TODO 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289
  1. improve how it behaves when i remove a line from the approved-routers files
  2. on hup, retry_all_connections (plus binding? and closing i guess. hm.)
  3. Legend:
  4. SPEC!! - Not specified
  5. SPEC - Spec not finalized
  6. NICK - nick claims
  7. ARMA - arma claims
  8. - Not done
  9. * Top priority
  10. . Partially done
  11. o Done
  12. D Deferred
  13. X Abandoned
  14. For 0.0.2pre15:
  15. o don't pick exit nodes which will certainly reject all things.
  16. o don't pick nodes that the directory says are down
  17. o choose randomly from running dirservers, not just first one
  18. o install the man page
  19. o warn when client-side tries an address/port which no router in the dir accepts.
  20. For 0.0.2pre14:
  21. o More flexible exit policies (18.*, 18.0.0.0/8)
  22. o Work to succeed in the precense of exit policy violation
  23. o Replace desired_path_len with opaque path-selection specifier
  24. o Client-side DNS caching
  25. o Add entries to client DNS cache based on END cells
  26. o Remove port from END_REASON_EXITPOLICY cells
  27. o Start building new circuits when we get an exit-policy
  28. failure. (Defer exiting from the middle of existing
  29. circuits or extending existing circuits for later.)
  30. o Implement function to check whether a routerinfo_t
  31. supports a given exit addr.
  32. o Choose the exit node of an in-progress circuit based on
  33. pending AP connections.
  34. o Choose the exit node _first_, then beginning, then
  35. middle nodes.
  36. Short-term:
  37. - Make tls connections tls_close intentionally
  38. o Rename ACI to circID
  39. . integrate rep_ok functions, see what breaks
  40. - update tor faq
  41. o obey SocksBindAddress, ORBindAddress
  42. - warn if we're running as root
  43. o make connection_flush_buf() more obviously obsolete
  44. o let hup reread the config file, eg so we can get new exit
  45. policies without restarting
  46. o Put recommended_versions in a config entry
  47. - use times(2) rather than gettimeofday to measure how long it
  48. takes to process a cell
  49. o Separate trying to rebuild a circuit because you have none from trying
  50. to rebuild a circuit because the current one is stale
  51. X Continue reading from socks port even while waiting for connect.
  52. . Exit policies
  53. o Spec how to write the exit policies
  54. . Path selection algorithms
  55. o Choose path more incrementally
  56. - Let user request first/last node
  57. - And disallow certain nodes
  58. D Choose path by jurisdiction, etc?
  59. o Make relay end cells have failure status and payload attached
  60. X let non-approved routers handshake.
  61. - Dirserver shouldn't put you in running-routers list if you haven't
  62. uploaded a descriptor recently
  63. . migrate to using nickname rather than addr:port for routers
  64. o decide_aci_type
  65. - generate onion skins
  66. - circuit_send_next_onion_skin
  67. - circuit_extend
  68. - onion_generate_cpath
  69. - get_unique_aci_by_addr_port
  70. - circ->n_addr and circ->n_port
  71. - circuit_enumerate_by_naddr_nport
  72. - cpath layers
  73. - connection_or_connect
  74. - connection_exact_get_by_addr_port
  75. - connection_twin_get_by_addr_port
  76. - router_get_by_addr_port
  77. - connection_or_init_conn_from_router
  78. - tag_pack, tag_unpack, connection_cpu_process_inbuf
  79. - directory_initiate_command
  80. . Move from onions to ephemeral DH
  81. o incremental path building
  82. o transition circuit-level sendmes to hop-level sendmes
  83. o implement truncate, truncated
  84. o move from 192byte DH to 128byte DH, so it isn't so damn slow
  85. - exiting from not-last hop
  86. - OP logic to decide to extend/truncate a path
  87. - make sure exiting from the not-last hop works
  88. - logic to find last *open* hop, not last hop, in cpath
  89. o Remember address and port when beginning.
