and allows
|
|
clients to tell which servers support BEGIN_DIR and which don't.
|
|
The implementation is forward-compatible with a proposed future
|
|
protocol version scheme not tied to Tor versions.
|
|
- DirServer configuration lines now have an orport= option so
|
|
clients can open encrypted tunnels to the authorities without
|
|
having downloaded their descriptors yet. Enabled for moria1,
|
|
moria2, tor26, and lefkada now in the default configuration.
|
|
- Directory servers are more willing to send a 503 "busy" if they
|
|
are near their write limit, especially for v1 directory requests.
|
|
Now they can use their limited bandwidth for actual Tor traffic.
|
|
- Clients track responses with status 503 from dirservers. After a
|
|
dirserver has given us a 503, we try not to use it until an hour has
|
|
gone by, or until we have no dirservers that haven't given us a 503.
|
|
- When we get a 503 from a directory, and we're not a server, we don't
|
|
count the failure against the total number of failures allowed
|
|
for the thing we're trying to download.
|
|
- Report X-Your-Address-Is correctly from tunneled directory
|
|
connections; don't report X-Your-Address-Is when it's an internal
|
|
address; and never believe reported remote addresses when they're
|
|
internal.
|
|
- Protect against an unlikely DoS attack on directory servers.
|
|
- Add a BadDirectory flag to network status docs so that authorities
|
|
can (eventually) tell clients about caches they believe to be
|
|
broken.
|
|
|
|
o Minor features (controller):
|
|
- Have GETINFO dir/status/* work on hosts with DirPort disabled.
|
|
- Reimplement GETINFO so that info/names stays in sync with the
|
|
actual keys.
|
|
- Implement "GETINFO fingerprint".
|
|
- Implement "SETEVENTS GUARD" so controllers can get updates on
|
|
entry guard status as it changes.
|
|
|
|
o Minor features (clean up obsolete pieces):
|
|
- Remove some options that have been deprecated since at least
|
|
0.1.0.x: AccountingMaxKB, LogFile, DebugLogFile, LogLevel, and
|
|
SysLog. Use AccountingMax instead of AccountingMaxKB, and use Log
|
|
to set log options.
|
|
- We no longer look for identity and onion keys in "identity.key" and
|
|
"onion.key" -- these were replaced by secret_id_key and
|
|
secret_onion_key in 0.0.8pre1.
|
|
- We no longer require unrecognized directory entries to be
|
|
preceded by "opt".
|
|
|
|
o Major bugfixes (security):
|
|
- Stop sending the HttpProxyAuthenticator string to directory
|
|
servers when directory connections are tunnelled through Tor.
|
|
- Clients no longer store bandwidth history in the state file.
|
|
- Do not log introduction points for hidden services if SafeLogging
|
|
is set.
|
|
- When generating bandwidth history, round down to the nearest
|
|
1k. When storing accounting data, round up to the nearest 1k.
|
|
- When we're running as a server, remember when we last rotated onion
|
|
keys, so that we will rotate keys once they're a week old even if
|
|
we never stay up for a week ourselves.
|
|
|
|
o Major bugfixes (other):
|
|
- Fix a longstanding bug in eventdns that prevented the count of
|
|
timed-out resolves from ever being reset. This bug caused us to
|
|
give up on a nameserver the third time it timed out, and try it
|
|
10 seconds later... and to give up on it every time it timed out
|
|
after that.
|
|
- Take out the '5 second' timeout from the connection retry
|
|
schedule. Now the first connect attempt will wait a full 10
|
|
seconds before switching to a new circuit. Perhaps this will help
|
|
a lot. Based on observations from Mike Perry.
|
|
- Fix a bug on the Windows implementation of tor_mmap_file() that
|
|
would prevent the cached-routers file from ever loading. Reported
|
|
by John Kimble.
|
|
|
|
o Minor bugfixes:
|
|
- Fix an assert failure when a directory authority sets
|
|
AuthDirRejectUnlisted and then receives a descriptor from an
|
|
unlisted router. Reported by seeess.
|
|
- Avoid a double-free when parsing malformed DirServer lines.
|
|
- Fix a bug when a BSD-style PF socket is first used. Patch from
|
|
Fabian Keil.
|
|
- Fix a bug in 0.1.2.2-alpha that prevented clients from asking
|
|
to resolve an address at a given exit node even when they ask for
|
|
it by name.
|
|
- Servers no longer ever list themselves in their "family" line,
|
|
even if configured to do so. This makes it easier to configure
|
|
family lists conveniently.
|
|
- When running as a server, don't fall back to 127.0.0.1 when no
|
|
nameservers are configured in /etc/resolv.conf; instead, make the
|
|
user fix resolv.conf or specify nameservers explicitly. (Resolves
|
|
bug 363.)
|
|
- Stop accepting certain malformed ports in configured exit policies.
|
|
- Don't re-write the fingerprint file every restart, unless it has
|
|
changed.
|
|
- Stop warning when a single nameserver fails: only warn when _all_ of
|
|
our nameservers have failed. Also, when we only have one nameserver,
|
|
raise the threshold for deciding that the nameserver is dead.
|
|
- Directory authorities now only decide that routers are reachable
|
|
if their identity keys are as expected.
|
|
- When the user uses bad syntax in the Log config line, stop
|
|
suggesting other bad syntax as a replacement.
|
|
- Correctly detect ipv6 DNS capability on OpenBSD.
|
|
|
|
o Minor bugfixes (controller):
|
|
- Report the circuit number correctly in STREAM CLOSED events. Bug
|
|
reported by Mike Perry.
|
|
- Do not report bizarre values for results of accounting GETINFOs
|
|
when the last second's write or read exceeds the allotted bandwidth.
|
|
- Report "unrecognized key" rather than an empty string when the
|
|
controller tries to fetch a networkstatus that doesn't exist.
|
|
|
|
|
|
Changes in version 0.1.1.26 - 2006-12-14
|
|
o Security bugfixes:
|
|
- Stop sending the HttpProxyAuthenticator string to directory
|
|
servers when directory connections are tunnelled through Tor.
|
|
- Clients no longer store bandwidth history in the state file.
|
|
- Do not log introduction points for hidden services if SafeLogging
|
|
is set.
|
|
|
|
o Minor bugfixes:
|
|
- Fix an assert failure when a directory authority sets
|
|
AuthDirRejectUnlisted and then receives a descriptor from an
|
|
unlisted router (reported by seeess).
|
|
|
|
|
|
Changes in version 0.1.2.4-alpha - 2006-12-03
|
|
o Major features:
|
|
- Add support for using natd; this allows FreeBSDs earlier than
|
|
5.1.2 to have ipfw send connections through Tor without using
|
|
SOCKS. (Patch from Zajcev Evgeny with tweaks from tup.)
|
|
|
|
o Minor features:
|
|
- Make all connections to addresses of the form ".noconnect"
|
|
immediately get closed. This lets application/controller combos
|
|
successfully test whether they're talking to the same Tor by
|
|
watching for STREAM events.
|
|
- Make cross.sh cross-compilation script work even when autogen.sh
|
|
hasn't been run. (Patch from Michael Mohr.)
|
|
- Statistics dumped by -USR2 now include a breakdown of public key
|
|
operations, for profiling.
|
|
|
|
o Major bugfixes:
|
|
- Fix a major leak when directory authorities parse their
|
|
approved-routers list, a minor memory leak when we fail to pick
|
|
an exit node, and a few rare leaks on errors.
|
|
- Handle TransPort connections even when the server sends data before
|
|
the client sends data. Previously, the connection would just hang
|
|
until the client sent data. (Patch from tup based on patch from
|
|
Zajcev Evgeny.)
|
|
- Avoid assert failure when our cached-routers file is empty on
|
|
startup.
|
|
|
|
o Minor bugfixes:
|
|
- Don't log spurious warnings when we see a circuit close reason we
|
|
don't recognize; it's probably just from a newer version of Tor.
|
|
- Have directory authorities allow larger amounts of drift in uptime
|
|
without replacing the server descriptor: previously, a server that
|
|
restarted every 30 minutes could have 48 "interesting" descriptors
|
|
per day.
|
|
- Start linking to the Tor specification and Tor reference manual
|
|
correctly in the Windows installer.
|
|
- Add Vidalia to the OS X uninstaller script, so when we uninstall
|
|
Tor/Privoxy we also uninstall Vidalia.
|
|
- Resume building on Irix64, and fix a lot of warnings from its
|
|
MIPSpro C compiler.
|
|
- Don't corrupt last_guessed_ip in router_new_address_suggestion()
|
|
when we're running as a client.
|
|
|
|
|
|
Changes in version 0.1.1.25 - 2006-11-04
|
|
o Major bugfixes:
|
|
- When a client asks us to resolve (rather than connect to)
|
|
an address, and we have a cached answer, give them the cached
|
|
answer. Previously, we would give them no answer at all.
|
|
- We were building exactly the wrong circuits when we predict
|
|
hidden service requirements, meaning Tor would have to build all
|
|
its circuits on demand.
|
|
- If none of our live entry guards have a high uptime, but we
|
|
require a guard with a high uptime, try adding a new guard before
|
|
we give up on the requirement. This patch should make long-lived
|
|
connections more stable on average.
|
|
- When testing reachability of our DirPort, don't launch new
|
|
tests when there's already one in progress -- unreachable
|
|
servers were stacking up dozens of testing streams.
|
|
|
|
o Security bugfixes:
|
|
- When the user sends a NEWNYM signal, clear the client-side DNS
|
|
cache too. Otherwise we continue to act on previous information.
|
|
|
|
o Minor bugfixes:
|
|
- Avoid a memory corruption bug when creating a hash table for
|
|
the first time.
|
|
- Avoid possibility of controller-triggered crash when misusing
|
|
certain commands from a v0 controller on platforms that do not
|
|
handle printf("%s",NULL) gracefully.
|
|
- Avoid infinite loop on unexpected controller input.
|
|
- Don't log spurious warnings when we see a circuit close reason we
|
|
don't recognize; it's probably just from a newer version of Tor.
|
|
- Add Vidalia to the OS X uninstaller script, so when we uninstall
|
|
Tor/Privoxy we also uninstall Vidalia.
|
|
|
|
|
|
Changes in version 0.1.2.3-alpha - 2006-10-29
|
|
o Minor features:
|
|
- Prepare for servers to publish descriptors less often: never
|
|
discard a descriptor simply for being too old until either it is
|
|
recommended by no authorities, or until we get a better one for
|
|
the same router. Make caches consider retaining old recommended
|
|
routers for even longer.
|
|
- If most authorities set a BadExit flag for a server, clients
|
|
don't think of it as a general-purpose exit. Clients only consider
|
|
authorities that advertise themselves as listing bad exits.
|
|
- Directory servers now provide 'Pragma: no-cache' and 'Expires'
|
|
headers for content, so that we can work better in the presence of
|
|
caching HTTP proxies.
|
|
- Allow authorities to list nodes as bad exits by fingerprint or by
|
|
address.
|
|
|
|
o Minor features, controller:
|
|
- Add a REASON field to CIRC events; for backward compatibility, this
|
|
field is sent only to controllers that have enabled the extended
|
|
event format. Also, add additional reason codes to explain why
|
|
a given circuit has been destroyed or truncated. (Patches from
|
|
Mike Perry)
|
|
- Add a REMOTE_REASON field to extended CIRC events to tell the
|
|
controller about why a remote OR told us to close a circuit.
|
|
- Stream events also now have REASON and REMOTE_REASON fields,
|
|
working much like those for circuit events.
|
|
- There's now a GETINFO ns/... field so that controllers can ask Tor
|
|
about the current status of a router.
|
|
- A new event type "NS" to inform a controller when our opinion of
|
|
a router's status has changed.
|
|
- Add a GETINFO events/names and GETINFO features/names so controllers
|
|
can tell which events and features are supported.
|
|
- A new CLEARDNSCACHE signal to allow controllers to clear the
|
|
client-side DNS cache without expiring circuits.
|
|
|
|
o Security bugfixes:
|
|
- When the user sends a NEWNYM signal, clear the client-side DNS
|
|
cache too. Otherwise we continue to act on previous information.
|
|
|
|
o Minor bugfixes:
|
|
- Avoid sending junk to controllers or segfaulting when a controller
|
|
uses EVENT_NEW_DESC with verbose nicknames.
|
|
- Stop triggering asserts if the controller tries to extend hidden
|
|
service circuits (reported by mwenge).
|
|
- Avoid infinite loop on unexpected controller input.
|
|
- When the controller does a "GETINFO network-status", tell it
|
|
about even those routers whose descriptors are very old, and use
|
|
long nicknames where appropriate.
|
|
- Change NT service functions to be loaded on demand. This lets us
|
|
build with MinGW without breaking Tor for Windows 98 users.
|
|
- Do DirPort reachability tests less often, since a single test
|
|
chews through many circuits before giving up.
|
|
- In the hidden service example in torrc.sample, stop recommending
|
|
esoteric and discouraged hidden service options.
|
|
- When stopping an NT service, wait up to 10 sec for it to actually
|
|
stop. (Patch from Matt Edman; resolves bug 295.)
|
|
- Fix handling of verbose nicknames with ORCONN controller events:
|
|
make them show up exactly when requested, rather than exactly when
|
|
not requested.
|
|
- When reporting verbose nicknames in entry_guards_getinfo(), avoid
|
|
printing a duplicate "$" in the keys we send (reported by mwenge).
|
|
- Correctly set maximum connection limit on Cygwin. (This time
|
|
for sure!)
|
|
- Try to detect Windows correctly when cross-compiling.
|
|
- Detect the size of the routers file correctly even if it is
|
|
corrupted (on systems without mmap) or not page-aligned (on systems
|
|
with mmap). This bug was harmless.
|
|
- Sometimes we didn't bother sending a RELAY_END cell when an attempt
|
|
to open a stream fails; now we do in more cases. This should
|
|
make clients able to find a good exit faster in some cases, since
|
|
unhandleable requests will now get an error rather than timing out.
|
|
- Resolve two memory leaks when rebuilding the on-disk router cache
|
|
(reported by fookoowa).
|
|
- Clean up minor code warnings suggested by the MIPSpro C compiler,
|
|
and reported by some Centos users.
|
|
- Controller signals now work on non-Unix platforms that don't define
|
|
SIGUSR1 and SIGUSR2 the way we expect.
|
|
- Patch from Michael Mohr to contrib/cross.sh, so it checks more
|
|
values before failing, and always enables eventdns.
|
|
- Libevent-1.2 exports, but does not define in its headers, strlcpy.
|
|
Try to fix this in configure.in by checking for most functions
|
|
before we check for libevent.
|
|
|
|
|
|
Changes in version 0.1.2.2-alpha - 2006-10-07
|
|
o Major features:
|
|
- Make our async eventdns library on-by-default for Tor servers,
|
|
and plan to deprecate the separate dnsworker threads.
|
|
- Add server-side support for "reverse" DNS lookups (using PTR
|
|
records so clients can determine the canonical hostname for a given
|
|
IPv4 address). Only supported by servers using eventdns; servers
|
|
now announce in their descriptors whether they support eventdns.
|
|
- Specify and implement client-side SOCKS5 interface for reverse DNS
|
|
lookups (see doc/socks-extensions.txt).
|
|
- Add a BEGIN_DIR relay cell type for an easier in-protocol way to
|
|
connect to directory servers through Tor. Previously, clients needed
|
|
to find Tor exits to make private connections to directory servers.
|
|
- Avoid choosing Exit nodes for entry or middle hops when the
|
|
total bandwidth available from non-Exit nodes is much higher than
|
|
the total bandwidth available from Exit nodes.
|
|
- Workaround for name servers (like Earthlink's) that hijack failing
|
|
DNS requests and replace the no-such-server answer with a "helpful"
|
|
redirect to an advertising-driven search portal. Also work around
|
|
DNS hijackers who "helpfully" decline to hijack known-invalid
|
|
RFC2606 addresses. Config option "ServerDNSDetectHijacking 0"
|
|
lets you turn it off.
|
|
- Send out a burst of long-range padding cells once we've established
|
|
that we're reachable. Spread them over 4 circuits, so hopefully
|
|
a few will be fast. This exercises our bandwidth and bootstraps
|
|
us into the directory more quickly.
|
|
|
|
o New/improved config options:
|
|
- Add new config option "ResolvConf" to let the server operator
|
|
choose an alternate resolve.conf file when using eventdns.
|
|
- Add an "EnforceDistinctSubnets" option to control our "exclude
|
|
servers on the same /16" behavior. It's still on by default; this
|
|
is mostly for people who want to operate private test networks with
|
|
all the machines on the same subnet.
|
|
- If one of our entry guards is on the ExcludeNodes list, or the
|
|
directory authorities don't think it's a good guard, treat it as
|
|
if it were unlisted: stop using it as a guard, and throw it off
|
|
the guards list if it stays that way for a long time.
|
|
- Allow directory authorities to be marked separately as authorities
|
|
for the v1 directory protocol, the v2 directory protocol, and
|
|
as hidden service directories, to make it easier to retire old
|
|
authorities. V1 authorities should set "HSAuthoritativeDir 1"
|
|
to continue being hidden service authorities too.
|
|
- Remove 8888 as a LongLivedPort, and add 6697 (IRCS).
|
|
|
|
o Minor features, controller:
|
|
- Fix CIRC controller events so that controllers can learn the
|
|
identity digests of non-Named servers used in circuit paths.
|
|
- Let controllers ask for more useful identifiers for servers. Instead
|
|
of learning identity digests for un-Named servers and nicknames
|
|
for Named servers, the new identifiers include digest, nickname,
|
|
and indication of Named status. Off by default; see control-spec.txt
|
|
for more information.
|
|
- Add a "getinfo address" controller command so it can display Tor's
|
|
best guess to the user.
|
|
- New controller event to alert the controller when our server
|
|
descriptor has changed.
|
|
- Give more meaningful errors on controller authentication failure.
|
|
|
|
o Minor features, other:
|
|
- When asked to resolve a hostname, don't use non-exit servers unless
|
|
requested to do so. This allows servers with broken DNS to be
|
|
useful to the network.
|
|
- Divide eventdns log messages into warn and info messages.
|
|
- Reserve the nickname "Unnamed" for routers that can't pick
|
|
a hostname: any router can call itself Unnamed; directory
|
|
authorities will never allocate Unnamed to any particular router;
|
|
clients won't believe that any router is the canonical Unnamed.
|
|
- Only include function names in log messages for info/debug messages.
|
|
For notice/warn/err, the content of the message should be clear on
|
|
its own, and printing the function name only confuses users.
|
|
- Avoid some false positives during reachability testing: don't try
|
|
to test via a server that's on the same /24 as us.
|
|
- If we fail to build a circuit to an intended enclave, and it's
|
|
not mandatory that we use that enclave, stop wanting it.
|
|
- When eventdns is enabled, allow multithreaded builds on NetBSD and
|
|
OpenBSD. (We had previously disabled threads on these platforms
|
|
because they didn't have working thread-safe resolver functions.)
|
|
|
|
o Major bugfixes, anonymity/security:
|
|
- If a client asked for a server by name, and there's a named server
|
|
in our network-status but we don't have its descriptor yet, we
|
|
could return an unnamed server instead.
|
|
- Fix NetBSD bug that could allow someone to force uninitialized RAM
|
|
to be sent to a server's DNS resolver. This only affects NetBSD
|
|
and other platforms that do not bounds-check tolower().
|
|
- Reject (most) attempts to use Tor circuits with length one. (If
|
|
many people start using Tor as a one-hop proxy, exit nodes become
|
|
a more attractive target for compromise.)
|
|
- Just because your DirPort is open doesn't mean people should be
|
|
able to remotely teach you about hidden service descriptors. Now
|
|
only accept rendezvous posts if you've got HSAuthoritativeDir set.
|
|
|
|
o Major bugfixes, other:
|
|
- Don't crash on race condition in dns.c: tor_assert(!resolve->expire)
|
|
- When a client asks the server to resolve (not connect to)
|
|
an address, and it has a cached answer, give them the cached answer.
|
|
Previously, the server would give them no answer at all.
|
|
- Allow really slow clients to not hang up five minutes into their
|
|
directory downloads (suggested by Adam J. Richter).
|
|
- We were building exactly the wrong circuits when we anticipated
|
|
hidden service requirements, meaning Tor would have to build all
|
|
its circuits on demand.
|
|
- Avoid crashing when we mmap a router cache file of size 0.
|
|
- When testing reachability of our DirPort, don't launch new
|
|
tests when there's already one in progress -- unreachable
|
|
servers were stacking up dozens of testing streams.
|
|
|
|
o Minor bugfixes, correctness:
|
|
- If we're a directory mirror and we ask for "all" network status
|
|
documents, we would discard status documents from authorities
|
|
we don't recognize.
|
|
- Avoid a memory corruption bug when creating a hash table for
|
|
the first time.
|
|
- Avoid controller-triggered crash when misusing certain commands
|
|
from a v0 controller on platforms that do not handle
|
|
printf("%s",NULL) gracefully.
|
|
- Don't crash when a controller sends a third argument to an
|
|
"extendcircuit" request.
|
|
- Controller protocol fixes: fix encoding in "getinfo addr-mappings"
|
|
response; fix error code when "getinfo dir/status/" fails.
|
|
- Avoid crash when telling controller stream-status and a stream
|
|
is detached.
|
|
- Patch from Adam Langley to fix assert() in eventdns.c.
|
|
- Fix a debug log message in eventdns to say "X resolved to Y"
|
|
instead of "X resolved to X".
|
|
- Make eventdns give strings for DNS errors, not just error numbers.
|
|
- Track unreachable entry guards correctly: don't conflate
|
|
'unreachable by us right now' with 'listed as down by the directory
|
|
authorities'. With the old code, if a guard was unreachable by
|
|
us but listed as running, it would clog our guard list forever.
|
|
- Behave correctly in case we ever have a network with more than
|
|
2GB/s total advertised capacity.
|
|
- Make TrackExitHosts case-insensitive, and fix the behavior of
|
|
".suffix" TrackExitHosts items to avoid matching in the middle of
|
|
an address.
|
|
- Finally fix the openssl warnings from newer gccs that believe that
|
|
ignoring a return value is okay, but casting a return value and
|
|
then ignoring it is a sign of madness.
|
|
- Prevent the contrib/exitlist script from printing the same
|
|
result more than once.
|
|
- Patch from Steve Hildrey: Generate network status correctly on
|
|
non-versioning dirservers.
|
|
- Don't listen to the X-Your-Address-Is hint if you did the lookup
|
|
via Tor; otherwise you'll think you're the exit node's IP address.
|
|
|
|
o Minor bugfixes, performance:
|
|
- Two small performance improvements on parsing descriptors.
|
|
- Major performance improvement on inserting descriptors: change
|
|
algorithm from O(n^2) to O(n).
|
|
- Make the common memory allocation path faster on machines where
|
|
malloc(0) returns a pointer.
|
|
- Start remembering X-Your-Address-Is directory hints even if you're
|
|
a client, so you can become a server more smoothly.
|
|
- Avoid duplicate entries on MyFamily line in server descriptor.
|
|
|
|
o Packaging, features:
|
|
- Remove architecture from OS X builds. The official builds are
|
|
now universal binaries.
|
|
- The Debian package now uses --verify-config when (re)starting,
|
|
to distinguish configuration errors from other errors.
|
|
- Update RPMs to require libevent 1.1b.
|
|
|
|
o Packaging, bugfixes:
|
|
- Patches so Tor builds with MinGW on Windows.
|
|
- Patches so Tor might run on Cygwin again.
|
|
- Resume building on non-gcc compilers and ancient gcc. Resume
|
|
building with the -O0 compile flag. Resume building cleanly on
|
|
Debian woody.
|
|
- Run correctly on OS X platforms with case-sensitive filesystems.
|
|
- Correct includes for net/if.h and net/pfvar.h on OpenBSD (from Tup).
|
|
- Add autoconf checks so Tor can build on Solaris x86 again.
|
|
|
|
o Documentation
|
|
- Documented (and renamed) ServerDNSSearchDomains and
|
|
ServerDNSResolvConfFile options.
|
|
- Be clearer that the *ListenAddress directives can be repeated
|
|
multiple times.
