[or-cvs] blow away the interim changelogs for the 0.1.1.x tree
arma at seul.org
arma at seul.org
Tue May 23 17:02:23 UTC 2006
Update of /home/or/cvsroot/tor
In directory moria:/home/arma/work/onion/tor-011x/tor
Modified Files:
Tag: tor-0_1_1-patches
ChangeLog
Log Message:
blow away the interim changelogs for the 0.1.1.x tree
Index: ChangeLog
===================================================================
RCS file: /home/or/cvsroot/tor/ChangeLog,v
retrieving revision 1.154.2.3
retrieving revision 1.154.2.4
diff -u -p -d -r1.154.2.3 -r1.154.2.4
--- ChangeLog 3 May 2006 18:31:51 -0000 1.154.2.3
+++ ChangeLog 23 May 2006 17:02:21 -0000 1.154.2.4
@@ -1,1030 +1,3 @@
-Changes in version 0.1.1.19-rc - 2006-05-03
- o Minor bugs:
- - Regenerate our local descriptor if it's dirty and we try to use
- it locally (e.g. if it changes during reachability detection).
- - If we setconf our ORPort to 0, we continued to listen on the
- old ORPort and receive connections.
- - Avoid a second warning about machine/limits.h on Debian
- GNU/kFreeBSD.
- - Be willing to add our own routerinfo into the routerlist.
- Now authorities will include themselves in their directories
- and network-statuses.
- - Stop trying to upload rendezvous descriptors to every
- directory authority: only try the v1 authorities.
- - Servers no longer complain when they think they're not
- registered with the directory authorities. There were too many
- false positives.
- - Backport dist-rpm changes so rpms can be built without errors.
-
- o Features:
- - Implement an option, VirtualAddrMask, to set which addresses
- get handed out in response to mapaddress requests. This works
- around a bug in tsocks where 127.0.0.0/8 is never socksified.
-
-
-Changes in version 0.1.1.18-rc - 2006-04-10
- o Major fixes:
- - Work harder to download live network-statuses from all the
- directory authorities we know about. Improve the threshold
- decision logic so we're more robust to edge cases.
- - When fetching rendezvous descriptors, we were willing to ask
- v2 authorities too, which would always return 404.
-
- o Minor fixes:
- - Stop listing down or invalid nodes in the v1 directory. This will
- reduce its bulk by about 1/3, and reduce load on directory mirrors.
- - When deciding whether a router is Fast or Guard-worthy, consider
- his advertised BandwidthRate and not just the BandwidthCapacity.
- - No longer ship INSTALL and README files -- they are useless now.
- - Force rpmbuild to behave and honor target_cpu.
- - Avoid warnings about machine/limits.h on Debian GNU/kFreeBSD.
- - Start to include translated versions of the tor-doc-*.html
- files, along with the screenshots. Still needs more work.
- - Start sending back 512 and 451 errors if mapaddress fails,
- rather than not sending anything back at all.
- - When we fail to bind or listen on an incoming or outgoing
- socket, we should close it before failing. otherwise we just
- leak it. (thanks to weasel for finding.)
- - Allow "getinfo dir/status/foo" to work, as long as your DirPort
- is enabled. (This is a hack, and will be fixed in 0.1.2.x.)
- - Make NoPublish (even though deprecated) work again.
- - Fix a minor security flaw where a versioning auth dirserver
- could list a recommended version many times in a row to make
- clients more convinced that it's recommended.
- - Fix crash bug if there are two unregistered servers running
- with the same nickname, one of them is down, and you ask for
- them by nickname in your EntryNodes or ExitNodes. Also, try
- to pick the one that's running rather than an arbitrary one.
- - Fix an infinite loop we could hit if we go offline for too long.
- - Complain when we hit WSAENOBUFS on recv() or write() too.
- Perhaps this will help us hunt the bug.
- - If you're not a versioning dirserver, don't put the string
- "client-versions \nserver-versions \n" in your network-status.
- - Lower the minimum required number of file descriptors to 1000,
- so we can have some overhead for Valgrind on Linux, where the
- default ulimit -n is 1024.
-
- o New features:
- - Add tor.dizum.com as the fifth authoritative directory server.
- - Add a new config option FetchUselessDescriptors, off by default,
- for when you plan to run "exitlist" on your client and you want
- to know about even the non-running descriptors.
-
-
-Changes in version 0.1.1.17-rc - 2006-03-28
- o Major fixes:
- - Clients and servers since 0.1.1.10-alpha have been expiring
- connections whenever they are idle for 5 minutes and they *do*
- have circuits on them. Oops. With this new version, clients will
- discard their previous entry guard choices and avoid choosing
- entry guards running these flawed versions.
- - Fix memory leak when uncompressing concatenated zlib streams. This
- was causing substantial leaks over time on Tor servers.
- - The v1 directory was including servers as much as 48 hours old,
- because that's how the new routerlist->routers works. Now only
- include them if they're 20 hours old or less.
-
- o Minor fixes:
- - Resume building on irix64, netbsd 2.0, etc.
- - On non-gcc compilers (e.g. solaris), use "-g -O" instead of
- "-Wall -g -O2".
- - Stop writing the "router.desc" file, ever. Nothing uses it anymore,
- and it is confusing some users.
- - Mirrors stop caching the v1 directory so often.
- - Make the max number of old descriptors that a cache will hold
- rise with the number of directory authorities, so we can scale.
- - Change our win32 uname() hack to be more forgiving about what
- win32 versions it thinks it's found.
-
- o New features:
- - Add lefkada.eecs.harvard.edu as a fourth authoritative directory
- server.
- - When the controller's *setconf commands fail, collect an error
- message in a string and hand it back to the controller.
- - Make the v2 dir's "Fast" flag based on relative capacity, just
- like "Stable" is based on median uptime. Name everything in the
- top 7/8 Fast, and only the top 1/2 gets to be a Guard.
- - Log server fingerprint on startup, so new server operators don't
- have to go hunting around their filesystem for it.
- - Return a robots.txt on our dirport to discourage google indexing.
- - Let the controller ask for GETINFO dir/status/foo so it can ask
- directly rather than connecting to the dir port. Only works when
- dirport is set for now.
