From af6b6e3b8193b1ca734c8a0bbeeebbca69212e1f Mon Sep 17 00:00:00 2001 From: Roger Dingledine Date: Fri, 26 Jan 2007 02:08:53 +0000 Subject: [PATCH] 0.1.0 in all its detailed glory svn:r9412 --- ChangeLog | 809 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 468 insertions(+), 341 deletions(-) diff --git a/ChangeLog b/ChangeLog index 421230ae6f..4356a457d2 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1530,347 +1530,6 @@ Changes in version 0.1.0.11 - 2005-06-30 - The MAPADDRESS control command was broken. -Changes in version 0.1.0.10 - 2005-06-14 - o Fixes on Win32: - - Make NT services work and start on startup on Win32 (based on - patch by Matt Edman). See the FAQ entry for details. - - Make 'platform' string in descriptor more accurate for Win32 - servers, so it's not just "unknown platform". - - REUSEADDR on normal platforms means you can rebind to the port - right after somebody else has let it go. But REUSEADDR on Win32 - means you can bind to the port _even when somebody else already - has it bound_! So, don't do that on Win32. - - Clean up the log messages when starting on Win32 with no config - file. - - Allow seeding the RNG on Win32 even when you're not running as - Administrator. If seeding the RNG on Win32 fails, quit. - - o Assert / crash bugs: - - Refuse relay cells that claim to have a length larger than the - maximum allowed. This prevents a potential attack that could read - arbitrary memory (e.g. keys) from an exit server's process - (CVE-2005-2050). - - If unofficial Tor clients connect and send weird TLS certs, our - Tor server triggers an assert. Stop asserting, and start handling - TLS errors better in other situations too. - - Fix a race condition that can trigger an assert when we have a - pending create cell and an OR connection attempt fails. - - o Resource leaks: - - Use pthreads for worker processes rather than forking. This was - forced because when we forked, we ended up wasting a lot of - duplicate ram over time. - - Also switch to foo_r versions of some library calls to allow - reentry and threadsafeness. - - Implement --disable-threads configure option. Disable threads on - netbsd and openbsd by default, because they have no reentrant - resolver functions (!), and on solaris since it has other - threading issues. - - Fix possible bug on threading platforms (e.g. 
win32) which was - leaking a file descriptor whenever a cpuworker or dnsworker died. - - Fix a minor memory leak when somebody establishes an introduction - point at your Tor server. - - Fix possible memory leak in tor_lookup_hostname(). (Thanks to - Adam Langley.) - - Add ./configure --with-dmalloc option, to track memory leaks. - - And try to free all memory on closing, so we can detect what - we're leaking. - - o Protocol correctness: - - When we've connected to an OR and handshaked but didn't like - the result, we were closing the conn without sending destroy - cells back for pending circuits. Now send those destroys. - - Start sending 'truncated' cells back rather than destroy cells - if the circuit closes in front of you. This means we won't have - to abandon partially built circuits. - - Handle changed router status correctly when dirserver reloads - fingerprint file. We used to be dropping all unverified descriptors - right then. The bug was hidden because we would immediately - fetch a directory from another dirserver, which would include the - descriptors we just dropped. - - Revise tor-spec to add more/better stream end reasons. - - Revise all calls to connection_edge_end to avoid sending 'misc', - and to take errno into account where possible. - - Client now retries when streams end early for 'hibernating' or - 'resource limit' reasons, rather than failing them. - - Try to be more zealous about calling connection_edge_end when - things go bad with edge conns in connection.c. - - o Robustness improvements: - - Better handling for heterogeneous / unreliable nodes: - - Annotate circuits with whether they aim to contain high uptime - nodes and/or high capacity nodes. When building circuits, choose - appropriate nodes. - - This means that every single node in an intro rend circuit, - not just the last one, will have a minimum uptime. - - New config option LongLivedPorts to indicate application streams - that will want high uptime circuits. 
- - Servers reset uptime when a dir fetch entirely fails. This - hopefully reflects stability of the server's network connectivity. - - If somebody starts his tor server in Jan 2004 and then fixes his - clock, don't make his published uptime be a year. - - Reset published uptime when we wake up from hibernation. - - Introduce a notion of 'internal' circs, which are chosen without - regard to the exit policy of the last hop. Intro and rendezvous - circs must be internal circs, to avoid leaking information. Resolve - and connect streams can use internal circs if they want. - - New circuit pooling algorithm: keep track of what destination ports - we've used recently (start out assuming we'll want to use 80), and - make sure to have enough circs around to satisfy these ports. Also - make sure to have 2 internal circs around if we've required internal - circs lately (and with high uptime if we've seen that lately too). - - Turn addr_policy_compare from a tristate to a quadstate; this should - help address our "Ah, you allow 1.2.3.4:80. You are a good choice - for google.com" problem. - - When a client asks us for a dir mirror and we don't have one, - launch an attempt to get a fresh one. - - First cut at support for "create-fast" cells. Clients can use - these when extending to their first hop, since the TLS already - provides forward secrecy and authentication. Not enabled on - clients yet. - - o Reachability testing. - - Your Tor server will automatically try to see if its ORPort and - DirPort are reachable from the outside, and it won't upload its - descriptor until it decides at least ORPort is reachable (when - DirPort is not yet found reachable, publish it as zero). - - When building testing circs for ORPort testing, use only - high-bandwidth nodes, so fewer circuits fail. - - Notice when our IP changes, and reset stats/uptime/reachability. 
- - Authdirservers don't do ORPort reachability detection, since - they're in clique mode, so it will be rare to find a server not - already connected to them. - - Authdirservers now automatically approve nodes running 0.1.0.2-rc - or later. - - o Dirserver fixes: - - Now we allow two unverified servers with the same nickname - but different keys. But if a nickname is verified, only that - nickname+key are allowed. - - If you're an authdirserver connecting to an address:port, - and it's not the OR you were expecting, forget about that - descriptor. If he *was* the one you were expecting, then forget - about all other descriptors for that address:port. - - Allow servers to publish descriptors from 12 hours in the future. - Corollary: only whine about clock skew from the dirserver if - he's a trusted dirserver (since now even verified servers could - have quite wrong clocks). - - Require servers that use the default dirservers to have public IP - addresses. We have too many servers that are configured with private - IPs and their admins never notice the log entries complaining that - their descriptors are being rejected. - - o Efficiency improvements: - - Use libevent. Now we can use faster async cores (like epoll, kpoll, - and /dev/poll), and hopefully work better on Windows too. - - Apple's OS X 10.4.0 ships with a broken kqueue API, and using - kqueue on 10.3.9 causes kernel panics. Don't use kqueue on OS X. - - Find libevent even if it's hiding in /usr/local/ and your - CFLAGS and LDFLAGS don't tell you to look there. - - Be able to link with libevent as a shared library (the default - after 1.0d), even if it's hiding in /usr/local/lib and even - if you haven't added /usr/local/lib to your /etc/ld.so.conf, - assuming you're running gcc. Otherwise fail and give a useful - error message. - - Switch to a new buffer management algorithm, which tries to avoid - reallocing and copying quite as much. 
In first tests it looks like - it uses *more* memory on average, but less cpu. - - Switch our internal buffers implementation to use a ring buffer, - to hopefully improve performance for fast servers a lot. - - Reenable the part of the code that tries to flush as soon as an - OR outbuf has a full TLS record available. Perhaps this will make - OR outbufs not grow as huge except in rare cases, thus saving lots - of CPU time plus memory. - - Improve performance for dirservers: stop re-parsing the whole - directory every time you regenerate it. - - Keep a big splay tree of (circid,orconn)->circuit mappings to make - it much faster to look up a circuit for each relay cell. - - Remove most calls to assert_all_pending_dns_resolves_ok(), - since they're eating our cpu on exit nodes. - - Stop wasting time doing a case insensitive comparison for every - dns name every time we do any lookup. Canonicalize the names to - lowercase when you first see them. - - o Hidden services: - - Handle unavailable hidden services better. Handle slow or busy - hidden services better. - - Cannibalize GENERAL circs to be C_REND, C_INTRO, S_INTRO, and S_REND - circ as necessary, if there are any completed ones lying around - when we try to launch one. - - Make hidden services try to establish a rendezvous for 30 seconds - after fetching the descriptor, rather than for n (where n=3) - attempts to build a circuit. - - Adjust maximum skew and age for rendezvous descriptors: let skew - be 48 hours rather than 90 minutes. - - Reject malformed .onion addresses rather then passing them on as - normal web requests. - - o Controller: - - More Tor controller support. See - http://tor.eff.org/doc/control-spec.txt for all the new features, - including signals to emulate unix signals from any platform; - redirectstream; extendcircuit; mapaddress; getinfo; postdescriptor; - closestream; closecircuit; etc. 
- - Encode hashed controller passwords in hex instead of base64, - to make it easier to write controllers. - - Revise control spec and implementation to allow all log messages to - be sent to controller with their severities intact (suggested by - Matt Edman). Disable debug-level logs while delivering a debug-level - log to the controller, to prevent loop. Update TorControl to handle - new log event types. - - o New config options/defaults: - - Begin scrubbing sensitive strings from logs by default. Turn off - the config option SafeLogging if you need to do debugging. - - New exit policy: accept most low-numbered ports, rather than - rejecting most low-numbered ports. - - Put a note in the torrc about abuse potential with the default - exit policy. - - Add support for CONNECTing through https proxies, with "HttpsProxy" - config option. - - Add HttpProxyAuthenticator and HttpsProxyAuthenticator support - based on patch from Adam Langley (basic auth only). - - Bump the default BandwidthRate from 1 MB to 2 MB, to accommodate - the fast servers that have been joining lately. (Clients are now - willing to load balance over up to 2 MB of advertised bandwidth - capacity too.) - - New config option MaxAdvertisedBandwidth which lets you advertise - a low bandwidthrate (to not attract as many circuits) while still - allowing a higher bandwidthrate in reality. - - Require BandwidthRate to be at least 20kB/s for servers. - - Add a NoPublish config option, so you can be a server (e.g. for - testing running Tor servers in other Tor networks) without - publishing your descriptor to the primary dirservers. - - Add a new AddressMap config directive to rewrite incoming socks - addresses. This lets you, for example, declare an implicit - required exit node for certain sites. - - Add a new TrackHostExits config directive to trigger addressmaps - for certain incoming socks addresses -- for sites that break when - your exit keeps changing (based on patch from Mike Perry). 
- - Split NewCircuitPeriod option into NewCircuitPeriod (30 secs), - which describes how often we retry making new circuits if current - ones are dirty, and MaxCircuitDirtiness (10 mins), which describes - how long we're willing to make use of an already-dirty circuit. - - Change compiled-in SHUTDOWN_WAIT_LENGTH from a fixed 30 secs to - a config option "ShutdownWaitLength" (when using kill -INT on - servers). - - Fix an edge case in parsing config options: if they say "--" - on the commandline, it's not a config option (thanks weasel). - - New config option DirAllowPrivateAddresses for authdirservers. - Now by default they refuse router descriptors that have non-IP or - private-IP addresses. - - Change DirFetchPeriod/StatusFetchPeriod to have a special "Be - smart" default value: low for servers and high for clients. - - Some people were putting "Address " in their torrc, and they had - a buggy resolver that resolved " " to 0.0.0.0. Oops. - - If DataDir is ~/.tor, and that expands to /.tor, then default to - LOCALSTATEDIR/tor instead. - - Implement --verify-config command-line option to check if your torrc - is valid without actually launching Tor. - - o Logging improvements: - - When dirservers refuse a server descriptor, we now log its - contactinfo, platform, and the poster's IP address. - - Only warn once per nickname from add_nickname_list_to_smartlist() - per failure, so an entrynode or exitnode choice that's down won't - yell so much. - - When we're connecting to an OR and he's got a different nickname/key - than we were expecting, only complain loudly if we're an OP or a - dirserver. Complaining loudly to the OR admins just confuses them. - - Whine at you if you're a server and you don't set your contactinfo. - - Warn when exit policy implicitly allows local addresses. - - Give a better warning when some other server advertises an - ORPort that is actually an apache running ssl. 
- - If we get an incredibly skewed timestamp from a dirserver mirror - that isn't a verified OR, don't warn -- it's probably him that's - wrong. - - When a dirserver causes you to give a warn, mention which dirserver - it was. - - Initialize libevent later in the startup process, so the logs are - already established by the time we start logging libevent warns. - - Use correct errno on win32 if libevent fails. - - Check and warn about known-bad/slow libevent versions. - - Stop warning about sigpipes in the logs. We're going to - pretend that getting these occassionally is normal and fine. - - o New contrib scripts: - - New experimental script tor/contrib/exitlist: a simple python - script to parse directories and find Tor nodes that exit to listed - addresses/ports. - - New experimental script tor/contrib/ExerciseServer.py (needs more - work) that uses the controller interface to build circuits and - fetch pages over them. This will help us bootstrap servers that - have lots of capacity but haven't noticed it yet. - - New experimental script tor/contrib/PathDemo.py (needs more work) - that uses the controller interface to let you choose whole paths - via addresses like - "...path" - - New contributed script "privoxy-tor-toggle" to toggle whether - Privoxy uses Tor. Seems to be configured for Debian by default. - - Have torctl.in/tor.sh.in check for location of su binary (needed - on FreeBSD) - - o Misc bugfixes: - - chdir() to your datadirectory at the *end* of the daemonize process, - not the beginning. This was a problem because the first time you - run tor, if your datadir isn't there, and you have runasdaemon set - to 1, it will try to chdir to it before it tries to create it. Oops. - - Fix several double-mark-for-close bugs, e.g. where we were finding - a conn for a cell even if that conn is already marked for close. - - Stop most cases of hanging up on a socks connection without sending - the socks reject. 
- - Fix a bug in the RPM package: set home directory for _tor to - something more reasonable when first installing. - - Stop putting nodename in the Platform string in server descriptors. - It doesn't actually help, and it is confusing/upsetting some people. - - When using preferred entry or exit nodes, ignore whether the - circuit wants uptime or capacity. They asked for the nodes, they - get the nodes. - - Tie MAX_DIR_SIZE to MAX_BUF_SIZE, so now directory sizes won't get - artificially capped at 500kB. - - Cache local dns resolves correctly even when they're .exit - addresses. - - If we're hibernating and we get a SIGINT, exit immediately. - - tor-resolve requests were ignoring .exit if there was a working circuit - they could use instead. - - Pay more attention to the ClientOnly config option. - - Resolve OS X installer bugs: stop claiming to be 0.0.9.2 in certain - installer screens; and don't put stuff into StartupItems unless - the user asks you to. - - o Misc features: - - Rewrite address "serifos.exit" to "externalIP.serifos.exit" - rather than just rejecting it. - - If our clock jumps forward by 100 seconds or more, assume something - has gone wrong with our network and abandon all not-yet-used circs. - - When an application is using socks5, give him the whole variety of - potential socks5 responses (connect refused, host unreachable, etc), - rather than just "success" or "failure". - - A more sane version numbering system. See - http://tor.eff.org/cvs/tor/doc/version-spec.txt for details. - - Change version parsing logic: a version is "obsolete" if it is not - recommended and (1) there is a newer recommended version in the - same series, or (2) there are no recommended versions in the same - series, but there are some recommended versions in a newer series. - A version is "new" if it is newer than any recommended version in - the same series. 
- - Report HTTP reasons to client when getting a response from directory - servers -- so you can actually know what went wrong. - - Reject odd-looking addresses at the client (e.g. addresses that - contain a colon), rather than having the server drop them because - they're malformed. - - Stop publishing socksport in the directory, since it's not - actually meant to be public. For compatibility, publish a 0 there - for now. - - Since we ship our own Privoxy on OS X, tweak it so it doesn't write - cookies to disk and doesn't log each web request to disk. (Thanks - to Brett Carrington for pointing this out.) - - Add OSX uninstall instructions. An actual uninstall script will - come later. - - Add "opt hibernating 1" to server descriptor to make it clearer - whether the server is hibernating. - - Changes in version 0.0.9.10 - 2005-06-16 o Bugfixes on 0.0.9.x (backported from 0.1.0.10): - Refuse relay cells that claim to have a length larger than the 
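Review bot: several items of the deleted consolidated 0.1.0.10 entry have no counterpart in the per-release entries added by the later hunks of this patch: the Win32 NT-service support (patch by Matt Edman), the switch of cpu/dns workers from forking to pthreads, the ./configure --with-dmalloc option, the LongLivedPorts, AddressMap, TrackHostExits, MaxAdvertisedBandwidth, HttpsProxy, DirAllowPrivateAddresses and ShutdownWaitLength options, the internal-circuit and circuit-pooling changes, and the list of new controller commands. They presumably belong to a 0.1.0.1-rc entry outside the hunks shown (the header counts 468 insertions while the visible hunks add 163+98+48); please confirm that entry is present in the full patch, otherwise these user-visible changes disappear from the ChangeLog.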
@@ -1879,6 +1538,169 @@ Changes in version 0.0.9.10 - 2005-06-16 (CVE-2005-2050). +Changes in version 0.1.0.10 - 2005-06-14 + o Allow a few EINVALs from libevent before dying. Warn on kqueue with + libevent before 1.1a. + + +Changes in version 0.1.0.9-rc - 2005-06-09 + o Bugfixes: + - Reset buf->highwater every time buf_shrink() is called, not just on + a successful shrink. This was causing significant memory bloat. + - Fix buffer overflow when checking hashed passwords. + - Security fix: if seeding the RNG on Win32 fails, quit. + - Allow seeding the RNG on Win32 even when you're not running as + Administrator. + - Disable threading on Solaris too. Something is wonky with it, + cpuworkers, and reentrant libs. + - Reenable the part of the code that tries to flush as soon as an + OR outbuf has a full TLS record available. Perhaps this will make + OR outbufs not grow as huge except in rare cases, thus saving lots + of CPU time plus memory. + - Reject malformed .onion addresses rather then passing them on as + normal web requests. + - Adapt patch from Adam Langley: fix possible memory leak in + tor_lookup_hostname(). + - Initialize libevent later in the startup process, so the logs are + already established by the time we start logging libevent warns. + - Use correct errno on win32 if libevent fails. + - Check and warn about known-bad/slow libevent versions. + - Pay more attention to the ClientOnly config option. + - Have torctl.in/tor.sh.in check for location of su binary (needed + on FreeBSD) + - Correct/add man page entries for LongLivedPorts, ExitPolicy, + KeepalivePeriod, ClientOnly, NoPublish, HttpProxy, HttpsProxy, + HttpProxyAuthenticator + - Stop warning about sigpipes in the logs. We're going to + pretend that getting these occassionally is normal and fine. + - Resolve OS X installer bugs: stop claiming to be 0.0.9.2 in + certain + installer screens; and don't put stuff into StartupItems unless + the user asks you to. 
+ - Require servers that use the default dirservers to have public IP + addresses. We have too many servers that are configured with private + IPs and their admins never notice the log entries complaining that + their descriptors are being rejected. + - Add OSX uninstall instructions. An actual uninstall script will + come later. + + +Changes in version 0.1.0.8-rc - 2005-05-23 + o Bugfixes: + - It turns out that kqueue on OS X 10.3.9 was causing kernel + panics. Disable kqueue on all OS X Tors. + - Fix RPM: remove duplicate line accidentally added to the rpm + spec file. + - Disable threads on openbsd too, since its gethostaddr is not + reentrant either. + - Tolerate libevent 0.8 since it still works, even though it's + ancient. + - Enable building on Red Hat 9.0 again. + - Allow the middle hop of the testing circuit to be running any + version, now that most of them have the bugfix to let them connect + to unknown servers. This will allow reachability testing to work + even when 0.0.9.7-0.0.9.9 become obsolete. + - Handle relay cells with rh.length too large. This prevents + a potential attack that could read arbitrary memory (maybe even + keys) from the exit server's process. + - We screwed up the dirport reachability testing when we don't yet + have a cached version of the directory. Hopefully now fixed. + - Clean up router_load_single_router() (used by the controller), + so it doesn't seg fault on error. + - Fix a minor memory leak when somebody establishes an introduction + point at your Tor server. + - If a socks connection ends because read fails, don't warn that + you're not sending a socks reply back. + + o Features: + - Add HttpProxyAuthenticator config option too, that works like + the HttpsProxyAuthenticator config option. + - Encode hashed controller passwords in hex instead of base64, + to make it easier to write controllers. 
+ + +Changes in version 0.1.0.7-rc - 2005-05-17 + o Bugfixes: + - Fix a bug in the OS X package installer that prevented it from + installing on Tiger. + - Fix a script bug in the OS X package installer that made it + complain during installation. + - Find libevent even if it's hiding in /usr/local/ and your + CFLAGS and LDFLAGS don't tell you to look there. + - Be able to link with libevent as a shared library (the default + after 1.0d), even if it's hiding in /usr/local/lib and even + if you haven't added /usr/local/lib to your /etc/ld.so.conf, + assuming you're running gcc. Otherwise fail and give a useful + error message. + - Fix a bug in the RPM packager: set home directory for _tor to + something more reasonable when first installing. + - Free a minor amount of memory that is still reachable on exit. + + +Changes in version 0.1.0.6-rc - 2005-05-14 + o Bugfixes: + - Implement --disable-threads configure option. Disable threads on + netbsd by default, because it appears to have no reentrant resolver + functions. + - Apple's OS X 10.4.0 ships with a broken kqueue. The new libevent + release (1.1) detects and disables kqueue if it's broken. + - Append default exit policy before checking for implicit internal + addresses. Now we don't log a bunch of complaints on startup + when using the default exit policy. + - Some people were putting "Address " in their torrc, and they had + a buggy resolver that resolved " " to 0.0.0.0. Oops. + - If DataDir is ~/.tor, and that expands to /.tor, then default to + LOCALSTATEDIR/tor instead. + - Fix fragmented-message bug in TorControl.py. + - Resolve a minor bug which would prevent unreachable dirports + from getting suppressed in the published descriptor. + - When the controller gave us a new descriptor, we weren't resolving + it immediately, so Tor would think its address was 0.0.0.0 until + we fetched a new directory. + - Fix an uppercase/lowercase case error in suppressing a bogus + libevent warning on some Linuxes. 
+ + o Features: + - Begin scrubbing sensitive strings from logs by default. Turn off + the config option SafeLogging if you need to do debugging. + - Switch to a new buffer management algorithm, which tries to avoid + reallocing and copying quite as much. In first tests it looks like + it uses *more* memory on average, but less cpu. + - First cut at support for "create-fast" cells. Clients can use + these when extending to their first hop, since the TLS already + provides forward secrecy and authentication. Not enabled on + clients yet. + - When dirservers refuse a router descriptor, we now log its + contactinfo, platform, and the poster's IP address. + - Call tor_free_all instead of connections_free_all after forking, to + save memory on systems that need to fork. + - Whine at you if you're a server and you don't set your contactinfo. + - Implement --verify-config command-line option to check if your torrc + is valid without actually launching Tor. + - Rewrite address "serifos.exit" to "localhost.serifos.exit" + rather than just rejecting it. + + +Changes in version 0.1.0.5-rc - 2005-04-27 + o Bugfixes: + - Stop trying to print a null pointer if an OR conn fails because + we didn't like its cert. + o Features: + - Switch our internal buffers implementation to use a ring buffer, + to hopefully improve performance for fast servers a lot. + - Add HttpsProxyAuthenticator support (basic auth only), based + on patch from Adam Langley. + - Bump the default BandwidthRate from 1 MB to 2 MB, to accommodate + the fast servers that have been joining lately. + - Give hidden service accesses extra time on the first attempt, + since 60 seconds is often only barely enough. This might improve + robustness more. + - Improve performance for dirservers: stop re-parsing the whole + directory every time you regenerate it. + - Add more debugging info to help us find the weird dns freebsd + pthreads bug; cleaner debug messages to help track future issues. 
+ + Changes in version 0.0.9.9 - 2005-04-23 o Bugfixes on 0.0.9.x: - If unofficial Tor clients connect and send weird TLS certs, our 
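Review bot: the CVE reference is lost in the new 0.1.0.8-rc entry: "Handle relay cells with rh.length too large. This prevents a potential attack that could read arbitrary memory" no longer carries the (CVE-2005-2050) tag that both the deleted consolidated entry and the adjacent 0.0.9.10 entry have; add the identifier so the two entries for the same fix can be matched to the advisory. Also, the 0.1.0.6-rc Features item says "serifos.exit" is rewritten to "localhost.serifos.exit", whereas the deleted entry said "externalIP.serifos.exit"; one of the two is wrong and should be checked against the code before this lands. Minor: "rather then passing them on" should be "rather than", "occassionally" should be "occasionally", and in the 0.1.0.9-rc OS X installer item the word "certain" has been left alone on its own line.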
@@ -1886,6 +1708,104 @@ Changes in version 0.0.9.9 - 2005-04-23 backport from the broader fix that we put into 0.1.0.4-rc. +Changes in version 0.1.0.4-rc - 2005-04-23 + o Bugfixes: + - If unofficial Tor clients connect and send weird TLS certs, our + Tor server triggers an assert. Stop asserting, and start handling + TLS errors better in other situations too. + - When the controller asks us to tell it about all the debug-level + logs, it turns out we were generating debug-level logs while + telling it about them, which turns into a bad loop. Now keep + track of whether you're sending a debug log to the controller, + and don't log when you are. + - Fix the "postdescriptor" feature of the controller interface: on + non-complete success, only say "done" once. + o Features: + - Clients are now willing to load balance over up to 2mB, not 1mB, + of advertised bandwidth capacity. + - Add a NoPublish config option, so you can be a server (e.g. for + testing running Tor servers in other Tor networks) without + publishing your descriptor to the primary dirservers. + + +Changes in version 0.1.0.3-rc - 2005-04-08 + o Improvements on 0.1.0.2-rc: + - Client now retries when streams end early for 'hibernating' or + 'resource limit' reasons, rather than failing them. + - More automated handling for dirserver operators: + - Automatically approve nodes running 0.1.0.2-rc or later, + now that the the reachability detection stuff is working. + - Now we allow two unverified servers with the same nickname + but different keys. But if a nickname is verified, only that + nickname+key are allowed. + - If you're an authdirserver connecting to an address:port, + and it's not the OR you were expecting, forget about that + descriptor. If he *was* the one you were expecting, then forget + about all other descriptors for that address:port. + - Allow servers to publish descriptors from 12 hours in the future. 
+ Corollary: only whine about clock skew from the dirserver if + he's a trusted dirserver (since now even verified servers could + have quite wrong clocks). + - Adjust maximum skew and age for rendezvous descriptors: let skew + be 48 hours rather than 90 minutes. + - Efficiency improvements: + - Keep a big splay tree of (circid,orconn)->circuit mappings to make + it much faster to look up a circuit for each relay cell. + - Remove most calls to assert_all_pending_dns_resolves_ok(), + since they're eating our cpu on exit nodes. + - Stop wasting time doing a case insensitive comparison for every + dns name every time we do any lookup. Canonicalize the names to + lowercase and be done with it. + - Start sending 'truncated' cells back rather than destroy cells, + if the circuit closes in front of you. This means we won't have + to abandon partially built circuits. + - Only warn once per nickname from add_nickname_list_to_smartlist + per failure, so an entrynode or exitnode choice that's down won't + yell so much. + - Put a note in the torrc about abuse potential with the default + exit policy. + - Revise control spec and implementation to allow all log messages to + be sent to controller with their severities intact (suggested by + Matt Edman). Update TorControl to handle new log event types. + - Provide better explanation messages when controller's POSTDESCRIPTOR + fails. + - Stop putting nodename in the Platform string in server descriptors. + It doesn't actually help, and it is confusing/upsetting some people. + + o Bugfixes on 0.1.0.2-rc: + - We were printing the host mask wrong in exit policies in server + descriptors. This isn't a critical bug though, since we were still + obeying the exit policy internally. + - Fix Tor when compiled with libevent but without pthreads: move + connection_unregister() from _connection_free() to + connection_free(). 
+ - Fix an assert trigger (already fixed in 0.0.9.x): when we have + the rare mysterious case of accepting a conn on 0.0.0.0:0, then + when we look through the connection array, we'll find any of the + cpu/dnsworkers. This is no good. + + o Bugfixes on 0.0.9.8: + - Fix possible bug on threading platforms (e.g. win32) which was + leaking a file descriptor whenever a cpuworker or dnsworker died. + - When using preferred entry or exit nodes, ignore whether the + circuit wants uptime or capacity. They asked for the nodes, they + get the nodes. + - chdir() to your datadirectory at the *end* of the daemonize process, + not the beginning. This was a problem because the first time you + run tor, if your datadir isn't there, and you have runasdaemon set + to 1, it will try to chdir to it before it tries to create it. Oops. + - Handle changed router status correctly when dirserver reloads + fingerprint file. We used to be dropping all unverified descriptors + right then. The bug was hidden because we would immediately + fetch a directory from another dirserver, which would include the + descriptors we just dropped. + - When we're connecting to an OR and he's got a different nickname/key + than we were expecting, only complain loudly if we're an OP or a + dirserver. Complaining loudly to the OR admins just confuses them. + - Tie MAX_DIR_SIZE to MAX_BUF_SIZE, so now directory sizes won't get + artificially capped at 500kB. + + Changes in version 0.0.9.8 - 2005-04-07 o Bugfixes on 0.0.9.x: - We have a bug that I haven't found yet. Sometimes, very rarely, 
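Review bot: the bandwidth unit in the 0.1.0.4-rc Features item is wrong: "up to 2mB, not 1mB" should read "2 MB, not 1 MB" (megabytes), matching "from 1 MB to 2 MB" in the 0.1.0.5-rc entry; "mB" reads as millibytes. Minor: "now that the the reachability detection stuff" has a doubled "the".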
@@ -1895,6 +1815,54 @@ Changes in version 0.0.9.8 - 2005-04-07 busy for more than 100 seconds. +Changes in version 0.1.0.2-rc - 2005-04-01 + o Bugfixes on 0.1.0.1-rc: + - Fixes on reachability detection: + - Don't check for reachability while hibernating. + - If ORPort is reachable but DirPort isn't, still publish the + descriptor, but zero out DirPort until it's found reachable. + - When building testing circs for ORPort testing, use only + high-bandwidth nodes, so fewer circuits fail. + - Complain about unreachable ORPort separately from unreachable + DirPort, so the user knows what's going on. + - Make sure we only conclude ORPort reachability if we didn't + initiate the conn. Otherwise we could falsely conclude that + we're reachable just because we connected to the guy earlier + and he used that same pipe to extend to us. + - Authdirservers shouldn't do ORPort reachability detection, + since they're in clique mode, so it will be rare to find a + server not already connected to them. + - When building testing circuits, always pick middle hops running + Tor 0.0.9.7, so we avoid the "can't extend to unknown routers" + bug. (This is a kludge; it will go away when 0.0.9.x becomes + obsolete.) + - When we decide we're reachable, actually publish our descriptor + right then. + - Fix bug in redirectstream in the controller. + - Fix the state descriptor strings so logs don't claim edge streams + are in a different state than they actually are. + - Use recent libevent features when possible (this only really affects + win32 and osx right now, because the new libevent with these + features hasn't been released yet). Add code to suppress spurious + libevent log msgs. + - Prevent possible segfault in connection_close_unattached_ap(). + - Fix newlines on torrc in win32. + - Improve error msgs when tor-resolve fails. 
+ + o Improvements on 0.0.9.x: + - New experimental script tor/contrib/ExerciseServer.py (needs more + work) that uses the controller interface to build circuits and + fetch pages over them. This will help us bootstrap servers that + have lots of capacity but haven't noticed it yet. + - New experimental script tor/contrib/PathDemo.py (needs more work) + that uses the controller interface to let you choose whole paths + via addresses like + "...path" + - When we've connected to an OR and handshaked but didn't like + the result, we were closing the conn without sending destroy + cells back for pending circuits. Now send those destroys. + + Changes in version 0.0.9.7 - 2005-04-01 o Bugfixes on 0.0.9.x: - Fix another race crash bug (thanks to Glenn Fink for reporting). 
@@ -1908,6 +1876,165 @@ Changes in version 0.0.9.7 - 2005-04-01 in 0.1.0.x). +Changes in version 0.1.0.1-rc - 2005-03-28 + o New features: + - Add reachability testing. Your Tor server will automatically try + to see if its ORPort and DirPort are reachable from the outside, + and it won't upload its descriptor until it decides they are. + - Handle unavailable hidden services better. Handle slow or busy + hidden services better. + - Add support for CONNECTing through https proxies, with "HttpsProxy" + config option. + - New exit policy: accept most low-numbered ports, rather than + rejecting most low-numbered ports. + - More Tor controller support (still experimental). See + http://tor.eff.org/doc/control-spec.txt for all the new features, + including signals to emulate unix signals from any platform; + redirectstream; extendcircuit; mapaddress; getinfo; postdescriptor; + closestream; closecircuit; etc. + - Make nt services work and start on startup on win32 (based on + patch by Matt Edman). + - Add a new AddressMap config directive to rewrite incoming socks + addresses. This lets you, for example, declare an implicit + required exit node for certain sites. + - Add a new TrackHostExits config directive to trigger addressmaps + for certain incoming socks addresses -- for sites that break when + your exit keeps changing (based on patch by Mike Perry). + - Redo the client-side dns cache so it's just an addressmap too. + - Notice when our IP changes, and reset stats/uptime/reachability. + - When an application is using socks5, give him the whole variety of + potential socks5 responses (connect refused, host unreachable, etc), + rather than just "success" or "failure". + - A more sane version numbering system. See + http://tor.eff.org/cvs/tor/doc/version-spec.txt for details. + - New contributed script "exitlist": a simple python script to + parse directories and find Tor nodes that exit to listed + addresses/ports. 
+ - New contributed script "privoxy-tor-toggle" to toggle whether + Privoxy uses Tor. Seems to be configured for Debian by default. + - Report HTTP reasons to client when getting a response from directory + servers -- so you can actually know what went wrong. + - New config option MaxAdvertisedBandwidth which lets you advertise + a low bandwidthrate (to not attract as many circuits) while still + allowing a higher bandwidthrate in reality. + + o Robustness/stability fixes: + - Make Tor use Niels Provos's libevent instead of its current + poll-but-sometimes-select mess. This will let us use faster async + cores (like epoll, kpoll, and /dev/poll), and hopefully work better + on Windows too. + - pthread support now too. This was forced because when we forked, + we ended up wasting a lot of duplicate ram over time. Also switch + to foo_r versions of some library calls to allow reentry and + threadsafeness. + - Better handling for heterogeneous / unreliable nodes: + - Annotate circuits w/ whether they aim to contain high uptime nodes + and/or high capacity nodes. When building circuits, choose + appropriate nodes. + - This means that every single node in an intro rend circuit, + not just the last one, will have a minimum uptime. + - New config option LongLivedPorts to indicate application streams + that will want high uptime circuits. + - Servers reset uptime when a dir fetch entirely fails. This + hopefully reflects stability of the server's network connectivity. + - If somebody starts his tor server in Jan 2004 and then fixes his + clock, don't make his published uptime be a year. + - Reset published uptime when you wake up from hibernation. + - Introduce a notion of 'internal' circs, which are chosen without + regard to the exit policy of the last hop. Intro and rendezvous + circs must be internal circs, to avoid leaking information. Resolve + and connect streams can use internal circs if they want. 
+ - New circuit pooling algorithm: make sure to have enough circs around + to satisfy any predicted ports, and also make sure to have 2 internal + circs around if we've required internal circs lately (and with high + uptime if we've seen that lately too). + - Split NewCircuitPeriod option into NewCircuitPeriod (30 secs), + which describes how often we retry making new circuits if current + ones are dirty, and MaxCircuitDirtiness (10 mins), which describes + how long we're willing to make use of an already-dirty circuit. + - Cannibalize GENERAL circs to be C_REND, C_INTRO, S_INTRO, and S_REND + circ as necessary, if there are any completed ones lying around + when we try to launch one. + - Make hidden services try to establish a rendezvous for 30 seconds, + rather than for n (where n=3) attempts to build a circuit. + - Change SHUTDOWN_WAIT_LENGTH from a fixed 30 secs to a config option + "ShutdownWaitLength". + - Try to be more zealous about calling connection_edge_end when + things go bad with edge conns in connection.c. + - Revise tor-spec to add more/better stream end reasons. + - Revise all calls to connection_edge_end to avoid sending "misc", + and to take errno into account where possible. + + o Bug fixes: + - Fix a race condition that can trigger an assert, when we have a + pending create cell and an OR connection fails right then. + - Fix several double-mark-for-close bugs, e.g. where we were finding + a conn for a cell even if that conn is already marked for close. + - Make sequence of log messages when starting on win32 with no config + file more reasonable. + - When choosing an exit node for a new non-internal circ, don't take + into account whether it'll be useful for any pending x.onion + addresses -- it won't. + - Turn addr_policy_compare from a tristate to a quadstate; this should + help address our "Ah, you allow 1.2.3.4:80. You are a good choice + for google.com" problem. 
+ - Make "platform" string in descriptor more accurate for Win32 servers, + so it's not just "unknown platform". + - Fix an edge case in parsing config options (thanks weasel). + If they say "--" on the commandline, it's not an option. + - Reject odd-looking addresses at the client (e.g. addresses that + contain a colon), rather than having the server drop them because + they're malformed. + - tor-resolve requests were ignoring .exit if there was a working circuit + they could use instead. + - REUSEADDR on normal platforms means you can rebind to the port + right after somebody else has let it go. But REUSEADDR on win32 + means to let you bind to the port _even when somebody else + already has it bound_! So, don't do that on Win32. + - Change version parsing logic: a version is "obsolete" if it is not + recommended and (1) there is a newer recommended version in the + same series, or (2) there are no recommended versions in the same + series, but there are some recommended versions in a newer series. + A version is "new" if it is newer than any recommended version in + the same series. + - Stop most cases of hanging up on a socks connection without sending + the socks reject. + + o Helpful fixes: + - Require BandwidthRate to be at least 20kB/s for servers. + - When a dirserver causes you to give a warn, mention which dirserver + it was. + - New config option DirAllowPrivateAddresses for authdirservers. + Now by default they refuse router descriptors that have non-IP or + private-IP addresses. + - Stop publishing socksport in the directory, since it's not + actually meant to be public. For compatibility, publish a 0 there + for now. + - Change DirFetchPeriod/StatusFetchPeriod to have a special "Be + smart" value, that is low for servers and high for clients. + - If our clock jumps forward by 100 seconds or more, assume something + has gone wrong with our network and abandon all not-yet-used circs. + - Warn when exit policy implicitly allows local addresses. 
+ - If we get an incredibly skewed timestamp from a dirserver mirror + that isn't a verified OR, don't warn -- it's probably him that's + wrong. + - Since we ship our own Privoxy on OS X, tweak it so it doesn't write + cookies to disk and doesn't log each web request to disk. (Thanks + to Brett Carrington for pointing this out.) + - When a client asks us for a dir mirror and we don't have one, + launch an attempt to get a fresh one. + - If we're hibernating and we get a SIGINT, exit immediately. + - Add --with-dmalloc ./configure option, to track memory leaks. + - And try to free all memory on closing, so we can detect what + we're leaking. + - Cache local dns resolves correctly even when they're .exit + addresses. + - Give a better warning when some other server advertises an + ORPort that is actually an apache running ssl. + - Add "opt hibernating 1" to server descriptor to make it clearer + whether the server is hibernating. + + Changes in version 0.0.9.6 - 2005-03-24 o Bugfixes on 0.0.9.x (crashes and asserts): - Add new end stream reasons to maintainance branch. Fix bug where
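Review bot: in the first block of added entries (the one ending with the "Bugfixes on 0.0.9.8" subsection), "Fix an assert trigger (already fixed in 0.0.9.x)" should name the 0.0.9.x release that carried the fix; as written, a reader on the 0.0.9 line cannot tell whether their build still accepts a conn on 0.0.0.0:0 and hits the assert. In the same block, "Adjust maximum skew and age for rendezvous descriptors: let skew be 48 hours rather than 90 minutes" widens a time-based acceptance window considerably without saying why; a one-line reason, as the dirserver clock-skew entry just above it gives, would help anyone later auditing how stale a rendezvous descriptor may be and still be accepted.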
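Review bot: in the 0.1.0.2-rc hunk the PathDemo.py entry ends with the address example reading only "...path", so the example address syntax has been lost; restore the full example (or drop the "via addresses like" clause), since this entry is the only place that syntax is documented. Also, "Use recent libevent features when possible ... the new libevent with these features hasn't been released yet" gives packagers nothing to act on; state which libevent version enables the new behaviour and the spurious-log suppression on win32 and osx.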
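Review bot: the 0.1.0.1-rc hunk is inconsistent in naming: "Make nt services work and start on startup on win32" versus "Make "platform" string in descriptor more accurate for Win32 servers" and "don't do that on Win32" later in the same hunk; use "NT services" and "Win32" throughout. On substance, "New exit policy: accept most low-numbered ports, rather than rejecting most low-numbered ports" changes the default for every operator who upgrades without editing their exit policy and should say so explicitly, pointing at where the new default is listed; likewise "Stop publishing socksport in the directory ... publish a 0 there for now" should note which directory consumers were checked to tolerate a 0 there, since the entry itself keeps the field only for compatibility.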