|
@@ -0,0 +1,2262 @@
|
|
|
+
|
|
|
+This document summarizes new features and bugfixes in each stable release
|
|
|
+of Tor. If you want to see more detailed descriptions of the changes in
|
|
|
+each development snapshot, see the ChangeLog file.
|
|
|
+
|
|
|
+Changes in version 0.1.1.26 - 2006-12-14
|
|
|
+ o Security bugfixes:
|
|
|
+ - Stop sending the HttpProxyAuthenticator string to directory
|
|
|
+ servers when directory connections are tunnelled through Tor.
|
|
|
+ - Clients no longer store bandwidth history in the state file.
|
|
|
+ - Do not log introduction points for hidden services if SafeLogging
|
|
|
+ is set.
|
|
|
+
|
|
|
+ o Minor bugfixes:
|
|
|
+ - Fix an assert failure when a directory authority sets
|
|
|
+ AuthDirRejectUnlisted and then receives a descriptor from an
|
|
|
+ unlisted router (reported by seeess).
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.1.1.25 - 2006-11-04
|
|
|
+ o Major bugfixes:
|
|
|
+ - When a client asks us to resolve (rather than connect to)
|
|
|
+ an address, and we have a cached answer, give them the cached
|
|
|
+ answer. Previously, we would give them no answer at all.
|
|
|
+ - We were building exactly the wrong circuits when we predict
|
|
|
+ hidden service requirements, meaning Tor would have to build all
|
|
|
+ its circuits on demand.
|
|
|
+ - If none of our live entry guards have a high uptime, but we
|
|
|
+ require a guard with a high uptime, try adding a new guard before
|
|
|
+ we give up on the requirement. This patch should make long-lived
|
|
|
+ connections more stable on average.
|
|
|
+ - When testing reachability of our DirPort, don't launch new
|
|
|
+ tests when there's already one in progress -- unreachable
|
|
|
+ servers were stacking up dozens of testing streams.
|
|
|
+
|
|
|
+ o Security bugfixes:
|
|
|
+ - When the user sends a NEWNYM signal, clear the client-side DNS
|
|
|
+ cache too. Otherwise we continue to act on previous information.
|
|
|
+
|
|
|
+ o Minor bugfixes:
|
|
|
+ - Avoid a memory corruption bug when creating a hash table for
|
|
|
+ the first time.
|
|
|
+ - Avoid possibility of controller-triggered crash when misusing
|
|
|
+ certain commands from a v0 controller on platforms that do not
|
|
|
+ handle printf("%s",NULL) gracefully.
|
|
|
+ - Avoid infinite loop on unexpected controller input.
|
|
|
+ - Don't log spurious warnings when we see a circuit close reason we
|
|
|
+ don't recognize; it's probably just from a newer version of Tor.
|
|
|
+ - Add Vidalia to the OS X uninstaller script, so when we uninstall
|
|
|
+ Tor/Privoxy we also uninstall Vidalia.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.1.1.24 - 2006-09-29
|
|
|
+ o Major bugfixes:
|
|
|
+ - Allow really slow clients to not hang up five minutes into their
|
|
|
+ directory downloads (suggested by Adam J. Richter).
|
|
|
+ - Fix major performance regression from 0.1.0.x: instead of checking
|
|
|
+ whether we have enough directory information every time we want to
|
|
|
+ do something, only check when the directory information has changed.
|
|
|
+ This should improve client CPU usage by 25-50%.
|
|
|
+ - Don't crash if, after a server has been running for a while,
|
|
|
+ it can't resolve its hostname.
|
|
|
+ - When a client asks us to resolve (not connect to) an address,
|
|
|
+ and we have a cached answer, give them the cached answer.
|
|
|
+ Previously, we would give them no answer at all.
|
|
|
+
|
|
|
+ o Minor bugfixes:
|
|
|
+ - Allow Tor to start when RunAsDaemon is set but no logs are set.
|
|
|
+ - Don't crash when the controller receives a third argument to an
|
|
|
+ "extendcircuit" request.
|
|
|
+ - Controller protocol fixes: fix encoding in "getinfo addr-mappings"
|
|
|
+ response; fix error code when "getinfo dir/status/" fails.
|
|
|
+ - Fix configure.in to not produce broken configure files with
|
|
|
+ more recent versions of autoconf. Thanks to Clint for his auto*
|
|
|
+ voodoo.
|
|
|
+ - Fix security bug on NetBSD that could allow someone to force
|
|
|
+ uninitialized RAM to be sent to a server's DNS resolver. This
|
|
|
+ only affects NetBSD and other platforms that do not bounds-check
|
|
|
+ tolower().
|
|
|
+ - Warn user when using libevent 1.1a or earlier with win32 or kqueue
|
|
|
+ methods: these are known to be buggy.
|
|
|
+ - If we're a directory mirror and we ask for "all" network status
|
|
|
+ documents, we would discard status documents from authorities
|
|
|
+ we don't recognize.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.1.1.23 - 2006-07-30
|
|
|
+ o Major bugfixes:
|
|
|
+ - Fast Tor servers, especially exit nodes, were triggering asserts
|
|
|
+ due to a bug in handling the list of pending DNS resolves. Some
|
|
|
+ bugs still remain here; we're hunting them.
|
|
|
+ - Entry guards could crash clients by sending unexpected input.
|
|
|
+ - More fixes on reachability testing: if you find yourself reachable,
|
|
|
+ then don't ever make any client requests (so you stop predicting
|
|
|
+ circuits), then hup or have your clock jump, then later your IP
|
|
|
+ changes, you won't think circuits are working, so you won't try to
|
|
|
+ test reachability, so you won't publish.
|
|
|
+
|
|
|
+ o Minor bugfixes:
|
|
|
+ - Avoid a crash if the controller does a resetconf firewallports
|
|
|
+ and then a setconf fascistfirewall=1.
|
|
|
+ - Avoid an integer underflow when the dir authority decides whether
|
|
|
+ a router is stable: we might wrongly label it stable, and compute
|
|
|
+ a slightly wrong median stability, when a descriptor is published
|
|
|
+ later than now.
|
|
|
+ - Fix a place where we might trigger an assert if we can't build our
|
|
|
+ own server descriptor yet.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.1.1.22 - 2006-07-05
|
|
|
+ o Major bugfixes:
|
|
|
+ - Fix a big bug that was causing servers to not find themselves
|
|
|
+ reachable if they changed IP addresses. Since only 0.1.1.22+
|
|
|
+ servers can do reachability testing correctly, now we automatically
|
|
|
+ make sure to test via one of these.
|
|
|
+ - Fix to allow clients and mirrors to learn directory info from
|
|
|
+ descriptor downloads that get cut off partway through.
|
|
|
+ - Directory authorities had a bug in deciding if a newly published
|
|
|
+ descriptor was novel enough to make everybody want a copy -- a few
|
|
|
+ servers seem to be publishing new descriptors many times a minute.
|
|
|
+ o Minor bugfixes:
|
|
|
+ - Fix a rare bug that was causing some servers to complain about
|
|
|
+ "closing wedged cpuworkers" and skip some circuit create requests.
|
|
|
+ - Make the Exit flag in directory status documents actually work.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.1.1.21 - 2006-06-10
|
|
|
+ o Crash and assert fixes from 0.1.1.20:
|
|
|
+ - Fix a rare crash on Tor servers that have enabled hibernation.
|
|
|
+ - Fix a seg fault on startup for Tor networks that use only one
|
|
|
+ directory authority.
|
|
|
+ - Fix an assert from a race condition that occurs on Tor servers
|
|
|
+ while exiting, where various threads are trying to log that they're
|
|
|
+ exiting, and delete the logs, at the same time.
|
|
|
+ - Make our unit tests pass again on certain obscure platforms.
|
|
|
+
|
|
|
+ o Other fixes:
|
|
|
+ - Add support for building SUSE RPM packages.
|
|
|
+ - Speed up initial bootstrapping for clients: if we are making our
|
|
|
+ first ever connection to any entry guard, then don't mark it down
|
|
|
+ right after that.
|
|
|
+ - When only one Tor server in the network is labelled as a guard,
|
|
|
+ and we've already picked him, we would cycle endlessly picking him
|
|
|
+ again, being unhappy about it, etc. Now we specifically exclude
|
|
|
+ current guards when picking a new guard.
|
|
|
+ - Servers send create cells more reliably after the TLS connection
|
|
|
+ is established: we were sometimes forgetting to send half of them
|
|
|
+ when we had more than one pending.
|
|
|
+ - If we get a create cell that asks us to extend somewhere, but the
|
|
|
+ Tor server there doesn't match the expected digest, we now send
|
|
|
+ a destroy cell back, rather than silently doing nothing.
|
|
|
+ - Make options->RedirectExit work again.
|
|
|
+ - Make cookie authentication for the controller work again.
|
|
|
+ - Stop being picky about unusual characters in the arguments to
|
|
|
+ mapaddress. It's none of our business.
|
|
|
+ - Add a new config option "TestVia" that lets you specify preferred
|
|
|
+ middle hops to use for test circuits. Perhaps this will let me
|
|
|
+ debug the reachability problems better.
|
|
|
+
|
|
|
+ o Log / documentation fixes:
|
|
|
+ - If we're a server and some peer has a broken TLS certificate, don't
|
|
|
+ log about it unless ProtocolWarnings is set, i.e., we want to hear
|
|
|
+ about protocol violations by others.
|
|
|
+ - Fix spelling of VirtualAddrNetwork in man page.
|
|
|
+ - Add a better explanation at the top of the autogenerated torrc file
|
|
|
+ about what happened to our old torrc.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.1.1.20 - 2006-05-23
|
|
|
+ o Crash and assert fixes from 0.1.0.17:
|
|
|
+ - Fix assert bug in close_logs() on exit: when we close and delete
|
|
|
+ logs, remove them all from the global "logfiles" list.
|
|
|
+ - Fix an assert error when we're out of space in the connection_list
|
|
|
+ and we try to post a hidden service descriptor (reported by Peter
|
|
|
+ Palfrader).
|
|
|
+ - Fix a rare assert error when we've tried all intro points for
|
|
|
+ a hidden service and we try fetching the service descriptor again:
|
|
|
+ "Assertion conn->state != AP_CONN_STATE_RENDDESC_WAIT failed".
|
|
|
+ - Setconf SocksListenAddress kills Tor if it fails to bind. Now back
|
|
|
+ out and refuse the setconf if it would fail.
|
|
|
+ - If you specify a relative torrc path and you set RunAsDaemon in
|
|
|
+ your torrc, then it chdir()'s to the new directory. If you then
|
|
|
+ HUP, it tries to load the new torrc location, fails, and exits.
|
|
|
+ The fix: no longer allow a relative path to torrc when using -f.
|
|
|
+ - Check for integer overflows in more places, when adding elements
|
|
|
+ to smartlists. This could possibly prevent a buffer overflow
|
|
|
+ on malicious huge inputs.
|
|
|
+
|
|
|
+ o Security fixes, major:
|
|
|
+ - When we're printing strings from the network, don't try to print
|
|
|
+ non-printable characters. Now we're safer against shell escape
|
|
|
+ sequence exploits, and also against attacks to fool users into
|
|
|
+ misreading their logs.
|
|
|
+ - Implement entry guards: automatically choose a handful of entry
|
|
|
+ nodes and stick with them for all circuits. Only pick new guards
|
|
|
+ when the ones you have are unsuitable, and if the old guards
|
|
|
+ become suitable again, switch back. This will increase security
|
|
|
+ dramatically against certain end-point attacks. The EntryNodes
|
|
|
+ config option now provides some hints about which entry guards you
|
|
|
+ want to use most; and StrictEntryNodes means to only use those.
|
|
|
+ Fixes CVE-2006-0414.
|
|
|
+ - Implement exit enclaves: if we know an IP address for the
|
|
|
+ destination, and there's a running Tor server at that address
|
|
|
+ which allows exit to the destination, then extend the circuit to
|
|
|
+ that exit first. This provides end-to-end encryption and end-to-end
|
|
|
+ authentication. Also, if the user wants a .exit address or enclave,
|
|
|
+ use 4 hops rather than 3, and cannibalize a general circ for it
|
|
|
+ if you can.
|
|
|
+ - Obey our firewall options more faithfully:
|
|
|
+ . If we can't get to a dirserver directly, try going via Tor.
|
|
|
+ . Don't ever try to connect (as a client) to a place our
|
|
|
+ firewall options forbid.
|
|
|
+ . If we specify a proxy and also firewall options, obey the
|
|
|
+ firewall options even when we're using the proxy: some proxies
|
|
|
+ can only proxy to certain destinations.
|
|
|
+ - Make clients regenerate their keys when their IP address changes.
|
|
|
+ - For the OS X package's modified privoxy config file, comment
|
|
|
+ out the "logfile" line so we don't log everything passed
|
|
|
+ through privoxy.
|
|
|
+ - Our TLS handshakes were generating a single public/private
|
|
|
+ keypair for the TLS context, rather than making a new one for
|
|
|
+ each new connection. Oops. (But we were still rotating them
|
|
|
+ periodically, so it's not so bad.)
|
|
|
+ - When we were cannibalizing a circuit with a particular exit
|
|
|
+ node in mind, we weren't checking to see if that exit node was
|
|
|
+ already present earlier in the circuit. Now we are.
|
|
|
+ - Require server descriptors to list IPv4 addresses -- hostnames
|
|
|
+ are no longer allowed. This also fixes potential vulnerabilities
|
|
|
+ to servers providing hostnames as their address and then
|
|
|
+ preferentially resolving them so they can partition users.
|
|
|
+ - Our logic to decide if the OR we connected to was the right guy
|
|
|
+ was brittle and maybe open to a mitm for invalid routers.
|
|
|
+
|
|
|
+ o Security fixes, minor:
|
|
|
+ - Adjust tor-spec.txt to parameterize cell and key lengths. Now
|
|
|
+ Ian Goldberg can prove things about our handshake protocol more
|
|
|
+ easily.
|
|
|
+ - Make directory authorities generate a separate "guard" flag to
|
|
|
+ mean "would make a good entry guard". Clients now honor the
|
|
|
+ is_guard flag rather than looking at is_fast or is_stable.
|
|
|
+ - Try to list MyFamily elements by key, not by nickname, and warn
|
|
|
+ if we've not heard of a server.
|
|
|
+ - Start using RAND_bytes rather than RAND_pseudo_bytes from
|
|
|
+ OpenSSL. Also, reseed our entropy every hour, not just at
|
|
|
+ startup. And add entropy in 512-bit chunks, not 160-bit chunks.
|
|
|
+ - Refuse server descriptors where the fingerprint line doesn't match
|
|
|
+ the included identity key. Tor doesn't care, but other apps (and
|
|
|
+ humans) might actually be trusting the fingerprint line.
|
|
|
+ - We used to kill the circuit when we receive a relay command we
|
|
|
+ don't recognize. Now we just drop that cell.
|
|
|
+ - Fix a bug found by Lasse Overlier: when we were making internal
|
|
|
+ circuits (intended to be cannibalized later for rendezvous and
|
|
|
+ introduction circuits), we were picking them so that they had
|
|
|
+ useful exit nodes. There was no need for this, and it actually
|
|
|
+ aids some statistical attacks.
|
|
|
+ - Start treating internal circuits and exit circuits separately.
|
|
|
+ It's important to keep them separate because internal circuits
|
|
|
+ have their last hops picked like middle hops, rather than like
|
|
|
+ exit hops. So exiting on them will break the user's expectations.
|
|
|
+ - Fix a possible way to DoS dirservers.
|
|
|
+ - When the client asked for a rendezvous port that the hidden
|
|
|
+ service didn't want to provide, we were sending an IP address
|
|
|
+ back along with the end cell. Fortunately, it was zero. But stop
|
|
|
+ that anyway.
|
|
|
+
|
|
|
+ o Packaging improvements:
|
|
|
+ - Implement --with-libevent-dir option to ./configure. Improve
|
|
|
+ search techniques to find libevent, and use those for openssl too.
|
|
|
+ - Fix a couple of bugs in OpenSSL detection. Deal better when
|
|
|
+ there are multiple SSLs installed with different versions.
|
|
|
+ - Avoid warnings about machine/limits.h on Debian GNU/kFreeBSD.
|
|
|
+ - On non-gcc compilers (e.g. Solaris's cc), use "-g -O" instead of
|
|
|
+ "-Wall -g -O2".
|
|
|
+ - Make unit tests (and other invocations that aren't the real Tor)
|
|
|
+ run without launching listeners, creating subdirectories, and so on.
|
|
|
+ - The OS X installer was adding a symlink for tor_resolve but
|
|
|
+ the binary was called tor-resolve (reported by Thomas Hardly).
|
|
|
+ - Now we can target arch and OS in rpm builds (contributed by
|
|
|
+ Phobos). Also make the resulting dist-rpm filename match the
|
|
|
+ target arch.
|
|
|
+ - Apply Matt Ghali's --with-syslog-facility patch to ./configure
|
|
|
+ if you log to syslog and want something other than LOG_DAEMON.
|
|
|
+ - Fix the torify (tsocks) config file to not use Tor for localhost
|
|
|
+ connections.
|
|
|
+ - Start shipping socks-extensions.txt, tor-doc-unix.html,
|
|
|
+ tor-doc-server.html, and stylesheet.css in the tarball.
