|
|
@@ -3,6 +3,605 @@ This document summarizes new features and bugfixes in each stable release
|
|
|
of Tor. If you want to see more detailed descriptions of the changes in
|
|
|
each development snapshot, see the ChangeLog file.
|
|
|
|
|
|
+Changes in version 0.2.1.18 - 2009-07-24
|
|
|
+ o Major features (clients):
|
|
|
+ - Start sending "bootstrap phase" status events to the controller,
|
|
|
+ so it can keep the user informed of progress fetching directory
|
|
|
+ information and establishing circuits. Also inform the controller
|
|
|
+ if we think we're stuck at a particular bootstrap phase. Implements
|
|
|
+ proposal 137.
|
|
|
+ - Clients replace entry guards that were chosen more than a few months
|
|
|
+ ago. This change should significantly improve client performance,
|
|
|
+ especially once more people upgrade, since relays that have been
|
|
|
+ a guard for a long time are currently overloaded.
|
|
|
+ - Network status consensus documents and votes now contain bandwidth
|
|
|
+ information for each relay. Clients use the bandwidth values
|
|
|
+ in the consensus, rather than the bandwidth values in each
|
|
|
+ relay descriptor. This approach opens the door to more accurate
|
|
|
+ bandwidth estimates once the directory authorities start doing
|
|
|
+ active measurements. Implements part of proposal 141.
|
|
|
+
|
|
|
+ o Major features (relays):
|
|
|
+ - Disable and refactor some debugging checks that forced a linear scan
|
|
|
+ over the whole server-side DNS cache. These accounted for over 50%
|
|
|
+ of CPU time on a relatively busy exit node's gprof profile. Also,
|
|
|
+ disable some debugging checks that appeared in exit node profile
|
|
|
+ data. Found by Jacob.
|
|
|
+ - New DirPortFrontPage option that takes an html file and publishes
|
|
|
+ it as "/" on the DirPort. Now relay operators can provide a
|
|
|
+ disclaimer without needing to set up a separate webserver. There's
|
|
|
+ a sample disclaimer in contrib/tor-exit-notice.html.
|
|
|
+
|
|
|
+ o Major features (hidden services):
|
|
|
+ - Make it possible to build hidden services that only certain clients
|
|
|
+ are allowed to connect to. This is enforced at several points,
|
|
|
+ so that unauthorized clients are unable to send INTRODUCE cells
|
|
|
+ to the service, or even (depending on the type of authentication)
|
|
|
+ to learn introduction points. This feature raises the bar for
|
|
|
+ certain kinds of active attacks against hidden services. Design
|
|
|
+ and code by Karsten Loesing. Implements proposal 121.
|
|
|
+ - Relays now store and serve v2 hidden service descriptors by default,
|
|
|
+ i.e., the new default value for HidServDirectoryV2 is 1. This is
|
|
|
+ the last step in proposal 114, which aims to make hidden service
|
|
|
+ lookups more reliable.
|
|
|
+
|
|
|
+ o Major features (path selection):
|
|
|
+ - ExitNodes and Exclude*Nodes config options now allow you to restrict
|
|
|
+ by country code ("{US}") or IP address or address pattern
|
|
|
+ ("255.128.0.0/16"). Patch from Robert Hogan. It still needs some
|
|
|
+ refinement to decide what config options should take priority if
|
|
|
+ you ask to both use a particular node and exclude it.
|
|
|
+
|
|
|
+ o Major features (misc):
|
|
|
+ - When building a consensus, do not include routers that are down.
|
|
|
+ This cuts down 30% to 40% on consensus size. Implements proposal
|
|
|
+ 138.
|
|
|
+ - New TestingTorNetwork config option to allow adjustment of
|
|
|
+ previously constant values that could slow bootstrapping. Implements
|
|
|
+ proposal 135. Patch from Karsten.
|
|
|
+ - Convert many internal address representations to optionally hold
|
|
|
+ IPv6 addresses. Generate and accept IPv6 addresses in many protocol
|
|
|
+ elements. Make resolver code handle nameservers located at IPv6
|
|
|
+ addresses.
|
|
|
+ - More work on making our TLS handshake blend in: modify the list
|
|
|
+ of ciphers advertised by OpenSSL in client mode to even more
|
|
|
+ closely resemble a common web browser. We cheat a little so that
|
|
|
+ we can advertise ciphers that the locally installed OpenSSL doesn't
|
|
|
+ know about.
|
|
|
+ - Use the TLS1 hostname extension to more closely resemble browser
|
|
|
+ behavior.
|
|
|
+
|
|
|
+ o Security fixes (anonymity/entropy):
|
|
|
+ - Never use a connection with a mismatched address to extend a
|
|
|
+ circuit, unless that connection is canonical. A canonical
|
|
|
+ connection is one whose address is authenticated by the router's
|
|
|
+ identity key, either in a NETINFO cell or in a router descriptor.
|
|
|
+ - Implement most of proposal 110: The first K cells to be sent
|
|
|
+ along a circuit are marked as special "early" cells; only K "early"
|
|
|
+ cells will be allowed. Once this code is universal, we can block
|
|
|
+ certain kinds of denial-of-service attack by requiring that EXTEND
|
|
|
+ commands must be sent using an "early" cell.
