123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270327132723273327432753276327732783279328032813282328332843285328632873288328932903291329232933294329532963297329832993300330133023303330433053306330733083309331033113312331333143315331633173318331933203321332233233324332533263327332833293330333133323333333433353336333733383339334033413342334333443345334633473348334933503351335233533354335533563357335833593360336133623363336433653366336733683369337033713372337333743375337633773378337933803381338233833384338533863387338833893390339133923393339433953396339733983399340034013402340334043405340634073408340934103411341234133414341534163417341834193420342134223423342434253426342734283429343034313432343334343435343634373438343934403441344234433444344534463447344834493450345134523453345434553456345734583459346034613462346334643465346634673468346934703471347234733474347534763477347834793480348134823483348434853486348734883489349034913492349334943495349634973498349935003501350235033504350535063507350835093510351135123513351435153516351735183519352035213522352335243525352635273528352935303531353235333534353535363537353835393540354135423543354435453546354735483549355035513552355335543555355635573558355935603561356235633564356535663567356835693570357135723573357435753576357735783579358035813582358335843585358635873588358935903591359235933594359535963597359835993600360136023603360436053606360736083609361036113612361336143615361636173618361936203621362236233624362536263627362836293630363136323633363436353636363736383639364036413642364336443645364636473648364936503651365236533654365536563657365836593660366136623663366436653666366736683669367036713672367336743675367636773678367936803681368236833684368536863687368836893690369136923693369436953696369736983699370037013702370337043705370637073708370937103711371237133714371537163717371837193720372137223723372437253726372737283729373037313732373337343735373637373738373937403741374237433744374537463747374837493750375137523753375437553756375737583759376037613762376337643765376637673768376937703771377237733774377537763777377837793780378137823783378437853786378737883789379037913792379337943795379637973798379938003801380238033804380538063807380838093810381138123813381438153816381738183819382038213822382338243825382638273828382938303831383238333834383538363837383838393840384138423843384438453846384738483849385038513852385338543855385638573858385938603861386238633864386538663867386838693870387138723873387438753876387738783879388038813882388338843885388638873888388938903891389238933894389538963897389838993900390139023903390439053906390739083909391039113912391339143915391639173918391939203921392239233924392539263927392839293930393139323933393439353936393739383939394039413942394339443945394639473948394939503951395239533954395539563957395839593960396139623963396439653966396739683969397039713972397339743975397639773978397939803981398239833984398539863987398839893990399139923993399439953996399739983999400040014002400340044005400640074008400940104011401240134014401540164017401840194020402140224023402440254026402740284029403040314032403340344035403640374038403940404041404240434044404540464047404840494050405140524053405440554056405740584059406040614062406340644065406640674068406940704071407240734074407540764077407840794080408140824083408440854086408740884089409040914092409340944095409640974098409941004101410241034104410541064107410841094110411141124113411441154116411741184119412041214122412341244125412641274128412941304131413241334134413541364137413841394140414141424143414441454146414741484149415041514152415341544155415641574158415941604161416241634164416541664167416841694170417141724173417441754176417741784179418041814182418341844185418641874188418941904191419241934194419541964197419841994200420142024203420442054206420742084209421042114212421342144215421642174218421942204221422242234224422542264227422842294230423142324233423442354236423742384239424042414242424342444245424642474248424942504251425242534254425542564257425842594260426142624263426442654266426742684269427042714272427342744275427642774278427942804281428242834284428542864287428842894290429142924293429442954296429742984299430043014302430343044305430643074308430943104311431243134314431543164317431843194320432143224323432443254326432743284329433043314332433343344335433643374338433943404341434243434344434543464347434843494350435143524353435443554356435743584359436043614362436343644365436643674368436943704371437243734374437543764377437843794380438143824383438443854386438743884389439043914392439343944395439643974398439944004401440244034404440544064407440844094410441144124413441444154416441744184419442044214422442344244425442644274428442944304431443244334434443544364437443844394440444144424443444444454446444744484449445044514452445344544455445644574458445944604461446244634464446544664467446844694470447144724473447444754476447744784479448044814482448344844485448644874488448944904491449244934494449544964497449844994500450145024503450445054506450745084509451045114512451345144515451645174518451945204521452245234524452545264527452845294530453145324533453445354536453745384539454045414542454345444545454645474548454945504551455245534554455545564557455845594560456145624563456445654566456745684569457045714572457345744575457645774578457945804581458245834584458545864587458845894590459145924593459445954596459745984599460046014602460346044605460646074608460946104611461246134614461546164617461846194620462146224623462446254626462746284629463046314632463346344635463646374638463946404641464246434644464546464647464846494650465146524653465446554656465746584659466046614662466346644665466646674668466946704671467246734674467546764677467846794680468146824683468446854686468746884689469046914692469346944695469646974698469947004701470247034704470547064707470847094710471147124713471447154716471747184719472047214722472347244725472647274728472947304731473247334734473547364737473847394740474147424743474447454746474747484749475047514752475347544755475647574758475947604761476247634764476547664767476847694770477147724773477447754776477747784779478047814782478347844785478647874788478947904791479247934794479547964797479847994800480148024803480448054806480748084809481048114812481348144815481648174818481948204821482248234824482548264827482848294830483148324833483448354836483748384839484048414842484348444845484648474848484948504851485248534854485548564857485848594860486148624863486448654866486748684869487048714872487348744875487648774878487948804881488248834884488548864887488848894890489148924893489448954896489748984899490049014902490349044905490649074908490949104911491249134914491549164917491849194920492149224923492449254926492749284929493049314932493349344935493649374938493949404941494249434944494549464947494849494950495149524953495449554956495749584959496049614962496349644965496649674968496949704971497249734974497549764977497849794980498149824983498449854986498749884989499049914992499349944995499649974998499950005001500250035004500550065007500850095010501150125013501450155016501750185019502050215022502350245025502650275028502950305031503250335034503550365037503850395040504150425043504450455046504750485049505050515052505350545055505650575058505950605061506250635064506550665067506850695070507150725073507450755076507750785079508050815082508350845085508650875088508950905091509250935094509550965097509850995100510151025103510451055106510751085109511051115112511351145115511651175118511951205121512251235124512551265127512851295130513151325133513451355136513751385139514051415142514351445145514651475148514951505151515251535154515551565157515851595160516151625163516451655166516751685169517051715172517351745175517651775178517951805181518251835184518551865187518851895190519151925193519451955196519751985199520052015202520352045205520652075208520952105211521252135214521552165217521852195220522152225223522452255226522752285229523052315232523352345235523652375238523952405241524252435244524552465247524852495250525152525253525452555256525752585259526052615262526352645265526652675268526952705271527252735274527552765277527852795280528152825283528452855286528752885289529052915292529352945295529652975298529953005301530253035304530553065307530853095310531153125313531453155316531753185319532053215322532353245325532653275328532953305331533253335334533553365337533853395340534153425343534453455346534753485349535053515352535353545355535653575358535953605361536253635364536553665367536853695370537153725373537453755376537753785379538053815382538353845385538653875388538953905391539253935394539553965397539853995400540154025403540454055406540754085409541054115412541354145415541654175418541954205421542254235424542554265427542854295430543154325433543454355436543754385439544054415442544354445445544654475448544954505451545254535454545554565457545854595460546154625463546454655466546754685469547054715472547354745475547654775478547954805481548254835484548554865487548854895490549154925493549454955496549754985499550055015502550355045505550655075508550955105511551255135514551555165517551855195520552155225523552455255526552755285529553055315532553355345535553655375538553955405541554255435544554555465547554855495550555155525553555455555556555755585559556055615562556355645565556655675568556955705571557255735574557555765577557855795580558155825583558455855586558755885589559055915592559355945595559655975598559956005601560256035604560556065607560856095610561156125613561456155616561756185619562056215622562356245625562656275628562956305631563256335634563556365637563856395640564156425643564456455646564756485649565056515652565356545655565656575658565956605661566256635664566556665667566856695670567156725673567456755676567756785679568056815682568356845685568656875688568956905691569256935694569556965697569856995700570157025703570457055706570757085709571057115712571357145715571657175718571957205721572257235724572557265727572857295730573157325733573457355736573757385739574057415742574357445745574657475748574957505751575257535754575557565757575857595760576157625763576457655766576757685769577057715772577357745775577657775778577957805781578257835784578557865787578857895790579157925793579457955796579757985799580058015802580358045805580658075808580958105811581258135814581558165817581858195820582158225823582458255826582758285829583058315832583358345835583658375838583958405841584258435844584558465847584858495850585158525853585458555856585758585859586058615862586358645865586658675868586958705871587258735874587558765877587858795880588158825883588458855886588758885889589058915892589358945895589658975898589959005901590259035904590559065907590859095910591159125913591459155916591759185919592059215922592359245925592659275928592959305931593259335934593559365937593859395940594159425943594459455946594759485949595059515952595359545955595659575958595959605961596259635964596559665967596859695970597159725973597459755976597759785979598059815982598359845985598659875988598959905991599259935994599559965997599859996000600160026003600460056006600760086009601060116012601360146015601660176018601960206021602260236024602560266027602860296030603160326033603460356036603760386039604060416042604360446045604660476048604960506051605260536054605560566057605860596060606160626063606460656066606760686069607060716072607360746075607660776078607960806081608260836084608560866087608860896090609160926093609460956096609760986099610061016102610361046105610661076108610961106111611261136114611561166117611861196120612161226123612461256126612761286129613061316132613361346135613661376138613961406141614261436144614561466147614861496150615161526153615461556156615761586159616061616162616361646165616661676168616961706171617261736174617561766177617861796180618161826183618461856186618761886189619061916192619361946195619661976198619962006201620262036204620562066207620862096210621162126213621462156216621762186219622062216222622362246225622662276228622962306231623262336234623562366237623862396240624162426243624462456246624762486249625062516252625362546255625662576258625962606261626262636264626562666267626862696270627162726273627462756276627762786279628062816282628362846285628662876288628962906291629262936294629562966297629862996300630163026303630463056306630763086309631063116312631363146315631663176318631963206321632263236324632563266327632863296330633163326333633463356336633763386339634063416342634363446345634663476348634963506351635263536354635563566357635863596360636163626363636463656366636763686369637063716372637363746375637663776378637963806381638263836384638563866387638863896390639163926393639463956396639763986399640064016402640364046405640664076408640964106411641264136414641564166417641864196420642164226423642464256426642764286429643064316432643364346435643664376438643964406441644264436444644564466447644864496450645164526453645464556456645764586459646064616462646364646465646664676468646964706471647264736474647564766477647864796480648164826483648464856486648764886489649064916492649364946495649664976498649965006501650265036504650565066507650865096510651165126513651465156516651765186519652065216522652365246525652665276528652965306531653265336534653565366537653865396540654165426543654465456546654765486549655065516552655365546555655665576558655965606561656265636564656565666567656865696570657165726573657465756576657765786579658065816582658365846585658665876588658965906591659265936594659565966597659865996600660166026603660466056606660766086609661066116612661366146615661666176618661966206621662266236624662566266627662866296630663166326633663466356636663766386639664066416642664366446645664666476648664966506651665266536654665566566657665866596660666166626663666466656666666766686669667066716672667366746675667666776678667966806681668266836684668566866687668866896690669166926693669466956696669766986699670067016702670367046705670667076708670967106711671267136714671567166717671867196720672167226723672467256726672767286729673067316732673367346735673667376738673967406741674267436744674567466747674867496750675167526753675467556756675767586759676067616762676367646765676667676768 |
- This document summarizes new features and bugfixes in each stable release
- of Tor. If you want to see more detailed descriptions of the changes in
- each development snapshot, see the ChangeLog file.
- Changes in version 0.2.2.34 - 2011-10-26
- Tor 0.2.2.34 fixes a critical anonymity vulnerability where an attacker
- can deanonymize Tor users. Everybody should upgrade.
- The attack relies on four components: 1) Clients reuse their TLS cert
- when talking to different relays, so relays can recognize a user by
- the identity key in her cert. 2) An attacker who knows the client's
- identity key can probe each guard relay to see if that identity key
- is connected to that guard relay right now. 3) A variety of active
- attacks in the literature (starting from "Low-Cost Traffic Analysis
- of Tor" by Murdoch and Danezis in 2005) allow a malicious website to
- discover the guard relays that a Tor user visiting the website is using.
- 4) Clients typically pick three guards at random, so the set of guards
- for a given user could well be a unique fingerprint for her. This
- release fixes components #1 and #2, which is enough to block the attack;
- the other two remain as open research problems. Special thanks to
- "frosty_un" for reporting the issue to us!
- Clients should upgrade so they are no longer recognizable by the TLS
- certs they present. Relays should upgrade so they no longer allow a
- remote attacker to probe them to test whether unpatched clients are
- currently connected to them.
- This release also fixes several vulnerabilities that allow an attacker
- to enumerate bridge relays. Some bridge enumeration attacks still
- remain; see for example proposal 188.
- o Privacy/anonymity fixes (clients):
- - Clients and bridges no longer send TLS certificate chains on
- outgoing OR connections. Previously, each client or bridge
- would use the same cert chain for all outgoing OR connections
- for up to 24 hours, which allowed any relay that the client or
- bridge contacted to determine which entry guards it is using.
- Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un".
- - If a relay receives a CREATE_FAST cell on a TLS connection, it
- no longer considers that connection as suitable for satisfying a
- circuit EXTEND request. Now relays can protect clients from the
- CVE-2011-2768 issue even if the clients haven't upgraded yet.
- - Directory authorities no longer assign the Guard flag to relays
- that haven't upgraded to the above "refuse EXTEND requests
- to client connections" fix. Now directory authorities can
- protect clients from the CVE-2011-2768 issue even if neither
- the clients nor the relays have upgraded yet. There's a new
- "GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option
- to let us transition smoothly, else tomorrow there would be no
- guard relays.
- o Privacy/anonymity fixes (bridge enumeration):
- - Bridge relays now do their directory fetches inside Tor TLS
- connections, like all the other clients do, rather than connecting
- directly to the DirPort like public relays do. Removes another
- avenue for enumerating bridges. Fixes bug 4115; bugfix on 0.2.0.35.
- - Bridges relays now build circuits for themselves in a more similar
- way to how clients build them. Removes another avenue for
- enumerating bridges. Fixes bug 4124; bugfix on 0.2.0.3-alpha,
- when bridges were introduced.
- - Bridges now refuse CREATE or CREATE_FAST cells on OR connections
- that they initiated. Relays could distinguish incoming bridge
- connections from client connections, creating another avenue for
- enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha.
- Found by "frosty_un".
- o Major bugfixes:
- - Fix a crash bug when changing node restrictions while a DNS lookup
- is in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix
- by "Tey'".
- - Don't launch a useless circuit after failing to use one of a
- hidden service's introduction points. Previously, we would
- launch a new introduction circuit, but not set the hidden service
- which that circuit was intended to connect to, so it would never
- actually be used. A different piece of code would then create a
- new introduction circuit correctly. Bug reported by katmagic and
- found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug 4212.
- o Minor bugfixes:
- - Change an integer overflow check in the OpenBSD_Malloc code so
- that GCC is less likely to eliminate it as impossible. Patch
- from Mansour Moufid. Fixes bug 4059.
- - When a hidden service turns an extra service-side introduction
- circuit into a general-purpose circuit, free the rend_data and
- intro_key fields first, so we won't leak memory if the circuit
- is cannibalized for use as another service-side introduction
- circuit. Bugfix on 0.2.1.7-alpha; fixes bug 4251.
- - Bridges now skip DNS self-tests, to act a little more stealthily.
- Fixes bug 4201; bugfix on 0.2.0.3-alpha, which first introduced
- bridges. Patch by "warms0x".
- - Fix internal bug-checking logic that was supposed to catch
- failures in digest generation so that it will fail more robustly
- if we ask for a nonexistent algorithm. Found by Coverity Scan.
- Bugfix on 0.2.2.1-alpha; fixes Coverity CID 479.
- - Report any failure in init_keys() calls launched because our
- IP address has changed. Spotted by Coverity Scan. Bugfix on
- 0.1.1.4-alpha; fixes CID 484.
- o Minor bugfixes (log messages and documentation):
- - Remove a confusing dollar sign from the example fingerprint in the
- man page, and also make the example fingerprint a valid one. Fixes
- bug 4309; bugfix on 0.2.1.3-alpha.
- - The next version of Windows will be called Windows 8, and it has
- a major version of 6, minor version of 2. Correctly identify that
- version instead of calling it "Very recent version". Resolves
- ticket 4153; reported by funkstar.
- - Downgrade log messages about circuit timeout calibration from
- "notice" to "info": they don't require or suggest any human
- intervention. Patch from Tom Lowenthal. Fixes bug 4063;
- bugfix on 0.2.2.14-alpha.
- o Minor features:
- - Turn on directory request statistics by default and include them in
- extra-info descriptors. Don't break if we have no GeoIP database.
- Backported from 0.2.3.1-alpha; implements ticket 3951.
- - Update to the October 4 2011 Maxmind GeoLite Country database.
- Changes in version 0.2.1.31 - 2011-10-26
- Tor 0.2.1.31 backports important security and privacy fixes for
- oldstable. This release is intended only for package maintainers and
- others who cannot use the 0.2.2 stable series. All others should be
- using Tor 0.2.2.x or newer.
- o Security fixes (also included in 0.2.2.x):
- - Replace all potentially sensitive memory comparison operations
- with versions whose runtime does not depend on the data being
- compared. This will help resist a class of attacks where an
- adversary can use variations in timing information to learn
- sensitive data. Fix for one case of bug 3122. (Safe memcmp
- implementation by Robert Ransom based partially on code by DJB.)
- - Fix an assert in parsing router descriptors containing IPv6
- addresses. This one took down the directory authorities when
- somebody tried some experimental code. Bugfix on 0.2.1.3-alpha.
- o Privacy/anonymity fixes (also included in 0.2.2.x):
- - Clients and bridges no longer send TLS certificate chains on
- outgoing OR connections. Previously, each client or bridge
- would use the same cert chain for all outgoing OR connections
- for up to 24 hours, which allowed any relay that the client or
- bridge contacted to determine which entry guards it is using.
- Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by frosty_un.
- - If a relay receives a CREATE_FAST cell on a TLS connection, it
- no longer considers that connection as suitable for satisfying a
- circuit EXTEND request. Now relays can protect clients from the
- CVE-2011-2768 issue even if the clients haven't upgraded yet.
- - Bridges now refuse CREATE or CREATE_FAST cells on OR connections
- that they initiated. Relays could distinguish incoming bridge
- connections from client connections, creating another avenue for
- enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha.
- Found by "frosty_un".
- - When receiving a hidden service descriptor, check that it is for
- the hidden service we wanted. Previously, Tor would store any
- hidden service descriptors that a directory gave it, whether it
- wanted them or not. This wouldn't have let an attacker impersonate
- a hidden service, but it did let directories pre-seed a client
- with descriptors that it didn't want. Bugfix on 0.0.6.
- - Avoid linkability based on cached hidden service descriptors: forget
- all hidden service descriptors cached as a client when processing a
- SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6.
- - Make the bridge directory authority refuse to answer directory
- requests for "all" descriptors. It used to include bridge
- descriptors in its answer, which was a major information leak.
- Found by "piebeer". Bugfix on 0.2.0.3-alpha.
- - Don't attach new streams to old rendezvous circuits after SIGNAL
- NEWNYM. Previously, we would keep using an existing rendezvous
- circuit if it remained open (i.e. if it were kept open by a
- long-lived stream, or if a new stream were attached to it before
- Tor could notice that it was old and no longer in use). Bugfix on
- 0.1.1.15-rc; fixes bug 3375.
- o Minor bugfixes (also included in 0.2.2.x):
- - When we restart our relay, we might get a successful connection
- from the outside before we've started our reachability tests,
- triggering a warning: "ORPort found reachable, but I have no
- routerinfo yet. Failing to inform controller of success." This
- bug was harmless unless Tor is running under a controller
- like Vidalia, in which case the controller would never get a
- REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha;
- fixes bug 1172.
- - Build correctly on OSX with zlib 1.2.4 and higher with all warnings
- enabled. Fixes bug 1526.
- - Remove undocumented option "-F" from tor-resolve: it hasn't done
- anything since 0.2.1.16-rc.
- - Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned.
- None of the cases where we did this before were wrong, but by making
- this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28.
- - Fix a rare crash bug that could occur when a client was configured
- with a large number of bridges. Fixes bug 2629; bugfix on
- 0.2.1.2-alpha. Bugfix by trac user "shitlei".
- - Correct the warning displayed when a rendezvous descriptor exceeds
- the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by
- John Brooks.
- - Fix an uncommon assertion failure when running with DNSPort under
- heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha.
- - When warning about missing zlib development packages during compile,
- give the correct package names. Bugfix on 0.2.0.1-alpha.
- - Require that introduction point keys and onion keys have public
- exponent 65537. Bugfix on 0.2.0.10-alpha.
- - Do not crash when our configuration file becomes unreadable, for
- example due to a permissions change, between when we start up
- and when a controller calls SAVECONF. Fixes bug 3135; bugfix
- on 0.0.9pre6.
- - Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option.
- Fixes bug 3208.
- - Always NUL-terminate the sun_path field of a sockaddr_un before
- passing it to the kernel. (Not a security issue: kernels are
- smart enough to reject bad sockaddr_uns.) Found by Coverity;
- CID #428. Bugfix on Tor 0.2.0.3-alpha.
- - Don't stack-allocate the list of supplementary GIDs when we're
- about to log them. Stack-allocating NGROUPS_MAX gid_t elements
- could take up to 256K, which is way too much stack. Found by
- Coverity; CID #450. Bugfix on 0.2.1.7-alpha.
- o Minor bugfixes (only in 0.2.1.x):
- - Resume using micro-version numbers in 0.2.1.x: our Debian packages
- rely on them. Bugfix on 0.2.1.30.
- - Use git revisions instead of svn revisions when generating our
- micro-version numbers. Bugfix on 0.2.1.15-rc; fixes bug 2402.
- o Minor features (also included in 0.2.2.x):
- - Adjust the expiration time on our SSL session certificates to
- better match SSL certs seen in the wild. Resolves ticket 4014.
- - Allow nameservers with IPv6 address. Resolves bug 2574.
- - Update to the October 4 2011 Maxmind GeoLite Country database.
- Changes in version 0.2.2.33 - 2011-09-13
- Tor 0.2.2.33 fixes several bugs, and includes a slight tweak to Tor's
- TLS handshake that makes relays and bridges that run this new version
- reachable from Iran again.
- o Major bugfixes:
- - Avoid an assertion failure when reloading a configuration with
- TrackExitHosts changes. Found and fixed by 'laruldan'. Fixes bug
- 3923; bugfix on 0.2.2.25-alpha.
- o Minor features (security):
- - Check for replays of the public-key encrypted portion of an
- INTRODUCE1 cell, in addition to the current check for replays of
- the g^x value. This prevents a possible class of active attacks
- by an attacker who controls both an introduction point and a
- rendezvous point, and who uses the malleability of AES-CTR to
- alter the encrypted g^x portion of the INTRODUCE1 cell. We think
- that these attacks are infeasible (requiring the attacker to send
- on the order of zettabytes of altered cells in a short interval),
- but we'd rather block them off in case there are any classes of
- this attack that we missed. Reported by Willem Pinckaers.
- o Minor features:
- - Adjust the expiration time on our SSL session certificates to
- better match SSL certs seen in the wild. Resolves ticket 4014.
- - Change the default required uptime for a relay to be accepted as
- a HSDir (hidden service directory) from 24 hours to 25 hours.
- Improves on 0.2.0.10-alpha; resolves ticket 2649.
- - Add a VoteOnHidServDirectoriesV2 config option to allow directory
- authorities to abstain from voting on assignment of the HSDir
- consensus flag. Related to bug 2649.
- - Update to the September 6 2011 Maxmind GeoLite Country database.
- o Minor bugfixes (documentation and log messages):
- - Correct the man page to explain that HashedControlPassword and
- CookieAuthentication can both be set, in which case either method
- is sufficient to authenticate to Tor. Bugfix on 0.2.0.7-alpha,
- when we decided to allow these config options to both be set. Issue
- raised by bug 3898.
- - Demote the 'replay detected' log message emitted when a hidden
- service receives the same Diffie-Hellman public key in two different
- INTRODUCE2 cells to info level. A normal Tor client can cause that
- log message during its normal operation. Bugfix on 0.2.1.6-alpha;
- fixes part of bug 2442.
- - Demote the 'INTRODUCE2 cell is too {old,new}' log message to info
- level. There is nothing that a hidden service's operator can do
- to fix its clients' clocks. Bugfix on 0.2.1.6-alpha; fixes part
- of bug 2442.
- - Clarify a log message specifying the characters permitted in
- HiddenServiceAuthorizeClient client names. Previously, the log
- message said that "[A-Za-z0-9+-_]" were permitted; that could have
- given the impression that every ASCII character between "+" and "_"
- was permitted. Now we say "[A-Za-z0-9+_-]". Bugfix on 0.2.1.5-alpha.
- o Build fixes:
- - Provide a substitute implementation of lround() for MSVC, which
- apparently lacks it. Patch from Gisle Vanem.
- - Clean up some code issues that prevented Tor from building on older
- BSDs. Fixes bug 3894; reported by "grarpamp".
- - Search for a platform-specific version of "ar" when cross-compiling.
- Should fix builds on iOS. Resolves bug 3909, found by Marco Bonetti.
- Changes in version 0.2.2.32 - 2011-08-27
- The Tor 0.2.2 release series is dedicated to the memory of Andreas
- Pfitzmann (1958-2010), a pioneer in anonymity and privacy research,
- a founder of the PETS community, a leader in our field, a mentor,
- and a friend. He left us with these words: "I had the possibility
- to contribute to this world that is not as it should be. I hope I
- could help in some areas to make the world a better place, and that
- I could also encourage other people to be engaged in improving the
- world. Please, stay engaged. This world needs you, your love, your
- initiative -- now I cannot be part of that anymore."
- Tor 0.2.2.32, the first stable release in the 0.2.2 branch, is finally
- ready. More than two years in the making, this release features improved
- client performance and hidden service reliability, better compatibility
- for Android, correct behavior for bridges that listen on more than
- one address, more extensible and flexible directory object handling,
- better reporting of network statistics, improved code security, and
- many many other features and bugfixes.
- o Major features (client performance):
- - When choosing which cells to relay first, relays now favor circuits
- that have been quiet recently, to provide lower latency for
- low-volume circuits. By default, relays enable or disable this
- feature based on a setting in the consensus. They can override
- this default by using the new "CircuitPriorityHalflife" config
- option. Design and code by Ian Goldberg, Can Tang, and Chris
- Alexander.
- - Directory authorities now compute consensus weightings that instruct
- clients how to weight relays flagged as Guard, Exit, Guard+Exit,
- and no flag. Clients use these weightings to distribute network load
- more evenly across these different relay types. The weightings are
- in the consensus so we can change them globally in the future. Extra
- thanks to "outofwords" for finding some nasty security bugs in
- the first implementation of this feature.
- o Major features (client performance, circuit build timeout):
- - Tor now tracks how long it takes to build client-side circuits
- over time, and adapts its timeout to local network performance.
- Since a circuit that takes a long time to build will also provide
- bad performance, we get significant latency improvements by
- discarding the slowest 20% of circuits. Specifically, Tor creates
- circuits more aggressively than usual until it has enough data
- points for a good timeout estimate. Implements proposal 151.
- - Circuit build timeout constants can be controlled by consensus
- parameters. We set good defaults for these parameters based on
- experimentation on broadband and simulated high-latency links.
- - Circuit build time learning can be disabled via consensus parameter
- or by the client via a LearnCircuitBuildTimeout config option. We
- also automatically disable circuit build time calculation if either
- AuthoritativeDirectory is set, or if we fail to write our state
- file. Implements ticket 1296.
- o Major features (relays use their capacity better):
- - Set SO_REUSEADDR socket option on all sockets, not just
- listeners. This should help busy exit nodes avoid running out of
- useable ports just because all the ports have been used in the
- near past. Resolves issue 2850.
- - Relays now save observed peak bandwidth throughput rates to their
- state file (along with total usage, which was already saved),
- so that they can determine their correct estimated bandwidth on
- restart. Resolves bug 1863, where Tor relays would reset their
- estimated bandwidth to 0 after restarting.
- - Lower the maximum weighted-fractional-uptime cutoff to 98%. This
- should give us approximately 40-50% more Guard-flagged nodes,
- improving the anonymity the Tor network can provide and also
- decreasing the dropoff in throughput that relays experience when
- they first get the Guard flag.
- - Directory authorities now take changes in router IP address and
- ORPort into account when determining router stability. Previously,
- if a router changed its IP or ORPort, the authorities would not
- treat it as having any downtime for the purposes of stability
- calculation, whereas clients would experience downtime since the
- change would take a while to propagate to them. Resolves issue 1035.
- - New AccelName and AccelDir options add support for dynamic OpenSSL
- hardware crypto acceleration engines.
- o Major features (relays control their load better):
- - Exit relays now try harder to block exit attempts from unknown
- relays, to make it harder for people to use them as one-hop proxies
- a la tortunnel. Controlled by the refuseunknownexits consensus
- parameter (currently enabled), or you can override it on your
- relay with the RefuseUnknownExits torrc option. Resolves bug 1751;
- based on a variant of proposal 163.
- - Add separate per-conn write limiting to go with the per-conn read
- limiting. We added a global write limit in Tor 0.1.2.5-alpha,
- but never per-conn write limits.
- - New consensus params "bwconnrate" and "bwconnburst" to let us
- rate-limit client connections as they enter the network. It's
- controlled in the consensus so we can turn it on and off for
- experiments. It's starting out off. Based on proposal 163.
- o Major features (controllers):
- - Export GeoIP information on bridge usage to controllers even if we
- have not yet been running for 24 hours. Now Vidalia bridge operators
- can get more accurate and immediate feedback about their
- contributions to the network.
- - Add an __OwningControllerProcess configuration option and a
- TAKEOWNERSHIP control-port command. Now a Tor controller can ensure
- that when it exits, Tor will shut down. Implements feature 3049.
- o Major features (directory authorities):
- - Directory authorities now create, vote on, and serve multiple
- parallel formats of directory data as part of their voting process.
- Partially implements Proposal 162: "Publish the consensus in
- multiple flavors".
- - Directory authorities now agree on and publish small summaries
- of router information that clients can use in place of regular
- server descriptors. This transition will allow Tor 0.2.3 clients
- to use far less bandwidth for downloading information about the
- network. Begins the implementation of Proposal 158: "Clients
- download consensus + microdescriptors".
- - The directory voting system is now extensible to use multiple hash
- algorithms for signatures and resource selection. Newer formats
- are signed with SHA256, with a possibility for moving to a better
- hash algorithm in the future.
- - Directory authorities can now vote on arbitary integer values as
- part of the consensus process. This is designed to help set
- network-wide parameters. Implements proposal 167.
- o Major features and bugfixes (node selection):
- - Revise and reconcile the meaning of the ExitNodes, EntryNodes,
- ExcludeEntryNodes, ExcludeExitNodes, ExcludeNodes, and Strict*Nodes
- options. Previously, we had been ambiguous in describing what
- counted as an "exit" node, and what operations exactly "StrictNodes
- 0" would permit. This created confusion when people saw nodes built
- through unexpected circuits, and made it hard to tell real bugs from
- surprises. Now the intended behavior is:
- . "Exit", in the context of ExitNodes and ExcludeExitNodes, means
- a node that delivers user traffic outside the Tor network.
- . "Entry", in the context of EntryNodes, means a node used as the
- first hop of a multihop circuit. It doesn't include direct
- connections to directory servers.
- . "ExcludeNodes" applies to all nodes.
- . "StrictNodes" changes the behavior of ExcludeNodes only. When
- StrictNodes is set, Tor should avoid all nodes listed in
- ExcludeNodes, even when it will make user requests fail. When
- StrictNodes is *not* set, then Tor should follow ExcludeNodes
- whenever it can, except when it must use an excluded node to
- perform self-tests, connect to a hidden service, provide a
- hidden service, fulfill a .exit request, upload directory
- information, or fetch directory information.
- Collectively, the changes to implement the behavior fix bug 1090.
- - If EntryNodes, ExitNodes, ExcludeNodes, or ExcludeExitNodes
- change during a config reload, mark and discard all our origin
- circuits. This fix should address edge cases where we change the
- config options and but then choose a circuit that we created before
- the change.
- - Make EntryNodes config option much more aggressive even when
- StrictNodes is not set. Before it would prepend your requested
- entrynodes to your list of guard nodes, but feel free to use others
- after that. Now it chooses only from your EntryNodes if any of
- those are available, and only falls back to others if a) they're
- all down and b) StrictNodes is not set.
- - Now we refresh your entry guards from EntryNodes at each consensus
- fetch -- rather than just at startup and then they slowly rot as
- the network changes.
- - Add support for the country code "{??}" in torrc options like
- ExcludeNodes, to indicate all routers of unknown country. Closes
- bug 1094.
- - ExcludeNodes now takes precedence over EntryNodes and ExitNodes: if
- a node is listed in both, it's treated as excluded.
- - ExcludeNodes now applies to directory nodes -- as a preference if
- StrictNodes is 0, or an absolute requirement if StrictNodes is 1.
- Don't exclude all the directory authorities and set StrictNodes to 1
- unless you really want your Tor to break.
- - ExcludeNodes and ExcludeExitNodes now override exit enclaving.
- - ExcludeExitNodes now overrides .exit requests.
- - We don't use bridges listed in ExcludeNodes.
- - When StrictNodes is 1:
- . We now apply ExcludeNodes to hidden service introduction points
- and to rendezvous points selected by hidden service users. This
- can make your hidden service less reliable: use it with caution!
- . If we have used ExcludeNodes on ourself, do not try relay
- reachability self-tests.
- . If we have excluded all the directory authorities, we will not
- even try to upload our descriptor if we're a relay.
- . Do not honor .exit requests to an excluded node.
- - When the set of permitted nodes changes, we now remove any mappings
- introduced via TrackExitHosts to now-excluded nodes. Bugfix on
- 0.1.0.1-rc.
- - We never cannibalize a circuit that had excluded nodes on it, even
- if StrictNodes is 0. Bugfix on 0.1.0.1-rc.
- - Improve log messages related to excluded nodes.
- o Major features (misc):
- - Numerous changes, bugfixes, and workarounds from Nathan Freitas
- to help Tor build correctly for Android phones.
- - The options SocksPort, ControlPort, and so on now all accept a
- value "auto" that opens a socket on an OS-selected port. A
- new ControlPortWriteToFile option tells Tor to write its
- actual control port or ports to a chosen file. If the option
- ControlPortFileGroupReadable is set, the file is created as
- group-readable. Now users can run two Tor clients on the same
- system without needing to manually mess with parameters. Resolves
- part of ticket 3076.
- - Tor now supports tunneling all of its outgoing connections over
- a SOCKS proxy, using the SOCKS4Proxy and/or SOCKS5Proxy
- configuration options. Code by Christopher Davis.
- o Code security improvements:
- - Replace all potentially sensitive memory comparison operations
- with versions whose runtime does not depend on the data being
- compared. This will help resist a class of attacks where an
- adversary can use variations in timing information to learn
- sensitive data. Fix for one case of bug 3122. (Safe memcmp
- implementation by Robert Ransom based partially on code by DJB.)
- - Enable Address Space Layout Randomization (ASLR) and Data Execution
- Prevention (DEP) by default on Windows to make it harder for
- attackers to exploit vulnerabilities. Patch from John Brooks.
- - New "--enable-gcc-hardening" ./configure flag (off by default)
- to turn on gcc compile time hardening options. It ensures
- that signed ints have defined behavior (-fwrapv), enables
- -D_FORTIFY_SOURCE=2 (requiring -O2), adds stack smashing protection
- with canaries (-fstack-protector-all), turns on ASLR protection if
- supported by the kernel (-fPIE, -pie), and adds additional security
- related warnings. Verified to work on Mac OS X and Debian Lenny.
- - New "--enable-linker-hardening" ./configure flag (off by default)
- to turn on ELF specific hardening features (relro, now). This does
- not work with Mac OS X or any other non-ELF binary format.
- - Always search the Windows system directory for system DLLs, and
- nowhere else. Bugfix on 0.1.1.23; fixes bug 1954.
- - New DisableAllSwap option. If set to 1, Tor will attempt to lock all
- current and future memory pages via mlockall(). On supported
- platforms (modern Linux and probably BSD but not Windows or OS X),
- this should effectively disable any and all attempts to page out
- memory. This option requires that you start your Tor as root --
- if you use DisableAllSwap, please consider using the User option
- to properly reduce the privileges of your Tor.
- o Major bugfixes (crashes):
- - Fix crash bug on platforms where gmtime and localtime can return
- NULL. Windows 7 users were running into this one. Fixes part of bug
- 2077. Bugfix on all versions of Tor. Found by boboper.
- - Introduce minimum/maximum values that clients will believe
- from the consensus. Now we'll have a better chance to avoid crashes
- or worse when a consensus param has a weird value.
- - Fix a rare crash bug that could occur when a client was configured
- with a large number of bridges. Fixes bug 2629; bugfix on
- 0.2.1.2-alpha. Bugfix by trac user "shitlei".
- - Do not crash when our configuration file becomes unreadable, for
- example due to a permissions change, between when we start up
- and when a controller calls SAVECONF. Fixes bug 3135; bugfix
- on 0.0.9pre6.
- - If we're in the pathological case where there's no exit bandwidth
- but there is non-exit bandwidth, or no guard bandwidth but there
- is non-guard bandwidth, don't crash during path selection. Bugfix
- on 0.2.0.3-alpha.
- - Fix a crash bug when trying to initialize the evdns module in
- Libevent 2. Bugfix on 0.2.1.16-rc.
- o Major bugfixes (stability):
- - Fix an assert in parsing router descriptors containing IPv6
- addresses. This one took down the directory authorities when
- somebody tried some experimental code. Bugfix on 0.2.1.3-alpha.
- - Fix an uncommon assertion failure when running with DNSPort under
- heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha.
- - Treat an unset $HOME like an empty $HOME rather than triggering an
- assert. Bugfix on 0.0.8pre1; fixes bug 1522.
- - More gracefully handle corrupt state files, removing asserts
- in favor of saving a backup and resetting state.
- - Instead of giving an assertion failure on an internal mismatch
- on estimated freelist size, just log a BUG warning and try later.
- Mitigates but does not fix bug 1125.
- - Fix an assert that got triggered when using the TestingTorNetwork
- configuration option and then issuing a GETINFO config-text control
- command. Fixes bug 2250; bugfix on 0.2.1.2-alpha.
- - If the cached cert file is unparseable, warn but don't exit.
- o Privacy fixes (relays/bridges):
- - Don't list Windows capabilities in relay descriptors. We never made
- use of them, and maybe it's a bad idea to publish them. Bugfix
- on 0.1.1.8-alpha.
- - If the Nickname configuration option isn't given, Tor would pick a
- nickname based on the local hostname as the nickname for a relay.
- Because nicknames are not very important in today's Tor and the
- "Unnamed" nickname has been implemented, this is now problematic
- behavior: It leaks information about the hostname without being
- useful at all. Fixes bug 2979; bugfix on 0.1.2.2-alpha, which
- introduced the Unnamed nickname. Reported by tagnaq.
- - Maintain separate TLS contexts and certificates for incoming and
- outgoing connections in bridge relays. Previously we would use the
- same TLS contexts and certs for incoming and outgoing connections.
- Bugfix on 0.2.0.3-alpha; addresses bug 988.
- - Maintain separate identity keys for incoming and outgoing TLS
- contexts in bridge relays. Previously we would use the same
- identity keys for incoming and outgoing TLS contexts. Bugfix on
- 0.2.0.3-alpha; addresses the other half of bug 988.
- - Make the bridge directory authority refuse to answer directory
- requests for "all descriptors". It used to include bridge
- descriptors in its answer, which was a major information leak.
- Found by "piebeer". Bugfix on 0.2.0.3-alpha.
- o Privacy fixes (clients):
- - When receiving a hidden service descriptor, check that it is for
- the hidden service we wanted. Previously, Tor would store any
- hidden service descriptors that a directory gave it, whether it
- wanted them or not. This wouldn't have let an attacker impersonate
- a hidden service, but it did let directories pre-seed a client
- with descriptors that it didn't want. Bugfix on 0.0.6.
- - Start the process of disabling ".exit" address notation, since it
- can be used for a variety of esoteric application-level attacks
- on users. To reenable it, set "AllowDotExit 1" in your torrc. Fix
- on 0.0.9rc5.
- - Reject attempts at the client side to open connections to private
- IP addresses (like 127.0.0.1, 10.0.0.1, and so on) with
- a randomly chosen exit node. Attempts to do so are always
- ill-defined, generally prevented by exit policies, and usually
- in error. This will also help to detect loops in transparent
- proxy configurations. You can disable this feature by setting
- "ClientRejectInternalAddresses 0" in your torrc.
- - Log a notice when we get a new control connection. Now it's easier
- for security-conscious users to recognize when a local application
- is knocking on their controller door. Suggested by bug 1196.
- o Privacy fixes (newnym):
- - Avoid linkability based on cached hidden service descriptors: forget
- all hidden service descriptors cached as a client when processing a
- SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6.