|
|
|
|
|
|
Changes in version 0.1.1.24 - 2006-09-29
|
|
o Major bugfixes:
|
|
- Allow really slow clients to not hang up five minutes into their
|
|
directory downloads (suggested by Adam J. Richter).
|
|
- Fix major performance regression from 0.1.0.x: instead of checking
|
|
whether we have enough directory information every time we want to
|
|
do something, only check when the directory information has changed.
|
|
This should improve client CPU usage by 25-50%.
|
|
- Don't crash if, after a server has been running for a while,
|
|
it can't resolve its hostname.
|
|
|
|
o Minor bugfixes:
|
|
- Allow Tor to start when RunAsDaemon is set but no logs are set.
|
|
- Don't crash when the controller receives a third argument to an
|
|
"extendcircuit" request.
|
|
- Controller protocol fixes: fix encoding in "getinfo addr-mappings"
|
|
response; fix error code when "getinfo dir/status/" fails.
|
|
- Fix configure.in to not produce broken configure files with
|
|
more recent versions of autoconf. Thanks to Clint for his auto*
|
|
voodoo.
|
|
- Fix security bug on NetBSD that could allow someone to force
|
|
uninitialized RAM to be sent to a server's DNS resolver. This
|
|
only affects NetBSD and other platforms that do not bounds-check
|
|
tolower().
|
|
- Warn user when using libevent 1.1a or earlier with win32 or kqueue
|
|
methods: these are known to be buggy.
|
|
- If we're a directory mirror and we ask for "all" network status
|
|
documents, we would discard status documents from authorities
|
|
we don't recognize.
|
|
|
|
|
|
Changes in version 0.1.2.1-alpha - 2006-08-27
|
|
o Major features:
|
|
- Add "eventdns" async dns library from Adam Langley, tweaked to
|
|
build on OSX and Windows. Only enabled if you pass the
|
|
--enable-eventdns argument to configure.
|
|
- Allow servers with no hostname or IP address to learn their
|
|
IP address by asking the directory authorities. This code only
|
|
kicks in when you would normally have exited with a "no address"
|
|
error. Nothing's authenticated, so use with care.
|
|
- Rather than waiting a fixed amount of time between retrying
|
|
application connections, we wait only 5 seconds for the first,
|
|
10 seconds for the second, and 15 seconds for each retry after
|
|
that. Hopefully this will improve the expected user experience.
|
|
- Patch from Tup to add support for transparent AP connections:
|
|
this basically bundles the functionality of trans-proxy-tor
|
|
into the Tor mainline. Now hosts with compliant pf/netfilter
|
|
implementations can redirect TCP connections straight to Tor
|
|
without diverting through SOCKS. Needs docs.
|
|
- Busy directory servers save lots of memory by spooling server
|
|
descriptors, v1 directories, and v2 networkstatus docs to buffers
|
|
as needed rather than en masse. Also mmap the cached-routers
|
|
files, so we don't need to keep the whole thing in memory too.
|
|
- Automatically avoid picking more than one node from the same
|
|
/16 network when constructing a circuit.
|
|
- Revise and clean up the torrc.sample that we ship with; add
|
|
a section for BandwidthRate and BandwidthBurst.
|
|
|
|
o Minor features:
|
|
- Split circuit_t into origin_circuit_t and or_circuit_t, and
|
|
split connection_t into edge, or, dir, control, and base structs.
|
|
These will save quite a bit of memory on busy servers, and they'll
|
|
also help us track down bugs in the code and bugs in the spec.
|
|
- Experimentally re-enable kqueue on OSX when using libevent 1.1b
|
|
or later. Log when we are doing this, so we can diagnose it when
|
|
it fails. (Also, recommend libevent 1.1b for kqueue and
|
|
win32 methods; deprecate libevent 1.0b harder; make libevent
|
|
recommendation system saner.)
|
|
- Start being able to build universal binaries on OS X (thanks
|
|
to Phobos).
|
|
- Export the default exit policy via the control port, so controllers
|
|
don't need to guess what it is / will be later.
|
|
- Add a man page entry for ProtocolWarnings.
|
|
- Add TestVia config option to the man page.
|
|
- Remove even more protocol-related warnings from Tor server logs,
|
|
such as bad TLS handshakes and malformed begin cells.
|
|
- Stop fetching descriptors if you're not a dir mirror and you
|
|
haven't tried to establish any circuits lately. [This currently
|
|
causes some dangerous behavior, because when you start up again
|
|
you'll use your ancient server descriptors.]
|
|
- New DirPort behavior: if you have your dirport set, you download
|
|
descriptors aggressively like a directory mirror, whether or not
|
|
your ORPort is set.
|
|
- Get rid of the router_retry_connections notion. Now routers
|
|
no longer try to rebuild long-term connections to directory
|
|
authorities, and directory authorities no longer try to rebuild
|
|
long-term connections to all servers. We still don't hang up
|
|
connections in these two cases though -- we need to look at it
|
|
more carefully to avoid flapping, and we likely need to wait til
|
|
0.1.1.x is obsolete.
|
|
- Drop compatibility with obsolete Tors that permit create cells
|
|
to have the wrong circ_id_type.
|
|
- Re-enable per-connection rate limiting. Get rid of the "OP
|
|
bandwidth" concept. Lay groundwork for "bandwidth classes" --
|
|
separate global buckets that apply depending on what sort of conn
|
|
it is.
|
|
- Start publishing one minute or so after we find our ORPort
|
|
to be reachable. This will help reduce the number of descriptors
|
|
we have for ourselves floating around, since it's quite likely
|
|
other things (e.g. DirPort) will change during that minute too.
|
|
- Fork the v1 directory protocol into its own spec document,
|
|
and mark dir-spec.txt as the currently correct (v2) spec.
|
|
|
|
o Major bugfixes:
|
|
- When we find our DirPort to be reachable, publish a new descriptor
|
|
so we'll tell the world (reported by pnx).
|
|
- Publish a new descriptor after we hup/reload. This is important
|
|
if our config has changed such that we'll want to start advertising
|
|
our DirPort now, etc.
|
|
- Allow Tor to start when RunAsDaemon is set but no logs are set.
|
|
- When we have a state file we cannot parse, tell the user and
|
|
move it aside. Now we avoid situations where the user starts
|
|
Tor in 1904, Tor writes a state file with that timestamp in it,
|
|
the user fixes her clock, and Tor refuses to start.
|
|
- Fix configure.in to not produce broken configure files with
|
|
more recent versions of autoconf. Thanks to Clint for his auto*
|
|
voodoo.
|
|
- "tor --verify-config" now exits with -1(255) or 0 depending on
|
|
whether the config options are bad or good.
|
|
- Resolve bug 321 when using dnsworkers: append a period to every
|
|
address we resolve at the exit node, so that we do not accidentally
|
|
pick up local addresses, and so that failing searches are retried
|
|
in the resolver search domains. (This is already solved for
|
|
eventdns.) (This breaks Blossom servers for now.)
|
|
- If we are using an exit enclave and we can't connect, e.g. because
|
|
its webserver is misconfigured to not listen on localhost, then
|
|
back off and try connecting from somewhere else before we fail.
|
|
|
|
o Minor bugfixes:
|
|
- Start compiling on MinGW on Windows (patches from Mike Chiussi).
|
|
- Start compiling on MSVC6 on Windows (patches from Frediano Ziglio).
|
|
- Fix bug 314: Tor clients issued "unsafe socks" warnings even
|
|
when the IP address is mapped through MapAddress to a hostname.
|
|
- Start passing "ipv4" hints to getaddrinfo(), so servers don't do
|
|
useless IPv6 DNS resolves.
|
|
- Patch suggested by Karsten Loesing: respond to SIGNAL command
|
|
before we execute the signal, in case the signal shuts us down.
|
|
- Clean up AllowInvalidNodes man page entry.
|
|
- Claim a commonname of Tor, rather than TOR, in TLS handshakes.
|
|
- Add more asserts to track down an assert error on a windows Tor
|
|
server with connection_add being called with socket == -1.
|
|
- Handle reporting OR_CONN_EVENT_NEW events to the controller.
|
|
- Fix misleading log messages: an entry guard that is "unlisted",
|
|
as well as not known to be "down" (because we've never heard
|
|
of it), is not therefore "up".
|
|
- Remove code to special-case "-cvs" ending, since it has not
|
|
actually mattered since 0.0.9.
|
|
- Make our socks5 handling more robust to broken socks clients:
|
|
throw out everything waiting on the buffer in between socks
|
|
handshake phases, since they can't possibly (so the theory
|
|
goes) have predicted what we plan to respond to them.
|
|
|
|
|
|
Changes in version 0.1.1.23 - 2006-07-30
|
|
o Major bugfixes:
|
|
- Fast Tor servers, especially exit nodes, were triggering asserts
|
|
due to a bug in handling the list of pending DNS resolves. Some
|
|
bugs still remain here; we're hunting them.
|
|
- Entry guards could crash clients by sending unexpected input.
|
|
- More fixes on reachability testing: if you find yourself reachable,
|
|
then don't ever make any client requests (so you stop predicting
|
|
circuits), then hup or have your clock jump, then later your IP
|
|
changes, you won't think circuits are working, so you won't try to
|
|
test reachability, so you won't publish.
|
|
|
|
o Minor bugfixes:
|
|
- Avoid a crash if the controller does a resetconf firewallports
|
|
and then a setconf fascistfirewall=1.
|
|
- Avoid an integer underflow when the dir authority decides whether
|
|
a router is stable: we might wrongly label it stable, and compute
|
|
a slightly wrong median stability, when a descriptor is published
|
|
later than now.
|
|
- Fix a place where we might trigger an assert if we can't build our
|
|
own server descriptor yet.
|
|
|
|
|
|
Changes in version 0.1.1.22 - 2006-07-05
|
|
o Major bugfixes:
|
|
- Fix a big bug that was causing servers to not find themselves
|
|
reachable if they changed IP addresses. Since only 0.1.1.22+
|
|
servers can do reachability testing correctly, now we automatically
|
|
make sure to test via one of these.
|
|
- Fix to allow clients and mirrors to learn directory info from
|
|
descriptor downloads that get cut off partway through.
|
|
- Directory authorities had a bug in deciding if a newly published
|
|
descriptor was novel enough to make everybody want a copy -- a few
|
|
servers seem to be publishing new descriptors many times a minute.
|
|
o Minor bugfixes:
|
|
- Fix a rare bug that was causing some servers to complain about
|
|
"closing wedged cpuworkers" and skip some circuit create requests.
|
|
- Make the Exit flag in directory status documents actually work.
|
|
|
|
|
|
Changes in version 0.1.1.21 - 2006-06-10
|
|
o Crash and assert fixes from 0.1.1.20:
|
|
- Fix a rare crash on Tor servers that have enabled hibernation.
|
|
- Fix a seg fault on startup for Tor networks that use only one
|
|
directory authority.
|
|
- Fix an assert from a race condition that occurs on Tor servers
|
|
while exiting, where various threads are trying to log that they're
|
|
exiting, and delete the logs, at the same time.
|
|
- Make our unit tests pass again on certain obscure platforms.
|
|
|
|
o Other fixes:
|
|
- Add support for building SUSE RPM packages.
|
|
- Speed up initial bootstrapping for clients: if we are making our
|
|
first ever connection to any entry guard, then don't mark it down
|
|
right after that.
|
|
- When only one Tor server in the network is labelled as a guard,
|
|
and we've already picked him, we would cycle endlessly picking him
|
|
again, being unhappy about it, etc. Now we specifically exclude
|
|
current guards when picking a new guard.
|
|
- Servers send create cells more reliably after the TLS connection
|
|
is established: we were sometimes forgetting to send half of them
|
|
when we had more than one pending.
|
|
- If we get a create cell that asks us to extend somewhere, but the
|
|
Tor server there doesn't match the expected digest, we now send
|
|
a destroy cell back, rather than silently doing nothing.
|
|
- Make options->RedirectExit work again.
|
|
- Make cookie authentication for the controller work again.
|
|
- Stop being picky about unusual characters in the arguments to
|
|
mapaddress. It's none of our business.
|
|
- Add a new config option "TestVia" that lets you specify preferred
|
|
middle hops to use for test circuits. Perhaps this will let me
|
|
debug the reachability problems better.
|
|
|
|
o Log / documentation fixes:
|
|
- If we're a server and some peer has a broken TLS certificate, don't
|
|
log about it unless ProtocolWarnings is set, i.e., we want to hear
|
|
about protocol violations by others.
|
|
- Fix spelling of VirtualAddrNetwork in man page.
|
|
- Add a better explanation at the top of the autogenerated torrc file
|
|
about what happened to our old torrc.
|
|
|
|
|
|
Changes in version 0.1.1.20 - 2006-05-23
|
|
o Bugfixes:
|
|
- Downgrade a log severity where servers complain that they're
|
|
invalid.
|
|
- Avoid a compile warning on FreeBSD.
|
|
- Remove string size limit on NEWDESC messages; solve bug 291.
|
|
- Correct the RunAsDaemon entry in the man page; ignore RunAsDaemon
|
|
more thoroughly when we're running on windows.
|
|
|
|
|
|
Changes in version 0.1.1.19-rc - 2006-05-03
|
|
o Minor bugs:
|
|
- Regenerate our local descriptor if it's dirty and we try to use
|
|
it locally (e.g. if it changes during reachability detection).
|
|
- If we setconf our ORPort to 0, we continued to listen on the
|
|
old ORPort and receive connections.
|
|
- Avoid a second warning about machine/limits.h on Debian
|
|
GNU/kFreeBSD.
|
|
- Be willing to add our own routerinfo into the routerlist.
|
|
Now authorities will include themselves in their directories
|
|
and network-statuses.
|
|
- Stop trying to upload rendezvous descriptors to every
|
|
directory authority: only try the v1 authorities.
|
|
- Servers no longer complain when they think they're not
|
|
registered with the directory authorities. There were too many
|
|
false positives.
|
|
- Backport dist-rpm changes so rpms can be built without errors.
|
|
|
|
o Features:
|
|
- Implement an option, VirtualAddrMask, to set which addresses
|
|
get handed out in response to mapaddress requests. This works
|
|
around a bug in tsocks where 127.0.0.0/8 is never socksified.
|
|
|
|
|
|
Changes in version 0.1.1.18-rc - 2006-04-10
|
|
o Major fixes:
|
|
- Work harder to download live network-statuses from all the
|
|
directory authorities we know about. Improve the threshold
|
|
decision logic so we're more robust to edge cases.
|
|
- When fetching rendezvous descriptors, we were willing to ask
|
|
v2 authorities too, which would always return 404.
|
|
|
|
o Minor fixes:
|
|
- Stop listing down or invalid nodes in the v1 directory. This will
|
|
reduce its bulk by about 1/3, and reduce load on directory
|
|
mirrors.
|
|
- When deciding whether a router is Fast or Guard-worthy, consider
|
|
his advertised BandwidthRate and not just the BandwidthCapacity.
|
|
- No longer ship INSTALL and README files -- they are useless now.
|
|
- Force rpmbuild to behave and honor target_cpu.
|
|
- Avoid warnings about machine/limits.h on Debian GNU/kFreeBSD.
|
|
- Start to include translated versions of the tor-doc-*.html
|
|
files, along with the screenshots. Still needs more work.
|
|
- Start sending back 512 and 451 errors if mapaddress fails,
|
|
rather than not sending anything back at all.
|
|
- When we fail to bind or listen on an incoming or outgoing
|
|
socket, we should close it before failing. otherwise we just
|
|
leak it. (thanks to weasel for finding.)
|
|
- Allow "getinfo dir/status/foo" to work, as long as your DirPort
|
|
is enabled. (This is a hack, and will be fixed in 0.1.2.x.)
|
|
- Make NoPublish (even though deprecated) work again.
|
|
- Fix a minor security flaw where a versioning auth dirserver
|
|
could list a recommended version many times in a row to make
|
|
clients more convinced that it's recommended.
|
|
- Fix crash bug if there are two unregistered servers running
|
|
with the same nickname, one of them is down, and you ask for
|
|
them by nickname in your EntryNodes or ExitNodes. Also, try
|
|
to pick the one that's running rather than an arbitrary one.
|
|
- Fix an infinite loop we could hit if we go offline for too long.
|
|
- Complain when we hit WSAENOBUFS on recv() or write() too.
|
|
Perhaps this will help us hunt the bug.
|
|
- If you're not a versioning dirserver, don't put the string
|
|
"client-versions \nserver-versions \n" in your network-status.
|
|
- Lower the minimum required number of file descriptors to 1000,
|
|
so we can have some overhead for Valgrind on Linux, where the
|
|
default ulimit -n is 1024.
|
|
|
|
o New features:
|
|
- Add tor.dizum.com as the fifth authoritative directory server.
|
|
- Add a new config option FetchUselessDescriptors, off by default,
|
|
for when you plan to run "exitlist" on your client and you want
|
|
to know about even the non-running descriptors.
|
|
|
|
|
|
Changes in version 0.1.1.17-rc - 2006-03-28
|
|
o Major fixes:
|
|
- Clients and servers since 0.1.1.10-alpha have been expiring
|
|
connections whenever they are idle for 5 minutes and they *do*
|
|
have circuits on them. Oops. With this new version, clients will
|
|
discard their previous entry guard choices and avoid choosing
|
|
entry guards running these flawed versions.
|
|
- Fix memory leak when uncompressing concatenated zlib streams. This
|
|
was causing substantial leaks over time on Tor servers.
|
|
- The v1 directory was including servers as much as 48 hours old,
|
|
because that's how the new routerlist->routers works. Now only
|
|
include them if they're 20 hours old or less.
|
|
|
|
o Minor fixes:
|
|
- Resume building on irix64, netbsd 2.0, etc.
|
|
- On non-gcc compilers (e.g. solaris), use "-g -O" instead of
|
|
"-Wall -g -O2".
|
|
- Stop writing the "router.desc" file, ever. Nothing uses it anymore,
|
|
and it is confusing some users.
|
|
- Mirrors stop caching the v1 directory so often.
|
|
- Make the max number of old descriptors that a cache will hold
|
|
rise with the number of directory authorities, so we can scale.
|
|
- Change our win32 uname() hack to be more forgiving about what
|
|
win32 versions it thinks it's found.
|
|
|
|
o New features:
|
|
- Add lefkada.eecs.harvard.edu as a fourth authoritative directory
|
|
server.
|
|
- When the controller's *setconf commands fail, collect an error
|
|
message in a string and hand it back to the controller.
|
|
- Make the v2 dir's "Fast" flag based on relative capacity, just
|
|
like "Stable" is based on median uptime. Name everything in the
|
|
top 7/8 Fast, and only the top 1/2 gets to be a Guard.
|
|
- Log server fingerprint on startup, so new server operators don't
|
|
have to go hunting around their filesystem for it.
|
|
- Return a robots.txt on our dirport to discourage google indexing.
|
|
- Let the controller ask for GETINFO dir/status/foo so it can ask
|
|
directly rather than connecting to the dir port. Only works when
|
|
dirport is set for now.
|
|
|
|
o New config options rather than constants in the code:
|
|
- SocksTimeout: How long do we let a socks connection wait
|
|
unattached before we fail it?
|
|
- CircuitBuildTimeout: Cull non-open circuits that were born
|
|
at least this many seconds ago.
|
|
- CircuitIdleTimeout: Cull open clean circuits that were born
|
|
at least this many seconds ago.
|
|
|
|
|
|
Changes in version 0.1.1.16-rc - 2006-03-18
|
|
o Bugfixes on 0.1.1.15-rc:
|
|
- Fix assert when the controller asks to attachstream a connect-wait
|
|
or resolve-wait stream.
|
|
- Now do address rewriting when the controller asks us to attach
|
|
to a particular circuit too. This will let Blossom specify
|
|
"moria2.exit" without having to learn what moria2's IP address is.
|
|
- Make the "tor --verify-config" command-line work again, so people
|
|
can automatically check if their torrc will parse.
|
|
- Authoritative dirservers no longer require an open connection from
|
|
a server to consider him "reachable". We need this change because
|
|
when we add new auth dirservers, old servers won't know not to
|
|
hang up on them.
|
|
- Let Tor build on Sun CC again.
|
|
- Fix an off-by-one buffer size in dirserv.c that magically never
|
|
hit our three authorities but broke sjmurdoch's own tor network.
|
|
- If we as a directory mirror don't know of any v1 directory
|
|
authorities, then don't try to cache any v1 directories.
|
|
- Stop warning about unknown servers in our family when they are
|
|
given as hex digests.
|
|
- Stop complaining as quickly to the server operator that he
|
|
hasn't registered his nickname/key binding.
|
|
- Various cleanups so we can add new V2 Auth Dirservers.
|
|
- Change "AllowUnverifiedNodes" to "AllowInvalidNodes", to
|
|
reflect the updated flags in our v2 dir protocol.
|
|
- Resume allowing non-printable characters for exit streams (both
|
|
for connecting and for resolving). Now we tolerate applications
|
|
that don't follow the RFCs. But continue to block malformed names
|
|
at the socks side.
|
|
|
|
o Bugfixes on 0.1.0.x:
|
|
- Fix assert bug in close_logs(): when we close and delete logs,
|
|
remove them all from the global "logfiles" list.
|
|
- Fix minor integer overflow in calculating when we expect to use up
|
|
our bandwidth allocation before hibernating.
|
|
- Fix a couple of bugs in OpenSSL detection. Also, deal better when
|
|
there are multiple SSLs installed with different versions.
|
|
- When we try to be a server and Address is not explicitly set and
|
|
our hostname resolves to a private IP address, try to use an
|
|
interface address if it has a public address. Now Windows machines
|
|
that think of themselves as localhost can work by default.
|
|
|
|
o New features:
|
|
- Let the controller ask for GETINFO dir/server/foo so it can ask
|
|
directly rather than connecting to the dir port.
|
|
- Let the controller tell us about certain router descriptors
|
|
that it doesn't want Tor to use in circuits. Implement
|
|
SETROUTERPURPOSE and modify +POSTDESCRIPTOR to do this.
|
|
- New config option SafeSocks to reject all application connections
|
|
using unsafe socks protocols. Defaults to off.
|
|
|
|
|
|
Changes in version 0.1.1.15-rc - 2006-03-11
|
|
o Bugfixes and cleanups:
|
|
- When we're printing strings from the network, don't try to print
|
|
non-printable characters. This protects us against shell escape
|
|
sequence exploits, and also against attacks to fool humans into
|
|
misreading their logs.
|
|
- Fix a bug where Tor would fail to establish any connections if you
|
|
left it off for 24 hours and then started it: we were happy with
|
|
the obsolete network statuses, but they all referred to router
|
|
descriptors that were too old to fetch, so we ended up with no
|
|
valid router descriptors.
|
|
- Fix a seg fault in the controller's "getinfo orconn-status"
|
|
command while listing status on incoming handshaking connections.
|
|
Introduce a status name "NEW" for these connections.
|
|
- If we get a linelist or linelist_s config option from the torrc
|
|
(e.g. ExitPolicy) and it has no value, warn and skip rather than
|
|
silently resetting it to its default.
|
|
- Don't abandon entry guards until they've been down or gone for
|
|
a whole month.
|
|
- Cleaner and quieter log messages.
|
|
|
|
o New features:
|
|
- New controller signal NEWNYM that makes new application requests
|
|
use clean circuits.
|
|
- Add a new circuit purpose 'controller' to let the controller ask
|
|
for a circuit that Tor won't try to use. Extend the EXTENDCIRCUIT
|
|
controller command to let you specify the purpose if you're
|
|
starting a new circuit. Add a new SETCIRCUITPURPOSE controller
|
|
command to let you change a circuit's purpose after it's been
|
|
created.
|
|
- Accept "private:*" in routerdesc exit policies; not generated yet
|
|
because older Tors do not understand it.
|
|
- Add BSD-style contributed startup script "rc.subr" from Peter
|
|
Thoenen.
|
|
|
|
|
|
Changes in version 0.1.1.14-alpha - 2006-02-20
|
|
o Bugfixes on 0.1.1.x:
|
|
- Don't die if we ask for a stdout or stderr log (even implicitly)
|
|
and we're set to RunAsDaemon -- just warn.
|
|
- We still had a few bugs in the OR connection rotation code that
|
|
caused directory servers to slowly aggregate connections to other
|
|
fast Tor servers. This time for sure!