|
|
|
+ - Resume using OpenSSL's RAND_poll() for better (and more portable)
|
|
|
+ cross-platform entropy collection again. We used to use it, then
|
|
|
+ stopped using it because of a bug that could crash systems that
|
|
|
+ called RAND_poll when they had a lot of fds open. It looks like the
|
|
|
+ bug got fixed in late 2006. Our new behavior is to call RAND_poll()
|
|
|
+ at startup, and to call RAND_poll() when we reseed later only if
|
|
|
+ we have a non-buggy OpenSSL version.
|
|
|
+ - When the client is choosing entry guards, now it selects at most
|
|
|
+ one guard from a given relay family. Otherwise we could end up with
|
|
|
+ all of our entry points into the network run by the same operator.
|
|
|
+ Suggested by Camilo Viecco. Fix on 0.1.1.11-alpha.
|
|
|
+ - Do not use or believe expired v3 authority certificates. Patch
|
|
|
+ from Karsten. Bugfix in 0.2.0.x. Fixes bug 851.
|
|
|
+ - Drop begin cells to a hidden service if they come from the middle
|
|
|
+ of a circuit. Patch from lark.
|
|
|
+ - When we erroneously receive two EXTEND cells for the same circuit
|
|
|
+ ID on the same connection, drop the second. Patch from lark.
|
|
|
+ - Authorities now vote for the Stable flag for any router whose
|
|
|
+ weighted MTBF is at least 5 days, regardless of the mean MTBF.
|
|
|
+ - Clients now never report any stream end reason except 'MISC'.
|
|
|
+ Implements proposal 148.
|
|
|
+
|
|
|
+ o Major bugfixes (crashes):
|
|
|
+ - Parse dates and IPv4 addresses in a locale- and libc-independent
|
|
|
+ manner, to avoid platform-dependent behavior on malformed input.
|
|
|
+ - Fix a crash that occurs on exit nodes when a nameserver request
|
|
|
+ timed out. Bugfix on 0.1.2.1-alpha; our CLEAR debugging code had
|
|
|
+ been suppressing the bug since 0.1.2.10-alpha. Partial fix for
|
|
|
+ bug 929.
|
|
|
+ - Do not assume that a stack-allocated character array will be
|
|
|
+ 64-bit aligned on platforms that demand that uint64_t access is
|
|
|
+ aligned. Possible fix for bug 604.
|
|
|
+ - Resolve a very rare crash bug that could occur when the user forced
|
|
|
+ a nameserver reconfiguration during the middle of a nameserver
|
|
|
+ probe. Fixes bug 526. Bugfix on 0.1.2.1-alpha.
|
|
|
+ - Avoid a "0 divided by 0" calculation when calculating router uptime
|
|
|
+ at directory authorities. Bugfix on 0.2.0.8-alpha.
|
|
|
+ - Fix an assertion bug in parsing policy-related options; possible fix
|
|
|
+ for bug 811.
|
|
|
+ - Rate-limit too-many-sockets messages: when they happen, they happen
|
|
|
+ a lot and end up filling up the disk. Resolves bug 748.
|
|
|
+ - Fix a race condition that could cause crashes or memory corruption
|
|
|
+ when running as a server with a controller listening for log
|
|
|
+ messages.
|
|
|
+ - Avoid crashing when we have a policy specified in a DirPolicy or
|
|
|
+ SocksPolicy or ReachableAddresses option with ports set on it,
|
|
|
+ and we re-load the policy. May fix bug 996.
|
|
|
+ - Fix an assertion failure on 64-bit platforms when we allocated
|
|
|
+ memory right up to the end of a memarea, then realigned the memory
|
|
|
+ one step beyond the end. Fixes a possible cause of bug 930.
|
|
|
+ - Protect the count of open sockets with a mutex, so we can't
|
|
|
+ corrupt it when two threads are closing or opening sockets at once.
|
|
|
+ Fix for bug 939. Bugfix on 0.2.0.1-alpha.
|
|
|
+
|
|
|
+ o Major bugfixes (clients):
|
|
|
+ - Discard router descriptors as we load them if they are more than
|
|
|
+ five days old. Otherwise if Tor is off for a long time and then
|
|
|
+ starts with cached descriptors, it will try to use the onion keys
|
|
|
+ in those obsolete descriptors when building circuits. Fixes bug 887.
|
|
|
+ - When we choose to abandon a new entry guard because we think our
|
|
|
+ older ones might be better, close any circuits pending on that
|
|
|
+ new entry guard connection. This fix should make us recover much
|
|
|
+ faster when our network is down and then comes back. Bugfix on
|
|
|
+ 0.1.2.8-beta; found by lodger.
|
|
|
+ - When Tor clients restart after 1-5 days, they discard all their
|
|
|
+ cached descriptors as too old, but they still use the cached
|
|
|
+ consensus document. This approach is good for robustness, but
|
|
|
+ bad for performance: since they don't know any bandwidths, they
|
|
|
+ end up choosing at random rather than weighting their choice by
|
|
|
+ speed. Fixed by the above feature of putting bandwidths in the
|
|
|
+ consensus.