- - On SIGHUP, do not clear out all TrackHostExits mappings, client
- DNS cache entries, and virtual address mappings: that's what
- NEWNYM is for. Fixes bug 1345; bugfix on 0.1.0.1-rc.
- - Don't attach new streams to old rendezvous circuits after SIGNAL
- NEWNYM. Previously, we would keep using an existing rendezvous
- circuit if it remained open (i.e. if it were kept open by a
- long-lived stream, or if a new stream were attached to it before
- Tor could notice that it was old and no longer in use). Bugfix on
- 0.1.1.15-rc; fixes bug 3375.
- o Major bugfixes (relay bandwidth accounting):
- - Fix a bug that could break accounting on 64-bit systems with large
- time_t values, making them hibernate for impossibly long intervals.
- Fixes bug 2146. Bugfix on 0.0.9pre6; fix by boboper.
- - Fix a bug in bandwidth accounting that could make us use twice
- the intended bandwidth when our interval start changes due to
- daylight saving time. Now we tolerate skew in stored vs computed
- interval starts: if the start of the period changes by no more than
- 50% of the period's duration, we remember bytes that we transferred
- in the old period. Fixes bug 1511; bugfix on 0.0.9pre5.
- o Major bugfixes (bridges):
- - Bridges now use "reject *:*" as their default exit policy. Bugfix
- on 0.2.0.3-alpha. Fixes bug 1113.
- - If you configure your bridge with a known identity fingerprint,
- and the bridge authority is unreachable (as it is in at least
- one country now), fall back to directly requesting the descriptor
- from the bridge. Finishes the feature started in 0.2.0.10-alpha;
- closes bug 1138.
- - Fix a bug where bridge users who configure the non-canonical
- address of a bridge automatically switch to its canonical
- address. If a bridge listens at more than one address, it
- should be able to advertise those addresses independently and
- any non-blocked addresses should continue to work. Bugfix on Tor
- 0.2.0.3-alpha. Fixes bug 2510.
- - If you configure Tor to use bridge A, and then quit and
- configure Tor to use bridge B instead (or if you change Tor
- to use bridge B via the controller), it would happily continue
- to use bridge A if it's still reachable. While this behavior is
- a feature if your goal is connectivity, in some scenarios it's a
- dangerous bug. Bugfix on Tor 0.2.0.1-alpha; fixes bug 2511.
- - When the controller configures a new bridge, don't wait 10 to 60
- seconds before trying to fetch its descriptor. Bugfix on
- 0.2.0.3-alpha; fixes bug 3198 (suggested by 2355).
- o Major bugfixes (directory authorities):
- - Many relays have been falling out of the consensus lately because
- not enough authorities know about their descriptor for them to get
- a majority of votes. When we deprecated the v2 directory protocol,
- we got rid of the only way that v3 authorities can hear from each
- other about other descriptors. Now authorities examine every v3
- vote for new descriptors, and fetch them from that authority. Bugfix
- on 0.2.1.23.
- - Authorities could be tricked into giving out the Exit flag to relays
- that didn't allow exiting to any ports. This bug could screw
- with load balancing and stats. Bugfix on 0.1.1.6-alpha; fixes bug
- 1238. Bug discovered by Martin Kowalczyk.
- - If all authorities restart at once right before a consensus vote,
- nobody will vote about "Running", and clients will get a consensus
- with no usable relays. Instead, authorities refuse to build a
- consensus if this happens. Bugfix on 0.2.0.10-alpha; fixes bug 1066.
- o Major bugfixes (stream-level fairness):
- - When receiving a circuit-level SENDME for a blocked circuit, try
- to package cells fairly from all the streams that had previously
- been blocked on that circuit. Previously, we had started with the
- oldest stream, and allowed each stream to potentially exhaust
- the circuit's package window. This gave older streams on any
- given circuit priority over newer ones. Fixes bug 1937. Detected
- originally by Camilo Viecco. This bug was introduced before the
- first Tor release, in svn commit r152: it is the new winner of
- the longest-lived bug prize.
- - Fix a stream fairness bug that would cause newer streams on a given
- circuit to get preference when reading bytes from the origin or
- destination. Fixes bug 2210. Fix by Mashael AlSabah. This bug was
- introduced before the first Tor release, in svn revision r152.
- - When the exit relay got a circuit-level sendme cell, it started
- reading on the exit streams, even if had 500 cells queued in the
- circuit queue already, so the circuit queue just grew and grew in
- some cases. We fix this by not re-enabling reading on receipt of a
- sendme cell when the cell queue is blocked. Fixes bug 1653. Bugfix
- on 0.2.0.1-alpha. Detected by Mashael AlSabah. Original patch by
- "yetonetime".
- - Newly created streams were allowed to read cells onto circuits,
- even if the circuit's cell queue was blocked and waiting to drain.
- This created potential unfairness, as older streams would be
- blocked, but newer streams would gladly fill the queue completely.
- We add code to detect this situation and prevent any stream from
- getting more than one free cell. Bugfix on 0.2.0.1-alpha. Partially
- fixes bug 1298.
- o Major bugfixes (hidden services):
- - Apply circuit timeouts to opened hidden-service-related circuits
- based on the correct start time. Previously, we would apply the
- circuit build timeout based on time since the circuit's creation;
- it was supposed to be applied based on time since the circuit
- entered its current state. Bugfix on 0.0.6; fixes part of bug 1297.
- - Improve hidden service robustness: When we find that we have
- extended a hidden service's introduction circuit to a relay not
- listed as an introduction point in the HS descriptor we currently
- have, retry with an introduction point from the current
- descriptor. Previously we would just give up. Fixes bugs 1024 and
- 1930; bugfix on 0.2.0.10-alpha.
- - Directory authorities now use data collected from their own
- uptime observations when choosing whether to assign the HSDir flag
- to relays, instead of trusting the uptime value the relay reports in
- its descriptor. This change helps prevent an attack where a small
- set of nodes with frequently-changing identity keys can blackhole
- a hidden service. (Only authorities need upgrade; others will be
- fine once they do.) Bugfix on 0.2.0.10-alpha; fixes bug 2709.
- - Stop assigning the HSDir flag to relays that disable their
- DirPort (and thus will refuse to answer directory requests). This
- fix should dramatically improve the reachability of hidden services:
- hidden services and hidden service clients pick six HSDir relays
- to store and retrieve the hidden service descriptor, and currently
- about half of the HSDir relays will refuse to work. Bugfix on
- 0.2.0.10-alpha; fixes part of bug 1693.
- o Major bugfixes (misc):
- - Clients now stop trying to use an exit node associated with a given
- destination by TrackHostExits if they fail to reach that exit node.
- Fixes bug 2999. Bugfix on 0.2.0.20-rc.
- - Fix a regression that caused Tor to rebind its ports if it receives
- SIGHUP while hibernating. Bugfix in 0.1.1.6-alpha; closes bug 919.
- - Remove an extra pair of quotation marks around the error
- message in control-port STATUS_GENERAL BUG events. Bugfix on
- 0.1.2.6-alpha; fixes bug 3732.
- o Minor features (relays):
- - Ensure that no empty [dirreq-](read|write)-history lines are added
- to an extrainfo document. Implements ticket 2497.
- - When bandwidth accounting is enabled, be more generous with how
- much bandwidth we'll use up before entering "soft hibernation".
- Previously, we'd refuse new connections and circuits once we'd
- used up 95% of our allotment. Now, we use up 95% of our allotment,
- AND make sure that we have no more than 500MB (or 3 hours of
- expected traffic, whichever is lower) remaining before we enter
- soft hibernation.
- - Relays now log the reason for publishing a new relay descriptor,
- so we have a better chance of hunting down instances of bug 1810.
- Resolves ticket 3252.
- - Log a little more clearly about the times at which we're no longer
- accepting new connections (e.g. due to hibernating). Resolves
- bug 2181.
- - When AllowSingleHopExits is set, print a warning to explain to the
- relay operator why most clients are avoiding her relay.
- - Send END_STREAM_REASON_NOROUTE in response to EHOSTUNREACH errors.
- Clients before 0.2.1.27 didn't handle NOROUTE correctly, but such
- clients are already deprecated because of security bugs.
- o Minor features (network statistics):
- - Directory mirrors that set "DirReqStatistics 1" write statistics
- about directory requests to disk every 24 hours. As compared to the
- "--enable-geoip-stats" ./configure flag in 0.2.1.x, there are a few
- improvements: 1) stats are written to disk exactly every 24 hours;
- 2) estimated shares of v2 and v3 requests are determined as mean
- values, not at the end of a measurement period; 3) unresolved
- requests are listed with country code '??'; 4) directories also
- measure download times.
- - Exit nodes that set "ExitPortStatistics 1" write statistics on the
- number of exit streams and transferred bytes per port to disk every
- 24 hours.
- - Relays that set "CellStatistics 1" write statistics on how long
- cells spend in their circuit queues to disk every 24 hours.
- - Entry nodes that set "EntryStatistics 1" write statistics on the
- rough number and origins of connecting clients to disk every 24
- hours.
- - Relays that write any of the above statistics to disk and set
- "ExtraInfoStatistics 1" include the past 24 hours of statistics in
- their extra-info documents. Implements proposal 166.
- o Minor features (GeoIP and statistics):
- - Provide a log message stating which geoip file we're parsing
- instead of just stating that we're parsing the geoip file.
- Implements ticket 2432.
- - Make sure every relay writes a state file at least every 12 hours.
- Previously, a relay could go for weeks without writing its state
- file, and on a crash could lose its bandwidth history, capacity
- estimates, client country statistics, and so on. Addresses bug 3012.
- - Relays report the number of bytes spent on answering directory
- requests in extra-info descriptors similar to {read,write}-history.
- Implements enhancement 1790.
- - Report only the top 10 ports in exit-port stats in order not to
- exceed the maximum extra-info descriptor length of 50 KB. Implements
- task 2196.
- - If writing the state file to disk fails, wait up to an hour before
- retrying again, rather than trying again each second. Fixes bug
- 2346; bugfix on Tor 0.1.1.3-alpha.
- - Delay geoip stats collection by bridges for 6 hours, not 2 hours,
- when we switch from being a public relay to a bridge. Otherwise
- there will still be clients that see the relay in their consensus,
- and the stats will end up wrong. Bugfix on 0.2.1.15-rc; fixes
- bug 932.
- - Update to the August 2 2011 Maxmind GeoLite Country database.
- o Minor features (clients):
- - When expiring circuits, use microsecond timers rather than
- one-second timers. This can avoid an unpleasant situation where a
- circuit is launched near the end of one second and expired right
- near the beginning of the next, and prevent fluctuations in circuit
- timeout values.
- - If we've configured EntryNodes and our network goes away and/or all
- our entrynodes get marked down, optimistically retry them all when
- a new socks application request appears. Fixes bug 1882.
- - Always perform router selections using weighted relay bandwidth,
- even if we don't need a high capacity circuit at the time. Non-fast
- circuits now only differ from fast ones in that they can use relays
- not marked with the Fast flag. This "feature" could turn out to
- be a horrible bug; we should investigate more before it goes into
- a stable release.
- - When we run out of directory information such that we can't build
- circuits, but then get enough that we can build circuits, log when
- we actually construct a circuit, so the user has a better chance of
- knowing what's going on. Fixes bug 1362.
- - Log SSL state transitions at debug level during handshake, and
- include SSL states in error messages. This may help debug future
- SSL handshake issues.
- o Minor features (directory authorities):
- - When a router changes IP address or port, authorities now launch
- a new reachability test for it. Implements ticket 1899.
- - Directory authorities now reject relays running any versions of
- Tor between 0.2.1.3-alpha and 0.2.1.18 inclusive; they have
- known bugs that keep RELAY_EARLY cells from working on rendezvous
- circuits. Followup to fix for bug 2081.
- - Directory authorities now reject relays running any version of Tor
- older than 0.2.0.26-rc. That version is the earliest that fetches
- current directory information correctly. Fixes bug 2156.
- - Directory authorities now do an immediate reachability check as soon
- as they hear about a new relay. This change should slightly reduce
- the time between setting up a relay and getting listed as running
- in the consensus. It should also improve the time between setting
- up a bridge and seeing use by bridge users.
- - Directory authorities no longer launch a TLS connection to every
- relay as they startup. Now that we have 2k+ descriptors cached,
- the resulting network hiccup is becoming a burden. Besides,
- authorities already avoid voting about Running for the first half
- hour of their uptime.
- - Directory authorities now log the source of a rejected POSTed v3
- networkstatus vote, so we can track failures better.
- - Backport code from 0.2.3.x that allows directory authorities to
- clean their microdescriptor caches. Needed to resolve bug 2230.
- o Minor features (hidden services):
- - Use computed circuit-build timeouts to decide when to launch
- parallel introduction circuits for hidden services. (Previously,
- we would retry after 15 seconds.)
- - Don't allow v0 hidden service authorities to act as clients.
- Required by fix for bug 3000.
- - Ignore SIGNAL NEWNYM commands on relay-only Tor instances. Required
- by fix for bug 3000.
- - Make hidden services work better in private Tor networks by not
- requiring any uptime to join the hidden service descriptor
- DHT. Implements ticket 2088.
- - Log (at info level) when purging pieces of hidden-service-client
- state because of SIGNAL NEWNYM.
- o Minor features (controller interface):
- - New "GETINFO net/listeners/(type)" controller command to return
- a list of addresses and ports that are bound for listeners for a
- given connection type. This is useful when the user has configured
- "SocksPort auto" and the controller needs to know which port got
- chosen. Resolves another part of ticket 3076.
- - Have the controller interface give a more useful message than
- "Internal Error" in response to failed GETINFO requests.
- - Add a TIMEOUT_RATE keyword to the BUILDTIMEOUT_SET control port
- event, to give information on the current rate of circuit timeouts
- over our stored history.
- - The 'EXTENDCIRCUIT' control port command can now be used with
- a circ id of 0 and no path. This feature will cause Tor to build
- a new 'fast' general purpose circuit using its own path selection
- algorithms.
- - Added a BUILDTIMEOUT_SET controller event to describe changes
- to the circuit build timeout.
- - New controller command "getinfo config-text". It returns the
- contents that Tor would write if you send it a SAVECONF command,
- so the controller can write the file to disk itself.
- o Minor features (controller protocol):
- - Add a new ControlSocketsGroupWritable configuration option: when
- it is turned on, ControlSockets are group-writeable by the default
- group of the current user. Patch by Jérémy Bobbio; implements
- ticket 2972.
- - Tor now refuses to create a ControlSocket in a directory that is
- world-readable (or group-readable if ControlSocketsGroupWritable
- is 0). This is necessary because some operating systems do not
- enforce permissions on an AF_UNIX sockets. Permissions on the
- directory holding the socket, however, seems to work everywhere.
- - Warn when CookieAuthFileGroupReadable is set but CookieAuthFile is
- not. This would lead to a cookie that is still not group readable.
- Closes bug 1843. Suggested by katmagic.
- - Future-proof the controller protocol a bit by ignoring keyword
- arguments we do not recognize.
- o Minor features (more useful logging):
- - Revise most log messages that refer to nodes by nickname to
- instead use the "$key=nickname at address" format. This should be
- more useful, especially since nicknames are less and less likely
- to be unique. Resolves ticket 3045.
- - When an HTTPS proxy reports "403 Forbidden", we now explain
- what it means rather than calling it an unexpected status code.
- Closes bug 2503. Patch from Michael Yakubovich.
- - Rate-limit a warning about failures to download v2 networkstatus
- documents. Resolves part of bug 1352.
- - Rate-limit the "your application is giving Tor only an IP address"
- warning. Addresses bug 2000; bugfix on 0.0.8pre2.
- - Rate-limit "Failed to hand off onionskin" warnings.
- - When logging a rate-limited warning, we now mention how many messages
- got suppressed since the last warning.
- - Make the formerly ugly "2 unknown, 7 missing key, 0 good, 0 bad,
- 2 no signature, 4 required" messages about consensus signatures
- easier to read, and make sure they get logged at the same severity
- as the messages explaining which keys are which. Fixes bug 1290.
- - Don't warn when we have a consensus that we can't verify because
- of missing certificates, unless those certificates are ones
- that we have been trying and failing to download. Fixes bug 1145.
- o Minor features (log domains):
- - Add documentation for configuring logging at different severities in
- different log domains. We've had this feature since 0.2.1.1-alpha,
- but for some reason it never made it into the manpage. Fixes
- bug 2215.
- - Make it simpler to specify "All log domains except for A and B".
- Previously you needed to say "[*,~A,~B]". Now you can just say
- "[~A,~B]".
- - Add a "LogMessageDomains 1" option to include the domains of log
- messages along with the messages. Without this, there's no way
- to use log domains without reading the source or doing a lot
- of guessing.
- - Add a new "Handshake" log domain for activities that happen
- during the TLS handshake.
- o Minor features (build process):
- - Make compilation with clang possible when using
- "--enable-gcc-warnings" by removing two warning options that clang
- hasn't implemented yet and by fixing a few warnings. Resolves
- ticket 2696.
- - Detect platforms that brokenly use a signed size_t, and refuse to
- build there. Found and analyzed by doorss and rransom.
- - Fix a bunch of compile warnings revealed by mingw with gcc 4.5.
- Resolves bug 2314.
- - Add support for statically linking zlib by specifying
- "--enable-static-zlib", to go with our support for statically
- linking openssl and libevent. Resolves bug 1358.
- - Instead of adding the svn revision to the Tor version string, report
- the git commit (when we're building from a git checkout).
- - Rename the "log.h" header to "torlog.h" so as to conflict with fewer
- system headers.
- - New --digests command-line switch to output the digests of the
- source files Tor was built with.
- - Generate our manpage and HTML documentation using Asciidoc. This
- change should make it easier to maintain the documentation, and
- produce nicer HTML. The build process fails if asciidoc cannot
- be found and building with asciidoc isn't disabled (via the
- "--disable-asciidoc" argument to ./configure. Skipping the manpage
- speeds up the build considerably.
- o Minor features (options / torrc):
- - Warn when the same option is provided more than once in a torrc
- file, on the command line, or in a single SETCONF statement, and
- the option is one that only accepts a single line. Closes bug 1384.
- - Warn when the user configures two HiddenServiceDir lines that point
- to the same directory. Bugfix on 0.0.6 (the version introducing
- HiddenServiceDir); fixes bug 3289.
- - Add new "perconnbwrate" and "perconnbwburst" consensus params to
- do individual connection-level rate limiting of clients. The torrc
- config options with the same names trump the consensus params, if
- both are present. Replaces the old "bwconnrate" and "bwconnburst"
- consensus params which were broken from 0.2.2.7-alpha through
- 0.2.2.14-alpha. Closes bug 1947.
- - New config option "WarnUnsafeSocks 0" disables the warning that
- occurs whenever Tor receives a socks handshake using a version of
- the socks protocol that can only provide an IP address (rather
- than a hostname). Setups that do DNS locally over Tor are fine,
- and we shouldn't spam the logs in that case.
- - New config option "CircuitStreamTimeout" to override our internal
- timeout schedule for how many seconds until we detach a stream from
- a circuit and try a new circuit. If your network is particularly
- slow, you might want to set this to a number like 60.
- - New options for SafeLogging to allow scrubbing only log messages
- generated while acting as a relay. Specify "SafeLogging relay" if
- you want to ensure that only messages known to originate from
- client use of the Tor process will be logged unsafely.
- - Time and memory units in the configuration file can now be set to
- fractional units. For example, "2.5 GB" is now a valid value for
- AccountingMax.
- - Support line continuations in the torrc config file. If a line
- ends with a single backslash character, the newline is ignored, and
- the configuration value is treated as continuing on the next line.
- Resolves bug 1929.
- o Minor features (unit tests):
- - Revise our unit tests to use the "tinytest" framework, so we
- can run tests in their own processes, have smarter setup/teardown
- code, and so on. The unit test code has moved to its own
- subdirectory, and has been split into multiple modules.
- - Add a unit test for cross-platform directory-listing code.
- - Add some forgotten return value checks during unit tests. Found
- by coverity.
- - Use GetTempDir to find the proper temporary directory location on
- Windows when generating temporary files for the unit tests. Patch
- by Gisle Vanem.
- o Minor features (misc):
- - The "torify" script now uses torsocks where available.
- - Make Libevent log messages get delivered to controllers later,
- and not from inside the Libevent log handler. This prevents unsafe
- reentrant Libevent calls while still letting the log messages
- get through.
- - Certain Tor clients (such as those behind check.torproject.org) may
- want to fetch the consensus in an extra early manner. To enable this
- a user may now set FetchDirInfoExtraEarly to 1. This also depends on
- setting FetchDirInfoEarly to 1. Previous behavior will stay the same
- as only certain clients who must have this information sooner should
- set this option.
- - Expand homedirs passed to tor-checkkey. This should silence a
- coverity complaint about passing a user-supplied string into
- open() without checking it.
- - Make sure to disable DirPort if running as a bridge. DirPorts aren't
- used on bridges, and it makes bridge scanning somewhat easier.
- - Create the /var/run/tor directory on startup on OpenSUSE if it is
- not already created. Patch from Andreas Stieger. Fixes bug 2573.
- o Minor bugfixes (relays):
- - When a relay decides that its DNS is too broken for it to serve
- as an exit server, it advertised itself as a non-exit, but
- continued to act as an exit. This could create accidental
- partitioning opportunities for users. Instead, if a relay is
- going to advertise reject *:* as its exit policy, it should
- really act with exit policy "reject *:*". Fixes bug 2366.
- Bugfix on Tor 0.1.2.5-alpha. Bugfix by user "postman" on trac.
- - Publish a router descriptor even if generating an extra-info
- descriptor fails. Previously we would not publish a router
- descriptor without an extra-info descriptor; this can cause fast
- exit relays collecting exit-port statistics to drop from the
- consensus. Bugfix on 0.1.2.9-rc; fixes bug 2195.
- - When we're trying to guess whether we know our IP address as
- a relay, we would log various ways that we failed to guess
- our address, but never log that we ended up guessing it
- successfully. Now add a log line to help confused and anxious
- relay operators. Bugfix on 0.1.2.1-alpha; fixes bug 1534.
- - For bandwidth accounting, calculate our expected bandwidth rate
- based on the time during which we were active and not in
- soft-hibernation during the last interval. Previously, we were
- also considering the time spent in soft-hibernation. If this
- was a long time, we would wind up underestimating our bandwidth
- by a lot, and skewing our wakeup time towards the start of the
- accounting interval. Fixes bug 1789. Bugfix on 0.0.9pre5.
- - Demote a confusing TLS warning that relay operators might get when
- someone tries to talk to their ORPort. It is not the operator's
- fault, nor can they do anything about it. Fixes bug 1364; bugfix
- on 0.2.0.14-alpha.
- - Change "Application request when we're believed to be offline."
- notice to "Application request when we haven't used client
- functionality lately.", to clarify that it's not an error. Bugfix
- on 0.0.9.3; fixes bug 1222.
- o Minor bugfixes (bridges):
- - When a client starts or stops using bridges, never use a circuit
- that was built before the configuration change. This behavior could
- put at risk a user who uses bridges to ensure that her traffic
- only goes to the chosen addresses. Bugfix on 0.2.0.3-alpha; fixes
- bug 3200.
- - Do not reset the bridge descriptor download status every time we
- re-parse our configuration or get a configuration change. Fixes
- bug 3019; bugfix on 0.2.0.3-alpha.
- - Users couldn't configure a regular relay to be their bridge. It
- didn't work because when Tor fetched the bridge descriptor, it found
- that it already had it, and didn't realize that the purpose of the
- descriptor had changed. Now we replace routers with a purpose other
- than bridge with bridge descriptors when fetching them. Bugfix on
- 0.1.1.9-alpha. Fixes bug 1776.
- - In the special case where you configure a public exit relay as your
- bridge, Tor would be willing to use that exit relay as the last
- hop in your circuit as well. Now we fail that circuit instead.
- Bugfix on 0.2.0.12-alpha. Fixes bug 2403. Reported by "piebeer".
- o Minor bugfixes (clients):
- - We now ask the other side of a stream (the client or the exit)
- for more data on that stream when the amount of queued data on
- that stream dips low enough. Previously, we wouldn't ask the
- other side for more data until either it sent us more data (which
- it wasn't supposed to do if it had exhausted its window!) or we
- had completely flushed all our queued data. This flow control fix
- should improve throughput. Fixes bug 2756; bugfix on the earliest
- released versions of Tor (svn commit r152).
- - When a client finds that an origin circuit has run out of 16-bit
- stream IDs, we now mark it as unusable for new streams. Previously,
- we would try to close the entire circuit. Bugfix on 0.0.6.
- - Make it explicit that we don't cannibalize one-hop circuits. This
- happens in the wild, but doesn't turn out to be a problem because
- we fortunately don't use those circuits. Many thanks to outofwords
- for the initial analysis and to swissknife who confirmed that
- two-hop circuits are actually created.
- - Resolve an edge case in path weighting that could make us misweight
- our relay selection. Fixes bug 1203; bugfix on 0.0.8rc1.
- - Make the DNSPort option work with libevent 2.x. Don't alter the
- behaviour for libevent 1.x. Fixes bug 1143. Found by SwissTorExit.
- o Minor bugfixes (directory authorities):
- - Make directory authorities more accurate at recording when
- relays that have failed several reachability tests became
- unreachable, so we can provide more accuracy at assigning Stable,
- Guard, HSDir, etc flags. Bugfix on 0.2.0.6-alpha. Resolves bug 2716.
- - Directory authorities are now more robust to hops back in time
- when calculating router stability. Previously, if a run of uptime
- or downtime appeared to be negative, the calculation could give
- incorrect results. Bugfix on 0.2.0.6-alpha; noticed when fixing
- bug 1035.
- - Directory authorities will now attempt to download consensuses
- if their own efforts to make a live consensus have failed. This
- change means authorities that restart will fetch a valid
- consensus, and it means authorities that didn't agree with the
- current consensus will still fetch and serve it if it has enough
- signatures. Bugfix on 0.2.0.9-alpha; fixes bug 1300.
- - Never vote for a server as "Running" if we have a descriptor for
- it claiming to be hibernating, and that descriptor was published
- more recently than our last contact with the server. Bugfix on
- 0.2.0.3-alpha; fixes bug 911.
- - Directory authorities no longer change their opinion of, or vote on,
- whether a router is Running, unless they have themselves been
- online long enough to have some idea. Bugfix on 0.2.0.6-alpha.
- Fixes bug 1023.
- o Minor bugfixes (hidden services):
- - Log malformed requests for rendezvous descriptors as protocol
- warnings, not warnings. Also, use a more informative log message
- in case someone sees it at log level warning without prior
- info-level messages. Fixes bug 2748; bugfix on 0.2.0.10-alpha.
- - Accept hidden service descriptors if we think we might be a hidden
- service directory, regardless of what our consensus says. This
- helps robustness, since clients and hidden services can sometimes
- have a more up-to-date view of the network consensus than we do,
- and if they think that the directory authorities list us a HSDir,
- we might actually be one. Related to bug 2732; bugfix on
- 0.2.0.10-alpha.
- - Correct the warning displayed when a rendezvous descriptor exceeds
- the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by
- John Brooks.
- - Clients and hidden services now use HSDir-flagged relays for hidden
- service descriptor downloads and uploads even if the relays have no
- DirPort set and the client has disabled TunnelDirConns. This will
- eventually allow us to give the HSDir flag to relays with no
- DirPort. Fixes bug 2722; bugfix on 0.2.1.6-alpha.
- - Only limit the lengths of single HS descriptors, even when multiple
- HS descriptors are published to an HSDir relay in a single POST
- operation. Fixes bug 2948; bugfix on 0.2.1.5-alpha. Found by hsdir.
- o Minor bugfixes (controllers):
- - Allow GETINFO fingerprint to return a fingerprint even when
- we have not yet built a router descriptor. Fixes bug 3577;
- bugfix on 0.2.0.1-alpha.
- - Send a SUCCEEDED stream event to the controller when a reverse
- resolve succeeded. Fixes bug 3536; bugfix on 0.0.8pre1. Issue
- discovered by katmagic.
- - Remove a trailing asterisk from "exit-policy/default" in the
- output of the control port command "GETINFO info/names". Bugfix
- on 0.1.2.5-alpha.
- - Make the SIGNAL DUMP controller command work on FreeBSD. Fixes bug
- 2917. Bugfix on 0.1.1.1-alpha.
- - When we restart our relay, we might get a successful connection
- from the outside before we've started our reachability tests,
- triggering a warning: "ORPort found reachable, but I have no
- routerinfo yet. Failing to inform controller of success." This
- bug was harmless unless Tor is running under a controller
- like Vidalia, in which case the controller would never get a
- REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha;
- fixes bug 1172.
- - When a controller changes TrackHostExits, remove mappings for
- hosts that should no longer have their exits tracked. Bugfix on
- 0.1.0.1-rc.
- - When a controller changes VirtualAddrNetwork, remove any mappings
- for hosts that were automapped to the old network. Bugfix on
- 0.1.1.19-rc.
- - When a controller changes one of the AutomapHosts* options, remove
- any mappings for hosts that should no longer be automapped. Bugfix
- on 0.2.0.1-alpha.
- - Fix an off-by-one error in calculating some controller command
- argument lengths. Fortunately, this mistake is harmless since
- the controller code does redundant NUL termination too. Found by
- boboper. Bugfix on 0.1.1.1-alpha.
- - Fix a bug in the controller interface where "GETINFO ns/asdaskljkl"
- would return "551 Internal error" rather than "552 Unrecognized key
- ns/asdaskljkl". Bugfix on 0.1.2.3-alpha.
- - Don't spam the controller with events when we have no file
- descriptors available. Bugfix on 0.2.1.5-alpha. (Rate-limiting
- for log messages was already solved from bug 748.)
- - Emit a GUARD DROPPED controller event for a case we missed.
- - Ensure DNS requests launched by "RESOLVE" commands from the
- controller respect the __LeaveStreamsUnattached setconf options. The
- same goes for requests launched via DNSPort or transparent
- proxying. Bugfix on 0.2.0.1-alpha; fixes bug 1525.
- o Minor bugfixes (config options):
- - Tor used to limit HttpProxyAuthenticator values to 48 characters.
- Change the limit to 512 characters by removing base64 newlines.
- Fixes bug 2752. Fix by Michael Yakubovich.
- - Complain if PublishServerDescriptor is given multiple arguments that
- include 0 or 1. This configuration will be rejected in the future.
- Bugfix on 0.2.0.1-alpha; closes bug 1107.
- - Disallow BridgeRelay 1 and ORPort 0 at once in the configuration.
- Bugfix on 0.2.0.13-alpha; closes bug 928.
- o Minor bugfixes (log subsystem fixes):
- - When unable to format an address as a string, report its value
- as "???" rather than reusing the last formatted address. Bugfix
- on 0.2.1.5-alpha.
- - Be more consistent in our treatment of file system paths. "~" should
- get expanded to the user's home directory in the Log config option.
- Fixes bug 2971; bugfix on 0.2.0.1-alpha, which introduced the
- feature for the -f and --DataDirectory options.
- o Minor bugfixes (memory management):
- - Don't stack-allocate the list of supplementary GIDs when we're
- about to log them. Stack-allocating NGROUPS_MAX gid_t elements
- could take up to 256K, which is way too much stack. Found by
- Coverity; CID #450. Bugfix on 0.2.1.7-alpha.
- - Save a couple bytes in memory allocation every time we escape
- certain characters in a string. Patch from Florian Zumbiehl.
- o Minor bugfixes (protocol correctness):
- - When checking for 1024-bit keys, check for 1024 bits, not 128
- bytes. This allows Tor to correctly discard keys of length 1017
- through 1023. Bugfix on 0.0.9pre5.
- - Require that introduction point keys and onion handshake keys
- have a public exponent of 65537. Starts to fix bug 3207; bugfix
- on 0.2.0.10-alpha.
- - Handle SOCKS messages longer than 128 bytes long correctly, rather
- than waiting forever for them to finish. Fixes bug 2330; bugfix
- on 0.2.0.16-alpha. Found by doorss.
- - Never relay a cell for a circuit we have already destroyed.
- Between marking a circuit as closeable and finally closing it,
- it may have been possible for a few queued cells to get relayed,
- even though they would have been immediately dropped by the next
- OR in the circuit. Fixes bug 1184; bugfix on 0.2.0.1-alpha.
- - Never queue a cell for a circuit that's already been marked
- for close.
- - Fix a spec conformance issue: the network-status-version token
- must be the first token in a v3 consensus or vote. Discovered by
- "parakeep". Bugfix on 0.2.0.3-alpha.
- - A networkstatus vote must contain exactly one signature. Spec
- conformance issue. Bugfix on 0.2.0.3-alpha.
- - When asked about a DNS record type we don't support via a
- client DNSPort, reply with NOTIMPL rather than an empty
- reply. Patch by intrigeri. Fixes bug 3369; bugfix on 2.0.1-alpha.
- - Make more fields in the controller protocol case-insensitive, since
- control-spec.txt said they were.
- o Minor bugfixes (log messages):
- - Fix a log message that said "bits" while displaying a value in
- bytes. Found by wanoskarnet. Fixes bug 3318; bugfix on
- 0.2.0.1-alpha.
- - Downgrade "no current certificates known for authority" message from
- Notice to Info. Fixes bug 2899; bugfix on 0.2.0.10-alpha.
- - Correctly describe errors that occur when generating a TLS object.
- Previously we would attribute them to a failure while generating a
- TLS context. Patch by Robert Ransom. Bugfix on 0.1.0.4-rc; fixes
- bug 1994.
- - Fix an instance where a Tor directory mirror might accidentally
- log the IP address of a misbehaving Tor client. Bugfix on
- 0.1.0.1-rc.
- - Stop logging at severity 'warn' when some other Tor client tries
- to establish a circuit with us using weak DH keys. It's a protocol
- violation, but that doesn't mean ordinary users need to hear about
- it. Fixes the bug part of bug 1114. Bugfix on 0.1.0.13.
- - If your relay can't keep up with the number of incoming create
- cells, it would log one warning per failure into your logs. Limit
- warnings to 1 per minute. Bugfix on 0.0.2pre10; fixes bug 1042.
- o Minor bugfixes (build fixes):
- - Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option.
- - When warning about missing zlib development packages during compile,
- give the correct package names. Bugfix on 0.2.0.1-alpha.
- - Fix warnings that newer versions of autoconf produce during
- ./autogen.sh. These warnings appear to be harmless in our case,
- but they were extremely verbose. Fixes bug 2020.
- - Squash a compile warning on OpenBSD. Reported by Tas; fixes
- bug 1848.
- o Minor bugfixes (portability):
- - Write several files in text mode, on OSes that distinguish text
- mode from binary mode (namely, Windows). These files are:
- 'buffer-stats', 'dirreq-stats', and 'entry-stats' on relays
- that collect those statistics; 'client_keys' and 'hostname' for
- hidden services that use authentication; and (in the tor-gencert
- utility) newly generated identity and signing keys. Previously,
- we wouldn't specify text mode or binary mode, leading to an
- assertion failure. Fixes bug 3607. Bugfix on 0.2.1.1-alpha (when
- the DirRecordUsageByCountry option which would have triggered
- the assertion failure was added), although this assertion failure
- would have occurred in tor-gencert on Windows in 0.2.0.1-alpha.
- - Selectively disable deprecation warnings on OS X because Lion
- started deprecating the shipped copy of openssl. Fixes bug 3643.
- - Use a wide type to hold sockets when built for 64-bit Windows.
- Fixes bug 3270.
- - Fix an issue that prevented static linking of libevent on
- some platforms (notably Linux). Fixes bug 2698; bugfix on 0.2.1.23,
- where we introduced the "--with-static-libevent" configure option.
- - Fix a bug with our locking implementation on Windows that couldn't
- correctly detect when a file was already locked. Fixes bug 2504,
- bugfix on 0.2.1.6-alpha.
- - Build correctly on OSX with zlib 1.2.4 and higher with all warnings
- enabled.
- - Fix IPv6-related connect() failures on some platforms (BSD, OS X).
- Bugfix on 0.2.0.3-alpha; fixes first part of bug 2660. Patch by
- "piebeer".
- o Minor bugfixes (code correctness):
- - Always NUL-terminate the sun_path field of a sockaddr_un before
- passing it to the kernel. (Not a security issue: kernels are
- smart enough to reject bad sockaddr_uns.) Found by Coverity;
- CID #428. Bugfix on Tor 0.2.0.3-alpha.
- - Make connection_printf_to_buf()'s behaviour sane. Its callers
- expect it to emit a CRLF iff the format string ends with CRLF;
- it actually emitted a CRLF iff (a) the format string ended with
- CRLF or (b) the resulting string was over 1023 characters long or
- (c) the format string did not end with CRLF *and* the resulting
- string was 1021 characters long or longer. Bugfix on 0.1.1.9-alpha;
- fixes part of bug 3407.
- - Make send_control_event_impl()'s behaviour sane. Its callers
- expect it to always emit a CRLF at the end of the string; it
- might have emitted extra control characters as well. Bugfix on
- 0.1.1.9-alpha; fixes another part of bug 3407.
- - Make crypto_rand_int() check the value of its input correctly.
- Previously, it accepted values up to UINT_MAX, but could return a
- negative number if given a value above INT_MAX+1. Found by George
- Kadianakis. Fixes bug 3306; bugfix on 0.2.2pre14.
- - Fix a potential null-pointer dereference while computing a
- consensus. Bugfix on tor-0.2.0.3-alpha, found with the help of
- clang's analyzer.
- - If we fail to compute the identity digest of a v3 legacy keypair,
- warn, and don't use a buffer-full of junk instead. Bugfix on
- 0.2.1.1-alpha; fixes bug 3106.
- - Resolve an untriggerable issue in smartlist_string_num_isin(),
- where if the function had ever in the future been used to check
- for the presence of a too-large number, it would have given an
- incorrect result. (Fortunately, we only used it for 16-bit
- values.) Fixes bug 3175; bugfix on 0.1.0.1-rc.
- - Be more careful about reporting the correct error from a failed
- connect() system call. Under some circumstances, it was possible to
- look at an incorrect value for errno when sending the end reason.
- Bugfix on 0.1.0.1-rc.
- - Correctly handle an "impossible" overflow cases in connection byte
- counting, where we write or read more than 4GB on an edge connection
- in a single second. Bugfix on 0.1.2.8-beta.
- - Avoid a double mark-for-free warning when failing to attach a
- transparent proxy connection. Bugfix on 0.1.2.1-alpha. Fixes
- bug 2279.
- - Correctly detect failure to allocate an OpenSSL BIO. Fixes bug 2378;
- found by "cypherpunks". This bug was introduced before the first
- Tor release, in svn commit r110.
- - Fix a bug in bandwidth history state parsing that could have been
- triggered if a future version of Tor ever changed the timing
- granularity at which bandwidth history is measured. Bugfix on
- Tor 0.1.1.11-alpha.
- - Add assertions to check for overflow in arguments to
- base32_encode() and base32_decode(); fix a signed-unsigned
- comparison there too. These bugs are not actually reachable in Tor,
- but it's good to prevent future errors too. Found by doorss.
- - Avoid a bogus overlapped memcpy in tor_addr_copy(). Reported by
- "memcpyfail".
- - Set target port in get_interface_address6() correctly. Bugfix
- on 0.1.1.4-alpha and 0.2.0.3-alpha; fixes second part of bug 2660.
- - Fix an impossible-to-actually-trigger buffer overflow in relay
- descriptor generation. Bugfix on 0.1.0.15.
- - Fix numerous small code-flaws found by Coverity Scan Rung 3.
- o Minor bugfixes (code improvements):
- - After we free an internal connection structure, overwrite it
- with a different memory value than we use for overwriting a freed
- internal circuit structure. Should help with debugging. Suggested
- by bug 1055.
- - If OpenSSL fails to make a duplicate of a private or public key, log
- an error message and try to exit cleanly. May help with debugging
- if bug 1209 ever remanifests.
- - Some options used different conventions for uppercasing of acronyms
- when comparing manpage and source. Fix those in favor of the
- manpage, as it makes sense to capitalize acronyms.
- - Take a first step towards making or.h smaller by splitting out
- function definitions for all source files in src/or/. Leave
- structures and defines in or.h for now.
- - Remove a few dead assignments during router parsing. Found by
- coverity.
- - Don't use 1-bit wide signed bit fields. Found by coverity.
- - Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned.
- None of the cases where we did this before were wrong, but by making
- this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28.
- - The memarea code now uses a sentinel value at the end of each area
- to make sure nothing writes beyond the end of an area. This might
- help debug some conceivable causes of bug 930.
- - Always treat failure to allocate an RSA key as an unrecoverable
- allocation error.
- - Add some more defensive programming for architectures that can't
- handle unaligned integer accesses. We don't know of any actual bugs
- right now, but that's the best time to fix them. Fixes bug 1943.
- o Minor bugfixes (misc):
- - Fix a rare bug in rend_fn unit tests: we would fail a test when
- a randomly generated port is 0. Diagnosed by Matt Edman. Bugfix
- on 0.2.0.10-alpha; fixes bug 1808.
- - Where available, use Libevent 2.0's periodic timers so that our
- once-per-second cleanup code gets called even more closely to
- once per second than it would otherwise. Fixes bug 943.