-
- o New config options rather than constants in the code:
- - SocksTimeout: How long do we let a socks connection wait
- unattached before we fail it?
- - CircuitBuildTimeout: Cull non-open circuits that were born
- at least this many seconds ago.
- - CircuitIdleTimeout: Cull open clean circuits that were born
- at least this many seconds ago.
-
-
-Changes in version 0.1.1.16-rc - 2006-03-18
- o Bugfixes on 0.1.1.15-rc:
- - Fix assert when the controller asks to attachstream a connect-wait
- or resolve-wait stream.
- - Now do address rewriting when the controller asks us to attach
- to a particular circuit too. This will let Blossom specify
- "moria2.exit" without having to learn what moria2's IP address is.
- - Make the "tor --verify-config" command-line work again, so people
- can automatically check if their torrc will parse.
- - Authoritative dirservers no longer require an open connection from
- a server to consider him "reachable". We need this change because
- when we add new auth dirservers, old servers won't know not to
- hang up on them.
- - Let Tor build on Sun CC again.
- - Fix an off-by-one buffer size in dirserv.c that magically never
- hit our three authorities but broke sjmurdoch's own tor network.
- - If we as a directory mirror don't know of any v1 directory
- authorities, then don't try to cache any v1 directories.
- - Stop warning about unknown servers in our family when they are
- given as hex digests.
- - Stop complaining as quickly to the server operator that he
- hasn't registered his nickname/key binding.
- - Various cleanups so we can add new V2 Auth Dirservers.
- - Change "AllowUnverifiedNodes" to "AllowInvalidNodes", to
- reflect the updated flags in our v2 dir protocol.
- - Resume allowing non-printable characters for exit streams (both
- for connecting and for resolving). Now we tolerate applications
- that don't follow the RFCs. But continue to block malformed names
- at the socks side.
-
- o Bugfixes on 0.1.0.x:
- - Fix assert bug in close_logs(): when we close and delete logs,
- remove them all from the global "logfiles" list.
- - Fix minor integer overflow in calculating when we expect to use up
- our bandwidth allocation before hibernating.
- - Fix a couple of bugs in OpenSSL detection. Also, deal better when
- there are multiple SSLs installed with different versions.
- - When we try to be a server and Address is not explicitly set and
- our hostname resolves to a private IP address, try to use an
- interface address if it has a public address. Now Windows machines
- that think of themselves as localhost can work by default.
-
- o New features:
- - Let the controller ask for GETINFO dir/server/foo so it can ask
- directly rather than connecting to the dir port.
- - Let the controller tell us about certain router descriptors
- that it doesn't want Tor to use in circuits. Implement
- SETROUTERPURPOSE and modify +POSTDESCRIPTOR to do this.
- - New config option SafeSocks to reject all application connections
- using unsafe socks protocols. Defaults to off.
-
-
-Changes in version 0.1.1.15-rc - 2006-03-11
- o Bugfixes and cleanups:
- - When we're printing strings from the network, don't try to print
- non-printable characters. This protects us against shell escape
- sequence exploits, and also against attacks to fool humans into
- misreading their logs.
- - Fix a bug where Tor would fail to establish any connections if you
- left it off for 24 hours and then started it: we were happy with
- the obsolete network statuses, but they all referred to router
- descriptors that were too old to fetch, so we ended up with no
- valid router descriptors.
- - Fix a seg fault in the controller's "getinfo orconn-status" command
- while listing status on incoming handshaking connections. Introduce
- a status name "NEW" for these connections.
- - If we get a linelist or linelist_s config option from the torrc
- (e.g. ExitPolicy) and it has no value, warn and skip rather than
- silently resetting it to its default.
- - Don't abandon entry guards until they've been down or gone for
- a whole month.
- - Cleaner and quieter log messages.
-
- o New features:
- - New controller signal NEWNYM that makes new application requests
- use clean circuits.
- - Add a new circuit purpose 'controller' to let the controller ask
- for a circuit that Tor won't try to use. Extend the EXTENDCIRCUIT
- controller command to let you specify the purpose if you're starting
- a new circuit. Add a new SETCIRCUITPURPOSE controller command to
- let you change a circuit's purpose after it's been created.
- - Accept "private:*" in routerdesc exit policies; not generated yet
- because older Tors do not understand it.
- - Add BSD-style contributed startup script "rc.subr" from Peter
- Thoenen.
-
-
-Changes in version 0.1.1.14-alpha - 2006-02-20
- o Bugfixes on 0.1.1.x:
- - Don't die if we ask for a stdout or stderr log (even implicitly)
- and we're set to RunAsDaemon -- just warn.
- - We still had a few bugs in the OR connection rotation code that
- caused directory servers to slowly aggregate connections to other
- fast Tor servers. This time for sure!
- - Make log entries on Win32 include the name of the function again.
- - We were treating a pair of exit policies if they were equal even
- if one said accept and the other said reject -- causing us to
- not always publish a new descriptor since we thought nothing
- had changed.
- - Retry pending server downloads as well as pending networkstatus
- downloads when we unexpectedly get a socks request.
- - We were ignoring the IS_FAST flag in the directory status,
- meaning we were willing to pick trivial-bandwidth nodes for "fast"
- connections.
- - If the controller's SAVECONF command fails (e.g. due to file
- permissions), let the controller know that it failed.
-
- o Features:
- - If we're trying to be a Tor server and running Windows 95/98/ME
- as a server, explain that we'll likely crash.
- - When we're a server, a client asks for an old-style directory,
- and our write bucket is empty, don't give it to him. This way
- small servers can continue to serve the directory *sometimes*,
- without getting overloaded.
- - Compress exit policies even more -- look for duplicate lines
- and remove them.
- - Clients now honor the "guard" flag in the router status when
- picking entry guards, rather than looking at is_fast or is_stable.
- - Retain unrecognized lines in $DATADIR/state file, so that we can
- be forward-compatible.
- - Generate 18.0.0.0/8 address policy format in descs when we can;
- warn when the mask is not reducible to a bit-prefix.
- - Let the user set ControlListenAddress in the torrc. This can be
- dangerous, but there are some cases (like a secured LAN) where it
- makes sense.