|
|
|
+ - Stop shipping tor-doc.html, INSTALL, and README in the tarball.
|
|
|
+ They are useless now.
|
|
|
+ - Add Peter Palfrader's contributed check-tor script. It lets you
|
|
|
+ easily check whether a given server (referenced by nickname)
|
|
|
+ is reachable by you.
|
|
|
+ - Add BSD-style contributed startup script "rc.subr" from Peter
|
|
|
+ Thoenen.
|
|
|
+
|
|
|
+ o Directory improvements -- new directory protocol:
|
|
|
+ - See tor/doc/dir-spec.txt for all the juicy details. Key points:
|
|
|
+ - Authorities and caches publish individual descriptors (by
|
|
|
+ digest, by fingerprint, by "all", and by "tell me yours").
|
|
|
+ - Clients don't download or use the old directory anymore. Now they
|
|
|
+ download network-statuses from the directory authorities, and
|
|
|
+ fetch individual server descriptors as needed from mirrors.
|
|
|
+ - Clients don't download descriptors of non-running servers.
|
|
|
+ - Download descriptors by digest, not by fingerprint. Caches try to
|
|
|
+ download all listed digests from authorities; clients try to
|
|
|
+ download "best" digests from caches. This avoids partitioning
|
|
|
+ and isolating attacks better.
|
|
|
+ - Only upload a new server descriptor when options change, 18
|
|
|
+ hours have passed, uptime is reset, or bandwidth changes a lot.
|
|
|
+ - Directory authorities silently throw away new descriptors that
|
|
|
+ haven't changed much if the timestamps are similar. We do this to
|
|
|
+ tolerate older Tor servers that upload a new descriptor every 15
|
|
|
+ minutes. (It seemed like a good idea at the time.)
|
|
|
+ - Clients choose directory servers from the network status lists,
|
|
|
+ not from their internal list of router descriptors. Now they can
|
|
|
+ go to caches directly rather than needing to go to authorities
|
|
|
+ to bootstrap the first set of descriptors.
|
|
|
+ - When picking a random directory, prefer non-authorities if any
|
|
|
+ are known.
|
|
|
+ - Add a new flag to network-status indicating whether the server
|
|
|
+ can answer v2 directory requests too.
|
|
|
+ - Directory mirrors now cache up to 16 unrecognized network-status
|
|
|
+ docs, so new directory authorities will be cached too.
|
|
|
+ - Stop parsing, storing, or using running-routers output (but
|
|
|
+ mirrors still cache and serve it).
|
|
|
+ - Clients consider a threshold of "versioning" directory authorities
|
|
|
+ before deciding whether to warn the user that he's obsolete.
|
|
|
+ - Authorities publish separate sorted lists of recommended versions
|
|
|
+ for clients and for servers.
|
|
|
+ - Change DirServers config line to note which dirs are v1 authorities.
|
|
|
+ - Put nicknames on the DirServer line, so we can refer to them
|
|
|
+ without requiring all our users to memorize their IP addresses.
|
|
|
+ - Remove option when getting directory cache to see whether they
|
|
|
+ support running-routers; they all do now. Replace it with one
|
|
|
+ to see whether caches support v2 stuff.
|
|
|
+ - Stop listing down or invalid nodes in the v1 directory. This
|
|
|
+ reduces its bulk by about 1/3, and reduces load on mirrors.
|
|
|
+ - Mirrors no longer cache the v1 directory as often.
|
|
|
+ - If we as a directory mirror don't know of any v1 directory
|
|
|
+ authorities, then don't try to cache any v1 directories.
|
|
|
+
|
|
|
+ o Other directory improvements:
|
|
|
+ - Add lefkada.eecs.harvard.edu and tor.dizum.com as fourth and
|
|
|
+ fifth authoritative directory servers.
|
|
|
+ - Directory authorities no longer require an open connection from
|
|
|
+ a server to consider him "reachable". We need this change because
|
|
|
+ when we add new directory authorities, old servers won't know not
|
|
|
+ to hang up on them.
|
|
|
+ - Dir authorities now do their own external reachability testing
|
|
|
+ of each server, and only list as running the ones they found to
|
|
|
+ be reachable. We also send back warnings to the server's logs if
|
|
|
+ it uploads a descriptor that we already believe is unreachable.
|
|
|
+ - Spread the directory authorities' reachability testing over the
|
|
|
+ entire testing interval, so we don't try to do 500 TLS's at once
|
|
|
+ every 20 minutes.
|
|
|
+ - Make the "stable" router flag in network-status be the median of
|
|
|
+ the uptimes of running valid servers, and make clients pay
|
|
|
+ attention to the network-status flags. Thus the cutoff adapts
|
|
|
+ to the stability of the network as a whole, making IRC, IM, etc
|
|
|
+ connections more reliable.
|
|
|
+ - Make the v2 dir's "Fast" flag based on relative capacity, just
|
|
|
+ like "Stable" is based on median uptime. Name everything in the
|
|
|
+ top 7/8 Fast, and only the top 1/2 gets to be a Guard.
|
|
|
+ - Retry directory requests if we fail to get an answer we like
|
|
|
+ from a given dirserver (we were retrying before, but only if
|
|
|
+ we fail to connect).
|
|
|
+ - Return a robots.txt on our dirport to discourage google indexing.
|
|
|
+
|
|
|
+ o Controller protocol improvements:
|
|
|
+ - Revised controller protocol (version 1) that uses ascii rather
|
|
|
+ than binary: tor/doc/control-spec.txt. Add supporting libraries
|
|
|
+ in python and java and c# so you can use the controller from your
|
|
|
+ applications without caring how our protocol works.
|
|
|
+ - Allow the DEBUG controller event to work again. Mark certain log
|
|
|
+ entries as "don't tell this to controllers", so we avoid cycles.
|
|
|
+ - New controller function "getinfo accounting", to ask how
|
|
|
+ many bytes we've used in this time period.
|
|
|
+ - Add a "resetconf" command so you can set config options like
|
|
|
+ AllowUnverifiedNodes and LongLivedPorts to "". Also, if you give
|
|
|
+ a config option in the torrc with no value, then it clears it
|
|
|
+ entirely (rather than setting it to its default).
|
|
|
+ - Add a "getinfo config-file" to tell us where torrc is. Also
|
|
|
+ expose guard nodes, config options/names.
|
|
|
+ - Add a "quit" command (when when using the controller manually).
|
|
|
+ - Add a new signal "newnym" to "change pseudonyms" -- that is, to
|
|
|
+ stop using any currently-dirty circuits for new streams, so we
|
|
|
+ don't link new actions to old actions. This also occurs on HUP
|
|
|
+ or "signal reload".
|
|
|
+ - If we would close a stream early (e.g. it asks for a .exit that
|
|
|
+ we know would refuse it) but the LeaveStreamsUnattached config
|
|
|
+ option is set by the controller, then don't close it.
|
|
|
+ - Add a new controller event type "authdir_newdescs" that allows
|
|
|
+ controllers to get all server descriptors that were uploaded to
|
|
|
+ a router in its role as directory authority.
|
|
|
+ - New controller option "getinfo desc/all-recent" to fetch the
|
|
|
+ latest server descriptor for every router that Tor knows about.
|
|
|
+ - Fix the controller's "attachstream 0" command to treat conn like
|
|
|
+ it just connected, doing address remapping, handling .exit and
|
|
|
+ .onion idioms, and so on. Now we're more uniform in making sure
|
|
|
+ that the controller hears about new and closing connections.
|
|
|
+ - Permit transitioning from ORPort==0 to ORPort!=0, and back, from
|
|
|
+ the controller. Also, rotate dns and cpu workers if the controller
|
|
|
+ changes options that will affect them; and initialize the dns
|
|
|
+ worker cache tree whether or not we start out as a server.
|
|
|
+ - Add a new circuit purpose 'controller' to let the controller ask
|
|
|
+ for a circuit that Tor won't try to use. Extend the "extendcircuit"
|
|
|
+ controller command to let you specify the purpose if you're starting
|
|
|
+ a new circuit. Add a new "setcircuitpurpose" controller command to
|
|
|
+ let you change a circuit's purpose after it's been created.
|
|
|
+ - Let the controller ask for "getinfo dir/server/foo" so it can ask
|
|
|
+ directly rather than connecting to the dir port. "getinfo
|
|
|
+ dir/status/foo" also works, but currently only if your DirPort
|
|
|
+ is enabled.
|
|
|
+ - Let the controller tell us about certain router descriptors
|
|
|
+ that it doesn't want Tor to use in circuits. Implement
|
|
|
+ "setrouterpurpose" and modify "+postdescriptor" to do this.
|
|
|
+ - If the controller's *setconf commands fail, collect an error
|
|
|
+ message in a string and hand it back to the controller -- don't
|
|
|
+ just tell them to go read their logs.
|
|
|
+
|
|
|
+ o Scalability, resource management, and performance:
|
|
|
+ - Fix a major load balance bug: we were round-robin reading in 16 KB
|
|
|
+ chunks, and servers with bandwidthrate of 20 KB, while downloading
|
|
|
+ a 600 KB directory, would starve their other connections. Now we
|
|
|
+ try to be a bit more fair.
|
|
|
+ - Be more conservative about whether to advertise our DirPort.
|
|
|
+ The main change is to not advertise if we're running at capacity
|
|
|
+ and either a) we could hibernate ever or b) our capacity is low
|
|
|
+ and we're using a default DirPort.
|
|
|
+ - We weren't cannibalizing circuits correctly for
|
|
|
+ CIRCUIT_PURPOSE_C_ESTABLISH_REND and
|
|
|
+ CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, so we were being forced to
|
|
|
+ build those from scratch. This should make hidden services faster.
|
|
|
+ - Predict required circuits better, with an eye toward making hidden
|
|
|
+ services faster on the service end.
|
|
|
+ - Compress exit policies even more: look for duplicate lines and
|
|
|
+ remove them.
|
|
|
+ - Generate 18.0.0.0/8 address policy format in descs when we can;
|
|
|
+ warn when the mask is not reducible to a bit-prefix.
|
|
|
+ - There used to be two ways to specify your listening ports in a
|
|
|
+ server descriptor: on the "router" line and with a separate "ports"
|
|
|
+ line. Remove support for the "ports" line.
|
|
|
+ - Reduce memory requirements in our structs by changing the order
|
|
|
+ of fields. Replace balanced trees with hash tables. Inline
|
|
|
+ bottleneck smartlist functions. Add a "Map from digest to void*"
|
|
|
+ abstraction so we can do less hex encoding/decoding, and use it
|
|
|
+ in router_get_by_digest(). Many other CPU and memory improvements.
|
|
|
+ - Allow tor_gzip_uncompress to extract as much as possible from
|
|
|
+ truncated compressed data. Try to extract as many
|
|
|
+ descriptors as possible from truncated http responses (when
|
|
|
+ purpose is DIR_PURPOSE_FETCH_ROUTERDESC).
|
|
|
+ - Make circ->onionskin a pointer, not a static array. moria2 was using
|
|
|
+ 125000 circuit_t's after it had been up for a few weeks, which
|
|
|
+ translates to 20+ megs of wasted space.
|
|
|
+ - The private half of our EDH handshake keys are now chosen out
|
|
|
+ of 320 bits, not 1024 bits. (Suggested by Ian Goldberg.)
|
|
|
+ - Stop doing the complex voodoo overkill checking for insecure
|
|
|
+ Diffie-Hellman keys. Just check if it's in [2,p-2] and be happy.
|
|
|
+ - Do round-robin writes for TLS of at most 16 kB per write. This
|
|
|
+ might be more fair on loaded Tor servers.
|
|
|
+ - Do not use unaligned memory access on alpha, mips, or mipsel.
|
|
|
+ It *works*, but is very slow, so we treat them as if it doesn't.
|
|
|
+
|
|
|
+ o Other bugfixes and improvements:
|
|
|
+ - Start storing useful information to $DATADIR/state, so we can
|
|
|
+ remember things across invocations of Tor. Retain unrecognized
|
|
|
+ lines so we can be forward-compatible, and write a TorVersion line
|
|
|
+ so we can be backward-compatible.
|
|
|
+ - If ORPort is set, Address is not explicitly set, and our hostname
|
|
|
+ resolves to a private IP address, try to use an interface address
|
|
|
+ if it has a public address. Now Windows machines that think of
|
|
|
+ themselves as localhost can guess their address.
|
|
|
+ - Regenerate our local descriptor if it's dirty and we try to use
|
|
|
+ it locally (e.g. if it changes during reachability detection).
|
|
|
+ This was causing some Tor servers to keep publishing the same
|
|
|
+ initial descriptor forever.
|
|
|
+ - Tor servers with dynamic IP addresses were needing to wait 18
|
|
|
+ hours before they could start doing reachability testing using
|
|
|
+ the new IP address and ports. This is because they were using
|
|
|
+ the internal descriptor to learn what to test, yet they were only
|
|
|
+ rebuilding the descriptor once they decided they were reachable.
|
|
|
+ - It turns out we couldn't bootstrap a network since we added
|
|
|
+ reachability detection in 0.1.0.1-rc. Good thing the Tor network
|
|
|
+ has never gone down. Add an AssumeReachable config option to let
|
|
|
+ servers and authorities bootstrap. When we're trying to build a
|
|
|
+ high-uptime or high-bandwidth circuit but there aren't enough
|
|
|
+ suitable servers, try being less picky rather than simply failing.
|
|
|
+ - Newly bootstrapped Tor networks couldn't establish hidden service
|
|
|
+ circuits until they had nodes with high uptime. Be more tolerant.
|
|
|
+ - Really busy servers were keeping enough circuits open on stable
|
|
|
+ connections that they were wrapping around the circuit_id
|
|
|
+ space. (It's only two bytes.) This exposed a bug where we would
|
|
|
+ feel free to reuse a circuit_id even if it still exists but has
|
|
|
+ been marked for close. Try to fix this bug. Some bug remains.
|
|
|
+ - When we fail to bind or listen on an incoming or outgoing
|
|
|
+ socket, we now close it before refusing, rather than just
|
|
|
+ leaking it. (Thanks to Peter Palfrader for finding.)
|
|
|
+ - Fix a file descriptor leak in start_daemon().
|
|
|
+ - On Windows, you can't always reopen a port right after you've
|
|
|
+ closed it. So change retry_listeners() to only close and re-open
|
|
|
+ ports that have changed.
|
|
|
+ - Workaround a problem with some http proxies that refuse GET
|
|
|
+ requests that specify "Content-Length: 0". Reported by Adrian.
|
|
|
+ - Recover better from TCP connections to Tor servers that are
|
|
|
+ broken but don't tell you (it happens!); and rotate TLS
|
|
|
+ connections once a week.
|
|
|
+ - Fix a scary-looking but apparently harmless bug where circuits
|
|
|
+ would sometimes start out in state CIRCUIT_STATE_OR_WAIT at
|
|
|
+ servers, and never switch to state CIRCUIT_STATE_OPEN.
|
|
|
+ - Check for even more Windows version flags when writing the platform
|
|
|
+ string in server descriptors, and note any we don't recognize.
|
|
|
+ - Add reasons to DESTROY and RELAY_TRUNCATED cells, so clients can
|
|
|
+ get a better idea of why their circuits failed. Not used yet.
|
|
|
+ - Add TTLs to RESOLVED, CONNECTED, and END_REASON_EXITPOLICY cells.
|
|
|
+ We don't use them yet, but maybe one day our DNS resolver will be
|
|
|
+ able to discover them.
|
|
|
+ - Let people type "tor --install" as well as "tor -install" when they
|
|
|
+ want to make it an NT service.
|
|
|
+ - Looks like we were never delivering deflated (i.e. compressed)
|
|
|
+ running-routers lists, even when asked. Oops.
|
|
|
+ - We were leaking some memory every time the client changed IPs.
|
|
|
+ - Clean up more of the OpenSSL memory when exiting, so we can detect
|
|
|
+ memory leaks better.
|
|
|
+ - Never call free() on tor_malloc()d memory. This will help us
|
|
|
+ use dmalloc to detect memory leaks.
|
|
|
+ - Some Tor servers process billions of cells per day. These
|
|
|
+ statistics are now uint64_t's.
|
|
|
+ - Check [X-]Forwarded-For headers in HTTP requests when generating
|
|
|
+ log messages. This lets people run dirservers (and caches) behind
|
|
|
+ Apache but still know which IP addresses are causing warnings.
|
|
|
+ - Fix minor integer overflow in calculating when we expect to use up
|
|
|
+ our bandwidth allocation before hibernating.
|
|
|
+ - Lower the minimum required number of file descriptors to 1000,
|
|
|
+ so we can have some overhead for Valgrind on Linux, where the
|
|
|
+ default ulimit -n is 1024.
|
|
|
+ - Stop writing the "router.desc" file, ever. Nothing uses it anymore,
|
|
|
+ and its existence is confusing some users.
|
|
|
+
|
|
|
+ o Config option fixes:
|
|
|
+ - Add a new config option ExitPolicyRejectPrivate which defaults
|
|
|
+ to on. Now all exit policies will begin with rejecting private
|
|
|
+ addresses, unless the server operator explicitly turns it off.
|
|
|
+ - Bump the default bandwidthrate to 3 MB, and burst to 6 MB.