|
|
- Make log entries on Win32 include the name of the function again.
|
|
- We were treating a pair of exit policies if they were equal even
|
|
if one said accept and the other said reject -- causing us to
|
|
not always publish a new descriptor since we thought nothing
|
|
had changed.
|
|
- Retry pending server downloads as well as pending networkstatus
|
|
downloads when we unexpectedly get a socks request.
|
|
- We were ignoring the IS_FAST flag in the directory status,
|
|
meaning we were willing to pick trivial-bandwidth nodes for "fast"
|
|
connections.
|
|
- If the controller's SAVECONF command fails (e.g. due to file
|
|
permissions), let the controller know that it failed.
|
|
|
|
o Features:
|
|
- If we're trying to be a Tor server and running Windows 95/98/ME
|
|
as a server, explain that we'll likely crash.
|
|
- When we're a server, a client asks for an old-style directory,
|
|
and our write bucket is empty, don't give it to him. This way
|
|
small servers can continue to serve the directory *sometimes*,
|
|
without getting overloaded.
|
|
- Compress exit policies even more -- look for duplicate lines
|
|
and remove them.
|
|
- Clients now honor the "guard" flag in the router status when
|
|
picking entry guards, rather than looking at is_fast or is_stable.
|
|
- Retain unrecognized lines in $DATADIR/state file, so that we can
|
|
be forward-compatible.
|
|
- Generate 18.0.0.0/8 address policy format in descs when we can;
|
|
warn when the mask is not reducible to a bit-prefix.
|
|
- Let the user set ControlListenAddress in the torrc. This can be
|
|
dangerous, but there are some cases (like a secured LAN) where it
|
|
makes sense.
|
|
- Split ReachableAddresses into ReachableDirAddresses and
|
|
ReachableORAddresses, so we can restrict Dir conns to port 80
|
|
and OR conns to port 443.
|
|
- Now we can target arch and OS in rpm builds (contributed by
|
|
Phobos). Also make the resulting dist-rpm filename match the
|
|
target arch.
|
|
- New config options to help controllers: FetchServerDescriptors
|
|
and FetchHidServDescriptors for whether to fetch server
|
|
info and hidserv info or let the controller do it, and
|
|
PublishServerDescriptor and PublishHidServDescriptors.
|
|
- Also let the controller set the __AllDirActionsPrivate config
|
|
option if you want all directory fetches/publishes to happen via
|
|
Tor (it assumes your controller bootstraps your circuits).
|
|
|
|
|
|
Changes in version 0.1.0.17 - 2006-02-17
|
|
o Crash bugfixes on 0.1.0.x:
|
|
- When servers with a non-zero DirPort came out of hibernation,
|
|
sometimes they would trigger an assert.
|
|
|
|
o Other important bugfixes:
|
|
- On platforms that don't have getrlimit (like Windows), we were
|
|
artificially constraining ourselves to a max of 1024
|
|
connections. Now just assume that we can handle as many as 15000
|
|
connections. Hopefully this won't cause other problems.
|
|
|
|
o Backported features:
|
|
- When we're a server, a client asks for an old-style directory,
|
|
and our write bucket is empty, don't give it to him. This way
|
|
small servers can continue to serve the directory *sometimes*,
|
|
without getting overloaded.
|
|
- Whenever you get a 503 in response to a directory fetch, try
|
|
once more. This will become important once servers start sending
|
|
503's whenever they feel busy.
|
|
- Fetch a new directory every 120 minutes, not every 40 minutes.
|
|
Now that we have hundreds of thousands of users running the old
|
|
directory algorithm, it's starting to hurt a lot.
|
|
- Bump up the period for forcing a hidden service descriptor upload
|
|
from 20 minutes to 1 hour.
|
|
|
|
|
|
Changes in version 0.1.1.13-alpha - 2006-02-09
|
|
o Crashes in 0.1.1.x:
|
|
- When you tried to setconf ORPort via the controller, Tor would
|
|
crash. So people using TorCP to become a server were sad.
|
|
- Solve (I hope) the stack-smashing bug that we were seeing on fast
|
|
servers. The problem appears to be something do with OpenSSL's
|
|
random number generation, or how we call it, or something. Let me
|
|
know if the crashes continue.
|
|
- Turn crypto hardware acceleration off by default, until we find
|
|
somebody smart who can test it for us. (It appears to produce
|
|
seg faults in at least some cases.)
|
|
- Fix a rare assert error when we've tried all intro points for
|
|
a hidden service and we try fetching the service descriptor again:
|
|
"Assertion conn->state != AP_CONN_STATE_RENDDESC_WAIT failed"
|
|
|
|
o Major fixes:
|
|
- Fix a major load balance bug: we were round-robining in 16 KB
|
|
chunks, and servers with bandwidthrate of 20 KB, while downloading
|
|
a 600 KB directory, would starve their other connections. Now we
|
|
try to be a bit more fair.
|
|
- Dir authorities and mirrors were never expiring the newest
|
|
descriptor for each server, causing memory and directory bloat.
|
|
- Fix memory-bloating and connection-bloating bug on servers: We
|
|
were never closing any connection that had ever had a circuit on
|
|
it, because we were checking conn->n_circuits == 0, yet we had a
|
|
bug that let it go negative.
|
|
- Make Tor work using squid as your http proxy again -- squid
|
|
returns an error if you ask for a URL that's too long, and it uses
|
|
a really generic error message. Plus, many people are behind a
|
|
transparent squid so they don't even realize it.
|
|
- On platforms that don't have getrlimit (like Windows), we were
|
|
artificially constraining ourselves to a max of 1024
|
|
connections. Now just assume that we can handle as many as 15000
|
|
connections. Hopefully this won't cause other problems.
|
|
- Add a new config option ExitPolicyRejectPrivate which defaults to
|
|
1. This means all exit policies will begin with rejecting private
|
|
addresses, unless the server operator explicitly turns it off.
|
|
|
|
o Major features:
|
|
- Clients no longer download descriptors for non-running
|
|
descriptors.
|
|
- Before we add new directory authorities, we should make it
|
|
clear that only v1 authorities should receive/publish hidden
|
|
service descriptors.
|
|
|
|
o Minor features:
|
|
- As soon as we've fetched some more directory info, immediately
|
|
try to download more server descriptors. This way we don't have
|
|
a 10 second pause during initial bootstrapping.
|
|
- Remove even more loud log messages that the server operator can't
|
|
do anything about.
|
|
- When we're running an obsolete or un-recommended version, make
|
|
the log message more clear about what the problem is and what
|
|
versions *are* still recommended.
|
|
- Provide a more useful warn message when our onion queue gets full:
|
|
the CPU is too slow or the exit policy is too liberal.
|
|
- Don't warn when we receive a 503 from a dirserver/cache -- this
|
|
will pave the way for them being able to refuse if they're busy.
|
|
- When we fail to bind a listener, try to provide a more useful
|
|
log message: e.g., "Is Tor already running?"
|
|
- Adjust tor-spec to parameterize cell and key lengths. Now Ian
|
|
Goldberg can prove things about our handshake protocol more
|
|
easily.
|
|
- MaxConn has been obsolete for a while now. Document the ConnLimit
|
|
config option, which is a *minimum* number of file descriptors
|
|
that must be available else Tor refuses to start.
|
|
- Apply Matt Ghali's --with-syslog-facility patch to ./configure
|
|
if you log to syslog and want something other than LOG_DAEMON.
|
|
- Make dirservers generate a separate "guard" flag to mean,
|
|
"would make a good entry guard". Make clients parse it and vote
|
|
on it. Not used by clients yet.
|
|
- Implement --with-libevent-dir option to ./configure. Also, improve
|
|
search techniques to find libevent, and use those for openssl too.
|
|
- Bump the default bandwidthrate to 3 MB, and burst to 6 MB
|
|
- Only start testing reachability once we've established a
|
|
circuit. This will make startup on dirservers less noisy.
|
|
- Don't try to upload hidden service descriptors until we have
|
|
established a circuit.
|
|
- Fix the controller's "attachstream 0" command to treat conn like
|
|
it just connected, doing address remapping, handling .exit and
|
|
.onion idioms, and so on. Now we're more uniform in making sure
|
|
that the controller hears about new and closing connections.
|
|
|
|
|
|
Changes in version 0.1.1.12-alpha - 2006-01-11
|
|
o Bugfixes on 0.1.1.x:
|
|
- The fix to close duplicate server connections was closing all
|
|
Tor client connections if they didn't establish a circuit
|
|
quickly enough. Oops.
|
|
- Fix minor memory issue (double-free) that happened on exit.
|
|
|
|
o Bugfixes on 0.1.0.x:
|
|
- Tor didn't warn when it failed to open a log file.
|
|
|
|
|
|
Changes in version 0.1.1.11-alpha - 2006-01-10
|
|
o Crashes in 0.1.1.x:
|
|
- Include all the assert/crash fixes from 0.1.0.16.
|
|
- If you start Tor and then quit very quickly, there were some
|
|
races that tried to free things that weren't allocated yet.
|
|
- Fix a rare memory stomp if you're running hidden services.
|
|
- Fix segfault when specifying DirServer in config without nickname.
|
|
- Fix a seg fault when you finish connecting to a server but at
|
|
that moment you dump his server descriptor.
|
|
- Extendcircuit and Attachstream controller commands would
|
|
assert/crash if you don't give them enough arguments.
|
|
- Fix an assert error when we're out of space in the connection_list
|
|
and we try to post a hidden service descriptor (reported by weasel).
|
|
- If you specify a relative torrc path and you set RunAsDaemon in
|
|
your torrc, then it chdir()'s to the new directory. If you HUP,
|
|
it tries to load the new torrc location, fails, and exits.
|
|
The fix: no longer allow a relative path to torrc using -f.
|
|
|
|
o Major features:
|
|
- Implement "entry guards": automatically choose a handful of entry
|
|
nodes and stick with them for all circuits. Only pick new guards
|
|
when the ones you have are unsuitable, and if the old guards
|
|
become suitable again, switch back. This will increase security
|
|
dramatically against certain end-point attacks. The EntryNodes
|
|
config option now provides some hints about which entry guards you
|
|
want to use most; and StrictEntryNodes means to only use those.
|
|
- New directory logic: download by descriptor digest, not by
|
|
fingerprint. Caches try to download all listed digests from
|
|
authorities; clients try to download "best" digests from caches.
|
|
This avoids partitioning and isolating attacks better.
|
|
- Make the "stable" router flag in network-status be the median of
|
|
the uptimes of running valid servers, and make clients pay
|
|
attention to the network-status flags. Thus the cutoff adapts
|
|
to the stability of the network as a whole, making IRC, IM, etc
|
|
connections more reliable.
|
|
|
|
o Major fixes:
|
|
- Tor servers with dynamic IP addresses were needing to wait 18
|
|
hours before they could start doing reachability testing using
|
|
the new IP address and ports. This is because they were using
|
|
the internal descriptor to learn what to test, yet they were only
|
|
rebuilding the descriptor once they decided they were reachable.
|
|
- Tor 0.1.1.9 and 0.1.1.10 had a serious bug that caused clients
|
|
to download certain server descriptors, throw them away, and then
|
|
fetch them again after 30 minutes. Now mirrors throw away these
|
|
server descriptors so clients can't get them.
|
|
- We were leaving duplicate connections to other ORs open for a week,
|
|
rather than closing them once we detect a duplicate. This only
|
|
really affected authdirservers, but it affected them a lot.
|
|
- Spread the authdirservers' reachability testing over the entire
|
|
testing interval, so we don't try to do 500 TLS's at once every
|
|
20 minutes.
|
|
|
|
o Minor fixes:
|
|
- If the network is down, and we try to connect to a conn because
|
|
we have a circuit in mind, and we timeout (30 seconds) because the
|
|
network never answers, we were expiring the circuit, but we weren't
|
|
obsoleting the connection or telling the entry_guards functions.
|
|
- Some Tor servers process billions of cells per day. These statistics
|
|
need to be uint64_t's.
|
|
- Check for integer overflows in more places, when adding elements
|
|
to smartlists. This could possibly prevent a buffer overflow
|
|
on malicious huge inputs. I don't see any, but I haven't looked
|
|
carefully.
|
|
- ReachableAddresses kept growing new "reject *:*" lines on every
|
|
setconf/reload.
|
|
- When you "setconf log" via the controller, it should remove all
|
|
logs. We were automatically adding back in a "log notice stdout".
|
|
- Newly bootstrapped Tor networks couldn't establish hidden service
|
|
circuits until they had nodes with high uptime. Be more tolerant.
|
|
- We were marking servers down when they could not answer every piece
|
|
of the directory request we sent them. This was far too harsh.
|
|
- Fix the torify (tsocks) config file to not use Tor for localhost
|
|
connections.
|
|
- Directory authorities now go to the proper authority when asking for
|
|
a networkstatus, even when they want a compressed one.
|
|
- Fix a harmless bug that was causing Tor servers to log
|
|
"Got an end because of misc error, but we're not an AP. Closing."
|
|
- Authorities were treating their own descriptor changes as cosmetic,
|
|
meaning the descriptor available in the network-status and the
|
|
descriptor that clients downloaded were different.
|
|
- The OS X installer was adding a symlink for tor_resolve but
|
|
the binary was called tor-resolve (reported by Thomas Hardly).
|
|
- Workaround a problem with some http proxies where they refuse GET
|
|
requests that specify "Content-Length: 0" (reported by Adrian).
|
|
- Fix wrong log message when you add a "HiddenServiceNodes" config
|
|
line without any HiddenServiceDir line (reported by Chris Thomas).
|
|
|
|
o Minor features:
|
|
- Write the TorVersion into the state file so we have a prayer of
|
|
keeping forward and backward compatibility.
|
|
- Revive the FascistFirewall config option rather than eliminating it:
|
|
now it's a synonym for ReachableAddresses *:80,*:443.
|
|
- Clients choose directory servers from the network status lists,
|
|
not from their internal list of router descriptors. Now they can
|
|
go to caches directly rather than needing to go to authorities
|
|
to bootstrap.
|
|
- Directory authorities ignore router descriptors that have only
|
|
cosmetic differences: do this for 0.1.0.x servers now too.
|
|
- Add a new flag to network-status indicating whether the server
|
|
can answer v2 directory requests too.
|
|
- Authdirs now stop whining so loudly about bad descriptors that
|
|
they fetch from other dirservers. So when there's a log complaint,
|
|
it's for sure from a freshly uploaded descriptor.
|
|
- Reduce memory requirements in our structs by changing the order
|
|
of fields.
|
|
- There used to be two ways to specify your listening ports in a
|
|
server descriptor: on the "router" line and with a separate "ports"
|
|
line. Remove support for the "ports" line.
|
|
- New config option "AuthDirRejectUnlisted" for auth dirservers as
|
|
a panic button: if we get flooded with unusable servers we can
|
|
revert to only listing servers in the approved-routers file.
|
|
- Auth dir servers can now mark a fingerprint as "!reject" or
|
|
"!invalid" in the approved-routers file (as its nickname), to
|
|
refuse descriptors outright or include them but marked as invalid.
|
|
- Servers store bandwidth history across restarts/crashes.
|
|
- Add reasons to DESTROY and RELAY_TRUNCATED cells, so clients can
|
|
get a better idea of why their circuits failed. Not used yet.
|
|
- Directory mirrors now cache up to 16 unrecognized network-status
|
|
docs. Now we can add new authdirservers and they'll be cached too.
|
|
- When picking a random directory, prefer non-authorities if any
|
|
are known.
|
|
- New controller option "getinfo desc/all-recent" to fetch the
|
|
latest server descriptor for every router that Tor knows about.
|
|
|
|
|
|
Changes in version 0.1.0.16 - 2006-01-02
|
|
o Crash bugfixes on 0.1.0.x:
|
|
- On Windows, build with a libevent patch from "I-M Weasel" to avoid
|
|
corrupting the heap, losing FDs, or crashing when we need to resize
|
|
the fd_sets. (This affects the Win32 binaries, not Tor's sources.)
|
|
- It turns out sparc64 platforms crash on unaligned memory access
|
|
too -- so detect and avoid this.
|
|
- Handle truncated compressed data correctly (by detecting it and
|
|
giving an error).
|
|
- Fix possible-but-unlikely free(NULL) in control.c.
|
|
- When we were closing connections, there was a rare case that
|
|
stomped on memory, triggering seg faults and asserts.
|
|
- Avoid potential infinite recursion when building a descriptor. (We
|
|
don't know that it ever happened, but better to fix it anyway.)
|
|
- We were neglecting to unlink marked circuits from soon-to-close OR
|
|
connections, which caused some rare scribbling on freed memory.
|
|
- Fix a memory stomping race bug when closing the joining point of two
|
|
rendezvous circuits.
|
|
- Fix an assert in time parsing found by Steven Murdoch.
|
|
|
|
o Other bugfixes on 0.1.0.x:
|
|
- When we're doing reachability testing, provide more useful log
|
|
messages so the operator knows what to expect.
|
|
- Do not check whether DirPort is reachable when we are suppressing
|
|
advertising it because of hibernation.
|
|
- When building with -static or on Solaris, we sometimes needed -ldl.
|
|
- When we're deciding whether a stream has enough circuits around
|
|
that can handle it, count the freshly dirty ones and not the ones
|
|
that are so dirty they won't be able to handle it.
|
|
- When we're expiring old circuits, we had a logic error that caused
|
|
us to close new rendezvous circuits rather than old ones.
|
|
- Give a more helpful log message when you try to change ORPort via
|
|
the controller: you should upgrade Tor if you want that to work.
|
|
- We were failing to parse Tor versions that start with "Tor ".
|
|
- Tolerate faulty streams better: when a stream fails for reason
|
|
exitpolicy, stop assuming that the router is lying about his exit
|
|
policy. When a stream fails for reason misc, allow it to retry just
|
|
as if it was resolvefailed. When a stream has failed three times,
|
|
reset its failure count so we can try again and get all three tries.
|
|
|
|
|
|
Changes in version 0.1.1.10-alpha - 2005-12-11
|
|
o Correctness bugfixes on 0.1.0.x:
|
|
- On Windows, build with a libevent patch from "I-M Weasel" to avoid
|
|
corrupting the heap, losing FDs, or crashing when we need to resize
|
|
the fd_sets. (This affects the Win32 binaries, not Tor's sources.)
|
|
- Stop doing the complex voodoo overkill checking for insecure
|
|
Diffie-Hellman keys. Just check if it's in [2,p-2] and be happy.
|
|
- When we were closing connections, there was a rare case that
|
|
stomped on memory, triggering seg faults and asserts.
|
|
- We were neglecting to unlink marked circuits from soon-to-close OR
|
|
connections, which caused some rare scribbling on freed memory.
|
|
- When we're deciding whether a stream has enough circuits around
|
|
that can handle it, count the freshly dirty ones and not the ones
|
|
that are so dirty they won't be able to handle it.
|
|
- Recover better from TCP connections to Tor servers that are
|
|
broken but don't tell you (it happens!); and rotate TLS
|
|
connections once a week.
|
|
- When we're expiring old circuits, we had a logic error that caused
|
|
us to close new rendezvous circuits rather than old ones.
|
|
- Fix a scary-looking but apparently harmless bug where circuits
|
|
would sometimes start out in state CIRCUIT_STATE_OR_WAIT at
|
|
servers, and never switch to state CIRCUIT_STATE_OPEN.
|
|
- When building with -static or on Solaris, we sometimes needed to
|
|
build with -ldl.
|
|
- Give a useful message when people run Tor as the wrong user,
|
|
rather than telling them to start chowning random directories.
|
|
- We were failing to inform the controller about new .onion streams.
|
|
|
|
o Security bugfixes on 0.1.0.x:
|
|
- Refuse server descriptors if the fingerprint line doesn't match
|
|
the included identity key. Tor doesn't care, but other apps (and
|
|
humans) might actually be trusting the fingerprint line.
|
|
- We used to kill the circuit when we receive a relay command we
|
|
don't recognize. Now we just drop it.
|
|
- Start obeying our firewall options more rigorously:
|
|
. If we can't get to a dirserver directly, try going via Tor.
|
|
. Don't ever try to connect (as a client) to a place our
|
|
firewall options forbid.
|
|
. If we specify a proxy and also firewall options, obey the
|
|
firewall options even when we're using the proxy: some proxies
|
|
can only proxy to certain destinations.
|
|
- Fix a bug found by Lasse Overlier: when we were making internal
|
|
circuits (intended to be cannibalized later for rendezvous and
|
|
introduction circuits), we were picking them so that they had
|
|
useful exit nodes. There was no need for this, and it actually
|
|
aids some statistical attacks.
|
|
- Start treating internal circuits and exit circuits separately.
|
|
It's important to keep them separate because internal circuits
|
|
have their last hops picked like middle hops, rather than like
|
|
exit hops. So exiting on them will break the user's expectations.
|
|
|
|
o Bugfixes on 0.1.1.x:
|
|
- Take out the mis-feature where we tried to detect IP address
|
|
flapping for people with DynDNS, and chose not to upload a new
|
|
server descriptor sometimes.
|
|
- Try to be compatible with OpenSSL 0.9.6 again.
|
|
- Log fix: when the controller is logging about .onion addresses,
|
|
sometimes it didn't include the ".onion" part of the address.
|
|
- Don't try to modify options->DirServers internally -- if the
|
|
user didn't specify any, just add the default ones directly to
|
|
the trusted dirserver list. This fixes a bug where people running
|
|
controllers would use SETCONF on some totally unrelated config
|
|
option, and Tor would start yelling at them about changing their
|
|
DirServer lines.
|
|
- Let the controller's redirectstream command specify a port, in
|
|
case the controller wants to change that too.
|
|
- When we requested a pile of server descriptors, we sometimes
|
|
accidentally launched a duplicate request for the first one.
|
|
- Bugfix for trackhostexits: write down the fingerprint of the
|
|
chosen exit, not its nickname, because the chosen exit might not
|
|
be verified.
|
|
- When parsing foo.exit, if foo is unknown, and we are leaving
|
|
circuits unattached, set the chosen_exit field and leave the
|
|
address empty. This matters because controllers got confused
|
|
otherwise.
|
|
- Directory authorities no longer try to download server
|
|
descriptors that they know they will reject.
|
|
|
|
o Features and updates:
|
|
- Replace balanced trees with hash tables: this should make stuff
|
|
significantly faster.
|
|
- Resume using the AES counter-mode implementation that we ship,
|
|
rather than OpenSSL's. Ours is significantly faster.
|
|
- Many other CPU and memory improvements.
|
|
- Add a new config option FastFirstHopPK (on by default) so clients
|
|
do a trivial crypto handshake for their first hop, since TLS has
|
|
already taken care of confidentiality and authentication.
|
|
- Add a new config option TestSocks so people can see if their
|
|
applications are using socks4, socks4a, socks5-with-ip, or
|
|
socks5-with-hostname. This way they don't have to keep mucking
|
|
with tcpdump and wondering if something got cached somewhere.
|
|
- Warn when listening on a public address for socks. I suspect a
|
|
lot of people are setting themselves up as open socks proxies,
|
|
and they have no idea that jerks on the Internet are using them,
|
|
since they simply proxy the traffic into the Tor network.
|
|
- Add "private:*" as an alias in configuration for policies. Now
|
|
you can simplify your exit policy rather than needing to list
|
|
every single internal or nonroutable network space.
|
|
- Add a new controller event type that allows controllers to get
|
|
all server descriptors that were uploaded to a router in its role
|
|
as authoritative dirserver.
|
|
- Start shipping socks-extensions.txt, tor-doc-unix.html,
|
|
tor-doc-server.html, and stylesheet.css in the tarball.
|
|
- Stop shipping tor-doc.html in the tarball.
|
|
|
|
|
|
Changes in version 0.1.1.9-alpha - 2005-11-15
|
|
o Usability improvements:
|
|
- Start calling it FooListenAddress rather than FooBindAddress,
|
|
since few of our users know what it means to bind an address
|
|
or port.
|
|
- Reduce clutter in server logs. We're going to try to make
|
|
them actually usable now. New config option ProtocolWarnings that
|
|
lets you hear about how _other Tors_ are breaking the protocol. Off
|
|
by default.