- - Split ReachableAddresses into ReachableDirAddresses and
- ReachableORAddresses, so we can restrict Dir conns to port 80
- and OR conns to port 443.
- - Now we can target arch and OS in rpm builds (contributed by
- Phobos). Also make the resulting dist-rpm filename match the
- target arch.
- - New config options to help controllers: FetchServerDescriptors
- and FetchHidServDescriptors for whether to fetch server
- info and hidserv info or let the controller do it, and
- PublishServerDescriptor and PublishHidServDescriptors.
- - Also let the controller set the __AllDirActionsPrivate config
- option if you want all directory fetches/publishes to happen via
- Tor (it assumes your controller bootstraps your circuits).
-
-
-Changes in version 0.1.1.13-alpha - 2006-02-09
- o Crashes in 0.1.1.x:
- - When you tried to setconf ORPort via the controller, Tor would
- crash. So people using TorCP to become a server were sad.
- - Solve (I hope) the stack-smashing bug that we were seeing on fast
- servers. The problem appears to be something do with OpenSSL's
- random number generation, or how we call it, or something. Let me
- know if the crashes continue.
- - Turn crypto hardware acceleration off by default, until we find
- somebody smart who can test it for us. (It appears to produce
- seg faults in at least some cases.)
- - Fix a rare assert error when we've tried all intro points for
- a hidden service and we try fetching the service descriptor again:
- "Assertion conn->state != AP_CONN_STATE_RENDDESC_WAIT failed"
-
- o Major fixes:
- - Fix a major load balance bug: we were round-robining in 16 KB
- chunks, and servers with bandwidthrate of 20 KB, while downloading
- a 600 KB directory, would starve their other connections. Now we
- try to be a bit more fair.
- - Dir authorities and mirrors were never expiring the newest
- descriptor for each server, causing memory and directory bloat.
- - Fix memory-bloating and connection-bloating bug on servers: We
- were never closing any connection that had ever had a circuit on
- it, because we were checking conn->n_circuits == 0, yet we had a
- bug that let it go negative.
- - Make Tor work using squid as your http proxy again -- squid
- returns an error if you ask for a URL that's too long, and it uses
- a really generic error message. Plus, many people are behind a
- transparent squid so they don't even realize it.
- - On platforms that don't have getrlimit (like Windows), we were
- artificially constraining ourselves to a max of 1024
- connections. Now just assume that we can handle as many as 15000
- connections. Hopefully this won't cause other problems.
- - Add a new config option ExitPolicyRejectPrivate which defaults to
- 1. This means all exit policies will begin with rejecting private
- addresses, unless the server operator explicitly turns it off.
-
- o Major features:
- - Clients no longer download descriptors for non-running descriptors.
- - Before we add new directory authorities, we should make it
- clear that only v1 authorities should receive/publish hidden
- service descriptors.
-
- o Minor features:
- - As soon as we've fetched some more directory info, immediately
- try to download more server descriptors. This way we don't have
- a 10 second pause during initial bootstrapping.
- - Remove even more loud log messages that the server operator can't
- do anything about.
- - When we're running an obsolete or un-recommended version, make
- the log message more clear about what the problem is and what
- versions *are* still recommended.
- - Provide a more useful warn message when our onion queue gets full:
- the CPU is too slow or the exit policy is too liberal.
- - Don't warn when we receive a 503 from a dirserver/cache -- this
- will pave the way for them being able to refuse if they're busy.
- - When we fail to bind a listener, try to provide a more useful
- log message: e.g., "Is Tor already running?"
- - Adjust tor-spec to parameterize cell and key lengths. Now Ian
- Goldberg can prove things about our handshake protocol more
- easily.
- - MaxConn has been obsolete for a while now. Document the ConnLimit
- config option, which is a *minimum* number of file descriptors
- that must be available else Tor refuses to start.
- - Apply Matt Ghali's --with-syslog-facility patch to ./configure
- if you log to syslog and want something other than LOG_DAEMON.
- - Make dirservers generate a separate "guard" flag to mean,
- "would make a good entry guard". Make clients parse it and vote
- on it. Not used by clients yet.
- - Implement --with-libevent-dir option to ./configure. Also, improve
- search techniques to find libevent, and use those for openssl too.
- - Bump the default bandwidthrate to 3 MB, and burst to 6 MB
- - Only start testing reachability once we've established a
- circuit. This will make startup on dirservers less noisy.
- - Don't try to upload hidden service descriptors until we have
- established a circuit.
- - Fix the controller's "attachstream 0" command to treat conn like
- it just connected, doing address remapping, handling .exit and
- .onion idioms, and so on. Now we're more uniform in making sure
- that the controller hears about new and closing connections.
-
-
-Changes in version 0.1.1.12-alpha - 2006-01-11
- o Bugfixes on 0.1.1.x:
- - The fix to close duplicate server connections was closing all
- Tor client connections if they didn't establish a circuit
- quickly enough. Oops.
- - Fix minor memory issue (double-free) that happened on exit.
-
- o Bugfixes on 0.1.0.x:
- - Tor didn't warn when it failed to open a log file.
-
-
-Changes in version 0.1.1.11-alpha - 2006-01-10
- o Crashes in 0.1.1.x:
- - Include all the assert/crash fixes from 0.1.0.16.
- - If you start Tor and then quit very quickly, there were some
- races that tried to free things that weren't allocated yet.
- - Fix a rare memory stomp if you're running hidden services.
- - Fix segfault when specifying DirServer in config without nickname.
- - Fix a seg fault when you finish connecting to a server but at
- that moment you dump his server descriptor.
- - Extendcircuit and Attachstream controller commands would
- assert/crash if you don't give them enough arguments.
- - Fix an assert error when we're out of space in the connection_list
- and we try to post a hidden service descriptor (reported by weasel).
- - If you specify a relative torrc path and you set RunAsDaemon in
- your torrc, then it chdir()'s to the new directory. If you HUP,
- it tries to load the new torrc location, fails, and exits.
- The fix: no longer allow a relative path to torrc using -f.