- - Ignore OutboundBindAddress when connecting to localhost.
- Connections to localhost need to come _from_ localhost, or else
- local servers (like DNS and outgoing HTTP/SOCKS proxies) will often
- refuse to listen.
- - Update our OpenSSL 0.9.8l fix so that it works with OpenSSL 0.9.8m
- too.
- - If any of the v3 certs we download are unparseable, we should
- actually notice the failure so we don't retry indefinitely. Bugfix
- on 0.2.0.x; reported by "rotator".
- - When Tor fails to parse a descriptor of any kind, dump it to disk.
- Might help diagnosing bug 1051.
- - Make our 'torify' script more portable; if we have only one of
- 'torsocks' or 'tsocks' installed, don't complain to the user;
- and explain our warning about tsocks better.
- - Fix some urls in the exit notice file and make it XHTML1.1 strict
- compliant. Based on a patch from Christian Kujau.
- o Documentation changes:
- - Modernize the doxygen configuration file slightly. Fixes bug 2707.
- - Resolve all doxygen warnings except those for missing documentation.
- Fixes bug 2705.
- - Add doxygen documentation for more functions, fields, and types.
- - Convert the HACKING file to asciidoc, and add a few new sections
- to it, explaining how we use Git, how we make changelogs, and
- what should go in a patch.
- - Document the default socks host and port (127.0.0.1:9050) for
- tor-resolve.
- - Removed some unnecessary files from the source distribution. The
- AUTHORS file has now been merged into the people page on the
- website. The roadmaps and design doc can now be found in the
- projects directory in svn.
- o Deprecated and removed features (config):
- - Remove the torrc.complete file. It hasn't been kept up to date
- and users will have better luck checking out the manpage.
- - Remove the HSAuthorityRecordStats option that version 0 hidden
- service authorities could use to track statistics of overall v0
- hidden service usage.
- - Remove the obsolete "NoPublish" option; it has been flagged
- as obsolete and has produced a warning since 0.1.1.18-rc.
- - Caches no longer download and serve v2 networkstatus documents
- unless FetchV2Networkstatus flag is set: these documents haven't
- haven't been used by clients or relays since 0.2.0.x. Resolves
- bug 3022.
- o Deprecated and removed features (controller):
- - The controller no longer accepts the old obsolete "addr-mappings/"
- or "unregistered-servers-" GETINFO values.
- - The EXTENDED_EVENTS and VERBOSE_NAMES controller features are now
- always on; using them is necessary for correct forward-compatible
- controllers.
- o Deprecated and removed features (misc):
- - Hidden services no longer publish version 0 descriptors, and clients
- do not request or use version 0 descriptors. However, the old hidden
- service authorities still accept and serve version 0 descriptors
- when contacted by older hidden services/clients.
- - Remove undocumented option "-F" from tor-resolve: it hasn't done
- anything since 0.2.1.16-rc.
- - Remove everything related to building the expert bundle for OS X.
- It has confused many users, doesn't work right on OS X 10.6,
- and is hard to get rid of once installed. Resolves bug 1274.
- - Remove support for .noconnect style addresses. Nobody was using
- them, and they provided another avenue for detecting Tor users
- via application-level web tricks.
- - When we fixed bug 1038 we had to put in a restriction not to send
- RELAY_EARLY cells on rend circuits. This was necessary as long
- as relays using Tor 0.2.1.3-alpha through 0.2.1.18-alpha were
- active. Now remove this obsolete check. Resolves bug 2081.
- - Remove workaround code to handle directory responses from servers
- that had bug 539 (they would send HTTP status 503 responses _and_
- send a body too). Since only server versions before
- 0.2.0.16-alpha/0.1.2.19 were affected, there is no longer reason to
- keep the workaround in place.
- - Remove the old 'fuzzy time' logic. It was supposed to be used for
- handling calculations where we have a known amount of clock skew and
- an allowed amount of unknown skew. But we only used it in three
- places, and we never adjusted the known/unknown skew values. This is
- still something we might want to do someday, but if we do, we'll
- want to do it differently.
- - Remove the "--enable-iphone" option to ./configure. According to
- reports from Marco Bonetti, Tor builds fine without any special
- tweaking on recent iPhone SDK versions.
- Changes in version 0.2.1.30 - 2011-02-23
- Tor 0.2.1.30 fixes a variety of less critical bugs. The main other
- change is a slight tweak to Tor's TLS handshake that makes relays
- and bridges that run this new version reachable from Iran again.
- We don't expect this tweak will win the arms race long-term, but it
- buys us time until we roll out a better solution.
- o Major bugfixes:
- - Stop sending a CLOCK_SKEW controller status event whenever
- we fetch directory information from a relay that has a wrong clock.
- Instead, only inform the controller when it's a trusted authority
- that claims our clock is wrong. Bugfix on 0.1.2.6-alpha; fixes
- the rest of bug 1074.
- - Fix a bounds-checking error that could allow an attacker to
- remotely crash a directory authority. Bugfix on 0.2.1.5-alpha.
- Found by "piebeer".
- - If relays set RelayBandwidthBurst but not RelayBandwidthRate,
- Tor would ignore their RelayBandwidthBurst setting,
- potentially using more bandwidth than expected. Bugfix on
- 0.2.0.1-alpha. Reported by Paul Wouters. Fixes bug 2470.
- - Ignore and warn if the user mistakenly sets "PublishServerDescriptor
- hidserv" in her torrc. The 'hidserv' argument never controlled
- publication of hidden service descriptors. Bugfix on 0.2.0.1-alpha.
- o Minor features:
- - Adjust our TLS Diffie-Hellman parameters to match those used by
- Apache's mod_ssl.
- - Update to the February 1 2011 Maxmind GeoLite Country database.
- o Minor bugfixes:
- - Check for and reject overly long directory certificates and
- directory tokens before they have a chance to hit any assertions.
- Bugfix on 0.2.1.28. Found by "doorss".
- - Bring the logic that gathers routerinfos and assesses the
- acceptability of circuits into line. This prevents a Tor OP from
- getting locked in a cycle of choosing its local OR as an exit for a
- path (due to a .exit request) and then rejecting the circuit because
- its OR is not listed yet. It also prevents Tor clients from using an
- OR running in the same instance as an exit (due to a .exit request)
- if the OR does not meet the same requirements expected of an OR
- running elsewhere. Fixes bug 1859; bugfix on 0.1.0.1-rc.
- o Packaging changes:
- - Stop shipping the Tor specs files and development proposal documents
- in the tarball. They are now in a separate git repository at
- git://git.torproject.org/torspec.git
- - Do not include Git version tags as though they are SVN tags when
- generating a tarball from inside a repository that has switched
- between branches. Bugfix on 0.2.1.15-rc; fixes bug 2402.
- Changes in version 0.2.1.29 - 2011-01-15
- Tor 0.2.1.29 continues our recent code security audit work. The main
- fix resolves a remote heap overflow vulnerability that can allow remote
- code execution. Other fixes address a variety of assert and crash bugs,
- most of which we think are hard to exploit remotely.
- o Major bugfixes (security):
- - Fix a heap overflow bug where an adversary could cause heap
- corruption. This bug probably allows remote code execution
- attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on
- 0.1.2.10-rc.
- - Prevent a denial-of-service attack by disallowing any
- zlib-compressed data whose compression factor is implausibly
- high. Fixes part of bug 2324; reported by "doorss".
- - Zero out a few more keys in memory before freeing them. Fixes
- bug 2384 and part of bug 2385. These key instances found by
- "cypherpunks", based on Andrew Case's report about being able
- to find sensitive data in Tor's memory space if you have enough
- permissions. Bugfix on 0.0.2pre9.
- o Major bugfixes (crashes):
- - Prevent calls to Libevent from inside Libevent log handlers.
- This had potential to cause a nasty set of crashes, especially
- if running Libevent with debug logging enabled, and running
- Tor with a controller watching for low-severity log messages.
- Bugfix on 0.1.0.2-rc. Fixes bug 2190.
- - Add a check for SIZE_T_MAX to tor_realloc() to try to avoid
- underflow errors there too. Fixes the other part of bug 2324.
- - Fix a bug where we would assert if we ever had a
- cached-descriptors.new file (or another file read directly into
- memory) of exactly SIZE_T_CEILING bytes. Fixes bug 2326; bugfix
- on 0.2.1.25. Found by doorss.
- - Fix some potential asserts and parsing issues with grossly
- malformed router caches. Fixes bug 2352; bugfix on Tor 0.2.1.27.
- Found by doorss.
- o Minor bugfixes (other):
- - Fix a bug with handling misformed replies to reverse DNS lookup
- requests in DNSPort. Bugfix on Tor 0.2.0.1-alpha. Related to a
- bug reported by doorss.
- - Fix compilation on mingw when a pthreads compatibility library
- has been installed. (We don't want to use it, so we shouldn't
- be including pthread.h.) Fixes bug 2313; bugfix on 0.1.0.1-rc.
- - Fix a bug where we would declare that we had run out of virtual
- addresses when the address space was only half-exhausted. Bugfix
- on 0.1.2.1-alpha.
- - Correctly handle the case where AutomapHostsOnResolve is set but
- no virtual addresses are available. Fixes bug 2328; bugfix on
- 0.1.2.1-alpha. Bug found by doorss.
- - Correctly handle wrapping around when we run out of virtual
- address space. Found by cypherpunks; bugfix on 0.2.0.5-alpha.
- o Minor features:
- - Update to the January 1 2011 Maxmind GeoLite Country database.
- - Introduce output size checks on all of our decryption functions.
- o Build changes:
- - Tor does not build packages correctly with Automake 1.6 and earlier;
- added a check to Makefile.am to make sure that we're building with
- Automake 1.7 or later.
- - The 0.2.1.28 tarball was missing src/common/OpenBSD_malloc_Linux.c
- because we built it with a too-old version of automake. Thus that
- release broke ./configure --enable-openbsd-malloc, which is popular
- among really fast exit relays on Linux.
- Changes in version 0.2.1.28 - 2010-12-17
- Tor 0.2.1.28 does some code cleanup to reduce the risk of remotely
- exploitable bugs. We also took this opportunity to change the IP address
- for one of our directory authorities, and to update the geoip database
- we ship.
- o Major bugfixes:
- - Fix a remotely exploitable bug that could be used to crash instances
- of Tor remotely by overflowing on the heap. Remote-code execution
- hasn't been confirmed, but can't be ruled out. Everyone should
- upgrade. Bugfix on the 0.1.1 series and later.
- o Directory authority changes:
- - Change IP address and ports for gabelmoo (v3 directory authority).
- o Minor features:
- - Update to the December 1 2010 Maxmind GeoLite Country database.
- Changes in version 0.2.1.27 - 2010-11-23
- Yet another OpenSSL security patch broke its compatibility with Tor:
- Tor 0.2.1.27 makes relays work with openssl 0.9.8p and 1.0.0.b. We
- also took this opportunity to fix several crash bugs, integrate a new
- directory authority, and update the bundled GeoIP database.
- o Major bugfixes:
- - Resolve an incompatibility with OpenSSL 0.9.8p and OpenSSL 1.0.0b:
- No longer set the tlsext_host_name extension on server SSL objects;
- but continue to set it on client SSL objects. Our goal in setting
- it was to imitate a browser, not a vhosting server. Fixes bug 2204;
- bugfix on 0.2.1.1-alpha.
- - Do not log messages to the controller while shrinking buffer
- freelists. Doing so would sometimes make the controller connection
- try to allocate a buffer chunk, which would mess up the internals
- of the freelist and cause an assertion failure. Fixes bug 1125;
- fixed by Robert Ransom. Bugfix on 0.2.0.16-alpha.
- - Learn our external IP address when we're a relay or bridge, even if
- we set PublishServerDescriptor to 0. Bugfix on 0.2.0.3-alpha,
- where we introduced bridge relays that don't need to publish to
- be useful. Fixes bug 2050.
- - Do even more to reject (and not just ignore) annotations on
- router descriptors received anywhere but from the cache. Previously
- we would ignore such annotations at first, but cache them to disk
- anyway. Bugfix on 0.2.0.8-alpha. Found by piebeer.
- - When you're using bridges and your network goes away and your
- bridges get marked as down, recover when you attempt a new socks
- connection (if the network is back), rather than waiting up to an
- hour to try fetching new descriptors for your bridges. Bugfix on
- 0.2.0.3-alpha; fixes bug 1981.
- o Major features:
- - Move to the November 2010 Maxmind GeoLite country db (rather
- than the June 2009 ip-to-country GeoIP db) for our statistics that
- count how many users relays are seeing from each country. Now we'll
- have more accurate data, especially for many African countries.
- o New directory authorities:
- - Set up maatuska (run by Linus Nordberg) as the eighth v3 directory
- authority.
- o Minor bugfixes:
- - Fix an assertion failure that could occur in directory caches or
- bridge users when using a very short voting interval on a testing
- network. Diagnosed by Robert Hogan. Fixes bug 1141; bugfix on
- 0.2.0.8-alpha.
- - Enforce multiplicity rules when parsing annotations. Bugfix on
- 0.2.0.8-alpha. Found by piebeer.
- - Allow handshaking OR connections to take a full KeepalivePeriod
- seconds to handshake. Previously, we would close them after
- IDLE_OR_CONN_TIMEOUT (180) seconds, the same timeout as if they
- were open. Bugfix on 0.2.1.26; fixes bug 1840. Thanks to mingw-san
- for analysis help.
- - When building with --enable-gcc-warnings on OpenBSD, disable
- warnings in system headers. This makes --enable-gcc-warnings
- pass on OpenBSD 4.8.
- o Minor features:
- - Exit nodes didn't recognize EHOSTUNREACH as a plausible error code,
- and so sent back END_STREAM_REASON_MISC. Clients now recognize a new
- stream ending reason for this case: END_STREAM_REASON_NOROUTE.
- Servers can start sending this code when enough clients recognize
- it. Bugfix on 0.1.0.1-rc; fixes part of bug 1793.
- - Build correctly on mingw with more recent versions of OpenSSL 0.9.8.
- Patch from mingw-san.
- o Removed files:
- - Remove the old debian/ directory from the main Tor distribution.
- The official Tor-for-debian git repository lives at the URL
- https://git.torproject.org/debian/tor.git
- - Stop shipping the old doc/website/ directory in the tarball. We
- changed the website format in late 2010, and what we shipped in
- 0.2.1.26 really wasn't that useful anyway.
- Changes in version 0.2.1.26 - 2010-05-02
- Tor 0.2.1.26 addresses the recent connection and memory overload
- problems we've been seeing on relays, especially relays with their
- DirPort open. If your relay has been crashing, or you turned it off
- because it used too many resources, give this release a try.
- This release also fixes yet another instance of broken OpenSSL libraries
- that was causing some relays to drop out of the consensus.
- o Major bugfixes:
- - Teach relays to defend themselves from connection overload. Relays
- now close idle circuits early if it looks like they were intended
- for directory fetches. Relays are also more aggressive about closing
- TLS connections that have no circuits on them. Such circuits are
- unlikely to be re-used, and tens of thousands of them were piling
- up at the fast relays, causing the relays to run out of sockets
- and memory. Bugfix on 0.2.0.22-rc (where clients started tunneling
- their directory fetches over TLS).
- - Fix SSL renegotiation behavior on OpenSSL versions like on Centos
- that claim to be earlier than 0.9.8m, but which have in reality
- backported huge swaths of 0.9.8m or 0.9.8n renegotiation
- behavior. Possible fix for some cases of bug 1346.
- - Directory mirrors were fetching relay descriptors only from v2
- directory authorities, rather than v3 authorities like they should.
- Only 2 v2 authorities remain (compared to 7 v3 authorities), leading
- to a serious bottleneck. Bugfix on 0.2.0.9-alpha. Fixes bug 1324.
- o Minor bugfixes:
- - Finally get rid of the deprecated and now harmful notion of "clique
- mode", where directory authorities maintain TLS connections to
- every other relay.
- o Testsuite fixes:
- - In the util/threads test, no longer free the test_mutex before all
- worker threads have finished. Bugfix on 0.2.1.6-alpha.
- - The master thread could starve the worker threads quite badly on
- certain systems, causing them to run only partially in the allowed
- window. This resulted in test failures. Now the master thread sleeps
- occasionally for a few microseconds while the two worker-threads
- compete for the mutex. Bugfix on 0.2.0.1-alpha.
- Changes in version 0.2.1.25 - 2010-03-16
- Tor 0.2.1.25 fixes a regression introduced in 0.2.1.23 that could
- prevent relays from guessing their IP address correctly. It also fixes
- several minor potential security bugs.
- o Major bugfixes:
- - Fix a regression from our patch for bug 1244 that caused relays
- to guess their IP address incorrectly if they didn't set Address
- in their torrc and/or their address fails to resolve. Bugfix on
- 0.2.1.23; fixes bug 1269.
- - When freeing a session key, zero it out completely. We only zeroed
- the first ptrsize bytes. Bugfix on 0.0.2pre8. Discovered and
- patched by ekir. Fixes bug 1254.
- o Minor bugfixes:
- - Fix a dereference-then-NULL-check sequence when publishing
- descriptors. Bugfix on 0.2.1.5-alpha. Discovered by ekir; fixes
- bug 1255.
- - Fix another dereference-then-NULL-check sequence. Bugfix on
- 0.2.1.14-rc. Discovered by ekir; fixes bug 1256.
- - Make sure we treat potentially not NUL-terminated strings correctly.
- Bugfix on 0.1.1.13-alpha. Discovered by rieo; fixes bug 1257.
- Changes in version 0.2.1.24 - 2010-02-21
- Tor 0.2.1.24 makes Tor work again on the latest OS X -- this time
- for sure!
- o Minor bugfixes:
- - Work correctly out-of-the-box with even more vendor-patched versions
- of OpenSSL. In particular, make it so Debian and OS X don't need
- customized patches to run/build.
- Changes in version 0.2.1.23 - 2010-02-13
- Tor 0.2.1.23 fixes a huge client-side performance bug, makes Tor work
- again on the latest OS X, and updates the location of a directory
- authority.
- o Major bugfixes (performance):
- - We were selecting our guards uniformly at random, and then weighting
- which of our guards we'd use uniformly at random. This imbalance
- meant that Tor clients were severely limited on throughput (and
- probably latency too) by the first hop in their circuit. Now we
- select guards weighted by currently advertised bandwidth. We also
- automatically discard guards picked using the old algorithm. Fixes
- bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.
- o Major bugfixes:
- - Make Tor work again on the latest OS X: when deciding whether to
- use strange flags to turn TLS renegotiation on, detect the OpenSSL
- version at run-time, not compile time. We need to do this because
- Apple doesn't update its dev-tools headers when it updates its
- libraries in a security patch.
- - Fix a potential buffer overflow in lookup_last_hid_serv_request()
- that could happen on 32-bit platforms with 64-bit time_t. Also fix
- a memory leak when requesting a hidden service descriptor we've
- requested before. Fixes bug 1242, bugfix on 0.2.0.18-alpha. Found
- by aakova.
- o Minor bugfixes:
- - Refactor resolve_my_address() to not use gethostbyname() anymore.
- Fixes bug 1244; bugfix on 0.0.2pre25. Reported by Mike Mestnik.
- o Minor features:
- - Avoid a mad rush at the beginning of each month when each client
- rotates half of its guards. Instead we spread the rotation out
- throughout the month, but we still avoid leaving a precise timestamp
- in the state file about when we first picked the guard. Improves
- over the behavior introduced in 0.1.2.17.
- Changes in version 0.2.1.22 - 2010-01-19
- Tor 0.2.1.22 fixes a critical privacy problem in bridge directory
- authorities -- it would tell you its whole history of bridge descriptors
- if you make the right directory request. This stable update also
- rotates two of the seven v3 directory authority keys and locations.
- o Directory authority changes:
- - Rotate keys (both v3 identity and relay identity) for moria1
- and gabelmoo.
- o Major bugfixes:
- - Stop bridge directory authorities from answering dbg-stability.txt
- directory queries, which would let people fetch a list of all
- bridge identities they track. Bugfix on 0.2.1.6-alpha.
- Changes in version 0.2.1.21 - 2009-12-21
- Tor 0.2.1.21 fixes an incompatibility with the most recent OpenSSL
- library. If you use Tor on Linux / Unix and you're getting SSL
- renegotiation errors, upgrading should help. We also recommend an
- upgrade if you're an exit relay.
- o Major bugfixes:
- - Work around a security feature in OpenSSL 0.9.8l that prevents our
- handshake from working unless we explicitly tell OpenSSL that we
- are using SSL renegotiation safely. We are, of course, but OpenSSL
- 0.9.8l won't work unless we say we are.
- - Avoid crashing if the client is trying to upload many bytes and the
- circuit gets torn down at the same time, or if the flip side
- happens on the exit relay. Bugfix on 0.2.0.1-alpha; fixes bug 1150.
- o Minor bugfixes:
- - Do not refuse to learn about authority certs and v2 networkstatus
- documents that are older than the latest consensus. This bug might
- have degraded client bootstrapping. Bugfix on 0.2.0.10-alpha.
- Spotted and fixed by xmux.
- - Fix a couple of very-hard-to-trigger memory leaks, and one hard-to-
- trigger platform-specific option misparsing case found by Coverity
- Scan.
- - Fix a compilation warning on Fedora 12 by removing an impossible-to-
- trigger assert. Fixes bug 1173.
- Changes in version 0.2.1.20 - 2009-10-15
- Tor 0.2.1.20 fixes a crash bug when you're accessing many hidden
- services at once, prepares for more performance improvements, and
- fixes a bunch of smaller bugs.
- The Windows and OS X bundles also include a more recent Vidalia,
- and switch from Privoxy to Polipo.
- The OS X installers are now drag and drop. It's best to un-install
- Tor/Vidalia and then install this new bundle, rather than upgrade. If
- you want to upgrade, you'll need to update the paths for Tor and Polipo
- in the Vidalia Settings window.
- o Major bugfixes:
- - Send circuit or stream sendme cells when our window has decreased
- by 100 cells, not when it has decreased by 101 cells. Bug uncovered
- by Karsten when testing the "reduce circuit window" performance
- patch. Bugfix on the 54th commit on Tor -- from July 2002,
- before the release of Tor 0.0.0. This is the new winner of the
- oldest-bug prize.
- - Fix a remotely triggerable memory leak when a consensus document
- contains more than one signature from the same voter. Bugfix on
- 0.2.0.3-alpha.
- - Avoid segfault in rare cases when finishing an introduction circuit
- as a client and finding out that we don't have an introduction key
- for it. Fixes bug 1073. Reported by Aaron Swartz.
- o Major features:
- - Tor now reads the "circwindow" parameter out of the consensus,
- and uses that value for its circuit package window rather than the
- default of 1000 cells. Begins the implementation of proposal 168.
- o New directory authorities:
- - Set up urras (run by Jacob Appelbaum) as the seventh v3 directory
- authority.
- - Move moria1 and tonga to alternate IP addresses.
- o Minor bugfixes:
- - Fix a signed/unsigned compile warning in 0.2.1.19.
- - Fix possible segmentation fault on directory authorities. Bugfix on
- 0.2.1.14-rc.
- - Fix an extremely rare infinite recursion bug that could occur if
- we tried to log a message after shutting down the log subsystem.
- Found by Matt Edman. Bugfix on 0.2.0.16-alpha.
- - Fix an obscure bug where hidden services on 64-bit big-endian
- systems might mis-read the timestamp in v3 introduce cells, and
- refuse to connect back to the client. Discovered by "rotor".
- Bugfix on 0.2.1.6-alpha.
- - We were triggering a CLOCK_SKEW controller status event whenever
- we connect via the v2 connection protocol to any relay that has
- a wrong clock. Instead, we should only inform the controller when
- it's a trusted authority that claims our clock is wrong. Bugfix
- on 0.2.0.20-rc; starts to fix bug 1074. Reported by SwissTorExit.
- - We were telling the controller about CHECKING_REACHABILITY and
- REACHABILITY_FAILED status events whenever we launch a testing
- circuit or notice that one has failed. Instead, only tell the
- controller when we want to inform the user of overall success or
- overall failure. Bugfix on 0.1.2.6-alpha. Fixes bug 1075. Reported
- by SwissTorExit.
- - Don't warn when we're using a circuit that ends with a node
- excluded in ExcludeExitNodes, but the circuit is not used to access
- the outside world. This should help fix bug 1090. Bugfix on
- 0.2.1.6-alpha.
- - Work around a small memory leak in some versions of OpenSSL that
- stopped the memory used by the hostname TLS extension from being
- freed.
- o Minor features:
- - Add a "getinfo status/accepted-server-descriptor" controller
- command, which is the recommended way for controllers to learn
- whether our server descriptor has been successfully received by at
- least on directory authority. Un-recommend good-server-descriptor
- getinfo and status events until we have a better design for them.
- Changes in version 0.2.1.19 - 2009-07-28
- Tor 0.2.1.19 fixes a major bug with accessing and providing hidden
- services.
- o Major bugfixes:
- - Make accessing hidden services on 0.2.1.x work right again.
- Bugfix on 0.2.1.3-alpha; workaround for bug 1038. Diagnosis and
- part of patch provided by "optimist".
- o Minor features:
- - When a relay/bridge is writing out its identity key fingerprint to
- the "fingerprint" file and to its logs, write it without spaces. Now
- it will look like the fingerprints in our bridges documentation,
- and confuse fewer users.
- o Minor bugfixes:
- - Relays no longer publish a new server descriptor if they change
- their MaxAdvertisedBandwidth config option but it doesn't end up
- changing their advertised bandwidth numbers. Bugfix on 0.2.0.28-rc;
- fixes bug 1026. Patch from Sebastian.
- - Avoid leaking memory every time we get a create cell but we have
- so many already queued that we refuse it. Bugfix on 0.2.0.19-alpha;
- fixes bug 1034. Reported by BarkerJr.
- Changes in version 0.2.1.18 - 2009-07-24
- Tor 0.2.1.18 lays the foundations for performance improvements,
- adds status events to help users diagnose bootstrap problems, adds
- optional authentication/authorization for hidden services, fixes a
- variety of potential anonymity problems, and includes a huge pile of
- other features and bug fixes.
- o Major features (clients):
- - Start sending "bootstrap phase" status events to the controller,
- so it can keep the user informed of progress fetching directory
- information and establishing circuits. Also inform the controller
- if we think we're stuck at a particular bootstrap phase. Implements
- proposal 137.
- - Clients replace entry guards that were chosen more than a few months
- ago. This change should significantly improve client performance,
- especially once more people upgrade, since relays that have been
- a guard for a long time are currently overloaded.
- - Network status consensus documents and votes now contain bandwidth
- information for each relay. Clients use the bandwidth values
- in the consensus, rather than the bandwidth values in each
- relay descriptor. This approach opens the door to more accurate
- bandwidth estimates once the directory authorities start doing
- active measurements. Implements part of proposal 141.
- o Major features (relays):
- - Disable and refactor some debugging checks that forced a linear scan
- over the whole server-side DNS cache. These accounted for over 50%
- of CPU time on a relatively busy exit node's gprof profile. Also,
- disable some debugging checks that appeared in exit node profile
- data. Found by Jacob.
- - New DirPortFrontPage option that takes an html file and publishes
- it as "/" on the DirPort. Now relay operators can provide a
- disclaimer without needing to set up a separate webserver. There's
- a sample disclaimer in contrib/tor-exit-notice.html.
- o Major features (hidden services):
- - Make it possible to build hidden services that only certain clients
- are allowed to connect to. This is enforced at several points,
- so that unauthorized clients are unable to send INTRODUCE cells
- to the service, or even (depending on the type of authentication)
- to learn introduction points. This feature raises the bar for
- certain kinds of active attacks against hidden services. Design
- and code by Karsten Loesing. Implements proposal 121.
- - Relays now store and serve v2 hidden service descriptors by default,
- i.e., the new default value for HidServDirectoryV2 is 1. This is
- the last step in proposal 114, which aims to make hidden service
- lookups more reliable.
- o Major features (path selection):
- - ExitNodes and Exclude*Nodes config options now allow you to restrict
- by country code ("{US}") or IP address or address pattern
- ("255.128.0.0/16"). Patch from Robert Hogan. It still needs some
- refinement to decide what config options should take priority if
- you ask to both use a particular node and exclude it.
- o Major features (misc):
- - When building a consensus, do not include routers that are down.
- This cuts down 30% to 40% on consensus size. Implements proposal
- 138.
- - New TestingTorNetwork config option to allow adjustment of
- previously constant values that could slow bootstrapping. Implements
- proposal 135. Patch from Karsten.
- - Convert many internal address representations to optionally hold
- IPv6 addresses. Generate and accept IPv6 addresses in many protocol
- elements. Make resolver code handle nameservers located at IPv6
- addresses.
- - More work on making our TLS handshake blend in: modify the list
- of ciphers advertised by OpenSSL in client mode to even more
- closely resemble a common web browser. We cheat a little so that
- we can advertise ciphers that the locally installed OpenSSL doesn't
- know about.
- - Use the TLS1 hostname extension to more closely resemble browser
- behavior.
- o Security fixes (anonymity/entropy):
- - Never use a connection with a mismatched address to extend a
- circuit, unless that connection is canonical. A canonical
- connection is one whose address is authenticated by the router's
- identity key, either in a NETINFO cell or in a router descriptor.
- - Implement most of proposal 110: The first K cells to be sent
- along a circuit are marked as special "early" cells; only K "early"
- cells will be allowed. Once this code is universal, we can block
- certain kinds of denial-of-service attack by requiring that EXTEND
- commands must be sent using an "early" cell.
- - Resume using OpenSSL's RAND_poll() for better (and more portable)
- cross-platform entropy collection again. We used to use it, then
- stopped using it because of a bug that could crash systems that
- called RAND_poll when they had a lot of fds open. It looks like the
- bug got fixed in late 2006. Our new behavior is to call RAND_poll()
- at startup, and to call RAND_poll() when we reseed later only if
- we have a non-buggy OpenSSL version.
- - When the client is choosing entry guards, now it selects at most
- one guard from a given relay family. Otherwise we could end up with
- all of our entry points into the network run by the same operator.
- Suggested by Camilo Viecco. Fix on 0.1.1.11-alpha.
- - Do not use or believe expired v3 authority certificates. Patch
- from Karsten. Bugfix in 0.2.0.x. Fixes bug 851.
- - Drop begin cells to a hidden service if they come from the middle
- of a circuit. Patch from lark.
- - When we erroneously receive two EXTEND cells for the same circuit
- ID on the same connection, drop the second. Patch from lark.
- - Authorities now vote for the Stable flag for any router whose
- weighted MTBF is at least 5 days, regardless of the mean MTBF.
- - Clients now never report any stream end reason except 'MISC'.
- Implements proposal 148.
- o Major bugfixes (crashes):
- - Parse dates and IPv4 addresses in a locale- and libc-independent
- manner, to avoid platform-dependent behavior on malformed input.
- - Fix a crash that occurs on exit nodes when a nameserver request
- timed out. Bugfix on 0.1.2.1-alpha; our CLEAR debugging code had
- been suppressing the bug since 0.1.2.10-alpha. Partial fix for
- bug 929.
- - Do not assume that a stack-allocated character array will be
- 64-bit aligned on platforms that demand that uint64_t access is
- aligned. Possible fix for bug 604.
- - Resolve a very rare crash bug that could occur when the user forced
- a nameserver reconfiguration during the middle of a nameserver
- probe. Fixes bug 526. Bugfix on 0.1.2.1-alpha.
- - Avoid a "0 divided by 0" calculation when calculating router uptime
- at directory authorities. Bugfix on 0.2.0.8-alpha.
- - Fix an assertion bug in parsing policy-related options; possible fix
- for bug 811.
- - Rate-limit too-many-sockets messages: when they happen, they happen
- a lot and end up filling up the disk. Resolves bug 748.
- - Fix a race condition that could cause crashes or memory corruption
- when running as a server with a controller listening for log
- messages.
- - Avoid crashing when we have a policy specified in a DirPolicy or
- SocksPolicy or ReachableAddresses option with ports set on it,
- and we re-load the policy. May fix bug 996.
- - Fix an assertion failure on 64-bit platforms when we allocated
- memory right up to the end of a memarea, then realigned the memory
- one step beyond the end. Fixes a possible cause of bug 930.
- - Protect the count of open sockets with a mutex, so we can't
- corrupt it when two threads are closing or opening sockets at once.
- Fix for bug 939. Bugfix on 0.2.0.1-alpha.
- o Major bugfixes (clients):
- - Discard router descriptors as we load them if they are more than
- five days old. Otherwise if Tor is off for a long time and then
- starts with cached descriptors, it will try to use the onion keys
- in those obsolete descriptors when building circuits. Fixes bug 887.
- - When we choose to abandon a new entry guard because we think our
- older ones might be better, close any circuits pending on that
- new entry guard connection. This fix should make us recover much
- faster when our network is down and then comes back. Bugfix on
- 0.1.2.8-beta; found by lodger.
- - When Tor clients restart after 1-5 days, they discard all their
- cached descriptors as too old, but they still use the cached
- consensus document. This approach is good for robustness, but
- bad for performance: since they don't know any bandwidths, they
- end up choosing at random rather than weighting their choice by
- speed. Fixed by the above feature of putting bandwidths in the
- consensus.
- o Major bugfixes (relays):
- - Relays were falling out of the networkstatus consensus for
- part of a day if they changed their local config but the
- authorities discarded their new descriptor as "not sufficiently
- different". Now directory authorities accept a descriptor as changed
- if BandwidthRate or BandwidthBurst changed. Partial fix for bug 962;
- patch by Sebastian.
- - Ensure that two circuits can never exist on the same connection
- with the same circuit ID, even if one is marked for close. This
- is conceivably a bugfix for bug 779; fixes a bug on 0.1.0.4-rc.
- - Directory authorities were neglecting to mark relays down in their
- internal histories if the relays fall off the routerlist without
- ever being found unreachable. So there were relays in the histories
- that haven't been seen for eight months, and are listed as being
- up for eight months. This wreaked havoc on the "median wfu" and
- "median mtbf" calculations, in turn making Guard and Stable flags
- wrong, hurting network performance. Fixes bugs 696 and 969. Bugfix
- on 0.2.0.6-alpha.
- o Major bugfixes (hidden services):
- - When establishing a hidden service, introduction points that
- originate from cannibalized circuits were completely ignored
- and not included in rendezvous service descriptors. This might
- have been another reason for delay in making a hidden service
- available. Bugfix from long ago (0.0.9.x?)
- o Major bugfixes (memory and resource management):
- - Fixed some memory leaks -- some quite frequent, some almost
- impossible to trigger -- based on results from Coverity.
- - Speed up parsing and cut down on memory fragmentation by using
- stack-style allocations for parsing directory objects. Previously,
- this accounted for over 40% of allocations from within Tor's code
- on a typical directory cache.
- - Use a Bloom filter rather than a digest-based set to track which
- descriptors we need to keep around when we're cleaning out old
- router descriptors. This speeds up the computation significantly,
- and may reduce fragmentation.
- o New/changed config options:
- - Now NodeFamily and MyFamily config options allow spaces in
- identity fingerprints, so it's easier to paste them in.
- Suggested by Lucky Green.
- - Allow ports 465 and 587 in the default exit policy again. We had
- rejected them in 0.1.0.15, because back in 2005 they were commonly
- misconfigured and ended up as spam targets. We hear they are better
- locked down these days.
- - Make TrackHostExit mappings expire a while after their last use, not
- after their creation. Patch from Robert Hogan.
- - Add an ExcludeExitNodes option so users can list a set of nodes
- that should be be excluded from the exit node position, but
- allowed elsewhere. Implements proposal 151.
- - New --hush command-line option similar to --quiet. While --quiet
- disables all logging to the console on startup, --hush limits the
- output to messages of warning and error severity.
- - New configure/torrc options (--enable-geoip-stats,
- DirRecordUsageByCountry) to record how many IPs we've served
- directory info to in each country code, how many status documents
- total we've sent to each country code, and what share of the total
- directory requests we should expect to see.
- - Make outbound DNS packets respect the OutboundBindAddress setting.
- Fixes the bug part of bug 798. Bugfix on 0.1.2.2-alpha.
- - Allow separate log levels to be configured for different logging
- domains. For example, this allows one to log all notices, warnings,
- or errors, plus all memory management messages of level debug or
- higher, with: Log [MM] debug-err [*] notice-err file /var/log/tor.
- - Update to the "June 3 2009" ip-to-country file.
- o Minor features (relays):
- - Raise the minimum rate limiting to be a relay from 20000 bytes
- to 20480 bytes (aka 20KB/s), to match our documentation. Also
- update directory authorities so they always assign the Fast flag
- to relays with 20KB/s of capacity. Now people running relays won't
- suddenly find themselves not seeing any use, if the network gets
- faster on average.
- - If we're a relay and we change our IP address, be more verbose
- about the reason that made us change. Should help track down
- further bugs for relays on dynamic IP addresses.
- - Exit servers can now answer resolve requests for ip6.arpa addresses.
- - Implement most of Proposal 152: allow specialized servers to permit
- single-hop circuits, and clients to use those servers to build
- single-hop circuits when using a specialized controller. Patch
- from Josh Albrecht. Resolves feature request 768.
- - When relays do their initial bandwidth measurement, don't limit
- to just our entry guards for the test circuits. Otherwise we tend
- to have multiple test circuits going through a single entry guard,
- which makes our bandwidth test less accurate. Fixes part of bug 654;
- patch contributed by Josh Albrecht.
- o Minor features (directory authorities):
- - Try not to open more than one descriptor-downloading connection
- to an authority at once. This should reduce load on directory
- authorities. Fixes bug 366.
- - Add cross-certification to newly generated certificates, so that
- a signing key is enough information to look up a certificate. Start
- serving certificates by <identity digest, signing key digest>
- pairs. Implements proposal 157.
- - When a directory authority downloads a descriptor that it then
- immediately rejects, do not retry downloading it right away. Should
- save some bandwidth on authorities. Fix for bug 888. Patch by
- Sebastian Hahn.
- - Directory authorities now serve a /tor/dbg-stability.txt URL to
- help debug WFU and MTBF calculations.
- - In directory authorities' approved-routers files, allow
- fingerprints with or without space.
- o Minor features (directory mirrors):
- - When a download gets us zero good descriptors, do not notify
- Tor that new directory information has arrived.
- - Servers support a new URL scheme for consensus downloads that
- allows the client to specify which authorities are trusted.
- The server then only sends the consensus if the client will trust
- it. Otherwise a 404 error is sent back. Clients use this
- new scheme when the server supports it (meaning it's running
- 0.2.1.1-alpha or later). Implements proposal 134.
- o Minor features (bridges):
- - If the bridge config line doesn't specify a port, assume 443.
- This makes bridge lines a bit smaller and easier for users to
- understand.
- - If we're using bridges and our network goes away, be more willing
- to forgive our bridges and try again when we get an application
- request.
- o Minor features (hidden services):
- - When the client launches an introduction circuit, retry with a
- new circuit after 30 seconds rather than 60 seconds.
- - Launch a second client-side introduction circuit in parallel
- after a delay of 15 seconds (based on work by Christian Wilms).
- - Hidden services start out building five intro circuits rather
- than three, and when the first three finish they publish a service
- descriptor using those. Now we publish our service descriptor much
- faster after restart.
- - Drop the requirement to have an open dir port for storing and
- serving v2 hidden service descriptors.
- o Minor features (build and packaging):
- - On Linux, use the prctl call to re-enable core dumps when the User
- option is set.
- - Try to make sure that the version of Libevent we're running with
- is binary-compatible with the one we built with. May address bug
- 897 and others.
- - Add a new --enable-local-appdata configuration switch to change
- the default location of the datadir on win32 from APPDATA to
- LOCAL_APPDATA. In the future, we should migrate to LOCAL_APPDATA
- entirely. Patch from coderman.
- - Build correctly against versions of OpenSSL 0.9.8 or later that
- are built without support for deprecated functions.
- - On platforms with a maximum syslog string length, truncate syslog
- messages to that length ourselves, rather than relying on the
- system to do it for us.
- - Automatically detect MacOSX versions earlier than 10.4.0, and
- disable kqueue from inside Tor when running with these versions.
- We previously did this from the startup script, but that was no
- help to people who didn't use the startup script. Resolves bug 863.
- - Build correctly when configured to build outside the main source
- path. Patch from Michael Gold.
- - Disable GCC's strict alias optimization by default, to avoid the
- likelihood of its introducing subtle bugs whenever our code violates
- the letter of C99's alias rules.
- - Change the contrib/tor.logrotate script so it makes the new
- logs as "_tor:_tor" rather than the default, which is generally
- "root:wheel". Fixes bug 676, reported by Serge Koksharov.
- - Change our header file guard macros to be less likely to conflict
- with system headers. Adam Langley noticed that we were conflicting
- with log.h on Android.
- - Add a couple of extra warnings to --enable-gcc-warnings for GCC 4.3,
- and stop using a warning that had become unfixably verbose under
- GCC 4.3.
- - Use a lockfile to make sure that two Tor processes are not
- simultaneously running with the same datadir.
- - Allow OpenSSL to use dynamic locks if it wants.
- - Add LIBS=-lrt to Makefile.am so the Tor RPMs use a static libevent.