  90. - Extend by nickname/hostname/something, not by IP.
  91. - Need a relay teardown cell, separate from one-way ends.
  92. On-going
  93. . Better comments for functions!
  94. . Go through log messages, reduce confusing error messages.
  95. . make the logs include more info (fd, etc)
  96. . Unit tests
  97. Mid-term:
  98. - Rotate tls-level connections -- make new ones, expire old ones.
  99. So we get actual key rotation, not just symmetric key rotation
  100. - Are there anonymity issues with sequential streamIDs? Sequential
  101. circIDs? Eg an attacker can learn how many there have been.
  102. The fix is to initialize them randomly rather than at 1.
  103. - Look at having smallcells and largecells
  104. . Redo scheduler
  105. o fix SSL_read bug for buffered records
  106. - make round-robining more fair
  107. - What happens when a circuit's length is 1? What breaks?
  108. . streams / circuits
  109. o Implement streams
  110. o Rotate circuits after N minutes?
  111. X Circuits should expire when circuit->expire triggers
  112. NICK . Handle half-open connections
  113. o openssh is an application that uses half-open connections
  114. o Figure out what causes connections to close, standardize
  115. when we mark a connection vs when we tear it down
  116. o Look at what ssl does to keep from mutating data streams
  117. ARMA - Reduce streamid footprint from 7 bytes to 2 bytes
  118. - Check for collisions in streamid (now possible with
  119. just 2 bytes), and back up & replace with padding if so
  120. - Use the 3 saved bytes to put pseudorandomness in each relay cell
  121. - Use the 4 reserved bytes in each cell header to keep 1/5
  122. of a sha1 of the relay payload (move into stream header)
  123. - Move length into the stream header too
  124. - Spec the stream_id stuff. Clarify that nobody on the backward
  125. stream should look at stream_id.
  126. . Put CPU workers in separate processes
  127. o Handle multiple cpu workers (one for each cpu, plus one)
  128. o Queue for pending tasks if all workers full
  129. o Support the 'process this onion' task
  130. D Merge dnsworkers and cpuworkers to some extent
  131. - Handle cpuworkers dying
  132. . Scrubbing proxies
  133. - Find an smtp proxy?
  134. - Check the old smtp proxy code
  135. o Find an ftp proxy? wget --passive
  136. D Wait until there are packet redirectors for Linux
  137. . Get socks4a support into Mozilla
  138. . Develop rendezvous points
  139. SPEC!! - Handle socks commands other than connect, eg, bind?
  140. o Design
  141. - Spec
  142. - Implement
  143. - Tests
  144. o Testing harness/infrastructure
  145. D System tests (how?)
  146. - Performance tests, so we know when we've improved
  147. . webload infrastructure (Bruce)
  148. . httperf infrastructure (easy to set up)
  149. . oprofile (installed in RH >8.0)
  150. NICK . Daemonize and package
  151. o Teach it to fork and background
  152. - Red Hat spec file
  153. - Debian spec file equivalent
  154. . Portability
  155. . Which .h files are we actually using?
  156. . Port to:
  157. o Linux
  158. o BSD
  159. . Solaris
  160. o Cygwin
  161. . Win32
  162. o OS X
  163. - deal with pollhup / reached_eof on all platforms
  164. o openssl randomness
  165. o inet_ntoa
  166. . stdint.h
  167. - Make a script to set up a local network on your machine
  168. - More flexibility in node addressing
  169. D Support IPv6 rather than just 4
  170. - Handle multihomed servers (config variable to set IP)
  171. In the distant future:
  172. D Load balancing between router twins
  173. D Keep track of load over links/nodes, to
  174. know who's hosed
  175. SPEC!! D Non-clique topologies
  176. D Implement our own memory management, at least for common structs
  177. (Not ever necessary?)