-
- o Major features:
- - Implement "entry guards": automatically choose a handful of entry
- nodes and stick with them for all circuits. Only pick new guards
- when the ones you have are unsuitable, and if the old guards
- become suitable again, switch back. This will increase security
- dramatically against certain end-point attacks. The EntryNodes
- config option now provides some hints about which entry guards you
- want to use most; and StrictEntryNodes means to only use those.
- (CVE-2006-0414)
- - New directory logic: download by descriptor digest, not by
- fingerprint. Caches try to download all listed digests from
- authorities; clients try to download "best" digests from caches.
- This avoids partitioning and isolating attacks better.
- - Make the "stable" router flag in network-status be the median of
- the uptimes of running valid servers, and make clients pay
- attention to the network-status flags. Thus the cutoff adapts
- to the stability of the network as a whole, making IRC, IM, etc
- connections more reliable.
-
- o Major fixes:
- - Tor servers with dynamic IP addresses were needing to wait 18
- hours before they could start doing reachability testing using
- the new IP address and ports. This is because they were using
- the internal descriptor to learn what to test, yet they were only
- rebuilding the descriptor once they decided they were reachable.
- - Tor 0.1.1.9 and 0.1.1.10 had a serious bug that caused clients
- to download certain server descriptors, throw them away, and then
- fetch them again after 30 minutes. Now mirrors throw away these
- server descriptors so clients can't get them.
- - We were leaving duplicate connections to other ORs open for a week,
- rather than closing them once we detect a duplicate. This only
- really affected authdirservers, but it affected them a lot.
- - Spread the authdirservers' reachability testing over the entire
- testing interval, so we don't try to do 500 TLS's at once every
- 20 minutes.
-
- o Minor fixes:
- - If the network is down, and we try to connect to a conn because
- we have a circuit in mind, and we timeout (30 seconds) because the
- network never answers, we were expiring the circuit, but we weren't
- obsoleting the connection or telling the entry_guards functions.
- - Some Tor servers process billions of cells per day. These statistics
- need to be uint64_t's.
- - Check for integer overflows in more places, when adding elements
- to smartlists. This could possibly prevent a buffer overflow
- on malicious huge inputs. I don't see any, but I haven't looked
- carefully.
- - ReachableAddresses kept growing new "reject *:*" lines on every
- setconf/reload.
- - When you "setconf log" via the controller, it should remove all
- logs. We were automatically adding back in a "log notice stdout".
- - Newly bootstrapped Tor networks couldn't establish hidden service
- circuits until they had nodes with high uptime. Be more tolerant.
- - We were marking servers down when they could not answer every piece
- of the directory request we sent them. This was far too harsh.
- - Fix the torify (tsocks) config file to not use Tor for localhost
- connections.
- - Directory authorities now go to the proper authority when asking for
- a networkstatus, even when they want a compressed one.
- - Fix a harmless bug that was causing Tor servers to log
- "Got an end because of misc error, but we're not an AP. Closing."
- - Authorities were treating their own descriptor changes as cosmetic,
- meaning the descriptor available in the network-status and the
- descriptor that clients downloaded were different.
- - The OS X installer was adding a symlink for tor_resolve but
- the binary was called tor-resolve (reported by Thomas Hardly).
- - Workaround a problem with some http proxies where they refuse GET
- requests that specify "Content-Length: 0" (reported by Adrian).
- - Fix wrong log message when you add a "HiddenServiceNodes" config
- line without any HiddenServiceDir line (reported by Chris Thomas).
-
- o Minor features:
- - Write the TorVersion into the state file so we have a prayer of
- keeping forward and backward compatibility.
- - Revive the FascistFirewall config option rather than eliminating it:
- now it's a synonym for ReachableAddresses *:80,*:443.
- - Clients choose directory servers from the network status lists,
- not from their internal list of router descriptors. Now they can
- go to caches directly rather than needing to go to authorities
- to bootstrap.
- - Directory authorities ignore router descriptors that have only
- cosmetic differences: do this for 0.1.0.x servers now too.
- - Add a new flag to network-status indicating whether the server
- can answer v2 directory requests too.
- - Authdirs now stop whining so loudly about bad descriptors that
- they fetch from other dirservers. So when there's a log complaint,
- it's for sure from a freshly uploaded descriptor.
- - Reduce memory requirements in our structs by changing the order
- of fields.
- - There used to be two ways to specify your listening ports in a
- server descriptor: on the "router" line and with a separate "ports"
- line. Remove support for the "ports" line.
- - New config option "AuthDirRejectUnlisted" for auth dirservers as
- a panic button: if we get flooded with unusable servers we can
- revert to only listing servers in the approved-routers file.
- - Auth dir servers can now mark a fingerprint as "!reject" or
- "!invalid" in the approved-routers file (as its nickname), to
- refuse descriptors outright or include them but marked as invalid.
- - Servers store bandwidth history across restarts/crashes.
- - Add reasons to DESTROY and RELAY_TRUNCATED cells, so clients can
- get a better idea of why their circuits failed. Not used yet.
- - Directory mirrors now cache up to 16 unrecognized network-status
- docs. Now we can add new authdirservers and they'll be cached too.
- - When picking a random directory, prefer non-authorities if any
- are known.
- - New controller option "getinfo desc/all-recent" to fetch the
- latest server descriptor for every router that Tor knows about.
-
-
-Changes in version 0.1.1.10-alpha - 2005-12-11
- o Correctness bugfixes on 0.1.0.x:
- - On Windows, build with a libevent patch from "I-M Weasel" to avoid
- corrupting the heap, losing FDs, or crashing when we need to resize
- the fd_sets. (This affects the Win32 binaries, not Tor's sources.)
- - Stop doing the complex voodoo overkill checking for insecure
- Diffie-Hellman keys. Just check if it's in [2,p-2] and be happy.
- - When we were closing connections, there was a rare case that
- stomped on memory, triggering seg faults and asserts.
- - We were neglecting to unlink marked circuits from soon-to-close OR
- connections, which caused some rare scribbling on freed memory.
- - When we're deciding whether a stream has enough circuits around
- that can handle it, count the freshly dirty ones and not the ones
- that are so dirty they won't be able to handle it.