- o Minor features (controllers):
- - When generating circuit events with verbose nicknames for
- controllers, try harder to look up nicknames for routers on a
- circuit. (Previously, we would look in the router descriptors we had
- for nicknames, but not in the consensus.) Partial fix for bug 941.
- - New controller event NEWCONSENSUS that lists the networkstatus
- lines for every recommended relay. Now controllers like Torflow
- can keep up-to-date on which relays they should be using.
- - New controller event "clients_seen" to report a geoip-based summary
- of which countries we've seen clients from recently. Now controllers
- like Vidalia can show bridge operators that they're actually making
- a difference.
- - Add a 'getinfo status/clients-seen' controller command, in case
- controllers want to hear clients_seen events but connect late.
- - New CONSENSUS_ARRIVED event to note when a new consensus has
- been fetched and validated.
- - Add an internal-use-only __ReloadTorrcOnSIGHUP option for
- controllers to prevent SIGHUP from reloading the configuration.
- Fixes bug 856.
- - Return circuit purposes in response to GETINFO circuit-status.
- Fixes bug 858.
- - Serve the latest v3 networkstatus consensus via the control
- port. Use "getinfo dir/status-vote/current/consensus" to fetch it.
- - Add a "GETINFO /status/bootstrap-phase" controller option, so the
- controller can query our current bootstrap state in case it attaches
- partway through and wants to catch up.
- - Provide circuit purposes along with circuit events to the controller.
- o Minor features (tools):
- - Do not have tor-resolve automatically refuse all .onion addresses;
- if AutomapHostsOnResolve is set in your torrc, this will work fine.
- - Add a -p option to tor-resolve for specifying the SOCKS port: some
- people find host:port too confusing.
- - Print the SOCKS5 error message string as well as the error code
- when a tor-resolve request fails. Patch from Jacob.
- o Minor bugfixes (memory and resource management):
- - Clients no longer cache certificates for authorities they do not
- recognize. Bugfix on 0.2.0.9-alpha.
- - Do not use C's stdio library for writing to log files. This will
- improve logging performance by a minute amount, and will stop
- leaking fds when our disk is full. Fixes bug 861.
- - Stop erroneous use of O_APPEND in cases where we did not in fact
- want to re-seek to the end of a file before every last write().
- - Fix a small alignment and memory-wasting bug on buffer chunks.
- Spotted by rovv.
- - Add a malloc_good_size implementation to OpenBSD_malloc_linux.c,
- to avoid unused RAM in buffer chunks and memory pools.
- - Reduce the default smartlist size from 32 to 16; it turns out that
- most smartlists hold around 8-12 elements tops.
- - Make dumpstats() log the fullness and size of openssl-internal
- buffers.
- - If the user has applied the experimental SSL_MODE_RELEASE_BUFFERS
- patch to their OpenSSL, turn it on to save memory on servers. This
- patch will (with any luck) get included in a mainline distribution
- before too long.
- - Fix a memory leak when v3 directory authorities load their keys
- and cert from disk. Bugfix on 0.2.0.1-alpha.
- - Stop using malloc_usable_size() to use more area than we had
- actually allocated: it was safe, but made valgrind really unhappy.
- - Make the assert_circuit_ok() function work correctly on circuits that
- have already been marked for close.
- - Fix uninitialized size field for memory area allocation: may improve
- memory performance during directory parsing.
- o Minor bugfixes (clients):
- - Stop reloading the router list from disk for no reason when we
- run out of reachable directory mirrors. Once upon a time reloading
- it would set the 'is_running' flag back to 1 for them. It hasn't
- done that for a long time.
- - When we had picked an exit node for a connection, but marked it as
- "optional", and it turned out we had no onion key for the exit,
- stop wanting that exit and try again. This situation may not
- be possible now, but will probably become feasible with proposal
- 158. Spotted by rovv. Fixes another case of bug 752.
- - Fix a bug in address parsing that was preventing bridges or hidden
- service targets from being at IPv6 addresses.
- - Do not remove routers as too old if we do not have any consensus
- document. Bugfix on 0.2.0.7-alpha.
- - When an exit relay resolves a stream address to a local IP address,
- do not just keep retrying that same exit relay over and
- over. Instead, just close the stream. Addresses bug 872. Bugfix
- on 0.2.0.32. Patch from rovv.
- - Made Tor a little less aggressive about deleting expired
- certificates. Partial fix for bug 854.
- - Treat duplicate certificate fetches as failures, so that we do
- not try to re-fetch an expired certificate over and over and over.
- - Do not say we're fetching a certificate when we'll in fact skip it
- because of a pending download.
- - If we have correct permissions on $datadir, we complain to stdout
- and fail to start. But dangerous permissions on
- $datadir/cached-status/ would cause us to open a log and complain
- there. Now complain to stdout and fail to start in both cases. Fixes
- bug 820, reported by seeess.
- o Minor bugfixes (bridges):
- - When we made bridge authorities stop serving bridge descriptors over
- unencrypted links, we also broke DirPort reachability testing for
- bridges. So bridges with a non-zero DirPort were printing spurious
- warns to their logs. Bugfix on 0.2.0.16-alpha. Fixes bug 709.
- - Don't allow a bridge to publish its router descriptor to a
- non-bridge directory authority. Fixes part of bug 932.
- - When we change to or from being a bridge, reset our counts of
- client usage by country. Fixes bug 932.
- o Minor bugfixes (relays):
- - Log correct error messages for DNS-related network errors on
- Windows.
- - Actually return -1 in the error case for read_bandwidth_usage().
- Harmless bug, since we currently don't care about the return value
- anywhere. Bugfix on 0.2.0.9-alpha.
- - Provide a more useful log message if bug 977 (related to buffer
- freelists) ever reappears, and do not crash right away.
- - We were already rejecting relay begin cells with destination port
- of 0. Now also reject extend cells with destination port or address
- of 0. Suggested by lark.
- - When we can't transmit a DNS request due to a network error, retry
- it after a while, and eventually transmit a failing response to
- the RESOLVED cell. Bugfix on 0.1.2.5-alpha.
- - Solve a bug that kept hardware crypto acceleration from getting
- enabled when accounting was turned on. Fixes bug 907. Bugfix on
- 0.0.9pre6.
- - When a canonical connection appears later in our internal list
- than a noncanonical one for a given OR ID, always use the
- canonical one. Bugfix on 0.2.0.12-alpha. Fixes bug 805.
- Spotted by rovv.
- - Avoid some nasty corner cases in the logic for marking connections
- as too old or obsolete or noncanonical for circuits. Partial
- bugfix on bug 891.
- - Fix another interesting corner-case of bug 891 spotted by rovv:
- Previously, if two hosts had different amounts of clock drift, and
- one of them created a new connection with just the wrong timing,
- the other might decide to deprecate the new connection erroneously.
- Bugfix on 0.1.1.13-alpha.
- - If one win32 nameserver fails to get added, continue adding the
- rest, and don't automatically fail.
- - Fix a bug where an unreachable relay would establish enough
- reachability testing circuits to do a bandwidth test -- if
- we already have a connection to the middle hop of the testing
- circuit, then it could establish the last hop by using the existing
- connection. Bugfix on 0.1.2.2-alpha, exposed when we made testing
- circuits no longer use entry guards in 0.2.1.3-alpha.
- o Minor bugfixes (directory authorities):
- - Limit uploaded directory documents to be 16M rather than 500K.
- The directory authorities were refusing v3 consensus votes from
- other authorities, since the votes are now 504K. Fixes bug 959;
- bugfix on 0.0.2pre17 (where we raised it from 50K to 500K ;).
- - Directory authorities should never send a 503 "busy" response to
- requests for votes or keys. Bugfix on 0.2.0.8-alpha; exposed by
- bug 959.
- - Fix code so authorities _actually_ send back X-Descriptor-Not-New
- headers. Bugfix on 0.2.0.10-alpha.
- o Minor bugfixes (hidden services):
- - When we can't find an intro key for a v2 hidden service descriptor,
- fall back to the v0 hidden service descriptor and log a bug message.
- Workaround for bug 1024.
- - In very rare situations new hidden service descriptors were
- published earlier than 30 seconds after the last change to the
- service. (We currently think that a hidden service descriptor
- that's been stable for 30 seconds is worth publishing.)
- - If a hidden service sends us an END cell, do not consider
- retrying the connection; just close it. Patch from rovv.
- - If we are not using BEGIN_DIR cells, don't attempt to contact hidden
- service directories if they have no advertised dir port. Bugfix
- on 0.2.0.10-alpha.
- o Minor bugfixes (tools):
- - In the torify(1) manpage, mention that tsocks will leak your
- DNS requests.
- o Minor bugfixes (controllers):
- - If the controller claimed responsibility for a stream, but that
- stream never finished making its connection, it would live
- forever in circuit_wait state. Now we close it after SocksTimeout
- seconds. Bugfix on 0.1.2.7-alpha; reported by Mike Perry.
- - Make DNS resolved controller events into "CLOSED", not
- "FAILED". Bugfix on 0.1.2.5-alpha. Fix by Robert Hogan. Resolves
- bug 807.
- - The control port would close the connection before flushing long
- replies, such as the network consensus, if a QUIT command was issued
- before the reply had completed. Now, the control port flushes all
- pending replies before closing the connection. Also fix a spurious
- warning when a QUIT command is issued after a malformed or rejected
- AUTHENTICATE command, but before the connection was closed. Patch
- by Marcus Griep. Fixes bugs 1015 and 1016.
- - Fix a bug that made stream bandwidth get misreported to the
- controller.
- o Deprecated and removed features:
- - The old "tor --version --version" command, which would print out
- the subversion "Id" of most of the source files, is now removed. It
- turned out to be less useful than we'd expected, and harder to
- maintain.
- - RedirectExits has been removed. It was deprecated since
- 0.2.0.3-alpha.
- - Finally remove deprecated "EXTENDED_FORMAT" controller feature. It
- has been called EXTENDED_EVENTS since 0.1.2.4-alpha.
- - Cell pools are now always enabled; --disable-cell-pools is ignored.
- - Directory mirrors no longer fetch the v1 directory or
- running-routers files. They are obsolete, and nobody asks for them
- anymore. This is the first step to making v1 authorities obsolete.
- - Take out the TestVia config option, since it was a workaround for
- a bug that was fixed in Tor 0.1.1.21.
- - Mark RendNodes, RendExcludeNodes, HiddenServiceNodes, and
- HiddenServiceExcludeNodes as obsolete: they never worked properly,
- and nobody seems to be using them. Fixes bug 754. Bugfix on
- 0.1.0.1-rc. Patch from Christian Wilms.
- - Remove all backward-compatibility code for relays running
- versions of Tor so old that they no longer work at all on the
- Tor network.
- o Code simplifications and refactoring:
- - Tool-assisted documentation cleanup. Nearly every function or
- static variable in Tor should have its own documentation now.
- - Rename the confusing or_is_obsolete field to the more appropriate
- is_bad_for_new_circs, and move it to or_connection_t where it
- belongs.
- - Move edge-only flags from connection_t to edge_connection_t: not
- only is this better coding, but on machines of plausible alignment,
- it should save 4-8 bytes per connection_t. "Every little bit helps."
- - Rename ServerDNSAllowBrokenResolvConf to ServerDNSAllowBrokenConfig
- for consistency; keep old option working for backward compatibility.
- - Simplify the code for finding connections to use for a circuit.
- - Revise the connection_new functions so that a more typesafe variant
- exists. This will work better with Coverity, and let us find any
- actual mistakes we're making here.
- - Refactor unit testing logic so that dmalloc can be used sensibly
- with unit tests to check for memory leaks.
- - Move all hidden-service related fields from connection and circuit
- structure to substructures: this way they won't eat so much memory.
- - Squeeze 2-5% out of client performance (according to oprofile) by
- improving the implementation of some policy-manipulation functions.
- - Change the implementation of ExcludeNodes and ExcludeExitNodes to
- be more efficient. Formerly it was quadratic in the number of
- servers; now it should be linear. Fixes bug 509.
- - Save 16-22 bytes per open circuit by moving the n_addr, n_port,
- and n_conn_id_digest fields into a separate structure that's
- only needed when the circuit has not yet attached to an n_conn.
- - Optimize out calls to time(NULL) that occur for every IO operation,
- or for every cell. On systems like Windows where time() is a
- slow syscall, this fix will be slightly helpful.
- Changes in version 0.2.0.35 - 2009-06-24
- o Security fix:
- - Avoid crashing in the presence of certain malformed descriptors.
- Found by lark, and by automated fuzzing.
- - Fix an edge case where a malicious exit relay could convince a
- controller that the client's DNS question resolves to an internal IP
- address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
- o Major bugfixes:
- - Finally fix the bug where dynamic-IP relays disappear when their
- IP address changes: directory mirrors were mistakenly telling
- them their old address if they asked via begin_dir, so they
- never got an accurate answer about their new address, so they
- just vanished after a day. For belt-and-suspenders, relays that
- don't set Address in their config now avoid using begin_dir for
- all direct connections. Should fix bugs 827, 883, and 900.
- - Fix a timing-dependent, allocator-dependent, DNS-related crash bug
- that would occur on some exit nodes when DNS failures and timeouts
- occurred in certain patterns. Fix for bug 957.
- o Minor bugfixes:
- - When starting with a cache over a few days old, do not leak
- memory for the obsolete router descriptors in it. Bugfix on
- 0.2.0.33; fixes bug 672.
- - Hidden service clients didn't use a cached service descriptor that
- was older than 15 minutes, but wouldn't fetch a new one either,
- because there was already one in the cache. Now, fetch a v2
- descriptor unless the same descriptor was added to the cache within
- the last 15 minutes. Fixes bug 997; reported by Marcus Griep.
- Changes in version 0.2.0.34 - 2009-02-08
- Tor 0.2.0.34 features several more security-related fixes. You should
- upgrade, especially if you run an exit relay (remote crash) or a
- directory authority (remote infinite loop), or you're on an older
- (pre-XP) or not-recently-patched Windows (remote exploit).
- This release marks end-of-life for Tor 0.1.2.x. Those Tor versions
- have many known flaws, and nobody should be using them. You should
- upgrade. If you're using a Linux or BSD and its packages are obsolete,
- stop using those packages and upgrade anyway.
- o Security fixes:
- - Fix an infinite-loop bug on handling corrupt votes under certain
- circumstances. Bugfix on 0.2.0.8-alpha.
- - Fix a temporary DoS vulnerability that could be performed by
- a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
- - Avoid a potential crash on exit nodes when processing malformed
- input. Remote DoS opportunity. Bugfix on 0.2.0.33.
- - Do not accept incomplete ipv4 addresses (like 192.168.0) as valid.
- Spec conformance issue. Bugfix on Tor 0.0.2pre27.
- o Minor bugfixes:
- - Fix compilation on systems where time_t is a 64-bit integer.
- Patch from Matthias Drochner.
- - Don't consider expiring already-closed client connections. Fixes
- bug 893. Bugfix on 0.0.2pre20.
- Changes in version 0.2.0.33 - 2009-01-21
- Tor 0.2.0.33 fixes a variety of bugs that were making relays less
- useful to users. It also finally fixes a bug where a relay or client
- that's been off for many days would take a long time to bootstrap.
- This update also fixes an important security-related bug reported by
- Ilja van Sprundel. You should upgrade. (We'll send out more details
- about the bug once people have had some time to upgrade.)
- o Security fixes:
- - Fix a heap-corruption bug that may be remotely triggerable on
- some platforms. Reported by Ilja van Sprundel.
- o Major bugfixes:
- - When a stream at an exit relay is in state "resolving" or
- "connecting" and it receives an "end" relay cell, the exit relay
- would silently ignore the end cell and not close the stream. If
- the client never closes the circuit, then the exit relay never
- closes the TCP connection. Bug introduced in Tor 0.1.2.1-alpha;
- reported by "wood".
- - When sending CREATED cells back for a given circuit, use a 64-bit
- connection ID to find the right connection, rather than an addr:port
- combination. Now that we can have multiple OR connections between
- the same ORs, it is no longer possible to use addr:port to uniquely
- identify a connection.
- - Bridge relays that had DirPort set to 0 would stop fetching
- descriptors shortly after startup, and then briefly resume
- after a new bandwidth test and/or after publishing a new bridge
- descriptor. Bridge users that try to bootstrap from them would
- get a recent networkstatus but would get descriptors from up to
- 18 hours earlier, meaning most of the descriptors were obsolete
- already. Reported by Tas; bugfix on 0.2.0.13-alpha.
- - Prevent bridge relays from serving their 'extrainfo' document
- to anybody who asks, now that extrainfo docs include potentially
- sensitive aggregated client geoip summaries. Bugfix on
- 0.2.0.13-alpha.
- - If the cached networkstatus consensus is more than five days old,
- discard it rather than trying to use it. In theory it could be
- useful because it lists alternate directory mirrors, but in practice
- it just means we spend many minutes trying directory mirrors that
- are long gone from the network. Also discard router descriptors as
- we load them if they are more than five days old, since the onion
- key is probably wrong by now. Bugfix on 0.2.0.x. Fixes bug 887.
- o Minor bugfixes:
- - Do not mark smartlist_bsearch_idx() function as ATTR_PURE. This bug
- could make gcc generate non-functional binary search code. Bugfix
- on 0.2.0.10-alpha.
- - Build correctly on platforms without socklen_t.
- - Compile without warnings on solaris.
- - Avoid potential crash on internal error during signature collection.
- Fixes bug 864. Patch from rovv.
- - Correct handling of possible malformed authority signing key
- certificates with internal signature types. Fixes bug 880.
- Bugfix on 0.2.0.3-alpha.
- - Fix a hard-to-trigger resource leak when logging credential status.
- CID 349.
- - When we can't initialize DNS because the network is down, do not
- automatically stop Tor from starting. Instead, we retry failed
- dns_init() every 10 minutes, and change the exit policy to reject
- *:* until one succeeds. Fixes bug 691.
- - Use 64 bits instead of 32 bits for connection identifiers used with
- the controller protocol, to greatly reduce risk of identifier reuse.
- - When we're choosing an exit node for a circuit, and we have
- no pending streams, choose a good general exit rather than one that
- supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv.
- - Fix another case of assuming, when a specific exit is requested,
- that we know more than the user about what hosts it allows.
- Fixes one case of bug 752. Patch from rovv.
- - Clip the MaxCircuitDirtiness config option to a minimum of 10
- seconds. Warn the user if lower values are given in the
- configuration. Bugfix on 0.1.0.1-rc. Patch by Sebastian.
- - Clip the CircuitBuildTimeout to a minimum of 30 seconds. Warn the
- user if lower values are given in the configuration. Bugfix on
- 0.1.1.17-rc. Patch by Sebastian.
- - Fix a memory leak when we decline to add a v2 rendezvous descriptor to
- the cache because we already had a v0 descriptor with the same ID.
- Bugfix on 0.2.0.18-alpha.
- - Fix a race condition when freeing keys shared between main thread
- and CPU workers that could result in a memory leak. Bugfix on
- 0.1.0.1-rc. Fixes bug 889.
- - Send a valid END cell back when a client tries to connect to a
- nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
- 840. Patch from rovv.
- - Check which hops rendezvous stream cells are associated with to
- prevent possible guess-the-streamid injection attacks from
- intermediate hops. Fixes another case of bug 446. Based on patch
- from rovv.
- - If a broken client asks a non-exit router to connect somewhere,
- do not even do the DNS lookup before rejecting the connection.
- Fixes another case of bug 619. Patch from rovv.
- - When a relay gets a create cell it can't decrypt (e.g. because it's
- using the wrong onion key), we were dropping it and letting the
- client time out. Now actually answer with a destroy cell. Fixes
- bug 904. Bugfix on 0.0.2pre8.
- o Minor bugfixes (hidden services):
- - Do not throw away existing introduction points on SIGHUP. Bugfix on
- 0.0.6pre1. Patch by Karsten. Fixes bug 874.
- o Minor features:
- - Report the case where all signatures in a detached set are rejected
- differently than the case where there is an error handling the
- detached set.
- - When we realize that another process has modified our cached
- descriptors, print out a more useful error message rather than
- triggering an assertion. Fixes bug 885. Patch from Karsten.
- - Implement the 0x20 hack to better resist DNS poisoning: set the
- case on outgoing DNS requests randomly, and reject responses that do
- not match the case correctly. This logic can be disabled with the
- ServerDNSRamdomizeCase setting, if you are using one of the 0.3%
- of servers that do not reliably preserve case in replies. See
- "Increased DNS Forgery Resistance through 0x20-Bit Encoding"
- for more info.
- - Check DNS replies for more matching fields to better resist DNS
- poisoning.
- - Never use OpenSSL compression: it wastes RAM and CPU trying to
- compress cells, which are basically all encrypted, compressed, or
- both.
- Changes in version 0.2.0.32 - 2008-11-20
- Tor 0.2.0.32 fixes a major security problem in Debian and Ubuntu
- packages (and maybe other packages) noticed by Theo de Raadt, fixes
- a smaller security flaw that might allow an attacker to access local
- services, further improves hidden service performance, and fixes a
- variety of other issues.
- o Security fixes:
- - The "User" and "Group" config options did not clear the
- supplementary group entries for the Tor process. The "User" option
- is now more robust, and we now set the groups to the specified
- user's primary group. The "Group" option is now ignored. For more
- detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
- in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
- and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848 and 857.
- - The "ClientDNSRejectInternalAddresses" config option wasn't being
- consistently obeyed: if an exit relay refuses a stream because its
- exit policy doesn't allow it, we would remember what IP address
- the relay said the destination address resolves to, even if it's
- an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
- o Major bugfixes:
- - Fix a DOS opportunity during the voting signature collection process
- at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x.
- o Major bugfixes (hidden services):
- - When fetching v0 and v2 rendezvous service descriptors in parallel,
- we were failing the whole hidden service request when the v0
- descriptor fetch fails, even if the v2 fetch is still pending and
- might succeed. Similarly, if the last v2 fetch fails, we were
- failing the whole hidden service request even if a v0 fetch is
- still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
- - When extending a circuit to a hidden service directory to upload a
- rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
- requests failed, because the router descriptor has not been
- downloaded yet. In these cases, do not attempt to upload the
- rendezvous descriptor, but wait until the router descriptor is
- downloaded and retry. Likewise, do not attempt to fetch a rendezvous
- descriptor from a hidden service directory for which the router
- descriptor has not yet been downloaded. Fixes bug 767. Bugfix
- on 0.2.0.10-alpha.
- o Minor bugfixes:
- - Fix several infrequent memory leaks spotted by Coverity.
- - When testing for libevent functions, set the LDFLAGS variable
- correctly. Found by Riastradh.
- - Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
- bootstrapping with tunneled directory connections. Bugfix on
- 0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
- - When asked to connect to A.B.exit:80, if we don't know the IP for A
- and we know that server B rejects most-but-not all connections to
- port 80, we would previously reject the connection. Now, we assume
- the user knows what they were asking for. Fixes bug 752. Bugfix
- on 0.0.9rc5. Diagnosed by BarkerJr.
- - If we overrun our per-second write limits a little, count this as
- having used up our write allocation for the second, and choke
- outgoing directory writes. Previously, we had only counted this when
- we had met our limits precisely. Fixes bug 824. Patch from by rovv.
- Bugfix on 0.2.0.x (??).
- - Remove the old v2 directory authority 'lefkada' from the default
- list. It has been gone for many months.
- - Stop doing unaligned memory access that generated bus errors on
- sparc64. Bugfix on 0.2.0.10-alpha. Fixes bug 862.
- - Make USR2 log-level switch take effect immediately. Bugfix on
- 0.1.2.8-beta.
- o Minor bugfixes (controller):
- - Make DNS resolved events into "CLOSED", not "FAILED". Bugfix on
- 0.1.2.5-alpha. Fix by Robert Hogan. Resolves bug 807.
- Changes in version 0.2.0.31 - 2008-09-03
- Tor 0.2.0.31 addresses two potential anonymity issues, starts to fix
- a big bug we're seeing where in rare cases traffic from one Tor stream
- gets mixed into another stream, and fixes a variety of smaller issues.
- o Major bugfixes:
- - Make sure that two circuits can never exist on the same connection
- with the same circuit ID, even if one is marked for close. This
- is conceivably a bugfix for bug 779. Bugfix on 0.1.0.4-rc.
- - Relays now reject risky extend cells: if the extend cell includes
- a digest of all zeroes, or asks to extend back to the relay that
- sent the extend cell, tear down the circuit. Ideas suggested
- by rovv.
- - If not enough of our entry guards are available so we add a new
- one, we might use the new one even if it overlapped with the
- current circuit's exit relay (or its family). Anonymity bugfix
- pointed out by rovv.
- o Minor bugfixes:
- - Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
- 794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
- - Correctly detect the presence of the linux/netfilter_ipv4.h header
- when building against recent kernels. Bugfix on 0.1.2.1-alpha.
- - Pick size of default geoip filename string correctly on windows.
- Fixes bug 806. Bugfix on 0.2.0.30.
- - Make the autoconf script accept the obsolete --with-ssl-dir
- option as an alias for the actually-working --with-openssl-dir
- option. Fix the help documentation to recommend --with-openssl-dir.
- Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.
- - When using the TransPort option on OpenBSD, and using the User
- option to change UID and drop privileges, make sure to open
- /dev/pf before dropping privileges. Fixes bug 782. Patch from
- Christopher Davis. Bugfix on 0.1.2.1-alpha.
- - Try to attach connections immediately upon receiving a RENDEZVOUS2
- or RENDEZVOUS_ESTABLISHED cell. This can save a second or two
- on the client side when connecting to a hidden service. Bugfix
- on 0.0.6pre1. Found and fixed by Christian Wilms; resolves bug 743.
- - When closing an application-side connection because its circuit is
- getting torn down, generate the stream event correctly. Bugfix on
- 0.1.2.x. Anonymous patch.
- Changes in version 0.2.0.30 - 2008-07-15
- This new stable release switches to a more efficient directory
- distribution design, adds features to make connections to the Tor
- network harder to block, allows Tor to act as a DNS proxy, adds separate
- rate limiting for relayed traffic to make it easier for clients to
- become relays, fixes a variety of potential anonymity problems, and
- includes the usual huge pile of other features and bug fixes.
- o New v3 directory design:
- - Tor now uses a new way to learn about and distribute information
- about the network: the directory authorities vote on a common
- network status document rather than each publishing their own
- opinion. Now clients and caches download only one networkstatus
- document to bootstrap, rather than downloading one for each
- authority. Clients only download router descriptors listed in
- the consensus. Implements proposal 101; see doc/spec/dir-spec.txt
- for details.
- - Set up moria1, tor26, and dizum as v3 directory authorities
- in addition to being v2 authorities. Also add three new ones:
- ides (run by Mike Perry), gabelmoo (run by Karsten Loesing), and
- dannenberg (run by CCC).
- - Switch to multi-level keys for directory authorities: now their
- long-term identity key can be kept offline, and they periodically
- generate a new signing key. Clients fetch the "key certificates"
- to keep up to date on the right keys. Add a standalone tool
- "tor-gencert" to generate key certificates. Implements proposal 103.
- - Add a new V3AuthUseLegacyKey config option to make it easier for
- v3 authorities to change their identity keys if another bug like
- Debian's OpenSSL RNG flaw appears.
- - Authorities and caches fetch the v2 networkstatus documents
- less often, now that v3 is recommended.
- o Make Tor connections stand out less on the wire:
- - Use an improved TLS handshake designed by Steven Murdoch in proposal
- 124, as revised in proposal 130. The new handshake is meant to
- be harder for censors to fingerprint, and it adds the ability
- to detect certain kinds of man-in-the-middle traffic analysis
- attacks. The new handshake format includes version negotiation for
- OR connections as described in proposal 105, which will allow us
- to improve Tor's link protocol more safely in the future.
- - Enable encrypted directory connections by default for non-relays,
- so censor tools that block Tor directory connections based on their
- plaintext patterns will no longer work. This means Tor works in
- certain censored countries by default again.
- - Stop including recognizeable strings in the commonname part of
- Tor's x509 certificates.
- o Implement bridge relays:
- - Bridge relays (or "bridges" for short) are Tor relays that aren't
- listed in the main Tor directory. Since there is no complete public
- list of them, even an ISP that is filtering connections to all the
- known Tor relays probably won't be able to block all the bridges.
- See doc/design-paper/blocking.pdf and proposal 125 for details.
- - New config option BridgeRelay that specifies you want to be a
- bridge relay rather than a normal relay. When BridgeRelay is set
- to 1, then a) you cache dir info even if your DirPort ins't on,
- and b) the default for PublishServerDescriptor is now "bridge"
- rather than "v2,v3".
- - New config option "UseBridges 1" for clients that want to use bridge
- relays instead of ordinary entry guards. Clients then specify
- bridge relays by adding "Bridge" lines to their config file. Users
- can learn about a bridge relay either manually through word of
- mouth, or by one of our rate-limited mechanisms for giving out
- bridge addresses without letting an attacker easily enumerate them
- all. See https://www.torproject.org/bridges for details.
- - Bridge relays behave like clients with respect to time intervals
- for downloading new v3 consensus documents -- otherwise they
- stand out. Bridge users now wait until the end of the interval,
- so their bridge relay will be sure to have a new consensus document.
- o Implement bridge directory authorities:
- - Bridge authorities are like normal directory authorities, except
- they don't serve a list of known bridges. Therefore users that know
- a bridge's fingerprint can fetch a relay descriptor for that bridge,
- including fetching updates e.g. if the bridge changes IP address,
- yet an attacker can't just fetch a list of all the bridges.
- - Set up Tonga as the default bridge directory authority.
- - Bridge authorities refuse to serve bridge descriptors or other
- bridge information over unencrypted connections (that is, when
- responding to direct DirPort requests rather than begin_dir cells.)
- - Bridge directory authorities do reachability testing on the
- bridges they know. They provide router status summaries to the
- controller via "getinfo ns/purpose/bridge", and also dump summaries
- to a file periodically, so we can keep internal stats about which
- bridges are functioning.
- - If bridge users set the UpdateBridgesFromAuthority config option,
- but the digest they ask for is a 404 on the bridge authority,
- they fall back to contacting the bridge directly.
- - Bridges always use begin_dir to publish their server descriptor to
- the bridge authority using an anonymous encrypted tunnel.
- - Early work on a "bridge community" design: if bridge authorities set
- the BridgePassword config option, they will serve a snapshot of
- known bridge routerstatuses from their DirPort to anybody who
- knows that password. Unset by default.
- - Tor now includes an IP-to-country GeoIP file, so bridge relays can
- report sanitized aggregated summaries in their extra-info documents
- privately to the bridge authority, listing which countries are
- able to reach them. We hope this mechanism will let us learn when
- certain countries start trying to block bridges.
- - Bridge authorities write bridge descriptors to disk, so they can
- reload them after a reboot. They can also export the descriptors
- to other programs, so we can distribute them to blocked users via
- the BridgeDB interface, e.g. via https://bridges.torproject.org/
- and bridges@torproject.org.
- o Tor can be a DNS proxy:
- - The new client-side DNS proxy feature replaces the need for
- dns-proxy-tor: Just set "DNSPort 9999", and Tor will now listen
- for DNS requests on port 9999, use the Tor network to resolve them
- anonymously, and send the reply back like a regular DNS server.
- The code still only implements a subset of DNS.
- - Add a new AutomapHostsOnResolve option: when it is enabled, any
- resolve request for hosts matching a given pattern causes Tor to
- generate an internal virtual address mapping for that host. This
- allows DNSPort to work sensibly with hidden service users. By
- default, .exit and .onion addresses are remapped; the list of
- patterns can be reconfigured with AutomapHostsSuffixes.
- - Add an "-F" option to tor-resolve to force a resolve for a .onion
- address. Thanks to the AutomapHostsOnResolve option, this is no
- longer a completely silly thing to do.
- o Major features (relay usability):
- - New config options RelayBandwidthRate and RelayBandwidthBurst:
- a separate set of token buckets for relayed traffic. Right now
- relayed traffic is defined as answers to directory requests, and
- OR connections that don't have any local circuits on them. See
- proposal 111 for details.
- - Create listener connections before we setuid to the configured
- User and Group. Now non-Windows users can choose port values
- under 1024, start Tor as root, and have Tor bind those ports
- before it changes to another UID. (Windows users could already
- pick these ports.)
- - Added a new ConstrainedSockets config option to set SO_SNDBUF and
- SO_RCVBUF on TCP sockets. Hopefully useful for Tor servers running
- on "vserver" accounts. Patch from coderman.
- o Major features (directory authorities):
- - Directory authorities track weighted fractional uptime and weighted
- mean-time-between failures for relays. WFU is suitable for deciding
- whether a node is "usually up", while MTBF is suitable for deciding
- whether a node is "likely to stay up." We need both, because
- "usually up" is a good requirement for guards, while "likely to
- stay up" is a good requirement for long-lived connections.
- - Directory authorities use a new formula for selecting which relays
- to advertise as Guards: they must be in the top 7/8 in terms of
- how long we have known about them, and above the median of those
- nodes in terms of weighted fractional uptime.
- - Directory authorities use a new formula for selecting which relays
- to advertise as Stable: when we have 4 or more days of data, use
- median measured MTBF rather than median declared uptime. Implements
- proposal 108.
- - Directory authorities accept and serve "extra info" documents for
- routers. Routers now publish their bandwidth-history lines in the
- extra-info docs rather than the main descriptor. This step saves
- 60% (!) on compressed router descriptor downloads. Servers upload
- extra-info docs to any authority that accepts them; directory
- authorities now allow multiple router descriptors and/or extra
- info documents to be uploaded in a single go. Authorities, and
- caches that have been configured to download extra-info documents,
- download them as needed. Implements proposal 104.
- - Authorities now list relays who have the same nickname as
- a different named relay, but list them with a new flag:
- "Unnamed". Now we can make use of relays that happen to pick the
- same nickname as a server that registered two years ago and then
- disappeared. Implements proposal 122.
- - Store routers in a file called cached-descriptors instead of in
- cached-routers. Initialize cached-descriptors from cached-routers
- if the old format is around. The new format allows us to store
- annotations along with descriptors, to record the time we received
- each descriptor, its source, and its purpose: currently one of
- general, controller, or bridge.
- o Major features (other):
- - New config options WarnPlaintextPorts and RejectPlaintextPorts so
- Tor can warn and/or refuse connections to ports commonly used with
- vulnerable-plaintext protocols. Currently we warn on ports 23,
- 109, 110, and 143, but we don't reject any. Based on proposal 129
- by Kevin Bauer and Damon McCoy.
- - Integrate Karsten Loesing's Google Summer of Code project to publish
- hidden service descriptors on a set of redundant relays that are a
- function of the hidden service address. Now we don't have to rely
- on three central hidden service authorities for publishing and
- fetching every hidden service descriptor. Implements proposal 114.
- - Allow tunnelled directory connections to ask for an encrypted
- "begin_dir" connection or an anonymized "uses a full Tor circuit"
- connection independently. Now we can make anonymized begin_dir
- connections for (e.g.) more secure hidden service posting and
- fetching.
- o Major bugfixes (crashes and assert failures):
- - Stop imposing an arbitrary maximum on the number of file descriptors
- used for busy servers. Bug reported by Olaf Selke; patch from
- Sebastian Hahn.
- - Avoid possible failures when generating a directory with routers
- with over-long versions strings, or too many flags set.
- - Fix a rare assert error when we're closing one of our threads:
- use a mutex to protect the list of logs, so we never write to the
- list as it's being freed. Fixes the very rare bug 575, which is
- kind of the revenge of bug 222.
- - Avoid segfault in the case where a badly behaved v2 versioning
- directory sends a signed networkstatus with missing client-versions.
- - When we hit an EOF on a log (probably because we're shutting down),
- don't try to remove the log from the list: just mark it as
- unusable. (Bulletproofs against bug 222.)
- o Major bugfixes (code security fixes):
- - Detect size overflow in zlib code. Reported by Justin Ferguson and
- Dan Kaminsky.
- - Rewrite directory tokenization code to never run off the end of
- a string. Fixes bug 455. Patch from croup.
- - Be more paranoid about overwriting sensitive memory on free(),
- as a defensive programming tactic to ensure forward secrecy.
- o Major bugfixes (anonymity fixes):
- - Reject requests for reverse-dns lookup of names that are in
- a private address space. Patch from lodger.
- - Never report that we've used more bandwidth than we're willing to
- relay: it leaks how much non-relay traffic we're using. Resolves
- bug 516.
- - As a client, do not believe any server that tells us that an
- address maps to an internal address space.
- - Warn about unsafe ControlPort configurations.
- - Directory authorities now call routers Fast if their bandwidth is
- at least 100KB/s, and consider their bandwidth adequate to be a
- Guard if it is at least 250KB/s, no matter the medians. This fix
- complements proposal 107.
- - Directory authorities now never mark more than 2 servers per IP as
- Valid and Running (or 5 on addresses shared by authorities).
- Implements proposal 109, by Kevin Bauer and Damon McCoy.
- - If we're a relay, avoid picking ourselves as an introduction point,
- a rendezvous point, or as the final hop for internal circuits. Bug
- reported by taranis and lodger.
- - Exit relays that are used as a client can now reach themselves
- using the .exit notation, rather than just launching an infinite
- pile of circuits. Fixes bug 641. Reported by Sebastian Hahn.
- - Fix a bug where, when we were choosing the 'end stream reason' to
- put in our relay end cell that we send to the exit relay, Tor
- clients on Windows were sometimes sending the wrong 'reason'. The
- anonymity problem is that exit relays may be able to guess whether
- the client is running Windows, thus helping partition the anonymity
- set. Down the road we should stop sending reasons to exit relays,
- or otherwise prevent future versions of this bug.
- - Only update guard status (usable / not usable) once we have
- enough directory information. This was causing us to discard all our
- guards on startup if we hadn't been running for a few weeks. Fixes
- bug 448.
- - When our directory information has been expired for a while, stop
- being willing to build circuits using it. Fixes bug 401.
- o Major bugfixes (peace of mind for relay operators)
- - Non-exit relays no longer answer "resolve" relay cells, so they
- can't be induced to do arbitrary DNS requests. (Tor clients already
- avoid using non-exit relays for resolve cells, but now servers
- enforce this too.) Fixes bug 619. Patch from lodger.
- - When we setconf ClientOnly to 1, close any current OR and Dir
- listeners. Reported by mwenge.
- o Major bugfixes (other):
- - If we only ever used Tor for hidden service lookups or posts, we
- would stop building circuits and start refusing connections after
- 24 hours, since we falsely believed that Tor was dormant. Reported
- by nwf.
- - Add a new __HashedControlSessionPassword option for controllers
- to use for one-off session password hashes that shouldn't get
- saved to disk by SAVECONF --- Vidalia users were accumulating a
- pile of HashedControlPassword lines in their torrc files, one for
- each time they had restarted Tor and then clicked Save. Make Tor
- automatically convert "HashedControlPassword" to this new option but
- only when it's given on the command line. Partial fix for bug 586.
- - Patch from "Andrew S. Lists" to catch when we contact a directory
- mirror at IP address X and he says we look like we're coming from
- IP address X. Otherwise this would screw up our address detection.
- - Reject uploaded descriptors and extrainfo documents if they're
- huge. Otherwise we'll cache them all over the network and it'll
- clog everything up. Suggested by Aljosha Judmayer.
- - When a hidden service was trying to establish an introduction point,
- and Tor *did* manage to reuse one of the preemptively built
- circuits, it didn't correctly remember which one it used,
- so it asked for another one soon after, until there were no
- more preemptive circuits, at which point it launched one from
- scratch. Bugfix on 0.0.9.x.
- o Rate limiting and load balancing improvements:
- - When we add data to a write buffer in response to the data on that
- write buffer getting low because of a flush, do not consider the
- newly added data as a candidate for immediate flushing, but rather
- make it wait until the next round of writing. Otherwise, we flush
- and refill recursively, and a single greedy TLS connection can
- eat all of our bandwidth.
- - When counting the number of bytes written on a TLS connection,
- look at the BIO actually used for writing to the network, not
- at the BIO used (sometimes) to buffer data for the network.
- Looking at different BIOs could result in write counts on the
- order of ULONG_MAX. Fixes bug 614.
- - If we change our MaxAdvertisedBandwidth and then reload torrc,
- Tor won't realize it should publish a new relay descriptor. Fixes
- bug 688, reported by mfr.
- - Avoid using too little bandwidth when our clock skips a few seconds.
- - Choose which bridge to use proportional to its advertised bandwidth,
- rather than uniformly at random. This should speed up Tor for
- bridge users. Also do this for people who set StrictEntryNodes.
- o Bootstrapping faster and building circuits more intelligently:
- - Fix bug 660 that was preventing us from knowing that we should
- preemptively build circuits to handle expected directory requests.
- - When we're checking if we have enough dir info for each relay
- to begin establishing circuits, make sure that we actually have
- the descriptor listed in the consensus, not just any descriptor.
- - Correctly notify one-hop connections when a circuit build has
- failed. Possible fix for bug 669. Found by lodger.
- - Clients now hold circuitless TLS connections open for 1.5 times
- MaxCircuitDirtiness (15 minutes), since it is likely that they'll
- rebuild a new circuit over them within that timeframe. Previously,
- they held them open only for KeepalivePeriod (5 minutes).