|
|
|
+ - Add new ReachableORAddresses and ReachableDirAddresses options
|
|
|
+ that understand address policies. FascistFirewall is now a synonym
|
|
|
+ for "ReachableORAddresses *:443", "ReachableDirAddresses *:80".
|
|
|
+ - Start calling it FooListenAddress rather than FooBindAddress,
|
|
|
+ since few of our users know what it means to bind an address
|
|
|
+ or port.
|
|
|
+ - If the user gave Tor an odd number of command-line arguments,
|
|
|
+ we were silently ignoring the last one. Now we complain and fail.
|
|
|
+ This wins the oldest-bug prize -- this bug has been present since
|
|
|
+ November 2002, as released in Tor 0.0.0.
|
|
|
+ - If you write "HiddenServicePort 6667 127.0.0.1 6668" in your
|
|
|
+ torrc rather than "HiddenServicePort 6667 127.0.0.1:6668",
|
|
|
+ it would silently ignore the 6668.
|
|
|
+ - If we get a linelist or linelist_s config option from the torrc,
|
|
|
+ e.g. ExitPolicy, and it has no value, warn and skip rather than
|
|
|
+ silently resetting it to its default.
|
|
|
+ - Setconf was appending items to linelists, not clearing them.
|
|
|
+ - Add MyFamily to torrc.sample in the server section, so operators
|
|
|
+ will be more likely to learn that it exists.
|
|
|
+ - Make ContactInfo mandatory for authoritative directory servers.
|
|
|
+ - MaxConn has been obsolete for a while now. Document the ConnLimit
|
|
|
+ config option, which is a *minimum* number of file descriptors
|
|
|
+ that must be available else Tor refuses to start.
|
|
|
+ - Get rid of IgnoreVersion undocumented config option, and make us
|
|
|
+ only warn, never exit, when we're running an obsolete version.
|
|
|
+ - Make MonthlyAccountingStart config option truly obsolete now.
|
|
|
+ - Correct the man page entry on TrackHostExitsExpire.
|
|
|
+ - Let directory authorities start even if they don't specify an
|
|
|
+ Address config option.
|
|
|
+ - Change "AllowUnverifiedNodes" to "AllowInvalidNodes", to
|
|
|
+ reflect the updated flags in our v2 dir protocol.
|
|
|
+
|
|
|
+ o Config option features:
|
|
|
+ - Add a new config option FastFirstHopPK (on by default) so clients
|
|
|
+ do a trivial crypto handshake for their first hop, since TLS has
|
|
|
+ already taken care of confidentiality and authentication.
|
|
|
+ - Let the user set ControlListenAddress in the torrc. This can be
|
|
|
+ dangerous, but there are some cases (like a secured LAN) where it
|
|
|
+ makes sense.
|
|
|
+ - New config options to help controllers: FetchServerDescriptors
|
|
|
+ and FetchHidServDescriptors for whether to fetch server
|
|
|
+ info and hidserv info or let the controller do it, and
|
|
|
+ PublishServerDescriptor and PublishHidServDescriptors.
|
|
|
+ - Also let the controller set the __AllDirActionsPrivate config
|
|
|
+ option if you want all directory fetches/publishes to happen via
|
|
|
+ Tor (it assumes your controller bootstraps your circuits).
|
|
|
+ - Add "HardwareAccel" config option: support for crypto hardware
|
|
|
+ accelerators via OpenSSL. Off by default, until we find somebody
|
|
|
+ smart who can test it for us. (It appears to produce seg faults
|
|
|
+ in at least some cases.)
|
|
|
+ - New config option "AuthDirRejectUnlisted" for directory authorities
|
|
|
+ as a panic button: if we get flooded with unusable servers we can
|
|
|
+ revert to only listing servers in the approved-routers file.
|
|
|
+ - Directory authorities can now reject/invalidate by key and IP,
|
|
|
+ with the config options "AuthDirInvalid" and "AuthDirReject", or
|
|
|
+ by marking a fingerprint as "!reject" or "!invalid" (as its
|
|
|
+ nickname) in the approved-routers file. This is useful since
|
|
|
+ currently we automatically list servers as running and usable
|
|
|
+ even if we know they're jerks.
|
|
|
+ - Add a new config option TestSocks so people can see whether their
|
|
|
+ applications are using socks4, socks4a, socks5-with-ip, or
|
|
|
+ socks5-with-fqdn. This way they don't have to keep mucking
|
|
|
+ with tcpdump and wondering if something got cached somewhere.
|
|
|
+ - Add "private:*" as an alias in configuration for policies. Now
|
|
|
+ you can simplify your exit policy rather than needing to list
|
|
|
+ every single internal or nonroutable network space.
|
|
|
+ - Accept "private:*" in routerdesc exit policies; not generated yet
|
|
|
+ because older Tors do not understand it.
|
|
|
+ - Add configuration option "V1AuthoritativeDirectory 1" which
|
|
|
+ moria1, moria2, and tor26 have set.
|
|
|
+ - Implement an option, VirtualAddrMask, to set which addresses
|
|
|
+ get handed out in response to mapaddress requests. This works
|
|
|
+ around a bug in tsocks where 127.0.0.0/8 is never socksified.
|
|
|
+ - Add a new config option FetchUselessDescriptors, off by default,
|
|
|
+ for when you plan to run "exitlist" on your client and you want
|
|
|
+ to know about even the non-running descriptors.
|
|
|
+ - SocksTimeout: How long do we let a socks connection wait
|
|
|
+ unattached before we fail it?
|
|
|
+ - CircuitBuildTimeout: Cull non-open circuits that were born
|
|
|
+ at least this many seconds ago.
|
|
|
+ - CircuitIdleTimeout: Cull open clean circuits that were born
|
|
|
+ at least this many seconds ago.
|
|
|
+ - New config option SafeSocks to reject all application connections
|
|
|
+ using unsafe socks protocols. Defaults to off.
|
|
|
+
|
|
|
+ o Improved and clearer log messages:
|
|
|
+ - Reduce clutter in server logs. We're going to try to make
|
|
|
+ them actually usable now. New config option ProtocolWarnings that
|
|
|
+ lets you hear about how _other Tors_ are breaking the protocol. Off
|
|
|
+ by default.
|
|
|
+ - Divide log messages into logging domains. Once we put some sort
|
|
|
+ of interface on this, it will let people looking at more verbose
|
|
|
+ log levels specify the topics they want to hear more about.
|
|
|
+ - Log server fingerprint on startup, so new server operators don't
|
|
|
+ have to go hunting around their filesystem for it.
|
|
|
+ - Provide dire warnings to any users who set DirServer manually;
|
|
|
+ move it out of torrc.sample and into torrc.complete.
|
|
|
+ - Make the log message less scary when all the dirservers are
|
|
|
+ temporarily unreachable.
|
|
|
+ - When tor_socketpair() fails in Windows, give a reasonable
|
|
|
+ Windows-style errno back.
|
|
|
+ - Improve tor_gettimeofday() granularity on windows.
|
|
|
+ - We were printing the number of idle dns workers incorrectly when
|
|
|
+ culling them.
|
|
|
+ - Handle duplicate lines in approved-routers files without warning.
|
|
|
+ - We were whining about using socks4 or socks5-with-local-lookup
|
|
|
+ even when it's an IP address in the "virtual" range we designed
|
|
|
+ exactly for this case.
|
|
|
+ - Check for named servers when looking them up by nickname;
|
|
|
+ warn when we're calling a non-named server by its nickname;
|
|
|
+ don't warn twice about the same name.
|
|
|
+ - Downgrade the dirserver log messages when whining about
|
|
|
+ unreachability.
|
|
|
+ - Correct "your server is reachable" log entries to indicate that
|
|
|
+ it was self-testing that told us so.
|
|
|
+ - If we're trying to be a Tor server and running Windows 95/98/ME
|
|
|
+ as a server, explain that we'll likely crash.
|
|
|
+ - Provide a more useful warn message when our onion queue gets full:
|
|
|
+ the CPU is too slow or the exit policy is too liberal.
|
|
|
+ - Don't warn when we receive a 503 from a dirserver/cache -- this
|
|
|
+ will pave the way for them being able to refuse if they're busy.
|
|
|
+ - When we fail to bind a listener, try to provide a more useful
|
|
|
+ log message: e.g., "Is Tor already running?"
|
|
|
+ - Only start testing reachability once we've established a
|
|
|
+ circuit. This will make startup on dir authorities less noisy.
|
|
|
+ - Don't try to upload hidden service descriptors until we have
|
|
|
+ established a circuit.
|
|
|
+ - Tor didn't warn when it failed to open a log file.
|
|
|
+ - Warn when listening on a public address for socks. We suspect a
|
|
|
+ lot of people are setting themselves up as open socks proxies,
|
|
|
+ and they have no idea that jerks on the Internet are using them,
|
|
|
+ since they simply proxy the traffic into the Tor network.
|
|
|
+ - Give a useful message when people run Tor as the wrong user,
|
|
|
+ rather than telling them to start chowning random directories.
|
|
|
+ - Fix a harmless bug that was causing Tor servers to log
|
|
|
+ "Got an end because of misc error, but we're not an AP. Closing."
|
|
|
+ - Fix wrong log message when you add a "HiddenServiceNodes" config
|
|
|
+ line without any HiddenServiceDir line (reported by Chris Thomas).
|
|
|
+ - Directory authorities now stop whining so loudly about bad
|
|
|
+ descriptors that they fetch from other dirservers. So when there's
|
|
|
+ a log complaint, it's for sure from a freshly uploaded descriptor.
|
|
|
+ - When logging via syslog, include the pid whenever we provide
|
|
|
+ a log entry. Suggested by Todd Fries.
|
|
|
+ - When we're shutting down and we do something like try to post a
|
|
|
+ server descriptor or rendezvous descriptor, don't complain that
|
|
|
+ we seem to be unreachable. Of course we are, we're shutting down.
|
|
|
+ - Change log line for unreachability to explicitly suggest /etc/hosts
|
|
|
+ as the culprit. Also make it clearer what IP address and ports we're
|
|
|
+ testing for reachability.
|
|
|
+ - Put quotes around user-supplied strings when logging so users are
|
|
|
+ more likely to realize if they add bad characters (like quotes)
|
|
|
+ to the torrc.
|
|
|
+ - NT service patch from Matt Edman to improve error messages on Win32.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.1.0.17 - 2006-02-17
|
|
|
+ o Crash bugfixes on 0.1.0.x:
|
|
|
+ - When servers with a non-zero DirPort came out of hibernation,
|
|
|
+ sometimes they would trigger an assert.
|
|
|
+
|
|
|
+ o Other important bugfixes:
|
|
|
+ - On platforms that don't have getrlimit (like Windows), we were
|
|
|
+ artificially constraining ourselves to a max of 1024
|
|
|
+ connections. Now just assume that we can handle as many as 15000
|
|
|
+ connections. Hopefully this won't cause other problems.
|
|
|
+
|
|
|
+ o Backported features:
|
|
|
+ - When we're a server, a client asks for an old-style directory,
|
|
|
+ and our write bucket is empty, don't give it to him. This way
|
|
|
+ small servers can continue to serve the directory *sometimes*,
|
|
|
+ without getting overloaded.
|
|
|
+ - Whenever you get a 503 in response to a directory fetch, try
|
|
|
+ once more. This will become important once servers start sending
|
|
|
+ 503's whenever they feel busy.
|
|
|
+ - Fetch a new directory every 120 minutes, not every 40 minutes.
|
|
|
+ Now that we have hundreds of thousands of users running the old
|
|
|
+ directory algorithm, it's starting to hurt a lot.
|
|
|
+ - Bump up the period for forcing a hidden service descriptor upload
|
|
|
+ from 20 minutes to 1 hour.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.1.0.16 - 2006-01-02
|
|
|
+ o Crash bugfixes on 0.1.0.x:
|
|
|
+ - On Windows, build with a libevent patch from "I-M Weasel" to avoid
|
|
|
+ corrupting the heap, losing FDs, or crashing when we need to resize
|
|
|
+ the fd_sets. (This affects the Win32 binaries, not Tor's sources.)
|
|
|
+ - It turns out sparc64 platforms crash on unaligned memory access
|
|
|
+ too -- so detect and avoid this.
|
|
|
+ - Handle truncated compressed data correctly (by detecting it and
|
|
|
+ giving an error).
|
|
|
+ - Fix possible-but-unlikely free(NULL) in control.c.
|
|
|
+ - When we were closing connections, there was a rare case that
|
|
|
+ stomped on memory, triggering seg faults and asserts.
|
|
|
+ - Avoid potential infinite recursion when building a descriptor. (We
|
|
|
+ don't know that it ever happened, but better to fix it anyway.)
|
|
|
+ - We were neglecting to unlink marked circuits from soon-to-close OR
|
|
|
+ connections, which caused some rare scribbling on freed memory.
|
|
|
+ - Fix a memory stomping race bug when closing the joining point of two
|
|
|
+ rendezvous circuits.
|
|
|
+ - Fix an assert in time parsing found by Steven Murdoch.
|
|
|
+
|
|
|
+ o Other bugfixes on 0.1.0.x:
|
|
|
+ - When we're doing reachability testing, provide more useful log
|
|
|
+ messages so the operator knows what to expect.
|
|
|
+ - Do not check whether DirPort is reachable when we are suppressing
|
|
|
+ advertising it because of hibernation.
|
|
|
+ - When building with -static or on Solaris, we sometimes needed -ldl.
|
|
|
+ - One of the dirservers (tor26) changed its IP address.
|
|
|
+ - When we're deciding whether a stream has enough circuits around
|
|
|
+ that can handle it, count the freshly dirty ones and not the ones
|
|
|
+ that are so dirty they won't be able to handle it.
|
|
|
+ - When we're expiring old circuits, we had a logic error that caused
|
|
|
+ us to close new rendezvous circuits rather than old ones.
|
|
|
+ - Give a more helpful log message when you try to change ORPort via
|
|
|
+ the controller: you should upgrade Tor if you want that to work.
|
|
|
+ - We were failing to parse Tor versions that start with "Tor ".
|
|
|
+ - Tolerate faulty streams better: when a stream fails for reason
|
|
|
+ exitpolicy, stop assuming that the router is lying about his exit
|
|
|
+ policy. When a stream fails for reason misc, allow it to retry just
|
|
|
+ as if it was resolvefailed. When a stream has failed three times,
|
|
|
+ reset its failure count so we can try again and get all three tries.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.1.0.15 - 2005-09-23
|
|
|
+ o Bugfixes on 0.1.0.x:
|
|
|
+ - Reject ports 465 and 587 (spam targets) in default exit policy.
|
|
|
+ - Don't crash when we don't have any spare file descriptors and we
|
|
|
+ try to spawn a dns or cpu worker.
|
|
|
+ - Get rid of IgnoreVersion undocumented config option, and make us
|
|
|
+ only warn, never exit, when we're running an obsolete version.
|
|
|
+ - Don't try to print a null string when your server finds itself to
|
|
|
+ be unreachable and the Address config option is empty.
|
|
|
+ - Make the numbers in read-history and write-history into uint64s,
|
|
|
+ so they don't overflow and publish negatives in the descriptor.
|
|
|
+ - Fix a minor memory leak in smartlist_string_remove().
|
|
|
+ - We were only allowing ourselves to upload a server descriptor at
|
|
|
+ most every 20 minutes, even if it changed earlier than that.
|
|
|
+ - Clean up log entries that pointed to old URLs.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.1.0.14 - 2005-08-08
|
|
|
+ o Bugfixes on 0.1.0.x:
|
|
|
+ - Fix the other half of the bug with crypto handshakes
|
|
|
+ (CVE-2005-2643).
|
|
|
+ - Fix an assert trigger if you send a 'signal term' via the
|
|
|
+ controller when it's listening for 'event info' messages.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.1.0.13 - 2005-08-04
|
|
|
+ o Bugfixes on 0.1.0.x:
|
|
|
+ - Fix a critical bug in the security of our crypto handshakes.
|
|
|
+ - Fix a size_t underflow in smartlist_join_strings2() that made
|
|
|
+ it do bad things when you hand it an empty smartlist.
|
|
|
+ - Fix Windows installer to ship Tor license (thanks to Aphex for
|
|
|
+ pointing out this oversight) and put a link to the doc directory
|
|
|
+ in the start menu.
|
|
|
+ - Explicitly set no-unaligned-access for sparc: it turns out the
|
|
|
+ new gcc's let you compile broken code, but that doesn't make it
|
|
|
+ not-broken.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.1.0.12 - 2005-07-18
|
|
|
+ o New directory servers:
|
|
|
+ - tor26 has changed IP address.
|
|
|
+
|
|
|
+ o Bugfixes on 0.1.0.x:
|
|
|
+ - Fix a possible double-free in tor_gzip_uncompress().
|
|
|
+ - When --disable-threads is set, do not search for or link against
|
|
|
+ pthreads libraries.
|
|
|
+ - Don't trigger an assert if an authoritative directory server
|
|
|
+ claims its dirport is 0.
|
|
|
+ - Fix bug with removing Tor as an NT service: some people were
|
|
|
+ getting "The service did not return an error." Thanks to Matt
|
|
|
+ Edman for the fix.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.1.0.11 - 2005-06-30
|
|
|
+ o Bugfixes on 0.1.0.x:
|
|
|
+ - Fix major security bug: servers were disregarding their
|
|
|
+ exit policies if clients behaved unexpectedly.