- - Recover better from TCP connections to Tor servers that are
- broken but don't tell you (it happens!); and rotate TLS
- connections once a week.
- - When we're expiring old circuits, we had a logic error that caused
- us to close new rendezvous circuits rather than old ones.
- - Fix a scary-looking but apparently harmless bug where circuits
- would sometimes start out in state CIRCUIT_STATE_OR_WAIT at
- servers, and never switch to state CIRCUIT_STATE_OPEN.
- - When building with -static or on Solaris, we sometimes needed to
- build with -ldl.
- - Give a useful message when people run Tor as the wrong user,
- rather than telling them to start chowning random directories.
- - We were failing to inform the controller about new .onion streams.
-
- o Security bugfixes on 0.1.0.x:
- - Refuse server descriptors if the fingerprint line doesn't match
- the included identity key. Tor doesn't care, but other apps (and
- humans) might actually be trusting the fingerprint line.
- - We used to kill the circuit when we receive a relay command we
- don't recognize. Now we just drop it.
- - Start obeying our firewall options more rigorously:
- . If we can't get to a dirserver directly, try going via Tor.
- . Don't ever try to connect (as a client) to a place our
- firewall options forbid.
- . If we specify a proxy and also firewall options, obey the
- firewall options even when we're using the proxy: some proxies
- can only proxy to certain destinations.
- - Fix a bug found by Lasse Overlier: when we were making internal
- circuits (intended to be cannibalized later for rendezvous and
- introduction circuits), we were picking them so that they had
- useful exit nodes. There was no need for this, and it actually
- aids some statistical attacks.
- - Start treating internal circuits and exit circuits separately.
- It's important to keep them separate because internal circuits
- have their last hops picked like middle hops, rather than like
- exit hops. So exiting on them will break the user's expectations.
-
- o Bugfixes on 0.1.1.x:
- - Take out the mis-feature where we tried to detect IP address
- flapping for people with DynDNS, and chose not to upload a new
- server descriptor sometimes.
- - Try to be compatible with OpenSSL 0.9.6 again.
- - Log fix: when the controller is logging about .onion addresses,
- sometimes it didn't include the ".onion" part of the address.
- - Don't try to modify options->DirServers internally -- if the
- user didn't specify any, just add the default ones directly to
- the trusted dirserver list. This fixes a bug where people running
- controllers would use SETCONF on some totally unrelated config
- option, and Tor would start yelling at them about changing their
- DirServer lines.
- - Let the controller's redirectstream command specify a port, in
- case the controller wants to change that too.
- - When we requested a pile of server descriptors, we sometimes
- accidentally launched a duplicate request for the first one.
- - Bugfix for trackhostexits: write down the fingerprint of the
- chosen exit, not its nickname, because the chosen exit might not
- be verified.
- - When parsing foo.exit, if foo is unknown, and we are leaving
- circuits unattached, set the chosen_exit field and leave the
- address empty. This matters because controllers got confused
- otherwise.
- - Directory authorities no longer try to download server
- descriptors that they know they will reject.
-
- o Features and updates:
- - Replace balanced trees with hash tables: this should make stuff
- significantly faster.
- - Resume using the AES counter-mode implementation that we ship,
- rather than OpenSSL's. Ours is significantly faster.
- - Many other CPU and memory improvements.
- - Add a new config option FastFirstHopPK (on by default) so clients
- do a trivial crypto handshake for their first hop, since TLS has
- already taken care of confidentiality and authentication.
- - Add a new config option TestSocks so people can see if their
- applications are using socks4, socks4a, socks5-with-ip, or
- socks5-with-hostname. This way they don't have to keep mucking
- with tcpdump and wondering if something got cached somewhere.
- - Warn when listening on a public address for socks. I suspect a
- lot of people are setting themselves up as open socks proxies,
- and they have no idea that jerks on the Internet are using them,
- since they simply proxy the traffic into the Tor network.
- - Add "private:*" as an alias in configuration for policies. Now
- you can simplify your exit policy rather than needing to list
- every single internal or nonroutable network space.
- - Add a new controller event type that allows controllers to get
- all server descriptors that were uploaded to a router in its role
- as authoritative dirserver.
- - Start shipping socks-extensions.txt, tor-doc-unix.html,
- tor-doc-server.html, and stylesheet.css in the tarball.
- - Stop shipping tor-doc.html in the tarball.
-
-
-Changes in version 0.1.1.9-alpha - 2005-11-15
- o Usability improvements:
- - Start calling it FooListenAddress rather than FooBindAddress,
- since few of our users know what it means to bind an address
- or port.
- - Reduce clutter in server logs. We're going to try to make
- them actually usable now. New config option ProtocolWarnings that
- lets you hear about how _other Tors_ are breaking the protocol. Off
- by default.
- - Divide log messages into logging domains. Once we put some sort
- of interface on this, it will let people looking at more verbose
- log levels specify the topics they want to hear more about.
- - Make directory servers return better http 404 error messages
- instead of a generic "Servers unavailable".
- - Check for even more Windows version flags when writing the platform
- string in server descriptors, and note any we don't recognize.
- - Clean up more of the OpenSSL memory when exiting, so we can detect
- memory leaks better.
- - Make directory authorities be non-versioning, non-naming by
- default. Now we can add new directory servers without requiring
- their operators to pay close attention.
- - When logging via syslog, include the pid whenever we provide
- a log entry. Suggested by Todd Fries.
-
- o Performance improvements:
- - Directory servers now silently throw away new descriptors that
- haven't changed much if the timestamps are similar. We do this to
- tolerate older Tor servers that upload a new descriptor every 15
- minutes. (It seemed like a good idea at the time.)
- - Inline bottleneck smartlist functions; use fast versions by default.
- - Add a "Map from digest to void*" abstraction digestmap_t so we
- can do less hex encoding/decoding. Use it in router_get_by_digest()
- to resolve a performance bottleneck.
- - Allow tor_gzip_uncompress to extract as much as possible from
- truncated compressed data. Try to extract as many
- descriptors as possible from truncated http responses (when
- DIR_PURPOSE_FETCH_ROUTERDESC).