- o Performance improvements (memory):
- - Add OpenBSD malloc code from "phk" as an optional malloc
- replacement on Linux: some glibc libraries do very poorly with
- Tor's memory allocation patterns. Pass --enable-openbsd-malloc to
- ./configure to get the replacement malloc code.
- - Switch our old ring buffer implementation for one more like that
- used by free Unix kernels. The wasted space in a buffer with 1mb
- of data will now be more like 8k than 1mb. The new implementation
- also avoids realloc();realloc(); patterns that can contribute to
- memory fragmentation.
- - Change the way that Tor buffers data that it is waiting to write.
- Instead of queueing data cells in an enormous ring buffer for each
- client->OR or OR->OR connection, we now queue cells on a separate
- queue for each circuit. This lets us use less slack memory, and
- will eventually let us be smarter about prioritizing different kinds
- of traffic.
- - Reference-count and share copies of address policy entries; only 5%
- of them were actually distinct.
- - Tune parameters for cell pool allocation to minimize amount of
- RAM overhead used.
- - Keep unused 4k and 16k buffers on free lists, rather than wasting 8k
- for every single inactive connection_t. Free items from the
- 4k/16k-buffer free lists when they haven't been used for a while.
- - Make memory debugging information describe more about history
- of cell allocation, so we can help reduce our memory use.
- - Be even more aggressive about releasing RAM from small
- empty buffers. Thanks to our free-list code, this shouldn't be too
- performance-intensive.
- - Log malloc statistics from mallinfo() on platforms where it exists.
- - Use memory pools to allocate cells with better speed and memory
- efficiency, especially on platforms where malloc() is inefficient.
- - Add a --with-tcmalloc option to the configure script to link
- against tcmalloc (if present). Does not yet search for non-system
- include paths.
- o Performance improvements (socket management):
- - Count the number of open sockets separately from the number of
- active connection_t objects. This will let us avoid underusing
- our allocated connection limit.
- - We no longer use socket pairs to link an edge connection to an
- anonymous directory connection or a DirPort test connection.
- Instead, we track the link internally and transfer the data
- in-process. This saves two sockets per "linked" connection (at the
- client and at the server), and avoids the nasty Windows socketpair()
- workaround.
- - We were leaking a file descriptor if Tor started with a zero-length
- cached-descriptors file. Patch by "freddy77".
- o Performance improvements (CPU use):
- - Never walk through the list of logs if we know that no log target
- is interested in a given message.
- - Call routerlist_remove_old_routers() much less often. This should
- speed startup, especially on directory caches.
- - Base64 decoding was actually showing up on our profile when parsing
- the initial descriptor file; switch to an in-process all-at-once
- implementation that's about 3.5x times faster than calling out to
- OpenSSL.
- - Use a slightly simpler string hashing algorithm (copying Python's
- instead of Java's) and optimize our digest hashing algorithm to take
- advantage of 64-bit platforms and to remove some possibly-costly
- voodoo.
- - When implementing AES counter mode, update only the portions of the
- counter buffer that need to change, and don't keep separate
- network-order and host-order counters on big-endian hosts (where
- they are the same).
- - Add an in-place version of aes_crypt() so that we can avoid doing a
- needless memcpy() call on each cell payload.
- - Use Critical Sections rather than Mutexes for synchronizing threads
- on win32; Mutexes are heavier-weight, and designed for synchronizing
- between processes.
- o Performance improvements (bandwidth use):
- - Don't try to launch new descriptor downloads quite so often when we
- already have enough directory information to build circuits.
- - Version 1 directories are no longer generated in full. Instead,
- authorities generate and serve "stub" v1 directories that list
- no servers. This will stop Tor versions 0.1.0.x and earlier from
- working, but (for security reasons) nobody should be running those
- versions anyway.
- - Avoid going directly to the directory authorities even if you're a
- relay, if you haven't found yourself reachable yet or if you've
- decided not to advertise your dirport yet. Addresses bug 556.
- - If we've gone 12 hours since our last bandwidth check, and we
- estimate we have less than 50KB bandwidth capacity but we could
- handle more, do another bandwidth test.
- - Support "If-Modified-Since" when answering HTTP requests for
- directories, running-routers documents, and v2 and v3 networkstatus
- documents. (There's no need to support it for router descriptors,
- since those are downloaded by descriptor digest.)
- - Stop fetching directory info so aggressively if your DirPort is
- on but your ORPort is off; stop fetching v2 dir info entirely.
- You can override these choices with the new FetchDirInfoEarly
- config option.
- o Changed config option behavior (features):
- - Configuration files now accept C-style strings as values. This
- helps encode characters not allowed in the current configuration
- file format, such as newline or #. Addresses bug 557.
- - Add hidden services and DNSPorts to the list of things that make
- Tor accept that it has running ports. Change starting Tor with no
- ports from a fatal error to a warning; we might change it back if
- this turns out to confuse anybody. Fixes bug 579.
- - Make PublishServerDescriptor default to 1, so the default doesn't
- have to change as we invent new directory protocol versions.
- - Allow people to say PreferTunnelledDirConns rather than
- PreferTunneledDirConns, for those alternate-spellers out there.
- - Raise the default BandwidthRate/BandwidthBurst to 5MB/10MB, to
- accommodate the growing number of servers that use the default
- and are reaching it.
- - Make it possible to enable HashedControlPassword and
- CookieAuthentication at the same time.
- - When a TrackHostExits-chosen exit fails too many times in a row,
- stop using it. Fixes bug 437.
- o Changed config option behavior (bugfixes):
- - Do not read the configuration file when we've only been told to
- generate a password hash. Fixes bug 643. Bugfix on 0.0.9pre5. Fix
- based on patch from Sebastian Hahn.
- - Actually validate the options passed to AuthDirReject,
- AuthDirInvalid, AuthDirBadDir, and AuthDirBadExit.
- - Make "ClientOnly 1" config option disable directory ports too.
- - Don't stop fetching descriptors when FetchUselessDescriptors is
- set, even if we stop asking for circuits. Bug reported by tup
- and ioerror.
- - Servers used to decline to publish their DirPort if their
- BandwidthRate or MaxAdvertisedBandwidth were below a threshold. Now
- they look only at BandwidthRate and RelayBandwidthRate.
- - Treat "2gb" when given in torrc for a bandwidth as meaning 2gb,
- minus 1 byte: the actual maximum declared bandwidth.
- - Make "TrackHostExits ." actually work. Bugfix on 0.1.0.x.
- - Make the NodeFamilies config option work. (Reported by
- lodger -- it has never actually worked, even though we added it
- in Oct 2004.)
- - If Tor is invoked from something that isn't a shell (e.g. Vidalia),
- now we expand "-f ~/.tor/torrc" correctly. Suggested by Matt Edman.
- o New config options:
- - New configuration options AuthDirMaxServersPerAddr and
- AuthDirMaxServersperAuthAddr to override default maximum number
- of servers allowed on a single IP address. This is important for
- running a test network on a single host.
- - Three new config options (AlternateDirAuthority,
- AlternateBridgeAuthority, and AlternateHSAuthority) that let the
- user selectively replace the default directory authorities by type,
- rather than the all-or-nothing replacement that DirServer offers.
- - New config options AuthDirBadDir and AuthDirListBadDirs for
- authorities to mark certain relays as "bad directories" in the
- networkstatus documents. Also supports the "!baddir" directive in
- the approved-routers file.
- - New config option V2AuthoritativeDirectory that all v2 directory
- authorities must set. This lets v3 authorities choose not to serve
- v2 directory information.
- o Minor features (other):
- - When we're not serving v2 directory information, there is no reason
- to actually keep any around. Remove the obsolete files and directory
- on startup if they are very old and we aren't going to serve them.
- - When we negotiate a v2 link-layer connection (not yet implemented),
- accept RELAY_EARLY cells and turn them into RELAY cells if we've
- negotiated a v1 connection for their next step. Initial steps for
- proposal 110.
- - When we have no consensus, check FallbackNetworkstatusFile (defaults
- to $PREFIX/share/tor/fallback-consensus) for a consensus. This way
- we can start out knowing some directory caches. We don't ship with
- a fallback consensus by default though, because it was making
- bootstrapping take too long while we tried many down relays.
- - Authorities send back an X-Descriptor-Not-New header in response to
- an accepted-but-discarded descriptor upload. Partially implements
- fix for bug 535.
- - If we find a cached-routers file that's been sitting around for more
- than 28 days unmodified, then most likely it's a leftover from
- when we upgraded to 0.2.0.8-alpha. Remove it. It has no good
- routers anyway.
- - When we (as a cache) download a descriptor because it was listed
- in a consensus, remember when the consensus was supposed to expire,
- and don't expire the descriptor until then.
- - Optionally (if built with -DEXPORTMALLINFO) export the output
- of mallinfo via http, as tor/mallinfo.txt. Only accessible
- from localhost.
- - Tag every guard node in our state file with the version that
- we believe added it, or with our own version if we add it. This way,
- if a user temporarily runs an old version of Tor and then switches
- back to a new one, she doesn't automatically lose her guards.
- - When somebody requests a list of statuses or servers, and we have
- none of those, return a 404 rather than an empty 200.
- - Merge in some (as-yet-unused) IPv6 address manipulation code. (Patch
- from croup.)
- - Add an HSAuthorityRecordStats option that hidden service authorities
- can use to track statistics of overall hidden service usage without
- logging information that would be as useful to an attacker.
- - Allow multiple HiddenServicePort directives with the same virtual
- port; when they occur, the user is sent round-robin to one
- of the target ports chosen at random. Partially fixes bug 393 by
- adding limited ad-hoc round-robining.
- - Revamp file-writing logic so we don't need to have the entire
- contents of a file in memory at once before we write to disk. Tor,
- meet stdio.
- o Minor bugfixes (other):
- - Alter the code that tries to recover from unhandled write
- errors, to not try to flush onto a socket that's given us
- unhandled errors.
- - Directory mirrors no longer include a guess at the client's IP
- address if the connection appears to be coming from the same /24
- network; it was producing too many wrong guesses.
- - If we're trying to flush the last bytes on a connection (for
- example, when answering a directory request), reset the
- time-to-give-up timeout every time we manage to write something
- on the socket.
- - Reject router descriptors with out-of-range bandwidthcapacity or
- bandwidthburst values.
- - If we can't expand our list of entry guards (e.g. because we're
- using bridges or we have StrictEntryNodes set), don't mark relays
- down when they fail a directory request. Otherwise we're too quick
- to mark all our entry points down.
- - Authorities no longer send back "400 you're unreachable please fix
- it" errors to Tor servers that aren't online all the time. We're
- supposed to tolerate these servers now.
- - Let directory authorities startup even when they can't generate
- a descriptor immediately, e.g. because they don't know their
- address.
- - Correctly enforce that elements of directory objects do not appear
- more often than they are allowed to appear.
- - Stop allowing hibernating servers to be "stable" or "fast".
- - On Windows, we were preventing other processes from reading
- cached-routers while Tor was running. (Reported by janbar)
- - Check return values from pthread_mutex functions.
- - When opening /dev/null in finish_daemonize(), do not pass the
- O_CREAT flag. Fortify was complaining, and correctly so. Fixes
- bug 742; fix from Michael Scherer. Bugfix on 0.0.2pre19.
- o Controller features:
- - The GETCONF command now escapes and quotes configuration values
- that don't otherwise fit into the torrc file.
- - The SETCONF command now handles quoted values correctly.
- - Add "GETINFO/desc-annotations/id/<OR digest>" so controllers can
- ask about source, timestamp of arrival, purpose, etc. We need
- something like this to help Vidalia not do GeoIP lookups on bridge
- addresses.
- - Allow multiple HashedControlPassword config lines, to support
- multiple controller passwords.
- - Accept LF instead of CRLF on controller, since some software has a
- hard time generating real Internet newlines.
- - Add GETINFO values for the server status events
- "REACHABILITY_SUCCEEDED" and "GOOD_SERVER_DESCRIPTOR". Patch from
- Robert Hogan.
- - There is now an ugly, temporary "desc/all-recent-extrainfo-hack"
- GETINFO for Torstat to use until it can switch to using extrainfos.
- - New config option CookieAuthFile to choose a new location for the
- cookie authentication file, and config option
- CookieAuthFileGroupReadable to make it group-readable.
- - Add a SOURCE_ADDR field to STREAM NEW events so that controllers can
- match requests to applications. Patch from Robert Hogan.
- - Add a RESOLVE command to launch hostname lookups. Original patch
- from Robert Hogan.
- - Add GETINFO status/enough-dir-info to let controllers tell whether
- Tor has downloaded sufficient directory information. Patch from Tup.
- - You can now use the ControlSocket option to tell Tor to listen for
- controller connections on Unix domain sockets on systems that
- support them. Patch from Peter Palfrader.
- - New "GETINFO address-mappings/*" command to get address mappings
- with expiry information. "addr-mappings/*" is now deprecated.
- Patch from Tup.
- - Add a new config option __DisablePredictedCircuits designed for
- use by the controller, when we don't want Tor to build any circuits
- preemptively.
- - Let the controller specify HOP=%d as an argument to ATTACHSTREAM,
- so we can exit from the middle of the circuit.
- - Implement "getinfo status/circuit-established".
- - Implement "getinfo status/version/..." so a controller can tell
- whether the current version is recommended, and whether any versions
- are good, and how many authorities agree. Patch from "shibz".
- - Controllers should now specify cache=no or cache=yes when using
- the +POSTDESCRIPTOR command.
- - Add a "PURPOSE=" argument to "STREAM NEW" events, as suggested by
- Robert Hogan. Fixes the first part of bug 681.
- - When reporting clock skew, and we know that the clock is _at least
- as skewed_ as some value, but we don't know the actual value,
- report the value as a "minimum skew."
- o Controller bugfixes:
- - Generate "STATUS_SERVER" events rather than misspelled
- "STATUS_SEVER" events. Caught by mwenge.
- - Reject controller commands over 1MB in length, so rogue
- processes can't run us out of memory.
- - Change the behavior of "getinfo status/good-server-descriptor"
- so it doesn't return failure when any authority disappears.
- - Send NAMESERVER_STATUS messages for a single failed nameserver
- correctly.
- - When the DANGEROUS_VERSION controller status event told us we're
- running an obsolete version, it used the string "OLD" to describe
- it. Yet the "getinfo" interface used the string "OBSOLETE". Now use
- "OBSOLETE" in both cases.
- - Respond to INT and TERM SIGNAL commands before we execute the
- signal, in case the signal shuts us down. We had a patch in
- 0.1.2.1-alpha that tried to do this by queueing the response on
- the connection's buffer before shutting down, but that really
- isn't the same thing at all. Bug located by Matt Edman.
- - Provide DNS expiry times in GMT, not in local time. For backward
- compatibility, ADDRMAP events only provide GMT expiry in an extended
- field. "GETINFO address-mappings" always does the right thing.
- - Use CRLF line endings properly in NS events.
- - Make 'getinfo fingerprint' return a 551 error if we're not a
- server, so we match what the control spec claims we do. Reported
- by daejees.
- - Fix a typo in an error message when extendcircuit fails that
- caused us to not follow the \r\n-based delimiter protocol. Reported
- by daejees.
- - When tunneling an encrypted directory connection, and its first
- circuit fails, do not leave it unattached and ask the controller
- to deal. Fixes the second part of bug 681.
- - Treat some 403 responses from directory servers as INFO rather than
- WARN-severity events.
- o Portability / building / compiling:
- - When building with --enable-gcc-warnings, check for whether Apple's
- warning "-Wshorten-64-to-32" is available.
- - Support compilation to target iPhone; patch from cjacker huang.
- To build for iPhone, pass the --enable-iphone option to configure.
- - Port Tor to build and run correctly on Windows CE systems, using
- the wcecompat library. Contributed by Valerio Lupi.
- - Detect non-ASCII platforms (if any still exist) and refuse to
- build there: some of our code assumes that 'A' is 65 and so on.
- - Clear up some MIPSPro compiler warnings.
- - Make autoconf search for libevent, openssl, and zlib consistently.
- - Update deprecated macros in configure.in.
- - When warning about missing headers, tell the user to let us
- know if the compile succeeds anyway, so we can downgrade the
- warning.
- - Include the current subversion revision as part of the version
- string: either fetch it directly if we're in an SVN checkout, do
- some magic to guess it if we're in an SVK checkout, or use
- the last-detected version if we're building from a .tar.gz.
- Use this version consistently in log messages.
- - Correctly report platform name on Windows 95 OSR2 and Windows 98 SE.
- - Read resolv.conf files correctly on platforms where read() returns
- partial results on small file reads.
- - Build without verbose warnings even on gcc 4.2 and 4.3.
- - On Windows, correctly detect errors when listing the contents of
- a directory. Fix from lodger.
- - Run 'make test' as part of 'make dist', so we stop releasing so
- many development snapshots that fail their unit tests.
- - Add support to detect Libevent versions in the 1.4.x series
- on mingw.
- - Add command-line arguments to unit-test executable so that we can
- invoke any chosen test from the command line rather than having
- to run the whole test suite at once; and so that we can turn on
- logging for the unit tests.
- - Do not automatically run configure from autogen.sh. This
- non-standard behavior tended to annoy people who have built other
- programs.
- - Fix a macro/CPP interaction that was confusing some compilers:
- some GCCs don't like #if/#endif pairs inside macro arguments.
- Fixes bug 707.
- - Fix macro collision between OpenSSL 0.9.8h and Windows headers.
- Fixes bug 704; fix from Steven Murdoch.
- - Correctly detect transparent proxy support on Linux hosts that
- require in.h to be included before netfilter_ipv4.h. Patch
- from coderman.
- o Logging improvements:
- - When we haven't had any application requests lately, don't bother
- logging that we have expired a bunch of descriptors.
- - When attempting to open a logfile fails, tell us why.
- - Only log guard node status when guard node status has changed.
- - Downgrade the 3 most common "INFO" messages to "DEBUG". This will
- make "INFO" 75% less verbose.
- - When SafeLogging is disabled, log addresses along with all TLS
- errors.
- - Report TLS "zero return" case as a "clean close" and "IO error"
- as a "close". Stop calling closes "unexpected closes": existing
- Tors don't use SSL_close(), so having a connection close without
- the TLS shutdown handshake is hardly unexpected.
- - When we receive a consensus from the future, warn about skew.
- - Make "not enough dir info yet" warnings describe *why* Tor feels
- it doesn't have enough directory info yet.
- - On the USR1 signal, when dmalloc is in use, log the top 10 memory
- consumers. (We already do this on HUP.)
- - Give more descriptive well-formedness errors for out-of-range
- hidden service descriptor/protocol versions.
- - Stop recommending that every server operator send mail to tor-ops.
- Resolves bug 597. Bugfix on 0.1.2.x.
- - Improve skew reporting: try to give the user a better log message
- about how skewed they are, and how much this matters.
- - New --quiet command-line option to suppress the default console log.
- Good in combination with --hash-password.
- - Don't complain that "your server has not managed to confirm that its
- ports are reachable" if we haven't been able to build any circuits
- yet.
- - Detect the reason for failing to mmap a descriptor file we just
- wrote, and give a more useful log message. Fixes bug 533.
- - Always prepend "Bug: " to any log message about a bug.
- - When dumping memory usage, list bytes used in buffer memory
- free-lists.
- - When running with dmalloc, dump more stats on hup and on exit.
- - Put a platform string (e.g. "Linux i686") in the startup log
- message, so when people paste just their logs, we know if it's
- OpenBSD or Windows or what.
- - When logging memory usage, break down memory used in buffers by
- buffer type.
- - When we are reporting the DirServer line we just parsed, we were
- logging the second stanza of the key fingerprint, not the first.
- - Even though Windows is equally happy with / and \ as path separators,
- try to use \ consistently on Windows and / consistently on Unix: it
- makes the log messages nicer.
- - On OSX, stop warning the user that kqueue support in libevent is
- "experimental", since it seems to have worked fine for ages.
- o Contributed scripts and tools:
- - Update linux-tor-prio.sh script to allow QoS based on the uid of
- the Tor process. Patch from Marco Bonetti with tweaks from Mike
- Perry.
- - Include the "tor-ctrl.sh" bash script by Stefan Behte to provide
- Unix users an easy way to script their Tor process (e.g. by
- adjusting bandwidth based on the time of the day).
- - In the exitlist script, only consider the most recently published
- server descriptor for each server. Also, when the user requests
- a list of servers that _reject_ connections to a given address,
- explicitly exclude the IPs that also have servers that accept
- connections to that address. Resolves bug 405.
- - Include a new contrib/tor-exit-notice.html file that exit relay
- operators can put on their website to help reduce abuse queries.
- o Newly deprecated features:
- - The status/version/num-versioning and status/version/num-concurring
- GETINFO controller options are no longer useful in the v3 directory
- protocol: treat them as deprecated, and warn when they're used.
- - The RedirectExits config option is now deprecated.
- o Removed features:
- - Drop the old code to choke directory connections when the
- corresponding OR connections got full: thanks to the cell queue
- feature, OR conns don't get full any more.
- - Remove the old "dns worker" server DNS code: it hasn't been default
- since 0.1.2.2-alpha, and all the servers are using the new
- eventdns code.
- - Remove the code to generate the oldest (v1) directory format.
- - Remove support for the old bw_accounting file: we've been storing
- bandwidth accounting information in the state file since
- 0.1.2.5-alpha. This may result in bandwidth accounting errors
- if you try to upgrade from 0.1.1.x or earlier, or if you try to
- downgrade to 0.1.1.x or earlier.
- - Drop support for OpenSSL version 0.9.6. Just about nobody was using
- it, it had no AES, and it hasn't seen any security patches since
- 2004.
- - Stop overloading the circuit_t.onionskin field for both "onionskin
- from a CREATE cell that we are waiting for a cpuworker to be
- assigned" and "onionskin from an EXTEND cell that we are going to
- send to an OR as soon as we are connected". Might help with bug 600.
- - Remove the tor_strpartition() function: its logic was confused,
- and it was only used for one thing that could be implemented far
- more easily.
- - Remove the contrib scripts ExerciseServer.py, PathDemo.py,
- and TorControl.py, as they use the old v0 controller protocol,
- and are obsoleted by TorFlow anyway.
- - Drop support for v1 rendezvous descriptors, since we never used
- them anyway, and the code has probably rotted by now. Based on
- patch from Karsten Loesing.
- - Stop allowing address masks that do not correspond to bit prefixes.
- We have warned about these for a really long time; now it's time
- to reject them. (Patch from croup.)
- - Remove an optimization in the AES counter-mode code that assumed
- that the counter never exceeded 2^68. When the counter can be set
- arbitrarily as an IV (as it is by Karsten's new hidden services
- code), this assumption no longer holds.
- - Disable the SETROUTERPURPOSE controller command: it is now
- obsolete.
- Changes in version 0.1.2.19 - 2008-01-17
- Tor 0.1.2.19 fixes a huge memory leak on exit relays, makes the default
- exit policy a little bit more conservative so it's safer to run an
- exit relay on a home system, and fixes a variety of smaller issues.
- o Security fixes:
- - Exit policies now reject connections that are addressed to a
- relay's public (external) IP address too, unless
- ExitPolicyRejectPrivate is turned off. We do this because too
- many relays are running nearby to services that trust them based
- on network address.
- o Major bugfixes:
- - When the clock jumps forward a lot, do not allow the bandwidth
- buckets to become negative. Fixes bug 544.
- - Fix a memory leak on exit relays; we were leaking a cached_resolve_t
- on every successful resolve. Reported by Mike Perry.
- - Purge old entries from the "rephist" database and the hidden
- service descriptor database even when DirPort is zero.
- - Stop thinking that 0.1.2.x directory servers can handle "begin_dir"
- requests. Should ease bugs 406 and 419 where 0.1.2.x relays are
- crashing or mis-answering these requests.
- - When we decide to send a 503 response to a request for servers, do
- not then also send the server descriptors: this defeats the whole
- purpose. Fixes bug 539.
- o Minor bugfixes:
- - Changing the ExitPolicyRejectPrivate setting should cause us to
- rebuild our server descriptor.
- - Fix handling of hex nicknames when answering controller requests for
- networkstatus by name, or when deciding whether to warn about
- unknown routers in a config option. (Patch from mwenge.)
- - Fix a couple of hard-to-trigger autoconf problems that could result
- in really weird results on platforms whose sys/types.h files define
- nonstandard integer types.
- - Don't try to create the datadir when running --verify-config or
- --hash-password. Resolves bug 540.
- - If we were having problems getting a particular descriptor from the
- directory caches, and then we learned about a new descriptor for
- that router, we weren't resetting our failure count. Reported
- by lodger.
- - Although we fixed bug 539 (where servers would send HTTP status 503
- responses _and_ send a body too), there are still servers out there
- that haven't upgraded. Therefore, make clients parse such bodies
- when they receive them.
- - Run correctly on systems where rlim_t is larger than unsigned long.
- This includes some 64-bit systems.
- - Run correctly on platforms (like some versions of OS X 10.5) where
- the real limit for number of open files is OPEN_FILES, not rlim_max
- from getrlimit(RLIMIT_NOFILES).
- - Avoid a spurious free on base64 failure.
- - Avoid segfaults on certain complex invocations of
- router_get_by_hexdigest().
- - Fix rare bug on REDIRECTSTREAM control command when called with no
- port set: it could erroneously report an error when none had
- happened.
- Changes in version 0.1.2.18 - 2007-10-28
- Tor 0.1.2.18 fixes many problems including crash bugs, problems with
- hidden service introduction that were causing huge delays, and a big
- bug that was causing some servers to disappear from the network status
- lists for a few hours each day.
- o Major bugfixes (crashes):
- - If a connection is shut down abruptly because of something that
- happened inside connection_flushed_some(), do not call
- connection_finished_flushing(). Should fix bug 451:
- "connection_stop_writing: Assertion conn->write_event failed"
- Bugfix on 0.1.2.7-alpha.
- - Fix possible segfaults in functions called from
- rend_process_relay_cell().
- o Major bugfixes (hidden services):
- - Hidden services were choosing introduction points uniquely by
- hexdigest, but when constructing the hidden service descriptor
- they merely wrote the (potentially ambiguous) nickname.
- - Clients now use the v2 intro format for hidden service
- connections: they specify their chosen rendezvous point by identity
- digest rather than by (potentially ambiguous) nickname. These
- changes could speed up hidden service connections dramatically.
- o Major bugfixes (other):
- - Stop publishing a new server descriptor just because we get a
- HUP signal. This led (in a roundabout way) to some servers getting
- dropped from the networkstatus lists for a few hours each day.
- - When looking for a circuit to cannibalize, consider family as well
- as identity. Fixes bug 438. Bugfix on 0.1.0.x (which introduced
- circuit cannibalization).
- - When a router wasn't listed in a new networkstatus, we were leaving
- the flags for that router alone -- meaning it remained Named,
- Running, etc -- even though absence from the networkstatus means
- that it shouldn't be considered to exist at all anymore. Now we
- clear all the flags for routers that fall out of the networkstatus
- consensus. Fixes bug 529.
- o Minor bugfixes:
- - Don't try to access (or alter) the state file when running
- --list-fingerprint or --verify-config or --hash-password. Resolves
- bug 499.
- - When generating information telling us how to extend to a given
- router, do not try to include the nickname if it is
- absent. Resolves bug 467.
- - Fix a user-triggerable segfault in expand_filename(). (There isn't
- a way to trigger this remotely.)
- - When sending a status event to the controller telling it that an
- OR address is reachable, set the port correctly. (Previously we
- were reporting the dir port.)
- - Fix a minor memory leak whenever a controller sends the PROTOCOLINFO
- command. Bugfix on 0.1.2.17.
- - When loading bandwidth history, do not believe any information in
- the future. Fixes bug 434.
- - When loading entry guard information, do not believe any information
- in the future.
- - When we have our clock set far in the future and generate an
- onion key, then re-set our clock to be correct, we should not stop
- the onion key from getting rotated.
- - On some platforms, accept() can return a broken address. Detect
- this more quietly, and deal accordingly. Fixes bug 483.
- - It's not actually an error to find a non-pending entry in the DNS
- cache when canceling a pending resolve. Don't log unless stuff
- is fishy. Resolves bug 463.
- - Don't reset trusted dir server list when we set a configuration
- option. Patch from Robert Hogan.
- Changes in version 0.1.2.17 - 2007-08-30
- Tor 0.1.2.17 features a new Vidalia version in the Windows and OS
- X bundles. Vidalia 0.0.14 makes authentication required for the
- ControlPort in the default configuration, which addresses important
- security risks. Everybody who uses Vidalia (or another controller)
- should upgrade.
- In addition, this Tor update fixes major load balancing problems with
- path selection, which should speed things up a lot once many people
- have upgraded.
- o Major bugfixes (security):
- - We removed support for the old (v0) control protocol. It has been
- deprecated since Tor 0.1.1.1-alpha, and keeping it secure has
- become more of a headache than it's worth.
- o Major bugfixes (load balancing):
- - When choosing nodes for non-guard positions, weight guards
- proportionally less, since they already have enough load. Patch
- from Mike Perry.
- - Raise the "max believable bandwidth" from 1.5MB/s to 10MB/s. This
- will allow fast Tor servers to get more attention.
- - When we're upgrading from an old Tor version, forget our current
- guards and pick new ones according to the new weightings. These
- three load balancing patches could raise effective network capacity
- by a factor of four. Thanks to Mike Perry for measurements.
- o Major bugfixes (stream expiration):
- - Expire not-yet-successful application streams in all cases if
- they've been around longer than SocksTimeout. Right now there are
- some cases where the stream will live forever, demanding a new
- circuit every 15 seconds. Fixes bug 454; reported by lodger.
- o Minor features (controller):
- - Add a PROTOCOLINFO controller command. Like AUTHENTICATE, it
- is valid before any authentication has been received. It tells
- a controller what kind of authentication is expected, and what
- protocol is spoken. Implements proposal 119.
- o Minor bugfixes (performance):
- - Save on most routerlist_assert_ok() calls in routerlist.c, thus
- greatly speeding up loading cached-routers from disk on startup.
- - Disable sentinel-based debugging for buffer code: we squashed all
- the bugs that this was supposed to detect a long time ago, and now
- its only effect is to change our buffer sizes from nice powers of
- two (which platform mallocs tend to like) to values slightly over
- powers of two (which make some platform mallocs sad).
- o Minor bugfixes (misc):
- - If exit bandwidth ever exceeds one third of total bandwidth, then
- use the correct formula to weight exit nodes when choosing paths.
- Based on patch from Mike Perry.
- - Choose perfectly fairly among routers when choosing by bandwidth and
- weighting by fraction of bandwidth provided by exits. Previously, we
- would choose with only approximate fairness, and correct ourselves
- if we ran off the end of the list.
- - If we require CookieAuthentication but we fail to write the
- cookie file, we would warn but not exit, and end up in a state
- where no controller could authenticate. Now we exit.
- - If we require CookieAuthentication, stop generating a new cookie
- every time we change any piece of our config.
- - Refuse to start with certain directory authority keys, and
- encourage people using them to stop.
- - Terminate multi-line control events properly. Original patch
- from tup.
- - Fix a minor memory leak when we fail to find enough suitable
- servers to choose a circuit.
- - Stop leaking part of the descriptor when we run into a particularly
- unparseable piece of it.
- Changes in version 0.1.2.16 - 2007-08-01
- Tor 0.1.2.16 fixes a critical security vulnerability that allows a
- remote attacker in certain situations to rewrite the user's torrc
- configuration file. This can completely compromise anonymity of users
- in most configurations, including those running the Vidalia bundles,
- TorK, etc. Or worse.
- o Major security fixes:
- - Close immediately after missing authentication on control port;
- do not allow multiple authentication attempts.
- Changes in version 0.1.2.15 - 2007-07-17
- Tor 0.1.2.15 fixes several crash bugs, fixes some anonymity-related
- problems, fixes compilation on BSD, and fixes a variety of other
- bugs. Everybody should upgrade.
- o Major bugfixes (compilation):
- - Fix compile on FreeBSD/NetBSD/OpenBSD. Oops.
- o Major bugfixes (crashes):
- - Try even harder not to dereference the first character after
- an mmap(). Reported by lodger.
- - Fix a crash bug in directory authorities when we re-number the
- routerlist while inserting a new router.
- - When the cached-routers file is an even multiple of the page size,
- don't run off the end and crash. (Fixes bug 455; based on idea
- from croup.)
- - Fix eventdns.c behavior on Solaris: It is critical to include
- orconfig.h _before_ sys/types.h, so that we can get the expected
- definition of _FILE_OFFSET_BITS.
- o Major bugfixes (security):
- - Fix a possible buffer overrun when using BSD natd support. Bug
- found by croup.
- - When sending destroy cells from a circuit's origin, don't include
- the reason for tearing down the circuit. The spec says we didn't,
- and now we actually don't. Reported by lodger.
- - Keep streamids from different exits on a circuit separate. This
- bug may have allowed other routers on a given circuit to inject
- cells into streams. Reported by lodger; fixes bug 446.
- - If there's a never-before-connected-to guard node in our list,
- never choose any guards past it. This way we don't expand our
- guard list unless we need to.
- o Minor bugfixes (guard nodes):
- - Weight guard selection by bandwidth, so that low-bandwidth nodes
- don't get overused as guards.
- o Minor bugfixes (directory):
- - Correctly count the number of authorities that recommend each
- version. Previously, we were under-counting by 1.
- - Fix a potential crash bug when we load many server descriptors at
- once and some of them make others of them obsolete. Fixes bug 458.
- o Minor bugfixes (hidden services):
- - Stop tearing down the whole circuit when the user asks for a
- connection to a port that the hidden service didn't configure.
- Resolves bug 444.
- o Minor bugfixes (misc):
- - On Windows, we were preventing other processes from reading
- cached-routers while Tor was running. Reported by janbar.
- - Fix a possible (but very unlikely) bug in picking routers by
- bandwidth. Add a log message to confirm that it is in fact
- unlikely. Patch from lodger.
- - Backport a couple of memory leak fixes.
- - Backport miscellaneous cosmetic bugfixes.
- Changes in version 0.1.2.14 - 2007-05-25
- Tor 0.1.2.14 changes the addresses of two directory authorities (this
- change especially affects those who serve or use hidden services),
- and fixes several other crash- and security-related bugs.
- o Directory authority changes:
- - Two directory authorities (moria1 and moria2) just moved to new
- IP addresses. This change will particularly affect those who serve
- or use hidden services.
- o Major bugfixes (crashes):
- - If a directory server runs out of space in the connection table
- as it's processing a begin_dir request, it will free the exit stream
- but leave it attached to the circuit, leading to unpredictable
- behavior. (Reported by seeess, fixes bug 425.)
- - Fix a bug in dirserv_remove_invalid() that would cause authorities
- to corrupt memory under some really unlikely scenarios.
- - Tighten router parsing rules. (Bugs reported by Benedikt Boss.)
- - Avoid segfaults when reading from mmaped descriptor file. (Reported
- by lodger.)
- o Major bugfixes (security):
- - When choosing an entry guard for a circuit, avoid using guards
- that are in the same family as the chosen exit -- not just guards
- that are exactly the chosen exit. (Reported by lodger.)
- o Major bugfixes (resource management):
- - If a directory authority is down, skip it when deciding where to get
- networkstatus objects or descriptors. Otherwise we keep asking
- every 10 seconds forever. Fixes bug 384.
- - Count it as a failure if we fetch a valid network-status but we
- don't want to keep it. Otherwise we'll keep fetching it and keep
- not wanting to keep it. Fixes part of bug 422.
- - If all of our dirservers have given us bad or no networkstatuses
- lately, then stop hammering them once per minute even when we
- think they're failed. Fixes another part of bug 422.
- o Minor bugfixes:
- - Actually set the purpose correctly for descriptors inserted with
- purpose=controller.
- - When we have k non-v2 authorities in our DirServer config,
- we ignored the last k authorities in the list when updating our
- network-statuses.
- - Correctly back-off from requesting router descriptors that we are
- having a hard time downloading.
- - Read resolv.conf files correctly on platforms where read() returns
- partial results on small file reads.
- - Don't rebuild the entire router store every time we get 32K of
- routers: rebuild it when the journal gets very large, or when
- the gaps in the store get very large.
- o Minor features:
- - When routers publish SVN revisions in their router descriptors,
- authorities now include those versions correctly in networkstatus
- documents.
- - Warn when using a version of libevent before 1.3b to run a server on
- OSX or BSD: these versions interact badly with userspace threads.
- Changes in version 0.1.2.13 - 2007-04-24
- This release features some major anonymity fixes, such as safer path
- selection; better client performance; faster bootstrapping, better
- address detection, and better DNS support for servers; write limiting as
- well as read limiting to make servers easier to run; and a huge pile of
- other features and bug fixes. The bundles also ship with Vidalia 0.0.11.
- Tor 0.1.2.13 is released in memory of Rob Levin (1955-2006), aka lilo
- of the Freenode IRC network, remembering his patience and vision for
- free speech on the Internet.
- o Major features, client performance:
- - Weight directory requests by advertised bandwidth. Now we can
- let servers enable write limiting but still allow most clients to
- succeed at their directory requests. (We still ignore weights when
- choosing a directory authority; I hope this is a feature.)
- - Stop overloading exit nodes -- avoid choosing them for entry or
- middle hops when the total bandwidth available from non-exit nodes
- is much higher than the total bandwidth available from exit nodes.
- - Rather than waiting a fixed amount of time between retrying
- application connections, we wait only 10 seconds for the first,
- 10 seconds for the second, and 15 seconds for each retry after
- that. Hopefully this will improve the expected user experience.
- - Sometimes we didn't bother sending a RELAY_END cell when an attempt
- to open a stream fails; now we do in more cases. This should
- make clients able to find a good exit faster in some cases, since
- unhandleable requests will now get an error rather than timing out.
- o Major features, client functionality:
- - Implement BEGIN_DIR cells, so we can connect to a directory
- server via TLS to do encrypted directory requests rather than
- plaintext. Enable via the TunnelDirConns and PreferTunneledDirConns
- config options if you like. For now, this feature only works if
- you already have a descriptor for the destination dirserver.
- - Add support for transparent application connections: this basically
- bundles the functionality of trans-proxy-tor into the Tor
- mainline. Now hosts with compliant pf/netfilter implementations
- can redirect TCP connections straight to Tor without diverting
- through SOCKS. (Based on patch from tup.)
- - Add support for using natd; this allows FreeBSDs earlier than
- 5.1.2 to have ipfw send connections through Tor without using
- SOCKS. (Patch from Zajcev Evgeny with tweaks from tup.)
- o Major features, servers:
- - Setting up a dyndns name for your server is now optional: servers
- with no hostname or IP address will learn their IP address by
- asking the directory authorities. This code only kicks in when you
- would normally have exited with a "no address" error. Nothing's
- authenticated, so use with care.
- - Directory servers now spool server descriptors, v1 directories,
- and v2 networkstatus objects to buffers as needed rather than en
- masse. They also mmap the cached-routers files. These steps save
- lots of memory.
- - Stop requiring clients to have well-formed certificates, and stop
- checking nicknames in certificates. (Clients have certificates so
- that they can look like Tor servers, but in the future we might want
- to allow them to look like regular TLS clients instead. Nicknames
- in certificates serve no purpose other than making our protocol
- easier to recognize on the wire.) Implements proposal 106.
- o Improvements on DNS support:
- - Add "eventdns" asynchronous dns library originally based on code
- from Adam Langley. Now we can discard the old rickety dnsworker
- concept, and support a wider variety of DNS functions. Allows
- multithreaded builds on NetBSD and OpenBSD again.
- - Add server-side support for "reverse" DNS lookups (using PTR
- records so clients can determine the canonical hostname for a given
- IPv4 address). Only supported by servers using eventdns; servers
- now announce in their descriptors if they don't support eventdns.
- - Workaround for name servers (like Earthlink's) that hijack failing
- DNS requests and replace the no-such-server answer with a "helpful"
- redirect to an advertising-driven search portal. Also work around
- DNS hijackers who "helpfully" decline to hijack known-invalid
- RFC2606 addresses. Config option "ServerDNSDetectHijacking 0"
- lets you turn it off.
- - Servers now check for the case when common DNS requests are going to
- wildcarded addresses (i.e. all getting the same answer), and change
- their exit policy to reject *:* if it's happening.
- - When asked to resolve a hostname, don't use non-exit servers unless
- requested to do so. This allows servers with broken DNS to be
- useful to the network.
- - Start passing "ipv4" hints to getaddrinfo(), so servers don't do
- useless IPv6 DNS resolves.
- - Specify and implement client-side SOCKS5 interface for reverse DNS
- lookups (see doc/socks-extensions.txt). Also cache them.
- - When we change nameservers or IP addresses, reset and re-launch
- our tests for DNS hijacking.
- o Improvements on reachability testing:
- - Servers send out a burst of long-range padding cells once they've
- established that they're reachable. Spread them over 4 circuits,
- so hopefully a few will be fast. This exercises bandwidth and
- bootstraps them into the directory more quickly.
- - When we find our DirPort to be reachable, publish a new descriptor
- so we'll tell the world (reported by pnx).
- - Directory authorities now only decide that routers are reachable
- if their identity keys are as expected.
- - Do DirPort reachability tests less often, since a single test
- chews through many circuits before giving up.
- - Avoid some false positives during reachability testing: don't try
- to test via a server that's on the same /24 network as us.