|
|
|
+ - Make OS X init script check for missing argument, so we don't
|
|
|
+ confuse users who invoke it incorrectly.
|
|
|
+ - Fix a seg fault in "tor --hash-password foo".
|
|
|
+ - The MAPADDRESS control command was broken.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.1.0.10 - 2005-06-14
|
|
|
+ o Fixes on Win32:
|
|
|
+ - Make NT services work and start on startup on Win32 (based on
|
|
|
+ patch by Matt Edman). See the FAQ entry for details.
|
|
|
+ - Make 'platform' string in descriptor more accurate for Win32
|
|
|
+ servers, so it's not just "unknown platform".
|
|
|
+ - REUSEADDR on normal platforms means you can rebind to the port
|
|
|
+ right after somebody else has let it go. But REUSEADDR on Win32
|
|
|
+ means you can bind to the port _even when somebody else already
|
|
|
+ has it bound_! So, don't do that on Win32.
|
|
|
+ - Clean up the log messages when starting on Win32 with no config
|
|
|
+ file.
|
|
|
+ - Allow seeding the RNG on Win32 even when you're not running as
|
|
|
+ Administrator. If seeding the RNG on Win32 fails, quit.
|
|
|
+
|
|
|
+ o Assert / crash bugs:
|
|
|
+ - Refuse relay cells that claim to have a length larger than the
|
|
|
+ maximum allowed. This prevents a potential attack that could read
|
|
|
+ arbitrary memory (e.g. keys) from an exit server's process
|
|
|
+ (CVE-2005-2050).
|
|
|
+ - If unofficial Tor clients connect and send weird TLS certs, our
|
|
|
+ Tor server triggers an assert. Stop asserting, and start handling
|
|
|
+ TLS errors better in other situations too.
|
|
|
+ - Fix a race condition that can trigger an assert when we have a
|
|
|
+ pending create cell and an OR connection attempt fails.
|
|
|
+
|
|
|
+ o Resource leaks:
|
|
|
+ - Use pthreads for worker processes rather than forking. This was
|
|
|
+ forced because when we forked, we ended up wasting a lot of
|
|
|
+ duplicate ram over time.
|
|
|
+ - Also switch to foo_r versions of some library calls to allow
|
|
|
+ reentry and threadsafeness.
|
|
|
+ - Implement --disable-threads configure option. Disable threads on
|
|
|
+ netbsd and openbsd by default, because they have no reentrant
|
|
|
+ resolver functions (!), and on solaris since it has other
|
|
|
+ threading issues.
|
|
|
+ - Fix possible bug on threading platforms (e.g. win32) which was
|
|
|
+ leaking a file descriptor whenever a cpuworker or dnsworker died.
|
|
|
+ - Fix a minor memory leak when somebody establishes an introduction
|
|
|
+ point at your Tor server.
|
|
|
+ - Fix possible memory leak in tor_lookup_hostname(). (Thanks to
|
|
|
+ Adam Langley.)
|
|
|
+ - Add ./configure --with-dmalloc option, to track memory leaks.
|
|
|
+ - And try to free all memory on closing, so we can detect what
|
|
|
+ we're leaking.
|
|
|
+
|
|
|
+ o Protocol correctness:
|
|
|
+ - When we've connected to an OR and handshaked but didn't like
|
|
|
+ the result, we were closing the conn without sending destroy
|
|
|
+ cells back for pending circuits. Now send those destroys.
|
|
|
+ - Start sending 'truncated' cells back rather than destroy cells
|
|
|
+ if the circuit closes in front of you. This means we won't have
|
|
|
+ to abandon partially built circuits.
|
|
|
+ - Handle changed router status correctly when dirserver reloads
|
|
|
+ fingerprint file. We used to be dropping all unverified descriptors
|
|
|
+ right then. The bug was hidden because we would immediately
|
|
|
+ fetch a directory from another dirserver, which would include the
|
|
|
+ descriptors we just dropped.
|
|
|
+ - Revise tor-spec to add more/better stream end reasons.
|
|
|
+ - Revise all calls to connection_edge_end to avoid sending 'misc',
|
|
|
+ and to take errno into account where possible.
|
|
|
+ - Client now retries when streams end early for 'hibernating' or
|
|
|
+ 'resource limit' reasons, rather than failing them.
|
|
|
+ - Try to be more zealous about calling connection_edge_end when
|
|
|
+ things go bad with edge conns in connection.c.
|
|
|
+
|
|
|
+ o Robustness improvements:
|
|
|
+ - Better handling for heterogeneous / unreliable nodes:
|
|
|
+ - Annotate circuits with whether they aim to contain high uptime
|
|
|
+ nodes and/or high capacity nodes. When building circuits, choose
|
|
|
+ appropriate nodes.
|
|
|
+ - This means that every single node in an intro rend circuit,
|
|
|
+ not just the last one, will have a minimum uptime.
|
|
|
+ - New config option LongLivedPorts to indicate application streams
|
|
|
+ that will want high uptime circuits.
|
|
|
+ - Servers reset uptime when a dir fetch entirely fails. This
|
|
|
+ hopefully reflects stability of the server's network connectivity.
|
|
|
+ - If somebody starts his tor server in Jan 2004 and then fixes his
|
|
|
+ clock, don't make his published uptime be a year.
|
|
|
+ - Reset published uptime when we wake up from hibernation.
|
|
|
+ - Introduce a notion of 'internal' circs, which are chosen without
|
|
|
+ regard to the exit policy of the last hop. Intro and rendezvous
|
|
|
+ circs must be internal circs, to avoid leaking information. Resolve
|
|
|
+ and connect streams can use internal circs if they want.
|
|
|
+ - New circuit pooling algorithm: keep track of what destination ports
|
|
|
+ we've used recently (start out assuming we'll want to use 80), and
|
|
|
+ make sure to have enough circs around to satisfy these ports. Also
|
|
|
+ make sure to have 2 internal circs around if we've required internal
|
|
|
+ circs lately (and with high uptime if we've seen that lately too).
|
|
|
+ - Turn addr_policy_compare from a tristate to a quadstate; this should
|
|
|
+ help address our "Ah, you allow 1.2.3.4:80. You are a good choice
|
|
|
+ for google.com" problem.
|
|
|
+ - When a client asks us for a dir mirror and we don't have one,
|
|
|
+ launch an attempt to get a fresh one.
|
|
|
+ - First cut at support for "create-fast" cells. Clients can use
|
|
|
+ these when extending to their first hop, since the TLS already
|
|
|
+ provides forward secrecy and authentication. Not enabled on
|
|
|
+ clients yet.
|
|
|
+
|
|
|
+ o Reachability testing.
|
|
|
+ - Your Tor server will automatically try to see if its ORPort and
|
|
|
+ DirPort are reachable from the outside, and it won't upload its
|
|
|
+ descriptor until it decides at least ORPort is reachable (when
|
|
|
+ DirPort is not yet found reachable, publish it as zero).
|
|
|
+ - When building testing circs for ORPort testing, use only
|
|
|
+ high-bandwidth nodes, so fewer circuits fail.
|
|
|
+ - Notice when our IP changes, and reset stats/uptime/reachability.
|
|
|
+ - Authdirservers don't do ORPort reachability detection, since
|
|
|
+ they're in clique mode, so it will be rare to find a server not
|
|
|
+ already connected to them.
|
|
|
+ - Authdirservers now automatically approve nodes running 0.1.0.2-rc
|
|
|
+ or later.
|
|
|
+
|
|
|
+ o Dirserver fixes:
|
|
|
+ - Now we allow two unverified servers with the same nickname
|
|
|
+ but different keys. But if a nickname is verified, only that
|
|
|
+ nickname+key are allowed.
|
|
|
+ - If you're an authdirserver connecting to an address:port,
|
|
|
+ and it's not the OR you were expecting, forget about that
|
|
|
+ descriptor. If he *was* the one you were expecting, then forget
|
|
|
+ about all other descriptors for that address:port.
|
|
|
+ - Allow servers to publish descriptors from 12 hours in the future.
|
|
|
+ Corollary: only whine about clock skew from the dirserver if
|
|
|
+ he's a trusted dirserver (since now even verified servers could
|
|
|
+ have quite wrong clocks).
|
|
|
+ - Require servers that use the default dirservers to have public IP
|
|
|
+ addresses. We have too many servers that are configured with private
|
|
|
+ IPs and their admins never notice the log entries complaining that
|
|
|
+ their descriptors are being rejected.
|
|
|
+
|
|
|
+ o Efficiency improvements:
|
|
|
+ - Use libevent. Now we can use faster async cores (like epoll, kpoll,
|
|
|
+ and /dev/poll), and hopefully work better on Windows too.
|
|
|
+ - Apple's OS X 10.4.0 ships with a broken kqueue API, and using
|
|
|
+ kqueue on 10.3.9 causes kernel panics. Don't use kqueue on OS X.
|
|
|
+ - Find libevent even if it's hiding in /usr/local/ and your
|
|
|
+ CFLAGS and LDFLAGS don't tell you to look there.
|
|
|
+ - Be able to link with libevent as a shared library (the default
|
|
|
+ after 1.0d), even if it's hiding in /usr/local/lib and even
|
|
|
+ if you haven't added /usr/local/lib to your /etc/ld.so.conf,
|
|
|
+ assuming you're running gcc. Otherwise fail and give a useful
|
|
|
+ error message.
|
|
|
+ - Switch to a new buffer management algorithm, which tries to avoid
|
|
|
+ reallocing and copying quite as much. In first tests it looks like
|
|
|
+ it uses *more* memory on average, but less cpu.
|
|
|
+ - Switch our internal buffers implementation to use a ring buffer,
|
|
|
+ to hopefully improve performance for fast servers a lot.
|
|
|
+ - Reenable the part of the code that tries to flush as soon as an
|
|
|
+ OR outbuf has a full TLS record available. Perhaps this will make
|
|
|
+ OR outbufs not grow as huge except in rare cases, thus saving lots
|
|
|
+ of CPU time plus memory.
|
|
|
+ - Improve performance for dirservers: stop re-parsing the whole
|
|
|
+ directory every time you regenerate it.
|
|
|
+ - Keep a big splay tree of (circid,orconn)->circuit mappings to make
|
|
|
+ it much faster to look up a circuit for each relay cell.
|
|
|
+ - Remove most calls to assert_all_pending_dns_resolves_ok(),
|
|
|
+ since they're eating our cpu on exit nodes.
|
|
|
+ - Stop wasting time doing a case insensitive comparison for every
|
|
|
+ dns name every time we do any lookup. Canonicalize the names to
|
|
|
+ lowercase when you first see them.
|
|
|
+
|
|
|
+ o Hidden services:
|
|
|
+ - Handle unavailable hidden services better. Handle slow or busy
|
|
|
+ hidden services better.
|
|
|
+ - Cannibalize GENERAL circs to be C_REND, C_INTRO, S_INTRO, and S_REND
|
|
|
+ circ as necessary, if there are any completed ones lying around
|
|
|
+ when we try to launch one.
|
|
|
+ - Make hidden services try to establish a rendezvous for 30 seconds
|
|
|
+ after fetching the descriptor, rather than for n (where n=3)
|
|
|
+ attempts to build a circuit.
|
|
|
+ - Adjust maximum skew and age for rendezvous descriptors: let skew
|
|
|
+ be 48 hours rather than 90 minutes.
|
|
|
+ - Reject malformed .onion addresses rather then passing them on as
|
|
|
+ normal web requests.
|
|
|
+
|
|
|
+ o Controller:
|
|
|
+ - More Tor controller support. See
|
|
|
+ http://tor.eff.org/doc/control-spec.txt for all the new features,
|
|
|
+ including signals to emulate unix signals from any platform;
|
|
|
+ redirectstream; extendcircuit; mapaddress; getinfo; postdescriptor;
|
|
|
+ closestream; closecircuit; etc.
|
|
|
+ - Encode hashed controller passwords in hex instead of base64,
|
|
|
+ to make it easier to write controllers.
|
|
|
+ - Revise control spec and implementation to allow all log messages to
|
|
|
+ be sent to controller with their severities intact (suggested by
|
|
|
+ Matt Edman). Disable debug-level logs while delivering a debug-level
|
|
|
+ log to the controller, to prevent loop. Update TorControl to handle
|
|
|
+ new log event types.
|
|
|
+
|
|
|
+ o New config options/defaults:
|
|
|
+ - Begin scrubbing sensitive strings from logs by default. Turn off
|
|
|
+ the config option SafeLogging if you need to do debugging.
|
|
|
+ - New exit policy: accept most low-numbered ports, rather than
|
|
|
+ rejecting most low-numbered ports.
|
|
|
+ - Put a note in the torrc about abuse potential with the default
|
|
|
+ exit policy.
|
|
|
+ - Add support for CONNECTing through https proxies, with "HttpsProxy"
|
|
|
+ config option.
|
|
|
+ - Add HttpProxyAuthenticator and HttpsProxyAuthenticator support
|
|
|
+ based on patch from Adam Langley (basic auth only).
|
|
|
+ - Bump the default BandwidthRate from 1 MB to 2 MB, to accommodate
|
|
|
+ the fast servers that have been joining lately. (Clients are now
|
|
|
+ willing to load balance over up to 2 MB of advertised bandwidth
|
|
|
+ capacity too.)
|
|
|
+ - New config option MaxAdvertisedBandwidth which lets you advertise
|
|
|
+ a low bandwidthrate (to not attract as many circuits) while still
|
|
|
+ allowing a higher bandwidthrate in reality.
|
|
|
+ - Require BandwidthRate to be at least 20kB/s for servers.
|
|
|
+ - Add a NoPublish config option, so you can be a server (e.g. for
|
|
|
+ testing running Tor servers in other Tor networks) without
|
|
|
+ publishing your descriptor to the primary dirservers.
|
|
|
+ - Add a new AddressMap config directive to rewrite incoming socks
|
|
|
+ addresses. This lets you, for example, declare an implicit
|
|
|
+ required exit node for certain sites.
|
|
|
+ - Add a new TrackHostExits config directive to trigger addressmaps
|
|
|
+ for certain incoming socks addresses -- for sites that break when
|
|
|
+ your exit keeps changing (based on patch from Mike Perry).
|
|
|
+ - Split NewCircuitPeriod option into NewCircuitPeriod (30 secs),
|
|
|
+ which describes how often we retry making new circuits if current
|
|
|
+ ones are dirty, and MaxCircuitDirtiness (10 mins), which describes
|
|
|
+ how long we're willing to make use of an already-dirty circuit.
|
|
|
+ - Change compiled-in SHUTDOWN_WAIT_LENGTH from a fixed 30 secs to
|
|
|
+ a config option "ShutdownWaitLength" (when using kill -INT on
|
|
|
+ servers).
|
|
|
+ - Fix an edge case in parsing config options: if they say "--"
|
|
|
+ on the commandline, it's not a config option (thanks weasel).
|
|
|
+ - New config option DirAllowPrivateAddresses for authdirservers.
|
|
|
+ Now by default they refuse router descriptors that have non-IP or
|
|
|
+ private-IP addresses.
|
|
|
+ - Change DirFetchPeriod/StatusFetchPeriod to have a special "Be
|
|
|
+ smart" default value: low for servers and high for clients.
|
|
|
+ - Some people were putting "Address " in their torrc, and they had
|
|
|
+ a buggy resolver that resolved " " to 0.0.0.0. Oops.
|
|
|
+ - If DataDir is ~/.tor, and that expands to /.tor, then default to
|
|
|
+ LOCALSTATEDIR/tor instead.
|
|
|
+ - Implement --verify-config command-line option to check if your torrc
|
|
|
+ is valid without actually launching Tor.
|
|
|
+
|
|
|
+ o Logging improvements:
|
|
|
+ - When dirservers refuse a server descriptor, we now log its
|
|
|
+ contactinfo, platform, and the poster's IP address.
|
|
|
+ - Only warn once per nickname from add_nickname_list_to_smartlist()
|
|
|
+ per failure, so an entrynode or exitnode choice that's down won't
|
|
|
+ yell so much.
|
|
|
+ - When we're connecting to an OR and he's got a different nickname/key
|
|
|
+ than we were expecting, only complain loudly if we're an OP or a
|
|
|
+ dirserver. Complaining loudly to the OR admins just confuses them.
|
|
|
+ - Whine at you if you're a server and you don't set your contactinfo.
|
|
|
+ - Warn when exit policy implicitly allows local addresses.
|
|
|
+ - Give a better warning when some other server advertises an
|
|
|
+ ORPort that is actually an apache running ssl.
|
|
|
+ - If we get an incredibly skewed timestamp from a dirserver mirror
|
|
|
+ that isn't a verified OR, don't warn -- it's probably him that's
|
|
|
+ wrong.
|
|
|
+ - When a dirserver causes you to give a warn, mention which dirserver
|
|
|
+ it was.
|
|
|
+ - Initialize libevent later in the startup process, so the logs are
|
|
|
+ already established by the time we start logging libevent warns.
|
|
|
+ - Use correct errno on win32 if libevent fails.
|
|
|
+ - Check and warn about known-bad/slow libevent versions.