|
|
- Divide log messages into logging domains. Once we put some sort
|
|
of interface on this, it will let people looking at more verbose
|
|
log levels specify the topics they want to hear more about.
|
|
- Make directory servers return better http 404 error messages
|
|
instead of a generic "Servers unavailable".
|
|
- Check for even more Windows version flags when writing the platform
|
|
string in server descriptors, and note any we don't recognize.
|
|
- Clean up more of the OpenSSL memory when exiting, so we can detect
|
|
memory leaks better.
|
|
- Make directory authorities be non-versioning, non-naming by
|
|
default. Now we can add new directory servers without requiring
|
|
their operators to pay close attention.
|
|
- When logging via syslog, include the pid whenever we provide
|
|
a log entry. Suggested by Todd Fries.
|
|
|
|
o Performance improvements:
|
|
- Directory servers now silently throw away new descriptors that
|
|
haven't changed much if the timestamps are similar. We do this to
|
|
tolerate older Tor servers that upload a new descriptor every 15
|
|
minutes. (It seemed like a good idea at the time.)
|
|
- Inline bottleneck smartlist functions; use fast versions by default.
|
|
- Add a "Map from digest to void*" abstraction digestmap_t so we
|
|
can do less hex encoding/decoding. Use it in router_get_by_digest()
|
|
to resolve a performance bottleneck.
|
|
- Allow tor_gzip_uncompress to extract as much as possible from
|
|
truncated compressed data. Try to extract as many
|
|
descriptors as possible from truncated http responses (when
|
|
DIR_PURPOSE_FETCH_ROUTERDESC).
|
|
- Make circ->onionskin a pointer, not a static array. moria2 was using
|
|
125000 circuit_t's after it had been up for a few weeks, which
|
|
translates to 20+ megs of wasted space.
|
|
- The private half of our EDH handshake keys are now chosen out
|
|
of 320 bits, not 1024 bits. (Suggested by Ian Goldberg.)
|
|
|
|
o Security improvements:
|
|
- Start making directory caches retain old routerinfos, so soon
|
|
clients can start asking by digest of descriptor rather than by
|
|
fingerprint of server.
|
|
- Add half our entropy from RAND_poll in OpenSSL. This knows how
|
|
to use egd (if present), openbsd weirdness (if present), vms/os2
|
|
weirdness (if we ever port there), and more in the future.
|
|
|
|
o Bugfixes on 0.1.0.x:
|
|
- Do round-robin writes of at most 16 kB per write. This might be
|
|
more fair on loaded Tor servers, and it might resolve our Windows
|
|
crash bug. It might also slow things down.
|
|
- Our TLS handshakes were generating a single public/private
|
|
keypair for the TLS context, rather than making a new one for
|
|
each new connections. Oops. (But we were still rotating them
|
|
periodically, so it's not so bad.)
|
|
- When we were cannibalizing a circuit with a particular exit
|
|
node in mind, we weren't checking to see if that exit node was
|
|
already present earlier in the circuit. Oops.
|
|
- When a Tor server's IP changes (e.g. from a dyndns address),
|
|
upload a new descriptor so clients will learn too.
|
|
- Really busy servers were keeping enough circuits open on stable
|
|
connections that they were wrapping around the circuit_id
|
|
space. (It's only two bytes.) This exposed a bug where we would
|
|
feel free to reuse a circuit_id even if it still exists but has
|
|
been marked for close. Try to fix this bug. Some bug remains.
|
|
- If we would close a stream early (e.g. it asks for a .exit that
|
|
we know would refuse it) but the LeaveStreamsUnattached config
|
|
option is set by the controller, then don't close it.
|
|
|
|
o Bugfixes on 0.1.1.8-alpha:
|
|
- Fix a big pile of memory leaks, some of them serious.
|
|
- Do not try to download a routerdesc if we would immediately reject
|
|
it as obsolete.
|
|
- Resume inserting a newline between all router descriptors when
|
|
generating (old style) signed directories, since our spec says
|
|
we do.
|
|
- When providing content-type application/octet-stream for
|
|
server descriptors using .z, we were leaving out the
|
|
content-encoding header. Oops. (Everything tolerated this just
|
|
fine, but that doesn't mean we need to be part of the problem.)
|
|
- Fix a potential seg fault in getconf and getinfo using version 1
|
|
of the controller protocol.
|
|
- Avoid crash: do not check whether DirPort is reachable when we
|
|
are suppressing it because of hibernation.
|
|
- Make --hash-password not crash on exit.
|
|
|
|
|
|
Changes in version 0.1.1.8-alpha - 2005-10-07
|
|
o New features (major):
|
|
- Clients don't download or use the directory anymore. Now they
|
|
download and use network-statuses from the trusted dirservers,
|
|
and fetch individual server descriptors as needed from mirrors.
|
|
See dir-spec.txt for all the gory details.
|
|
- Be more conservative about whether to advertise our DirPort.
|
|
The main change is to not advertise if we're running at capacity
|
|
and either a) we could hibernate or b) our capacity is low and
|
|
we're using a default DirPort.
|
|
- Use OpenSSL's AES when OpenSSL has version 0.9.7 or later.
|
|
|
|
o New features (minor):
|
|
- Try to be smart about when to retry network-status and
|
|
server-descriptor fetches. Still needs some tuning.
|
|
- Stop parsing, storing, or using running-routers output (but
|
|
mirrors still cache and serve it).
|
|
- Consider a threshold of versioning dirservers (dirservers who have
|
|
an opinion about which Tor versions are still recommended) before
|
|
deciding whether to warn the user that he's obsolete.
|
|
- Dirservers can now reject/invalidate by key and IP, with the
|
|
config options "AuthDirInvalid" and "AuthDirReject". This is
|
|
useful since currently we automatically list servers as running
|
|
and usable even if we know they're jerks.
|
|
- Provide dire warnings to any users who set DirServer; move it out
|
|
of torrc.sample and into torrc.complete.
|
|
- Add MyFamily to torrc.sample in the server section.
|
|
- Add nicknames to the DirServer line, so we can refer to them
|
|
without requiring all our users to memorize their IP addresses.
|
|
- When we get an EOF or a timeout on a directory connection, note
|
|
how many bytes of serverdesc we are dropping. This will help
|
|
us determine whether it is smart to parse incomplete serverdesc
|
|
responses.
|
|
- Add a new function to "change pseudonyms" -- that is, to stop
|
|
using any currently-dirty circuits for new streams, so we don't
|
|
link new actions to old actions. Currently it's only called on
|
|
HUP (or SIGNAL RELOAD).
|
|
- On sighup, if UseHelperNodes changed to 1, use new circuits.
|
|
- Start using RAND_bytes rather than RAND_pseudo_bytes from
|
|
OpenSSL. Also, reseed our entropy every hour, not just at
|
|
startup. And entropy in 512-bit chunks, not 160-bit chunks.
|
|
|
|
o Fixes on 0.1.1.7-alpha:
|
|
- Nobody ever implemented EVENT_ADDRMAP for control protocol
|
|
version 0, so don't let version 0 controllers ask for it.
|
|
- If you requested something with too many newlines via the
|
|
v1 controller protocol, you could crash tor.
|
|
- Fix a number of memory leaks, including some pretty serious ones.
|
|
- Re-enable DirPort testing again, so Tor servers will be willing
|
|
to advertise their DirPort if it's reachable.
|
|
- On TLS handshake, only check the other router's nickname against
|
|
its expected nickname if is_named is set.
|
|
|
|
o Fixes forward-ported from 0.1.0.15:
|
|
- Don't crash when we don't have any spare file descriptors and we
|
|
try to spawn a dns or cpu worker.
|
|
- Make the numbers in read-history and write-history into uint64s,
|
|
so they don't overflow and publish negatives in the descriptor.
|
|
|
|
o Fixes on 0.1.0.x:
|
|
- For the OS X package's modified privoxy config file, comment
|
|
out the "logfile" line so we don't log everything passed
|
|
through privoxy.
|
|
- We were whining about using socks4 or socks5-with-local-lookup
|
|
even when it's an IP in the "virtual" range we designed exactly
|
|
for this case.
|
|
- We were leaking some memory every time the client changes IPs.
|
|
- Never call free() on tor_malloc()d memory. This will help us
|
|
use dmalloc to detect memory leaks.
|
|
- Check for named servers when looking them up by nickname;
|
|
warn when we'recalling a non-named server by its nickname;
|
|
don't warn twice about the same name.
|
|
- Try to list MyFamily elements by key, not by nickname, and warn
|
|
if we've not heard of the server.
|
|
- Make windows platform detection (uname equivalent) smarter.
|
|
- It turns out sparc64 doesn't like unaligned access either.
|
|
|
|
|
|
Changes in version 0.1.0.15 - 2005-09-23
|
|
o Bugfixes on 0.1.0.x:
|
|
- Reject ports 465 and 587 (spam targets) in default exit policy.
|
|
- Don't crash when we don't have any spare file descriptors and we
|
|
try to spawn a dns or cpu worker.
|
|
- Get rid of IgnoreVersion undocumented config option, and make us
|
|
only warn, never exit, when we're running an obsolete version.
|
|
- Don't try to print a null string when your server finds itself to
|
|
be unreachable and the Address config option is empty.
|
|
- Make the numbers in read-history and write-history into uint64s,
|
|
so they don't overflow and publish negatives in the descriptor.
|
|
- Fix a minor memory leak in smartlist_string_remove().
|
|
- We were only allowing ourselves to upload a server descriptor at
|
|
most every 20 minutes, even if it changed earlier than that.
|
|
- Clean up log entries that pointed to old URLs.
|
|
|
|
|
|
Changes in version 0.1.1.7-alpha - 2005-09-14
|
|
o Fixes on 0.1.1.6-alpha:
|
|
- Exit servers were crashing when people asked them to make a
|
|
connection to an address not in their exit policy.
|
|
- Looking up a non-existent stream for a v1 control connection would
|
|
cause a segfault.
|
|
- Fix a seg fault if we ask a dirserver for a descriptor by
|
|
fingerprint but he doesn't know about him.
|
|
- SETCONF was appending items to linelists, not clearing them.
|
|
- SETCONF SocksBindAddress killed Tor if it fails to bind. Now back
|
|
out and refuse the setconf if it would fail.
|
|
- Downgrade the dirserver log messages when whining about
|
|
unreachability.
|
|
|
|
o New features:
|
|
- Add Peter Palfrader's check-tor script to tor/contrib/
|
|
It lets you easily check whether a given server (referenced by
|
|
nickname) is reachable by you.
|
|
- Numerous changes to move towards client-side v2 directories. Not
|
|
enabled yet.
|
|
|
|
o Fixes on 0.1.0.x:
|
|
- If the user gave tor an odd number of command-line arguments,
|
|
we were silently ignoring the last one. Now we complain and fail.
|
|
[This wins the oldest-bug prize -- this bug has been present since
|
|
November 2002, as released in Tor 0.0.0.]
|
|
- Do not use unaligned memory access on alpha, mips, or mipsel.
|
|
It *works*, but is very slow, so we treat them as if it doesn't.
|
|
- Retry directory requests if we fail to get an answer we like
|
|
from a given dirserver (we were retrying before, but only if
|
|
we fail to connect).
|
|
- When writing the RecommendedVersions line, sort them first.
|
|
- When the client asked for a rendezvous port that the hidden
|
|
service didn't want to provide, we were sending an IP address
|
|
back along with the end cell. Fortunately, it was zero. But stop
|
|
that anyway.
|
|
- Correct "your server is reachable" log entries to indicate that
|
|
it was self-testing that told us so.
|
|
|
|
|
|
Changes in version 0.1.1.6-alpha - 2005-09-09
|
|
o Fixes on 0.1.1.5-alpha:
|
|
- We broke fascistfirewall in 0.1.1.5-alpha. Oops.
|
|
- Fix segfault in unit tests in 0.1.1.5-alpha. Oops.
|
|
- Fix bug with tor_memmem finding a match at the end of the string.
|
|
- Make unit tests run without segfaulting.
|
|
- Resolve some solaris x86 compile warnings.
|
|
- Handle duplicate lines in approved-routers files without warning.
|
|
- Fix bug where as soon as a server refused any requests due to his
|
|
exit policy (e.g. when we ask for localhost and he tells us that's
|
|
127.0.0.1 and he won't do it), we decided he wasn't obeying his
|
|
exit policy using him for any exits.
|
|
- Only do openssl hardware accelerator stuff if openssl version is
|
|
at least 0.9.7.
|
|
|
|
o New controller features/fixes:
|
|
- Add a "RESETCONF" command so you can set config options like
|
|
AllowUnverifiedNodes and LongLivedPorts to "". Also, if you give
|
|
a config option in the torrc with no value, then it clears it
|
|
entirely (rather than setting it to its default).
|
|
- Add a "GETINFO config-file" to tell us where torrc is.
|
|
- Avoid sending blank lines when GETINFO replies should be empty.
|
|
- Add a QUIT command for the controller (for using it manually).
|
|
- Fix a bug in SAVECONF that was adding default dirservers and
|
|
other redundant entries to the torrc file.
|
|
|
|
o Start on the new directory design:
|
|
- Generate, publish, cache, serve new network-status format.
|
|
- Publish individual descriptors (by fingerprint, by "all", and by
|
|
"tell me yours").
|
|
- Publish client and server recommended versions separately.
|
|
- Allow tor_gzip_uncompress() to handle multiple concatenated
|
|
compressed strings. Serve compressed groups of router
|
|
descriptors. The compression logic here could be more
|
|
memory-efficient.
|
|
- Distinguish v1 authorities (all currently trusted directories)
|
|
from v2 authorities (all trusted directories).
|
|
- Change DirServers config line to note which dirs are v1 authorities.
|
|
- Add configuration option "V1AuthoritativeDirectory 1" which
|
|
moria1, moria2, and tor26 should set.
|
|
- Remove option when getting directory cache to see whether they
|
|
support running-routers; they all do now. Replace it with one
|
|
to see whether caches support v2 stuff.
|
|
|
|
o New features:
|
|
- Dirservers now do their own external reachability testing of each
|
|
Tor server, and only list them as running if they've been found to
|
|
be reachable. We also send back warnings to the server's logs if
|
|
it uploads a descriptor that we already believe is unreachable.
|
|
- Implement exit enclaves: if we know an IP address for the
|
|
destination, and there's a running Tor server at that address
|
|
which allows exit to the destination, then extend the circuit to
|
|
that exit first. This provides end-to-end encryption and end-to-end
|
|
authentication. Also, if the user wants a .exit address or enclave,
|
|
use 4 hops rather than 3, and cannibalize a general circ for it
|
|
if you can.
|
|
- Permit transitioning from ORPort=0 to ORPort!=0, and back, from the
|
|
controller. Also, rotate dns and cpu workers if the controller
|
|
changes options that will affect them; and initialize the dns
|
|
worker cache tree whether or not we start out as a server.
|
|
- Only upload a new server descriptor when options change, 18
|
|
hours have passed, uptime is reset, or bandwidth changes a lot.
|
|
- Check [X-]Forwarded-For headers in HTTP requests when generating
|
|
log messages. This lets people run dirservers (and caches) behind
|
|
Apache but still know which IP addresses are causing warnings.
|
|
|
|
o Config option changes:
|
|
- Replace (Fascist)Firewall* config options with a new
|
|
ReachableAddresses option that understands address policies.
|
|
For example, "ReachableAddresses *:80,*:443"
|
|
- Get rid of IgnoreVersion undocumented config option, and make us
|
|
only warn, never exit, when we're running an obsolete version.
|
|
- Make MonthlyAccountingStart config option truly obsolete now.
|
|
|
|
o Fixes on 0.1.0.x:
|
|
- Reject ports 465 and 587 in the default exit policy, since
|
|
people have started using them for spam too.
|
|
- It turns out we couldn't bootstrap a network since we added
|
|
reachability detection in 0.1.0.1-rc. Good thing the Tor network
|
|
has never gone down. Add an AssumeReachable config option to let
|
|
servers and dirservers bootstrap. When we're trying to build a
|
|
high-uptime or high-bandwidth circuit but there aren't enough
|
|
suitable servers, try being less picky rather than simply failing.
|
|
- Our logic to decide if the OR we connected to was the right guy
|
|
was brittle and maybe open to a mitm for unverified routers.
|
|
- We weren't cannibalizing circuits correctly for
|
|
CIRCUIT_PURPOSE_C_ESTABLISH_REND and
|
|
CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, so we were being forced to
|
|
build those from scratch. This should make hidden services faster.
|
|
- Predict required circuits better, with an eye toward making hidden
|
|
services faster on the service end.
|
|
- Retry streams if the exit node sends back a 'misc' failure. This
|
|
should result in fewer random failures. Also, after failing
|
|
from resolve failed or misc, reset the num failures, so we give
|
|
it a fair shake next time we try.
|
|
- Clean up the rendezvous warn log msgs, and downgrade some to info.
|
|
- Reduce severity on logs about dns worker spawning and culling.
|
|
- When we're shutting down and we do something like try to post a
|
|
server descriptor or rendezvous descriptor, don't complain that
|
|
we seem to be unreachable. Of course we are, we're shutting down.
|
|
- Add TTLs to RESOLVED, CONNECTED, and END_REASON_EXITPOLICY cells.
|
|
We don't use them yet, but maybe one day our DNS resolver will be
|
|
able to discover them.
|
|
- Make ContactInfo mandatory for authoritative directory servers.
|
|
- Require server descriptors to list IPv4 addresses -- hostnames
|
|
are no longer allowed. This also fixes some potential security
|
|
problems with people providing hostnames as their address and then
|
|
preferentially resolving them to partition users.
|
|
- Change log line for unreachability to explicitly suggest /etc/hosts
|
|
as the culprit. Also make it clearer what IP address and ports we're
|
|
testing for reachability.
|
|
- Put quotes around user-supplied strings when logging so users are
|
|
more likely to realize if they add bad characters (like quotes)
|
|
to the torrc.
|
|
- Let auth dir servers start without specifying an Address config
|
|
option.
|
|
- Make unit tests (and other invocations that aren't the real Tor)
|
|
run without launching listeners, creating subdirectories, and so on.
|
|
|
|
|
|
Changes in version 0.1.1.5-alpha - 2005-08-08
|
|
o Bugfixes included in 0.1.0.14.
|
|
|
|
o Bugfixes on 0.1.0.x:
|
|
- If you write "HiddenServicePort 6667 127.0.0.1 6668" in your
|
|
torrc rather than "HiddenServicePort 6667 127.0.0.1:6668",
|
|
it would silently using ignore the 6668.
|
|
|
|
|
|
Changes in version 0.1.0.14 - 2005-08-08
|
|
o Bugfixes on 0.1.0.x:
|
|
- Fix the other half of the bug with crypto handshakes
|
|
(CVE-2005-2643).
|
|
- Fix an assert trigger if you send a 'signal term' via the
|
|
controller when it's listening for 'event info' messages.
|
|
|
|
|
|
Changes in version 0.1.1.4-alpha - 2005-08-04
|
|
o Bugfixes included in 0.1.0.13.
|
|
|
|
o Features:
|
|
- Improve tor_gettimeofday() granularity on windows.
|
|
- Make clients regenerate their keys when their IP address changes.
|
|
- Implement some more GETINFO goodness: expose helper nodes, config
|
|
options, getinfo keys.
|
|
|
|
|
|
Changes in version 0.1.0.13 - 2005-08-04
|
|
o Bugfixes on 0.1.0.x:
|
|
- Fix a critical bug in the security of our crypto handshakes.
|
|
- Fix a size_t underflow in smartlist_join_strings2() that made
|
|
it do bad things when you hand it an empty smartlist.
|
|
- Fix Windows installer to ship Tor license (thanks to Aphex for
|
|
pointing out this oversight) and put a link to the doc directory
|
|
in the start menu.
|
|
- Explicitly set no-unaligned-access for sparc: it turns out the
|
|
new gcc's let you compile broken code, but that doesn't make it
|
|
not-broken.
|
|
|
|
|
|
Changes in version 0.1.1.3-alpha - 2005-07-23
|
|
o Bugfixes on 0.1.1.2-alpha:
|
|
- Fix a bug in handling the controller's "post descriptor"
|
|
function.
|
|
- Fix several bugs in handling the controller's "extend circuit"
|
|
function.
|
|
- Fix a bug in handling the controller's "stream status" event.
|
|
- Fix an assert failure if we have a controller listening for
|
|
circuit events and we go offline.
|
|
- Re-allow hidden service descriptors to publish 0 intro points.
|
|
- Fix a crash when generating your hidden service descriptor if
|
|
you don't have enough intro points already.
|
|
|
|
o New features on 0.1.1.2-alpha:
|
|
- New controller function "getinfo accounting", to ask how
|
|
many bytes we've used in this time period.
|
|
- Experimental support for helper nodes: a lot of the risk from
|
|
a small static adversary comes because users pick new random
|
|
nodes every time they rebuild a circuit. Now users will try to
|
|
stick to the same small set of entry nodes if they can. Not
|
|
enabled by default yet.
|
|
|
|
o Bugfixes on 0.1.0.12:
|
|
- If you're an auth dir server, always publish your dirport,
|
|
even if you haven't yet found yourself to be reachable.
|
|
- Fix a size_t underflow in smartlist_join_strings2() that made
|
|
it do bad things when you hand it an empty smartlist.
|
|
|
|
|
|
Changes in version 0.1.0.12 - 2005-07-18
|
|
o New directory servers:
|
|
- tor26 has changed IP address.
|
|
|
|
o Bugfixes on 0.1.0.x:
|
|
- Fix a possible double-free in tor_gzip_uncompress().
|
|
- When --disable-threads is set, do not search for or link against
|
|
pthreads libraries.
|
|
- Don't trigger an assert if an authoritative directory server
|
|
claims its dirport is 0.
|
|
- Fix bug with removing Tor as an NT service: some people were
|
|
getting "The service did not return an error." Thanks to Matt
|
|
Edman for the fix.
|
|
|
|
|
|
Changes in version 0.1.1.2-alpha - 2005-07-15
|
|
o New directory servers:
|
|
- tor26 has changed IP address.
|
|
|
|
o Bugfixes on 0.1.0.x, crashes/leaks:
|
|
- Port the servers-not-obeying-their-exit-policies fix from
|
|
0.1.0.11.
|
|
- Fix an fd leak in start_daemon().
|
|
- On Windows, you can't always reopen a port right after you've
|
|
closed it. So change retry_listeners() to only close and re-open
|
|
ports that have changed.
|
|
- Fix a possible double-free in tor_gzip_uncompress().
|
|
|
|
o Bugfixes on 0.1.0.x, usability:
|
|
- When tor_socketpair() fails in Windows, give a reasonable
|
|
Windows-style errno back.
|
|
- Let people type "tor --install" as well as "tor -install" when
|
|
they
|
|
want to make it an NT service.
|
|
- NT service patch from Matt Edman to improve error messages.
|
|
- When the controller asks for a config option with an abbreviated
|
|
name, give the full name in our response.
|
|
- Correct the man page entry on TrackHostExitsExpire.
|
|
- Looks like we were never delivering deflated (i.e. compressed)
|
|
running-routers lists, even when asked. Oops.
|
|
- When --disable-threads is set, do not search for or link against
|
|
pthreads libraries.
|
|
|
|
o Bugfixes on 0.1.1.x:
|
|
- Fix a seg fault with autodetecting which controller version is
|
|
being used.
|
|
|
|
o Features:
|
|
- New hidden service descriptor format: put a version in it, and
|
|
let people specify introduction/rendezvous points that aren't
|
|
in "the directory" (which is subjective anyway).
|
|
- Allow the DEBUG controller event to work again. Mark certain log
|
|
entries as "don't tell this to controllers", so we avoid cycles.
|
|
|
|
|
|
Changes in version 0.1.0.11 - 2005-06-30
|
|
o Bugfixes on 0.1.0.x:
|
|
- Fix major security bug: servers were disregarding their
|
|
exit policies if clients behaved unexpectedly.
|
|
- Make OS X init script check for missing argument, so we don't
|
|
confuse users who invoke it incorrectly.
|
|
- Fix a seg fault in "tor --hash-password foo".
|
|
- The MAPADDRESS control command was broken.