- - Start publishing one minute or so after we find our ORPort
- to be reachable. This will help reduce the number of descriptors
- we have for ourselves floating around, since it's quite likely
- other things (e.g. DirPort) will change during that minute too.
- - Routers no longer try to rebuild long-term connections to directory
- authorities, and directory authorities no longer try to rebuild
- long-term connections to all servers. We still don't hang up
- connections in these two cases though -- we need to look at it
- more carefully to avoid flapping, and we likely need to wait til
- 0.1.1.x is obsolete.
- o Improvements on rate limiting:
- - Enable write limiting as well as read limiting. Now we sacrifice
- capacity if we're pushing out lots of directory traffic, rather
- than overrunning the user's intended bandwidth limits.
- - Include TLS overhead when counting bandwidth usage; previously, we
- would count only the bytes sent over TLS, but not the bytes used
- to send them.
- - Servers decline directory requests much more aggressively when
- they're low on bandwidth. Otherwise they end up queueing more and
- more directory responses, which can't be good for latency.
- - But never refuse directory requests from local addresses.
- - Be willing to read or write on local connections (e.g. controller
- connections) even when the global rate limiting buckets are empty.
- - Flush local controller connection buffers periodically as we're
- writing to them, so we avoid queueing 4+ megabytes of data before
- trying to flush.
- - Revise and clean up the torrc.sample that we ship with; add
- a section for BandwidthRate and BandwidthBurst.
- o Major features, NT services:
- - Install as NT_AUTHORITY\LocalService rather than as SYSTEM; add a
- command-line flag so that admins can override the default by saying
- "tor --service install --user "SomeUser"". This will not affect
- existing installed services. Also, warn the user that the service
- will look for its configuration file in the service user's
- %appdata% directory. (We can't do the "hardwire the user's appdata
- directory" trick any more, since we may not have read access to that
- directory.)
- - Support running the Tor service with a torrc not in the same
- directory as tor.exe and default to using the torrc located in
- the %appdata%\Tor\ of the user who installed the service. Patch
- from Matt Edman.
- - Add an --ignore-missing-torrc command-line option so that we can
- get the "use sensible defaults if the configuration file doesn't
- exist" behavior even when specifying a torrc location on the
- command line.
- - When stopping an NT service, wait up to 10 sec for it to actually
- stop. (Patch from Matt Edman; resolves bug 295.)
- o Directory authority improvements:
- - Stop letting hibernating or obsolete servers affect uptime and
- bandwidth cutoffs.
- - Stop listing hibernating servers in the v1 directory.
- - Authorities no longer recommend exits as guards if this would shift
- too much load to the exit nodes.
- - Authorities now specify server versions in networkstatus. This adds
- about 2% to the size of compressed networkstatus docs, and allows
- clients to tell which servers support BEGIN_DIR and which don't.
- The implementation is forward-compatible with a proposed future
- protocol version scheme not tied to Tor versions.
- - DirServer configuration lines now have an orport= option so
- clients can open encrypted tunnels to the authorities without
- having downloaded their descriptors yet. Enabled for moria1,
- moria2, tor26, and lefkada now in the default configuration.
- - Add a BadDirectory flag to network status docs so that authorities
- can (eventually) tell clients about caches they believe to be
- broken. Not used yet.
- - Allow authorities to list nodes as bad exits in their
- approved-routers file by fingerprint or by address. If most
- authorities set a BadExit flag for a server, clients don't think
- of it as a general-purpose exit. Clients only consider authorities
- that advertise themselves as listing bad exits.
- - Patch from Steve Hildrey: Generate network status correctly on
- non-versioning dirservers.
- - Have directory authorities allow larger amounts of drift in uptime
- without replacing the server descriptor: previously, a server that
- restarted every 30 minutes could have 48 "interesting" descriptors
- per day.
- - Reserve the nickname "Unnamed" for routers that can't pick
- a hostname: any router can call itself Unnamed; directory
- authorities will never allocate Unnamed to any particular router;
- clients won't believe that any router is the canonical Unnamed.
- o Directory mirrors and clients:
- - Discard any v1 directory info that's over 1 month old (for
- directories) or over 1 week old (for running-routers lists).
- - Clients track responses with status 503 from dirservers. After a
- dirserver has given us a 503, we try not to use it until an hour has
- gone by, or until we have no dirservers that haven't given us a 503.
- - When we get a 503 from a directory, and we're not a server, we no
- longer count the failure against the total number of failures
- allowed for the object we're trying to download.
- - Prepare for servers to publish descriptors less often: never
- discard a descriptor simply for being too old until either it is
- recommended by no authorities, or until we get a better one for
- the same router. Make caches consider retaining old recommended
- routers for even longer.
- - Directory servers now provide 'Pragma: no-cache' and 'Expires'
- headers for content, so that we can work better in the presence of
- caching HTTP proxies.
- - Stop fetching descriptors if you're not a dir mirror and you
- haven't tried to establish any circuits lately. (This currently
- causes some dangerous behavior, because when you start up again
- you'll use your ancient server descriptors.)
- o Major fixes, crashes:
- - Stop crashing when the controller asks us to resetconf more than
- one config option at once. (Vidalia 0.0.11 does this.)
- - Fix a longstanding obscure crash bug that could occur when we run
- out of DNS worker processes, if we're not using eventdns. (Resolves
- bug 390.)
- - Fix an assert that could trigger if a controller quickly set then
- cleared EntryNodes. (Bug found by Udo van den Heuvel.)
- - Avoid crash when telling controller about stream-status and a
- stream is detached.
- - Avoid sending junk to controllers or segfaulting when a controller
- uses EVENT_NEW_DESC with verbose nicknames.
- - Stop triggering asserts if the controller tries to extend hidden
- service circuits (reported by mwenge).
- - If we start a server with ClientOnly 1, then set ClientOnly to 0
- and hup, stop triggering an assert based on an empty onion_key.
- - Mask out all signals in sub-threads; only the libevent signal
- handler should be processing them. This should prevent some crashes
- on some machines using pthreads. (Patch from coderman.)
- - Disable kqueue on OS X 10.3 and earlier, to fix bug 371.
- o Major fixes, anonymity/security:
- - Automatically avoid picking more than one node from the same
- /16 network when constructing a circuit. Add an
- "EnforceDistinctSubnets" option to let people disable it if they
- want to operate private test networks on a single subnet.
- - When generating bandwidth history, round down to the nearest
- 1k. When storing accounting data, round up to the nearest 1k.
- - When we're running as a server, remember when we last rotated onion
- keys, so that we will rotate keys once they're a week old even if
- we never stay up for a week ourselves.
- - If a client asked for a server by name, and there's a named server
- in our network-status but we don't have its descriptor yet, we
- could return an unnamed server instead.
- - Reject (most) attempts to use Tor circuits with length one. (If
- many people start using Tor as a one-hop proxy, exit nodes become
- a more attractive target for compromise.)
- - Just because your DirPort is open doesn't mean people should be
- able to remotely teach you about hidden service descriptors. Now
- only accept rendezvous posts if you've got HSAuthoritativeDir set.
- - Fix a potential race condition in the rpm installer. Found by
- Stefan Nordhausen.
- - Do not log IPs with TLS failures for incoming TLS
- connections. (Fixes bug 382.)
- o Major fixes, other:
- - If our system clock jumps back in time, don't publish a negative
- uptime in the descriptor.
- - When we start during an accounting interval before it's time to wake
- up, remember to wake up at the correct time. (May fix bug 342.)
- - Previously, we would cache up to 16 old networkstatus documents
- indefinitely, if they came from nontrusted authorities. Now we
- discard them if they are more than 10 days old.
- - When we have a state file we cannot parse, tell the user and
- move it aside. Now we avoid situations where the user starts
- Tor in 1904, Tor writes a state file with that timestamp in it,
- the user fixes her clock, and Tor refuses to start.
- - Publish a new descriptor after we hup/reload. This is important
- if our config has changed such that we'll want to start advertising
- our DirPort now, etc.
- - If we are using an exit enclave and we can't connect, e.g. because
- its webserver is misconfigured to not listen on localhost, then
- back off and try connecting from somewhere else before we fail.
- o New config options or behaviors:
- - When EntryNodes are configured, rebuild the guard list to contain,
- in order: the EntryNodes that were guards before; the rest of the
- EntryNodes; the nodes that were guards before.
- - Do not warn when individual nodes in the configuration's EntryNodes,
- ExitNodes, etc are down: warn only when all possible nodes
- are down. (Fixes bug 348.)
- - Put a lower-bound on MaxAdvertisedBandwidth.
- - Start using the state file to store bandwidth accounting data:
- the bw_accounting file is now obsolete. We'll keep generating it
- for a while for people who are still using 0.1.2.4-alpha.
- - Try to batch changes to the state file so that we do as few
- disk writes as possible while still storing important things in
- a timely fashion.
- - The state file and the bw_accounting file get saved less often when
- the AvoidDiskWrites config option is set.
- - Make PIDFile work on Windows.
- - Add internal descriptions for a bunch of configuration options:
- accessible via controller interface and in comments in saved
- options files.
- - Reject *:563 (NNTPS) in the default exit policy. We already reject
- NNTP by default, so this seems like a sensible addition.
- - Clients now reject hostnames with invalid characters. This should
- avoid some inadvertent info leaks. Add an option
- AllowNonRFC953Hostnames to disable this behavior, in case somebody
- is running a private network with hosts called @, !, and #.
- - Check for addresses with invalid characters at the exit as well,
- and warn less verbosely when they fail. You can override this by
- setting ServerDNSAllowNonRFC953Addresses to 1.
- - Remove some options that have been deprecated since at least
- 0.1.0.x: AccountingMaxKB, LogFile, DebugLogFile, LogLevel, and
- SysLog. Use AccountingMax instead of AccountingMaxKB, and use Log
- to set log options. Mark PathlenCoinWeight as obsolete.
- - Stop accepting certain malformed ports in configured exit policies.
- - When the user uses bad syntax in the Log config line, stop
- suggesting other bad syntax as a replacement.
- - Add new config option "ResolvConf" to let the server operator
- choose an alternate resolve.conf file when using eventdns.
- - If one of our entry guards is on the ExcludeNodes list, or the
- directory authorities don't think it's a good guard, treat it as
- if it were unlisted: stop using it as a guard, and throw it off
- the guards list if it stays that way for a long time.
- - Allow directory authorities to be marked separately as authorities
- for the v1 directory protocol, the v2 directory protocol, and
- as hidden service directories, to make it easier to retire old
- authorities. V1 authorities should set "HSAuthoritativeDir 1"
- to continue being hidden service authorities too.
- - Remove 8888 as a LongLivedPort, and add 6697 (IRCS).
- - Make TrackExitHosts case-insensitive, and fix the behavior of
- ".suffix" TrackExitHosts items to avoid matching in the middle of
- an address.
- - New DirPort behavior: if you have your dirport set, you download
- descriptors aggressively like a directory mirror, whether or not
- your ORPort is set.
- o Docs:
- - Create a new file ReleaseNotes which was the old ChangeLog. The
- new ChangeLog file now includes the notes for all development
- versions too.
- - Add a new address-spec.txt document to describe our special-case
- addresses: .exit, .onion, and .noconnnect.
- - Fork the v1 directory protocol into its own spec document,
- and mark dir-spec.txt as the currently correct (v2) spec.
- o Packaging, porting, and contrib
- - "tor --verify-config" now exits with -1(255) or 0 depending on
- whether the config options are bad or good.
- - The Debian package now uses --verify-config when (re)starting,
- to distinguish configuration errors from other errors.
- - Adapt a patch from goodell to let the contrib/exitlist script
- take arguments rather than require direct editing.
- - Prevent the contrib/exitlist script from printing the same
- result more than once.
- - Add support to tor-resolve tool for reverse lookups and SOCKS5.
- - In the hidden service example in torrc.sample, stop recommending
- esoteric and discouraged hidden service options.
- - Patch from Michael Mohr to contrib/cross.sh, so it checks more
- values before failing, and always enables eventdns.
- - Try to detect Windows correctly when cross-compiling.
- - Libevent-1.2 exports, but does not define in its headers, strlcpy.
- Try to fix this in configure.in by checking for most functions
- before we check for libevent.
- - Update RPMs to require libevent 1.2.
- - Experimentally re-enable kqueue on OSX when using libevent 1.1b
- or later. Log when we are doing this, so we can diagnose it when
- it fails. (Also, recommend libevent 1.1b for kqueue and
- win32 methods; deprecate libevent 1.0b harder; make libevent
- recommendation system saner.)
- - Build with recent (1.3+) libevents on platforms that do not
- define the nonstandard types "u_int8_t" and friends.
- - Remove architecture from OS X builds. The official builds are
- now universal binaries.
- - Run correctly on OS X platforms with case-sensitive filesystems.
- - Correctly set maximum connection limit on Cygwin. (This time
- for sure!)
- - Start compiling on MinGW on Windows (patches from Mike Chiussi
- and many others).
- - Start compiling on MSVC6 on Windows (patches from Frediano Ziglio).
- - Finally fix the openssl warnings from newer gccs that believe that
- ignoring a return value is okay, but casting a return value and
- then ignoring it is a sign of madness.
- - On architectures where sizeof(int)>4, still clamp declarable
- bandwidth to INT32_MAX.
- o Minor features, controller:
- - Warn the user when an application uses the obsolete binary v0
- control protocol. We're planning to remove support for it during
- the next development series, so it's good to give people some
- advance warning.
- - Add STREAM_BW events to report per-entry-stream bandwidth
- use. (Patch from Robert Hogan.)
- - Rate-limit SIGNEWNYM signals in response to controllers that
- impolitely generate them for every single stream. (Patch from
- mwenge; closes bug 394.)
- - Add a REMAP status to stream events to note that a stream's
- address has changed because of a cached address or a MapAddress
- directive.
- - Make REMAP stream events have a SOURCE (cache or exit), and
- make them generated in every case where we get a successful
- connected or resolved cell.
- - Track reasons for OR connection failure; make these reasons
- available via the controller interface. (Patch from Mike Perry.)
- - Add a SOCKS_BAD_HOSTNAME client status event so controllers
- can learn when clients are sending malformed hostnames to Tor.
- - Specify and implement some of the controller status events.
- - Have GETINFO dir/status/* work on hosts with DirPort disabled.
- - Reimplement GETINFO so that info/names stays in sync with the
- actual keys.
- - Implement "GETINFO fingerprint".
- - Implement "SETEVENTS GUARD" so controllers can get updates on
- entry guard status as it changes.
- - Make all connections to addresses of the form ".noconnect"
- immediately get closed. This lets application/controller combos
- successfully test whether they're talking to the same Tor by
- watching for STREAM events.
- - Add a REASON field to CIRC events; for backward compatibility, this
- field is sent only to controllers that have enabled the extended
- event format. Also, add additional reason codes to explain why
- a given circuit has been destroyed or truncated. (Patches from
- Mike Perry)
- - Add a REMOTE_REASON field to extended CIRC events to tell the
- controller why a remote OR told us to close a circuit.
- - Stream events also now have REASON and REMOTE_REASON fields,
- working much like those for circuit events.
- - There's now a GETINFO ns/... field so that controllers can ask Tor
- about the current status of a router.
- - A new event type "NS" to inform a controller when our opinion of
- a router's status has changed.
- - Add a GETINFO events/names and GETINFO features/names so controllers
- can tell which events and features are supported.
- - A new CLEARDNSCACHE signal to allow controllers to clear the
- client-side DNS cache without expiring circuits.
- - Fix CIRC controller events so that controllers can learn the
- identity digests of non-Named servers used in circuit paths.
- - Let controllers ask for more useful identifiers for servers. Instead
- of learning identity digests for un-Named servers and nicknames
- for Named servers, the new identifiers include digest, nickname,
- and indication of Named status. Off by default; see control-spec.txt
- for more information.
- - Add a "getinfo address" controller command so it can display Tor's
- best guess to the user.
- - New controller event to alert the controller when our server
- descriptor has changed.
- - Give more meaningful errors on controller authentication failure.
- - Export the default exit policy via the control port, so controllers
- don't need to guess what it is / will be later.
- o Minor bugfixes, controller:
- - When creating a circuit via the controller, send a 'launched'
- event when we're done, so we follow the spec better.
- - Correct the control spec to match how the code actually responds
- to 'getinfo addr-mappings/*'. Reported by daejees.
- - The control spec described a GUARDS event, but the code
- implemented a GUARD event. Standardize on GUARD, but let people
- ask for GUARDS too. Reported by daejees.
- - Give the controller END_STREAM_REASON_DESTROY events _before_ we
- clear the corresponding on_circuit variable, and remember later
- that we don't need to send a redundant CLOSED event. (Resolves part
- 3 of bug 367.)
- - Report events where a resolve succeeded or where we got a socks
- protocol error correctly, rather than calling both of them
- "INTERNAL".
- - Change reported stream target addresses to IP consistently when
- we finally get the IP from an exit node.
- - Send log messages to the controller even if they happen to be very
- long.
- - Flush ERR-level controller status events just like we currently
- flush ERR-level log events, so that a Tor shutdown doesn't prevent
- the controller from learning about current events.
- - Report the circuit number correctly in STREAM CLOSED events. Bug
- reported by Mike Perry.
- - Do not report bizarre values for results of accounting GETINFOs
- when the last second's write or read exceeds the allotted bandwidth.
- - Report "unrecognized key" rather than an empty string when the
- controller tries to fetch a networkstatus that doesn't exist.
- - When the controller does a "GETINFO network-status", tell it
- about even those routers whose descriptors are very old, and use
- long nicknames where appropriate.
- - Fix handling of verbose nicknames with ORCONN controller events:
- make them show up exactly when requested, rather than exactly when
- not requested.
- - Controller signals now work on non-Unix platforms that don't define
- SIGUSR1 and SIGUSR2 the way we expect.
- - Respond to SIGNAL command before we execute the signal, in case
- the signal shuts us down. Suggested by Karsten Loesing.
- - Handle reporting OR_CONN_EVENT_NEW events to the controller.
- o Minor features, code performance:
- - Major performance improvement on inserting descriptors: change
- algorithm from O(n^2) to O(n).
- - Do not rotate onion key immediately after setting it for the first
- time.
- - Call router_have_min_dir_info half as often. (This is showing up in
- some profiles, but not others.)
- - When using GCC, make log_debug never get called at all, and its
- arguments never get evaluated, when no debug logs are configured.
- (This is showing up in some profiles, but not others.)
- - Statistics dumped by -USR2 now include a breakdown of public key
- operations, for profiling.
- - Make the common memory allocation path faster on machines where
- malloc(0) returns a pointer.
- - Split circuit_t into origin_circuit_t and or_circuit_t, and
- split connection_t into edge, or, dir, control, and base structs.
- These will save quite a bit of memory on busy servers, and they'll
- also help us track down bugs in the code and bugs in the spec.
- - Use OpenSSL's AES implementation on platforms where it's faster.
- This could save us as much as 10% CPU usage.
- o Minor features, descriptors and descriptor handling:
- - Avoid duplicate entries on MyFamily line in server descriptor.
- - When Tor receives a router descriptor that it asked for, but
- no longer wants (because it has received fresh networkstatuses
- in the meantime), do not warn the user. Cache the descriptor if
- we're a cache; drop it if we aren't.
- - Servers no longer ever list themselves in their "family" line,
- even if configured to do so. This makes it easier to configure
- family lists conveniently.
- o Minor fixes, confusing/misleading log messages:
- - Display correct results when reporting which versions are
- recommended, and how recommended they are. (Resolves bug 383.)
- - Inform the server operator when we decide not to advertise a
- DirPort due to AccountingMax enabled or a low BandwidthRate.
- - Only include function names in log messages for info/debug messages.
- For notice/warn/err, the content of the message should be clear on
- its own, and printing the function name only confuses users.
- - Remove even more protocol-related warnings from Tor server logs,
- such as bad TLS handshakes and malformed begin cells.
- - Fix bug 314: Tor clients issued "unsafe socks" warnings even
- when the IP address is mapped through MapAddress to a hostname.
- - Fix misleading log messages: an entry guard that is "unlisted",
- as well as not known to be "down" (because we've never heard
- of it), is not therefore "up".
- o Minor fixes, old/obsolete behavior:
- - Start assuming we can use a create_fast cell if we don't know
- what version a router is running.
- - We no longer look for identity and onion keys in "identity.key" and
- "onion.key" -- these were replaced by secret_id_key and
- secret_onion_key in 0.0.8pre1.
- - We no longer require unrecognized directory entries to be
- preceded by "opt".
- - Drop compatibility with obsolete Tors that permit create cells
- to have the wrong circ_id_type.
- - Remove code to special-case "-cvs" ending, since it has not
- actually mattered since 0.0.9.
- - Don't re-write the fingerprint file every restart, unless it has
- changed.
- o Minor fixes, misc client-side behavior:
- - Always remove expired routers and networkstatus docs before checking
- whether we have enough information to build circuits. (Fixes
- bug 373.)
- - When computing clock skew from directory HTTP headers, consider what
- time it was when we finished asking for the directory, not what
- time it is now.
- - Make our socks5 handling more robust to broken socks clients:
- throw out everything waiting on the buffer in between socks
- handshake phases, since they can't possibly (so the theory
- goes) have predicted what we plan to respond to them.
- - Expire socks connections if they spend too long waiting for the
- handshake to finish. Previously we would let them sit around for
- days, if the connecting application didn't close them either.
- - And if the socks handshake hasn't started, don't send a
- "DNS resolve socks failed" handshake reply; just close it.
- - If the user asks to use invalid exit nodes, be willing to use
- unstable ones.
- - Track unreachable entry guards correctly: don't conflate
- 'unreachable by us right now' with 'listed as down by the directory
- authorities'. With the old code, if a guard was unreachable by us
- but listed as running, it would clog our guard list forever.
- - Behave correctly in case we ever have a network with more than
- 2GB/s total advertised capacity.
- - Claim a commonname of Tor, rather than TOR, in TLS handshakes.
- - Fix a memory leak when we ask for "all" networkstatuses and we
- get one we don't recognize.
- Changes in version 0.1.1.26 - 2006-12-14
- o Security bugfixes:
- - Stop sending the HttpProxyAuthenticator string to directory
- servers when directory connections are tunnelled through Tor.
- - Clients no longer store bandwidth history in the state file.
- - Do not log introduction points for hidden services if SafeLogging
- is set.
- o Minor bugfixes:
- - Fix an assert failure when a directory authority sets
- AuthDirRejectUnlisted and then receives a descriptor from an
- unlisted router (reported by seeess).
- Changes in version 0.1.1.25 - 2006-11-04
- o Major bugfixes:
- - When a client asks us to resolve (rather than connect to)
- an address, and we have a cached answer, give them the cached
- answer. Previously, we would give them no answer at all.
- - We were building exactly the wrong circuits when we predict
- hidden service requirements, meaning Tor would have to build all
- its circuits on demand.
- - If none of our live entry guards have a high uptime, but we
- require a guard with a high uptime, try adding a new guard before
- we give up on the requirement. This patch should make long-lived
- connections more stable on average.
- - When testing reachability of our DirPort, don't launch new
- tests when there's already one in progress -- unreachable
- servers were stacking up dozens of testing streams.
- o Security bugfixes:
- - When the user sends a NEWNYM signal, clear the client-side DNS
- cache too. Otherwise we continue to act on previous information.
- o Minor bugfixes:
- - Avoid a memory corruption bug when creating a hash table for
- the first time.
- - Avoid possibility of controller-triggered crash when misusing
- certain commands from a v0 controller on platforms that do not
- handle printf("%s",NULL) gracefully.
- - Avoid infinite loop on unexpected controller input.
- - Don't log spurious warnings when we see a circuit close reason we
- don't recognize; it's probably just from a newer version of Tor.
- - Add Vidalia to the OS X uninstaller script, so when we uninstall
- Tor/Privoxy we also uninstall Vidalia.
- Changes in version 0.1.1.24 - 2006-09-29
- o Major bugfixes:
- - Allow really slow clients to not hang up five minutes into their
- directory downloads (suggested by Adam J. Richter).
- - Fix major performance regression from 0.1.0.x: instead of checking
- whether we have enough directory information every time we want to
- do something, only check when the directory information has changed.
- This should improve client CPU usage by 25-50%.
- - Don't crash if, after a server has been running for a while,
- it can't resolve its hostname.
- - When a client asks us to resolve (not connect to) an address,
- and we have a cached answer, give them the cached answer.
- Previously, we would give them no answer at all.
- o Minor bugfixes:
- - Allow Tor to start when RunAsDaemon is set but no logs are set.
- - Don't crash when the controller receives a third argument to an
- "extendcircuit" request.
- - Controller protocol fixes: fix encoding in "getinfo addr-mappings"
- response; fix error code when "getinfo dir/status/" fails.
- - Fix configure.in to not produce broken configure files with
- more recent versions of autoconf. Thanks to Clint for his auto*
- voodoo.
- - Fix security bug on NetBSD that could allow someone to force
- uninitialized RAM to be sent to a server's DNS resolver. This
- only affects NetBSD and other platforms that do not bounds-check
- tolower().
- - Warn user when using libevent 1.1a or earlier with win32 or kqueue
- methods: these are known to be buggy.
- - If we're a directory mirror and we ask for "all" network status
- documents, we would discard status documents from authorities
- we don't recognize.
- Changes in version 0.1.1.23 - 2006-07-30
- o Major bugfixes:
- - Fast Tor servers, especially exit nodes, were triggering asserts
- due to a bug in handling the list of pending DNS resolves. Some
- bugs still remain here; we're hunting them.
- - Entry guards could crash clients by sending unexpected input.
- - More fixes on reachability testing: if you find yourself reachable,
- then don't ever make any client requests (so you stop predicting
- circuits), then hup or have your clock jump, then later your IP
- changes, you won't think circuits are working, so you won't try to
- test reachability, so you won't publish.
- o Minor bugfixes:
- - Avoid a crash if the controller does a resetconf firewallports
- and then a setconf fascistfirewall=1.
- - Avoid an integer underflow when the dir authority decides whether
- a router is stable: we might wrongly label it stable, and compute
- a slightly wrong median stability, when a descriptor is published
- later than now.
- - Fix a place where we might trigger an assert if we can't build our
- own server descriptor yet.
- Changes in version 0.1.1.22 - 2006-07-05
- o Major bugfixes:
- - Fix a big bug that was causing servers to not find themselves
- reachable if they changed IP addresses. Since only 0.1.1.22+
- servers can do reachability testing correctly, now we automatically
- make sure to test via one of these.
- - Fix to allow clients and mirrors to learn directory info from
- descriptor downloads that get cut off partway through.
- - Directory authorities had a bug in deciding if a newly published
- descriptor was novel enough to make everybody want a copy -- a few
- servers seem to be publishing new descriptors many times a minute.
- o Minor bugfixes:
- - Fix a rare bug that was causing some servers to complain about
- "closing wedged cpuworkers" and skip some circuit create requests.
- - Make the Exit flag in directory status documents actually work.
- Changes in version 0.1.1.21 - 2006-06-10
- o Crash and assert fixes from 0.1.1.20:
- - Fix a rare crash on Tor servers that have enabled hibernation.
- - Fix a seg fault on startup for Tor networks that use only one
- directory authority.
- - Fix an assert from a race condition that occurs on Tor servers
- while exiting, where various threads are trying to log that they're
- exiting, and delete the logs, at the same time.
- - Make our unit tests pass again on certain obscure platforms.
- o Other fixes:
- - Add support for building SUSE RPM packages.
- - Speed up initial bootstrapping for clients: if we are making our
- first ever connection to any entry guard, then don't mark it down
- right after that.
- - When only one Tor server in the network is labelled as a guard,
- and we've already picked him, we would cycle endlessly picking him
- again, being unhappy about it, etc. Now we specifically exclude
- current guards when picking a new guard.
- - Servers send create cells more reliably after the TLS connection
- is established: we were sometimes forgetting to send half of them
- when we had more than one pending.
- - If we get a create cell that asks us to extend somewhere, but the
- Tor server there doesn't match the expected digest, we now send
- a destroy cell back, rather than silently doing nothing.
- - Make options->RedirectExit work again.
- - Make cookie authentication for the controller work again.
- - Stop being picky about unusual characters in the arguments to
- mapaddress. It's none of our business.
- - Add a new config option "TestVia" that lets you specify preferred
- middle hops to use for test circuits. Perhaps this will let me
- debug the reachability problems better.
- o Log / documentation fixes:
- - If we're a server and some peer has a broken TLS certificate, don't
- log about it unless ProtocolWarnings is set, i.e., we want to hear
- about protocol violations by others.
- - Fix spelling of VirtualAddrNetwork in man page.
- - Add a better explanation at the top of the autogenerated torrc file
- about what happened to our old torrc.
- Changes in version 0.1.1.20 - 2006-05-23
- o Crash and assert fixes from 0.1.0.17:
- - Fix assert bug in close_logs() on exit: when we close and delete
- logs, remove them all from the global "logfiles" list.
- - Fix an assert error when we're out of space in the connection_list
- and we try to post a hidden service descriptor (reported by Peter
- Palfrader).
- - Fix a rare assert error when we've tried all intro points for
- a hidden service and we try fetching the service descriptor again:
- "Assertion conn->state != AP_CONN_STATE_RENDDESC_WAIT failed".
- - Setconf SocksListenAddress kills Tor if it fails to bind. Now back
- out and refuse the setconf if it would fail.
- - If you specify a relative torrc path and you set RunAsDaemon in
- your torrc, then it chdir()'s to the new directory. If you then
- HUP, it tries to load the new torrc location, fails, and exits.
- The fix: no longer allow a relative path to torrc when using -f.
- - Check for integer overflows in more places, when adding elements
- to smartlists. This could possibly prevent a buffer overflow
- on malicious huge inputs.
- o Security fixes, major:
- - When we're printing strings from the network, don't try to print
- non-printable characters. Now we're safer against shell escape
- sequence exploits, and also against attacks to fool users into
- misreading their logs.
- - Implement entry guards: automatically choose a handful of entry
- nodes and stick with them for all circuits. Only pick new guards
- when the ones you have are unsuitable, and if the old guards
- become suitable again, switch back. This will increase security
- dramatically against certain end-point attacks. The EntryNodes
- config option now provides some hints about which entry guards you
- want to use most; and StrictEntryNodes means to only use those.
- Fixes CVE-2006-0414.
- - Implement exit enclaves: if we know an IP address for the
- destination, and there's a running Tor server at that address
- which allows exit to the destination, then extend the circuit to
- that exit first. This provides end-to-end encryption and end-to-end
- authentication. Also, if the user wants a .exit address or enclave,
- use 4 hops rather than 3, and cannibalize a general circ for it
- if you can.
- - Obey our firewall options more faithfully:
- . If we can't get to a dirserver directly, try going via Tor.
- . Don't ever try to connect (as a client) to a place our
- firewall options forbid.
- . If we specify a proxy and also firewall options, obey the
- firewall options even when we're using the proxy: some proxies
- can only proxy to certain destinations.
- - Make clients regenerate their keys when their IP address changes.
- - For the OS X package's modified privoxy config file, comment
- out the "logfile" line so we don't log everything passed
- through privoxy.
- - Our TLS handshakes were generating a single public/private
- keypair for the TLS context, rather than making a new one for
- each new connection. Oops. (But we were still rotating them
- periodically, so it's not so bad.)
- - When we were cannibalizing a circuit with a particular exit
- node in mind, we weren't checking to see if that exit node was
- already present earlier in the circuit. Now we are.
- - Require server descriptors to list IPv4 addresses -- hostnames
- are no longer allowed. This also fixes potential vulnerabilities
- to servers providing hostnames as their address and then
- preferentially resolving them so they can partition users.
- - Our logic to decide if the OR we connected to was the right guy
- was brittle and maybe open to a mitm for invalid routers.
- o Security fixes, minor:
- - Adjust tor-spec.txt to parameterize cell and key lengths. Now
- Ian Goldberg can prove things about our handshake protocol more
- easily.
- - Make directory authorities generate a separate "guard" flag to
- mean "would make a good entry guard". Clients now honor the
- is_guard flag rather than looking at is_fast or is_stable.
- - Try to list MyFamily elements by key, not by nickname, and warn
- if we've not heard of a server.
- - Start using RAND_bytes rather than RAND_pseudo_bytes from
- OpenSSL. Also, reseed our entropy every hour, not just at
- startup. And add entropy in 512-bit chunks, not 160-bit chunks.
- - Refuse server descriptors where the fingerprint line doesn't match
- the included identity key. Tor doesn't care, but other apps (and
- humans) might actually be trusting the fingerprint line.
- - We used to kill the circuit when we receive a relay command we
- don't recognize. Now we just drop that cell.
- - Fix a bug found by Lasse Overlier: when we were making internal
- circuits (intended to be cannibalized later for rendezvous and
- introduction circuits), we were picking them so that they had
- useful exit nodes. There was no need for this, and it actually
- aids some statistical attacks.
- - Start treating internal circuits and exit circuits separately.
- It's important to keep them separate because internal circuits
- have their last hops picked like middle hops, rather than like
- exit hops. So exiting on them will break the user's expectations.
- - Fix a possible way to DoS dirservers.
- - When the client asked for a rendezvous port that the hidden
- service didn't want to provide, we were sending an IP address
- back along with the end cell. Fortunately, it was zero. But stop
- that anyway.
- o Packaging improvements:
- - Implement --with-libevent-dir option to ./configure. Improve
- search techniques to find libevent, and use those for openssl too.
- - Fix a couple of bugs in OpenSSL detection. Deal better when
- there are multiple SSLs installed with different versions.
- - Avoid warnings about machine/limits.h on Debian GNU/kFreeBSD.
- - On non-gcc compilers (e.g. Solaris's cc), use "-g -O" instead of
- "-Wall -g -O2".
- - Make unit tests (and other invocations that aren't the real Tor)
- run without launching listeners, creating subdirectories, and so on.
- - The OS X installer was adding a symlink for tor_resolve but
- the binary was called tor-resolve (reported by Thomas Hardly).
- - Now we can target arch and OS in rpm builds (contributed by
- Phobos). Also make the resulting dist-rpm filename match the
- target arch.
- - Apply Matt Ghali's --with-syslog-facility patch to ./configure
- if you log to syslog and want something other than LOG_DAEMON.
- - Fix the torify (tsocks) config file to not use Tor for localhost
- connections.
- - Start shipping socks-extensions.txt, tor-doc-unix.html,
- tor-doc-server.html, and stylesheet.css in the tarball.
- - Stop shipping tor-doc.html, INSTALL, and README in the tarball.
- They are useless now.
- - Add Peter Palfrader's contributed check-tor script. It lets you
- easily check whether a given server (referenced by nickname)
- is reachable by you.
- - Add BSD-style contributed startup script "rc.subr" from Peter
- Thoenen.
- o Directory improvements -- new directory protocol:
- - See tor/doc/dir-spec.txt for all the juicy details. Key points:
- - Authorities and caches publish individual descriptors (by
- digest, by fingerprint, by "all", and by "tell me yours").
- - Clients don't download or use the old directory anymore. Now they
- download network-statuses from the directory authorities, and
- fetch individual server descriptors as needed from mirrors.
- - Clients don't download descriptors of non-running servers.
- - Download descriptors by digest, not by fingerprint. Caches try to
- download all listed digests from authorities; clients try to
- download "best" digests from caches. This avoids partitioning
- and isolating attacks better.
- - Only upload a new server descriptor when options change, 18
- hours have passed, uptime is reset, or bandwidth changes a lot.
- - Directory authorities silently throw away new descriptors that
- haven't changed much if the timestamps are similar. We do this to
- tolerate older Tor servers that upload a new descriptor every 15
- minutes. (It seemed like a good idea at the time.)
- - Clients choose directory servers from the network status lists,
- not from their internal list of router descriptors. Now they can
- go to caches directly rather than needing to go to authorities
- to bootstrap the first set of descriptors.
- - When picking a random directory, prefer non-authorities if any
- are known.
- - Add a new flag to network-status indicating whether the server
- can answer v2 directory requests too.
- - Directory mirrors now cache up to 16 unrecognized network-status
- docs, so new directory authorities will be cached too.
- - Stop parsing, storing, or using running-routers output (but
- mirrors still cache and serve it).
- - Clients consider a threshold of "versioning" directory authorities
- before deciding whether to warn the user that he's obsolete.
- - Authorities publish separate sorted lists of recommended versions
- for clients and for servers.
- - Change DirServers config line to note which dirs are v1 authorities.
- - Put nicknames on the DirServer line, so we can refer to them
- without requiring all our users to memorize their IP addresses.
- - Remove option when getting directory cache to see whether they
- support running-routers; they all do now. Replace it with one
- to see whether caches support v2 stuff.
- - Stop listing down or invalid nodes in the v1 directory. This
- reduces its bulk by about 1/3, and reduces load on mirrors.
- - Mirrors no longer cache the v1 directory as often.
- - If we as a directory mirror don't know of any v1 directory
- authorities, then don't try to cache any v1 directories.
- o Other directory improvements:
- - Add lefkada.eecs.harvard.edu and tor.dizum.com as fourth and
- fifth authoritative directory servers.
- - Directory authorities no longer require an open connection from
- a server to consider him "reachable". We need this change because
- when we add new directory authorities, old servers won't know not
- to hang up on them.
- - Dir authorities now do their own external reachability testing
- of each server, and only list as running the ones they found to
- be reachable. We also send back warnings to the server's logs if
- it uploads a descriptor that we already believe is unreachable.
- - Spread the directory authorities' reachability testing over the
- entire testing interval, so we don't try to do 500 TLS's at once
- every 20 minutes.
- - Make the "stable" router flag in network-status be the median of
- the uptimes of running valid servers, and make clients pay
- attention to the network-status flags. Thus the cutoff adapts
- to the stability of the network as a whole, making IRC, IM, etc
- connections more reliable.
- - Make the v2 dir's "Fast" flag based on relative capacity, just
- like "Stable" is based on median uptime. Name everything in the
- top 7/8 Fast, and only the top 1/2 gets to be a Guard.
- - Retry directory requests if we fail to get an answer we like
- from a given dirserver (we were retrying before, but only if
- we fail to connect).
- - Return a robots.txt on our dirport to discourage google indexing.
- o Controller protocol improvements:
- - Revised controller protocol (version 1) that uses ascii rather
- than binary: tor/doc/control-spec.txt. Add supporting libraries
- in python and java and c# so you can use the controller from your
- applications without caring how our protocol works.
- - Allow the DEBUG controller event to work again. Mark certain log
- entries as "don't tell this to controllers", so we avoid cycles.
- - New controller function "getinfo accounting", to ask how
- many bytes we've used in this time period.
- - Add a "resetconf" command so you can set config options like
- AllowUnverifiedNodes and LongLivedPorts to "". Also, if you give
- a config option in the torrc with no value, then it clears it
- entirely (rather than setting it to its default).
- - Add a "getinfo config-file" to tell us where torrc is. Also
- expose guard nodes, config options/names.
- - Add a "quit" command (when when using the controller manually).
- - Add a new signal "newnym" to "change pseudonyms" -- that is, to
- stop using any currently-dirty circuits for new streams, so we
- don't link new actions to old actions. This also occurs on HUP
- or "signal reload".
- - If we would close a stream early (e.g. it asks for a .exit that
- we know would refuse it) but the LeaveStreamsUnattached config
- option is set by the controller, then don't close it.
- - Add a new controller event type "authdir_newdescs" that allows
- controllers to get all server descriptors that were uploaded to
- a router in its role as directory authority.
- - New controller option "getinfo desc/all-recent" to fetch the
- latest server descriptor for every router that Tor knows about.
- - Fix the controller's "attachstream 0" command to treat conn like
- it just connected, doing address remapping, handling .exit and
- .onion idioms, and so on. Now we're more uniform in making sure
- that the controller hears about new and closing connections.
- - Permit transitioning from ORPort==0 to ORPort!=0, and back, from
- the controller. Also, rotate dns and cpu workers if the controller
- changes options that will affect them; and initialize the dns
- worker cache tree whether or not we start out as a server.
- - Add a new circuit purpose 'controller' to let the controller ask
- for a circuit that Tor won't try to use. Extend the "extendcircuit"
- controller command to let you specify the purpose if you're starting
- a new circuit. Add a new "setcircuitpurpose" controller command to
- let you change a circuit's purpose after it's been created.
- - Let the controller ask for "getinfo dir/server/foo" so it can ask
- directly rather than connecting to the dir port. "getinfo
- dir/status/foo" also works, but currently only if your DirPort
- is enabled.
- - Let the controller tell us about certain router descriptors
- that it doesn't want Tor to use in circuits. Implement
- "setrouterpurpose" and modify "+postdescriptor" to do this.
- - If the controller's *setconf commands fail, collect an error
- message in a string and hand it back to the controller -- don't
- just tell them to go read their logs.
- o Scalability, resource management, and performance:
- - Fix a major load balance bug: we were round-robin reading in 16 KB
- chunks, and servers with bandwidthrate of 20 KB, while downloading
- a 600 KB directory, would starve their other connections. Now we
- try to be a bit more fair.
- - Be more conservative about whether to advertise our DirPort.
- The main change is to not advertise if we're running at capacity
- and either a) we could hibernate ever or b) our capacity is low
- and we're using a default DirPort.