|
|
|
+ - Stop warning about sigpipes in the logs. We're going to
|
|
|
+ pretend that getting these occassionally is normal and fine.
|
|
|
+
|
|
|
+ o New contrib scripts:
|
|
|
+ - New experimental script tor/contrib/exitlist: a simple python
|
|
|
+ script to parse directories and find Tor nodes that exit to listed
|
|
|
+ addresses/ports.
|
|
|
+ - New experimental script tor/contrib/ExerciseServer.py (needs more
|
|
|
+ work) that uses the controller interface to build circuits and
|
|
|
+ fetch pages over them. This will help us bootstrap servers that
|
|
|
+ have lots of capacity but haven't noticed it yet.
|
|
|
+ - New experimental script tor/contrib/PathDemo.py (needs more work)
|
|
|
+ that uses the controller interface to let you choose whole paths
|
|
|
+ via addresses like
|
|
|
+ "<hostname>.<path,separated by dots>.<length of path>.path"
|
|
|
+ - New contributed script "privoxy-tor-toggle" to toggle whether
|
|
|
+ Privoxy uses Tor. Seems to be configured for Debian by default.
|
|
|
+ - Have torctl.in/tor.sh.in check for location of su binary (needed
|
|
|
+ on FreeBSD)
|
|
|
+
|
|
|
+ o Misc bugfixes:
|
|
|
+ - chdir() to your datadirectory at the *end* of the daemonize process,
|
|
|
+ not the beginning. This was a problem because the first time you
|
|
|
+ run tor, if your datadir isn't there, and you have runasdaemon set
|
|
|
+ to 1, it will try to chdir to it before it tries to create it. Oops.
|
|
|
+ - Fix several double-mark-for-close bugs, e.g. where we were finding
|
|
|
+ a conn for a cell even if that conn is already marked for close.
|
|
|
+ - Stop most cases of hanging up on a socks connection without sending
|
|
|
+ the socks reject.
|
|
|
+ - Fix a bug in the RPM package: set home directory for _tor to
|
|
|
+ something more reasonable when first installing.
|
|
|
+ - Stop putting nodename in the Platform string in server descriptors.
|
|
|
+ It doesn't actually help, and it is confusing/upsetting some people.
|
|
|
+ - When using preferred entry or exit nodes, ignore whether the
|
|
|
+ circuit wants uptime or capacity. They asked for the nodes, they
|
|
|
+ get the nodes.
|
|
|
+ - Tie MAX_DIR_SIZE to MAX_BUF_SIZE, so now directory sizes won't get
|
|
|
+ artificially capped at 500kB.
|
|
|
+ - Cache local dns resolves correctly even when they're .exit
|
|
|
+ addresses.
|
|
|
+ - If we're hibernating and we get a SIGINT, exit immediately.
|
|
|
+ - tor-resolve requests were ignoring .exit if there was a working circuit
|
|
|
+ they could use instead.
|
|
|
+ - Pay more attention to the ClientOnly config option.
|
|
|
+ - Resolve OS X installer bugs: stop claiming to be 0.0.9.2 in certain
|
|
|
+ installer screens; and don't put stuff into StartupItems unless
|
|
|
+ the user asks you to.
|
|
|
+
|
|
|
+ o Misc features:
|
|
|
+ - Rewrite address "serifos.exit" to "externalIP.serifos.exit"
|
|
|
+ rather than just rejecting it.
|
|
|
+ - If our clock jumps forward by 100 seconds or more, assume something
|
|
|
+ has gone wrong with our network and abandon all not-yet-used circs.
|
|
|
+ - When an application is using socks5, give him the whole variety of
|
|
|
+ potential socks5 responses (connect refused, host unreachable, etc),
|
|
|
+ rather than just "success" or "failure".
|
|
|
+ - A more sane version numbering system. See
|
|
|
+ http://tor.eff.org/cvs/tor/doc/version-spec.txt for details.
|
|
|
+ - Change version parsing logic: a version is "obsolete" if it is not
|
|
|
+ recommended and (1) there is a newer recommended version in the
|
|
|
+ same series, or (2) there are no recommended versions in the same
|
|
|
+ series, but there are some recommended versions in a newer series.
|
|
|
+ A version is "new" if it is newer than any recommended version in
|
|
|
+ the same series.
|
|
|
+ - Report HTTP reasons to client when getting a response from directory
|
|
|
+ servers -- so you can actually know what went wrong.
|
|
|
+ - Reject odd-looking addresses at the client (e.g. addresses that
|
|
|
+ contain a colon), rather than having the server drop them because
|
|
|
+ they're malformed.
|
|
|
+ - Stop publishing socksport in the directory, since it's not
|
|
|
+ actually meant to be public. For compatibility, publish a 0 there
|
|
|
+ for now.
|
|
|
+ - Since we ship our own Privoxy on OS X, tweak it so it doesn't write
|
|
|
+ cookies to disk and doesn't log each web request to disk. (Thanks
|
|
|
+ to Brett Carrington for pointing this out.)
|
|
|
+ - Add OSX uninstall instructions. An actual uninstall script will
|
|
|
+ come later.
|
|
|
+ - Add "opt hibernating 1" to server descriptor to make it clearer
|
|
|
+ whether the server is hibernating.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.9.10 - 2005-06-16
|
|
|
+ o Bugfixes on 0.0.9.x (backported from 0.1.0.10):
|
|
|
+ - Refuse relay cells that claim to have a length larger than the
|
|
|
+ maximum allowed. This prevents a potential attack that could read
|
|
|
+ arbitrary memory (e.g. keys) from an exit server's process
|
|
|
+ (CVE-2005-2050).
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.9.9 - 2005-04-23
|
|
|
+ o Bugfixes on 0.0.9.x:
|
|
|
+ - If unofficial Tor clients connect and send weird TLS certs, our
|
|
|
+ Tor server triggers an assert. This release contains a minimal
|
|
|
+ backport from the broader fix that we put into 0.1.0.4-rc.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.9.8 - 2005-04-07
|
|
|
+ o Bugfixes on 0.0.9.x:
|
|
|
+ - We have a bug that I haven't found yet. Sometimes, very rarely,
|
|
|
+ cpuworkers get stuck in the 'busy' state, even though the cpuworker
|
|
|
+ thinks of itself as idle. This meant that no new circuits ever got
|
|
|
+ established. Here's a workaround to kill any cpuworker that's been
|
|
|
+ busy for more than 100 seconds.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.9.7 - 2005-04-01
|
|
|
+ o Bugfixes on 0.0.9.x:
|
|
|
+ - Fix another race crash bug (thanks to Glenn Fink for reporting).
|
|
|
+ - Compare identity to identity, not to nickname, when extending to
|
|
|
+ a router not already in the directory. This was preventing us from
|
|
|
+ extending to unknown routers. Oops.
|
|
|
+ - Make sure to create OS X Tor user in <500 range, so we aren't
|
|
|
+ creating actual system users.
|
|
|
+ - Note where connection-that-hasn't-sent-end was marked, and fix
|
|
|
+ a few really loud instances of this harmless bug (it's fixed more
|
|
|
+ in 0.1.0.x).
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.9.6 - 2005-03-24
|
|
|
+ o Bugfixes on 0.0.9.x (crashes and asserts):
|
|
|
+ - Add new end stream reasons to maintainance branch. Fix bug where
|
|
|
+ reason (8) could trigger an assert. Prevent bug from recurring.
|
|
|
+ - Apparently win32 stat wants paths to not end with a slash.
|
|
|
+ - Fix assert triggers in assert_cpath_layer_ok(), where we were
|
|
|
+ blowing away the circuit that conn->cpath_layer points to, then
|
|
|
+ checking to see if the circ is well-formed. Backport check to make
|
|
|
+ sure we dont use the cpath on a closed connection.
|
|
|
+ - Prevent circuit_resume_edge_reading_helper() from trying to package
|
|
|
+ inbufs for marked-for-close streams.
|
|
|
+ - Don't crash on hup if your options->address has become unresolvable.
|
|
|
+ - Some systems (like OS X) sometimes accept() a connection and tell
|
|
|
+ you the remote host is 0.0.0.0:0. If this happens, due to some
|
|
|
+ other mis-features, we get confused; so refuse the conn for now.
|
|
|
+
|
|
|
+ o Bugfixes on 0.0.9.x (other):
|
|
|
+ - Fix harmless but scary "Unrecognized content encoding" warn message.
|
|
|
+ - Add new stream error reason: TORPROTOCOL reason means "you are not
|
|
|
+ speaking a version of Tor I understand; say bye-bye to your stream."
|
|
|
+ - Be willing to cache directories from up to ROUTER_MAX_AGE seconds
|
|
|
+ into the future, now that we are more tolerant of skew. This
|
|
|
+ resolves a bug where a Tor server would refuse to cache a directory
|
|
|
+ because all the directories it gets are too far in the future;
|
|
|
+ yet the Tor server never logs any complaints about clock skew.
|
|
|
+ - Mac packaging magic: make man pages useable, and do not overwrite
|
|
|
+ existing torrc files.
|
|
|
+ - Make OS X log happily to /var/log/tor/tor.log
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.9.5 - 2005-02-22
|
|
|
+ o Bugfixes on 0.0.9.x:
|
|
|
+ - Fix an assert race at exit nodes when resolve requests fail.
|
|
|
+ - Stop picking unverified dir mirrors--it only leads to misery.
|
|
|
+ - Patch from Matt Edman to make NT services work better. Service
|
|
|
+ support is still not compiled into the executable by default.
|
|
|
+ - Patch from Dmitri Bely so the Tor service runs better under
|
|
|
+ the win32 SYSTEM account.
|
|
|
+ - Make tor-resolve actually work (?) on Win32.
|
|
|
+ - Fix a sign bug when getrlimit claims to have 4+ billion
|
|
|
+ file descriptors available.
|
|
|
+ - Stop refusing to start when bandwidthburst == bandwidthrate.
|
|
|
+ - When create cells have been on the onion queue more than five
|
|
|
+ seconds, just send back a destroy and take them off the list.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.9.4 - 2005-02-03
|
|
|
+ o Bugfixes on 0.0.9:
|
|
|
+ - Fix an assert bug that took down most of our servers: when
|
|
|
+ a server claims to have 1 GB of bandwidthburst, don't
|
|
|
+ freak out.
|
|
|
+ - Don't crash as badly if we have spawned the max allowed number
|
|
|
+ of dnsworkers, or we're out of file descriptors.
|
|
|
+ - Block more file-sharing ports in the default exit policy.
|
|
|
+ - MaxConn is now automatically set to the hard limit of max
|
|
|
+ file descriptors we're allowed (ulimit -n), minus a few for
|
|
|
+ logs, etc.
|
|
|
+ - Give a clearer message when servers need to raise their
|
|
|
+ ulimit -n when they start running out of file descriptors.
|
|
|
+ - SGI Compatibility patches from Jan Schaumann.
|
|
|
+ - Tolerate a corrupt cached directory better.
|
|
|
+ - When a dirserver hasn't approved your server, list which one.
|
|
|
+ - Go into soft hibernation after 95% of the bandwidth is used,
|
|
|
+ not 99%. This is especially important for daily hibernators who
|
|
|
+ have a small accounting max. Hopefully it will result in fewer
|
|
|
+ cut connections when the hard hibernation starts.
|
|
|
+ - Load-balance better when using servers that claim more than
|
|
|
+ 800kB/s of capacity.
|
|
|
+ - Make NT services work (experimental, only used if compiled in).
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.9.3 - 2005-01-21
|
|
|
+ o Bugfixes on 0.0.9:
|
|
|
+ - Backport the cpu use fixes from main branch, so busy servers won't
|
|
|
+ need as much processor time.
|
|
|
+ - Work better when we go offline and then come back, or when we
|
|
|
+ run Tor at boot before the network is up. We do this by
|
|
|
+ optimistically trying to fetch a new directory whenever an
|
|
|
+ application request comes in and we think we're offline -- the
|
|
|
+ human is hopefully a good measure of when the network is back.
|
|
|
+ - Backport some minimal hidserv bugfixes: keep rend circuits open as
|
|
|
+ long as you keep using them; actually publish hidserv descriptors
|
|
|
+ shortly after they change, rather than waiting 20-40 minutes.
|
|
|
+ - Enable Mac startup script by default.
|
|
|
+ - Fix duplicate dns_cancel_pending_resolve reported by Giorgos Pallas.
|
|
|
+ - When you update AllowUnverifiedNodes or FirewallPorts via the
|
|
|
+ controller's setconf feature, we were always appending, never
|
|
|
+ resetting.
|
|
|
+ - When you update HiddenServiceDir via setconf, it was screwing up
|
|
|
+ the order of reading the lines, making it fail.
|
|
|
+ - Do not rewrite a cached directory back to the cache; otherwise we
|
|
|
+ will think it is recent and not fetch a newer one on startup.
|
|
|
+ - Workaround for webservers that lie about Content-Encoding: Tor
|
|
|
+ now tries to autodetect compressed directories and compression
|
|
|
+ itself. This lets us Proxypass dir fetches through apache.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.9.2 - 2005-01-04
|
|
|
+ o Bugfixes on 0.0.9 (crashes and asserts):
|
|
|
+ - Fix an assert on startup when the disk is full and you're logging
|
|
|
+ to a file.
|
|
|
+ - If you do socks4 with an IP of 0.0.0.x but *don't* provide a socks4a
|
|
|
+ style address, then we'd crash.
|
|
|
+ - Fix an assert trigger when the running-routers string we get from
|
|
|
+ a dirserver is broken.
|
|
|
+ - Make worker threads start and run on win32. Now win32 servers
|
|
|
+ may work better.
|
|
|
+ - Bandaid (not actually fix, but now it doesn't crash) an assert
|
|
|
+ where the dns worker dies mysteriously and the main Tor process
|
|
|
+ doesn't remember anything about the address it was resolving.
|
|
|
+
|
|
|
+ o Bugfixes on 0.0.9 (Win32):
|
|
|
+ - Workaround for brain-damaged __FILE__ handling on MSVC: keep Nick's
|
|
|
+ name out of the warning/assert messages.
|
|
|
+ - Fix a superficial "unhandled error on read" bug on win32.
|
|
|
+ - The win32 installer no longer requires a click-through for our
|
|
|
+ license, since our Free Software license grants rights but does not
|
|
|
+ take any away.
|
|
|
+ - Win32: When connecting to a dirserver fails, try another one
|
|
|
+ immediately. (This was already working for non-win32 Tors.)
|
|
|
+ - Stop trying to parse $HOME on win32 when hunting for default
|
|
|
+ DataDirectory.
|
|
|
+ - Make tor-resolve.c work on win32 by calling network_init().
|
|
|
+
|
|
|
+ o Bugfixes on 0.0.9 (other):
|
|
|
+ - Make 0.0.9.x build on Solaris again.
|
|
|
+ - Due to a fencepost error, we were blowing away the \n when reporting
|
|
|
+ confvalue items in the controller. So asking for multiple config
|
|
|
+ values at once couldn't work.
|
|
|
+ - When listing circuits that are pending on an opening OR connection,
|
|
|
+ if we're an OR we were listing circuits that *end* at us as
|
|
|
+ being pending on every listener, dns/cpu worker, etc. Stop that.
|
|
|
+ - Dirservers were failing to create 'running-routers' or 'directory'
|
|
|
+ strings if we had more than some threshold of routers. Fix them so
|
|
|
+ they can handle any number of routers.
|
|
|
+ - Fix a superficial "Duplicate mark for close" bug.
|
|
|
+ - Stop checking for clock skew for OR connections, even for servers.
|
|
|
+ - Fix a fencepost error that was chopping off the last letter of any
|
|
|
+ nickname that is the maximum allowed nickname length.
|
|
|
+ - Update URLs in log messages so they point to the new website.
|
|
|
+ - Fix a potential problem in mangling server private keys while
|
|
|
+ writing to disk (not triggered yet, as far as we know).
|
|
|
+ - Include the licenses for other free software we include in Tor,
|
|
|
+ now that we're shipping binary distributions more regularly.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.9.1 - 2004-12-15
|
|
|
+ o Bugfixes on 0.0.9:
|
|
|
+ - Make hibernation actually work.
|
|
|
+ - Make HashedControlPassword config option work.
|
|
|
+ - When we're reporting event circuit status to a controller,
|
|
|
+ don't use the stream status code.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.9 - 2004-12-12
|
|
|
+ o Bugfixes on 0.0.8.1 (Crashes and asserts):
|
|
|
+ - Catch and ignore SIGXFSZ signals when log files exceed 2GB; our
|
|
|
+ write() call will fail and we handle it there.
|
|
|
+ - When we run out of disk space, or other log writing error, don't
|
|
|
+ crash. Just stop logging to that log and continue.
|
|
|
+ - Fix isspace() and friends so they still make Solaris happy
|
|
|
+ but also so they don't trigger asserts on win32.
|
|
|
+ - Fix assert failure on malformed socks4a requests.
|
|
|
+ - Fix an assert bug where a hidden service provider would fail if
|
|
|
+ the first hop of his rendezvous circuit was down.
|
|
|
+ - Better handling of size_t vs int, so we're more robust on 64
|
|
|
+ bit platforms.