- - Make circ->onionskin a pointer, not a static array. moria2 was using
- 125000 circuit_t's after it had been up for a few weeks, which
- translates to 20+ megs of wasted space.
- - The private half of our EDH handshake keys are now chosen out
- of 320 bits, not 1024 bits. (Suggested by Ian Goldberg.)
-
- o Security improvements:
- - Start making directory caches retain old routerinfos, so soon
- clients can start asking by digest of descriptor rather than by
- fingerprint of server.
- - Add half our entropy from RAND_poll in OpenSSL. This knows how
- to use egd (if present), openbsd weirdness (if present), vms/os2
- weirdness (if we ever port there), and more in the future.
-
- o Bugfixes on 0.1.0.x:
- - Do round-robin writes of at most 16 kB per write. This might be
- more fair on loaded Tor servers, and it might resolve our Windows
- crash bug. It might also slow things down.
- - Our TLS handshakes were generating a single public/private
- keypair for the TLS context, rather than making a new one for
- each new connections. Oops. (But we were still rotating them
- periodically, so it's not so bad.)
- - When we were cannibalizing a circuit with a particular exit
- node in mind, we weren't checking to see if that exit node was
- already present earlier in the circuit. Oops.
- - When a Tor server's IP changes (e.g. from a dyndns address),
- upload a new descriptor so clients will learn too.
- - Really busy servers were keeping enough circuits open on stable
- connections that they were wrapping around the circuit_id
- space. (It's only two bytes.) This exposed a bug where we would
- feel free to reuse a circuit_id even if it still exists but has
- been marked for close. Try to fix this bug. Some bug remains.
- - If we would close a stream early (e.g. it asks for a .exit that
- we know would refuse it) but the LeaveStreamsUnattached config
- option is set by the controller, then don't close it.
-
- o Bugfixes on 0.1.1.8-alpha:
- - Fix a big pile of memory leaks, some of them serious.
- - Do not try to download a routerdesc if we would immediately reject
- it as obsolete.
- - Resume inserting a newline between all router descriptors when
- generating (old style) signed directories, since our spec says
- we do.
- - When providing content-type application/octet-stream for
- server descriptors using .z, we were leaving out the
- content-encoding header. Oops. (Everything tolerated this just
- fine, but that doesn't mean we need to be part of the problem.)
- - Fix a potential seg fault in getconf and getinfo using version 1
- of the controller protocol.
- - Avoid crash: do not check whether DirPort is reachable when we
- are suppressing it because of hibernation.
- - Make --hash-password not crash on exit.
-
-
-Changes in version 0.1.1.8-alpha - 2005-10-07
- o New features (major):
- - Clients don't download or use the directory anymore. Now they
- download and use network-statuses from the trusted dirservers,
- and fetch individual server descriptors as needed from mirrors.
- See dir-spec.txt for all the gory details.
- - Be more conservative about whether to advertise our DirPort.
- The main change is to not advertise if we're running at capacity
- and either a) we could hibernate or b) our capacity is low and
- we're using a default DirPort.
- - Use OpenSSL's AES when OpenSSL has version 0.9.7 or later.
-
- o New features (minor):
- - Try to be smart about when to retry network-status and
- server-descriptor fetches. Still needs some tuning.
- - Stop parsing, storing, or using running-routers output (but
- mirrors still cache and serve it).
- - Consider a threshold of versioning dirservers (dirservers who have
- an opinion about which Tor versions are still recommended) before
- deciding whether to warn the user that he's obsolete.
- - Dirservers can now reject/invalidate by key and IP, with the
- config options "AuthDirInvalid" and "AuthDirReject". This is
- useful since currently we automatically list servers as running
- and usable even if we know they're jerks.
- - Provide dire warnings to any users who set DirServer; move it out
- of torrc.sample and into torrc.complete.
- - Add MyFamily to torrc.sample in the server section.
- - Add nicknames to the DirServer line, so we can refer to them
- without requiring all our users to memorize their IP addresses.
- - When we get an EOF or a timeout on a directory connection, note
- how many bytes of serverdesc we are dropping. This will help
- us determine whether it is smart to parse incomplete serverdesc
- responses.
- - Add a new function to "change pseudonyms" -- that is, to stop
- using any currently-dirty circuits for new streams, so we don't
- link new actions to old actions. Currently it's only called on
- HUP (or SIGNAL RELOAD).
- - On sighup, if UseHelperNodes changed to 1, use new circuits.
- - Start using RAND_bytes rather than RAND_pseudo_bytes from
- OpenSSL. Also, reseed our entropy every hour, not just at
- startup. And entropy in 512-bit chunks, not 160-bit chunks.
-
- o Fixes on 0.1.1.7-alpha:
- - Nobody ever implemented EVENT_ADDRMAP for control protocol
- version 0, so don't let version 0 controllers ask for it.
- - If you requested something with too many newlines via the
- v1 controller protocol, you could crash tor.
- - Fix a number of memory leaks, including some pretty serious ones.
- - Re-enable DirPort testing again, so Tor servers will be willing
- to advertise their DirPort if it's reachable.
- - On TLS handshake, only check the other router's nickname against
- its expected nickname if is_named is set.
-
- o Fixes forward-ported from 0.1.0.15:
- - Don't crash when we don't have any spare file descriptors and we
- try to spawn a dns or cpu worker.
- - Make the numbers in read-history and write-history into uint64s,
- so they don't overflow and publish negatives in the descriptor.
-
- o Fixes on 0.1.0.x:
- - For the OS X package's modified privoxy config file, comment
- out the "logfile" line so we don't log everything passed
- through privoxy.
- - We were whining about using socks4 or socks5-with-local-lookup
- even when it's an IP in the "virtual" range we designed exactly
- for this case.
- - We were leaking some memory every time the client changes IPs.
- - Never call free() on tor_malloc()d memory. This will help us
- use dmalloc to detect memory leaks.
- - Check for named servers when looking them up by nickname;
- warn when we'recalling a non-named server by its nickname;
- don't warn twice about the same name.
- - Try to list MyFamily elements by key, not by nickname, and warn
- if we've not heard of the server.
- - Make windows platform detection (uname equivalent) smarter.
