TODO
Legend:
SPEC!!  - Not specified
SPEC    - Spec not finalized
NICK    - nick claims
ARMA    - arma claims
        - Not done
        * Top priority
        . Partially done
        o Done
        D Deferred
        X Abandoned

For 0.0.2pre17:
        o Put a H(K | handshake) into the onionskin response
        o Make cells 512 bytes
        o Reduce streamid footprint from 7 bytes to 2 bytes
        X Check for collisions in streamid (now possible with
          just 2 bytes), and back up & replace with padding if so
        o Use the 4 reserved bytes in each cell header to keep 1/5
          of a sha1 of the ongoing relay payload (move into stream header)
        o Move length into the stream header too
        o Make length 2 bytes
        D increase DH key length
        D increase RSA key length
        D Spec the stream_id stuff. Clarify that nobody on the backward
          stream should look at stream_id.

Cell:
  ACI (anonymous circuit identifier) [2 bytes]
  Command [1 byte]
  Payload (padded with 0 bytes) [509 bytes]

Relay payload:
  Relay command [1 byte]
  Stream ID [7 bytes]
  Partial SHA-1 [4 bytes]
  Length [2 bytes]
  Relay payload [495 bytes]
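The cell and relay-payload layouts above add up exactly (2 + 1 + 509 = 512, and 1 + 7 + 4 + 2 + 495 = 509), which is what a packer and parser must enforce. The following is an added example written for this page, not code from the Tor source: it packs and unpacks the 512-byte cell and the relay sub-header described above, and rejects a Length field that claims more than the 495 bytes that actually follow it. It assumes big-endian (network) byte order for the two-byte ACI and Length fields, which the list above does not state, and the command values and sample bytes in the demo functions are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Sizes taken from the layout above. */
#define CELL_LEN          512
#define CELL_PAYLOAD_LEN  509
#define STREAM_ID_LEN     7
#define INTEGRITY_LEN     4    /* partial SHA-1 */
#define RELAY_HEADER_LEN  14   /* 1 + 7 + 4 + 2 */
#define RELAY_PAYLOAD_LEN 495  /* 509 - 14 */

typedef struct {
    uint16_t aci;                       /* anonymous circuit identifier */
    uint8_t  command;
    uint8_t  payload[CELL_PAYLOAD_LEN]; /* zero-padded */
} cell_t;

typedef struct {
    uint8_t  relay_command;
    uint8_t  stream_id[STREAM_ID_LEN];
    uint8_t  integrity[INTEGRITY_LEN];
    uint16_t length;                    /* bytes of data that are meaningful */
    const uint8_t *data;                /* points into the owning cell's payload */
} relay_header_t;

/* Serialize a cell to its 512-byte wire form (assumed big-endian ACI). */
void cell_pack(uint8_t out[CELL_LEN], const cell_t *c) {
    out[0] = (uint8_t)(c->aci >> 8);
    out[1] = (uint8_t)(c->aci & 0xff);
    out[2] = c->command;
    memcpy(out + 3, c->payload, CELL_PAYLOAD_LEN);
}

/* Parse the 512-byte wire form back into a cell_t. */
void cell_unpack(cell_t *c, const uint8_t in[CELL_LEN]) {
    c->aci = (uint16_t)((in[0] << 8) | in[1]);
    c->command = in[2];
    memcpy(c->payload, in + 3, CELL_PAYLOAD_LEN);
}

/* Fill a cell's payload with a relay header and data.
 * Returns -1 if data_len exceeds the 495 bytes available. */
int relay_pack(cell_t *c, uint8_t relay_command,
               const uint8_t stream_id[STREAM_ID_LEN],
               const uint8_t integrity[INTEGRITY_LEN],
               const uint8_t *data, size_t data_len) {
    if (data_len > RELAY_PAYLOAD_LEN) return -1;
    memset(c->payload, 0, CELL_PAYLOAD_LEN);       /* "padded with 0 bytes" */
    c->payload[0] = relay_command;
    memcpy(c->payload + 1, stream_id, STREAM_ID_LEN);
    memcpy(c->payload + 8, integrity, INTEGRITY_LEN);
    c->payload[12] = (uint8_t)(data_len >> 8);
    c->payload[13] = (uint8_t)(data_len & 0xff);
    memcpy(c->payload + RELAY_HEADER_LEN, data, data_len);
    return 0;
}

/* Parse the relay header out of a cell payload.
 * A Length larger than the space that follows the header is a malformed
 * cell; refusing it keeps later code from reading past the payload. */
int relay_unpack(relay_header_t *h, const cell_t *c) {
    h->relay_command = c->payload[0];
    memcpy(h->stream_id, c->payload + 1, STREAM_ID_LEN);
    memcpy(h->integrity, c->payload + 8, INTEGRITY_LEN);
    h->length = (uint16_t)((c->payload[12] << 8) | c->payload[13]);
    if (h->length > RELAY_PAYLOAD_LEN) return -1;
    h->data = c->payload + RELAY_HEADER_LEN;
    return 0;
}

/* Round-trip a constructed relay cell through the wire form.
 * Returns 1 when every field survives, 0 otherwise. */
int relay_roundtrip_demo(void) {
    static const uint8_t stream_id[STREAM_ID_LEN] = {1, 2, 3, 4, 5, 6, 7};  /* constructed */
    static const uint8_t integrity[INTEGRITY_LEN] = {0xde, 0xad, 0xbe, 0xef}; /* constructed */
    static const uint8_t msg[] = "constructed sample data";
    cell_t c, back;
    uint8_t wire[CELL_LEN];
    relay_header_t h;
    memset(&c, 0, sizeof c);
    c.aci = 0x1234;   /* constructed */
    c.command = 3;    /* hypothetical "relay" command value */
    if (relay_pack(&c, 2, stream_id, integrity, msg, sizeof msg - 1) != 0) return 0;
    cell_pack(wire, &c);
    cell_unpack(&back, wire);
    if (relay_unpack(&h, &back) != 0) return 0;
    return back.aci == 0x1234 && back.command == 3 && h.relay_command == 2
        && h.length == sizeof msg - 1
        && memcmp(h.data, msg, h.length) == 0
        && memcmp(h.stream_id, stream_id, STREAM_ID_LEN) == 0
        && memcmp(h.integrity, integrity, INTEGRITY_LEN) == 0;
}

/* A Length of 496 cannot fit after a 14-byte header in a 509-byte payload.
 * Returns 1 when the parser refuses the cell. */
int relay_rejects_oversized_length(void) {
    cell_t c;
    relay_header_t h;
    memset(&c, 0, sizeof c);
    c.payload[12] = 0x01;
    c.payload[13] = 0xf0;  /* 0x01f0 = 496 */
    return relay_unpack(&h, &c) == -1;
}

int main(void) {
    printf("round trip: %s\n", relay_roundtrip_demo() ? "ok" : "FAIL");
    printf("oversized length rejected: %s\n",
           relay_rejects_oversized_length() ? "ok" : "FAIL");
    return 0;
}
```

The Length check in relay_unpack is the part worth copying: the field is attacker-controlled on the wire, so the parser bounds it against the fixed payload size before handing out a data pointer, rather than trusting it.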
For 0.0.2pre15:
        o don't pick exit nodes which will certainly reject all things.
        o don't pick nodes that the directory says are down
        o choose randomly from running dirservers, not just first one
        o install the man page
        o warn when client-side tries an address/port which no router in the dir accepts.

For 0.0.2pre14:
        o More flexible exit policies (18.*, 18.0.0.0/8)
        o Work to succeed in the presence of exit policy violation
          o Replace desired_path_len with opaque path-selection specifier
          o Client-side DNS caching
            o Add entries to client DNS cache based on END cells
            o Remove port from END_REASON_EXITPOLICY cells
          o Start building new circuits when we get an exit-policy
            failure. (Defer exiting from the middle of existing
            circuits or extending existing circuits for later.)
          o Implement function to check whether a routerinfo_t
            supports a given exit addr.
          o Choose the exit node of an in-progress circuit based on
            pending AP connections.
          o Choose the exit node _first_, then beginning, then
            middle nodes.

Short-term:
        - improve how it behaves when i remove a line from the approved-routers files
        - Make tls connections tls_close intentionally
        o Rename ACI to circID
        . integrate rep_ok functions, see what breaks
        - update tor faq
        o obey SocksBindAddress, ORBindAddress
        o warn if we're running as root
        o make connection_flush_buf() more obviously obsolete
        o let hup reread the config file, eg so we can get new exit
          policies without restarting
        o Put recommended_versions in a config entry
        X use times(2) rather than gettimeofday to measure how long it
          takes to process a cell
        o Separate trying to rebuild a circuit because you have none from trying
          to rebuild a circuit because the current one is stale
        X Continue reading from socks port even while waiting for connect.
        o Exit policies
          o Spec how to write the exit policies
        o Path selection algorithms
          o Choose path more incrementally
          o Let user request first/last node
          o And disallow certain nodes
          D Choose path by jurisdiction, etc?
        o Make relay end cells have failure status and payload attached
        X let non-approved routers handshake.
        - Dirserver shouldn't put you in running-routers list if you haven't
          uploaded a descriptor recently
        . migrate to using nickname rather than addr:port for routers
          o decide_aci_type
          - generate onion skins
          - circuit_send_next_onion_skin
          - circuit_extend
          - onion_generate_cpath
          - get_unique_aci_by_addr_port
          - circ->n_addr and circ->n_port
          - circuit_enumerate_by_naddr_nport
          - cpath layers
          - connection_or_connect
          - connection_exact_get_by_addr_port
          - connection_twin_get_by_addr_port
          - router_get_by_addr_port
          - connection_or_init_conn_from_router
          - tag_pack, tag_unpack, connection_cpu_process_inbuf
          - directory_initiate_command
        . Move from onions to ephemeral DH
          o incremental path building
          o transition circuit-level sendmes to hop-level sendmes
          o implement truncate, truncated
          o move from 192byte DH to 128byte DH, so it isn't so damn slow
          - exiting from not-last hop
            - OP logic to decide to extend/truncate a path
            - make sure exiting from the not-last hop works
            - logic to find last *open* hop, not last hop, in cpath
          o Remember address and port when beginning.
          - Extend by nickname/hostname/something, not by IP.
          - Need a relay teardown cell, separate from one-way ends.
        - remove per-connection rate limiting
        - Make it harder to circumvent bandwidth caps: look at number of bytes
          sent across sockets, not number sent inside TLS stream.
        - make 'make test' exit(1) if a test fails.
        - fix buffer unit test so it passes

On-going
        . Better comments for functions!
        . Go through log messages, reduce confusing error messages.
        . make the logs include more info (fd, etc)
        . Unit tests
        . Update the spec so it matches the code

Mid-term:
        - Rotate tls-level connections -- make new ones, expire old ones.
          So we get actual key rotation, not just symmetric key rotation
        o Are there anonymity issues with sequential streamIDs? Sequential
          circIDs? Eg an attacker can learn how many there have been.
          The fix is to initialize them randomly rather than at 1.
        - Look at having smallcells and largecells
        . Redo scheduler
          o fix SSL_read bug for buffered records
          - make round-robining more fair
        - What happens when a circuit's length is 1? What breaks?
        . streams / circuits
          o Implement streams
          o Rotate circuits after N minutes?
          X Circuits should expire when circuit->expire triggers
NICK    . Handle half-open connections
          o openssh is an application that uses half-open connections
          o Figure out what causes connections to close, standardize
            when we mark a connection vs when we tear it down
          o Look at what ssl does to keep from mutating data streams
        o Put CPU workers in separate processes
          o Handle multiple cpu workers (one for each cpu, plus one)
          o Queue for pending tasks if all workers full
          o Support the 'process this onion' task
          D Merge dnsworkers and cpuworkers to some extent
          o Handle cpuworkers dying
        . Scrubbing proxies
          - Find an smtp proxy?
            - Check the old smtp proxy code
          o Find an ftp proxy? wget --passive
          D Wait until there are packet redirectors for Linux
        . Get socks4a support into Mozilla
        . Develop rendezvous points
          X Handle socks commands other than connect, eg, bind?
          o Design
          - Spec
          - Implement
        . Tests
          o Testing harness/infrastructure
          D System tests (how?)
          - Performance tests, so we know when we've improved
            . webload infrastructure (Bruce)
            . httperf infrastructure (easy to set up)
            . oprofile (installed in RH >8.0)
NICK    . Daemonize and package
          o Teach it to fork and background
          - Red Hat spec file
          - Debian spec file equivalent
        . Portability
          . Which .h files are we actually using?
          . Port to:
            o Linux
            o BSD
            . Solaris
            o Cygwin
            . Win32
            o OS X
          - deal with pollhup / reached_eof on all platforms
          o openssl randomness
          o inet_ntoa
          o stdint.h
        - Make a script to set up a local network on your machine
        o More flexibility in node addressing
          D Support IPv6 rather than just 4
          o Handle multihomed servers (config variable to set IP)

In the distant future:
        D Load balancing between router twins
          D Keep track of load over links/nodes, to
            know who's hosed
SPEC!!  D Non-clique topologies
        D Implement our own memory management, at least for common structs
          (Not ever necessary?)
        D Advanced directory servers
          D Automated reputation management
SPEC!!  D Figure out how to do threshold directory servers
        D jurisdiction info in dirserver entries? other info?

Older (done) todo stuff:
        o Get tor to act like a socks server
          o socks4, socks4a
          o socks5
        o routers have identity key, link key, onion key.
          o link key certs are
            D signed by identity key
            D not in descriptor
            o not in config
            D not on disk
          o identity and onion keys are in descriptor (and disk)
          o upon boot, if it doesn't find identity key, generate it and write it.
          o also write a file with the identity key fingerprint in it
        o router generates descriptor: flesh out router_get_my_descriptor()
          o Routers sign descriptors with identity key
          o routers put version number in descriptor
          o routers should maybe have `uname -a` in descriptor?
        o Give nicknames to routers
          o in config
          o in descriptors
        o router posts descriptor
          o when it boots
          o every DirFetchPostPeriod seconds
          D when it changes
        o change tls stuff so certs don't get written to disk, or read from disk
        o make directory.c 'thread'safe
        o dirserver parses descriptor
          o dirserver checks signature
          D client checks signature?
          o dirserver writes directory to file
          o reads that file upon boot
        o directory includes all routers, up and down
          o add "up" line to directory, listing nicknames
        o instruments ORs to report stats
          o average cell fullness
          o average bandwidth used
        o configure log files. separate log file, separate severities.
        o what assumptions break if we fclose(0) when we daemonize?
        o make buffer struct elements opaque outside buffers.c
        o add log convention to the HACKING file
        o make 'make install' do the right thing
        o change binary name to tor
        o change config files so you look at commandline, else look in
          /etc/torrc. no cascading.
        o have an absolute datadir with fixed names for files, and fixed-name
          keydir under that with fixed names
        o Move (most of) the router/directory code out of main.c
        o Simple directory servers
          o Include key in source; sign directories
          o Signed directory backend
          o Document
          o Integrate
        o Add versions to code
          o Have directories list recommended-versions
            o Include line in directories
            o Check for presence of line.
            o Quit if running the wrong version
              o Command-line option to override quit
        o Add more information to directory server entries
          o Exit policies
        o Clearer bandwidth management
          o Do we want to remove bandwidth from OR handshakes?
          o What about OP handshakes?
        X Move away from openssl
          o Abstract out crypto calls
          X Look at nss, others? Just include code?
        o Use a stronger cipher
          o aes now, by including the code ourselves
        X On the fly compression of each stream
        o Clean up the event loop (optimize and sanitize)
        o Remove that awful concept of 'roles'
        o Terminology
          o Circuits, topics, cells stay named that
          o 'Connection' gets divided, or renamed, or something?
        o DNS farm
          o Distribute queries onto the farm, get answers
          o Preemptively grow a new worker before he's needed
          o Prune workers when too many are idle
          o DNS cache
            o Clear DNS cache over time
            D Honor DNS TTL info (how??)
          o Have strategy when all workers are busy
          o Keep track of which connections are in dns_wait
          o Need to cache positives/negatives on the tor side
          o Keep track of which queries have been asked
          o Better error handling when
            o An address doesn't resolve
            o We have max workers running
          o Consider taking the master out of the loop?
        X Implement reply onions
        o Total rate limiting
        o Look at OR handshake in more detail
          o Spec it
          o Merge OR and OP handshakes
          o rearrange connection_or so it doesn't suck so much to read
          D Periodic link key rotation. Spec?
        o wrap malloc with something that explodes when it fails
        o Clean up the number of places that get to look at prkey
  297. D Periodic link key rotation. Spec?
  298. o wrap malloc with something that explodes when it fails
  299. o Clean up the number of places that get to look at prkey