|
|
|
|
|
|
Changes in version 0.1.1.1-alpha - 2005-06-29
|
|
o Bugfixes:
|
|
- Make OS X init script check for missing argument, so we don't
|
|
confuse users who invoke it incorrectly.
|
|
- Fix a seg fault in "tor --hash-password foo".
|
|
- Fix a possible way to DoS dirservers.
|
|
- When we complain that your exit policy implicitly allows local or
|
|
private address spaces, name them explicitly so operators can
|
|
fix it.
|
|
- Make the log message less scary when all the dirservers are
|
|
temporarily unreachable.
|
|
- We were printing the number of idle dns workers incorrectly when
|
|
culling them.
|
|
|
|
o Features:
|
|
- Revised controller protocol (version 1) that uses ascii rather
|
|
than binary. Add supporting libraries in python and java so you
|
|
can use the controller from your applications without caring how
|
|
our protocol works.
|
|
- Spiffy new support for crypto hardware accelerators. Can somebody
|
|
test this?
|
|
|
|
|
|
Changes in version 0.0.9.10 - 2005-06-16
|
|
o Bugfixes on 0.0.9.x (backported from 0.1.0.10):
|
|
- Refuse relay cells that claim to have a length larger than the
|
|
maximum allowed. This prevents a potential attack that could read
|
|
arbitrary memory (e.g. keys) from an exit server's process
|
|
(CVE-2005-2050).
|
|
|
|
|
|
Changes in version 0.1.0.10 - 2005-06-14
|
|
o Allow a few EINVALs from libevent before dying. Warn on kqueue with
|
|
libevent before 1.1a.
|
|
|
|
|
|
Changes in version 0.1.0.9-rc - 2005-06-09
|
|
o Bugfixes:
|
|
- Reset buf->highwater every time buf_shrink() is called, not just on
|
|
a successful shrink. This was causing significant memory bloat.
|
|
- Fix buffer overflow when checking hashed passwords.
|
|
- Security fix: if seeding the RNG on Win32 fails, quit.
|
|
- Allow seeding the RNG on Win32 even when you're not running as
|
|
Administrator.
|
|
- Disable threading on Solaris too. Something is wonky with it,
|
|
cpuworkers, and reentrant libs.
|
|
- Reenable the part of the code that tries to flush as soon as an
|
|
OR outbuf has a full TLS record available. Perhaps this will make
|
|
OR outbufs not grow as huge except in rare cases, thus saving lots
|
|
of CPU time plus memory.
|
|
- Reject malformed .onion addresses rather then passing them on as
|
|
normal web requests.
|
|
- Adapt patch from Adam Langley: fix possible memory leak in
|
|
tor_lookup_hostname().
|
|
- Initialize libevent later in the startup process, so the logs are
|
|
already established by the time we start logging libevent warns.
|
|
- Use correct errno on win32 if libevent fails.
|
|
- Check and warn about known-bad/slow libevent versions.
|
|
- Pay more attention to the ClientOnly config option.
|
|
- Have torctl.in/tor.sh.in check for location of su binary (needed
|
|
on FreeBSD)
|
|
- Correct/add man page entries for LongLivedPorts, ExitPolicy,
|
|
KeepalivePeriod, ClientOnly, NoPublish, HttpProxy, HttpsProxy,
|
|
HttpProxyAuthenticator
|
|
- Stop warning about sigpipes in the logs. We're going to
|
|
pretend that getting these occassionally is normal and fine.
|
|
- Resolve OS X installer bugs: stop claiming to be 0.0.9.2 in
|
|
certain
|
|
installer screens; and don't put stuff into StartupItems unless
|
|
the user asks you to.
|
|
- Require servers that use the default dirservers to have public IP
|
|
addresses. We have too many servers that are configured with private
|
|
IPs and their admins never notice the log entries complaining that
|
|
their descriptors are being rejected.
|
|
- Add OSX uninstall instructions. An actual uninstall script will
|
|
come later.
|
|
|
|
|
|
Changes in version 0.1.0.8-rc - 2005-05-23
|
|
o Bugfixes:
|
|
- It turns out that kqueue on OS X 10.3.9 was causing kernel
|
|
panics. Disable kqueue on all OS X Tors.
|
|
- Fix RPM: remove duplicate line accidentally added to the rpm
|
|
spec file.
|
|
- Disable threads on openbsd too, since its gethostaddr is not
|
|
reentrant either.
|
|
- Tolerate libevent 0.8 since it still works, even though it's
|
|
ancient.
|
|
- Enable building on Red Hat 9.0 again.
|
|
- Allow the middle hop of the testing circuit to be running any
|
|
version, now that most of them have the bugfix to let them connect
|
|
to unknown servers. This will allow reachability testing to work
|
|
even when 0.0.9.7-0.0.9.9 become obsolete.
|
|
- Handle relay cells with rh.length too large. This prevents
|
|
a potential attack that could read arbitrary memory (maybe even
|
|
keys) from the exit server's process.
|
|
- We screwed up the dirport reachability testing when we don't yet
|
|
have a cached version of the directory. Hopefully now fixed.
|
|
- Clean up router_load_single_router() (used by the controller),
|
|
so it doesn't seg fault on error.
|
|
- Fix a minor memory leak when somebody establishes an introduction
|
|
point at your Tor server.
|
|
- If a socks connection ends because read fails, don't warn that
|
|
you're not sending a socks reply back.
|
|
|
|
o Features:
|
|
- Add HttpProxyAuthenticator config option too, that works like
|
|
the HttpsProxyAuthenticator config option.
|
|
- Encode hashed controller passwords in hex instead of base64,
|
|
to make it easier to write controllers.
|
|
|
|
|
|
Changes in version 0.1.0.7-rc - 2005-05-17
|
|
o Bugfixes:
|
|
- Fix a bug in the OS X package installer that prevented it from
|
|
installing on Tiger.
|
|
- Fix a script bug in the OS X package installer that made it
|
|
complain during installation.
|
|
- Find libevent even if it's hiding in /usr/local/ and your
|
|
CFLAGS and LDFLAGS don't tell you to look there.
|
|
- Be able to link with libevent as a shared library (the default
|
|
after 1.0d), even if it's hiding in /usr/local/lib and even
|
|
if you haven't added /usr/local/lib to your /etc/ld.so.conf,
|
|
assuming you're running gcc. Otherwise fail and give a useful
|
|
error message.
|
|
- Fix a bug in the RPM packager: set home directory for _tor to
|
|
something more reasonable when first installing.
|
|
- Free a minor amount of memory that is still reachable on exit.
|
|
|
|
|
|
Changes in version 0.1.0.6-rc - 2005-05-14
|
|
o Bugfixes:
|
|
- Implement --disable-threads configure option. Disable threads on
|
|
netbsd by default, because it appears to have no reentrant resolver
|
|
functions.
|
|
- Apple's OS X 10.4.0 ships with a broken kqueue. The new libevent
|
|
release (1.1) detects and disables kqueue if it's broken.
|
|
- Append default exit policy before checking for implicit internal
|
|
addresses. Now we don't log a bunch of complaints on startup
|
|
when using the default exit policy.
|
|
- Some people were putting "Address " in their torrc, and they had
|
|
a buggy resolver that resolved " " to 0.0.0.0. Oops.
|
|
- If DataDir is ~/.tor, and that expands to /.tor, then default to
|
|
LOCALSTATEDIR/tor instead.
|
|
- Fix fragmented-message bug in TorControl.py.
|
|
- Resolve a minor bug which would prevent unreachable dirports
|
|
from getting suppressed in the published descriptor.
|
|
- When the controller gave us a new descriptor, we weren't resolving
|
|
it immediately, so Tor would think its address was 0.0.0.0 until
|
|
we fetched a new directory.
|
|
- Fix an uppercase/lowercase case error in suppressing a bogus
|
|
libevent warning on some Linuxes.
|
|
|
|
o Features:
|
|
- Begin scrubbing sensitive strings from logs by default. Turn off
|
|
the config option SafeLogging if you need to do debugging.
|
|
- Switch to a new buffer management algorithm, which tries to avoid
|
|
reallocing and copying quite as much. In first tests it looks like
|
|
it uses *more* memory on average, but less cpu.
|
|
- First cut at support for "create-fast" cells. Clients can use
|
|
these when extending to their first hop, since the TLS already
|
|
provides forward secrecy and authentication. Not enabled on
|
|
clients yet.
|
|
- When dirservers refuse a router descriptor, we now log its
|
|
contactinfo, platform, and the poster's IP address.
|
|
- Call tor_free_all instead of connections_free_all after forking, to
|
|
save memory on systems that need to fork.
|
|
- Whine at you if you're a server and you don't set your contactinfo.
|
|
- Implement --verify-config command-line option to check if your torrc
|
|
is valid without actually launching Tor.
|
|
- Rewrite address "serifos.exit" to "localhost.serifos.exit"
|
|
rather than just rejecting it.
|
|
|
|
|
|
Changes in version 0.1.0.5-rc - 2005-04-27
|
|
o Bugfixes:
|
|
- Stop trying to print a null pointer if an OR conn fails because
|
|
we didn't like its cert.
|
|
o Features:
|
|
- Switch our internal buffers implementation to use a ring buffer,
|
|
to hopefully improve performance for fast servers a lot.
|
|
- Add HttpsProxyAuthenticator support (basic auth only), based
|
|
on patch from Adam Langley.
|
|
- Bump the default BandwidthRate from 1 MB to 2 MB, to accommodate
|
|
the fast servers that have been joining lately.
|
|
- Give hidden service accesses extra time on the first attempt,
|
|
since 60 seconds is often only barely enough. This might improve
|
|
robustness more.
|
|
- Improve performance for dirservers: stop re-parsing the whole
|
|
directory every time you regenerate it.
|
|
- Add more debugging info to help us find the weird dns freebsd
|
|
pthreads bug; cleaner debug messages to help track future issues.
|
|
|
|
|
|
Changes in version 0.0.9.9 - 2005-04-23
|
|
o Bugfixes on 0.0.9.x:
|
|
- If unofficial Tor clients connect and send weird TLS certs, our
|
|
Tor server triggers an assert. This release contains a minimal
|
|
backport from the broader fix that we put into 0.1.0.4-rc.
|
|
|
|
|
|
Changes in version 0.1.0.4-rc - 2005-04-23
|
|
o Bugfixes:
|
|
- If unofficial Tor clients connect and send weird TLS certs, our
|
|
Tor server triggers an assert. Stop asserting, and start handling
|
|
TLS errors better in other situations too.
|
|
- When the controller asks us to tell it about all the debug-level
|
|
logs, it turns out we were generating debug-level logs while
|
|
telling it about them, which turns into a bad loop. Now keep
|
|
track of whether you're sending a debug log to the controller,
|
|
and don't log when you are.
|
|
- Fix the "postdescriptor" feature of the controller interface: on
|
|
non-complete success, only say "done" once.
|
|
o Features:
|
|
- Clients are now willing to load balance over up to 2mB, not 1mB,
|
|
of advertised bandwidth capacity.
|
|
- Add a NoPublish config option, so you can be a server (e.g. for
|
|
testing running Tor servers in other Tor networks) without
|
|
publishing your descriptor to the primary dirservers.
|
|
|
|
|
|
Changes in version 0.1.0.3-rc - 2005-04-08
|
|
o Improvements on 0.1.0.2-rc:
|
|
- Client now retries when streams end early for 'hibernating' or
|
|
'resource limit' reasons, rather than failing them.
|
|
- More automated handling for dirserver operators:
|
|
- Automatically approve nodes running 0.1.0.2-rc or later,
|
|
now that the the reachability detection stuff is working.
|
|
- Now we allow two unverified servers with the same nickname
|
|
but different keys. But if a nickname is verified, only that
|
|
nickname+key are allowed.
|
|
- If you're an authdirserver connecting to an address:port,
|
|
and it's not the OR you were expecting, forget about that
|
|
descriptor. If he *was* the one you were expecting, then forget
|
|
about all other descriptors for that address:port.
|
|
- Allow servers to publish descriptors from 12 hours in the future.
|
|
Corollary: only whine about clock skew from the dirserver if
|
|
he's a trusted dirserver (since now even verified servers could
|
|
have quite wrong clocks).
|
|
- Adjust maximum skew and age for rendezvous descriptors: let skew
|
|
be 48 hours rather than 90 minutes.
|
|
- Efficiency improvements:
|
|
- Keep a big splay tree of (circid,orconn)->circuit mappings to make
|
|
it much faster to look up a circuit for each relay cell.
|
|
- Remove most calls to assert_all_pending_dns_resolves_ok(),
|
|
since they're eating our cpu on exit nodes.
|
|
- Stop wasting time doing a case insensitive comparison for every
|
|
dns name every time we do any lookup. Canonicalize the names to
|
|
lowercase and be done with it.
|
|
- Start sending 'truncated' cells back rather than destroy cells,
|
|
if the circuit closes in front of you. This means we won't have
|
|
to abandon partially built circuits.
|
|
- Only warn once per nickname from add_nickname_list_to_smartlist
|
|
per failure, so an entrynode or exitnode choice that's down won't
|
|
yell so much.
|
|
- Put a note in the torrc about abuse potential with the default
|
|
exit policy.
|
|
- Revise control spec and implementation to allow all log messages to
|
|
be sent to controller with their severities intact (suggested by
|
|
Matt Edman). Update TorControl to handle new log event types.
|
|
- Provide better explanation messages when controller's POSTDESCRIPTOR
|
|
fails.
|
|
- Stop putting nodename in the Platform string in server descriptors.
|
|
It doesn't actually help, and it is confusing/upsetting some people.
|
|
|
|
o Bugfixes on 0.1.0.2-rc:
|
|
- We were printing the host mask wrong in exit policies in server
|
|
descriptors. This isn't a critical bug though, since we were still
|
|
obeying the exit policy internally.
|
|
- Fix Tor when compiled with libevent but without pthreads: move
|
|
connection_unregister() from _connection_free() to
|
|
connection_free().
|
|
- Fix an assert trigger (already fixed in 0.0.9.x): when we have
|
|
the rare mysterious case of accepting a conn on 0.0.0.0:0, then
|
|
when we look through the connection array, we'll find any of the
|
|
cpu/dnsworkers. This is no good.
|
|
|
|
o Bugfixes on 0.0.9.8:
|
|
- Fix possible bug on threading platforms (e.g. win32) which was
|
|
leaking a file descriptor whenever a cpuworker or dnsworker died.
|
|
- When using preferred entry or exit nodes, ignore whether the
|
|
circuit wants uptime or capacity. They asked for the nodes, they
|
|
get the nodes.
|
|
- chdir() to your datadirectory at the *end* of the daemonize process,
|
|
not the beginning. This was a problem because the first time you
|
|
run tor, if your datadir isn't there, and you have runasdaemon set
|
|
to 1, it will try to chdir to it before it tries to create it. Oops.
|
|
- Handle changed router status correctly when dirserver reloads
|
|
fingerprint file. We used to be dropping all unverified descriptors
|
|
right then. The bug was hidden because we would immediately
|
|
fetch a directory from another dirserver, which would include the
|
|
descriptors we just dropped.
|
|
- When we're connecting to an OR and he's got a different nickname/key
|
|
than we were expecting, only complain loudly if we're an OP or a
|
|
dirserver. Complaining loudly to the OR admins just confuses them.
|
|
- Tie MAX_DIR_SIZE to MAX_BUF_SIZE, so now directory sizes won't get
|
|
artificially capped at 500kB.
|
|
|
|
|
|
Changes in version 0.0.9.8 - 2005-04-07
|
|
o Bugfixes on 0.0.9.x:
|
|
- We have a bug that I haven't found yet. Sometimes, very rarely,
|
|
cpuworkers get stuck in the 'busy' state, even though the cpuworker
|
|
thinks of itself as idle. This meant that no new circuits ever got
|
|
established. Here's a workaround to kill any cpuworker that's been
|
|
busy for more than 100 seconds.
|
|
|
|
|
|
Changes in version 0.1.0.2-rc - 2005-04-01
|
|
o Bugfixes on 0.1.0.1-rc:
|
|
- Fixes on reachability detection:
|
|
- Don't check for reachability while hibernating.
|
|
- If ORPort is reachable but DirPort isn't, still publish the
|
|
descriptor, but zero out DirPort until it's found reachable.
|
|
- When building testing circs for ORPort testing, use only
|
|
high-bandwidth nodes, so fewer circuits fail.
|
|
- Complain about unreachable ORPort separately from unreachable
|
|
DirPort, so the user knows what's going on.
|
|
- Make sure we only conclude ORPort reachability if we didn't
|
|
initiate the conn. Otherwise we could falsely conclude that
|
|
we're reachable just because we connected to the guy earlier
|
|
and he used that same pipe to extend to us.
|
|
- Authdirservers shouldn't do ORPort reachability detection,
|
|
since they're in clique mode, so it will be rare to find a
|
|
server not already connected to them.
|
|
- When building testing circuits, always pick middle hops running
|
|
Tor 0.0.9.7, so we avoid the "can't extend to unknown routers"
|
|
bug. (This is a kludge; it will go away when 0.0.9.x becomes
|
|
obsolete.)
|
|
- When we decide we're reachable, actually publish our descriptor
|
|
right then.
|
|
- Fix bug in redirectstream in the controller.
|
|
- Fix the state descriptor strings so logs don't claim edge streams
|
|
are in a different state than they actually are.
|
|
- Use recent libevent features when possible (this only really affects
|
|
win32 and osx right now, because the new libevent with these
|
|
features hasn't been released yet). Add code to suppress spurious
|
|
libevent log msgs.
|
|
- Prevent possible segfault in connection_close_unattached_ap().
|
|
- Fix newlines on torrc in win32.
|
|
- Improve error msgs when tor-resolve fails.
|
|
|
|
o Improvements on 0.0.9.x:
|
|
- New experimental script tor/contrib/ExerciseServer.py (needs more
|
|
work) that uses the controller interface to build circuits and
|
|
fetch pages over them. This will help us bootstrap servers that
|
|
have lots of capacity but haven't noticed it yet.
|
|
- New experimental script tor/contrib/PathDemo.py (needs more work)
|
|
that uses the controller interface to let you choose whole paths
|
|
via addresses like
|
|
"<hostname>.<path,separated by dots>.<length of path>.path"
|
|
- When we've connected to an OR and handshaked but didn't like
|
|
the result, we were closing the conn without sending destroy
|
|
cells back for pending circuits. Now send those destroys.
|
|
|
|
|
|
Changes in version 0.0.9.7 - 2005-04-01
|
|
o Bugfixes on 0.0.9.x:
|
|
- Fix another race crash bug (thanks to Glenn Fink for reporting).
|
|
- Compare identity to identity, not to nickname, when extending to
|
|
a router not already in the directory. This was preventing us from
|
|
extending to unknown routers. Oops.
|
|
- Make sure to create OS X Tor user in <500 range, so we aren't
|
|
creating actual system users.
|
|
- Note where connection-that-hasn't-sent-end was marked, and fix
|
|
a few really loud instances of this harmless bug (it's fixed more
|
|
in 0.1.0.x).
|
|
|
|
|
|
Changes in version 0.1.0.1-rc - 2005-03-28
|
|
o New features:
|
|
- Add reachability testing. Your Tor server will automatically try
|
|
to see if its ORPort and DirPort are reachable from the outside,
|
|
and it won't upload its descriptor until it decides they are.
|
|
- Handle unavailable hidden services better. Handle slow or busy
|
|
hidden services better.
|
|
- Add support for CONNECTing through https proxies, with "HttpsProxy"
|
|
config option.
|
|
- New exit policy: accept most low-numbered ports, rather than
|
|
rejecting most low-numbered ports.
|
|
- More Tor controller support (still experimental). See
|
|
http://tor.eff.org/doc/control-spec.txt for all the new features,
|
|
including signals to emulate unix signals from any platform;
|
|
redirectstream; extendcircuit; mapaddress; getinfo; postdescriptor;
|
|
closestream; closecircuit; etc.
|
|
- Make nt services work and start on startup on win32 (based on
|
|
patch by Matt Edman).
|
|
- Add a new AddressMap config directive to rewrite incoming socks
|
|
addresses. This lets you, for example, declare an implicit
|
|
required exit node for certain sites.
|
|
- Add a new TrackHostExits config directive to trigger addressmaps
|
|
for certain incoming socks addresses -- for sites that break when
|
|
your exit keeps changing (based on patch by Mike Perry).
|
|
- Redo the client-side dns cache so it's just an addressmap too.
|
|
- Notice when our IP changes, and reset stats/uptime/reachability.
|
|
- When an application is using socks5, give him the whole variety of
|
|
potential socks5 responses (connect refused, host unreachable, etc),
|
|
rather than just "success" or "failure".
|
|
- A more sane version numbering system. See
|
|
http://tor.eff.org/cvs/tor/doc/version-spec.txt for details.
|
|
- New contributed script "exitlist": a simple python script to
|
|
parse directories and find Tor nodes that exit to listed
|
|
addresses/ports.
|
|
- New contributed script "privoxy-tor-toggle" to toggle whether
|
|
Privoxy uses Tor. Seems to be configured for Debian by default.
|
|
- Report HTTP reasons to client when getting a response from directory
|
|
servers -- so you can actually know what went wrong.
|
|
- New config option MaxAdvertisedBandwidth which lets you advertise
|
|
a low bandwidthrate (to not attract as many circuits) while still
|
|
allowing a higher bandwidthrate in reality.
|
|
|
|
o Robustness/stability fixes:
|
|
- Make Tor use Niels Provos's libevent instead of its current
|
|
poll-but-sometimes-select mess. This will let us use faster async
|
|
cores (like epoll, kpoll, and /dev/poll), and hopefully work better
|
|
on Windows too.
|
|
- pthread support now too. This was forced because when we forked,
|
|
we ended up wasting a lot of duplicate ram over time. Also switch
|
|
to foo_r versions of some library calls to allow reentry and
|
|
threadsafeness.
|
|
- Better handling for heterogeneous / unreliable nodes:
|
|
- Annotate circuits w/ whether they aim to contain high uptime nodes
|
|
and/or high capacity nodes. When building circuits, choose
|
|
appropriate nodes.
|
|
- This means that every single node in an intro rend circuit,
|
|
not just the last one, will have a minimum uptime.
|
|
- New config option LongLivedPorts to indicate application streams
|
|
that will want high uptime circuits.
|
|
- Servers reset uptime when a dir fetch entirely fails. This
|
|
hopefully reflects stability of the server's network connectivity.
|
|
- If somebody starts his tor server in Jan 2004 and then fixes his
|
|
clock, don't make his published uptime be a year.
|
|
- Reset published uptime when you wake up from hibernation.
|
|
- Introduce a notion of 'internal' circs, which are chosen without
|
|
regard to the exit policy of the last hop. Intro and rendezvous
|
|
circs must be internal circs, to avoid leaking information. Resolve
|
|
and connect streams can use internal circs if they want.
|
|
- New circuit pooling algorithm: make sure to have enough circs around
|
|
to satisfy any predicted ports, and also make sure to have 2 internal
|
|
circs around if we've required internal circs lately (and with high
|
|
uptime if we've seen that lately too).
|
|
- Split NewCircuitPeriod option into NewCircuitPeriod (30 secs),
|
|
which describes how often we retry making new circuits if current
|
|
ones are dirty, and MaxCircuitDirtiness (10 mins), which describes
|
|
how long we're willing to make use of an already-dirty circuit.
|
|
- Cannibalize GENERAL circs to be C_REND, C_INTRO, S_INTRO, and S_REND
|
|
circ as necessary, if there are any completed ones lying around
|
|
when we try to launch one.
|
|
- Make hidden services try to establish a rendezvous for 30 seconds,
|
|
rather than for n (where n=3) attempts to build a circuit.
|
|
- Change SHUTDOWN_WAIT_LENGTH from a fixed 30 secs to a config option
|
|
"ShutdownWaitLength".
|
|
- Try to be more zealous about calling connection_edge_end when
|
|
things go bad with edge conns in connection.c.
|
|
- Revise tor-spec to add more/better stream end reasons.
|
|
- Revise all calls to connection_edge_end to avoid sending "misc",
|
|
and to take errno into account where possible.
|
|
|
|
o Bug fixes:
|
|
- Fix a race condition that can trigger an assert, when we have a
|
|
pending create cell and an OR connection fails right then.