|
|
|
+
|
|
|
+ o Major bugfixes (relays):
|
|
|
+ - Relays were falling out of the networkstatus consensus for
|
|
|
+ part of a day if they changed their local config but the
|
|
|
+ authorities discarded their new descriptor as "not sufficiently
|
|
|
+ different". Now directory authorities accept a descriptor as changed
|
|
|
+ if BandwidthRate or BandwidthBurst changed. Partial fix for bug 962;
|
|
|
+ patch by Sebastian.
|
|
|
+ - Ensure that two circuits can never exist on the same connection
|
|
|
+ with the same circuit ID, even if one is marked for close. This
|
|
|
+ is conceivably a bugfix for bug 779; fixes a bug on 0.1.0.4-rc.
|
|
|
+ - Directory authorities were neglecting to mark relays down in their
|
|
|
+ internal histories if the relays fall off the routerlist without
|
|
|
+ ever being found unreachable. So there were relays in the histories
|
|
|
+ that haven't been seen for eight months, and are listed as being
|
|
|
+ up for eight months. This wreaked havoc on the "median wfu" and
|
|
|
+ "median mtbf" calculations, in turn making Guard and Stable flags
|
|
|
+ wrong, hurting network performance. Fixes bugs 696 and 969. Bugfix
|
|
|
+ on 0.2.0.6-alpha.
|
|
|
+
|
|
|
+ o Major bugfixes (hidden services):
|
|
|
+ - When establishing a hidden service, introduction points that
|
|
|
+ originate from cannibalized circuits were completely ignored
|
|
|
+ and not included in rendezvous service descriptors. This might
|
|
|
+ have been another reason for delay in making a hidden service
|
|
|
+ available. Bugfix from long ago (0.0.9.x?)
|
|
|
+
|
|
|
+ o Major bugfixes (memory and resource management):
|
|
|
+ - Fixed some memory leaks -- some quite frequent, some almost
|
|
|
+ impossible to trigger -- based on results from Coverity.
|
|
|
+ - Speed up parsing and cut down on memory fragmentation by using
|
|
|
+ stack-style allocations for parsing directory objects. Previously,
|
|
|
+ this accounted for over 40% of allocations from within Tor's code
|
|
|
+ on a typical directory cache.
|
|
|
+ - Use a Bloom filter rather than a digest-based set to track which
|
|
|
+ descriptors we need to keep around when we're cleaning out old
|
|
|
+ router descriptors. This speeds up the computation significantly,
|
|
|
+ and may reduce fragmentation.
|
|
|
+
|
|
|
+ o New/changed config options:
|
|
|
+ - Now NodeFamily and MyFamily config options allow spaces in
|
|
|
+ identity fingerprints, so it's easier to paste them in.
|
|
|
+ Suggested by Lucky Green.
|
|
|
+ - Allow ports 465 and 587 in the default exit policy again. We had
|
|
|
+ rejected them in 0.1.0.15, because back in 2005 they were commonly
|
|
|
+ misconfigured and ended up as spam targets. We hear they are better
|
|
|
+ locked down these days.
|
|
|
+ - Make TrackHostExit mappings expire a while after their last use, not
|
|
|
+ after their creation. Patch from Robert Hogan.
|
|
|
+ - Add an ExcludeExitNodes option so users can list a set of nodes
|
|
|
+ that should be be excluded from the exit node position, but
|
|
|
+ allowed elsewhere. Implements proposal 151.
|
|
|
+ - New --hush command-line option similar to --quiet. While --quiet
|
|
|
+ disables all logging to the console on startup, --hush limits the
|
|
|
+ output to messages of warning and error severity.
|
|
|
+ - New configure/torrc options (--enable-geoip-stats,
|
|
|
+ DirRecordUsageByCountry) to record how many IPs we've served
|
|
|
+ directory info to in each country code, how many status documents
|
|
|
+ total we've sent to each country code, and what share of the total
|
|
|
+ directory requests we should expect to see.
|
|
|
+ - Make outbound DNS packets respect the OutboundBindAddress setting.
|
|
|
+ Fixes the bug part of bug 798. Bugfix on 0.1.2.2-alpha.
|
|
|
+ - Allow separate log levels to be configured for different logging
|
|
|
+ domains. For example, this allows one to log all notices, warnings,
|
|
|
+ or errors, plus all memory management messages of level debug or
|
|
|
+ higher, with: Log [MM] debug-err [*] notice-err file /var/log/tor.
|
|
|
+ - Update to the "June 3 2009" ip-to-country file.
|
|
|
+
|
|
|
+ o Minor features (relays):
|
|
|
+ - Raise the minimum rate limiting to be a relay from 20000 bytes
|
|
|
+ to 20480 bytes (aka 20KB/s), to match our documentation. Also
|
|
|
+ update directory authorities so they always assign the Fast flag
|
|
|
+ to relays with 20KB/s of capacity. Now people running relays won't
|
|
|
+ suddenly find themselves not seeing any use, if the network gets
|
|
|
+ faster on average.