  178. D Advanced directory servers
  179. D Automated reputation management
  180. SPEC!! D Figure out how to do threshold directory servers
  181. D jurisdiction info in dirserver entries? other info?
  182. Older (done) todo stuff:
  183. o Get tor to act like a socks server
  184. o socks4, socks4a
  185. o socks5
  186. o routers have identity key, link key, onion key.
  187. o link key certs are
  188. D signed by identity key
  189. D not in descriptor
  190. o not in config
  191. D not on disk
  192. o identity and onion keys are in descriptor (and disk)
  193. o upon boot, if it doesn't find identity key, generate it and write it.
  194. o also write a file with the identity key fingerprint in it
  195. o router generates descriptor: flesh out router_get_my_descriptor()
  196. o Routers sign descriptors with identity key
  197. o routers put version number in descriptor
  198. o routers should maybe have `uname -a` in descriptor?
  199. o Give nicknames to routers
  200. o in config
  201. o in descriptors
  202. o router posts descriptor
  203. o when it boots
  204. o every DirFetchPostPeriod seconds
  205. D when it changes
  206. o change tls stuff so certs don't get written to disk, or read from disk
  207. o make directory.c 'thread'safe
  208. o dirserver parses descriptor
  209. o dirserver checks signature
  210. D client checks signature?
  211. o dirserver writes directory to file
  212. o reads that file upon boot
  213. o directory includes all routers, up and down
  214. o add "up" line to directory, listing nicknames
  215. o instruments ORs to report stats
  216. o average cell fullness
  217. o average bandwidth used
  218. o configure log files. separate log file, separate severities.
  219. o what assumptions break if we fclose(0) when we daemonize?
  220. o make buffer struct elements opaque outside buffers.c
  221. o add log convention to the HACKING file
  222. o make 'make install' do the right thing
  223. o change binary name to tor
  224. o change config files so you look at commandline, else look in
  225. /etc/torrc. no cascading.
  226. o have an absolute datadir with fixed names for files, and fixed-name
  227. keydir under that with fixed names
  228. o Move (most of) the router/directory code out of main.c
  229. o Simple directory servers
  230. o Include key in source; sign directories
  231. o Signed directory backend
  232. o Document
  233. o Integrate
  234. o Add versions to code
  235. o Have directories list recommended-versions
  236. o Include line in directories
  237. o Check for presence of line.
  238. o Quit if running the wrong version
  239. o Command-line option to override quit
  240. o Add more information to directory server entries
  241. o Exit policies
  242. o Clearer bandwidth management
  243. o Do we want to remove bandwidth from OR handshakes?
  244. o What about OP handshakes?
  245. X Move away from openssl
  246. o Abstract out crypto calls
  247. X Look at nss, others? Just include code?
  248. o Use a stronger cipher
  249. o aes now, by including the code ourselves
  250. X On the fly compression of each stream
  251. o Clean up the event loop (optimize and sanitize)
  252. o Remove that awful concept of 'roles'
  253. o Terminology
  254. o Circuits, topics, cells stay named that
  255. o 'Connection' gets divided, or renamed, or something?
  256. o DNS farm
  257. o Distribute queries onto the farm, get answers
  258. o Preemptively grow a new worker before he's needed
  259. o Prune workers when too many are idle
  260. o DNS cache
  261. o Clear DNS cache over time
  262. D Honor DNS TTL info (how??)
  263. o Have strategy when all workers are busy
  264. o Keep track of which connections are in dns_wait
  265. o Need to cache positives/negatives on the tor side
  266. o Keep track of which queries have been asked
  267. o Better error handling when
  268. o An address doesn't resolve
  269. o We have max workers running
  270. o Consider taking the master out of the loop?
  271. X Implement reply onions
  272. o Total rate limiting
  273. o Look at OR handshake in more detail
  274. o Spec it
  275. o Merge OR and OP handshakes
  276. o rearrange connection_or so it doesn't suck so much to read
  277. D Periodic link key rotation. Spec?
  278. o wrap malloc with something that explodes when it fails
  279. o Clean up the number of places that get to look at prkey