|
|
- Fix several double-mark-for-close bugs, e.g. where we were finding
|
|
a conn for a cell even if that conn is already marked for close.
|
|
- Make sequence of log messages when starting on win32 with no config
|
|
file more reasonable.
|
|
- When choosing an exit node for a new non-internal circ, don't take
|
|
into account whether it'll be useful for any pending x.onion
|
|
addresses -- it won't.
|
|
- Turn addr_policy_compare from a tristate to a quadstate; this should
|
|
help address our "Ah, you allow 1.2.3.4:80. You are a good choice
|
|
for google.com" problem.
|
|
- Make "platform" string in descriptor more accurate for Win32 servers,
|
|
so it's not just "unknown platform".
|
|
- Fix an edge case in parsing config options (thanks weasel).
|
|
If they say "--" on the commandline, it's not an option.
|
|
- Reject odd-looking addresses at the client (e.g. addresses that
|
|
contain a colon), rather than having the server drop them because
|
|
they're malformed.
|
|
- tor-resolve requests were ignoring .exit if there was a working circuit
|
|
they could use instead.
|
|
- REUSEADDR on normal platforms means you can rebind to the port
|
|
right after somebody else has let it go. But REUSEADDR on win32
|
|
means to let you bind to the port _even when somebody else
|
|
already has it bound_! So, don't do that on Win32.
|
|
- Change version parsing logic: a version is "obsolete" if it is not
|
|
recommended and (1) there is a newer recommended version in the
|
|
same series, or (2) there are no recommended versions in the same
|
|
series, but there are some recommended versions in a newer series.
|
|
A version is "new" if it is newer than any recommended version in
|
|
the same series.
|
|
- Stop most cases of hanging up on a socks connection without sending
|
|
the socks reject.
|
|
|
|
o Helpful fixes:
|
|
- Require BandwidthRate to be at least 20kB/s for servers.
|
|
- When a dirserver causes you to give a warn, mention which dirserver
|
|
it was.
|
|
- New config option DirAllowPrivateAddresses for authdirservers.
|
|
Now by default they refuse router descriptors that have non-IP or
|
|
private-IP addresses.
|
|
- Stop publishing socksport in the directory, since it's not
|
|
actually meant to be public. For compatibility, publish a 0 there
|
|
for now.
|
|
- Change DirFetchPeriod/StatusFetchPeriod to have a special "Be
|
|
smart" value, that is low for servers and high for clients.
|
|
- If our clock jumps forward by 100 seconds or more, assume something
|
|
has gone wrong with our network and abandon all not-yet-used circs.
|
|
- Warn when exit policy implicitly allows local addresses.
|
|
- If we get an incredibly skewed timestamp from a dirserver mirror
|
|
that isn't a verified OR, don't warn -- it's probably him that's
|
|
wrong.
|
|
- Since we ship our own Privoxy on OS X, tweak it so it doesn't write
|
|
cookies to disk and doesn't log each web request to disk. (Thanks
|
|
to Brett Carrington for pointing this out.)
|
|
- When a client asks us for a dir mirror and we don't have one,
|
|
launch an attempt to get a fresh one.
|
|
- If we're hibernating and we get a SIGINT, exit immediately.
|
|
- Add --with-dmalloc ./configure option, to track memory leaks.
|
|
- And try to free all memory on closing, so we can detect what
|
|
we're leaking.
|
|
- Cache local dns resolves correctly even when they're .exit
|
|
addresses.
|
|
- Give a better warning when some other server advertises an
|
|
ORPort that is actually an apache running ssl.
|
|
- Add "opt hibernating 1" to server descriptor to make it clearer
|
|
whether the server is hibernating.
|
|
|
|
|
|
Changes in version 0.0.9.6 - 2005-03-24
|
|
o Bugfixes on 0.0.9.x (crashes and asserts):
|
|
- Add new end stream reasons to maintainance branch. Fix bug where
|
|
reason (8) could trigger an assert. Prevent bug from recurring.
|
|
- Apparently win32 stat wants paths to not end with a slash.
|
|
- Fix assert triggers in assert_cpath_layer_ok(), where we were
|
|
blowing away the circuit that conn->cpath_layer points to, then
|
|
checking to see if the circ is well-formed. Backport check to make
|
|
sure we dont use the cpath on a closed connection.
|
|
- Prevent circuit_resume_edge_reading_helper() from trying to package
|
|
inbufs for marked-for-close streams.
|
|
- Don't crash on hup if your options->address has become unresolvable.
|
|
- Some systems (like OS X) sometimes accept() a connection and tell
|
|
you the remote host is 0.0.0.0:0. If this happens, due to some
|
|
other mis-features, we get confused; so refuse the conn for now.
|
|
|
|
o Bugfixes on 0.0.9.x (other):
|
|
- Fix harmless but scary "Unrecognized content encoding" warn message.
|
|
- Add new stream error reason: TORPROTOCOL reason means "you are not
|
|
speaking a version of Tor I understand; say bye-bye to your stream."
|
|
- Be willing to cache directories from up to ROUTER_MAX_AGE seconds
|
|
into the future, now that we are more tolerant of skew. This
|
|
resolves a bug where a Tor server would refuse to cache a directory
|
|
because all the directories it gets are too far in the future;
|
|
yet the Tor server never logs any complaints about clock skew.
|
|
- Mac packaging magic: make man pages useable, and do not overwrite
|
|
existing torrc files.
|
|
- Make OS X log happily to /var/log/tor/tor.log
|
|
|
|
|
|
Changes in version 0.0.9.5 - 2005-02-22
|
|
o Bugfixes on 0.0.9.x:
|
|
- Fix an assert race at exit nodes when resolve requests fail.
|
|
- Stop picking unverified dir mirrors--it only leads to misery.
|
|
- Patch from Matt Edman to make NT services work better. Service
|
|
support is still not compiled into the executable by default.
|
|
- Patch from Dmitri Bely so the Tor service runs better under
|
|
the win32 SYSTEM account.
|
|
- Make tor-resolve actually work (?) on Win32.
|
|
- Fix a sign bug when getrlimit claims to have 4+ billion
|
|
file descriptors available.
|
|
- Stop refusing to start when bandwidthburst == bandwidthrate.
|
|
- When create cells have been on the onion queue more than five
|
|
seconds, just send back a destroy and take them off the list.
|
|
|
|
|
|
Changes in version 0.0.9.4 - 2005-02-03
|
|
o Bugfixes on 0.0.9:
|
|
- Fix an assert bug that took down most of our servers: when
|
|
a server claims to have 1 GB of bandwidthburst, don't
|
|
freak out.
|
|
- Don't crash as badly if we have spawned the max allowed number
|
|
of dnsworkers, or we're out of file descriptors.
|
|
- Block more file-sharing ports in the default exit policy.
|
|
- MaxConn is now automatically set to the hard limit of max
|
|
file descriptors we're allowed (ulimit -n), minus a few for
|
|
logs, etc.
|
|
- Give a clearer message when servers need to raise their
|
|
ulimit -n when they start running out of file descriptors.
|
|
- SGI Compatibility patches from Jan Schaumann.
|
|
- Tolerate a corrupt cached directory better.
|
|
- When a dirserver hasn't approved your server, list which one.
|
|
- Go into soft hibernation after 95% of the bandwidth is used,
|
|
not 99%. This is especially important for daily hibernators who
|
|
have a small accounting max. Hopefully it will result in fewer
|
|
cut connections when the hard hibernation starts.
|
|
- Load-balance better when using servers that claim more than
|
|
800kB/s of capacity.
|
|
- Make NT services work (experimental, only used if compiled in).
|
|
|
|
|
|
Changes in version 0.0.9.3 - 2005-01-21
|
|
o Bugfixes on 0.0.9:
|
|
- Backport the cpu use fixes from main branch, so busy servers won't
|
|
need as much processor time.
|
|
- Work better when we go offline and then come back, or when we
|
|
run Tor at boot before the network is up. We do this by
|
|
optimistically trying to fetch a new directory whenever an
|
|
application request comes in and we think we're offline -- the
|
|
human is hopefully a good measure of when the network is back.
|
|
- Backport some minimal hidserv bugfixes: keep rend circuits open as
|
|
long as you keep using them; actually publish hidserv descriptors
|
|
shortly after they change, rather than waiting 20-40 minutes.
|
|
- Enable Mac startup script by default.
|
|
- Fix duplicate dns_cancel_pending_resolve reported by Giorgos Pallas.
|
|
- When you update AllowUnverifiedNodes or FirewallPorts via the
|
|
controller's setconf feature, we were always appending, never
|
|
resetting.
|
|
- When you update HiddenServiceDir via setconf, it was screwing up
|
|
the order of reading the lines, making it fail.
|
|
- Do not rewrite a cached directory back to the cache; otherwise we
|
|
will think it is recent and not fetch a newer one on startup.
|
|
- Workaround for webservers that lie about Content-Encoding: Tor
|
|
now tries to autodetect compressed directories and compression
|
|
itself. This lets us Proxypass dir fetches through apache.
|
|
|
|
|
|
Changes in version 0.0.9.2 - 2005-01-04
|
|
o Bugfixes on 0.0.9 (crashes and asserts):
|
|
- Fix an assert on startup when the disk is full and you're logging
|
|
to a file.
|
|
- If you do socks4 with an IP of 0.0.0.x but *don't* provide a socks4a
|
|
style address, then we'd crash.
|
|
- Fix an assert trigger when the running-routers string we get from
|
|
a dirserver is broken.
|
|
- Make worker threads start and run on win32. Now win32 servers
|
|
may work better.
|
|
- Bandaid (not actually fix, but now it doesn't crash) an assert
|
|
where the dns worker dies mysteriously and the main Tor process
|
|
doesn't remember anything about the address it was resolving.
|
|
|
|
o Bugfixes on 0.0.9 (Win32):
|
|
- Workaround for brain-damaged __FILE__ handling on MSVC: keep Nick's
|
|
name out of the warning/assert messages.
|
|
- Fix a superficial "unhandled error on read" bug on win32.
|
|
- The win32 installer no longer requires a click-through for our
|
|
license, since our Free Software license grants rights but does not
|
|
take any away.
|
|
- Win32: When connecting to a dirserver fails, try another one
|
|
immediately. (This was already working for non-win32 Tors.)
|
|
- Stop trying to parse $HOME on win32 when hunting for default
|
|
DataDirectory.
|
|
- Make tor-resolve.c work on win32 by calling network_init().
|
|
|
|
o Bugfixes on 0.0.9 (other):
|
|
- Make 0.0.9.x build on Solaris again.
|
|
- Due to a fencepost error, we were blowing away the \n when reporting
|
|
confvalue items in the controller. So asking for multiple config
|
|
values at once couldn't work.
|
|
- When listing circuits that are pending on an opening OR connection,
|
|
if we're an OR we were listing circuits that *end* at us as
|
|
being pending on every listener, dns/cpu worker, etc. Stop that.
|
|
- Dirservers were failing to create 'running-routers' or 'directory'
|
|
strings if we had more than some threshold of routers. Fix them so
|
|
they can handle any number of routers.
|
|
- Fix a superficial "Duplicate mark for close" bug.
|
|
- Stop checking for clock skew for OR connections, even for servers.
|
|
- Fix a fencepost error that was chopping off the last letter of any
|
|
nickname that is the maximum allowed nickname length.
|
|
- Update URLs in log messages so they point to the new website.
|
|
- Fix a potential problem in mangling server private keys while
|
|
writing to disk (not triggered yet, as far as we know).
|
|
- Include the licenses for other free software we include in Tor,
|
|
now that we're shipping binary distributions more regularly.
|
|
|
|
|
|
Changes in version 0.0.9.1 - 2004-12-15
|
|
o Bugfixes on 0.0.9:
|
|
- Make hibernation actually work.
|
|
- Make HashedControlPassword config option work.
|
|
- When we're reporting event circuit status to a controller,
|
|
don't use the stream status code.
|
|
|
|
|
|
Changes in version 0.0.9 - 2004-12-12
|
|
o Cleanups:
|
|
- Clean up manpage and torrc.sample file.
|
|
- Clean up severities and text of log warnings.
|
|
o Mistakes:
|
|
- Make servers trigger an assert when they enter hibernation.
|
|
|
|
|
|
Changes in version 0.0.9rc7 - 2004-12-08
|
|
o Bugfixes on 0.0.9rc:
|
|
- Fix a stack-trashing crash when an exit node begins hibernating.
|
|
- Avoid looking at unallocated memory while considering which
|
|
ports we need to build circuits to cover.
|
|
- Stop a sigpipe: when an 'end' cell races with eof from the app,
|
|
we shouldn't hold-open-until-flush if the eof arrived first.
|
|
- Fix a bug with init_cookie_authentication() in the controller.
|
|
- When recommending new-format log lines, if the upper bound is
|
|
LOG_ERR, leave it implicit.
|
|
|
|
o Bugfixes on 0.0.8.1:
|
|
- Fix a whole slew of memory leaks.
|
|
- Fix isspace() and friends so they still make Solaris happy
|
|
but also so they don't trigger asserts on win32.
|
|
- Fix parse_iso_time on platforms without strptime (eg win32).
|
|
- win32: tolerate extra "readable" events better.
|
|
- win32: when being multithreaded, leave parent fdarray open.
|
|
- Make unit tests work on win32.
|
|
|
|
|
|
Changes in version 0.0.9rc6 - 2004-12-06
|
|
o Bugfixes on 0.0.9pre:
|
|
- Clean up some more integer underflow opportunities (not exploitable
|
|
we think).
|
|
- While hibernating, hup should not regrow our listeners.
|
|
- Send an end to the streams we close when we hibernate, rather
|
|
than just chopping them off.
|
|
- React to eof immediately on non-open edge connections.
|
|
|
|
o Bugfixes on 0.0.8.1:
|
|
- Calculate timeout for waiting for a connected cell from the time
|
|
we sent the begin cell, not from the time the stream started. If
|
|
it took a long time to establish the circuit, we would time out
|
|
right after sending the begin cell.
|
|
- Fix router_compare_addr_to_addr_policy: it was not treating a port
|
|
of * as always matching, so we were picking reject *:* nodes as
|
|
exit nodes too. Oops.
|
|
|
|
o Features:
|
|
- New circuit building strategy: keep a list of ports that we've
|
|
used in the past 6 hours, and always try to have 2 circuits open
|
|
or on the way that will handle each such port. Seed us with port
|
|
80 so web users won't complain that Tor is "slow to start up".
|
|
- Make kill -USR1 dump more useful stats about circuits.
|
|
- When warning about retrying or giving up, print the address, so
|
|
the user knows which one it's talking about.
|
|
- If you haven't used a clean circuit in an hour, throw it away,
|
|
just to be on the safe side. (This means after 6 hours a totally
|
|
unused Tor client will have no circuits open.)
|
|
|
|
|
|
Changes in version 0.0.9rc5 - 2004-12-01
|
|
o Bugfixes on 0.0.8.1:
|
|
- Disallow NDEBUG. We don't ever want anybody to turn off debug.
|
|
- Let resolve conns retry/expire also, rather than sticking around
|
|
forever.
|
|
- If we are using select, make sure we stay within FD_SETSIZE.
|
|
|
|
o Bugfixes on 0.0.9pre:
|
|
- Fix integer underflow in tor_vsnprintf() that may be exploitable,
|
|
but doesn't seem to be currently; thanks to Ilja van Sprundel for
|
|
finding it.
|
|
- If anybody set DirFetchPostPeriod, give them StatusFetchPeriod
|
|
instead. Impose minima and maxima for all *Period options; impose
|
|
even tighter maxima for fetching if we are a caching dirserver.
|
|
Clip rather than rejecting.
|
|
- Fetch cached running-routers from servers that serve it (that is,
|
|
authdirservers and servers running 0.0.9rc5-cvs or later.)
|
|
|
|
o Features:
|
|
- Accept *:706 (silc) in default exit policy.
|
|
- Implement new versioning format for post 0.1.
|
|
- Support "foo.nickname.exit" addresses, to let Alice request the
|
|
address "foo" as viewed by exit node "nickname". Based on a patch
|
|
by Geoff Goodell.
|
|
- Make tor --version --version dump the cvs Id of every file.
|
|
|
|
|
|
Changes in version 0.0.9rc4 - 2004-11-28
|
|
o Bugfixes on 0.0.8.1:
|
|
- Make windows sockets actually non-blocking (oops), and handle
|
|
win32 socket errors better.
|
|
|
|
o Bugfixes on 0.0.9rc1:
|
|
- Actually catch the -USR2 signal.
|
|
|
|
|
|
Changes in version 0.0.9rc3 - 2004-11-25
|
|
o Bugfixes on 0.0.8.1:
|
|
- Flush the log file descriptor after we print "Tor opening log file",
|
|
so we don't see those messages days later.
|
|
|
|
o Bugfixes on 0.0.9rc1:
|
|
- Make tor-resolve work again.
|
|
- Avoid infinite loop in tor-resolve if tor hangs up on it.
|
|
- Fix an assert trigger for clients/servers handling resolves.
|
|
|
|
|
|
Changes in version 0.0.9rc2 - 2004-11-24
|
|
o Bugfixes on 0.0.9rc1:
|
|
- I broke socks5 support while fixing the eof bug.
|
|
- Allow unitless bandwidths and intervals; they default to bytes
|
|
and seconds.
|
|
- New servers don't start out hibernating; they are active until
|
|
they run out of bytes, so they have a better estimate of how
|
|
long it takes, and so their operators can know they're working.
|
|
|
|
|
|
Changes in version 0.0.9rc1 - 2004-11-23
|
|
o Bugfixes on 0.0.8.1:
|
|
- Finally fix a bug that's been plaguing us for a year:
|
|
With high load, circuit package window was reaching 0. Whenever
|
|
we got a circuit-level sendme, we were reading a lot on each
|
|
socket, but only writing out a bit. So we would eventually reach
|
|
eof. This would be noticed and acted on even when there were still
|
|
bytes sitting in the inbuf.
|
|
- When poll() is interrupted, we shouldn't believe the revents values.
|
|
|
|
o Bugfixes on 0.0.9pre6:
|
|
- Fix hibernate bug that caused pre6 to be broken.
|
|
- Don't keep rephist info for routers that haven't had activity for
|
|
24 hours. (This matters now that clients have keys, since we track
|
|
them too.)
|
|
- Never call close_temp_logs while validating log options.
|
|
- Fix backslash-escaping on tor.sh.in and torctl.in.
|
|
|
|
o Features:
|
|
- Implement weekly/monthly/daily accounting: now you specify your
|
|
hibernation properties by
|
|
AccountingMax N bytes|KB|MB|GB|TB
|
|
AccountingStart day|week|month [day] HH:MM
|
|
Defaults to "month 1 0:00".
|
|
- Let bandwidth and interval config options be specified as 5 bytes,
|
|
kb, kilobytes, etc; and as seconds, minutes, hours, days, weeks.
|
|
- kill -USR2 now moves all logs to loglevel debug (kill -HUP to
|
|
get back to normal.)
|
|
- If your requested entry or exit node has advertised bandwidth 0,
|
|
pick it anyway.
|
|
- Be more greedy about filling up relay cells -- we try reading again
|
|
once we've processed the stuff we read, in case enough has arrived
|
|
to fill the last cell completely.
|
|
- Apply NT service patch from Osamu Fujino. Still needs more work.
|
|
|
|
|
|
Changes in version 0.0.9pre6 - 2004-11-15
|
|
o Bugfixes on 0.0.8.1:
|
|
- Fix assert failure on malformed socks4a requests.
|
|
- Use identity comparison, not nickname comparison, to choose which
|
|
half of circuit-ID-space each side gets to use. This is needed
|
|
because sometimes we think of a router as a nickname, and sometimes
|
|
as a hex ID, and we can't predict what the other side will do.
|
|
- Catch and ignore SIGXFSZ signals when log files exceed 2GB; our
|
|
write() call will fail and we handle it there.
|
|
- Add a FAST_SMARTLIST define to optionally inline smartlist_get
|
|
and smartlist_len, which are two major profiling offenders.
|
|
|
|
o Bugfixes on 0.0.9pre5:
|
|
- Fix a bug in read_all that was corrupting config files on windows.
|
|
- When we're raising the max number of open file descriptors to
|
|
'unlimited', don't log that we just raised it to '-1'.
|
|
- Include event code with events, as required by control-spec.txt.
|
|
- Don't give a fingerprint when clients do --list-fingerprint:
|
|
it's misleading, because it will never be the same again.
|
|
- Stop using strlcpy in tor_strndup, since it was slowing us
|
|
down a lot.
|
|
- Remove warn on startup about missing cached-directory file.
|
|
- Make kill -USR1 work again.
|
|
- Hibernate if we start tor during the "wait for wakeup-time" phase
|
|
of an accounting interval. Log our hibernation plans better.
|
|
- Authoritative dirservers now also cache their directory, so they
|
|
have it on start-up.
|
|
|
|
o Features:
|
|
- Fetch running-routers; cache running-routers; compress
|
|
running-routers; serve compressed running-routers.z
|
|
- Add NSI installer script contributed by J Doe.
|
|
- Commit VC6 and VC7 workspace/project files.
|
|
- Commit a tor.spec for making RPM files, with help from jbash.
|
|
- Add contrib/torctl.in contributed by Glenn Fink.
|
|
- Implement the control-spec's SAVECONF command, to write your
|
|
configuration to torrc.
|
|
- Get cookie authentication for the controller closer to working.
|
|
- Include control-spec.txt in the tarball.
|
|
- When set_conf changes our server descriptor, upload a new copy.
|
|
But don't upload it too often if there are frequent changes.
|
|
- Document authentication config in man page, and document signals
|
|
we catch.
|
|
- Clean up confusing parts of man page and torrc.sample.
|
|
- Make expand_filename handle ~ and ~username.
|
|
- Use autoconf to enable largefile support where necessary. Use
|
|
ftello where available, since ftell can fail at 2GB.
|
|
- Distinguish between TOR_TLS_CLOSE and TOR_TLS_ERROR, so we can
|
|
log more informatively.
|
|
- Give a slightly more useful output for "tor -h".
|
|
- Refuse application socks connections to port 0.
|
|
- Check clock skew for verified servers, but allow unverified
|
|
servers and clients to have any clock skew.
|
|
- Break DirFetchPostPeriod into:
|
|
- DirFetchPeriod for fetching full directory,
|
|
- StatusFetchPeriod for fetching running-routers,
|
|
- DirPostPeriod for posting server descriptor,
|
|
- RendPostPeriod for posting hidden service descriptors.
|
|
- Make sure the hidden service descriptors are at a random offset
|
|
from each other, to hinder linkability.
|
|
|
|
|
|
Changes in version 0.0.9pre5 - 2004-11-09
|
|
o Bugfixes on 0.0.9pre4:
|
|
- Fix a seg fault in unit tests (doesn't affect main program).
|
|
- Fix an assert bug where a hidden service provider would fail if
|
|
the first hop of his rendezvous circuit was down.
|
|
- Hidden service operators now correctly handle version 1 style
|
|
INTRODUCE1 cells (nobody generates them still, so not a critical
|
|
bug).
|
|
- If do_hup fails, actually notice.
|
|
- Handle more errnos from accept() without closing the listener.
|
|
Some OpenBSD machines were closing their listeners because
|
|
they ran out of file descriptors.
|
|
- Send resolve cells to exit routers that are running a new
|
|
enough version of the resolve code to work right.
|
|
- Better handling of winsock includes on non-MSV win32 compilers.
|
|
- Some people had wrapped their tor client/server in a script
|
|
that would restart it whenever it died. This did not play well
|
|
with our "shut down if your version is obsolete" code. Now people
|
|
don't fetch a new directory if their local cached version is
|
|
recent enough.
|
|
- Make our autogen.sh work on ksh as well as bash.
|
|
|
|
o Major Features:
|
|
- Hibernation: New config option "AccountingMaxKB" lets you
|
|
set how many KBytes per month you want to allow your server to
|
|
consume. Rather than spreading those bytes out evenly over the
|
|
month, we instead hibernate for some of the month and pop up
|
|
at a deterministic time, work until the bytes are consumed, then
|
|
hibernate again. Config option "MonthlyAccountingStart" lets you
|
|
specify which day of the month your billing cycle starts on.