|
|
|
+ - If we're a relay and we change our IP address, be more verbose
|
|
|
+ about the reason that made us change. Should help track down
|
|
|
+ further bugs for relays on dynamic IP addresses.
|
|
|
+ - Exit servers can now answer resolve requests for ip6.arpa addresses.
|
|
|
+ - Implement most of Proposal 152: allow specialized servers to permit
|
|
|
+ single-hop circuits, and clients to use those servers to build
|
|
|
+ single-hop circuits when using a specialized controller. Patch
|
|
|
+ from Josh Albrecht. Resolves feature request 768.
|
|
|
+ - When relays do their initial bandwidth measurement, don't limit
|
|
|
+ to just our entry guards for the test circuits. Otherwise we tend
|
|
|
+ to have multiple test circuits going through a single entry guard,
|
|
|
+ which makes our bandwidth test less accurate. Fixes part of bug 654;
|
|
|
+ patch contributed by Josh Albrecht.
|
|
|
+
|
|
|
+ o Minor features (directory authorities):
|
|
|
+ - Try not to open more than one descriptor-downloading connection
|
|
|
+ to an authority at once. This should reduce load on directory
|
|
|
+ authorities. Fixes bug 366.
|
|
|
+ - Add cross-certification to newly generated certificates, so that
|
|
|
+ a signing key is enough information to look up a certificate. Start
|
|
|
+ serving certificates by <identity digest, signing key digest>
|
|
|
+ pairs. Implements proposal 157.
|
|
|
+ - When a directory authority downloads a descriptor that it then
|
|
|
+ immediately rejects, do not retry downloading it right away. Should
|
|
|
+ save some bandwidth on authorities. Fix for bug 888. Patch by
|
|
|
+ Sebastian Hahn.
|
|
|
+ - Directory authorities now serve a /tor/dbg-stability.txt URL to
|
|
|
+ help debug WFU and MTBF calculations.
|
|
|
+ - In directory authorities' approved-routers files, allow
|
|
|
+ fingerprints with or without space.
|
|
|
+
|
|
|
+ o Minor features (directory mirrors):
|
|
|
+ - When a download gets us zero good descriptors, do not notify
|
|
|
+ Tor that new directory information has arrived.
|
|
|
+ - Servers support a new URL scheme for consensus downloads that
|
|
|
+ allows the client to specify which authorities are trusted.
|
|
|
+ The server then only sends the consensus if the client will trust
|
|
|
+ it. Otherwise a 404 error is sent back. Clients use this
|
|
|
+ new scheme when the server supports it (meaning it's running
|
|
|
+ 0.2.1.1-alpha or later). Implements proposal 134.
|
|
|
+
|
|
|
+ o Minor features (bridges):
|
|
|
+ - If the bridge config line doesn't specify a port, assume 443.
|
|
|
+ This makes bridge lines a bit smaller and easier for users to
|
|
|
+ understand.
|
|
|
+ - If we're using bridges and our network goes away, be more willing
|
|
|
+ to forgive our bridges and try again when we get an application
|
|
|
+ request.
|
|
|
+
|
|
|
+ o Minor features (hidden services):
|
|
|
+ - When the client launches an introduction circuit, retry with a
|
|
|
+ new circuit after 30 seconds rather than 60 seconds.
|
|
|
+ - Launch a second client-side introduction circuit in parallel
|
|
|
+ after a delay of 15 seconds (based on work by Christian Wilms).
|
|
|
+ - Hidden services start out building five intro circuits rather
|
|
|
+ than three, and when the first three finish they publish a service
|
|
|
+ descriptor using those. Now we publish our service descriptor much
|
|
|
+ faster after restart.
|
|
|
+ - Drop the requirement to have an open dir port for storing and
|
|
|
+ serving v2 hidden service descriptors.
|
|
|
+
|
|
|
+ o Minor features (build and packaging):
|
|
|
+ - On Linux, use the prctl call to re-enable core dumps when the User
|
|
|
+ option is set.
|
|
|
+ - Try to make sure that the version of Libevent we're running with
|
|
|
+ is binary-compatible with the one we built with. May address bug
|
|
|
+ 897 and others.
|
|
|
+ - Add a new --enable-local-appdata configuration switch to change
|
|
|
+ the default location of the datadir on win32 from APPDATA to
|
|
|
+ LOCAL_APPDATA. In the future, we should migrate to LOCAL_APPDATA
|
|
|
+ entirely. Patch from coderman.
|
|
|
+ - Build correctly against versions of OpenSSL 0.9.8 or later that
|
|
|
+ are built without support for deprecated functions.
|
|
|
+ - On platforms with a maximum syslog string length, truncate syslog
|
|
|
+ messages to that length ourselves, rather than relying on the
|
|
|
+ system to do it for us.
|
|
|
+ - Automatically detect MacOSX versions earlier than 10.4.0, and
|
|
|
+ disable kqueue from inside Tor when running with these versions.