- - It turns out sparc64 doesn't like unaligned access either.
-
-
-Changes in version 0.1.1.7-alpha - 2005-09-14
- o Fixes on 0.1.1.6-alpha:
- - Exit servers were crashing when people asked them to make a
- connection to an address not in their exit policy.
- - Looking up a non-existent stream for a v1 control connection would
- cause a segfault.
- - Fix a seg fault if we ask a dirserver for a descriptor by
- fingerprint but he doesn't know about him.
- - SETCONF was appending items to linelists, not clearing them.
- - SETCONF SocksBindAddress killed Tor if it fails to bind. Now back
- out and refuse the setconf if it would fail.
- - Downgrade the dirserver log messages when whining about
- unreachability.
-
- o New features:
- - Add Peter Palfrader's check-tor script to tor/contrib/
- It lets you easily check whether a given server (referenced by
- nickname) is reachable by you.
- - Numerous changes to move towards client-side v2 directories. Not
- enabled yet.
-
- o Fixes on 0.1.0.x:
- - If the user gave tor an odd number of command-line arguments,
- we were silently ignoring the last one. Now we complain and fail.
- [This wins the oldest-bug prize -- this bug has been present since
- November 2002, as released in Tor 0.0.0.]
- - Do not use unaligned memory access on alpha, mips, or mipsel.
- It *works*, but is very slow, so we treat them as if it doesn't.
- - Retry directory requests if we fail to get an answer we like
- from a given dirserver (we were retrying before, but only if
- we fail to connect).
- - When writing the RecommendedVersions line, sort them first.
- - When the client asked for a rendezvous port that the hidden
- service didn't want to provide, we were sending an IP address
- back along with the end cell. Fortunately, it was zero. But stop
- that anyway.
- - Correct "your server is reachable" log entries to indicate that
- it was self-testing that told us so.
-
-
-Changes in version 0.1.1.6-alpha - 2005-09-09
- o Fixes on 0.1.1.5-alpha:
- - We broke fascistfirewall in 0.1.1.5-alpha. Oops.
- - Fix segfault in unit tests in 0.1.1.5-alpha. Oops.
- - Fix bug with tor_memmem finding a match at the end of the string.
- - Make unit tests run without segfaulting.
- - Resolve some solaris x86 compile warnings.
- - Handle duplicate lines in approved-routers files without warning.
- - Fix bug where as soon as a server refused any requests due to his
- exit policy (e.g. when we ask for localhost and he tells us that's
- 127.0.0.1 and he won't do it), we decided he wasn't obeying his
- exit policy and stopped using him for any exits.
- - Only do openssl hardware accelerator stuff if openssl version is
- at least 0.9.7.
-
- o New controller features/fixes:
- - Add a "RESETCONF" command so you can set config options like
- AllowUnverifiedNodes and LongLivedPorts to "". Also, if you give
- a config option in the torrc with no value, then it clears it
- entirely (rather than setting it to its default).
- - Add a "GETINFO config-file" to tell us where torrc is.
- - Avoid sending blank lines when GETINFO replies should be empty.
- - Add a QUIT command for the controller (for using it manually).
- - Fix a bug in SAVECONF that was adding default dirservers and
- other redundant entries to the torrc file.
-
- o Start on the new directory design:
- - Generate, publish, cache, serve new network-status format.
- - Publish individual descriptors (by fingerprint, by "all", and by
- "tell me yours").
- - Publish client and server recommended versions separately.
- - Allow tor_gzip_uncompress() to handle multiple concatenated
- compressed strings. Serve compressed groups of router
- descriptors. The compression logic here could be more
- memory-efficient.
- - Distinguish v1 authorities (all currently trusted directories)
- from v2 authorities (all trusted directories).
- - Change DirServers config line to note which dirs are v1 authorities.
- - Add configuration option "V1AuthoritativeDirectory 1" which
- moria1, moria2, and tor26 should set.
- - Remove option when getting directory cache to see whether they
- support running-routers; they all do now. Replace it with one
- to see whether caches support v2 stuff.
-
- o New features:
- - Dirservers now do their own external reachability testing of each
- Tor server, and only list them as running if they've been found to
- be reachable. We also send back warnings to the server's logs if
- it uploads a descriptor that we already believe is unreachable.
- - Implement exit enclaves: if we know an IP address for the
- destination, and there's a running Tor server at that address
- which allows exit to the destination, then extend the circuit to
- that exit first. This provides end-to-end encryption and end-to-end
- authentication. Also, if the user wants a .exit address or enclave,
- use 4 hops rather than 3, and cannibalize a general circ for it
- if you can.
- - Permit transitioning from ORPort=0 to ORPort!=0, and back, from the
- controller. Also, rotate dns and cpu workers if the controller
- changes options that will affect them; and initialize the dns
- worker cache tree whether or not we start out as a server.
- - Only upload a new server descriptor when options change, 18
- hours have passed, uptime is reset, or bandwidth changes a lot.
- - Check [X-]Forwarded-For headers in HTTP requests when generating
- log messages. This lets people run dirservers (and caches) behind
- Apache but still know which IP addresses are causing warnings.
-
- o Config option changes:
- - Replace (Fascist)Firewall* config options with a new
- ReachableAddresses option that understands address policies.
- For example, "ReachableAddresses *:80,*:443"
- - Get rid of IgnoreVersion undocumented config option, and make us
- only warn, never exit, when we're running an obsolete version.
- - Make MonthlyAccountingStart config option truly obsolete now.
-
- o Fixes on 0.1.0.x:
- - Reject ports 465 and 587 in the default exit policy, since
- people have started using them for spam too.
- - It turns out we couldn't bootstrap a network since we added
- reachability detection in 0.1.0.1-rc. Good thing the Tor network
- has never gone down. Add an AssumeReachable config option to let
- servers and dirservers bootstrap. When we're trying to build a
- high-uptime or high-bandwidth circuit but there aren't enough
- suitable servers, try being less picky rather than simply failing.
- - Our logic to decide if the OR we connected to was the right guy
- was brittle and maybe open to a mitm for unverified routers.