|
|
- Control interface: a separate program can now talk to your
|
|
client/server over a socket, and get/set config options, receive
|
|
notifications of circuits and streams starting/finishing/dying,
|
|
bandwidth used, etc. The next step is to get some GUIs working.
|
|
Let us know if you want to help out. See doc/control-spec.txt .
|
|
- Ship a contrib/tor-control.py as an example script to interact
|
|
with the control port.
|
|
- "tor --hash-password zzyxz" will output a salted password for
|
|
use in authenticating to the control interface.
|
|
- New log format in config:
|
|
"Log minsev[-maxsev] stdout|stderr|syslog" or
|
|
"Log minsev[-maxsev] file /var/foo"
|
|
|
|
o Minor Features:
|
|
- DirPolicy config option, to let people reject incoming addresses
|
|
from their dirserver.
|
|
- "tor --list-fingerprint" will list your identity key fingerprint
|
|
and then exit.
|
|
- Add "pass" target for RedirectExit, to make it easier to break
|
|
out of a sequence of RedirectExit rules.
|
|
- Clients now generate a TLS cert too, in preparation for having
|
|
them act more like real nodes.
|
|
- Ship src/win32/ in the tarball, so people can use it to build.
|
|
- Make old win32 fall back to CWD if SHGetSpecialFolderLocation
|
|
is broken.
|
|
- New "router-status" line in directory, to better bind each verified
|
|
nickname to its identity key.
|
|
- Deprecate unofficial config option abbreviations, and abbreviations
|
|
not on the command line.
|
|
- Add a pure-C tor-resolve implementation.
|
|
- Use getrlimit and friends to ensure we can reach MaxConn (currently
|
|
1024) file descriptors.
|
|
|
|
o Code security improvements, inspired by Ilja:
|
|
- Replace sprintf with snprintf. (I think they were all safe, but
|
|
hey.)
|
|
- Replace strcpy/strncpy with strlcpy in more places.
|
|
- Avoid strcat; use snprintf or strlcat instead.
|
|
- snprintf wrapper with consistent (though not C99) overflow behavior.
|
|
|
|
|
|
Changes in version 0.0.9pre4 - 2004-10-17
|
|
o Bugfixes on 0.0.9pre3:
|
|
- If the server doesn't specify an exit policy, use the real default
|
|
exit policy, not reject *:*.
|
|
- Ignore fascistfirewall when uploading/downloading hidden service
|
|
descriptors, since we go through Tor for those; and when using
|
|
an HttpProxy, since we assume it can reach them all.
|
|
- When looking for an authoritative dirserver, use only the ones
|
|
configured at boot. Don't bother looking in the directory.
|
|
- The rest of the fix for get_default_conf_file() on older win32.
|
|
- Make 'Routerfile' config option obsolete.
|
|
|
|
o Features:
|
|
- New 'MyFamily nick1,...' config option for a server to
|
|
specify other servers that shouldn't be used in the same circuit
|
|
with it. Only believed if nick1 also specifies us.
|
|
- New 'NodeFamily nick1,nick2,...' config option for a client to
|
|
specify nodes that it doesn't want to use in the same circuit.
|
|
- New 'Redirectexit pattern address:port' config option for a
|
|
server to redirect exit connections, e.g. to a local squid.
|
|
|
|
|
|
Changes in version 0.0.9pre3 - 2004-10-13
|
|
o Bugfixes on 0.0.8.1:
|
|
- Better torrc example lines for dirbindaddress and orbindaddress.
|
|
- Improved bounds checking on parsed ints (e.g. config options and
|
|
the ones we find in directories.)
|
|
- Better handling of size_t vs int, so we're more robust on 64
|
|
bit platforms.
|
|
- Fix the rest of the bug where a newly started OR would appear
|
|
as unverified even after we've added his fingerprint and hupped
|
|
the dirserver.
|
|
- Fix a bug from 0.0.7: when read() failed on a stream, we would
|
|
close it without sending back an end. So 'connection refused'
|
|
would simply be ignored and the user would get no response.
|
|
|
|
o Bugfixes on 0.0.9pre2:
|
|
- Serving the cached-on-disk directory to people is bad. We now
|
|
provide no directory until we've fetched a fresh one.
|
|
- Workaround for bug on windows where cached-directories get crlf
|
|
corruption.
|
|
- Make get_default_conf_file() work on older windows too.
|
|
- If we write a *:* exit policy line in the descriptor, don't write
|
|
any more exit policy lines.
|
|
|
|
o Features:
|
|
- Use only 0.0.9pre1 and later servers for resolve cells.
|
|
- Make the dirservers file obsolete.
|
|
- Include a dir-signing-key token in directories to tell the
|
|
parsing entity which key is being used to sign.
|
|
- Remove the built-in bulky default dirservers string.
|
|
- New config option "Dirserver %s:%d [fingerprint]", which can be
|
|
repeated as many times as needed. If no dirservers specified,
|
|
default to moria1,moria2,tor26.
|
|
- Make moria2 advertise a dirport of 80, so people behind firewalls
|
|
will be able to get a directory.
|
|
- Http proxy support
|
|
- Dirservers translate requests for http://%s:%d/x to /x
|
|
- You can specify "HttpProxy %s[:%d]" and all dir fetches will
|
|
be routed through this host.
|
|
- Clients ask for /tor/x rather than /x for new enough dirservers.
|
|
This way we can one day coexist peacefully with apache.
|
|
- Clients specify a "Host: %s%d" http header, to be compatible
|
|
with more proxies, and so running squid on an exit node can work.
|
|
|
|
|
|
Changes in version 0.0.8.1 - 2004-10-13
|
|
o Bugfixes:
|
|
- Fix a seg fault that can be triggered remotely for Tor
|
|
clients/servers with an open dirport.
|
|
- Fix a rare assert trigger, where routerinfos for entries in
|
|
our cpath would expire while we're building the path.
|
|
- Fix a bug in OutboundBindAddress so it (hopefully) works.
|
|
- Fix a rare seg fault for people running hidden services on
|
|
intermittent connections.
|
|
- Fix a bug in parsing opt keywords with objects.
|
|
- Fix a stale pointer assert bug when a stream detaches and
|
|
reattaches.
|
|
- Fix a string format vulnerability (probably not exploitable)
|
|
in reporting stats locally.
|
|
- Fix an assert trigger: sometimes launching circuits can fail
|
|
immediately, e.g. because too many circuits have failed recently.
|
|
- Fix a compile warning on 64 bit platforms.
|
|
|
|
|
|
Changes in version 0.0.9pre2 - 2004-10-03
|
|
o Bugfixes:
|
|
- Make fetching a cached directory work for 64-bit platforms too.
|
|
- Make zlib.h a required header, not an optional header.
|
|
|
|
|
|
Changes in version 0.0.9pre1 - 2004-10-01
|
|
o Bugfixes:
|
|
- Stop using separate defaults for no-config-file and
|
|
empty-config-file. Now you have to explicitly turn off SocksPort,
|
|
if you don't want it open.
|
|
- Fix a bug in OutboundBindAddress so it (hopefully) works.
|
|
- Improve man page to mention more of the 0.0.8 features.
|
|
- Fix a rare seg fault for people running hidden services on
|
|
intermittent connections.
|
|
- Change our file IO stuff (especially wrt OpenSSL) so win32 is
|
|
happier.
|
|
- Fix more dns related bugs: send back resolve_failed and end cells
|
|
more reliably when the resolve fails, rather than closing the
|
|
circuit and then trying to send the cell. Also attach dummy resolve
|
|
connections to a circuit *before* calling dns_resolve(), to fix
|
|
a bug where cached answers would never be sent in RESOLVED cells.
|
|
- When we run out of disk space, or other log writing error, don't
|
|
crash. Just stop logging to that log and continue.
|
|
- We were starting to daemonize before we opened our logs, so if
|
|
there were any problems opening logs, we would complain to stderr,
|
|
which wouldn't work, and then mysteriously exit.
|
|
- Fix a rare bug where sometimes a verified OR would connect to us
|
|
before he'd uploaded his descriptor, which would cause us to
|
|
assign conn->nickname as though he's unverified. Now we look through
|
|
the fingerprint list to see if he's there.
|
|
- Fix a rare assert trigger, where routerinfos for entries in
|
|
our cpath would expire while we're building the path.
|
|
|
|
o Features:
|
|
- Clients can ask dirservers for /dir.z to get a compressed version
|
|
of the directory. Only works for servers running 0.0.9, of course.
|
|
- Make clients cache directories and use them to seed their router
|
|
lists at startup. This means clients have a datadir again.
|
|
- Configuration infrastructure support for warning on obsolete
|
|
options.
|
|
- Respond to content-encoding headers by trying to uncompress as
|
|
appropriate.
|
|
- Reply with a deflated directory when a client asks for "dir.z".
|
|
We could use allow-encodings instead, but allow-encodings isn't
|
|
specified in HTTP 1.0.
|
|
- Raise the max dns workers from 50 to 100.
|
|
- Discourage people from setting their dirfetchpostperiod more often
|
|
than once per minute.
|
|
- Protect dirservers from overzealous descriptor uploading -- wait
|
|
10 seconds after directory gets dirty, before regenerating.
|
|
|
|
|
|
Changes in version 0.0.8 - 2004-08-25
|
|
o Port it to SunOS 5.9 / Athena
|
|
|
|
|
|
Changes in version 0.0.8rc2 - 2004-08-20
|
|
o Make it compile on cygwin again.
|
|
o When picking unverified routers, skip those with low uptime and/or
|
|
low bandwidth, depending on what properties you care about.
|
|
|
|
|
|
Changes in version 0.0.8rc1 - 2004-08-18
|
|
o Changes from 0.0.7.3:
|
|
- Bugfixes:
|
|
- Fix assert triggers: if the other side returns an address 0.0.0.0,
|
|
don't put it into the client dns cache.
|
|
- If a begin failed due to exit policy, but we believe the IP address
|
|
should have been allowed, switch that router to exitpolicy reject *:*
|
|
until we get our next directory.
|
|
- Features:
|
|
- Clients choose nodes proportional to advertised bandwidth.
|
|
- Avoid using nodes with low uptime as introduction points.
|
|
- Handle servers with dynamic IP addresses: don't replace
|
|
options->Address with the resolved one at startup, and
|
|
detect our address right before we make a routerinfo each time.
|
|
- 'FascistFirewall' option to pick dirservers and ORs on specific
|
|
ports; plus 'FirewallPorts' config option to tell FascistFirewall
|
|
which ports are open. (Defaults to 80,443)
|
|
- Be more aggressive about trying to make circuits when the network
|
|
has changed (e.g. when you unsuspend your laptop).
|
|
- Check for time skew on http headers; report date in response to
|
|
"GET /".
|
|
- If the entrynode config line has only one node, don't pick it as
|
|
an exitnode.
|
|
- Add strict{entry|exit}nodes config options. If set to 1, then
|
|
we refuse to build circuits that don't include the specified entry
|
|
or exit nodes.
|
|
- OutboundBindAddress config option, to bind to a specific
|
|
IP address for outgoing connect()s.
|
|
- End truncated log entries (e.g. directories) with "[truncated]".
|
|
|
|
o Patches to 0.0.8preX:
|
|
- Bugfixes:
|
|
- Patches to compile and run on win32 again (maybe)?
|
|
- Fix crash when looking for ~/.torrc with no $HOME set.
|
|
- Fix a race bug in the unit tests.
|
|
- Handle verified/unverified name collisions better when new
|
|
routerinfo's arrive in a directory.
|
|
- Sometimes routers were getting entered into the stats before
|
|
we'd assigned their identity_digest. Oops.
|
|
- Only pick and establish intro points after we've gotten a
|
|
directory.
|
|
- Features:
|
|
- AllowUnverifiedNodes config option to let circuits choose no-name
|
|
routers in entry,middle,exit,introduction,rendezvous positions.
|
|
Allow middle and rendezvous positions by default.
|
|
- Add a man page for tor-resolve.
|
|
|
|
|
|
Changes in version 0.0.7.3 - 2004-08-12
|
|
o Stop dnsworkers from triggering an assert failure when you
|
|
ask them to resolve the host "".
|
|
|
|
|
|
Changes in version 0.0.8pre3 - 2004-08-09
|
|
o Changes from 0.0.7.2:
|
|
- Allow multiple ORs with same nickname in routerlist -- now when
|
|
people give us one identity key for a nickname, then later
|
|
another, we don't constantly complain until the first expires.
|
|
- Remember used bandwidth (both in and out), and publish 15-minute
|
|
snapshots for the past day into our descriptor.
|
|
- You can now fetch $DIRURL/running-routers to get just the
|
|
running-routers line, not the whole descriptor list. (But
|
|
clients don't use this yet.)
|
|
- When people mistakenly use Tor as an http proxy, point them
|
|
at the tor-doc.html rather than the INSTALL.
|
|
- Remove our mostly unused -- and broken -- hex_encode()
|
|
function. Use base16_encode() instead. (Thanks to Timo Lindfors
|
|
for pointing out this bug.)
|
|
- Rotate onion keys every 12 hours, not every 2 hours, so we have
|
|
fewer problems with people using the wrong key.
|
|
- Change the default exit policy to reject the default edonkey,
|
|
kazaa, gnutella ports.
|
|
- Add replace_file() to util.[ch] to handle win32's rename().
|
|
|
|
o Changes from 0.0.8preX:
|
|
- Fix two bugs in saving onion keys to disk when rotating, so
|
|
hopefully we'll get fewer people using old onion keys.
|
|
- Fix an assert error that was making SocksPolicy not work.
|
|
- Be willing to expire routers that have an open dirport -- it's
|
|
just the authoritative dirservers we want to not forget.
|
|
- Reject tor-resolve requests for .onion addresses early, so we
|
|
don't build a whole rendezvous circuit and then fail.
|
|
- When you're warning a server that he's unverified, don't cry
|
|
wolf unpredictably.
|
|
- Fix a race condition: don't try to extend onto a connection
|
|
that's still handshaking.
|
|
- For servers in clique mode, require the conn to be open before
|
|
you'll choose it for your path.
|
|
- Fix some cosmetic bugs about duplicate mark-for-close, lack of
|
|
end relay cell, etc.
|
|
- Measure bandwidth capacity over the last 24 hours, not just 12
|
|
- Bugfix: authoritative dirservers were making and signing a new
|
|
directory for each client, rather than reusing the cached one.
|
|
|
|
|
|
Changes in version 0.0.8pre2 - 2004-08-04
|
|
o Changes from 0.0.7.2:
|
|
- Security fixes:
|
|
- Check directory signature _before_ you decide whether you're
|
|
you're running an obsolete version and should exit.
|
|
- Check directory signature _before_ you parse the running-routers
|
|
list to decide who's running or verified.
|
|
- Bugfixes and features:
|
|
- Check return value of fclose while writing to disk, so we don't
|
|
end up with broken files when servers run out of disk space.
|
|
- Log a warning if the user uses an unsafe socks variant, so people
|
|
are more likely to learn about privoxy or socat.
|
|
- Dirservers now include RFC1123-style dates in the HTTP headers,
|
|
which one day we will use to better detect clock skew.
|
|
|
|
o Changes from 0.0.8pre1:
|
|
- Make it compile without warnings again on win32.
|
|
- Log a warning if you're running an unverified server, to let you
|
|
know you might want to get it verified.
|
|
- Only pick a default nickname if you plan to be a server.
|
|
|
|
|
|
Changes in version 0.0.8pre1 - 2004-07-23
|
|
o Bugfixes:
|
|
- Made our unit tests compile again on OpenBSD 3.5, and tor
|
|
itself compile again on OpenBSD on a sparc64.
|
|
- We were neglecting milliseconds when logging on win32, so
|
|
everything appeared to happen at the beginning of each second.
|
|
|
|
o Protocol changes:
|
|
- 'Extend' relay cell payloads now include the digest of the
|
|
intended next hop's identity key. Now we can verify that we're
|
|
extending to the right router, and also extend to routers we
|
|
hadn't heard of before.
|
|
|
|
o Features:
|
|
- Tor nodes can now act as relays (with an advertised ORPort)
|
|
without being manually verified by the dirserver operators.
|
|
- Uploaded descriptors of unverified routers are now accepted
|
|
by the dirservers, and included in the directory.
|
|
- Verified routers are listed by nickname in the running-routers
|
|
list; unverified routers are listed as "$<fingerprint>".
|
|
- We now use hash-of-identity-key in most places rather than
|
|
nickname or addr:port, for improved security/flexibility.
|
|
- To avoid Sybil attacks, paths still use only verified servers.
|
|
But now we have a chance to play around with hybrid approaches.
|
|
- Nodes track bandwidth usage to estimate capacity (not used yet).
|
|
- ClientOnly option for nodes that never want to become servers.
|
|
- Directory caching.
|
|
- "AuthoritativeDir 1" option for the official dirservers.
|
|
- Now other nodes (clients and servers) will cache the latest
|
|
directory they've pulled down.
|
|
- They can enable their DirPort to serve it to others.
|
|
- Clients will pull down a directory from any node with an open
|
|
DirPort, and check the signature/timestamp correctly.
|
|
- Authoritative dirservers now fetch directories from other
|
|
authdirservers, to stay better synced.
|
|
- Running-routers list tells who's down also, along with noting
|
|
if they're verified (listed by nickname) or unverified (listed
|
|
by hash-of-key).
|
|
- Allow dirservers to serve running-router list separately.
|
|
This isn't used yet.
|
|
- ORs connect-on-demand to other ORs
|
|
- If you get an extend cell to an OR you're not connected to,
|
|
connect, handshake, and forward the create cell.
|
|
- The authoritative dirservers stay connected to everybody,
|
|
and everybody stays connected to 0.0.7 servers, but otherwise
|
|
clients/servers expire unused connections after 5 minutes.
|
|
- When servers get a sigint, they delay 30 seconds (refusing new
|
|
connections) then exit. A second sigint causes immediate exit.
|
|
- File and name management:
|
|
- Look for .torrc if no CONFDIR "torrc" is found.
|
|
- If no datadir is defined, then choose, make, and secure ~/.tor
|
|
as datadir.
|
|
- If torrc not found, exitpolicy reject *:*.
|
|
- Expands ~/ in filenames to $HOME/ (but doesn't yet expand ~arma).
|
|
- If no nickname is defined, derive default from hostname.
|
|
- Rename secret key files, e.g. identity.key -> secret_id_key,
|
|
to discourage people from mailing their identity key to tor-ops.
|
|
- Refuse to build a circuit before the directory has arrived --
|
|
it won't work anyway, since you won't know the right onion keys
|
|
to use.
|
|
- Try other dirservers immediately if the one you try is down. This
|
|
should tolerate down dirservers better now.
|
|
- Parse tor version numbers so we can do an is-newer-than check
|
|
rather than an is-in-the-list check.
|
|
- New socks command 'resolve', to let us shim gethostbyname()
|
|
locally.
|
|
- A 'tor_resolve' script to access the socks resolve functionality.
|
|
- A new socks-extensions.txt doc file to describe our
|
|
interpretation and extensions to the socks protocols.
|
|
- Add a ContactInfo option, which gets published in descriptor.
|
|
- Publish OR uptime in descriptor (and thus in directory) too.
|
|
- Write tor version at the top of each log file
|
|
- New docs in the tarball:
|
|
- tor-doc.html.
|
|
- Document that you should proxy your SSL traffic too.
|
|
|
|
|
|
Changes in version 0.0.7.2 - 2004-07-07
|
|
o A better fix for the 0.0.0.0 problem, that will hopefully
|
|
eliminate the remaining related assertion failures.
|
|
|
|
|
|
Changes in version 0.0.7.1 - 2004-07-04
|
|
o When an address resolves to 0.0.0.0, treat it as a failed resolve,
|
|
since internally we use 0.0.0.0 to signify "not yet resolved".
|
|
|
|
|
|
Changes in version 0.0.7 - 2004-06-07
|
|
o Updated the man page to reflect the new features.
|
|
|
|
|
|
Changes in version 0.0.7rc2 - 2004-06-06
|
|
o Changes from 0.0.7rc1:
|
|
- Make it build on Win32 again.
|
|
o Changes from 0.0.6.2:
|
|
- Rotate dnsworkers and cpuworkers on SIGHUP, so they get new config
|
|
settings too.
|
|
|
|
|
|
Changes in version 0.0.7rc1 - 2004-06-02
|
|
o Bugfixes:
|
|
- On sighup, we were adding another log without removing the first
|
|
one. So log messages would get duplicated n times for n sighups.
|
|
- Several cases of using a connection after we'd freed it. The
|
|
problem was that connections that are pending resolve are in both
|
|
the pending_resolve tree, and also the circuit's resolving_streams
|
|
list. When you want to remove one, you must remove it from both.
|
|
- Fix a double-mark-for-close where an end cell arrived for a
|
|
resolving stream, and then the resolve failed.
|
|
- Check directory signatures based on name of signer, not on whom
|
|
we got the directory from. This will let us cache directories more
|
|
easily.
|
|
o Features:
|
|
- Crank up some of our constants to handle more users.
|
|
|
|
|
|
Changes in version 0.0.7pre1 - 2004-06-02
|
|
o Fixes for crashes and other obnoxious bugs:
|
|
- Fix an epipe bug: sometimes when directory connections failed
|
|
to connect, we would give them a chance to flush before closing
|
|
them.
|
|
- When we detached from a circuit because of resolvefailed, we
|
|
would immediately try the same circuit twice more, and then
|
|
give up on the resolve thinking we'd tried three different
|
|
exit nodes.
|
|
- Limit the number of intro circuits we'll attempt to build for a
|
|
hidden service per 15-minute period.
|
|
- Check recommended-software string *early*, before actually parsing
|
|
the directory. Thus we can detect an obsolete version and exit,
|
|
even if the new directory format doesn't parse.
|
|
o Fixes for security bugs:
|
|
- Remember which nodes are dirservers when you startup, and if a
|
|
random OR enables his dirport, don't automatically assume he's
|
|
a trusted dirserver.
|
|
o Other bugfixes:
|
|
- Directory connections were asking the wrong poll socket to
|
|
start writing, and not asking themselves to start writing.
|
|
- When we detached from a circuit because we sent a begin but
|
|
didn't get a connected, we would use it again the first time;
|
|
but after that we would correctly switch to a different one.
|
|
- Stop warning when the first onion decrypt attempt fails; they
|
|
will sometimes legitimately fail now that we rotate keys.
|
|
- Override unaligned-access-ok check when $host_cpu is ia64 or
|
|
arm. Apparently they allow it but the kernel whines.
|
|
- Dirservers try to reconnect periodically too, in case connections
|
|
have failed.
|
|
- Fix some memory leaks in directory servers.
|
|
- Allow backslash in Win32 filenames.
|
|
- Made Tor build complain-free on FreeBSD, hopefully without
|
|
breaking other BSD builds. We'll see.
|
|
o Features:
|
|
- Doxygen markup on all functions and global variables.
|
|
- Make directory functions update routerlist, not replace it. So
|
|
now directory disagreements are not so critical a problem.
|
|
- Remove the upper limit on number of descriptors in a dirserver's
|
|
directory (not that we were anywhere close).
|
|
- Allow multiple logfiles at different severity ranges.
|
|
- Allow *BindAddress to specify ":port" rather than setting *Port
|
|
separately. Allow multiple instances of each BindAddress config
|
|
option, so you can bind to multiple interfaces if you want.
|
|
- Allow multiple exit policy lines, which are processed in order.
|
|
Now we don't need that huge line with all the commas in it.
|
|
- Enable accept/reject policies on SOCKS connections, so you can bind
|
|
to 0.0.0.0 but still control who can use your OP.
|
|
|
|
|
|
Changes in version 0.0.6.2 - 2004-05-16
|
|
o Our integrity-checking digest was checking only the most recent cell,
|
|
not the previous cells like we'd thought.
|
|
Thanks to Stefan Mark for finding the flaw!
|
|
|
|
|
|
Changes in version 0.0.6.1 - 2004-05-06
|
|
o Fix two bugs in our AES counter-mode implementation (this affected
|
|
onion-level stream encryption, but not TLS-level). It turns
|
|
out we were doing something much more akin to a 16-character
|
|
polyalphabetic cipher. Oops.