|
|
|
+
|
|
|
+ o Bugfixes on 0.0.8.1 (Win32):
|
|
|
+ - Make windows sockets actually non-blocking (oops), and handle
|
|
|
+ win32 socket errors better.
|
|
|
+ - Fix parse_iso_time on platforms without strptime (eg win32).
|
|
|
+ - win32: when being multithreaded, leave parent fdarray open.
|
|
|
+ - Better handling of winsock includes on non-MSV win32 compilers.
|
|
|
+ - Change our file IO stuff (especially wrt OpenSSL) so win32 is
|
|
|
+ happier.
|
|
|
+ - Make unit tests work on win32.
|
|
|
+
|
|
|
+ o Bugfixes on 0.0.8.1 (Path selection and streams):
|
|
|
+ - Calculate timeout for waiting for a connected cell from the time
|
|
|
+ we sent the begin cell, not from the time the stream started. If
|
|
|
+ it took a long time to establish the circuit, we would time out
|
|
|
+ right after sending the begin cell.
|
|
|
+ - Fix router_compare_addr_to_addr_policy: it was not treating a port
|
|
|
+ of * as always matching, so we were picking reject *:* nodes as
|
|
|
+ exit nodes too. Oops.
|
|
|
+ - When read() failed on a stream, we would close it without sending
|
|
|
+ back an end. So 'connection refused' would simply be ignored and
|
|
|
+ the user would get no response.
|
|
|
+ - Stop a sigpipe: when an 'end' cell races with eof from the app,
|
|
|
+ we shouldn't hold-open-until-flush if the eof arrived first.
|
|
|
+ - Let resolve conns retry/expire also, rather than sticking around
|
|
|
+ forever.
|
|
|
+ - Fix more dns related bugs: send back resolve_failed and end cells
|
|
|
+ more reliably when the resolve fails, rather than closing the
|
|
|
+ circuit and then trying to send the cell. Also attach dummy resolve
|
|
|
+ connections to a circuit *before* calling dns_resolve(), to fix
|
|
|
+ a bug where cached answers would never be sent in RESOLVED cells.
|
|
|
+
|
|
|
+ o Bugfixes on 0.0.8.1 (Circuits):
|
|
|
+ - Finally fix a bug that's been plaguing us for a year:
|
|
|
+ With high load, circuit package window was reaching 0. Whenever
|
|
|
+ we got a circuit-level sendme, we were reading a lot on each
|
|
|
+ socket, but only writing out a bit. So we would eventually reach
|
|
|
+ eof. This would be noticed and acted on even when there were still
|
|
|
+ bytes sitting in the inbuf.
|
|
|
+ - Use identity comparison, not nickname comparison, to choose which
|
|
|
+ half of circuit-ID-space each side gets to use. This is needed
|
|
|
+ because sometimes we think of a router as a nickname, and sometimes
|
|
|
+ as a hex ID, and we can't predict what the other side will do.
|
|
|
+
|
|
|
+ o Bugfixes on 0.0.8.1 (Other):
|
|
|
+ - Fix a whole slew of memory leaks.
|
|
|
+ - Disallow NDEBUG. We don't ever want anybody to turn off debug.
|
|
|
+ - If we are using select, make sure we stay within FD_SETSIZE.
|
|
|
+ - When poll() is interrupted, we shouldn't believe the revents values.
|
|
|
+ - Add a FAST_SMARTLIST define to optionally inline smartlist_get
|
|
|
+ and smartlist_len, which are two major profiling offenders.
|
|
|
+ - If do_hup fails, actually notice.
|
|
|
+ - Flush the log file descriptor after we print "Tor opening log file",
|
|
|
+ so we don't see those messages days later.
|
|
|
+ - Hidden service operators now correctly handle version 1 style
|
|
|
+ INTRODUCE1 cells (nobody generates them still, so not a critical
|
|
|
+ bug).
|
|
|
+ - Handle more errnos from accept() without closing the listener.
|
|
|
+ Some OpenBSD machines were closing their listeners because
|
|
|
+ they ran out of file descriptors.
|
|
|
+ - Some people had wrapped their tor client/server in a script
|
|
|
+ that would restart it whenever it died. This did not play well
|
|
|
+ with our "shut down if your version is obsolete" code. Now people
|
|
|
+ don't fetch a new directory if their local cached version is
|
|
|
+ recent enough.
|
|
|
+ - Make our autogen.sh work on ksh as well as bash.
|
|
|
+ - Better torrc example lines for dirbindaddress and orbindaddress.
|
|
|
+ - Improved bounds checking on parsed ints (e.g. config options and
|
|
|
+ the ones we find in directories.)
|
|
|
+ - Stop using separate defaults for no-config-file and
|
|
|
+ empty-config-file. Now you have to explicitly turn off SocksPort,
|
|
|
+ if you don't want it open.
|
|
|
+ - We were starting to daemonize before we opened our logs, so if
|
|
|
+ there were any problems opening logs, we would complain to stderr,
|
|
|
+ which wouldn't work, and then mysteriously exit.
|
|
|
+ - If a verified OR connects to us before he's uploaded his descriptor,
|
|
|
+ or we verify him and hup but he still has the original TLS
|
|
|
+ connection, then conn->nickname is still set like he's unverified.
|
|
|
+
|
|
|
+ o Code security improvements, inspired by Ilja:
|
|
|
+ - tor_snprintf wrapper over snprintf with consistent (though not C99)
|
|
|
+ overflow behavior.
|
|
|
+ - Replace sprintf with tor_snprintf. (I think they were all safe, but
|
|
|
+ hey.)
|
|
|
+ - Replace strcpy/strncpy with strlcpy in more places.
|
|
|
+ - Avoid strcat; use tor_snprintf or strlcat instead.
|
|
|
+
|
|
|
+ o Features (circuits and streams):
|
|
|
+ - New circuit building strategy: keep a list of ports that we've
|
|
|
+ used in the past 6 hours, and always try to have 2 circuits open
|
|
|
+ or on the way that will handle each such port. Seed us with port
|
|
|
+ 80 so web users won't complain that Tor is "slow to start up".
|
|
|
+ - Make kill -USR1 dump more useful stats about circuits.
|
|
|
+ - When warning about retrying or giving up, print the address, so
|
|
|
+ the user knows which one it's talking about.
|
|
|
+ - If you haven't used a clean circuit in an hour, throw it away,
|
|
|
+ just to be on the safe side. (This means after 6 hours a totally
|
|
|
+ unused Tor client will have no circuits open.)
|
|
|
+ - Support "foo.nickname.exit" addresses, to let Alice request the
|
|
|
+ address "foo" as viewed by exit node "nickname". Based on a patch
|
|
|
+ from Geoff Goodell.
|
|
|
+ - If your requested entry or exit node has advertised bandwidth 0,
|
|
|
+ pick it anyway.
|
|
|
+ - Be more greedy about filling up relay cells -- we try reading again
|
|
|
+ once we've processed the stuff we read, in case enough has arrived
|
|
|
+ to fill the last cell completely.
|
|
|
+ - Refuse application socks connections to port 0.
|
|
|
+ - Use only 0.0.9pre1 and later servers for resolve cells.
|
|
|
+
|
|
|
+ o Features (bandwidth):
|
|
|
+ - Hibernation: New config option "AccountingMax" lets you
|
|
|
+ set how many bytes per month (in each direction) you want to
|
|
|
+ allow your server to consume. Rather than spreading those
|
|
|
+ bytes out evenly over the month, we instead hibernate for some
|
|
|
+ of the month and pop up at a deterministic time, work until
|
|
|
+ the bytes are consumed, then hibernate again. Config option
|
|
|
+ "MonthlyAccountingStart" lets you specify which day of the month
|
|
|
+ your billing cycle starts on.
|
|
|
+ - Implement weekly/monthly/daily accounting: now you specify your
|
|
|
+ hibernation properties by
|
|
|
+ AccountingMax N bytes|KB|MB|GB|TB
|
|
|
+ AccountingStart day|week|month [day] HH:MM
|
|
|
+ Defaults to "month 1 0:00".
|
|
|
+ - Let bandwidth and interval config options be specified as 5 bytes,
|
|
|
+ kb, kilobytes, etc; and as seconds, minutes, hours, days, weeks.
|
|
|
+
|
|
|
+ o Features (directories):
|
|
|
+ - New "router-status" line in directory, to better bind each verified
|
|
|
+ nickname to its identity key.
|
|
|
+ - Clients can ask dirservers for /dir.z to get a compressed version
|
|
|
+ of the directory. Only works for servers running 0.0.9, of course.
|
|
|
+ - Make clients cache directories and use them to seed their router
|
|
|
+ lists at startup. This means clients have a datadir again.
|
|
|
+ - Respond to content-encoding headers by trying to uncompress as
|
|
|
+ appropriate.
|
|
|
+ - Clients and servers now fetch running-routers; cache
|
|
|
+ running-routers; compress running-routers; serve compressed
|
|
|
+ running-routers.z
|
|
|
+ - Make moria2 advertise a dirport of 80, so people behind firewalls
|
|
|
+ will be able to get a directory.
|
|
|
+ - Http proxy support
|
|
|
+ - Dirservers translate requests for http://%s:%d/x to /x
|
|
|
+ - You can specify "HttpProxy %s[:%d]" and all dir fetches will
|
|
|
+ be routed through this host.
|
|
|
+ - Clients ask for /tor/x rather than /x for new enough dirservers.
|
|
|
+ This way we can one day coexist peacefully with apache.
|
|
|
+ - Clients specify a "Host: %s%d" http header, to be compatible
|
|
|
+ with more proxies, and so running squid on an exit node can work.
|
|
|
+ - Protect dirservers from overzealous descriptor uploading -- wait
|
|
|
+ 10 seconds after directory gets dirty, before regenerating.
|
|
|
+
|
|
|
+ o Features (packages and install):
|
|
|
+ - Add NSI installer contributed by J Doe.
|
|
|
+ - Apply NT service patch from Osamu Fujino. Still needs more work.
|
|
|
+ - Commit VC6 and VC7 workspace/project files.
|
|
|
+ - Commit a tor.spec for making RPM files, with help from jbash.
|
|
|
+ - Add contrib/torctl.in contributed by Glenn Fink.
|
|
|
+ - Make expand_filename handle ~ and ~username.
|
|
|
+ - Use autoconf to enable largefile support where necessary. Use
|
|
|
+ ftello where available, since ftell can fail at 2GB.
|
|
|
+ - Ship src/win32/ in the tarball, so people can use it to build.
|
|
|
+ - Make old win32 fall back to CWD if SHGetSpecialFolderLocation
|
|
|
+ is broken.
|
|
|
+
|
|
|
+ o Features (ui controller):
|
|
|
+ - Control interface: a separate program can now talk to your
|
|
|
+ client/server over a socket, and get/set config options, receive
|
|
|
+ notifications of circuits and streams starting/finishing/dying,
|
|
|
+ bandwidth used, etc. The next step is to get some GUIs working.
|
|
|
+ Let us know if you want to help out. See doc/control-spec.txt .
|
|
|
+ - Ship a contrib/tor-control.py as an example script to interact
|
|
|
+ with the control port.
|
|
|
+ - "tor --hash-password zzyxz" will output a salted password for
|
|
|
+ use in authenticating to the control interface.
|
|
|
+ - Implement the control-spec's SAVECONF command, to write your
|
|
|
+ configuration to torrc.
|
|
|
+ - Get cookie authentication for the controller closer to working.
|
|
|
+ - When set_conf changes our server descriptor, upload a new copy.
|
|
|
+ But don't upload it too often if there are frequent changes.
|
|
|
+
|
|
|
+ o Features (config and command-line):
|
|
|
+ - Deprecate unofficial config option abbreviations, and abbreviations
|
|
|
+ not on the command line.
|
|
|
+ - Configuration infrastructure support for warning on obsolete
|
|
|
+ options.
|
|
|
+ - Give a slightly more useful output for "tor -h".
|
|
|
+ - Break DirFetchPostPeriod into:
|
|
|
+ - DirFetchPeriod for fetching full directory,
|
|
|
+ - StatusFetchPeriod for fetching running-routers,
|
|
|
+ - DirPostPeriod for posting server descriptor,
|
|
|
+ - RendPostPeriod for posting hidden service descriptors.
|
|
|
+ - New log format in config:
|
|
|
+ "Log minsev[-maxsev] stdout|stderr|syslog" or
|
|
|
+ "Log minsev[-maxsev] file /var/foo"
|
|
|
+ - DirPolicy config option, to let people reject incoming addresses
|
|
|
+ from their dirserver.
|
|
|
+ - "tor --list-fingerprint" will list your identity key fingerprint
|
|
|
+ and then exit.
|
|
|
+ - Make tor --version --version dump the cvs Id of every file.
|
|
|
+ - New 'MyFamily nick1,...' config option for a server to
|
|
|
+ specify other servers that shouldn't be used in the same circuit
|
|
|
+ with it. Only believed if nick1 also specifies us.
|
|
|
+ - New 'NodeFamily nick1,nick2,...' config option for a client to
|
|
|
+ specify nodes that it doesn't want to use in the same circuit.
|
|
|
+ - New 'Redirectexit pattern address:port' config option for a
|
|
|
+ server to redirect exit connections, e.g. to a local squid.
|
|
|
+ - Add "pass" target for RedirectExit, to make it easier to break
|
|
|
+ out of a sequence of RedirectExit rules.
|
|
|
+ - Make the dirservers file obsolete.
|
|
|
+ - Include a dir-signing-key token in directories to tell the
|
|
|
+ parsing entity which key is being used to sign.
|
|
|
+ - Remove the built-in bulky default dirservers string.
|
|
|
+ - New config option "Dirserver %s:%d [fingerprint]", which can be
|
|
|
+ repeated as many times as needed. If no dirservers specified,
|
|
|
+ default to moria1,moria2,tor26.
|
|
|
+ - Make 'Routerfile' config option obsolete.
|
|
|
+ - Discourage people from setting their dirfetchpostperiod more often
|
|
|
+ than once per minute.
|
|
|
+
|
|
|
+ o Features (other):
|
|
|
+ - kill -USR2 now moves all logs to loglevel debug (kill -HUP to
|
|
|
+ get back to normal.)
|
|
|
+ - Accept *:706 (silc) in default exit policy.
|
|
|
+ - Implement new versioning format for post 0.1.
|
|
|
+ - Distinguish between TOR_TLS_CLOSE and TOR_TLS_ERROR, so we can
|
|
|
+ log more informatively.
|
|
|
+ - Check clock skew for verified servers, but allow unverified
|
|
|
+ servers and clients to have any clock skew.
|
|
|
+ - Make sure the hidden service descriptors are at a random offset
|
|
|
+ from each other, to hinder linkability.
|
|
|
+ - Clients now generate a TLS cert too, in preparation for having
|
|
|
+ them act more like real nodes.
|
|
|
+ - Add a pure-C tor-resolve implementation.
|
|
|
+ - Use getrlimit and friends to ensure we can reach MaxConn (currently
|
|
|
+ 1024) file descriptors.
|
|
|
+ - Raise the max dns workers from 50 to 100.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.8.1 - 2004-10-13
|
|
|
+ o Bugfixes:
|
|
|
+ - Fix a seg fault that can be triggered remotely for Tor
|
|
|
+ clients/servers with an open dirport.
|
|
|
+ - Fix a rare assert trigger, where routerinfos for entries in
|
|
|
+ our cpath would expire while we're building the path.
|
|
|
+ - Fix a bug in OutboundBindAddress so it (hopefully) works.
|
|
|
+ - Fix a rare seg fault for people running hidden services on
|
|
|
+ intermittent connections.
|
|
|
+ - Fix a bug in parsing opt keywords with objects.
|
|
|
+ - Fix a stale pointer assert bug when a stream detaches and
|
|
|
+ reattaches.
|
|
|
+ - Fix a string format vulnerability (probably not exploitable)
|
|
|
+ in reporting stats locally.
|
|
|
+ - Fix an assert trigger: sometimes launching circuits can fail
|
|
|
+ immediately, e.g. because too many circuits have failed recently.
|
|
|
+ - Fix a compile warning on 64 bit platforms.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.8 - 2004-08-25
|
|
|
+ o Bugfixes:
|
|
|
+ - Made our unit tests compile again on OpenBSD 3.5, and tor
|
|
|
+ itself compile again on OpenBSD on a sparc64.
|
|
|
+ - We were neglecting milliseconds when logging on win32, so
|
|
|
+ everything appeared to happen at the beginning of each second.
|
|
|
+ - Check directory signature _before_ you decide whether you're
|
|
|
+ you're running an obsolete version and should exit.
|
|
|
+ - Check directory signature _before_ you parse the running-routers
|
|
|
+ list to decide who's running.
|
|
|
+ - Check return value of fclose while writing to disk, so we don't
|
|
|
+ end up with broken files when servers run out of disk space.
|
|
|
+ - Port it to SunOS 5.9 / Athena
|
|
|
+ - Fix two bugs in saving onion keys to disk when rotating, so
|
|
|
+ hopefully we'll get fewer people using old onion keys.
|
|
|
+ - Remove our mostly unused -- and broken -- hex_encode()
|
|
|
+ function. Use base16_encode() instead. (Thanks to Timo Lindfors
|
|
|
+ for pointing out this bug.)
|
|
|
+ - Only pick and establish intro points after we've gotten a
|
|
|
+ directory.