|
|
|
+ We previously did this from the startup script, but that was no
|
|
|
+ help to people who didn't use the startup script. Resolves bug 863.
|
|
|
+ - Build correctly when configured to build outside the main source
|
|
|
+ path. Patch from Michael Gold.
|
|
|
+ - Disable GCC's strict alias optimization by default, to avoid the
|
|
|
+ likelihood of its introducing subtle bugs whenever our code violates
|
|
|
+ the letter of C99's alias rules.
|
|
|
+ - Change the contrib/tor.logrotate script so it makes the new
|
|
|
+ logs as "_tor:_tor" rather than the default, which is generally
|
|
|
+ "root:wheel". Fixes bug 676, reported by Serge Koksharov.
|
|
|
+ - Change our header file guard macros to be less likely to conflict
|
|
|
+ with system headers. Adam Langley noticed that we were conflicting
|
|
|
+ with log.h on Android.
|
|
|
+ - Add a couple of extra warnings to --enable-gcc-warnings for GCC 4.3,
|
|
|
+ and stop using a warning that had become unfixably verbose under
|
|
|
+ GCC 4.3.
|
|
|
+ - Use a lockfile to make sure that two Tor processes are not
|
|
|
+ simultaneously running with the same datadir.
|
|
|
+ - Allow OpenSSL to use dynamic locks if it wants.
|
|
|
+ - Add LIBS=-lrt to Makefile.am so the Tor RPMs use a static libevent.
|
|
|
+
|
|
|
+ o Minor features (controllers):
|
|
|
+ - When generating circuit events with verbose nicknames for
|
|
|
+ controllers, try harder to look up nicknames for routers on a
|
|
|
+ circuit. (Previously, we would look in the router descriptors we had
|
|
|
+ for nicknames, but not in the consensus.) Partial fix for bug 941.
|
|
|
+ - New controller event NEWCONSENSUS that lists the networkstatus
|
|
|
+ lines for every recommended relay. Now controllers like Torflow
|
|
|
+ can keep up-to-date on which relays they should be using.
|
|
|
+ - New controller event "clients_seen" to report a geoip-based summary
|
|
|
+ of which countries we've seen clients from recently. Now controllers
|
|
|
+ like Vidalia can show bridge operators that they're actually making
|
|
|
+ a difference.
|
|
|
+ - Add a 'getinfo status/clients-seen' controller command, in case
|
|
|
+ controllers want to hear clients_seen events but connect late.
|
|
|
+ - New CONSENSUS_ARRIVED event to note when a new consensus has
|
|
|
+ been fetched and validated.
|
|
|
+ - Add an internal-use-only __ReloadTorrcOnSIGHUP option for
|
|
|
+ controllers to prevent SIGHUP from reloading the configuration.
|
|
|
+ Fixes bug 856.
|
|
|
+ - Return circuit purposes in response to GETINFO circuit-status.
|
|
|
+ Fixes bug 858.
|
|
|
+ - Serve the latest v3 networkstatus consensus via the control
|
|
|
+ port. Use "getinfo dir/status-vote/current/consensus" to fetch it.
|
|
|
+ - Add a "GETINFO /status/bootstrap-phase" controller option, so the
|
|
|
+ controller can query our current bootstrap state in case it attaches
|
|
|
+ partway through and wants to catch up.
|
|
|
+ - Provide circuit purposes along with circuit events to the controller.
|
|
|
+
|
|
|
+ o Minor features (tools):
|
|
|
+ - Do not have tor-resolve automatically refuse all .onion addresses;
|
|
|
+ if AutomapHostsOnResolve is set in your torrc, this will work fine.
|
|
|
+ - Add a -p option to tor-resolve for specifying the SOCKS port: some
|
|
|
+ people find host:port too confusing.
|
|
|
+ - Print the SOCKS5 error message string as well as the error code
|
|
|
+ when a tor-resolve request fails. Patch from Jacob.
|
|
|
+
|
|
|
+ o Minor bugfixes (memory and resource management):
|
|
|
+ - Clients no longer cache certificates for authorities they do not
|
|
|
+ recognize. Bugfix on 0.2.0.9-alpha.
|
|
|
+ - Do not use C's stdio library for writing to log files. This will
|
|
|
+ improve logging performance by a minute amount, and will stop
|
|
|
+ leaking fds when our disk is full. Fixes bug 861.
|
|
|
+ - Stop erroneous use of O_APPEND in cases where we did not in fact
|
|
|
+ want to re-seek to the end of a file before every last write().
|
|
|
+ - Fix a small alignment and memory-wasting bug on buffer chunks.
|
|
|
+ Spotted by rovv.
|
|
|
+ - Add a malloc_good_size implementation to OpenBSD_malloc_linux.c,
|
|
|
+ to avoid unused RAM in buffer chunks and memory pools.
|
|
|
+ - Reduce the default smartlist size from 32 to 16; it turns out that
|
|
|
+ most smartlists hold around 8-12 elements tops.
|
|
|
+ - Make dumpstats() log the fullness and size of openssl-internal
|
|
|
+ buffers.