|
|
Thanks to Stefan Mark for finding the flaw!
|
|
o Retire moria3 as a directory server, and add tor26 as a directory
|
|
server.
|
|
|
|
|
|
Changes in version 0.0.6 - 2004-05-02
|
|
[version bump only]
|
|
|
|
|
|
Changes in version 0.0.6rc4 - 2004-05-01
|
|
o Update the built-in dirservers list to use the new directory format
|
|
o Fix a rare seg fault: if a node offering a hidden service attempts
|
|
to build a circuit to Alice's rendezvous point and fails before it
|
|
reaches the last hop, it retries with a different circuit, but
|
|
then dies.
|
|
o Handle windows socket errors correctly.
|
|
|
|
|
|
Changes in version 0.0.6rc3 - 2004-04-28
|
|
o Don't expire non-general excess circuits (if we had enough
|
|
circuits open, we were expiring rendezvous circuits -- even
|
|
when they had a stream attached. oops.)
|
|
o Fetch randomness from /dev/urandom better (not via fopen/fread)
|
|
o Better debugging for tls errors
|
|
o Some versions of openssl have an SSL_pending function that erroneously
|
|
returns bytes when there is a non-application record pending.
|
|
o Set Content-Type on the directory and hidserv descriptor.
|
|
o Remove IVs from cipher code, since AES-ctr has none.
|
|
o Win32 fixes. Tor now compiles on win32 with no warnings/errors.
|
|
o We were using an array of length zero in a few places.
|
|
o win32's gethostbyname can't resolve an IP to an IP.
|
|
o win32's close can't close a socket.
|
|
|
|
|
|
Changes in version 0.0.6rc2 - 2004-04-26
|
|
o Fix a bug where we were closing tls connections intermittently.
|
|
It turns out openssl keeps its errors around -- so if an error
|
|
happens, and you don't ask about it, and then another openssl
|
|
operation happens and succeeds, and you ask if there was an error,
|
|
it tells you about the first error. Fun fun.
|
|
o Fix a bug that's been lurking since 27 may 03 (!)
|
|
When passing back a destroy cell, we would use the wrong circ id.
|
|
'Mostly harmless', but still worth fixing.
|
|
o Since we don't support truncateds much, don't bother sending them;
|
|
just close the circ.
|
|
o check for <machine/limits.h> so we build on NetBSD again (I hope).
|
|
o don't crash if a conn that sent a begin has suddenly lost its circuit
|
|
(this was quite rare).
|
|
|
|
|
|
Changes in version 0.0.6rc1 - 2004-04-25
|
|
o We now rotate link (tls context) keys and onion keys.
|
|
o CREATE cells now include oaep padding, so you can tell
|
|
if you decrypted them correctly.
|
|
o Add bandwidthburst to server descriptor.
|
|
o Directories now say which dirserver signed them.
|
|
o Use a tor_assert macro that logs failed assertions too.
|
|
|
|
|
|
Changes in version 0.0.6pre5 - 2004-04-18
|
|
o changes from 0.0.6pre4:
|
|
- make tor build on broken freebsd 5.2 installs
|
|
- fix a failed assert when you try an intro point, get a nack, and try
|
|
a second one and it works.
|
|
- when alice uses a port that the hidden service doesn't accept,
|
|
it now sends back an end cell (denied by exit policy). otherwise
|
|
alice would just have to wait to time out.
|
|
- fix another rare bug: when we had tried all the intro
|
|
points for a hidden service, we fetched the descriptor
|
|
again, but we left our introcirc thinking it had already
|
|
sent an intro, so it kept waiting for a response...
|
|
- bugfix: when you sleep your hidden-service laptop, as soon
|
|
as it wakes up it tries to upload a service descriptor, but
|
|
socketpair fails for some reason (localhost not up yet?).
|
|
now we simply give up on that upload, and we'll try again later.
|
|
i'd still like to find the bug though.
|
|
- if an intro circ waiting for an ack dies before getting one, then
|
|
count it as a nack
|
|
- we were reusing stale service descriptors and refetching usable
|
|
ones. oops.
|
|
|
|
|
|
Changes in version 0.0.6pre4 - 2004-04-14
|
|
o changes from 0.0.6pre3:
|
|
- when bob fails to connect to the rendezvous point, and his
|
|
circ didn't fail because of the rendezvous point itself, then
|
|
he retries a couple of times
|
|
- we expire introduction and rendezvous circs more thoroughly
|
|
(sometimes they were hanging around forever)
|
|
- we expire unattached rendezvous streams that have been around
|
|
too long (they were sticking around forever).
|
|
- fix a measly fencepost error that was crashing everybody with
|
|
a strict glibc.
|
|
|
|
|
|
Changes in version 0.0.6pre3 - 2004-04-14
|
|
o changes from 0.0.6pre2:
|
|
- make hup work again
|
|
- fix some memory leaks for dirservers
|
|
- allow more skew in rendezvous descriptor timestamps, to help
|
|
handle people like blanu who don't know what time it is
|
|
- normal circs are 3 hops, but some rend/intro circs are 4, if
|
|
the initiator doesn't get to choose the last hop
|
|
- send acks for introductions, so alice can know whether to try
|
|
again
|
|
- bob publishes intro points more correctly
|
|
o changes from 0.0.5:
|
|
- fix an assert trigger that's been plaguing us since the days
|
|
of 0.0.2prexx (thanks weasel!)
|
|
- retry stream correctly when we fail to connect because of
|
|
exit-policy-reject (should try another) or can't-resolve-address
|
|
(also should try another, because dns on random internet servers
|
|
is flaky).
|
|
- when we hup a dirserver and we've *removed* a server from the
|
|
approved-routers list, now we remove that server from the
|
|
in-memory directories too
|
|
|
|
|
|
Changes in version 0.0.6pre2 - 2004-04-08
|
|
o We fixed our base32 implementation. Now it works on all architectures.
|
|
|
|
|
|
Changes in version 0.0.6pre1 - 2004-04-08
|
|
o Features:
|
|
- Hidden services and rendezvous points are implemented. Go to
|
|
http://6sxoyfb3h2nvok2d.onion/ for an index of currently available
|
|
hidden services. (This only works via a socks4a proxy such as
|
|
Privoxy, and currently it's quite slow.)
|
|
|
|
|
|
Changes in version 0.0.5 - 2004-03-30
|
|
[version bump only]
|
|
|
|
|
|
Changes in version 0.0.5rc3 - 2004-03-29
|
|
o Install torrc as torrc.sample -- we no longer clobber your
|
|
torrc. (Woo!)
|
|
o Re-enable recommendedversion checking (we broke it in rc2, oops)
|
|
o Add in a 'notice' log level for things the operator should hear
|
|
but that aren't warnings
|
|
|
|
|
|
Changes in version 0.0.5rc2 - 2004-03-29
|
|
o Hold socks connection open until reply is flushed (if possible)
|
|
o Make exit nodes resolve IPs to IPs immediately, rather than asking
|
|
the dns farm to do it.
|
|
o Fix c99 aliasing warnings in rephist.c
|
|
o Don't include server descriptors that are older than 24 hours in the
|
|
directory.
|
|
o Give socks 'reject' replies their whole 15s to attempt to flush,
|
|
rather than seeing the 60s timeout and assuming the flush had failed.
|
|
o Clean automake droppings from the cvs repository
|
|
|
|
|
|
Changes in version 0.0.5rc1 - 2004-03-28
|
|
o Fix mangled-state bug in directory fetching (was causing sigpipes).
|
|
o Only build circuits after we've fetched the directory: clients were
|
|
using only the directory servers before they'd fetched a directory.
|
|
This also means longer startup time; so it goes.
|
|
o Fix an assert trigger where an OP would fail to handshake, and we'd
|
|
expect it to have a nickname.
|
|
o Work around a tsocks bug: do a socks reject when AP connection dies
|
|
early, else tsocks goes into an infinite loop.
|
|
|
|
|
|
Changes in version 0.0.4 - 2004-03-26
|
|
o When connecting to a dirserver or OR and the network is down,
|
|
we would crash.
|
|
|
|
|
|
Changes in version 0.0.3 - 2004-03-26
|
|
o Warn and fail if server chose a nickname with illegal characters
|
|
o Port to Solaris and Sparc:
|
|
- include missing header fcntl.h
|
|
- have autoconf find -lsocket -lnsl automatically
|
|
- deal with hardware word alignment
|
|
- make uname() work (solaris has a different return convention)
|
|
- switch from using signal() to sigaction()
|
|
o Preliminary work on reputation system:
|
|
- Keep statistics on success/fail of connect attempts; they're published
|
|
by kill -USR1 currently.
|
|
- Add a RunTesting option to try to learn link state by creating test
|
|
circuits, even when SocksPort is off.
|
|
- Remove unused open circuits when there are too many.
|
|
|
|
|
|
Changes in version 0.0.2 - 2004-03-19
|
|
- Include strlcpy and strlcat for safer string ops
|
|
- define INADDR_NONE so we compile (but still not run) on solaris
|
|
|
|
|
|
Changes in version 0.0.2pre27 - 2004-03-14
|
|
o Bugfixes:
|
|
- Allow internal tor networks (we were rejecting internal IPs,
|
|
now we allow them if they're set explicitly).
|
|
- And fix a few endian issues.
|
|
|
|
|
|
Changes in version 0.0.2pre26 - 2004-03-14
|
|
o New features:
|
|
- If a stream times out after 15s without a connected cell, don't
|
|
try that circuit again: try a new one.
|
|
- Retry streams at most 4 times. Then give up.
|
|
- When a dirserver gets a descriptor from an unknown router, it
|
|
logs its fingerprint (so the dirserver operator can choose to
|
|
accept it even without mail from the server operator).
|
|
- Inform unapproved servers when we reject their descriptors.
|
|
- Make tor build on Windows again. It works as a client, who knows
|
|
about as a server.
|
|
- Clearer instructions in the torrc for how to set up a server.
|
|
- Be more efficient about reading fd's when our global token bucket
|
|
(used for rate limiting) becomes empty.
|
|
o Bugfixes:
|
|
- Stop asserting that computers always go forward in time. It's
|
|
simply not true.
|
|
- When we sent a cell (e.g. destroy) and then marked an OR connection
|
|
expired, we might close it before finishing a flush if the other
|
|
side isn't reading right then.
|
|
- Don't allow dirservers to start if they haven't defined
|
|
RecommendedVersions
|
|
- We were caching transient dns failures. Oops.
|
|
- Prevent servers from publishing an internal IP as their address.
|
|
- Address a strcat vulnerability in circuit.c
|
|
|
|
|
|
Changes in version 0.0.2pre25 - 2004-03-04
|
|
o New features:
|
|
- Put the OR's IP in its router descriptor, not its fqdn. That way
|
|
we'll stop being stalled by gethostbyname for nodes with flaky dns,
|
|
e.g. poblano.
|
|
o Bugfixes:
|
|
- If the user typed in an address that didn't resolve, the server
|
|
crashed.
|
|
|
|
|
|
Changes in version 0.0.2pre24 - 2004-03-03
|
|
o Bugfixes:
|
|
- Fix an assertion failure in dns.c, where we were trying to dequeue
|
|
a pending dns resolve even if it wasn't pending
|
|
- Fix a spurious socks5 warning about still trying to write after the
|
|
connection is finished.
|
|
- Hold certain marked_for_close connections open until they're finished
|
|
flushing, rather than losing bytes by closing them too early.
|
|
- Correctly report the reason for ending a stream
|
|
- Remove some duplicate calls to connection_mark_for_close
|
|
- Put switch_id and start_daemon earlier in the boot sequence, so it
|
|
will actually try to chdir() to options.DataDirectory
|
|
- Make 'make test' exit(1) if a test fails; fix some unit tests
|
|
- Make tor fail when you use a config option it doesn't know about,
|
|
rather than warn and continue.
|
|
- Make --version work
|
|
- Bugfixes on the rpm spec file and tor.sh, so it's more up to date
|
|
|
|
|
|
Changes in version 0.0.2pre23 - 2004-02-29
|
|
o New features:
|
|
- Print a statement when the first circ is finished, so the user
|
|
knows it's working.
|
|
- If a relay cell is unrecognized at the end of the circuit,
|
|
send back a destroy. (So attacks to mutate cells are more
|
|
clearly thwarted.)
|
|
- New config option 'excludenodes' to avoid certain nodes for circuits.
|
|
- When it daemonizes, it chdir's to the DataDirectory rather than "/",
|
|
so you can collect coredumps there.
|
|
o Bugfixes:
|
|
- Fix a bug in tls flushing where sometimes data got wedged and
|
|
didn't flush until more data got sent. Hopefully this bug was
|
|
a big factor in the random delays we were seeing.
|
|
- Make 'connected' cells include the resolved IP, so the client
|
|
dns cache actually gets populated.
|
|
- Disallow changing from ORPort=0 to ORPort>0 on hup.
|
|
- When we time-out on a stream and detach from the circuit, send an
|
|
end cell down it first.
|
|
- Only warn about an unknown router (in exitnodes, entrynodes,
|
|
excludenodes) after we've fetched a directory.
|
|
|
|
|
|
Changes in version 0.0.2pre22 - 2004-02-26
|
|
o New features:
|
|
- Servers publish less revealing uname information in descriptors.
|
|
- More memory tracking and assertions, to crash more usefully when
|
|
errors happen.
|
|
- If the default torrc isn't there, just use some default defaults.
|
|
Plus provide an internal dirservers file if they don't have one.
|
|
- When the user tries to use Tor as an http proxy, give them an http
|
|
501 failure explaining that we're a socks proxy.
|
|
- Dump a new router.desc on hup, to help confused people who change
|
|
their exit policies and then wonder why router.desc doesn't reflect
|
|
it.
|
|
- Clean up the generic tor.sh init script that we ship with.
|
|
o Bugfixes:
|
|
- If the exit stream is pending on the resolve, and a destroy arrives,
|
|
then the stream wasn't getting removed from the pending list. I
|
|
think this was the one causing recent server crashes.
|
|
- Use a more robust poll on OSX 10.3, since their poll is flaky.
|
|
- When it couldn't resolve any dirservers, it was useless from then on.
|
|
Now it reloads the RouterFile (or default dirservers) if it has no
|
|
dirservers.
|
|
- Move the 'tor' binary back to /usr/local/bin/ -- it turns out
|
|
many users don't even *have* a /usr/local/sbin/.
|
|
|
|
|
|
Changes in version 0.0.2pre21 - 2004-02-18
|
|
o New features:
|
|
- There's a ChangeLog file that actually reflects the changelog.
|
|
- There's a 'torify' wrapper script, with an accompanying
|
|
tor-tsocks.conf, that simplifies the process of using tsocks for
|
|
tor. It even has a man page.
|
|
- The tor binary gets installed to sbin rather than bin now.
|
|
- Retry streams where the connected cell hasn't arrived in 15 seconds
|
|
- Clean up exit policy handling -- get the default out of the torrc,
|
|
so we can update it without forcing each server operator to fix
|
|
his/her torrc.
|
|
- Allow imaps and pop3s in default exit policy
|
|
o Bugfixes:
|
|
- Prevent picking middleman nodes as the last node in the circuit
|
|
|
|
|
|
Changes in version 0.0.2pre20 - 2004-01-30
|
|
o New features:
|
|
- We now have a deb package, and it's in debian unstable. Go to
|
|
it, apt-getters. :)
|
|
- I've split the TotalBandwidth option into BandwidthRate (how many
|
|
bytes per second you want to allow, long-term) and
|
|
BandwidthBurst (how many bytes you will allow at once before the cap
|
|
kicks in). This better token bucket approach lets you, say, set
|
|
BandwidthRate to 10KB/s and BandwidthBurst to 10MB, allowing good
|
|
performance while not exceeding your monthly bandwidth quota.
|
|
- Push out a tls record's worth of data once you've got it, rather
|
|
than waiting until you've read everything waiting to be read. This
|
|
may improve performance by pipelining better. We'll see.
|
|
- Add an AP_CONN_STATE_CONNECTING state, to allow streams to detach
|
|
from failed circuits (if they haven't been connected yet) and attach
|
|
to new ones.
|
|
- Expire old streams that haven't managed to connect. Some day we'll
|
|
have them reattach to new circuits instead.
|
|
|
|
o Bugfixes:
|
|
- Fix several memory leaks that were causing servers to become bloated
|
|
after a while.
|
|
- Fix a few very rare assert triggers. A few more remain.
|
|
- Setuid to User _before_ complaining about running as root.
|
|
|
|
|
|
Changes in version 0.0.2pre19 - 2004-01-07
|
|
o Bugfixes:
|
|
- Fix deadlock condition in dns farm. We were telling a child to die by
|
|
closing the parent's file descriptor to him. But newer children were
|
|
inheriting the open file descriptor from the parent, and since they
|
|
weren't closing it, the socket never closed, so the child never read
|
|
eof, so he never knew to exit. Similarly, dns workers were holding
|
|
open other sockets, leading to all sorts of chaos.
|
|
- New cleaner daemon() code for forking and backgrounding.
|
|
- If you log to a file, it now prints an entry at the top of the
|
|
logfile so you know it's working.
|
|
- The onionskin challenge length was 30 bytes longer than necessary.
|
|
- Started to patch up the spec so it's not quite so out of date.
|
|
|
|
|
|
Changes in version 0.0.2pre18 - 2004-01-02
|
|
o Bugfixes:
|
|
- Fix endian issues with the 'integrity' field in the relay header.
|
|
- Fix a potential bug where connections in state
|
|
AP_CONN_STATE_CIRCUIT_WAIT might unexpectedly ask to write.
|
|
|
|
|
|
Changes in version 0.0.2pre17 - 2003-12-30
|
|
o Bugfixes:
|
|
- Made --debuglogfile (or any second log file, actually) work.
|
|
- Resolved an edge case in get_unique_circ_id_by_conn where a smart
|
|
adversary could force us into an infinite loop.
|
|
|
|
o Features:
|
|
- Each onionskin handshake now includes a hash of the computed key,
|
|
to prove the server's identity and help perfect forward secrecy.
|
|
- Changed cell size from 256 to 512 bytes (working toward compatibility
|
|
with MorphMix).
|
|
- Changed cell length to 2 bytes, and moved it to the relay header.
|
|
- Implemented end-to-end integrity checking for the payloads of
|
|
relay cells.
|
|
- Separated streamid from 'recognized' (otherwise circuits will get
|
|
messed up when we try to have streams exit from the middle). We
|
|
use the integrity-checking to confirm that a cell is addressed to
|
|
this hop.
|
|
- Randomize the initial circid and streamid values, so an adversary who
|
|
breaks into a node can't learn how many circuits or streams have
|
|
been made so far.
|
|
|
|
|
|
Changes in version 0.0.2pre16 - 2003-12-14
|
|
o Bugfixes:
|
|
- Fixed a bug that made HUP trigger an assert
|
|
- Fixed a bug where a circuit that immediately failed wasn't being
|
|
counted as a failed circuit in counting retries.
|
|
|
|
o Features:
|
|
- Now we close the circuit when we get a truncated cell: otherwise we're
|
|
open to an anonymity attack where a bad node in the path truncates
|
|
the circuit and then we open streams at him.
|
|
- Add port ranges to exit policies
|
|
- Add a conservative default exit policy
|
|
- Warn if you're running tor as root
|
|
- on HUP, retry OR connections and close/rebind listeners
|
|
- options.EntryNodes: try these nodes first when picking the first node
|
|
- options.ExitNodes: if your best choices happen to include any of
|
|
your preferred exit nodes, you choose among just those preferred
|
|
exit nodes.
|
|
- options.ExcludedNodes: nodes that are never picked in path building
|
|
|
|
|
|
Changes in version 0.0.2pre15 - 2003-12-03
|
|
o Robustness and bugfixes:
|
|
- Sometimes clients would cache incorrect DNS resolves, which would
|
|
really screw things up.
|
|
- An OP that goes offline would slowly leak all its sockets and stop
|
|
working.
|
|
- A wide variety of bugfixes in exit node selection, exit policy
|
|
handling, and processing pending streams when a new circuit is
|
|
established.
|
|
- Pick nodes for a path only from those the directory says are up
|
|
- Choose randomly from all running dirservers, not always the first one
|
|
- Increase allowed http header size for directory fetch.
|
|
- Stop writing to stderr (if we're daemonized it will be closed).
|
|
- Enable -g always, so cores will be more useful to me.
|
|
- Switch "-lcrypto -lssl" to "-lssl -lcrypto" for broken distributions.
|
|
|
|
o Documentation:
|
|
- Wrote a man page. It lists commonly used options.
|
|
|
|
o Configuration:
|
|
- Change default loglevel to warn.
|
|
- Make PidFile default to null rather than littering in your CWD.
|
|
- OnionRouter config option is now obsolete. Instead it just checks
|
|
ORPort>0.
|
|
- Moved to a single unified torrc file for both clients and servers.
|
|
|
|
|
|
Changes in version 0.0.2pre14 - 2003-11-29
|
|
o Robustness and bugfixes:
|
|
- Force the admin to make the DataDirectory himself
|
|
- to get ownership/permissions right
|
|
- so clients no longer make a DataDirectory and then never use it
|
|
- fix bug where a client who was offline for 45 minutes would never
|
|
pull down a directory again
|
|
- fix (or at least hide really well) the dns assert bug that was
|
|
causing server crashes
|
|
- warnings and improved robustness wrt clockskew for certs
|
|
- use the native daemon(3) to daemonize, when available
|
|
- exit if bind() fails
|
|
- exit if neither socksport nor orport is defined
|
|
- include our own tor_timegm (Win32 doesn't have its own)
|
|
- bugfix for win32 with lots of connections
|
|
- fix minor bias in PRNG
|
|
- make dirserver more robust to corrupt cached directory
|
|
|
|
o Documentation:
|
|
- Wrote the design document (woo)
|
|
|
|
o Circuit building and exit policies:
|
|
- Circuits no longer try to use nodes that the directory has told them
|
|
are down.
|
|
- Exit policies now support bitmasks (18.0.0.0/255.0.0.0) and
|
|
bitcounts (18.0.0.0/8).
|
|
- Make AP connections standby for a circuit if no suitable circuit
|
|
exists, rather than failing
|
|
- Circuits choose exit node based on addr/port, exit policies, and
|
|
which AP connections are standing by
|
|
- Bump min pathlen from 2 to 3
|
|
- Relay end cells have a payload to describe why the stream ended.
|
|
- If the stream failed because of exit policy, try again with a new
|
|
circuit.
|
|
- Clients have a dns cache to remember resolved addresses.
|
|
- Notice more quickly when we have no working circuits
|
|
|
|
o Configuration:
|
|
- APPort is now called SocksPort
|
|
- SocksBindAddress, ORBindAddress, DirBindAddress let you configure
|
|
where to bind
|
|
- RecommendedVersions is now a config variable rather than
|
|
hardcoded (for dirservers)
|
|
- Reloads config on HUP
|
|
- Usage info on -h or --help
|
|
- If you set User and Group config vars, it'll setu/gid to them.
|
|
|
|
|
|
Changes in version 0.0.2pre13 - 2003-10-19
|
|
o General stability:
|
|
- SSL_write no longer fails when it returns WANTWRITE and the number
|
|
of bytes in the buf has changed by the next SSL_write call.
|
|
- Fix segfault fetching directory when network is down
|
|
- Fix a variety of minor memory leaks
|
|
- Dirservers reload the fingerprints file on HUP, so I don't have
|
|
to take down the network when I approve a new router
|
|
- Default server config file has explicit Address line to specify fqdn
|
|
|
|
o Buffers:
|
|
- Buffers grow and shrink as needed (Cut process size from 20M to 2M)
|
|
- Make listener connections not ever alloc bufs
|
|
|
|
o Autoconf improvements:
|
|
- don't clobber an external CFLAGS in ./configure
|
|
- Make install now works
|
|
- create var/lib/tor on make install
|
|
- autocreate a tor.sh initscript to help distribs
|
|
- autocreate the torrc and sample-server-torrc with correct paths
|
|
|
|
o Log files and Daemonizing now work:
|
|
- If --DebugLogFile is specified, log to it at -l debug
|
|
- If --LogFile is specified, use it instead of commandline
|
|
- If --RunAsDaemon is set, tor forks and backgrounds on startup
|
|
|