|
|
|
+ - Fix assert triggers: if the other side returns an address 0.0.0.0,
|
|
|
+ don't put it into the client dns cache.
|
|
|
+ - If a begin failed due to exit policy, but we believe the IP
|
|
|
+ address should have been allowed, switch that router to exitpolicy
|
|
|
+ reject *:* until we get our next directory.
|
|
|
+
|
|
|
+ o Protocol changes:
|
|
|
+ - 'Extend' relay cell payloads now include the digest of the
|
|
|
+ intended next hop's identity key. Now we can verify that we're
|
|
|
+ extending to the right router, and also extend to routers we
|
|
|
+ hadn't heard of before.
|
|
|
+
|
|
|
+ o Features:
|
|
|
+ - Tor nodes can now act as relays (with an advertised ORPort)
|
|
|
+ without being manually verified by the dirserver operators.
|
|
|
+ - Uploaded descriptors of unverified routers are now accepted
|
|
|
+ by the dirservers, and included in the directory.
|
|
|
+ - Verified routers are listed by nickname in the running-routers
|
|
|
+ list; unverified routers are listed as "$<fingerprint>".
|
|
|
+ - We now use hash-of-identity-key in most places rather than
|
|
|
+ nickname or addr:port, for improved security/flexibility.
|
|
|
+ - AllowUnverifiedNodes config option to let circuits choose no-name
|
|
|
+ routers in entry,middle,exit,introduction,rendezvous positions.
|
|
|
+ Allow middle and rendezvous positions by default.
|
|
|
+ - When picking unverified routers, skip those with low uptime and/or
|
|
|
+ low bandwidth, depending on what properties you care about.
|
|
|
+ - ClientOnly option for nodes that never want to become servers.
|
|
|
+ - Directory caching.
|
|
|
+ - "AuthoritativeDir 1" option for the official dirservers.
|
|
|
+ - Now other nodes (clients and servers) will cache the latest
|
|
|
+ directory they've pulled down.
|
|
|
+ - They can enable their DirPort to serve it to others.
|
|
|
+ - Clients will pull down a directory from any node with an open
|
|
|
+ DirPort, and check the signature/timestamp correctly.
|
|
|
+ - Authoritative dirservers now fetch directories from other
|
|
|
+ authdirservers, to stay better synced.
|
|
|
+ - Running-routers list tells who's down also, along with noting
|
|
|
+ if they're verified (listed by nickname) or unverified (listed
|
|
|
+ by hash-of-key).
|
|
|
+ - Allow dirservers to serve running-router list separately.
|
|
|
+ This isn't used yet.
|
|
|
+ - You can now fetch $DIRURL/running-routers to get just the
|
|
|
+ running-routers line, not the whole descriptor list. (But
|
|
|
+ clients don't use this yet.)
|
|
|
+ - Clients choose nodes proportional to advertised bandwidth.
|
|
|
+ - Clients avoid using nodes with low uptime as introduction points.
|
|
|
+ - Handle servers with dynamic IP addresses: don't just replace
|
|
|
+ options->Address with the resolved one at startup, and
|
|
|
+ detect our address right before we make a routerinfo each time.
|
|
|
+ - 'FascistFirewall' option to pick dirservers and ORs on specific
|
|
|
+ ports; plus 'FirewallPorts' config option to tell FascistFirewall
|
|
|
+ which ports are open. (Defaults to 80,443)
|
|
|
+ - Try other dirservers immediately if the one you try is down. This
|
|
|
+ should tolerate down dirservers better now.
|
|
|
+ - ORs connect-on-demand to other ORs
|
|
|
+ - If you get an extend cell to an OR you're not connected to,
|
|
|
+ connect, handshake, and forward the create cell.
|
|
|
+ - The authoritative dirservers stay connected to everybody,
|
|
|
+ and everybody stays connected to 0.0.7 servers, but otherwise
|
|
|
+ clients/servers expire unused connections after 5 minutes.
|
|
|
+ - When servers get a sigint, they delay 30 seconds (refusing new
|
|
|
+ connections) then exit. A second sigint causes immediate exit.
|
|
|
+ - File and name management:
|
|
|
+ - Look for .torrc if no CONFDIR "torrc" is found.
|
|
|
+ - If no datadir is defined, then choose, make, and secure ~/.tor
|
|
|
+ as datadir.
|
|
|
+ - If torrc not found, exitpolicy reject *:*.
|
|
|
+ - Expands ~/ in filenames to $HOME/ (but doesn't yet expand ~arma).
|
|
|
+ - If no nickname is defined, derive default from hostname.
|
|
|
+ - Rename secret key files, e.g. identity.key -> secret_id_key,
|
|
|
+ to discourage people from mailing their identity key to tor-ops.
|
|
|
+ - Refuse to build a circuit before the directory has arrived --
|
|
|
+ it won't work anyway, since you won't know the right onion keys
|
|
|
+ to use.
|
|
|
+ - Parse tor version numbers so we can do an is-newer-than check
|
|
|
+ rather than an is-in-the-list check.
|
|
|
+ - New socks command 'resolve', to let us shim gethostbyname()
|
|
|
+ locally.
|
|
|
+ - A 'tor_resolve' script to access the socks resolve functionality.
|
|
|
+ - A new socks-extensions.txt doc file to describe our
|
|
|
+ interpretation and extensions to the socks protocols.
|
|
|
+ - Add a ContactInfo option, which gets published in descriptor.
|
|
|
+ - Write tor version at the top of each log file
|
|
|
+ - New docs in the tarball:
|
|
|
+ - tor-doc.html.
|
|
|
+ - Document that you should proxy your SSL traffic too.
|
|
|
+ - Log a warning if the user uses an unsafe socks variant, so people
|
|
|
+ are more likely to learn about privoxy or socat.
|
|
|
+ - Log a warning if you're running an unverified server, to let you
|
|
|
+ know you might want to get it verified.
|
|
|
+ - Change the default exit policy to reject the default edonkey,
|
|
|
+ kazaa, gnutella ports.
|
|
|
+ - Add replace_file() to util.[ch] to handle win32's rename().
|
|
|
+ - Publish OR uptime in descriptor (and thus in directory) too.
|
|
|
+ - Remember used bandwidth (both in and out), and publish 15-minute
|
|
|
+ snapshots for the past day into our descriptor.
|
|
|
+ - Be more aggressive about trying to make circuits when the network
|
|
|
+ has changed (e.g. when you unsuspend your laptop).
|
|
|
+ - Check for time skew on http headers; report date in response to
|
|
|
+ "GET /".
|
|
|
+ - If the entrynode config line has only one node, don't pick it as
|
|
|
+ an exitnode.
|
|
|
+ - Add strict{entry|exit}nodes config options. If set to 1, then
|
|
|
+ we refuse to build circuits that don't include the specified entry
|
|
|
+ or exit nodes.
|
|
|
+ - OutboundBindAddress config option, to bind to a specific
|
|
|
+ IP address for outgoing connect()s.
|
|
|
+ - End truncated log entries (e.g. directories) with "[truncated]".
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.7.3 - 2004-08-12
|
|
|
+ o Stop dnsworkers from triggering an assert failure when you
|
|
|
+ ask them to resolve the host "".
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.7.2 - 2004-07-07
|
|
|
+ o A better fix for the 0.0.0.0 problem, that will hopefully
|
|
|
+ eliminate the remaining related assertion failures.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.7.1 - 2004-07-04
|
|
|
+ o When an address resolves to 0.0.0.0, treat it as a failed resolve,
|
|
|
+ since internally we use 0.0.0.0 to signify "not yet resolved".
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.7 - 2004-06-07
|
|
|
+ o Fixes for crashes and other obnoxious bugs:
|
|
|
+ - Fix an epipe bug: sometimes when directory connections failed
|
|
|
+ to connect, we would give them a chance to flush before closing
|
|
|
+ them.
|
|
|
+ - When we detached from a circuit because of resolvefailed, we
|
|
|
+ would immediately try the same circuit twice more, and then
|
|
|
+ give up on the resolve thinking we'd tried three different
|
|
|
+ exit nodes.
|
|
|
+ - Limit the number of intro circuits we'll attempt to build for a
|
|
|
+ hidden service per 15-minute period.
|
|
|
+ - Check recommended-software string *early*, before actually parsing
|
|
|
+ the directory. Thus we can detect an obsolete version and exit,
|
|
|
+ even if the new directory format doesn't parse.
|
|
|
+ o Fixes for security bugs:
|
|
|
+ - Remember which nodes are dirservers when you startup, and if a
|
|
|
+ random OR enables his dirport, don't automatically assume he's
|
|
|
+ a trusted dirserver.
|
|
|
+ o Other bugfixes:
|
|
|
+ - Directory connections were asking the wrong poll socket to
|
|
|
+ start writing, and not asking themselves to start writing.
|
|
|
+ - When we detached from a circuit because we sent a begin but
|
|
|
+ didn't get a connected, we would use it again the first time;
|
|
|
+ but after that we would correctly switch to a different one.
|
|
|
+ - Stop warning when the first onion decrypt attempt fails; they
|
|
|
+ will sometimes legitimately fail now that we rotate keys.
|
|
|
+ - Override unaligned-access-ok check when $host_cpu is ia64 or
|
|
|
+ arm. Apparently they allow it but the kernel whines.
|
|
|
+ - Dirservers try to reconnect periodically too, in case connections
|
|
|
+ have failed.
|
|
|
+ - Fix some memory leaks in directory servers.
|
|
|
+ - Allow backslash in Win32 filenames.
|
|
|
+ - Made Tor build complain-free on FreeBSD, hopefully without
|
|
|
+ breaking other BSD builds. We'll see.
|
|
|
+ - Check directory signatures based on name of signer, not on whom
|
|
|
+ we got the directory from. This will let us cache directories more
|
|
|
+ easily.
|
|
|
+ - Rotate dnsworkers and cpuworkers on SIGHUP, so they get new config
|
|
|
+ settings too.
|
|
|
+ o Features:
|
|
|
+ - Doxygen markup on all functions and global variables.
|
|
|
+ - Make directory functions update routerlist, not replace it. So
|
|
|
+ now directory disagreements are not so critical a problem.
|
|
|
+ - Remove the upper limit on number of descriptors in a dirserver's
|
|
|
+ directory (not that we were anywhere close).
|
|
|
+ - Allow multiple logfiles at different severity ranges.
|
|
|
+ - Allow *BindAddress to specify ":port" rather than setting *Port
|
|
|
+ separately. Allow multiple instances of each BindAddress config
|
|
|
+ option, so you can bind to multiple interfaces if you want.
|
|
|
+ - Allow multiple exit policy lines, which are processed in order.
|
|
|
+ Now we don't need that huge line with all the commas in it.
|
|
|
+ - Enable accept/reject policies on SOCKS connections, so you can bind
|
|
|
+ to 0.0.0.0 but still control who can use your OP.
|
|
|
+ - Updated the man page to reflect these features.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.6.2 - 2004-05-16
|
|
|
+ o Our integrity-checking digest was checking only the most recent cell,
|
|
|
+ not the previous cells like we'd thought.
|
|
|
+ Thanks to Stefan Mark for finding the flaw!
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.6.1 - 2004-05-06
|
|
|
+ o Fix two bugs in our AES counter-mode implementation (this affected
|
|
|
+ onion-level stream encryption, but not TLS-level). It turns
|
|
|
+ out we were doing something much more akin to a 16-character
|
|
|
+ polyalphabetic cipher. Oops.
|
|
|
+ Thanks to Stefan Mark for finding the flaw!
|
|
|
+ o Retire moria3 as a directory server, and add tor26 as a directory
|
|
|
+ server.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.6 - 2004-05-02
|
|
|
+ o Features:
|
|
|
+ - Hidden services and rendezvous points are implemented. Go to
|
|
|
+ http://6sxoyfb3h2nvok2d.onion/ for an index of currently available
|
|
|
+ hidden services. (This only works via a socks4a proxy such as
|
|
|
+ Privoxy, and currently it's quite slow.)
|
|
|
+ - We now rotate link (tls context) keys and onion keys.
|
|
|
+ - CREATE cells now include oaep padding, so you can tell
|
|
|
+ if you decrypted them correctly.
|
|
|
+ - Retry stream correctly when we fail to connect because of
|
|
|
+ exit-policy-reject (should try another) or can't-resolve-address.
|
|
|
+ - When we hup a dirserver and we've *removed* a server from the
|
|
|
+ approved-routers list, now we remove that server from the
|
|
|
+ in-memory directories too.
|
|
|
+ - Add bandwidthburst to server descriptor.
|
|
|
+ - Directories now say which dirserver signed them.
|
|
|
+ - Use a tor_assert macro that logs failed assertions too.
|
|
|
+ - Since we don't support truncateds much, don't bother sending them;
|
|
|
+ just close the circ.
|
|
|
+ - Fetch randomness from /dev/urandom better (not via fopen/fread)
|
|
|
+ - Better debugging for tls errors
|
|
|
+ - Set Content-Type on the directory and hidserv descriptor.
|
|
|
+ - Remove IVs from cipher code, since AES-ctr has none.
|
|
|
+ o Bugfixes:
|
|
|
+ - Fix an assert trigger for exit nodes that's been plaguing us since
|
|
|
+ the days of 0.0.2prexx (thanks weasel!)
|
|
|
+ - Fix a bug where we were closing tls connections intermittently.
|
|
|
+ It turns out openssl keeps its errors around -- so if an error
|
|
|
+ happens, and you don't ask about it, and then another openssl
|
|
|
+ operation happens and succeeds, and you ask if there was an error,
|
|
|
+ it tells you about the first error.
|
|
|
+ - Fix a bug that's been lurking since 27 may 03 (!)
|
|
|
+ When passing back a destroy cell, we would use the wrong circ id.
|
|
|
+ - Don't crash if a conn that sent a begin has suddenly lost its circuit.
|
|
|
+ - Some versions of openssl have an SSL_pending function that erroneously
|
|
|
+ returns bytes when there is a non-application record pending.
|
|
|
+ - Win32 fixes. Tor now compiles on win32 with no warnings/errors.
|
|
|
+ o We were using an array of length zero in a few places.
|
|
|
+ o Win32's gethostbyname can't resolve an IP to an IP.
|
|
|
+ o Win32's close can't close a socket.
|
|
|
+ o Handle windows socket errors correctly.
|
|
|
+ o Portability:
|
|
|
+ - check for <sys/limits.h> so we build on FreeBSD again, and
|
|
|
+ <machine/limits.h> for NetBSD.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.5 - 2004-03-30
|
|
|
+ o Install torrc as torrc.sample -- we no longer clobber your
|
|
|
+ torrc. (Woo!)
|
|
|
+ o Fix mangled-state bug in directory fetching (was causing sigpipes).
|
|
|
+ o Only build circuits after we've fetched the directory: clients were
|
|
|
+ using only the directory servers before they'd fetched a directory.
|
|
|
+ This also means longer startup time; so it goes.
|
|
|
+ o Fix an assert trigger where an OP would fail to handshake, and we'd
|
|
|
+ expect it to have a nickname.
|
|
|
+ o Work around a tsocks bug: do a socks reject when AP connection dies
|
|
|
+ early, else tsocks goes into an infinite loop.
|
|
|
+ o Hold socks connection open until reply is flushed (if possible)
|
|
|
+ o Make exit nodes resolve IPs to IPs immediately, rather than asking
|
|
|
+ the dns farm to do it.
|
|
|
+ o Fix c99 aliasing warnings in rephist.c
|
|
|
+ o Don't include server descriptors that are older than 24 hours in the
|
|
|
+ directory.
|
|
|
+ o Give socks 'reject' replies their whole 15s to attempt to flush,
|
|
|
+ rather than seeing the 60s timeout and assuming the flush had failed.
|
|
|
+ o Clean automake droppings from the cvs repository
|
|
|
+ o Add in a 'notice' log level for things the operator should hear
|
|
|
+ but that aren't warnings
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.4 - 2004-03-26
|
|
|
+ o When connecting to a dirserver or OR and the network is down,
|
|
|
+ we would crash.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.3 - 2004-03-26
|
|
|
+ o Warn and fail if server chose a nickname with illegal characters
|
|
|
+ o Port to Solaris and Sparc:
|
|
|
+ - include missing header fcntl.h
|
|
|
+ - have autoconf find -lsocket -lnsl automatically
|
|
|
+ - deal with hardware word alignment
|
|
|
+ - make uname() work (solaris has a different return convention)
|
|
|
+ - switch from using signal() to sigaction()
|
|
|
+ o Preliminary work on reputation system:
|
|
|
+ - Keep statistics on success/fail of connect attempts; they're published
|
|
|
+ by kill -USR1 currently.
|
|
|
+ - Add a RunTesting option to try to learn link state by creating test
|
|
|
+ circuits, even when SocksPort is off.
|
|
|
+ - Remove unused open circuits when there are too many.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.2 - 2004-03-19
|
|
|
+ - Include strlcpy and strlcat for safer string ops
|
|
|
+ - define INADDR_NONE so we compile (but still not run) on solaris
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.2pre27 - 2004-03-14
|
|
|
+ o Bugfixes:
|
|
|
+ - Allow internal tor networks (we were rejecting internal IPs,
|
|
|
+ now we allow them if they're set explicitly).