- - We weren't cannibalizing circuits correctly for
- CIRCUIT_PURPOSE_C_ESTABLISH_REND and
- CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, so we were being forced to
- build those from scratch. This should make hidden services faster.
- - Predict required circuits better, with an eye toward making hidden
- services faster on the service end.
- - Compress exit policies even more: look for duplicate lines and
- remove them.
- - Generate 18.0.0.0/8 address policy format in descs when we can;
- warn when the mask is not reducible to a bit-prefix.
- - There used to be two ways to specify your listening ports in a
- server descriptor: on the "router" line and with a separate "ports"
- line. Remove support for the "ports" line.
- - Reduce memory requirements in our structs by changing the order
- of fields. Replace balanced trees with hash tables. Inline
- bottleneck smartlist functions. Add a "Map from digest to void*"
- abstraction so we can do less hex encoding/decoding, and use it
- in router_get_by_digest(). Many other CPU and memory improvements.
- - Allow tor_gzip_uncompress to extract as much as possible from
- truncated compressed data. Try to extract as many
- descriptors as possible from truncated http responses (when
- purpose is DIR_PURPOSE_FETCH_ROUTERDESC).
- - Make circ->onionskin a pointer, not a static array. moria2 was using
- 125000 circuit_t's after it had been up for a few weeks, which
- translates to 20+ megs of wasted space.
- - The private half of our EDH handshake keys are now chosen out
- of 320 bits, not 1024 bits. (Suggested by Ian Goldberg.)
- - Stop doing the complex voodoo overkill checking for insecure
- Diffie-Hellman keys. Just check if it's in [2,p-2] and be happy.
- - Do round-robin writes for TLS of at most 16 kB per write. This
- might be more fair on loaded Tor servers.
- - Do not use unaligned memory access on alpha, mips, or mipsel.
- It *works*, but is very slow, so we treat them as if it doesn't.
- o Other bugfixes and improvements:
- - Start storing useful information to $DATADIR/state, so we can
- remember things across invocations of Tor. Retain unrecognized
- lines so we can be forward-compatible, and write a TorVersion line
- so we can be backward-compatible.
- - If ORPort is set, Address is not explicitly set, and our hostname
- resolves to a private IP address, try to use an interface address
- if it has a public address. Now Windows machines that think of
- themselves as localhost can guess their address.
- - Regenerate our local descriptor if it's dirty and we try to use
- it locally (e.g. if it changes during reachability detection).
- This was causing some Tor servers to keep publishing the same
- initial descriptor forever.
- - Tor servers with dynamic IP addresses were needing to wait 18
- hours before they could start doing reachability testing using
- the new IP address and ports. This is because they were using
- the internal descriptor to learn what to test, yet they were only
- rebuilding the descriptor once they decided they were reachable.
- - It turns out we couldn't bootstrap a network since we added
- reachability detection in 0.1.0.1-rc. Good thing the Tor network
- has never gone down. Add an AssumeReachable config option to let
- servers and authorities bootstrap. When we're trying to build a
- high-uptime or high-bandwidth circuit but there aren't enough
- suitable servers, try being less picky rather than simply failing.
- - Newly bootstrapped Tor networks couldn't establish hidden service
- circuits until they had nodes with high uptime. Be more tolerant.
- - Really busy servers were keeping enough circuits open on stable
- connections that they were wrapping around the circuit_id
- space. (It's only two bytes.) This exposed a bug where we would
- feel free to reuse a circuit_id even if it still exists but has
- been marked for close. Try to fix this bug. Some bug remains.
- - When we fail to bind or listen on an incoming or outgoing
- socket, we now close it before refusing, rather than just
- leaking it. (Thanks to Peter Palfrader for finding.)
- - Fix a file descriptor leak in start_daemon().
- - On Windows, you can't always reopen a port right after you've
- closed it. So change retry_listeners() to only close and re-open
- ports that have changed.
- - Workaround a problem with some http proxies that refuse GET
- requests that specify "Content-Length: 0". Reported by Adrian.
- - Recover better from TCP connections to Tor servers that are
- broken but don't tell you (it happens!); and rotate TLS
- connections once a week.
- - Fix a scary-looking but apparently harmless bug where circuits
- would sometimes start out in state CIRCUIT_STATE_OR_WAIT at
- servers, and never switch to state CIRCUIT_STATE_OPEN.
- - Check for even more Windows version flags when writing the platform
- string in server descriptors, and note any we don't recognize.
- - Add reasons to DESTROY and RELAY_TRUNCATED cells, so clients can
- get a better idea of why their circuits failed. Not used yet.
- - Add TTLs to RESOLVED, CONNECTED, and END_REASON_EXITPOLICY cells.
- We don't use them yet, but maybe one day our DNS resolver will be
- able to discover them.
- - Let people type "tor --install" as well as "tor -install" when they
- want to make it an NT service.
- - Looks like we were never delivering deflated (i.e. compressed)
- running-routers lists, even when asked. Oops.
- - We were leaking some memory every time the client changed IPs.
- - Clean up more of the OpenSSL memory when exiting, so we can detect
- memory leaks better.
- - Never call free() on tor_malloc()d memory. This will help us
- use dmalloc to detect memory leaks.
- - Some Tor servers process billions of cells per day. These
- statistics are now uint64_t's.
- - Check [X-]Forwarded-For headers in HTTP requests when generating
- log messages. This lets people run dirservers (and caches) behind
- Apache but still know which IP addresses are causing warnings.
- - Fix minor integer overflow in calculating when we expect to use up
- our bandwidth allocation before hibernating.
- - Lower the minimum required number of file descriptors to 1000,
- so we can have some overhead for Valgrind on Linux, where the
- default ulimit -n is 1024.
- - Stop writing the "router.desc" file, ever. Nothing uses it anymore,
- and its existence is confusing some users.
- o Config option fixes:
- - Add a new config option ExitPolicyRejectPrivate which defaults
- to on. Now all exit policies will begin with rejecting private
- addresses, unless the server operator explicitly turns it off.
- - Bump the default bandwidthrate to 3 MB, and burst to 6 MB.
- - Add new ReachableORAddresses and ReachableDirAddresses options
- that understand address policies. FascistFirewall is now a synonym
- for "ReachableORAddresses *:443", "ReachableDirAddresses *:80".
- - Start calling it FooListenAddress rather than FooBindAddress,
- since few of our users know what it means to bind an address
- or port.
- - If the user gave Tor an odd number of command-line arguments,
- we were silently ignoring the last one. Now we complain and fail.
- This wins the oldest-bug prize -- this bug has been present since
- November 2002, as released in Tor 0.0.0.
- - If you write "HiddenServicePort 6667 127.0.0.1 6668" in your
- torrc rather than "HiddenServicePort 6667 127.0.0.1:6668",
- it would silently ignore the 6668.
- - If we get a linelist or linelist_s config option from the torrc,
- e.g. ExitPolicy, and it has no value, warn and skip rather than
- silently resetting it to its default.
- - Setconf was appending items to linelists, not clearing them.
- - Add MyFamily to torrc.sample in the server section, so operators
- will be more likely to learn that it exists.
- - Make ContactInfo mandatory for authoritative directory servers.
- - MaxConn has been obsolete for a while now. Document the ConnLimit
- config option, which is a *minimum* number of file descriptors
- that must be available else Tor refuses to start.
- - Get rid of IgnoreVersion undocumented config option, and make us
- only warn, never exit, when we're running an obsolete version.
- - Make MonthlyAccountingStart config option truly obsolete now.
- - Correct the man page entry on TrackHostExitsExpire.
- - Let directory authorities start even if they don't specify an
- Address config option.
- - Change "AllowUnverifiedNodes" to "AllowInvalidNodes", to
- reflect the updated flags in our v2 dir protocol.
- o Config option features:
- - Add a new config option FastFirstHopPK (on by default) so clients
- do a trivial crypto handshake for their first hop, since TLS has
- already taken care of confidentiality and authentication.
- - Let the user set ControlListenAddress in the torrc. This can be
- dangerous, but there are some cases (like a secured LAN) where it
- makes sense.
- - New config options to help controllers: FetchServerDescriptors
- and FetchHidServDescriptors for whether to fetch server
- info and hidserv info or let the controller do it, and
- PublishServerDescriptor and PublishHidServDescriptors.
- - Also let the controller set the __AllDirActionsPrivate config
- option if you want all directory fetches/publishes to happen via
- Tor (it assumes your controller bootstraps your circuits).
- - Add "HardwareAccel" config option: support for crypto hardware
- accelerators via OpenSSL. Off by default, until we find somebody
- smart who can test it for us. (It appears to produce seg faults
- in at least some cases.)
- - New config option "AuthDirRejectUnlisted" for directory authorities
- as a panic button: if we get flooded with unusable servers we can
- revert to only listing servers in the approved-routers file.
- - Directory authorities can now reject/invalidate by key and IP,
- with the config options "AuthDirInvalid" and "AuthDirReject", or
- by marking a fingerprint as "!reject" or "!invalid" (as its
- nickname) in the approved-routers file. This is useful since
- currently we automatically list servers as running and usable
- even if we know they're jerks.
- - Add a new config option TestSocks so people can see whether their
- applications are using socks4, socks4a, socks5-with-ip, or
- socks5-with-fqdn. This way they don't have to keep mucking
- with tcpdump and wondering if something got cached somewhere.
- - Add "private:*" as an alias in configuration for policies. Now
- you can simplify your exit policy rather than needing to list
- every single internal or nonroutable network space.
- - Accept "private:*" in routerdesc exit policies; not generated yet
- because older Tors do not understand it.
- - Add configuration option "V1AuthoritativeDirectory 1" which
- moria1, moria2, and tor26 have set.
- - Implement an option, VirtualAddrMask, to set which addresses
- get handed out in response to mapaddress requests. This works
- around a bug in tsocks where 127.0.0.0/8 is never socksified.
- - Add a new config option FetchUselessDescriptors, off by default,
- for when you plan to run "exitlist" on your client and you want
- to know about even the non-running descriptors.
- - SocksTimeout: How long do we let a socks connection wait
- unattached before we fail it?
- - CircuitBuildTimeout: Cull non-open circuits that were born
- at least this many seconds ago.
- - CircuitIdleTimeout: Cull open clean circuits that were born
- at least this many seconds ago.
- - New config option SafeSocks to reject all application connections
- using unsafe socks protocols. Defaults to off.
- o Improved and clearer log messages:
- - Reduce clutter in server logs. We're going to try to make
- them actually usable now. New config option ProtocolWarnings that
- lets you hear about how _other Tors_ are breaking the protocol. Off
- by default.
- - Divide log messages into logging domains. Once we put some sort
- of interface on this, it will let people looking at more verbose
- log levels specify the topics they want to hear more about.
- - Log server fingerprint on startup, so new server operators don't
- have to go hunting around their filesystem for it.
- - Provide dire warnings to any users who set DirServer manually;
- move it out of torrc.sample and into torrc.complete.
- - Make the log message less scary when all the dirservers are
- temporarily unreachable.
- - When tor_socketpair() fails in Windows, give a reasonable
- Windows-style errno back.
- - Improve tor_gettimeofday() granularity on windows.
- - We were printing the number of idle dns workers incorrectly when
- culling them.
- - Handle duplicate lines in approved-routers files without warning.
- - We were whining about using socks4 or socks5-with-local-lookup
- even when it's an IP address in the "virtual" range we designed
- exactly for this case.
- - Check for named servers when looking them up by nickname;
- warn when we're calling a non-named server by its nickname;
- don't warn twice about the same name.
- - Downgrade the dirserver log messages when whining about
- unreachability.
- - Correct "your server is reachable" log entries to indicate that
- it was self-testing that told us so.
- - If we're trying to be a Tor server and running Windows 95/98/ME
- as a server, explain that we'll likely crash.
- - Provide a more useful warn message when our onion queue gets full:
- the CPU is too slow or the exit policy is too liberal.
- - Don't warn when we receive a 503 from a dirserver/cache -- this
- will pave the way for them being able to refuse if they're busy.
- - When we fail to bind a listener, try to provide a more useful
- log message: e.g., "Is Tor already running?"
- - Only start testing reachability once we've established a
- circuit. This will make startup on dir authorities less noisy.
- - Don't try to upload hidden service descriptors until we have
- established a circuit.
- - Tor didn't warn when it failed to open a log file.
- - Warn when listening on a public address for socks. We suspect a
- lot of people are setting themselves up as open socks proxies,
- and they have no idea that jerks on the Internet are using them,
- since they simply proxy the traffic into the Tor network.
- - Give a useful message when people run Tor as the wrong user,
- rather than telling them to start chowning random directories.
- - Fix a harmless bug that was causing Tor servers to log
- "Got an end because of misc error, but we're not an AP. Closing."
- - Fix wrong log message when you add a "HiddenServiceNodes" config
- line without any HiddenServiceDir line (reported by Chris Thomas).
- - Directory authorities now stop whining so loudly about bad
- descriptors that they fetch from other dirservers. So when there's
- a log complaint, it's for sure from a freshly uploaded descriptor.
- - When logging via syslog, include the pid whenever we provide
- a log entry. Suggested by Todd Fries.
- - When we're shutting down and we do something like try to post a
- server descriptor or rendezvous descriptor, don't complain that
- we seem to be unreachable. Of course we are, we're shutting down.
- - Change log line for unreachability to explicitly suggest /etc/hosts
- as the culprit. Also make it clearer what IP address and ports we're
- testing for reachability.
- - Put quotes around user-supplied strings when logging so users are
- more likely to realize if they add bad characters (like quotes)
- to the torrc.
- - NT service patch from Matt Edman to improve error messages on Win32.
- Changes in version 0.1.0.17 - 2006-02-17
- o Crash bugfixes on 0.1.0.x:
- - When servers with a non-zero DirPort came out of hibernation,
- sometimes they would trigger an assert.
- o Other important bugfixes:
- - On platforms that don't have getrlimit (like Windows), we were
- artificially constraining ourselves to a max of 1024
- connections. Now just assume that we can handle as many as 15000
- connections. Hopefully this won't cause other problems.
- o Backported features:
- - When we're a server, a client asks for an old-style directory,
- and our write bucket is empty, don't give it to him. This way
- small servers can continue to serve the directory *sometimes*,
- without getting overloaded.
- - Whenever you get a 503 in response to a directory fetch, try
- once more. This will become important once servers start sending
- 503's whenever they feel busy.
- - Fetch a new directory every 120 minutes, not every 40 minutes.
- Now that we have hundreds of thousands of users running the old
- directory algorithm, it's starting to hurt a lot.
- - Bump up the period for forcing a hidden service descriptor upload
- from 20 minutes to 1 hour.
- Changes in version 0.1.0.16 - 2006-01-02
- o Crash bugfixes on 0.1.0.x:
- - On Windows, build with a libevent patch from "I-M Weasel" to avoid
- corrupting the heap, losing FDs, or crashing when we need to resize
- the fd_sets. (This affects the Win32 binaries, not Tor's sources.)
- - It turns out sparc64 platforms crash on unaligned memory access
- too -- so detect and avoid this.
- - Handle truncated compressed data correctly (by detecting it and
- giving an error).
- - Fix possible-but-unlikely free(NULL) in control.c.
- - When we were closing connections, there was a rare case that
- stomped on memory, triggering seg faults and asserts.
- - Avoid potential infinite recursion when building a descriptor. (We
- don't know that it ever happened, but better to fix it anyway.)
- - We were neglecting to unlink marked circuits from soon-to-close OR
- connections, which caused some rare scribbling on freed memory.
- - Fix a memory stomping race bug when closing the joining point of two
- rendezvous circuits.
- - Fix an assert in time parsing found by Steven Murdoch.
- o Other bugfixes on 0.1.0.x:
- - When we're doing reachability testing, provide more useful log
- messages so the operator knows what to expect.
- - Do not check whether DirPort is reachable when we are suppressing
- advertising it because of hibernation.
- - When building with -static or on Solaris, we sometimes needed -ldl.
- - One of the dirservers (tor26) changed its IP address.
- - When we're deciding whether a stream has enough circuits around
- that can handle it, count the freshly dirty ones and not the ones
- that are so dirty they won't be able to handle it.
- - When we're expiring old circuits, we had a logic error that caused
- us to close new rendezvous circuits rather than old ones.
- - Give a more helpful log message when you try to change ORPort via
- the controller: you should upgrade Tor if you want that to work.
- - We were failing to parse Tor versions that start with "Tor ".
- - Tolerate faulty streams better: when a stream fails for reason
- exitpolicy, stop assuming that the router is lying about his exit
- policy. When a stream fails for reason misc, allow it to retry just
- as if it was resolvefailed. When a stream has failed three times,
- reset its failure count so we can try again and get all three tries.
- Changes in version 0.1.0.15 - 2005-09-23
- o Bugfixes on 0.1.0.x:
- - Reject ports 465 and 587 (spam targets) in default exit policy.
- - Don't crash when we don't have any spare file descriptors and we
- try to spawn a dns or cpu worker.
- - Get rid of IgnoreVersion undocumented config option, and make us
- only warn, never exit, when we're running an obsolete version.
- - Don't try to print a null string when your server finds itself to
- be unreachable and the Address config option is empty.
- - Make the numbers in read-history and write-history into uint64s,
- so they don't overflow and publish negatives in the descriptor.
- - Fix a minor memory leak in smartlist_string_remove().
- - We were only allowing ourselves to upload a server descriptor at
- most every 20 minutes, even if it changed earlier than that.
- - Clean up log entries that pointed to old URLs.
- Changes in version 0.1.0.14 - 2005-08-08
- o Bugfixes on 0.1.0.x:
- - Fix the other half of the bug with crypto handshakes
- (CVE-2005-2643).
- - Fix an assert trigger if you send a 'signal term' via the
- controller when it's listening for 'event info' messages.
- Changes in version 0.1.0.13 - 2005-08-04
- o Bugfixes on 0.1.0.x:
- - Fix a critical bug in the security of our crypto handshakes.
- - Fix a size_t underflow in smartlist_join_strings2() that made
- it do bad things when you hand it an empty smartlist.
- - Fix Windows installer to ship Tor license (thanks to Aphex for
- pointing out this oversight) and put a link to the doc directory
- in the start menu.
- - Explicitly set no-unaligned-access for sparc: it turns out the
- new gcc's let you compile broken code, but that doesn't make it
- not-broken.
- Changes in version 0.1.0.12 - 2005-07-18
- o New directory servers:
- - tor26 has changed IP address.
- o Bugfixes on 0.1.0.x:
- - Fix a possible double-free in tor_gzip_uncompress().
- - When --disable-threads is set, do not search for or link against
- pthreads libraries.
- - Don't trigger an assert if an authoritative directory server
- claims its dirport is 0.
- - Fix bug with removing Tor as an NT service: some people were
- getting "The service did not return an error." Thanks to Matt
- Edman for the fix.
- Changes in version 0.1.0.11 - 2005-06-30
- o Bugfixes on 0.1.0.x:
- - Fix major security bug: servers were disregarding their
- exit policies if clients behaved unexpectedly.
- - Make OS X init script check for missing argument, so we don't
- confuse users who invoke it incorrectly.
- - Fix a seg fault in "tor --hash-password foo".
- - The MAPADDRESS control command was broken.
- Changes in version 0.1.0.10 - 2005-06-14
- o Fixes on Win32:
- - Make NT services work and start on startup on Win32 (based on
- patch by Matt Edman). See the FAQ entry for details.
- - Make 'platform' string in descriptor more accurate for Win32
- servers, so it's not just "unknown platform".
- - REUSEADDR on normal platforms means you can rebind to the port
- right after somebody else has let it go. But REUSEADDR on Win32
- means you can bind to the port _even when somebody else already
- has it bound_! So, don't do that on Win32.
- - Clean up the log messages when starting on Win32 with no config
- file.
- - Allow seeding the RNG on Win32 even when you're not running as
- Administrator. If seeding the RNG on Win32 fails, quit.
- o Assert / crash bugs:
- - Refuse relay cells that claim to have a length larger than the
- maximum allowed. This prevents a potential attack that could read
- arbitrary memory (e.g. keys) from an exit server's process
- (CVE-2005-2050).
- - If unofficial Tor clients connect and send weird TLS certs, our
- Tor server triggers an assert. Stop asserting, and start handling
- TLS errors better in other situations too.
- - Fix a race condition that can trigger an assert when we have a
- pending create cell and an OR connection attempt fails.
- o Resource leaks:
- - Use pthreads for worker processes rather than forking. This was
- forced because when we forked, we ended up wasting a lot of
- duplicate ram over time.
- - Also switch to foo_r versions of some library calls to allow
- reentry and threadsafeness.
- - Implement --disable-threads configure option. Disable threads on
- netbsd and openbsd by default, because they have no reentrant
- resolver functions (!), and on solaris since it has other
- threading issues.
- - Fix possible bug on threading platforms (e.g. win32) which was
- leaking a file descriptor whenever a cpuworker or dnsworker died.
- - Fix a minor memory leak when somebody establishes an introduction
- point at your Tor server.
- - Fix possible memory leak in tor_lookup_hostname(). (Thanks to
- Adam Langley.)
- - Add ./configure --with-dmalloc option, to track memory leaks.
- - And try to free all memory on closing, so we can detect what
- we're leaking.
- o Protocol correctness:
- - When we've connected to an OR and handshaked but didn't like
- the result, we were closing the conn without sending destroy
- cells back for pending circuits. Now send those destroys.
- - Start sending 'truncated' cells back rather than destroy cells
- if the circuit closes in front of you. This means we won't have
- to abandon partially built circuits.
- - Handle changed router status correctly when dirserver reloads
- fingerprint file. We used to be dropping all unverified descriptors
- right then. The bug was hidden because we would immediately
- fetch a directory from another dirserver, which would include the
- descriptors we just dropped.
- - Revise tor-spec to add more/better stream end reasons.
- - Revise all calls to connection_edge_end to avoid sending 'misc',
- and to take errno into account where possible.
- - Client now retries when streams end early for 'hibernating' or
- 'resource limit' reasons, rather than failing them.
- - Try to be more zealous about calling connection_edge_end when
- things go bad with edge conns in connection.c.
- o Robustness improvements:
- - Better handling for heterogeneous / unreliable nodes:
- - Annotate circuits with whether they aim to contain high uptime
- nodes and/or high capacity nodes. When building circuits, choose
- appropriate nodes.
- - This means that every single node in an intro rend circuit,
- not just the last one, will have a minimum uptime.
- - New config option LongLivedPorts to indicate application streams
- that will want high uptime circuits.
- - Servers reset uptime when a dir fetch entirely fails. This
- hopefully reflects stability of the server's network connectivity.
- - If somebody starts his tor server in Jan 2004 and then fixes his
- clock, don't make his published uptime be a year.
- - Reset published uptime when we wake up from hibernation.
- - Introduce a notion of 'internal' circs, which are chosen without
- regard to the exit policy of the last hop. Intro and rendezvous
- circs must be internal circs, to avoid leaking information. Resolve
- and connect streams can use internal circs if they want.
- - New circuit pooling algorithm: keep track of what destination ports
- we've used recently (start out assuming we'll want to use 80), and
- make sure to have enough circs around to satisfy these ports. Also
- make sure to have 2 internal circs around if we've required internal
- circs lately (and with high uptime if we've seen that lately too).
- - Turn addr_policy_compare from a tristate to a quadstate; this should
- help address our "Ah, you allow 1.2.3.4:80. You are a good choice
- for google.com" problem.
- - When a client asks us for a dir mirror and we don't have one,
- launch an attempt to get a fresh one.
- - First cut at support for "create-fast" cells. Clients can use
- these when extending to their first hop, since the TLS already
- provides forward secrecy and authentication. Not enabled on
- clients yet.
- o Reachability testing.
- - Your Tor server will automatically try to see if its ORPort and
- DirPort are reachable from the outside, and it won't upload its
- descriptor until it decides at least ORPort is reachable (when
- DirPort is not yet found reachable, publish it as zero).
- - When building testing circs for ORPort testing, use only
- high-bandwidth nodes, so fewer circuits fail.
- - Notice when our IP changes, and reset stats/uptime/reachability.
- - Authdirservers don't do ORPort reachability detection, since
- they're in clique mode, so it will be rare to find a server not
- already connected to them.
- - Authdirservers now automatically approve nodes running 0.1.0.2-rc
- or later.
- o Dirserver fixes:
- - Now we allow two unverified servers with the same nickname
- but different keys. But if a nickname is verified, only that
- nickname+key are allowed.
- - If you're an authdirserver connecting to an address:port,
- and it's not the OR you were expecting, forget about that
- descriptor. If he *was* the one you were expecting, then forget
- about all other descriptors for that address:port.
- - Allow servers to publish descriptors from 12 hours in the future.
- Corollary: only whine about clock skew from the dirserver if
- he's a trusted dirserver (since now even verified servers could
- have quite wrong clocks).
- - Require servers that use the default dirservers to have public IP
- addresses. We have too many servers that are configured with private
- IPs and their admins never notice the log entries complaining that
- their descriptors are being rejected.
- o Efficiency improvements:
- - Use libevent. Now we can use faster async cores (like epoll, kpoll,
- and /dev/poll), and hopefully work better on Windows too.
- - Apple's OS X 10.4.0 ships with a broken kqueue API, and using
- kqueue on 10.3.9 causes kernel panics. Don't use kqueue on OS X.
- - Find libevent even if it's hiding in /usr/local/ and your
- CFLAGS and LDFLAGS don't tell you to look there.
- - Be able to link with libevent as a shared library (the default
- after 1.0d), even if it's hiding in /usr/local/lib and even
- if you haven't added /usr/local/lib to your /etc/ld.so.conf,
- assuming you're running gcc. Otherwise fail and give a useful
- error message.
- - Switch to a new buffer management algorithm, which tries to avoid
- reallocing and copying quite as much. In first tests it looks like
- it uses *more* memory on average, but less cpu.
- - Switch our internal buffers implementation to use a ring buffer,
- to hopefully improve performance for fast servers a lot.
- - Reenable the part of the code that tries to flush as soon as an
- OR outbuf has a full TLS record available. Perhaps this will make
- OR outbufs not grow as huge except in rare cases, thus saving lots
- of CPU time plus memory.
- - Improve performance for dirservers: stop re-parsing the whole
- directory every time you regenerate it.
- - Keep a big splay tree of (circid,orconn)->circuit mappings to make
- it much faster to look up a circuit for each relay cell.
- - Remove most calls to assert_all_pending_dns_resolves_ok(),
- since they're eating our cpu on exit nodes.
- - Stop wasting time doing a case insensitive comparison for every
- dns name every time we do any lookup. Canonicalize the names to
- lowercase when you first see them.
- o Hidden services:
- - Handle unavailable hidden services better. Handle slow or busy
- hidden services better.
- - Cannibalize GENERAL circs to be C_REND, C_INTRO, S_INTRO, and S_REND
- circ as necessary, if there are any completed ones lying around
- when we try to launch one.
- - Make hidden services try to establish a rendezvous for 30 seconds
- after fetching the descriptor, rather than for n (where n=3)
- attempts to build a circuit.
- - Adjust maximum skew and age for rendezvous descriptors: let skew
- be 48 hours rather than 90 minutes.
- - Reject malformed .onion addresses rather then passing them on as
- normal web requests.
- o Controller:
- - More Tor controller support. See
- http://tor.eff.org/doc/control-spec.txt for all the new features,
- including signals to emulate unix signals from any platform;
- redirectstream; extendcircuit; mapaddress; getinfo; postdescriptor;
- closestream; closecircuit; etc.
- - Encode hashed controller passwords in hex instead of base64,
- to make it easier to write controllers.
- - Revise control spec and implementation to allow all log messages to
- be sent to controller with their severities intact (suggested by
- Matt Edman). Disable debug-level logs while delivering a debug-level
- log to the controller, to prevent loop. Update TorControl to handle
- new log event types.
- o New config options/defaults:
- - Begin scrubbing sensitive strings from logs by default. Turn off
- the config option SafeLogging if you need to do debugging.
- - New exit policy: accept most low-numbered ports, rather than
- rejecting most low-numbered ports.
- - Put a note in the torrc about abuse potential with the default
- exit policy.
- - Add support for CONNECTing through https proxies, with "HttpsProxy"
- config option.
- - Add HttpProxyAuthenticator and HttpsProxyAuthenticator support
- based on patch from Adam Langley (basic auth only).
- - Bump the default BandwidthRate from 1 MB to 2 MB, to accommodate
- the fast servers that have been joining lately. (Clients are now
- willing to load balance over up to 2 MB of advertised bandwidth
- capacity too.)
- - New config option MaxAdvertisedBandwidth which lets you advertise
- a low bandwidthrate (to not attract as many circuits) while still
- allowing a higher bandwidthrate in reality.
- - Require BandwidthRate to be at least 20kB/s for servers.
- - Add a NoPublish config option, so you can be a server (e.g. for
- testing running Tor servers in other Tor networks) without
- publishing your descriptor to the primary dirservers.
- - Add a new AddressMap config directive to rewrite incoming socks
- addresses. This lets you, for example, declare an implicit
- required exit node for certain sites.
- - Add a new TrackHostExits config directive to trigger addressmaps
- for certain incoming socks addresses -- for sites that break when
- your exit keeps changing (based on patch from Mike Perry).
- - Split NewCircuitPeriod option into NewCircuitPeriod (30 secs),
- which describes how often we retry making new circuits if current
- ones are dirty, and MaxCircuitDirtiness (10 mins), which describes
- how long we're willing to make use of an already-dirty circuit.
- - Change compiled-in SHUTDOWN_WAIT_LENGTH from a fixed 30 secs to
- a config option "ShutdownWaitLength" (when using kill -INT on
- servers).
- - Fix an edge case in parsing config options: if they say "--"
- on the commandline, it's not a config option (thanks weasel).
- - New config option DirAllowPrivateAddresses for authdirservers.
- Now by default they refuse router descriptors that have non-IP or
- private-IP addresses.
- - Change DirFetchPeriod/StatusFetchPeriod to have a special "Be
- smart" default value: low for servers and high for clients.
- - Some people were putting "Address " in their torrc, and they had
- a buggy resolver that resolved " " to 0.0.0.0. Oops.
- - If DataDir is ~/.tor, and that expands to /.tor, then default to
- LOCALSTATEDIR/tor instead.
- - Implement --verify-config command-line option to check if your torrc
- is valid without actually launching Tor.
- o Logging improvements:
- - When dirservers refuse a server descriptor, we now log its
- contactinfo, platform, and the poster's IP address.
- - Only warn once per nickname from add_nickname_list_to_smartlist()
- per failure, so an entrynode or exitnode choice that's down won't
- yell so much.
- - When we're connecting to an OR and he's got a different nickname/key
- than we were expecting, only complain loudly if we're an OP or a
- dirserver. Complaining loudly to the OR admins just confuses them.
- - Whine at you if you're a server and you don't set your contactinfo.
- - Warn when exit policy implicitly allows local addresses.
- - Give a better warning when some other server advertises an
- ORPort that is actually an apache running ssl.
- - If we get an incredibly skewed timestamp from a dirserver mirror
- that isn't a verified OR, don't warn -- it's probably him that's
- wrong.
- - When a dirserver causes you to give a warn, mention which dirserver
- it was.
- - Initialize libevent later in the startup process, so the logs are
- already established by the time we start logging libevent warns.
- - Use correct errno on win32 if libevent fails.
- - Check and warn about known-bad/slow libevent versions.
- - Stop warning about sigpipes in the logs. We're going to
- pretend that getting these occassionally is normal and fine.
- o New contrib scripts:
- - New experimental script tor/contrib/exitlist: a simple python
- script to parse directories and find Tor nodes that exit to listed
- addresses/ports.
- - New experimental script tor/contrib/ExerciseServer.py (needs more
- work) that uses the controller interface to build circuits and
- fetch pages over them. This will help us bootstrap servers that
- have lots of capacity but haven't noticed it yet.
- - New experimental script tor/contrib/PathDemo.py (needs more work)
- that uses the controller interface to let you choose whole paths
- via addresses like
- "<hostname>.<path,separated by dots>.<length of path>.path"
- - New contributed script "privoxy-tor-toggle" to toggle whether
- Privoxy uses Tor. Seems to be configured for Debian by default.
- - Have torctl.in/tor.sh.in check for location of su binary (needed
- on FreeBSD)
- o Misc bugfixes:
- - chdir() to your datadirectory at the *end* of the daemonize process,
- not the beginning. This was a problem because the first time you
- run tor, if your datadir isn't there, and you have runasdaemon set
- to 1, it will try to chdir to it before it tries to create it. Oops.
- - Fix several double-mark-for-close bugs, e.g. where we were finding
- a conn for a cell even if that conn is already marked for close.
- - Stop most cases of hanging up on a socks connection without sending
- the socks reject.
- - Fix a bug in the RPM package: set home directory for _tor to
- something more reasonable when first installing.
- - Stop putting nodename in the Platform string in server descriptors.
- It doesn't actually help, and it is confusing/upsetting some people.
- - When using preferred entry or exit nodes, ignore whether the
- circuit wants uptime or capacity. They asked for the nodes, they
- get the nodes.
- - Tie MAX_DIR_SIZE to MAX_BUF_SIZE, so now directory sizes won't get
- artificially capped at 500kB.
- - Cache local dns resolves correctly even when they're .exit
- addresses.
- - If we're hibernating and we get a SIGINT, exit immediately.
- - tor-resolve requests were ignoring .exit if there was a working circuit
- they could use instead.
- - Pay more attention to the ClientOnly config option.
- - Resolve OS X installer bugs: stop claiming to be 0.0.9.2 in certain
- installer screens; and don't put stuff into StartupItems unless
- the user asks you to.
- o Misc features:
- - Rewrite address "serifos.exit" to "externalIP.serifos.exit"
- rather than just rejecting it.
- - If our clock jumps forward by 100 seconds or more, assume something
- has gone wrong with our network and abandon all not-yet-used circs.
- - When an application is using socks5, give him the whole variety of
- potential socks5 responses (connect refused, host unreachable, etc),
- rather than just "success" or "failure".
- - A more sane version numbering system. See
- http://tor.eff.org/cvs/tor/doc/version-spec.txt for details.
- - Change version parsing logic: a version is "obsolete" if it is not
- recommended and (1) there is a newer recommended version in the
- same series, or (2) there are no recommended versions in the same
- series, but there are some recommended versions in a newer series.
- A version is "new" if it is newer than any recommended version in
- the same series.
- - Report HTTP reasons to client when getting a response from directory
- servers -- so you can actually know what went wrong.
- - Reject odd-looking addresses at the client (e.g. addresses that
- contain a colon), rather than having the server drop them because
- they're malformed.
- - Stop publishing socksport in the directory, since it's not
- actually meant to be public. For compatibility, publish a 0 there
- for now.
- - Since we ship our own Privoxy on OS X, tweak it so it doesn't write
- cookies to disk and doesn't log each web request to disk. (Thanks
- to Brett Carrington for pointing this out.)
- - Add OSX uninstall instructions. An actual uninstall script will
- come later.
- - Add "opt hibernating 1" to server descriptor to make it clearer
- whether the server is hibernating.
- Changes in version 0.0.9.10 - 2005-06-16
- o Bugfixes on 0.0.9.x (backported from 0.1.0.10):
- - Refuse relay cells that claim to have a length larger than the
- maximum allowed. This prevents a potential attack that could read
- arbitrary memory (e.g. keys) from an exit server's process
- (CVE-2005-2050).
- Changes in version 0.0.9.9 - 2005-04-23
- o Bugfixes on 0.0.9.x:
- - If unofficial Tor clients connect and send weird TLS certs, our
- Tor server triggers an assert. This release contains a minimal
- backport from the broader fix that we put into 0.1.0.4-rc.
- Changes in version 0.0.9.8 - 2005-04-07
- o Bugfixes on 0.0.9.x:
- - We have a bug that I haven't found yet. Sometimes, very rarely,
- cpuworkers get stuck in the 'busy' state, even though the cpuworker
- thinks of itself as idle. This meant that no new circuits ever got
- established. Here's a workaround to kill any cpuworker that's been
- busy for more than 100 seconds.
- Changes in version 0.0.9.7 - 2005-04-01
- o Bugfixes on 0.0.9.x:
- - Fix another race crash bug (thanks to Glenn Fink for reporting).
- - Compare identity to identity, not to nickname, when extending to
- a router not already in the directory. This was preventing us from
- extending to unknown routers. Oops.
- - Make sure to create OS X Tor user in <500 range, so we aren't
- creating actual system users.
- - Note where connection-that-hasn't-sent-end was marked, and fix
- a few really loud instances of this harmless bug (it's fixed more
- in 0.1.0.x).
- Changes in version 0.0.9.6 - 2005-03-24
- o Bugfixes on 0.0.9.x (crashes and asserts):
- - Add new end stream reasons to maintainance branch. Fix bug where
- reason (8) could trigger an assert. Prevent bug from recurring.
- - Apparently win32 stat wants paths to not end with a slash.
- - Fix assert triggers in assert_cpath_layer_ok(), where we were
- blowing away the circuit that conn->cpath_layer points to, then
- checking to see if the circ is well-formed. Backport check to make
- sure we dont use the cpath on a closed connection.
- - Prevent circuit_resume_edge_reading_helper() from trying to package
- inbufs for marked-for-close streams.
- - Don't crash on hup if your options->address has become unresolvable.
- - Some systems (like OS X) sometimes accept() a connection and tell
- you the remote host is 0.0.0.0:0. If this happens, due to some
- other mis-features, we get confused; so refuse the conn for now.
- o Bugfixes on 0.0.9.x (other):
- - Fix harmless but scary "Unrecognized content encoding" warn message.
- - Add new stream error reason: TORPROTOCOL reason means "you are not
- speaking a version of Tor I understand; say bye-bye to your stream."
- - Be willing to cache directories from up to ROUTER_MAX_AGE seconds
- into the future, now that we are more tolerant of skew. This
- resolves a bug where a Tor server would refuse to cache a directory
- because all the directories it gets are too far in the future;
- yet the Tor server never logs any complaints about clock skew.
- - Mac packaging magic: make man pages useable, and do not overwrite
- existing torrc files.
- - Make OS X log happily to /var/log/tor/tor.log
- Changes in version 0.0.9.5 - 2005-02-22
- o Bugfixes on 0.0.9.x:
- - Fix an assert race at exit nodes when resolve requests fail.
- - Stop picking unverified dir mirrors--it only leads to misery.
- - Patch from Matt Edman to make NT services work better. Service
- support is still not compiled into the executable by default.
- - Patch from Dmitri Bely so the Tor service runs better under
- the win32 SYSTEM account.
- - Make tor-resolve actually work (?) on Win32.
- - Fix a sign bug when getrlimit claims to have 4+ billion
- file descriptors available.
- - Stop refusing to start when bandwidthburst == bandwidthrate.
- - When create cells have been on the onion queue more than five
- seconds, just send back a destroy and take them off the list.
- Changes in version 0.0.9.4 - 2005-02-03
- o Bugfixes on 0.0.9:
- - Fix an assert bug that took down most of our servers: when
- a server claims to have 1 GB of bandwidthburst, don't
- freak out.
- - Don't crash as badly if we have spawned the max allowed number
- of dnsworkers, or we're out of file descriptors.
- - Block more file-sharing ports in the default exit policy.
- - MaxConn is now automatically set to the hard limit of max
- file descriptors we're allowed (ulimit -n), minus a few for
- logs, etc.
- - Give a clearer message when servers need to raise their
- ulimit -n when they start running out of file descriptors.
- - SGI Compatibility patches from Jan Schaumann.
- - Tolerate a corrupt cached directory better.
- - When a dirserver hasn't approved your server, list which one.
- - Go into soft hibernation after 95% of the bandwidth is used,
- not 99%. This is especially important for daily hibernators who
- have a small accounting max. Hopefully it will result in fewer
- cut connections when the hard hibernation starts.
- - Load-balance better when using servers that claim more than
- 800kB/s of capacity.
- - Make NT services work (experimental, only used if compiled in).
- Changes in version 0.0.9.3 - 2005-01-21
- o Bugfixes on 0.0.9:
- - Backport the cpu use fixes from main branch, so busy servers won't
- need as much processor time.
- - Work better when we go offline and then come back, or when we
- run Tor at boot before the network is up. We do this by
- optimistically trying to fetch a new directory whenever an
- application request comes in and we think we're offline -- the
- human is hopefully a good measure of when the network is back.
- - Backport some minimal hidserv bugfixes: keep rend circuits open as
- long as you keep using them; actually publish hidserv descriptors
- shortly after they change, rather than waiting 20-40 minutes.
- - Enable Mac startup script by default.
- - Fix duplicate dns_cancel_pending_resolve reported by Giorgos Pallas.
- - When you update AllowUnverifiedNodes or FirewallPorts via the
- controller's setconf feature, we were always appending, never
- resetting.
- - When you update HiddenServiceDir via setconf, it was screwing up
- the order of reading the lines, making it fail.
- - Do not rewrite a cached directory back to the cache; otherwise we
- will think it is recent and not fetch a newer one on startup.
- - Workaround for webservers that lie about Content-Encoding: Tor
- now tries to autodetect compressed directories and compression
- itself. This lets us Proxypass dir fetches through apache.
- Changes in version 0.0.9.2 - 2005-01-04
- o Bugfixes on 0.0.9 (crashes and asserts):
- - Fix an assert on startup when the disk is full and you're logging
- to a file.