|
|
|
+ - If the user has applied the experimental SSL_MODE_RELEASE_BUFFERS
|
|
|
+ patch to their OpenSSL, turn it on to save memory on servers. This
|
|
|
+ patch will (with any luck) get included in a mainline distribution
|
|
|
+ before too long.
|
|
|
+ - Fix a memory leak when v3 directory authorities load their keys
|
|
|
+ and cert from disk. Bugfix on 0.2.0.1-alpha.
|
|
|
+ - Stop using malloc_usable_size() to use more area than we had
|
|
|
+ actually allocated: it was safe, but made valgrind really unhappy.
|
|
|
+ - Make the assert_circuit_ok() function work correctly on circuits that
|
|
|
+ have already been marked for close.
|
|
|
+ - Fix uninitialized size field for memory area allocation: may improve
|
|
|
+ memory performance during directory parsing.
|
|
|
+
|
|
|
+ o Minor bugfixes (clients):
|
|
|
+ - Stop reloading the router list from disk for no reason when we
|
|
|
+ run out of reachable directory mirrors. Once upon a time reloading
|
|
|
+ it would set the 'is_running' flag back to 1 for them. It hasn't
|
|
|
+ done that for a long time.
|
|
|
+ - When we had picked an exit node for a connection, but marked it as
|
|
|
+ "optional", and it turned out we had no onion key for the exit,
|
|
|
+ stop wanting that exit and try again. This situation may not
|
|
|
+ be possible now, but will probably become feasible with proposal
|
|
|
+ 158. Spotted by rovv. Fixes another case of bug 752.
|
|
|
+ - Fix a bug in address parsing that was preventing bridges or hidden
|
|
|
+ service targets from being at IPv6 addresses.
|
|
|
+ - Do not remove routers as too old if we do not have any consensus
|
|
|
+ document. Bugfix on 0.2.0.7-alpha.
|
|
|
+ - When an exit relay resolves a stream address to a local IP address,
|
|
|
+ do not just keep retrying that same exit relay over and
|
|
|
+ over. Instead, just close the stream. Addresses bug 872. Bugfix
|
|
|
+ on 0.2.0.32. Patch from rovv.
|
|
|
+ - Made Tor a little less aggressive about deleting expired
|
|
|
+ certificates. Partial fix for bug 854.
|
|
|
+ - Treat duplicate certificate fetches as failures, so that we do
|
|
|
+ not try to re-fetch an expired certificate over and over and over.
|
|
|
+ - Do not say we're fetching a certificate when we'll in fact skip it
|
|
|
+ because of a pending download.
|
|
|
+ - If we have correct permissions on $datadir, we complain to stdout
|
|
|
+ and fail to start. But dangerous permissions on
|
|
|
+ $datadir/cached-status/ would cause us to open a log and complain
|
|
|
+ there. Now complain to stdout and fail to start in both cases. Fixes
|
|
|
+ bug 820, reported by seeess.
|
|
|
+
|
|
|
+ o Minor bugfixes (bridges):
|
|
|
+ - When we made bridge authorities stop serving bridge descriptors over
|
|
|
+ unencrypted links, we also broke DirPort reachability testing for
|
|
|
+ bridges. So bridges with a non-zero DirPort were printing spurious
|
|
|
+ warns to their logs. Bugfix on 0.2.0.16-alpha. Fixes bug 709.
|
|
|
+ - Don't allow a bridge to publish its router descriptor to a
|
|
|
+ non-bridge directory authority. Fixes part of bug 932.
|
|
|
+ - When we change to or from being a bridge, reset our counts of
|
|
|
+ client usage by country. Fixes bug 932.
|
|
|
+
|
|
|
+ o Minor bugfixes (relays):
|
|
|
+ - Log correct error messages for DNS-related network errors on
|
|
|
+ Windows.
|
|
|
+ - Actually return -1 in the error case for read_bandwidth_usage().
|
|
|
+ Harmless bug, since we currently don't care about the return value
|
|
|
+ anywhere. Bugfix on 0.2.0.9-alpha.
|
|
|
+ - Provide a more useful log message if bug 977 (related to buffer
|
|
|
+ freelists) ever reappears, and do not crash right away.
|
|
|
+ - We were already rejecting relay begin cells with destination port
|
|
|
+ of 0. Now also reject extend cells with destination port or address
|
|
|
+ of 0. Suggested by lark.
|
|
|
+ - When we can't transmit a DNS request due to a network error, retry
|
|
|
+ it after a while, and eventually transmit a failing response to
|
|
|
+ the RESOLVED cell. Bugfix on 0.1.2.5-alpha.
|
|
|
+ - Solve a bug that kept hardware crypto acceleration from getting
|
|
|
+ enabled when accounting was turned on. Fixes bug 907. Bugfix on
|
|
|
+ 0.0.9pre6.
|
|
|
+ - When a canonical connection appears later in our internal list
|
|
|
+ than a noncanonical one for a given OR ID, always use the
|
|
|
+ canonical one. Bugfix on 0.2.0.12-alpha. Fixes bug 805.
|
|
|
+ Spotted by rovv.