|
|
|
+ - And fix a few endian issues.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.2pre26 - 2004-03-14
|
|
|
+ o New features:
|
|
|
+ - If a stream times out after 15s without a connected cell, don't
|
|
|
+ try that circuit again: try a new one.
|
|
|
+ - Retry streams at most 4 times. Then give up.
|
|
|
+ - When a dirserver gets a descriptor from an unknown router, it
|
|
|
+ logs its fingerprint (so the dirserver operator can choose to
|
|
|
+ accept it even without mail from the server operator).
|
|
|
+ - Inform unapproved servers when we reject their descriptors.
|
|
|
+ - Make tor build on Windows again. It works as a client, who knows
|
|
|
+ about as a server.
|
|
|
+ - Clearer instructions in the torrc for how to set up a server.
|
|
|
+ - Be more efficient about reading fd's when our global token bucket
|
|
|
+ (used for rate limiting) becomes empty.
|
|
|
+ o Bugfixes:
|
|
|
+ - Stop asserting that computers always go forward in time. It's
|
|
|
+ simply not true.
|
|
|
+ - When we sent a cell (e.g. destroy) and then marked an OR connection
|
|
|
+ expired, we might close it before finishing a flush if the other
|
|
|
+ side isn't reading right then.
|
|
|
+ - Don't allow dirservers to start if they haven't defined
|
|
|
+ RecommendedVersions
|
|
|
+ - We were caching transient dns failures. Oops.
|
|
|
+ - Prevent servers from publishing an internal IP as their address.
|
|
|
+ - Address a strcat vulnerability in circuit.c
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.2pre25 - 2004-03-04
|
|
|
+ o New features:
|
|
|
+ - Put the OR's IP in its router descriptor, not its fqdn. That way
|
|
|
+ we'll stop being stalled by gethostbyname for nodes with flaky dns,
|
|
|
+ e.g. poblano.
|
|
|
+ o Bugfixes:
|
|
|
+ - If the user typed in an address that didn't resolve, the server
|
|
|
+ crashed.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.2pre24 - 2004-03-03
|
|
|
+ o Bugfixes:
|
|
|
+ - Fix an assertion failure in dns.c, where we were trying to dequeue
|
|
|
+ a pending dns resolve even if it wasn't pending
|
|
|
+ - Fix a spurious socks5 warning about still trying to write after the
|
|
|
+ connection is finished.
|
|
|
+ - Hold certain marked_for_close connections open until they're finished
|
|
|
+ flushing, rather than losing bytes by closing them too early.
|
|
|
+ - Correctly report the reason for ending a stream
|
|
|
+ - Remove some duplicate calls to connection_mark_for_close
|
|
|
+ - Put switch_id and start_daemon earlier in the boot sequence, so it
|
|
|
+ will actually try to chdir() to options.DataDirectory
|
|
|
+ - Make 'make test' exit(1) if a test fails; fix some unit tests
|
|
|
+ - Make tor fail when you use a config option it doesn't know about,
|
|
|
+ rather than warn and continue.
|
|
|
+ - Make --version work
|
|
|
+ - Bugfixes on the rpm spec file and tor.sh, so it's more up to date
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.2pre23 - 2004-02-29
|
|
|
+ o New features:
|
|
|
+ - Print a statement when the first circ is finished, so the user
|
|
|
+ knows it's working.
|
|
|
+ - If a relay cell is unrecognized at the end of the circuit,
|
|
|
+ send back a destroy. (So attacks to mutate cells are more
|
|
|
+ clearly thwarted.)
|
|
|
+ - New config option 'excludenodes' to avoid certain nodes for circuits.
|
|
|
+ - When it daemonizes, it chdir's to the DataDirectory rather than "/",
|
|
|
+ so you can collect coredumps there.
|
|
|
+ o Bugfixes:
|
|
|
+ - Fix a bug in tls flushing where sometimes data got wedged and
|
|
|
+ didn't flush until more data got sent. Hopefully this bug was
|
|
|
+ a big factor in the random delays we were seeing.
|
|
|
+ - Make 'connected' cells include the resolved IP, so the client
|
|
|
+ dns cache actually gets populated.
|
|
|
+ - Disallow changing from ORPort=0 to ORPort>0 on hup.
|
|
|
+ - When we time-out on a stream and detach from the circuit, send an
|
|
|
+ end cell down it first.
|
|
|
+ - Only warn about an unknown router (in exitnodes, entrynodes,
|
|
|
+ excludenodes) after we've fetched a directory.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.2pre22 - 2004-02-26
|
|
|
+ o New features:
|
|
|
+ - Servers publish less revealing uname information in descriptors.
|
|
|
+ - More memory tracking and assertions, to crash more usefully when
|
|
|
+ errors happen.
|
|
|
+ - If the default torrc isn't there, just use some default defaults.
|
|
|
+ Plus provide an internal dirservers file if they don't have one.
|
|
|
+ - When the user tries to use Tor as an http proxy, give them an http
|
|
|
+ 501 failure explaining that we're a socks proxy.
|
|
|
+ - Dump a new router.desc on hup, to help confused people who change
|
|
|
+ their exit policies and then wonder why router.desc doesn't reflect
|
|
|
+ it.
|
|
|
+ - Clean up the generic tor.sh init script that we ship with.
|
|
|
+ o Bugfixes:
|
|
|
+ - If the exit stream is pending on the resolve, and a destroy arrives,
|
|
|
+ then the stream wasn't getting removed from the pending list. I
|
|
|
+ think this was the one causing recent server crashes.
|
|
|
+ - Use a more robust poll on OSX 10.3, since their poll is flaky.
|
|
|
+ - When it couldn't resolve any dirservers, it was useless from then on.
|
|
|
+ Now it reloads the RouterFile (or default dirservers) if it has no
|
|
|
+ dirservers.
|
|
|
+ - Move the 'tor' binary back to /usr/local/bin/ -- it turns out
|
|
|
+ many users don't even *have* a /usr/local/sbin/.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.2pre21 - 2004-02-18
|
|
|
+ o New features:
|
|
|
+ - There's a ChangeLog file that actually reflects the changelog.
|
|
|
+ - There's a 'torify' wrapper script, with an accompanying
|
|
|
+ tor-tsocks.conf, that simplifies the process of using tsocks for
|
|
|
+ tor. It even has a man page.
|
|
|
+ - The tor binary gets installed to sbin rather than bin now.
|
|
|
+ - Retry streams where the connected cell hasn't arrived in 15 seconds
|
|
|
+ - Clean up exit policy handling -- get the default out of the torrc,
|
|
|
+ so we can update it without forcing each server operator to fix
|
|
|
+ his/her torrc.
|
|
|
+ - Allow imaps and pop3s in default exit policy
|
|
|
+ o Bugfixes:
|
|
|
+ - Prevent picking middleman nodes as the last node in the circuit
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.2pre20 - 2004-01-30
|
|
|
+ o New features:
|
|
|
+ - We now have a deb package, and it's in debian unstable. Go to
|
|
|
+ it, apt-getters. :)
|
|
|
+ - I've split the TotalBandwidth option into BandwidthRate (how many
|
|
|
+ bytes per second you want to allow, long-term) and
|
|
|
+ BandwidthBurst (how many bytes you will allow at once before the cap
|
|
|
+ kicks in). This better token bucket approach lets you, say, set
|
|
|
+ BandwidthRate to 10KB/s and BandwidthBurst to 10MB, allowing good
|
|
|
+ performance while not exceeding your monthly bandwidth quota.
|
|
|
+ - Push out a tls record's worth of data once you've got it, rather
|
|
|
+ than waiting until you've read everything waiting to be read. This
|
|
|
+ may improve performance by pipelining better. We'll see.
|
|
|
+ - Add an AP_CONN_STATE_CONNECTING state, to allow streams to detach
|
|
|
+ from failed circuits (if they haven't been connected yet) and attach
|
|
|
+ to new ones.
|
|
|
+ - Expire old streams that haven't managed to connect. Some day we'll
|
|
|
+ have them reattach to new circuits instead.
|
|
|
+
|
|
|
+ o Bugfixes:
|
|
|
+ - Fix several memory leaks that were causing servers to become bloated
|
|
|
+ after a while.
|
|
|
+ - Fix a few very rare assert triggers. A few more remain.
|
|
|
+ - Setuid to User _before_ complaining about running as root.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.2pre19 - 2004-01-07
|
|
|
+ o Bugfixes:
|
|
|
+ - Fix deadlock condition in dns farm. We were telling a child to die by
|
|
|
+ closing the parent's file descriptor to him. But newer children were
|
|
|
+ inheriting the open file descriptor from the parent, and since they
|
|
|
+ weren't closing it, the socket never closed, so the child never read
|
|
|
+ eof, so he never knew to exit. Similarly, dns workers were holding
|
|
|
+ open other sockets, leading to all sorts of chaos.
|
|
|
+ - New cleaner daemon() code for forking and backgrounding.
|
|
|
+ - If you log to a file, it now prints an entry at the top of the
|
|
|
+ logfile so you know it's working.
|
|
|
+ - The onionskin challenge length was 30 bytes longer than necessary.
|
|
|
+ - Started to patch up the spec so it's not quite so out of date.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.2pre18 - 2004-01-02
|
|
|
+ o Bugfixes:
|
|
|
+ - Fix endian issues with the 'integrity' field in the relay header.
|
|
|
+ - Fix a potential bug where connections in state
|
|
|
+ AP_CONN_STATE_CIRCUIT_WAIT might unexpectedly ask to write.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.2pre17 - 2003-12-30
|
|
|
+ o Bugfixes:
|
|
|
+ - Made --debuglogfile (or any second log file, actually) work.
|
|
|
+ - Resolved an edge case in get_unique_circ_id_by_conn where a smart
|
|
|
+ adversary could force us into an infinite loop.
|
|
|
+
|
|
|
+ o Features:
|
|
|
+ - Each onionskin handshake now includes a hash of the computed key,
|
|
|
+ to prove the server's identity and help perfect forward secrecy.
|
|
|
+ - Changed cell size from 256 to 512 bytes (working toward compatibility
|
|
|
+ with MorphMix).
|
|
|
+ - Changed cell length to 2 bytes, and moved it to the relay header.
|
|
|
+ - Implemented end-to-end integrity checking for the payloads of
|
|
|
+ relay cells.
|
|
|
+ - Separated streamid from 'recognized' (otherwise circuits will get
|
|
|
+ messed up when we try to have streams exit from the middle). We
|
|
|
+ use the integrity-checking to confirm that a cell is addressed to
|
|
|
+ this hop.
|
|
|
+ - Randomize the initial circid and streamid values, so an adversary who
|
|
|
+ breaks into a node can't learn how many circuits or streams have
|
|
|
+ been made so far.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.2pre16 - 2003-12-14
|
|
|
+ o Bugfixes:
|
|
|
+ - Fixed a bug that made HUP trigger an assert
|
|
|
+ - Fixed a bug where a circuit that immediately failed wasn't being
|
|
|
+ counted as a failed circuit in counting retries.
|
|
|
+
|
|
|
+ o Features:
|
|
|
+ - Now we close the circuit when we get a truncated cell: otherwise we're
|
|
|
+ open to an anonymity attack where a bad node in the path truncates
|
|
|
+ the circuit and then we open streams at him.
|
|
|
+ - Add port ranges to exit policies
|
|
|
+ - Add a conservative default exit policy
|
|
|
+ - Warn if you're running tor as root
|
|
|
+ - on HUP, retry OR connections and close/rebind listeners
|
|
|
+ - options.EntryNodes: try these nodes first when picking the first node
|
|
|
+ - options.ExitNodes: if your best choices happen to include any of
|
|
|
+ your preferred exit nodes, you choose among just those preferred
|
|
|
+ exit nodes.
|
|
|
+ - options.ExcludedNodes: nodes that are never picked in path building
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.2pre15 - 2003-12-03
|
|
|
+ o Robustness and bugfixes:
|
|
|
+ - Sometimes clients would cache incorrect DNS resolves, which would
|
|
|
+ really screw things up.
|
|
|
+ - An OP that goes offline would slowly leak all its sockets and stop
|
|
|
+ working.
|
|
|
+ - A wide variety of bugfixes in exit node selection, exit policy
|
|
|
+ handling, and processing pending streams when a new circuit is
|
|
|
+ established.
|
|
|
+ - Pick nodes for a path only from those the directory says are up
|
|
|
+ - Choose randomly from all running dirservers, not always the first one
|
|
|
+ - Increase allowed http header size for directory fetch.
|
|
|
+ - Stop writing to stderr (if we're daemonized it will be closed).
|
|
|
+ - Enable -g always, so cores will be more useful to me.
|
|
|
+ - Switch "-lcrypto -lssl" to "-lssl -lcrypto" for broken distributions.
|
|
|
+
|
|
|
+ o Documentation:
|
|
|
+ - Wrote a man page. It lists commonly used options.
|
|
|
+
|
|
|
+ o Configuration:
|
|
|
+ - Change default loglevel to warn.
|
|
|
+ - Make PidFile default to null rather than littering in your CWD.
|
|
|
+ - OnionRouter config option is now obsolete. Instead it just checks
|
|
|
+ ORPort>0.
|
|
|
+ - Moved to a single unified torrc file for both clients and servers.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.0.2pre14 - 2003-11-29
|
|
|
+ o Robustness and bugfixes:
|
|
|
+ - Force the admin to make the DataDirectory himself
|
|
|
+ - to get ownership/permissions right
|
|
|
+ - so clients no longer make a DataDirectory and then never use it
|
|
|
+ - fix bug where a client who was offline for 45 minutes would never
|
|
|
+ pull down a directory again
|
|
|
+ - fix (or at least hide really well) the dns assert bug that was
|
|
|
+ causing server crashes
|
|
|
+ - warnings and improved robustness wrt clockskew for certs
|
|
|
+ - use the native daemon(3) to daemonize, when available
|
|
|
+ - exit if bind() fails
|
|
|
+ - exit if neither socksport nor orport is defined
|
|
|
+ - include our own tor_timegm (Win32 doesn't have its own)
|
|
|
+ - bugfix for win32 with lots of connections
|
|
|
+ - fix minor bias in PRNG
|
|
|
+ - make dirserver more robust to corrupt cached directory
|
|
|
+
|
|
|
+ o Documentation:
|
|
|
+ - Wrote the design document (woo)
|
|
|
+
|
|
|
+ o Circuit building and exit policies:
|
|
|
+ - Circuits no longer try to use nodes that the directory has told them
|
|
|
+ are down.
|
|
|
+ - Exit policies now support bitmasks (18.0.0.0/255.0.0.0) and
|
|
|
+ bitcounts (18.0.0.0/8).
|
|
|
+ - Make AP connections standby for a circuit if no suitable circuit
|
|
|
+ exists, rather than failing
|
|
|
+ - Circuits choose exit node based on addr/port, exit policies, and
|
|
|
+ which AP connections are standing by
|
|
|
+ - Bump min pathlen from 2 to 3
|
|
|
+ - Relay end cells have a payload to describe why the stream ended.
|
|
|
+ - If the stream failed because of exit policy, try again with a new
|
|
|
+ circuit.
|
|
|
+ - Clients have a dns cache to remember resolved addresses.
|
|
|
+ - Notice more quickly when we have no working circuits
|
|
|
+
|
|
|
+ o Configuration:
|
|
|
+ - APPort is now called SocksPort
|
|
|
+ - SocksBindAddress, ORBindAddress, DirBindAddress let you configure
|
|
|
+ where to bind
|
|
|
+ - RecommendedVersions is now a config variable rather than
|
|
|
+ hardcoded (for dirservers)
|
|
|
+ - Reloads config on HUP
|
|
|
+ - Usage info on -h or --help
|
|
|
+ - If you set User and Group config vars, it'll setu/gid to them.
|
|
|
+
|
|
|
+Changes in version 0.0.2pre13 - 2003-10-19
|
|
|
+ o General stability:
|
|
|
+ - SSL_write no longer fails when it returns WANTWRITE and the number
|
|
|
+ of bytes in the buf has changed by the next SSL_write call.
|
|
|
+ - Fix segfault fetching directory when network is down
|
|
|
+ - Fix a variety of minor memory leaks
|
|
|
+ - Dirservers reload the fingerprints file on HUP, so I don't have
|
|
|
+ to take down the network when I approve a new router
|
|
|
+ - Default server config file has explicit Address line to specify fqdn
|
|
|
+
|
|
|
+ o Buffers:
|
|
|
+ - Buffers grow and shrink as needed (Cut process size from 20M to 2M)
|
|
|
+ - Make listener connections not ever alloc bufs
|
|
|
+
|
|
|
+ o Autoconf improvements:
|
|
|
+ - don't clobber an external CFLAGS in ./configure
|
|
|
+ - Make install now works
|
|
|
+ - create var/lib/tor on make install
|
|
|
+ - autocreate a tor.sh initscript to help distribs
|
|
|
+ - autocreate the torrc and sample-server-torrc with correct paths
|
|
|
+
|
|
|
+ o Log files and Daemonizing now work:
|
|
|
+ - If --DebugLogFile is specified, log to it at -l debug
|
|
|
+ - If --LogFile is specified, use it instead of commandline
|
|
|
+ - If --RunAsDaemon is set, tor forks and backgrounds on startup
|
|
|
+
|