- - If you do socks4 with an IP of 0.0.0.x but *don't* provide a socks4a
- style address, then we'd crash.
- - Fix an assert trigger when the running-routers string we get from
- a dirserver is broken.
- - Make worker threads start and run on win32. Now win32 servers
- may work better.
- - Bandaid (not actually fix, but now it doesn't crash) an assert
- where the dns worker dies mysteriously and the main Tor process
- doesn't remember anything about the address it was resolving.
- o Bugfixes on 0.0.9 (Win32):
- - Workaround for brain-damaged __FILE__ handling on MSVC: keep Nick's
- name out of the warning/assert messages.
- - Fix a superficial "unhandled error on read" bug on win32.
- - The win32 installer no longer requires a click-through for our
- license, since our Free Software license grants rights but does not
- take any away.
- - Win32: When connecting to a dirserver fails, try another one
- immediately. (This was already working for non-win32 Tors.)
- - Stop trying to parse $HOME on win32 when hunting for default
- DataDirectory.
- - Make tor-resolve.c work on win32 by calling network_init().
- o Bugfixes on 0.0.9 (other):
- - Make 0.0.9.x build on Solaris again.
- - Due to a fencepost error, we were blowing away the \n when reporting
- confvalue items in the controller. So asking for multiple config
- values at once couldn't work.
- - When listing circuits that are pending on an opening OR connection,
- if we're an OR we were listing circuits that *end* at us as
- being pending on every listener, dns/cpu worker, etc. Stop that.
- - Dirservers were failing to create 'running-routers' or 'directory'
- strings if we had more than some threshold of routers. Fix them so
- they can handle any number of routers.
- - Fix a superficial "Duplicate mark for close" bug.
- - Stop checking for clock skew for OR connections, even for servers.
- - Fix a fencepost error that was chopping off the last letter of any
- nickname that is the maximum allowed nickname length.
- - Update URLs in log messages so they point to the new website.
- - Fix a potential problem in mangling server private keys while
- writing to disk (not triggered yet, as far as we know).
- - Include the licenses for other free software we include in Tor,
- now that we're shipping binary distributions more regularly.
- Changes in version 0.0.9.1 - 2004-12-15
- o Bugfixes on 0.0.9:
- - Make hibernation actually work.
- - Make HashedControlPassword config option work.
- - When we're reporting event circuit status to a controller,
- don't use the stream status code.
- Changes in version 0.0.9 - 2004-12-12
- o Bugfixes on 0.0.8.1 (Crashes and asserts):
- - Catch and ignore SIGXFSZ signals when log files exceed 2GB; our
- write() call will fail and we handle it there.
- - When we run out of disk space, or other log writing error, don't
- crash. Just stop logging to that log and continue.
- - Fix isspace() and friends so they still make Solaris happy
- but also so they don't trigger asserts on win32.
- - Fix assert failure on malformed socks4a requests.
- - Fix an assert bug where a hidden service provider would fail if
- the first hop of his rendezvous circuit was down.
- - Better handling of size_t vs int, so we're more robust on 64
- bit platforms.
- o Bugfixes on 0.0.8.1 (Win32):
- - Make windows sockets actually non-blocking (oops), and handle
- win32 socket errors better.
- - Fix parse_iso_time on platforms without strptime (eg win32).
- - win32: when being multithreaded, leave parent fdarray open.
- - Better handling of winsock includes on non-MSV win32 compilers.
- - Change our file IO stuff (especially wrt OpenSSL) so win32 is
- happier.
- - Make unit tests work on win32.
- o Bugfixes on 0.0.8.1 (Path selection and streams):
- - Calculate timeout for waiting for a connected cell from the time
- we sent the begin cell, not from the time the stream started. If
- it took a long time to establish the circuit, we would time out
- right after sending the begin cell.
- - Fix router_compare_addr_to_addr_policy: it was not treating a port
- of * as always matching, so we were picking reject *:* nodes as
- exit nodes too. Oops.
- - When read() failed on a stream, we would close it without sending
- back an end. So 'connection refused' would simply be ignored and
- the user would get no response.
- - Stop a sigpipe: when an 'end' cell races with eof from the app,
- we shouldn't hold-open-until-flush if the eof arrived first.
- - Let resolve conns retry/expire also, rather than sticking around
- forever.
- - Fix more dns related bugs: send back resolve_failed and end cells
- more reliably when the resolve fails, rather than closing the
- circuit and then trying to send the cell. Also attach dummy resolve
- connections to a circuit *before* calling dns_resolve(), to fix
- a bug where cached answers would never be sent in RESOLVED cells.
- o Bugfixes on 0.0.8.1 (Circuits):
- - Finally fix a bug that's been plaguing us for a year:
- With high load, circuit package window was reaching 0. Whenever
- we got a circuit-level sendme, we were reading a lot on each
- socket, but only writing out a bit. So we would eventually reach
- eof. This would be noticed and acted on even when there were still
- bytes sitting in the inbuf.
- - Use identity comparison, not nickname comparison, to choose which
- half of circuit-ID-space each side gets to use. This is needed
- because sometimes we think of a router as a nickname, and sometimes
- as a hex ID, and we can't predict what the other side will do.
- o Bugfixes on 0.0.8.1 (Other):
- - Fix a whole slew of memory leaks.
- - Disallow NDEBUG. We don't ever want anybody to turn off debug.
- - If we are using select, make sure we stay within FD_SETSIZE.
- - When poll() is interrupted, we shouldn't believe the revents values.
- - Add a FAST_SMARTLIST define to optionally inline smartlist_get
- and smartlist_len, which are two major profiling offenders.
- - If do_hup fails, actually notice.
- - Flush the log file descriptor after we print "Tor opening log file",
- so we don't see those messages days later.
- - Hidden service operators now correctly handle version 1 style
- INTRODUCE1 cells (nobody generates them still, so not a critical
- bug).
- - Handle more errnos from accept() without closing the listener.
- Some OpenBSD machines were closing their listeners because
- they ran out of file descriptors.
- - Some people had wrapped their tor client/server in a script
- that would restart it whenever it died. This did not play well
- with our "shut down if your version is obsolete" code. Now people
- don't fetch a new directory if their local cached version is
- recent enough.
- - Make our autogen.sh work on ksh as well as bash.
- - Better torrc example lines for dirbindaddress and orbindaddress.
- - Improved bounds checking on parsed ints (e.g. config options and
- the ones we find in directories.)
- - Stop using separate defaults for no-config-file and
- empty-config-file. Now you have to explicitly turn off SocksPort,
- if you don't want it open.
- - We were starting to daemonize before we opened our logs, so if
- there were any problems opening logs, we would complain to stderr,
- which wouldn't work, and then mysteriously exit.
- - If a verified OR connects to us before he's uploaded his descriptor,
- or we verify him and hup but he still has the original TLS
- connection, then conn->nickname is still set like he's unverified.
- o Code security improvements, inspired by Ilja:
- - tor_snprintf wrapper over snprintf with consistent (though not C99)
- overflow behavior.
- - Replace sprintf with tor_snprintf. (I think they were all safe, but
- hey.)
- - Replace strcpy/strncpy with strlcpy in more places.
- - Avoid strcat; use tor_snprintf or strlcat instead.
- o Features (circuits and streams):
- - New circuit building strategy: keep a list of ports that we've
- used in the past 6 hours, and always try to have 2 circuits open
- or on the way that will handle each such port. Seed us with port
- 80 so web users won't complain that Tor is "slow to start up".
- - Make kill -USR1 dump more useful stats about circuits.
- - When warning about retrying or giving up, print the address, so
- the user knows which one it's talking about.
- - If you haven't used a clean circuit in an hour, throw it away,
- just to be on the safe side. (This means after 6 hours a totally
- unused Tor client will have no circuits open.)
- - Support "foo.nickname.exit" addresses, to let Alice request the
- address "foo" as viewed by exit node "nickname". Based on a patch
- from Geoff Goodell.
- - If your requested entry or exit node has advertised bandwidth 0,
- pick it anyway.
- - Be more greedy about filling up relay cells -- we try reading again
- once we've processed the stuff we read, in case enough has arrived
- to fill the last cell completely.
- - Refuse application socks connections to port 0.
- - Use only 0.0.9pre1 and later servers for resolve cells.
- o Features (bandwidth):
- - Hibernation: New config option "AccountingMax" lets you
- set how many bytes per month (in each direction) you want to
- allow your server to consume. Rather than spreading those
- bytes out evenly over the month, we instead hibernate for some
- of the month and pop up at a deterministic time, work until
- the bytes are consumed, then hibernate again. Config option
- "MonthlyAccountingStart" lets you specify which day of the month
- your billing cycle starts on.
- - Implement weekly/monthly/daily accounting: now you specify your
- hibernation properties by
- AccountingMax N bytes|KB|MB|GB|TB
- AccountingStart day|week|month [day] HH:MM
- Defaults to "month 1 0:00".
- - Let bandwidth and interval config options be specified as 5 bytes,
- kb, kilobytes, etc; and as seconds, minutes, hours, days, weeks.
- o Features (directories):
- - New "router-status" line in directory, to better bind each verified
- nickname to its identity key.
- - Clients can ask dirservers for /dir.z to get a compressed version
- of the directory. Only works for servers running 0.0.9, of course.
- - Make clients cache directories and use them to seed their router
- lists at startup. This means clients have a datadir again.
- - Respond to content-encoding headers by trying to uncompress as
- appropriate.
- - Clients and servers now fetch running-routers; cache
- running-routers; compress running-routers; serve compressed
- running-routers.z
- - Make moria2 advertise a dirport of 80, so people behind firewalls
- will be able to get a directory.
- - Http proxy support
- - Dirservers translate requests for http://%s:%d/x to /x
- - You can specify "HttpProxy %s[:%d]" and all dir fetches will
- be routed through this host.
- - Clients ask for /tor/x rather than /x for new enough dirservers.
- This way we can one day coexist peacefully with apache.
- - Clients specify a "Host: %s%d" http header, to be compatible
- with more proxies, and so running squid on an exit node can work.
- - Protect dirservers from overzealous descriptor uploading -- wait
- 10 seconds after directory gets dirty, before regenerating.
- o Features (packages and install):
- - Add NSI installer contributed by J Doe.
- - Apply NT service patch from Osamu Fujino. Still needs more work.
- - Commit VC6 and VC7 workspace/project files.
- - Commit a tor.spec for making RPM files, with help from jbash.
- - Add contrib/torctl.in contributed by Glenn Fink.
- - Make expand_filename handle ~ and ~username.
- - Use autoconf to enable largefile support where necessary. Use
- ftello where available, since ftell can fail at 2GB.
- - Ship src/win32/ in the tarball, so people can use it to build.
- - Make old win32 fall back to CWD if SHGetSpecialFolderLocation
- is broken.
- o Features (ui controller):
- - Control interface: a separate program can now talk to your
- client/server over a socket, and get/set config options, receive
- notifications of circuits and streams starting/finishing/dying,
- bandwidth used, etc. The next step is to get some GUIs working.
- Let us know if you want to help out. See doc/control-spec.txt .
- - Ship a contrib/tor-control.py as an example script to interact
- with the control port.
- - "tor --hash-password zzyxz" will output a salted password for
- use in authenticating to the control interface.
- - Implement the control-spec's SAVECONF command, to write your
- configuration to torrc.
- - Get cookie authentication for the controller closer to working.
- - When set_conf changes our server descriptor, upload a new copy.
- But don't upload it too often if there are frequent changes.
- o Features (config and command-line):
- - Deprecate unofficial config option abbreviations, and abbreviations
- not on the command line.
- - Configuration infrastructure support for warning on obsolete
- options.
- - Give a slightly more useful output for "tor -h".
- - Break DirFetchPostPeriod into:
- - DirFetchPeriod for fetching full directory,
- - StatusFetchPeriod for fetching running-routers,
- - DirPostPeriod for posting server descriptor,
- - RendPostPeriod for posting hidden service descriptors.
- - New log format in config:
- "Log minsev[-maxsev] stdout|stderr|syslog" or
- "Log minsev[-maxsev] file /var/foo"
- - DirPolicy config option, to let people reject incoming addresses
- from their dirserver.
- - "tor --list-fingerprint" will list your identity key fingerprint
- and then exit.
- - Make tor --version --version dump the cvs Id of every file.
- - New 'MyFamily nick1,...' config option for a server to
- specify other servers that shouldn't be used in the same circuit
- with it. Only believed if nick1 also specifies us.
- - New 'NodeFamily nick1,nick2,...' config option for a client to
- specify nodes that it doesn't want to use in the same circuit.
- - New 'Redirectexit pattern address:port' config option for a
- server to redirect exit connections, e.g. to a local squid.
- - Add "pass" target for RedirectExit, to make it easier to break
- out of a sequence of RedirectExit rules.
- - Make the dirservers file obsolete.
- - Include a dir-signing-key token in directories to tell the
- parsing entity which key is being used to sign.
- - Remove the built-in bulky default dirservers string.
- - New config option "Dirserver %s:%d [fingerprint]", which can be
- repeated as many times as needed. If no dirservers specified,
- default to moria1,moria2,tor26.
- - Make 'Routerfile' config option obsolete.
- - Discourage people from setting their dirfetchpostperiod more often
- than once per minute.
- o Features (other):
- - kill -USR2 now moves all logs to loglevel debug (kill -HUP to
- get back to normal.)
- - Accept *:706 (silc) in default exit policy.
- - Implement new versioning format for post 0.1.
- - Distinguish between TOR_TLS_CLOSE and TOR_TLS_ERROR, so we can
- log more informatively.
- - Check clock skew for verified servers, but allow unverified
- servers and clients to have any clock skew.
- - Make sure the hidden service descriptors are at a random offset
- from each other, to hinder linkability.
- - Clients now generate a TLS cert too, in preparation for having
- them act more like real nodes.
- - Add a pure-C tor-resolve implementation.
- - Use getrlimit and friends to ensure we can reach MaxConn (currently
- 1024) file descriptors.
- - Raise the max dns workers from 50 to 100.
- Changes in version 0.0.8.1 - 2004-10-13
- o Bugfixes:
- - Fix a seg fault that can be triggered remotely for Tor
- clients/servers with an open dirport.
- - Fix a rare assert trigger, where routerinfos for entries in
- our cpath would expire while we're building the path.
- - Fix a bug in OutboundBindAddress so it (hopefully) works.
- - Fix a rare seg fault for people running hidden services on
- intermittent connections.
- - Fix a bug in parsing opt keywords with objects.
- - Fix a stale pointer assert bug when a stream detaches and
- reattaches.
- - Fix a string format vulnerability (probably not exploitable)
- in reporting stats locally.
- - Fix an assert trigger: sometimes launching circuits can fail
- immediately, e.g. because too many circuits have failed recently.
- - Fix a compile warning on 64 bit platforms.
- Changes in version 0.0.8 - 2004-08-25
- o Bugfixes:
- - Made our unit tests compile again on OpenBSD 3.5, and tor
- itself compile again on OpenBSD on a sparc64.
- - We were neglecting milliseconds when logging on win32, so
- everything appeared to happen at the beginning of each second.
- - Check directory signature _before_ you decide whether you're
- you're running an obsolete version and should exit.
- - Check directory signature _before_ you parse the running-routers
- list to decide who's running.
- - Check return value of fclose while writing to disk, so we don't
- end up with broken files when servers run out of disk space.
- - Port it to SunOS 5.9 / Athena
- - Fix two bugs in saving onion keys to disk when rotating, so
- hopefully we'll get fewer people using old onion keys.
- - Remove our mostly unused -- and broken -- hex_encode()
- function. Use base16_encode() instead. (Thanks to Timo Lindfors
- for pointing out this bug.)
- - Only pick and establish intro points after we've gotten a
- directory.
- - Fix assert triggers: if the other side returns an address 0.0.0.0,
- don't put it into the client dns cache.
- - If a begin failed due to exit policy, but we believe the IP
- address should have been allowed, switch that router to exitpolicy
- reject *:* until we get our next directory.
- o Protocol changes:
- - 'Extend' relay cell payloads now include the digest of the
- intended next hop's identity key. Now we can verify that we're
- extending to the right router, and also extend to routers we
- hadn't heard of before.
- o Features:
- - Tor nodes can now act as relays (with an advertised ORPort)
- without being manually verified by the dirserver operators.
- - Uploaded descriptors of unverified routers are now accepted
- by the dirservers, and included in the directory.
- - Verified routers are listed by nickname in the running-routers
- list; unverified routers are listed as "$<fingerprint>".
- - We now use hash-of-identity-key in most places rather than
- nickname or addr:port, for improved security/flexibility.
- - AllowUnverifiedNodes config option to let circuits choose no-name
- routers in entry,middle,exit,introduction,rendezvous positions.
- Allow middle and rendezvous positions by default.
- - When picking unverified routers, skip those with low uptime and/or
- low bandwidth, depending on what properties you care about.
- - ClientOnly option for nodes that never want to become servers.
- - Directory caching.
- - "AuthoritativeDir 1" option for the official dirservers.
- - Now other nodes (clients and servers) will cache the latest
- directory they've pulled down.
- - They can enable their DirPort to serve it to others.
- - Clients will pull down a directory from any node with an open
- DirPort, and check the signature/timestamp correctly.
- - Authoritative dirservers now fetch directories from other
- authdirservers, to stay better synced.
- - Running-routers list tells who's down also, along with noting
- if they're verified (listed by nickname) or unverified (listed
- by hash-of-key).
- - Allow dirservers to serve running-router list separately.
- This isn't used yet.
- - You can now fetch $DIRURL/running-routers to get just the
- running-routers line, not the whole descriptor list. (But
- clients don't use this yet.)
- - Clients choose nodes proportional to advertised bandwidth.
- - Clients avoid using nodes with low uptime as introduction points.
- - Handle servers with dynamic IP addresses: don't just replace
- options->Address with the resolved one at startup, and
- detect our address right before we make a routerinfo each time.
- - 'FascistFirewall' option to pick dirservers and ORs on specific
- ports; plus 'FirewallPorts' config option to tell FascistFirewall
- which ports are open. (Defaults to 80,443)
- - Try other dirservers immediately if the one you try is down. This
- should tolerate down dirservers better now.
- - ORs connect-on-demand to other ORs
- - If you get an extend cell to an OR you're not connected to,
- connect, handshake, and forward the create cell.
- - The authoritative dirservers stay connected to everybody,
- and everybody stays connected to 0.0.7 servers, but otherwise
- clients/servers expire unused connections after 5 minutes.
- - When servers get a sigint, they delay 30 seconds (refusing new
- connections) then exit. A second sigint causes immediate exit.
- - File and name management:
- - Look for .torrc if no CONFDIR "torrc" is found.
- - If no datadir is defined, then choose, make, and secure ~/.tor
- as datadir.
- - If torrc not found, exitpolicy reject *:*.
- - Expands ~/ in filenames to $HOME/ (but doesn't yet expand ~arma).
- - If no nickname is defined, derive default from hostname.
- - Rename secret key files, e.g. identity.key -> secret_id_key,
- to discourage people from mailing their identity key to tor-ops.
- - Refuse to build a circuit before the directory has arrived --
- it won't work anyway, since you won't know the right onion keys
- to use.
- - Parse tor version numbers so we can do an is-newer-than check
- rather than an is-in-the-list check.
- - New socks command 'resolve', to let us shim gethostbyname()
- locally.
- - A 'tor_resolve' script to access the socks resolve functionality.
- - A new socks-extensions.txt doc file to describe our
- interpretation and extensions to the socks protocols.
- - Add a ContactInfo option, which gets published in descriptor.
- - Write tor version at the top of each log file
- - New docs in the tarball:
- - tor-doc.html.
- - Document that you should proxy your SSL traffic too.
- - Log a warning if the user uses an unsafe socks variant, so people
- are more likely to learn about privoxy or socat.
- - Log a warning if you're running an unverified server, to let you
- know you might want to get it verified.
- - Change the default exit policy to reject the default edonkey,
- kazaa, gnutella ports.
- - Add replace_file() to util.[ch] to handle win32's rename().
- - Publish OR uptime in descriptor (and thus in directory) too.
- - Remember used bandwidth (both in and out), and publish 15-minute
- snapshots for the past day into our descriptor.
- - Be more aggressive about trying to make circuits when the network
- has changed (e.g. when you unsuspend your laptop).
- - Check for time skew on http headers; report date in response to
- "GET /".
- - If the entrynode config line has only one node, don't pick it as
- an exitnode.
- - Add strict{entry|exit}nodes config options. If set to 1, then
- we refuse to build circuits that don't include the specified entry
- or exit nodes.
- - OutboundBindAddress config option, to bind to a specific
- IP address for outgoing connect()s.
- - End truncated log entries (e.g. directories) with "[truncated]".
- Changes in version 0.0.7.3 - 2004-08-12
- o Stop dnsworkers from triggering an assert failure when you
- ask them to resolve the host "".
- Changes in version 0.0.7.2 - 2004-07-07
- o A better fix for the 0.0.0.0 problem, that will hopefully
- eliminate the remaining related assertion failures.
- Changes in version 0.0.7.1 - 2004-07-04
- o When an address resolves to 0.0.0.0, treat it as a failed resolve,
- since internally we use 0.0.0.0 to signify "not yet resolved".
- Changes in version 0.0.7 - 2004-06-07
- o Fixes for crashes and other obnoxious bugs:
- - Fix an epipe bug: sometimes when directory connections failed
- to connect, we would give them a chance to flush before closing
- them.
- - When we detached from a circuit because of resolvefailed, we
- would immediately try the same circuit twice more, and then
- give up on the resolve thinking we'd tried three different
- exit nodes.
- - Limit the number of intro circuits we'll attempt to build for a
- hidden service per 15-minute period.
- - Check recommended-software string *early*, before actually parsing
- the directory. Thus we can detect an obsolete version and exit,
- even if the new directory format doesn't parse.
- o Fixes for security bugs:
- - Remember which nodes are dirservers when you startup, and if a
- random OR enables his dirport, don't automatically assume he's
- a trusted dirserver.
- o Other bugfixes:
- - Directory connections were asking the wrong poll socket to
- start writing, and not asking themselves to start writing.
- - When we detached from a circuit because we sent a begin but
- didn't get a connected, we would use it again the first time;
- but after that we would correctly switch to a different one.
- - Stop warning when the first onion decrypt attempt fails; they
- will sometimes legitimately fail now that we rotate keys.
- - Override unaligned-access-ok check when $host_cpu is ia64 or
- arm. Apparently they allow it but the kernel whines.
- - Dirservers try to reconnect periodically too, in case connections
- have failed.
- - Fix some memory leaks in directory servers.
- - Allow backslash in Win32 filenames.
- - Made Tor build complain-free on FreeBSD, hopefully without
- breaking other BSD builds. We'll see.
- - Check directory signatures based on name of signer, not on whom
- we got the directory from. This will let us cache directories more
- easily.
- - Rotate dnsworkers and cpuworkers on SIGHUP, so they get new config
- settings too.
- o Features:
- - Doxygen markup on all functions and global variables.
- - Make directory functions update routerlist, not replace it. So
- now directory disagreements are not so critical a problem.
- - Remove the upper limit on number of descriptors in a dirserver's
- directory (not that we were anywhere close).
- - Allow multiple logfiles at different severity ranges.
- - Allow *BindAddress to specify ":port" rather than setting *Port
- separately. Allow multiple instances of each BindAddress config
- option, so you can bind to multiple interfaces if you want.
- - Allow multiple exit policy lines, which are processed in order.
- Now we don't need that huge line with all the commas in it.
- - Enable accept/reject policies on SOCKS connections, so you can bind
- to 0.0.0.0 but still control who can use your OP.
- - Updated the man page to reflect these features.
- Changes in version 0.0.6.2 - 2004-05-16
- o Our integrity-checking digest was checking only the most recent cell,
- not the previous cells like we'd thought.
- Thanks to Stefan Mark for finding the flaw!
- Changes in version 0.0.6.1 - 2004-05-06
- o Fix two bugs in our AES counter-mode implementation (this affected
- onion-level stream encryption, but not TLS-level). It turns
- out we were doing something much more akin to a 16-character
- polyalphabetic cipher. Oops.
- Thanks to Stefan Mark for finding the flaw!
- o Retire moria3 as a directory server, and add tor26 as a directory
- server.
- Changes in version 0.0.6 - 2004-05-02
- o Features:
- - Hidden services and rendezvous points are implemented. Go to
- http://6sxoyfb3h2nvok2d.onion/ for an index of currently available
- hidden services. (This only works via a socks4a proxy such as
- Privoxy, and currently it's quite slow.)
- - We now rotate link (tls context) keys and onion keys.
- - CREATE cells now include oaep padding, so you can tell
- if you decrypted them correctly.
- - Retry stream correctly when we fail to connect because of
- exit-policy-reject (should try another) or can't-resolve-address.
- - When we hup a dirserver and we've *removed* a server from the
- approved-routers list, now we remove that server from the
- in-memory directories too.
- - Add bandwidthburst to server descriptor.
- - Directories now say which dirserver signed them.
- - Use a tor_assert macro that logs failed assertions too.
- - Since we don't support truncateds much, don't bother sending them;
- just close the circ.
- - Fetch randomness from /dev/urandom better (not via fopen/fread)
- - Better debugging for tls errors
- - Set Content-Type on the directory and hidserv descriptor.
- - Remove IVs from cipher code, since AES-ctr has none.
- o Bugfixes:
- - Fix an assert trigger for exit nodes that's been plaguing us since
- the days of 0.0.2prexx (thanks weasel!)
- - Fix a bug where we were closing tls connections intermittently.
- It turns out openssl keeps its errors around -- so if an error
- happens, and you don't ask about it, and then another openssl
- operation happens and succeeds, and you ask if there was an error,
- it tells you about the first error.
- - Fix a bug that's been lurking since 27 may 03 (!)
- When passing back a destroy cell, we would use the wrong circ id.
- - Don't crash if a conn that sent a begin has suddenly lost its circuit.
- - Some versions of openssl have an SSL_pending function that erroneously
- returns bytes when there is a non-application record pending.
- - Win32 fixes. Tor now compiles on win32 with no warnings/errors.
- o We were using an array of length zero in a few places.
- o Win32's gethostbyname can't resolve an IP to an IP.
- o Win32's close can't close a socket.
- o Handle windows socket errors correctly.
- o Portability:
- - check for <sys/limits.h> so we build on FreeBSD again, and
- <machine/limits.h> for NetBSD.
- Changes in version 0.0.5 - 2004-03-30
- o Install torrc as torrc.sample -- we no longer clobber your
- torrc. (Woo!)
- o Fix mangled-state bug in directory fetching (was causing sigpipes).
- o Only build circuits after we've fetched the directory: clients were
- using only the directory servers before they'd fetched a directory.
- This also means longer startup time; so it goes.
- o Fix an assert trigger where an OP would fail to handshake, and we'd
- expect it to have a nickname.
- o Work around a tsocks bug: do a socks reject when AP connection dies
- early, else tsocks goes into an infinite loop.
- o Hold socks connection open until reply is flushed (if possible)
- o Make exit nodes resolve IPs to IPs immediately, rather than asking
- the dns farm to do it.
- o Fix c99 aliasing warnings in rephist.c
- o Don't include server descriptors that are older than 24 hours in the
- directory.
- o Give socks 'reject' replies their whole 15s to attempt to flush,
- rather than seeing the 60s timeout and assuming the flush had failed.
- o Clean automake droppings from the cvs repository
- o Add in a 'notice' log level for things the operator should hear
- but that aren't warnings
- Changes in version 0.0.4 - 2004-03-26
- o When connecting to a dirserver or OR and the network is down,
- we would crash.
- Changes in version 0.0.3 - 2004-03-26
- o Warn and fail if server chose a nickname with illegal characters
- o Port to Solaris and Sparc:
- - include missing header fcntl.h
- - have autoconf find -lsocket -lnsl automatically
- - deal with hardware word alignment
- - make uname() work (solaris has a different return convention)
- - switch from using signal() to sigaction()
- o Preliminary work on reputation system:
- - Keep statistics on success/fail of connect attempts; they're published
- by kill -USR1 currently.
- - Add a RunTesting option to try to learn link state by creating test
- circuits, even when SocksPort is off.
- - Remove unused open circuits when there are too many.
- Changes in version 0.0.2 - 2004-03-19
- - Include strlcpy and strlcat for safer string ops
- - define INADDR_NONE so we compile (but still not run) on solaris
- Changes in version 0.0.2pre27 - 2004-03-14
- o Bugfixes:
- - Allow internal tor networks (we were rejecting internal IPs,
- now we allow them if they're set explicitly).
- - And fix a few endian issues.
- Changes in version 0.0.2pre26 - 2004-03-14
- o New features:
- - If a stream times out after 15s without a connected cell, don't
- try that circuit again: try a new one.
- - Retry streams at most 4 times. Then give up.
- - When a dirserver gets a descriptor from an unknown router, it
- logs its fingerprint (so the dirserver operator can choose to
- accept it even without mail from the server operator).
- - Inform unapproved servers when we reject their descriptors.
- - Make tor build on Windows again. It works as a client, who knows
- about as a server.
- - Clearer instructions in the torrc for how to set up a server.
- - Be more efficient about reading fd's when our global token bucket
- (used for rate limiting) becomes empty.
- o Bugfixes:
- - Stop asserting that computers always go forward in time. It's
- simply not true.
- - When we sent a cell (e.g. destroy) and then marked an OR connection
- expired, we might close it before finishing a flush if the other
- side isn't reading right then.
- - Don't allow dirservers to start if they haven't defined
- RecommendedVersions
- - We were caching transient dns failures. Oops.
- - Prevent servers from publishing an internal IP as their address.
- - Address a strcat vulnerability in circuit.c
- Changes in version 0.0.2pre25 - 2004-03-04
- o New features:
- - Put the OR's IP in its router descriptor, not its fqdn. That way
- we'll stop being stalled by gethostbyname for nodes with flaky dns,
- e.g. poblano.
- o Bugfixes:
- - If the user typed in an address that didn't resolve, the server
- crashed.
- Changes in version 0.0.2pre24 - 2004-03-03
- o Bugfixes:
- - Fix an assertion failure in dns.c, where we were trying to dequeue
- a pending dns resolve even if it wasn't pending
- - Fix a spurious socks5 warning about still trying to write after the
- connection is finished.
- - Hold certain marked_for_close connections open until they're finished
- flushing, rather than losing bytes by closing them too early.
- - Correctly report the reason for ending a stream
- - Remove some duplicate calls to connection_mark_for_close
- - Put switch_id and start_daemon earlier in the boot sequence, so it
- will actually try to chdir() to options.DataDirectory
- - Make 'make test' exit(1) if a test fails; fix some unit tests
- - Make tor fail when you use a config option it doesn't know about,
- rather than warn and continue.
- - Make --version work
- - Bugfixes on the rpm spec file and tor.sh, so it's more up to date
- Changes in version 0.0.2pre23 - 2004-02-29
- o New features:
- - Print a statement when the first circ is finished, so the user
- knows it's working.
- - If a relay cell is unrecognized at the end of the circuit,
- send back a destroy. (So attacks to mutate cells are more
- clearly thwarted.)
- - New config option 'excludenodes' to avoid certain nodes for circuits.
- - When it daemonizes, it chdir's to the DataDirectory rather than "/",
- so you can collect coredumps there.
- o Bugfixes:
- - Fix a bug in tls flushing where sometimes data got wedged and
- didn't flush until more data got sent. Hopefully this bug was
- a big factor in the random delays we were seeing.
- - Make 'connected' cells include the resolved IP, so the client
- dns cache actually gets populated.
- - Disallow changing from ORPort=0 to ORPort>0 on hup.
- - When we time-out on a stream and detach from the circuit, send an
- end cell down it first.
- - Only warn about an unknown router (in exitnodes, entrynodes,
- excludenodes) after we've fetched a directory.
- Changes in version 0.0.2pre22 - 2004-02-26
- o New features:
- - Servers publish less revealing uname information in descriptors.
- - More memory tracking and assertions, to crash more usefully when
- errors happen.
- - If the default torrc isn't there, just use some default defaults.
- Plus provide an internal dirservers file if they don't have one.
- - When the user tries to use Tor as an http proxy, give them an http
- 501 failure explaining that we're a socks proxy.
- - Dump a new router.desc on hup, to help confused people who change
- their exit policies and then wonder why router.desc doesn't reflect
- it.
- - Clean up the generic tor.sh init script that we ship with.
- o Bugfixes:
- - If the exit stream is pending on the resolve, and a destroy arrives,
- then the stream wasn't getting removed from the pending list. I
- think this was the one causing recent server crashes.
- - Use a more robust poll on OSX 10.3, since their poll is flaky.
- - When it couldn't resolve any dirservers, it was useless from then on.
- Now it reloads the RouterFile (or default dirservers) if it has no
- dirservers.
- - Move the 'tor' binary back to /usr/local/bin/ -- it turns out
- many users don't even *have* a /usr/local/sbin/.
- Changes in version 0.0.2pre21 - 2004-02-18
- o New features:
- - There's a ChangeLog file that actually reflects the changelog.
- - There's a 'torify' wrapper script, with an accompanying
- tor-tsocks.conf, that simplifies the process of using tsocks for
- tor. It even has a man page.
- - The tor binary gets installed to sbin rather than bin now.
- - Retry streams where the connected cell hasn't arrived in 15 seconds
- - Clean up exit policy handling -- get the default out of the torrc,
- so we can update it without forcing each server operator to fix
- his/her torrc.
- - Allow imaps and pop3s in default exit policy
- o Bugfixes:
- - Prevent picking middleman nodes as the last node in the circuit
- Changes in version 0.0.2pre20 - 2004-01-30
- o New features:
- - We now have a deb package, and it's in debian unstable. Go to
- it, apt-getters. :)
- - I've split the TotalBandwidth option into BandwidthRate (how many
- bytes per second you want to allow, long-term) and
- BandwidthBurst (how many bytes you will allow at once before the cap
- kicks in). This better token bucket approach lets you, say, set
- BandwidthRate to 10KB/s and BandwidthBurst to 10MB, allowing good
- performance while not exceeding your monthly bandwidth quota.
- - Push out a tls record's worth of data once you've got it, rather
- than waiting until you've read everything waiting to be read. This
- may improve performance by pipelining better. We'll see.
- - Add an AP_CONN_STATE_CONNECTING state, to allow streams to detach
- from failed circuits (if they haven't been connected yet) and attach
- to new ones.
- - Expire old streams that haven't managed to connect. Some day we'll
- have them reattach to new circuits instead.
- o Bugfixes:
- - Fix several memory leaks that were causing servers to become bloated
- after a while.
- - Fix a few very rare assert triggers. A few more remain.
- - Setuid to User _before_ complaining about running as root.
- Changes in version 0.0.2pre19 - 2004-01-07
- o Bugfixes:
- - Fix deadlock condition in dns farm. We were telling a child to die by
- closing the parent's file descriptor to him. But newer children were
- inheriting the open file descriptor from the parent, and since they
- weren't closing it, the socket never closed, so the child never read
- eof, so he never knew to exit. Similarly, dns workers were holding
- open other sockets, leading to all sorts of chaos.
- - New cleaner daemon() code for forking and backgrounding.
- - If you log to a file, it now prints an entry at the top of the
- logfile so you know it's working.
- - The onionskin challenge length was 30 bytes longer than necessary.
- - Started to patch up the spec so it's not quite so out of date.
- Changes in version 0.0.2pre18 - 2004-01-02
- o Bugfixes:
- - Fix endian issues with the 'integrity' field in the relay header.
- - Fix a potential bug where connections in state
- AP_CONN_STATE_CIRCUIT_WAIT might unexpectedly ask to write.
- Changes in version 0.0.2pre17 - 2003-12-30
- o Bugfixes:
- - Made --debuglogfile (or any second log file, actually) work.
- - Resolved an edge case in get_unique_circ_id_by_conn where a smart
- adversary could force us into an infinite loop.
- o Features:
- - Each onionskin handshake now includes a hash of the computed key,
- to prove the server's identity and help perfect forward secrecy.
- - Changed cell size from 256 to 512 bytes (working toward compatibility
- with MorphMix).
- - Changed cell length to 2 bytes, and moved it to the relay header.
- - Implemented end-to-end integrity checking for the payloads of
- relay cells.
- - Separated streamid from 'recognized' (otherwise circuits will get
- messed up when we try to have streams exit from the middle). We
- use the integrity-checking to confirm that a cell is addressed to
- this hop.
- - Randomize the initial circid and streamid values, so an adversary who
- breaks into a node can't learn how many circuits or streams have
- been made so far.
- Changes in version 0.0.2pre16 - 2003-12-14
- o Bugfixes:
- - Fixed a bug that made HUP trigger an assert
- - Fixed a bug where a circuit that immediately failed wasn't being
- counted as a failed circuit in counting retries.
- o Features:
- - Now we close the circuit when we get a truncated cell: otherwise we're
- open to an anonymity attack where a bad node in the path truncates
- the circuit and then we open streams at him.
- - Add port ranges to exit policies
- - Add a conservative default exit policy
- - Warn if you're running tor as root
- - on HUP, retry OR connections and close/rebind listeners
- - options.EntryNodes: try these nodes first when picking the first node
- - options.ExitNodes: if your best choices happen to include any of
- your preferred exit nodes, you choose among just those preferred
- exit nodes.
- - options.ExcludedNodes: nodes that are never picked in path building
- Changes in version 0.0.2pre15 - 2003-12-03
- o Robustness and bugfixes:
- - Sometimes clients would cache incorrect DNS resolves, which would
- really screw things up.
- - An OP that goes offline would slowly leak all its sockets and stop
- working.
- - A wide variety of bugfixes in exit node selection, exit policy
- handling, and processing pending streams when a new circuit is
- established.
- - Pick nodes for a path only from those the directory says are up
- - Choose randomly from all running dirservers, not always the first one
- - Increase allowed http header size for directory fetch.
- - Stop writing to stderr (if we're daemonized it will be closed).
- - Enable -g always, so cores will be more useful to me.
- - Switch "-lcrypto -lssl" to "-lssl -lcrypto" for broken distributions.
- o Documentation:
- - Wrote a man page. It lists commonly used options.
- o Configuration:
- - Change default loglevel to warn.
- - Make PidFile default to null rather than littering in your CWD.
- - OnionRouter config option is now obsolete. Instead it just checks
- ORPort>0.
- - Moved to a single unified torrc file for both clients and servers.
- Changes in version 0.0.2pre14 - 2003-11-29
- o Robustness and bugfixes:
- - Force the admin to make the DataDirectory himself
- - to get ownership/permissions right
- - so clients no longer make a DataDirectory and then never use it
- - fix bug where a client who was offline for 45 minutes would never
- pull down a directory again
- - fix (or at least hide really well) the dns assert bug that was
- causing server crashes
- - warnings and improved robustness wrt clockskew for certs
- - use the native daemon(3) to daemonize, when available
- - exit if bind() fails
- - exit if neither socksport nor orport is defined
- - include our own tor_timegm (Win32 doesn't have its own)
- - bugfix for win32 with lots of connections
- - fix minor bias in PRNG
- - make dirserver more robust to corrupt cached directory
- o Documentation:
- - Wrote the design document (woo)
- o Circuit building and exit policies:
- - Circuits no longer try to use nodes that the directory has told them
- are down.
- - Exit policies now support bitmasks (18.0.0.0/255.0.0.0) and
- bitcounts (18.0.0.0/8).
- - Make AP connections standby for a circuit if no suitable circuit
- exists, rather than failing
- - Circuits choose exit node based on addr/port, exit policies, and
- which AP connections are standing by
- - Bump min pathlen from 2 to 3
- - Relay end cells have a payload to describe why the stream ended.
- - If the stream failed because of exit policy, try again with a new
- circuit.
- - Clients have a dns cache to remember resolved addresses.
- - Notice more quickly when we have no working circuits
- o Configuration:
- - APPort is now called SocksPort
- - SocksBindAddress, ORBindAddress, DirBindAddress let you configure
- where to bind
- - RecommendedVersions is now a config variable rather than
- hardcoded (for dirservers)
- - Reloads config on HUP
- - Usage info on -h or --help
- - If you set User and Group config vars, it'll setu/gid to them.
- Changes in version 0.0.2pre13 - 2003-10-19
- o General stability:
- - SSL_write no longer fails when it returns WANTWRITE and the number
- of bytes in the buf has changed by the next SSL_write call.
- - Fix segfault fetching directory when network is down
- - Fix a variety of minor memory leaks
- - Dirservers reload the fingerprints file on HUP, so I don't have
- to take down the network when I approve a new router
- - Default server config file has explicit Address line to specify fqdn
- o Buffers:
- - Buffers grow and shrink as needed (Cut process size from 20M to 2M)
- - Make listener connections not ever alloc bufs
- o Autoconf improvements:
- - don't clobber an external CFLAGS in ./configure
- - Make install now works
- - create var/lib/tor on make install
- - autocreate a tor.sh initscript to help distribs
- - autocreate the torrc and sample-server-torrc with correct paths
- o Log files and Daemonizing now work:
- - If --DebugLogFile is specified, log to it at -l debug
- - If --LogFile is specified, use it instead of commandline
- - If --RunAsDaemon is set, tor forks and backgrounds on startup
|