|
|
|
+ - Avoid some nasty corner cases in the logic for marking connections
|
|
|
+ as too old or obsolete or noncanonical for circuits. Partial
|
|
|
+ bugfix on bug 891.
|
|
|
+ - Fix another interesting corner-case of bug 891 spotted by rovv:
|
|
|
+ Previously, if two hosts had different amounts of clock drift, and
|
|
|
+ one of them created a new connection with just the wrong timing,
|
|
|
+ the other might decide to deprecate the new connection erroneously.
|
|
|
+ Bugfix on 0.1.1.13-alpha.
|
|
|
+ - If one win32 nameserver fails to get added, continue adding the
|
|
|
+ rest, and don't automatically fail.
|
|
|
+ - Fix a bug where an unreachable relay would establish enough
|
|
|
+ reachability testing circuits to do a bandwidth test -- if
|
|
|
+ we already have a connection to the middle hop of the testing
|
|
|
+ circuit, then it could establish the last hop by using the existing
|
|
|
+ connection. Bugfix on 0.1.2.2-alpha, exposed when we made testing
|
|
|
+ circuits no longer use entry guards in 0.2.1.3-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (directory authorities):
|
|
|
+ - Limit uploaded directory documents to be 16M rather than 500K.
|
|
|
+ The directory authorities were refusing v3 consensus votes from
|
|
|
+ other authorities, since the votes are now 504K. Fixes bug 959;
|
|
|
+ bugfix on 0.0.2pre17 (where we raised it from 50K to 500K ;).
|
|
|
+ - Directory authorities should never send a 503 "busy" response to
|
|
|
+ requests for votes or keys. Bugfix on 0.2.0.8-alpha; exposed by
|
|
|
+ bug 959.
|
|
|
+ - Fix code so authorities _actually_ send back X-Descriptor-Not-New
|
|
|
+ headers. Bugfix on 0.2.0.10-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (hidden services):
|
|
|
+ - When we can't find an intro key for a v2 hidden service descriptor,
|
|
|
+ fall back to the v0 hidden service descriptor and log a bug message.
|
|
|
+ Workaround for bug 1024.
|
|
|
+ - In very rare situations new hidden service descriptors were
|
|
|
+ published earlier than 30 seconds after the last change to the
|
|
|
+ service. (We currently think that a hidden service descriptor
|
|
|
+ that's been stable for 30 seconds is worth publishing.)
|
|
|
+ - If a hidden service sends us an END cell, do not consider
|
|
|
+ retrying the connection; just close it. Patch from rovv.
|
|
|
+ - If we are not using BEGIN_DIR cells, don't attempt to contact hidden
|
|
|
+ service directories if they have no advertised dir port. Bugfix
|
|
|
+ on 0.2.0.10-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (tools):
|
|
|
+ - In the torify(1) manpage, mention that tsocks will leak your
|
|
|
+ DNS requests.
|
|
|
+
|
|
|
+ o Minor bugfixes (controllers):
|
|
|
+ - If the controller claimed responsibility for a stream, but that
|
|
|
+ stream never finished making its connection, it would live
|
|
|
+ forever in circuit_wait state. Now we close it after SocksTimeout
|
|
|
+ seconds. Bugfix on 0.1.2.7-alpha; reported by Mike Perry.
|
|
|
+ - Make DNS resolved controller events into "CLOSED", not
|
|
|
+ "FAILED". Bugfix on 0.1.2.5-alpha. Fix by Robert Hogan. Resolves
|
|
|
+ bug 807.
|
|
|
+ - The control port would close the connection before flushing long
|
|
|
+ replies, such as the network consensus, if a QUIT command was issued
|
|
|
+ before the reply had completed. Now, the control port flushes all
|
|
|
+ pending replies before closing the connection. Also fix a spurious
|
|
|
+ warning when a QUIT command is issued after a malformed or rejected
|
|
|
+ AUTHENTICATE command, but before the connection was closed. Patch
|
|
|
+ by Marcus Griep. Fixes bugs 1015 and 1016.
|
|
|
+ - Fix a bug that made stream bandwidth get misreported to the
|
|
|
+ controller.
|
|
|
+
|
|
|
+ o Deprecated and removed features:
|
|
|
+ - The old "tor --version --version" command, which would print out
|
|
|
+ the subversion "Id" of most of the source files, is now removed. It
|
|
|
+ turned out to be less useful than we'd expected, and harder to
|
|
|
+ maintain.
|
|
|
+ - RedirectExits has been removed. It was deprecated since
|
|
|
+ 0.2.0.3-alpha.
|
|
|
+ - Finally remove deprecated "EXTENDED_FORMAT" controller feature. It
|
|
|
+ has been called EXTENDED_EVENTS since 0.1.2.4-alpha.
|
|
|
+ - Cell pools are now always enabled; --disable-cell-pools is ignored.
|
|
|
+ - Directory mirrors no longer fetch the v1 directory or
|
|
|
+ running-routers files. They are obsolete, and nobody asks for them
|
|
|
+ anymore. This is the first step to making v1 authorities obsolete.