- - We weren't cannibalizing circuits correctly for
- CIRCUIT_PURPOSE_C_ESTABLISH_REND and
- CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, so we were being forced to
- build those from scratch. This should make hidden services faster.
- - Predict required circuits better, with an eye toward making hidden
- services faster on the service end.
- - Retry streams if the exit node sends back a 'misc' failure. This
- should result in fewer random failures. Also, after failing
- from resolve failed or misc, reset the num failures, so we give
- it a fair shake next time we try.
- - Clean up the rendezvous warn log msgs, and downgrade some to info.
- - Reduce severity on logs about dns worker spawning and culling.
- - When we're shutting down and we do something like try to post a
- server descriptor or rendezvous descriptor, don't complain that
- we seem to be unreachable. Of course we are, we're shutting down.
- - Add TTLs to RESOLVED, CONNECTED, and END_REASON_EXITPOLICY cells.
- We don't use them yet, but maybe one day our DNS resolver will be
- able to discover them.
- - Make ContactInfo mandatory for authoritative directory servers.
- - Require server descriptors to list IPv4 addresses -- hostnames
- are no longer allowed. This also fixes some potential security
- problems with people providing hostnames as their address and then
- preferentially resolving them to partition users.
- - Change log line for unreachability to explicitly suggest /etc/hosts
- as the culprit. Also make it clearer what IP address and ports we're
- testing for reachability.
- - Put quotes around user-supplied strings when logging so users are
- more likely to realize if they add bad characters (like quotes)
- to the torrc.
- - Let auth dir servers start without specifying an Address config
- option.
- - Make unit tests (and other invocations that aren't the real Tor)
- run without launching listeners, creating subdirectories, and so on.
-
-
-Changes in version 0.1.1.5-alpha - 2005-08-08
- o Bugfixes included in 0.1.0.14.
-
- o Bugfixes on 0.1.0.x:
- - If you write "HiddenServicePort 6667 127.0.0.1 6668" in your
- torrc rather than "HiddenServicePort 6667 127.0.0.1:6668",
- it would silently using ignore the 6668.
-
-
-Changes in version 0.1.1.4-alpha - 2005-08-04
- o Bugfixes included in 0.1.0.13.
-
- o Features:
- - Improve tor_gettimeofday() granularity on windows.
- - Make clients regenerate their keys when their IP address changes.
- - Implement some more GETINFO goodness: expose helper nodes, config
- options, getinfo keys.
-
-
-Changes in version 0.1.1.3-alpha - 2005-07-25
- o Bugfixes on 0.1.1.2-alpha:
- - Fix a bug in handling the controller's "post descriptor"
- function.
- - Fix several bugs in handling the controller's "extend circuit"
- function.
- - Fix a bug in handling the controller's "stream status" event.
- - Fix an assert failure if we have a controller listening for
- circuit events and we go offline.
- - Re-allow hidden service descriptors to publish 0 intro points.
- - Fix a crash when generating your hidden service descriptor if
- you don't have enough intro points already.
-
- o New features on 0.1.1.2-alpha:
- - New controller function "getinfo accounting", to ask how
- many bytes we've used in this time period.
- - Experimental support for helper nodes: a lot of the risk from
- a small static adversary comes because users pick new random
- nodes every time they rebuild a circuit. Now users will try to
- stick to the same small set of entry nodes if they can. Not
- enabled by default yet.
-
- o Bugfixes on 0.1.0.12:
- - If you're an auth dir server, always publish your dirport,
- even if you haven't yet found yourself to be reachable.
- - Fix a size_t underflow in smartlist_join_strings2() that made
- it do bad things when you hand it an empty smartlist.
-
-
-Changes in version 0.1.1.2-alpha - 2005-07-14
- o New directory servers:
- - tor26 has changed IP address.
-
- o Bugfixes on 0.1.0.x, crashes/leaks:
- - Port the servers-not-obeying-their-exit-policies fix from 0.1.0.11.
- - Fix an fd leak in start_daemon().
- - On Windows, you can't always reopen a port right after you've
- closed it. So change retry_listeners() to only close and re-open
- ports that have changed.
- - Fix a possible double-free in tor_gzip_uncompress().
-
- o Bugfixes on 0.1.0.x, usability:
- - When tor_socketpair() fails in Windows, give a reasonable
- Windows-style errno back.
- - Let people type "tor --install" as well as "tor -install" when they
- want to make it an NT service.
- - NT service patch from Matt Edman to improve error messages.
- - When the controller asks for a config option with an abbreviated
- name, give the full name in our response.
- - Correct the man page entry on TrackHostExitsExpire.
- - Looks like we were never delivering deflated (i.e. compressed)
- running-routers lists, even when asked. Oops.
- - When --disable-threads is set, do not search for or link against
- pthreads libraries.
-
- o Bugfixes on 0.1.1.x:
- - Fix a seg fault with autodetecting which controller version is
- being used.
-
- o Features:
- - New hidden service descriptor format: put a version in it, and
- let people specify introduction/rendezvous points that aren't
- in "the directory" (which is subjective anyway).
- - Allow the DEBUG controller event to work again. Mark certain log
- entries as "don't tell this to controllers", so we avoid cycles.
-
-
-Changes in version 0.1.1.1-alpha - 2005-06-29
- o Bugfixes:
- - Make OS X init script check for missing argument, so we don't
- confuse users who invoke it incorrectly.
- - Fix a seg fault in "tor --hash-password foo".
- - Fix a possible way to DoS dirservers.
- - When we complain that your exit policy implicitly allows local or
- private address spaces, name them explicitly so operators can
- fix it.
- - Make the log message less scary when all the dirservers are
- temporarily unreachable.
- - We were printing the number of idle dns workers incorrectly when
- culling them.
-
- o Features:
- - Revised controller protocol (version 1) that uses ascii rather
- than binary. Add supporting libraries in python and java so you
- can use the controller from your applications without caring how
- our protocol works.
- - Spiffy new support for crypto hardware accelerators. Can somebody
- test this?
-
-
Changes in version 0.1.0.17 - 2006-02-17
o Crash bugfixes on 0.1.0.x:
- When servers with a non-zero DirPort came out of hibernation,
More information about the tor-commits
mailing list