|
|
|
+ - Take out the TestVia config option, since it was a workaround for
|
|
|
+ a bug that was fixed in Tor 0.1.1.21.
|
|
|
+ - Mark RendNodes, RendExcludeNodes, HiddenServiceNodes, and
|
|
|
+ HiddenServiceExcludeNodes as obsolete: they never worked properly,
|
|
|
+ and nobody seems to be using them. Fixes bug 754. Bugfix on
|
|
|
+ 0.1.0.1-rc. Patch from Christian Wilms.
|
|
|
+ - Remove all backward-compatibility code for relays running
|
|
|
+ versions of Tor so old that they no longer work at all on the
|
|
|
+ Tor network.
|
|
|
+
|
|
|
+ o Code simplifications and refactoring:
|
|
|
+ - Tool-assisted documentation cleanup. Nearly every function or
|
|
|
+ static variable in Tor should have its own documentation now.
|
|
|
+ - Rename the confusing or_is_obsolete field to the more appropriate
|
|
|
+ is_bad_for_new_circs, and move it to or_connection_t where it
|
|
|
+ belongs.
|
|
|
+ - Move edge-only flags from connection_t to edge_connection_t: not
|
|
|
+ only is this better coding, but on machines of plausible alignment,
|
|
|
+ it should save 4-8 bytes per connection_t. "Every little bit helps."
|
|
|
+ - Rename ServerDNSAllowBrokenResolvConf to ServerDNSAllowBrokenConfig
|
|
|
+ for consistency; keep old option working for backward compatibility.
|
|
|
+ - Simplify the code for finding connections to use for a circuit.
|
|
|
+ - Revise the connection_new functions so that a more typesafe variant
|
|
|
+ exists. This will work better with Coverity, and let us find any
|
|
|
+ actual mistakes we're making here.
|
|
|
+ - Refactor unit testing logic so that dmalloc can be used sensibly
|
|
|
+ with unit tests to check for memory leaks.
|
|
|
+ - Move all hidden-service related fields from connection and circuit
|
|
|
+ structure to substructures: this way they won't eat so much memory.
|
|
|
+ - Squeeze 2-5% out of client performance (according to oprofile) by
|
|
|
+ improving the implementation of some policy-manipulation functions.
|
|
|
+ - Change the implementation of ExcludeNodes and ExcludeExitNodes to
|
|
|
+ be more efficient. Formerly it was quadratic in the number of
|
|
|
+ servers; now it should be linear. Fixes bug 509.
|
|
|
+ - Save 16-22 bytes per open circuit by moving the n_addr, n_port,
|
|
|
+ and n_conn_id_digest fields into a separate structure that's
|
|
|
+ only needed when the circuit has not yet attached to an n_conn.
|
|
|
+ - Optimize out calls to time(NULL) that occur for every IO operation,
|
|
|
+ or for every cell. On systems like Windows where time() is a
|
|
|
+ slow syscall, this fix will be slightly helpful.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.2.0.35 - 2009-06-24
|
|
|
+ o Security fix:
|
|
|
+ - Avoid crashing in the presence of certain malformed descriptors.
|
|
|
+ Found by lark, and by automated fuzzing.
|
|
|
+ - Fix an edge case where a malicious exit relay could convince a
|
|
|
+ controller that the client's DNS question resolves to an internal IP
|
|
|
+ address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
|
|
|
+
|
|
|
+ o Major bugfixes:
|
|
|
+ - Finally fix the bug where dynamic-IP relays disappear when their
|
|
|
+ IP address changes: directory mirrors were mistakenly telling
|
|
|
+ them their old address if they asked via begin_dir, so they
|
|
|
+ never got an accurate answer about their new address, so they
|
|
|
+ just vanished after a day. For belt-and-suspenders, relays that
|
|
|
+ don't set Address in their config now avoid using begin_dir for
|
|
|
+ all direct connections. Should fix bugs 827, 883, and 900.
|
|
|
+ - Fix a timing-dependent, allocator-dependent, DNS-related crash bug
|
|
|
+ that would occur on some exit nodes when DNS failures and timeouts
|
|
|
+ occurred in certain patterns. Fix for bug 957.
|
|
|
+
|
|
|
+ o Minor bugfixes:
|
|
|
+ - When starting with a cache over a few days old, do not leak
|
|
|
+ memory for the obsolete router descriptors in it. Bugfix on
|
|
|
+ 0.2.0.33; fixes bug 672.
|
|
|
+ - Hidden service clients didn't use a cached service descriptor that
|
|
|
+ was older than 15 minutes, but wouldn't fetch a new one either,
|
|
|
+ because there was already one in the cache. Now, fetch a v2
|
|
|
+ descriptor unless the same descriptor was added to the cache within
|
|
|
+ the last 15 minutes. Fixes bug 997; reported by Marcus Griep.
|
|
|
+
|
|
|
+
|
|
|
Changes in version 0.2.0.34 - 2009-02-08
|
|
|
Tor 0.2.0.34 features several more security-related fixes. You should
|
|
|
upgrade, especially if you run an exit relay (remote crash) or a
|
Peter Palfrader