mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-20 10:12:15 +01:00
4f712d10cd
svn:r3953
1230 lines
62 KiB
Plaintext
Changes in version 0.1.0.1-rc - 2005-03-28
  o New features:
    - Add reachability testing. Your Tor server will automatically try
      to see if its ORPort and DirPort are reachable from the outside,
      and it won't upload its descriptor until it decides they are.
    - Handle unavailable hidden services better. Handle slow or busy
      hidden services better.
    - Add support for CONNECTing through https proxies, with "HttpsProxy"
      config option.
    - New exit policy: accept most low-numbered ports, rather than
      rejecting most low-numbered ports.
    - More Tor controller support (still experimental). See
      http://tor.eff.org/doc/control-spec.txt for all the new features,
      including signals to emulate unix signals from any platform;
      redirectstream; extendcircuit; mapaddress; getinfo; postdescriptor;
      closestream; closecircuit; etc.
    - Make nt services work and start on startup on win32 (based on
      patch by Matt Edman).
    - Add a new AddressMap config directive to rewrite incoming socks
      addresses. This lets you, for example, declare an implicit
      required exit node for certain sites.
    - Add a new TrackHostExits config directive to trigger addressmaps
      for certain incoming socks addresses -- for sites that break when
      your exit keeps changing (based on patch from Mike Perry).
    - Redo the client-side dns cache so it's just an addressmap too.
    - Notice when our IP changes, and reset stats/uptime/reachability.
    - When an application is using socks5, give him the whole variety of
      potential socks5 responses (connect refused, host unreachable, etc),
      rather than just "success" or "failure".
    - A more sane version numbering system. See
      http://tor.eff.org/cvs/tor/doc/version-spec.txt for details.
    - New contributed script "exitlist": a simple python script to
      parse directories and find Tor nodes that exit to listed
      addresses/ports.
    - New contributed script "privoxy-tor-toggle" to toggle whether
      Privoxy uses Tor. Seems to be configured for Debian by default.
    - Report HTTP reasons to client when getting a response from directory
      servers -- so you can actually know what went wrong.
    - New config option MaxAdvertisedBandwidth which lets you advertise
      a low bandwidthrate (to not attract as many circuits) while still
      allowing a higher bandwidthrate in reality.

  o Robustness/stability fixes:
    - Make Tor use Niels Provos's libevent instead of its current
      poll-but-sometimes-select mess. This will let us use faster async
      cores (like epoll, kpoll, and /dev/poll), and hopefully work better
      on Windows too.
    - pthread support now too. This was forced because when we forked,
      we ended up wasting a lot of duplicate ram over time. Also switch
      to foo_r versions of some library calls to allow reentry and
      threadsafeness.
    - Better handling for heterogeneous / unreliable nodes:
      - Annotate circuits w/ whether they aim to contain high uptime nodes
        and/or high capacity nodes. When building circuits, choose
        appropriate nodes.
      - This means that every single node in an intro rend circuit,
        not just the last one, will have a minimum uptime.
      - New config option LongLivedPorts to indicate application streams
        that will want high uptime circuits.
      - Servers reset uptime when a dir fetch entirely fails. This
        hopefully reflects stability of the server's network connectivity.
      - If somebody starts his tor server in Jan 2004 and then fixes his
        clock, don't make his published uptime be a year.
      - Reset published uptime when you wake up from hibernation.
    - Introduce a notion of 'internal' circs, which are chosen without
      regard to the exit policy of the last hop. Intro and rendezvous
      circs must be internal circs, to avoid leaking information. Resolve
      and connect streams can use internal circs if they want.
    - New circuit pooling algorithm: make sure to have enough circs around
      to satisfy any predicted ports, and also make sure to have 2 internal
      circs around if we've required internal circs lately (and with high
      uptime if we've seen that lately too).
    - Split NewCircuitPeriod option into NewCircuitPeriod (30 secs),
      which describes how often we retry making new circuits if current
      ones are dirty, and MaxCircuitDirtiness (10 mins), which describes
      how long we're willing to make use of an already-dirty circuit.
    - Cannibalize GENERAL circs to be C_REND, C_INTRO, S_INTRO, and S_REND
      circ as necessary, if there are any completed ones lying around
      when we try to launch one.
    - Make hidden services try to establish a rendezvous for 30 seconds,
      rather than for n (where n=3) attempts to build a circuit.
    - Change SHUTDOWN_WAIT_LENGTH from a fixed 30 secs to a config option
      "ShutdownWaitLength".
    - Try to be more zealous about calling connection_edge_end when
      things go bad with edge conns in connection.c.
    - Revise tor-spec to add more/better stream end reasons.
    - Revise all calls to connection_edge_end to avoid sending "misc",
      and to take errno into account where possible.

  o Bug fixes:
    - Fix a race condition that can trigger an assert, when we have a
      pending create cell and an OR connection fails right then.
    - Fix several double-mark-for-close bugs, e.g. where we were finding
      a conn for a cell even if that conn is already marked for close.
    - Make sequence of log messages when starting on win32 with no config
      file more reasonable.
    - When choosing an exit node for a new non-internal circ, don't take
      into account whether it'll be useful for any pending x.onion
      addresses -- it won't.
    - Turn addr_policy_compare from a tristate to a quadstate; this should
      help address our "Ah, you allow 1.2.3.4:80. You are a good choice
      for google.com" problem.
    - Make "platform" string in descriptor more accurate for Win32 servers,
      so it's not just "unknown platform".
    - Fix an edge case in parsing config options (thanks weasel).
      If they say "--" on the commandline, it's not an option.
    - Reject odd-looking addresses at the client (e.g. addresses that
      contain a colon), rather than having the server drop them because
      they're malformed.
    - tor-resolve requests were ignoring .exit if there was a working circuit
      they could use instead.
    - REUSEADDR on normal platforms means you can rebind to the port
      right after somebody else has let it go. But REUSEADDR on win32
      means to let you bind to the port _even when somebody else
      already has it bound_! So, don't do that on Win32.
    - Change version parsing logic: a version is "obsolete" if it is not
      recommended and (1) there is a newer recommended version in the
      same series, or (2) there are no recommended versions in the same
      series, but there are some recommended versions in a newer series.
      A version is "new" if it is newer than any recommended version in
      the same series.
    - Stop most cases of hanging up on a socks connection without sending
      the socks reject.
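
The version-parsing rule in the bug-fix list above ("obsolete" versus "new" against a list of recommended versions), as an added worked example in C. This is illustrative code written for this page, not Tor's own implementation. It assumes a four-component version "major.minor.micro.patch" whose "-rc"-style suffix is ignored for ordering, takes the "series" to be the first three components, and classes a not-recommended version with no recommended version in its own series and none in any newer series as "new"; the function and type names are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A parsed version: major.minor.micro.patch. Assumption of this example:
 * the "series" is the first three components, and any "-rc"/"-cvs"
 * suffix is ignored when ordering versions. */
typedef struct { int n[4]; } tor_ver_t;

typedef enum { VS_RECOMMENDED, VS_OBSOLETE, VS_NEW, VS_INVALID } ver_status_t;

/* Parse "0.1.0.1-rc" into v (missing trailing components become 0).
 * Returns 0 on success, -1 if the string does not start with a number. */
static int ver_parse(const char *s, tor_ver_t *v) {
    int i;
    memset(v, 0, sizeof(*v));
    for (i = 0; i < 4; i++) {
        char *end;
        long x = strtol(s, &end, 10);
        if (end == s || x < 0)
            return i == 0 ? -1 : 0;   /* no number here: done (or invalid) */
        v->n[i] = (int)x;
        if (*end != '.')
            return 0;                 /* end of the numeric part */
        s = end + 1;
    }
    return 0;
}

/* Compare the first k components (k = 4: whole version; k = 3: series). */
static int ver_cmp_n(const tor_ver_t *a, const tor_ver_t *b, int k) {
    int i;
    for (i = 0; i < k; i++)
        if (a->n[i] != b->n[i])
            return a->n[i] < b->n[i] ? -1 : 1;
    return 0;
}

/* Classify `mine` against `recommended`, a space- or comma-separated list
 * of recommended versions, following the changelog rules:
 *   obsolete: not recommended and (1) a newer recommended version exists in
 *             the same series, or (2) none in the same series but some in a
 *             newer series;
 *   new:      newer than every recommended version in the same series. */
static ver_status_t version_status(const char *mine, const char *recommended) {
    tor_ver_t me;
    char buf[512];
    char *tok;
    int is_rec = 0, any_same_series = 0, newer_same_series = 0, newer_series = 0;

    if (ver_parse(mine, &me) < 0)
        return VS_INVALID;
    snprintf(buf, sizeof(buf), "%s", recommended);   /* strtok needs a writable copy */
    for (tok = strtok(buf, " ,"); tok; tok = strtok(NULL, " ,")) {
        tor_ver_t r;
        int c;
        if (ver_parse(tok, &r) < 0)
            continue;                 /* skip unparseable entries */
        c = ver_cmp_n(&me, &r, 4);
        if (c == 0)
            is_rec = 1;
        if (ver_cmp_n(&me, &r, 3) == 0) {
            any_same_series = 1;
            if (c < 0)
                newer_same_series = 1;
        } else if (ver_cmp_n(&me, &r, 3) < 0) {
            newer_series = 1;
        }
    }
    if (is_rec)
        return VS_RECOMMENDED;
    if (any_same_series)
        return newer_same_series ? VS_OBSOLETE : VS_NEW;
    /* No recommended version in our series: obsolete if a newer series is
     * recommended; otherwise (assumption of this example) treat it as new. */
    return newer_series ? VS_OBSOLETE : VS_NEW;
}

int main(void) {
    static const char *names[] = { "recommended", "obsolete", "new", "invalid" };
    const char *rec = "0.0.9.7 0.1.0.1-rc";   /* constructed sample list */
    const char *probes[] = { "0.0.9.5", "0.0.9.8", "0.0.8.1", "0.1.0.1-rc", "0.1.0.2" };
    size_t i;
    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("%-12s -> %s\n", probes[i], names[version_status(probes[i], rec)]);
    return 0;
}
```

With the sample list "0.0.9.7 0.1.0.1-rc", 0.0.9.5 is obsolete (a newer recommended 0.0.9.x exists), 0.0.9.8 is new (newer than every recommended 0.0.9.x), and 0.0.8.1 is obsolete (nothing recommended in 0.0.8 but newer series are).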

  o Helpful fixes:
    - Require BandwidthRate to be at least 20kB/s for servers.
    - When a dirserver causes you to give a warn, mention which dirserver
      it was.
    - New config option DirAllowPrivateAddresses for authdirservers.
      Now by default they refuse router descriptors that have non-IP or
      private-IP addresses.
    - Stop publishing socksport in the directory, since it's not
      actually meant to be public. For compatibility, publish a 0 there
      for now.
    - Change DirFetchPeriod/StatusFetchPeriod to have a special "Be
      smart" value, that is low for servers and high for clients.
    - If our clock jumps forward by 100 seconds or more, assume something
      has gone wrong with our network and abandon all not-yet-used circs.
    - Warn when exit policy implicitly allows local addresses.
    - If we get an incredibly skewed timestamp from a dirserver mirror
      that isn't a verified OR, don't warn -- it's probably him that's
      wrong.
    - Since we ship our own Privoxy on OS X, tweak it so it doesn't write
      cookies to disk and doesn't log each web request to disk. (Thanks
      to Brett Carrington for pointing this out.)
    - When a client asks us for a dir mirror and we don't have one,
      launch an attempt to get a fresh one.
    - If we're hibernating and we get a SIGINT, exit immediately.
    - Add --with-dmalloc ./configure option, to track memory leaks.
    - And try to free all memory on closing, so we can detect what
      we're leaking.
    - Cache local dns resolves correctly even when they're .exit
      addresses.
    - Give a better warning when some other server advertises an
      ORPort that is actually an apache running ssl.
    - Add "opt hibernating 1" to server descriptor to make it clearer
      whether the server is hibernating.


Changes in version 0.0.9.7 - 2005-04-01
  o Bugfixes on 0.0.9.x:
    - Fix another race crash bug (thanks to Glenn Fink for reporting).
    - Compare identity to identity, not to nickname, when extending to
      a router not already in the directory. This was preventing us from
      extending to unknown routers. Oops.
    - Make sure to create OS X Tor user in <500 range, so we aren't
      creating actual system users.
    - Note where connection-that-hasn't-sent-end was marked, and fix
      a few really loud instances of this harmless bug (it's fixed more
      in 0.1.0.x.)


Changes in version 0.0.9.6 - 2005-03-24
  o Bugfixes on 0.0.9.x (crashes and asserts):
    - Add new end stream reasons to maintenance branch. Fix bug where
      reason (8) could trigger an assert. Prevent bug from recurring.
    - Apparently win32 stat wants paths to not end with a slash.
    - Fix assert triggers in assert_cpath_layer_ok(), where we were
      blowing away the circuit that conn->cpath_layer points to, then
      checking to see if the circ is well-formed. Backport check to make
      sure we don't use the cpath on a closed connection.
    - Prevent circuit_resume_edge_reading_helper() from trying to package
      inbufs for marked-for-close streams.
    - Don't crash on hup if your options->address has become unresolvable.
    - Some systems (like OS X) sometimes accept() a connection and tell
      you the remote host is 0.0.0.0:0. If this happens, due to some
      other mis-features, we get confused; so refuse the conn for now.

  o Bugfixes on 0.0.9.x (other):
    - Fix harmless but scary "Unrecognized content encoding" warn message.
    - Add new stream error reason: TORPROTOCOL reason means "you are not
      speaking a version of Tor I understand; say bye-bye to your stream."
    - Be willing to cache directories from up to ROUTER_MAX_AGE seconds
      into the future, now that we are more tolerant of skew. This
      resolves a bug where a Tor server would refuse to cache a directory
      because all the directories it gets are too far in the future;
      yet the Tor server never logs any complaints about clock skew.
    - Mac packaging magic: make man pages usable, and do not overwrite
      existing torrc files.
    - Make OS X log happily to /var/log/tor/tor.log


Changes in version 0.0.9.5 - 2005-02-22
  o Bugfixes on 0.0.9.x:
    - Fix an assert race at exit nodes when resolve requests fail.
    - Stop picking unverified dir mirrors--it only leads to misery.
    - Patch from Matt Edman to make NT services work better. Service
      support is still not compiled into the executable by default.
    - Patch from Dmitri Bely so the Tor service runs better under
      the win32 SYSTEM account.
    - Make tor-resolve actually work (?) on Win32.
    - Fix a sign bug when getrlimit claims to have 4+ billion
      file descriptors available.
    - Stop refusing to start when bandwidthburst == bandwidthrate.
    - When create cells have been on the onion queue more than five
      seconds, just send back a destroy and take them off the list.


Changes in version 0.0.9.4 - 2005-02-03
  o Bugfixes on 0.0.9:
    - Fix an assert bug that took down most of our servers: when
      a server claims to have 1 GB of bandwidthburst, don't
      freak out.
    - Don't crash as badly if we have spawned the max allowed number
      of dnsworkers, or we're out of file descriptors.
    - Block more file-sharing ports in the default exit policy.
    - MaxConn is now automatically set to the hard limit of max
      file descriptors we're allowed (ulimit -n), minus a few for
      logs, etc.
    - Give a clearer message when servers need to raise their
      ulimit -n when they start running out of file descriptors.
    - SGI Compatibility patches from Jan Schaumann.
    - Tolerate a corrupt cached directory better.
    - When a dirserver hasn't approved your server, list which one.
    - Go into soft hibernation after 95% of the bandwidth is used,
      not 99%. This is especially important for daily hibernators who
      have a small accounting max. Hopefully it will result in fewer
      cut connections when the hard hibernation starts.
    - Load-balance better when using servers that claim more than
      800kB/s of capacity.
    - Make NT services work (experimental, only used if compiled in).


Changes in version 0.0.9.3 - 2005-01-21
  o Bugfixes on 0.0.9:
    - Backport the cpu use fixes from main branch, so busy servers won't
      need as much processor time.
    - Work better when we go offline and then come back, or when we
      run Tor at boot before the network is up. We do this by
      optimistically trying to fetch a new directory whenever an
      application request comes in and we think we're offline -- the
      human is hopefully a good measure of when the network is back.
    - Backport some minimal hidserv bugfixes: keep rend circuits open as
      long as you keep using them; actually publish hidserv descriptors
      shortly after they change, rather than waiting 20-40 minutes.
    - Enable Mac startup script by default.
    - Fix duplicate dns_cancel_pending_resolve reported by Giorgos Pallas.
    - When you update AllowUnverifiedNodes or FirewallPorts via the
      controller's setconf feature, we were always appending, never
      resetting.
    - When you update HiddenServiceDir via setconf, it was screwing up
      the order of reading the lines, making it fail.
    - Do not rewrite a cached directory back to the cache; otherwise we
      will think it is recent and not fetch a newer one on startup.
    - Workaround for webservers that lie about Content-Encoding: Tor
      now tries to autodetect compressed directories and compression
      itself. This lets us Proxypass dir fetches through apache.


Changes in version 0.0.9.2 - 2005-01-04
  o Bugfixes on 0.0.9 (crashes and asserts):
    - Fix an assert on startup when the disk is full and you're logging
      to a file.
    - If you do socks4 with an IP of 0.0.0.x but *don't* provide a socks4a
      style address, then we'd crash.
    - Fix an assert trigger when the running-routers string we get from
      a dirserver is broken.
    - Make worker threads start and run on win32. Now win32 servers
      may work better.
    - Bandaid (not actually fix, but now it doesn't crash) an assert
      where the dns worker dies mysteriously and the main Tor process
      doesn't remember anything about the address it was resolving.

  o Bugfixes on 0.0.9 (Win32):
    - Workaround for brain-damaged __FILE__ handling on MSVC: keep Nick's
      name out of the warning/assert messages.
    - Fix a superficial "unhandled error on read" bug on win32.
    - The win32 installer no longer requires a click-through for our
      license, since our Free Software license grants rights but does not
      take any away.
    - Win32: When connecting to a dirserver fails, try another one
      immediately. (This was already working for non-win32 Tors.)
    - Stop trying to parse $HOME on win32 when hunting for default
      DataDirectory.
    - Make tor-resolve.c work on win32 by calling network_init().

  o Bugfixes on 0.0.9 (other):
    - Make 0.0.9.x build on Solaris again.
    - Due to a fencepost error, we were blowing away the \n when reporting
      confvalue items in the controller. So asking for multiple config
      values at once couldn't work.
    - When listing circuits that are pending on an opening OR connection,
      if we're an OR we were listing circuits that *end* at us as
      being pending on every listener, dns/cpu worker, etc. Stop that.
    - Dirservers were failing to create 'running-routers' or 'directory'
      strings if we had more than some threshold of routers. Fix them so
      they can handle any number of routers.
    - Fix a superficial "Duplicate mark for close" bug.
    - Stop checking for clock skew for OR connections, even for servers.
    - Fix a fencepost error that was chopping off the last letter of any
      nickname that is the maximum allowed nickname length.
    - Update URLs in log messages so they point to the new website.
    - Fix a potential problem in mangling server private keys while
      writing to disk (not triggered yet, as far as we know).
    - Include the licenses for other free software we include in Tor,
      now that we're shipping binary distributions more regularly.


Changes in version 0.0.9.1 - 2004-12-15
  o Bugfixes on 0.0.9:
    - Make hibernation actually work.
    - Make HashedControlPassword config option work.
    - When we're reporting event circuit status to a controller,
      don't use the stream status code.


Changes in version 0.0.9 - 2004-12-12
  o Bugfixes on 0.0.8.1 (Crashes and asserts):
    - Catch and ignore SIGXFSZ signals when log files exceed 2GB; our
      write() call will fail and we handle it there.
    - When we run out of disk space, or other log writing error, don't
      crash. Just stop logging to that log and continue.
    - Fix isspace() and friends so they still make Solaris happy
      but also so they don't trigger asserts on win32.
    - Fix assert failure on malformed socks4a requests.
    - Fix an assert bug where a hidden service provider would fail if
      the first hop of his rendezvous circuit was down.
    - Better handling of size_t vs int, so we're more robust on 64
      bit platforms.

  o Bugfixes on 0.0.8.1 (Win32):
    - Make windows sockets actually non-blocking (oops), and handle
      win32 socket errors better.
    - Fix parse_iso_time on platforms without strptime (eg win32).
    - win32: when being multithreaded, leave parent fdarray open.
    - Better handling of winsock includes on non-MSV win32 compilers.
    - Change our file IO stuff (especially wrt OpenSSL) so win32 is
      happier.
    - Make unit tests work on win32.

  o Bugfixes on 0.0.8.1 (Path selection and streams):
    - Calculate timeout for waiting for a connected cell from the time
      we sent the begin cell, not from the time the stream started. If
      it took a long time to establish the circuit, we would time out
      right after sending the begin cell.
    - Fix router_compare_addr_to_addr_policy: it was not treating a port
      of * as always matching, so we were picking reject *:* nodes as
      exit nodes too. Oops.
    - When read() failed on a stream, we would close it without sending
      back an end. So 'connection refused' would simply be ignored and
      the user would get no response.
    - Stop a sigpipe: when an 'end' cell races with eof from the app,
      we shouldn't hold-open-until-flush if the eof arrived first.
    - Let resolve conns retry/expire also, rather than sticking around
      forever.
    - Fix more dns related bugs: send back resolve_failed and end cells
      more reliably when the resolve fails, rather than closing the
      circuit and then trying to send the cell. Also attach dummy resolve
      connections to a circuit *before* calling dns_resolve(), to fix
      a bug where cached answers would never be sent in RESOLVED cells.
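
The router_compare_addr_to_addr_policy fix above (a port of "*" must match every port, otherwise a "reject *:*" node is chosen as an exit), together with the 0.1.0.1-rc entry about warning when an exit policy implicitly allows local addresses, as an added worked example in C. This is illustrative code written for this page and is not Tor's own code: the "buggy" matcher is a reconstruction of the kind of mistake the entry describes, not the historical function, and the example assumes a rule syntax of accept|reject addr[/bits]:port|* with first matching rule winning and accept when nothing matches; all names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { POLICY_ACCEPT, POLICY_REJECT } policy_action_t;

/* One exit-policy rule. addr/mask are host-order IPv4; mask 0 means "*".
 * port 0 means "*" (any port), the case the old comparison got wrong. */
typedef struct {
    policy_action_t action;
    uint32_t addr, mask;
    uint16_t port;
} policy_entry_t;

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Parse "accept *:80", "reject 10.0.0.0/8:*", etc. Returns 0, or -1 if the
 * rule is malformed (bad action, address, prefix length or port). */
static int policy_parse(const char *rule, policy_entry_t *e) {
    char addrbuf[32];
    const char *rest, *colon;
    unsigned a, b, c, d;
    int bits = 32;
    size_t alen;

    memset(e, 0, sizeof(*e));
    if (!strncmp(rule, "accept ", 7))      { e->action = POLICY_ACCEPT; rest = rule + 7; }
    else if (!strncmp(rule, "reject ", 7)) { e->action = POLICY_REJECT; rest = rule + 7; }
    else return -1;

    colon = strrchr(rest, ':');
    if (!colon) return -1;
    alen = (size_t)(colon - rest);
    if (alen == 0 || alen >= sizeof(addrbuf)) return -1;
    memcpy(addrbuf, rest, alen);
    addrbuf[alen] = '\0';

    if (!strcmp(colon + 1, "*")) {
        e->port = 0;                               /* wildcard port */
    } else {
        char *end;
        long p = strtol(colon + 1, &end, 10);
        if (end == colon + 1 || *end || p < 1 || p > 65535) return -1;
        e->port = (uint16_t)p;
    }

    if (!strcmp(addrbuf, "*")) return 0;           /* addr = mask = 0 */
    if (sscanf(addrbuf, "%u.%u.%u.%u/%d", &a, &b, &c, &d, &bits) < 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255 || bits < 0 || bits > 32) return -1;
    e->addr = ip4(a, b, c, d);
    e->mask = bits == 0 ? 0 : 0xffffffffu << (32 - bits);
    return 0;
}

/* Parse a comma-separated policy into out[]; returns the number of rules. */
static size_t policy_parse_list(const char *spec, policy_entry_t *out, size_t max) {
    char buf[512];
    char *tok;
    size_t n = 0;
    snprintf(buf, sizeof(buf), "%s", spec);
    for (tok = strtok(buf, ","); tok && n < max; tok = strtok(NULL, ",")) {
        while (*tok == ' ') tok++;
        if (policy_parse(tok, &out[n]) == 0) n++;
    }
    return n;
}

typedef int (*match_fn)(const policy_entry_t *, uint32_t, uint16_t);

/* Reconstruction of the pre-fix mistake: the wildcard port (stored as 0) is
 * compared numerically, so "reject *:*" never matches a real port. */
static int entry_matches_buggy(const policy_entry_t *e, uint32_t addr, uint16_t port) {
    return (addr & e->mask) == (e->addr & e->mask) && e->port == port;
}

/* Fixed matcher: a port of "*" matches every port. */
static int entry_matches(const policy_entry_t *e, uint32_t addr, uint16_t port) {
    return (addr & e->mask) == (e->addr & e->mask) && (e->port == 0 || e->port == port);
}

/* First matching rule decides; no match means accept (assumption). */
static policy_action_t policy_eval(const policy_entry_t *pol, size_t n,
                                   uint32_t addr, uint16_t port, match_fn match) {
    size_t i;
    for (i = 0; i < n; i++)
        if (match(&pol[i], addr, port)) return pol[i].action;
    return POLICY_ACCEPT;
}

/* The "exit policy implicitly allows local addresses" check: probe one
 * address from each private range and report whether any is accepted. */
static int policy_allows_private(const policy_entry_t *pol, size_t n, uint16_t port) {
    const uint32_t probes[] = { ip4(127,0,0,1), ip4(10,0,0,1), ip4(172,16,0,1), ip4(192,168,0,1) };
    size_t i;
    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        if (policy_eval(pol, n, probes[i], port, entry_matches) == POLICY_ACCEPT) return 1;
    return 0;
}

int main(void) {
    policy_entry_t pol[8];   /* constructed sample policy */
    size_t n = policy_parse_list("reject 10.0.0.0/8:*, accept *:80, reject *:*", pol, 8);
    printf("1.2.3.4:80  -> %s\n", policy_eval(pol, n, ip4(1,2,3,4), 80, entry_matches) ? "reject" : "accept");
    printf("1.2.3.4:443 -> %s\n", policy_eval(pol, n, ip4(1,2,3,4), 443, entry_matches) ? "reject" : "accept");
    printf("policy accepts a private address on port 80: %d\n", policy_allows_private(pol, n, 80));
    return 0;
}
```

Run against a policy that is just "reject *:*", the buggy matcher accepts every address and port (the entry's "picking reject *:* nodes as exit nodes"), while the fixed one rejects. The private-address probe is what a server operator would want to see before the policy goes live: "accept *:80" with no preceding reject for 127.0.0.0/8 and the RFC 1918 ranges accepts 127.0.0.1:80.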

  o Bugfixes on 0.0.8.1 (Circuits):
    - Finally fix a bug that's been plaguing us for a year:
      With high load, circuit package window was reaching 0. Whenever
      we got a circuit-level sendme, we were reading a lot on each
      socket, but only writing out a bit. So we would eventually reach
      eof. This would be noticed and acted on even when there were still
      bytes sitting in the inbuf.
    - Use identity comparison, not nickname comparison, to choose which
      half of circuit-ID-space each side gets to use. This is needed
      because sometimes we think of a router as a nickname, and sometimes
      as a hex ID, and we can't predict what the other side will do.

  o Bugfixes on 0.0.8.1 (Other):
    - Fix a whole slew of memory leaks.
    - Disallow NDEBUG. We don't ever want anybody to turn off debug.
    - If we are using select, make sure we stay within FD_SETSIZE.
    - When poll() is interrupted, we shouldn't believe the revents values.
    - Add a FAST_SMARTLIST define to optionally inline smartlist_get
      and smartlist_len, which are two major profiling offenders.
    - If do_hup fails, actually notice.
    - Flush the log file descriptor after we print "Tor opening log file",
      so we don't see those messages days later.
    - Hidden service operators now correctly handle version 1 style
      INTRODUCE1 cells (nobody generates them still, so not a critical
      bug).
    - Handle more errnos from accept() without closing the listener.
      Some OpenBSD machines were closing their listeners because
      they ran out of file descriptors.
    - Some people had wrapped their tor client/server in a script
      that would restart it whenever it died. This did not play well
      with our "shut down if your version is obsolete" code. Now people
      don't fetch a new directory if their local cached version is
      recent enough.
    - Make our autogen.sh work on ksh as well as bash.
    - Better torrc example lines for dirbindaddress and orbindaddress.
    - Improved bounds checking on parsed ints (e.g. config options and
      the ones we find in directories.)
    - Stop using separate defaults for no-config-file and
      empty-config-file. Now you have to explicitly turn off SocksPort,
      if you don't want it open.
    - We were starting to daemonize before we opened our logs, so if
      there were any problems opening logs, we would complain to stderr,
      which wouldn't work, and then mysteriously exit.
    - If a verified OR connects to us before he's uploaded his descriptor,
      or we verify him and hup but he still has the original TLS
      connection, then conn->nickname is still set like he's unverified.

  o Code security improvements, inspired by Ilja:
    - tor_snprintf wrapper over snprintf with consistent (though not C99)
      overflow behavior.
    - Replace sprintf with tor_snprintf. (I think they were all safe, but
      hey.)
    - Replace strcpy/strncpy with strlcpy in more places.
    - Avoid strcat; use tor_snprintf or strlcat instead.
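
The string-handling entries above (a snprintf wrapper with one consistent overflow behaviour, and strlcpy/strlcat in place of strcpy/strncpy/strcat), as an added example in C. This is illustrative code written for this page, not Tor's util.c: my_strlcpy and my_strlcat follow the OpenBSD strlcpy contract and are written out because glibc does not ship them, and my_snprintf assumes the contract the entry describes for tor_snprintf (always NUL-terminate, return -1 on truncation or error rather than the C99 would-be length); the names are the example's own.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* strlcpy: copy src into dst[size], always NUL-terminating when size > 0.
 * Returns strlen(src); a result >= size means the copy was truncated. */
static size_t my_strlcpy(char *dst, const char *src, size_t size) {
    size_t n = strlen(src);
    if (size) {
        size_t copy = n < size - 1 ? n : size - 1;
        memcpy(dst, src, copy);
        dst[copy] = '\0';
    }
    return n;
}

/* strlcat: append src to the NUL-terminated dst[size]; same return contract
 * (the total length it tried to create). Never writes past size bytes. */
static size_t my_strlcat(char *dst, const char *src, size_t size) {
    size_t dl = 0;
    while (dl < size && dst[dl]) dl++;          /* bounded strlen of dst */
    if (dl == size) return size + strlen(src);  /* dst not terminated: nothing done */
    return dl + my_strlcpy(dst + dl, src, size - dl);
}

/* snprintf wrapper with one consistent contract (modeled on the tor_snprintf
 * described above; assumption of this example): returns the number of bytes
 * written, excluding the NUL, or -1 if the output did not fit or an error
 * occurred. dst is NUL-terminated whenever size > 0, even after truncation. */
static int my_snprintf(char *dst, size_t size, const char *fmt, ...) {
    va_list ap;
    int r;
    if (size == 0) return -1;
    va_start(ap, fmt);
    r = vsnprintf(dst, size, fmt, ap);
    va_end(ap);
    dst[size - 1] = '\0';                       /* guard against non-C99 libcs */
    if (r < 0 || (size_t)r >= size) return -1;  /* C99 would return the would-be length */
    return r;
}

/* Why strncpy gets replaced: when src fills the buffer, strncpy leaves no NUL
 * and the next strlen/printf reads off the end. Returns 1 if dst[size] ends
 * up terminated, 0 if not. */
static int strncpy_terminates(const char *src, size_t size) {
    char dst[16];
    if (size > sizeof(dst)) return -1;
    memset(dst, 'X', sizeof(dst));
    strncpy(dst, src, size);
    return memchr(dst, '\0', size) != NULL;
}

static int strlcpy_terminates(const char *src, size_t size) {
    char dst[16];
    if (size > sizeof(dst)) return -1;
    memset(dst, 'X', sizeof(dst));
    my_strlcpy(dst, src, size);
    return memchr(dst, '\0', size) != NULL;
}

/* Typical use: format into a fixed buffer and treat truncation as an error
 * instead of silently using a cut-off string. */
static int format_nick(char *out, size_t outlen, const char *nick) {
    return my_snprintf(out, outlen, "nick=%s", nick) < 0 ? -1 : 0;
}

int main(void) {
    char buf[8];
    printf("strncpy terminated: %d, strlcpy terminated: %d\n",
           strncpy_terminates("abcdefgh", 8), strlcpy_terminates("abcdefgh", 8));
    printf("format 'ab': %d -> \"%s\"\n", format_nick(buf, sizeof(buf), "ab"), buf);
    printf("format 'abc': %d -> \"%s\"\n", format_nick(buf, sizeof(buf), "abc"), buf);
    return 0;
}
```

The point of the -1 contract is that callers cannot accidentally use the C99 return value as a length and index past the buffer; truncation is an error they must handle, and the buffer is still safe to print afterwards.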

  o Features (circuits and streams):
    - New circuit building strategy: keep a list of ports that we've
      used in the past 6 hours, and always try to have 2 circuits open
      or on the way that will handle each such port. Seed us with port
      80 so web users won't complain that Tor is "slow to start up".
    - Make kill -USR1 dump more useful stats about circuits.
    - When warning about retrying or giving up, print the address, so
      the user knows which one it's talking about.
    - If you haven't used a clean circuit in an hour, throw it away,
      just to be on the safe side. (This means after 6 hours a totally
      unused Tor client will have no circuits open.)
    - Support "foo.nickname.exit" addresses, to let Alice request the
      address "foo" as viewed by exit node "nickname". Based on a patch
      from Geoff Goodell.
    - If your requested entry or exit node has advertised bandwidth 0,
      pick it anyway.
    - Be more greedy about filling up relay cells -- we try reading again
      once we've processed the stuff we read, in case enough has arrived
      to fill the last cell completely.
    - Refuse application socks connections to port 0.
    - Use only 0.0.9pre1 and later servers for resolve cells.

  o Features (bandwidth):
    - Hibernation: New config option "AccountingMax" lets you
      set how many bytes per month (in each direction) you want to
      allow your server to consume. Rather than spreading those
      bytes out evenly over the month, we instead hibernate for some
      of the month and pop up at a deterministic time, work until
      the bytes are consumed, then hibernate again. Config option
      "MonthlyAccountingStart" lets you specify which day of the month
      your billing cycle starts on.
    - Implement weekly/monthly/daily accounting: now you specify your
      hibernation properties by
        AccountingMax N bytes|KB|MB|GB|TB
        AccountingStart day|week|month [day] HH:MM
      Defaults to "month 1 0:00".
    - Let bandwidth and interval config options be specified as 5 bytes,
      kb, kilobytes, etc; and as seconds, minutes, hours, days, weeks.
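
A unit-aware parser for the bandwidth, accounting and interval values described above, as an added example in C that also exercises the "improved bounds checking on parsed ints" entry from the 0.0.9 bug-fix list: strtol overflow, negative values, unknown units and trailing garbage are all rejected, and the unit multiplication is checked for uint64_t overflow so a large AccountingMax cannot wrap to a small one. This is illustrative code written for this page, not Tor's config.c; the unit tables (binary kilobytes, the accepted spellings), the 20 kB/s server minimum taken as 20 * 1024, and the fd-limit clamp are assumptions of the example, and the names are its own.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a decimal integer in [lo, hi]. Rejects empty input, strtol overflow
 * (ERANGE) and out-of-range values, so a value can never wrap around.
 * On success stores the number in *out and the end pointer in *endp. */
static int parse_long_bounded(const char *s, long lo, long hi, long *out, const char **endp) {
    char *end;
    long v;
    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || errno == ERANGE || v < lo || v > hi) return -1;
    *out = v;
    if (endp) *endp = end;
    return 0;
}

typedef struct { const char *name; uint64_t mult; } unit_t;

/* Memory units (assumption of this example: binary multiples). */
static const unit_t memory_units[] = {
    {"bytes", 1}, {"byte", 1}, {"b", 1},
    {"kb", 1ULL << 10}, {"kbytes", 1ULL << 10}, {"kilobytes", 1ULL << 10},
    {"mb", 1ULL << 20}, {"mbytes", 1ULL << 20}, {"megabytes", 1ULL << 20},
    {"gb", 1ULL << 30}, {"gbytes", 1ULL << 30}, {"gigabytes", 1ULL << 30},
    {"tb", 1ULL << 40}, {"tbytes", 1ULL << 40}, {"terabytes", 1ULL << 40},
    {NULL, 0}
};

/* Interval units, in seconds. */
static const unit_t time_units[] = {
    {"seconds", 1}, {"second", 1}, {"minutes", 60}, {"minute", 60},
    {"hours", 3600}, {"hour", 3600}, {"days", 86400}, {"day", 86400},
    {"weeks", 604800}, {"week", 604800}, {NULL, 0}
};

/* Case-insensitive whole-string compare. */
static int ci_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Parse "<number>[ <unit>]" such as "5 MB", "20 kilobytes" or "2 weeks".
 * A bare number is in the base unit. Returns 0 and sets *out, or -1 on a
 * negative number, unknown unit, trailing junk or uint64_t overflow. */
static int parse_with_units(const char *s, const unit_t *units, uint64_t *out) {
    long n;
    const char *p;
    uint64_t mult = 1;
    if (parse_long_bounded(s, 0, LONG_MAX, &n, &p) < 0) return -1;
    while (*p == ' ' || *p == '\t') p++;
    if (*p) {
        const unit_t *u;
        for (u = units; u->name; u++)
            if (ci_eq(p, u->name)) break;
        if (!u->name) return -1;
        mult = u->mult;
    }
    if ((uint64_t)n > UINT64_MAX / mult) return -1;   /* would overflow */
    *out = (uint64_t)n * mult;
    return 0;
}

/* BandwidthRate for a server: at least 20 kB/s (assumption: 20 * 1024). */
#define MIN_SERVER_BANDWIDTH (20ULL << 10)
static int parse_bandwidth_rate(const char *s, uint64_t *out) {
    if (parse_with_units(s, memory_units, out) < 0) return -1;
    return *out >= MIN_SERVER_BANDWIDTH ? 0 : -1;
}

/* Clamp a file-descriptor limit (rlim_t can exceed 4 billion) into an int
 * without the sign bug a plain cast would introduce. */
static int fd_limit_to_int(unsigned long long lim) {
    return lim > (unsigned long long)INT_MAX ? INT_MAX : (int)lim;
}

int main(void) {
    /* constructed sample inputs */
    const char *samples[] = { "5 MB", "20 kilobytes", "1 TB", "4096", "5 parsecs", "-5 MB" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint64_t v;
        if (parse_with_units(samples[i], memory_units, &v) == 0)
            printf("%-14s = %llu bytes\n", samples[i], (unsigned long long)v);
        else
            printf("%-14s = rejected\n", samples[i]);
    }
    return 0;
}
```

The overflow check is the part a casual parser leaves out: "99999999999999999999 MB" is rejected at the strtol stage, and a value that fits in a long but not after scaling is rejected before the multiplication rather than silently producing a tiny limit.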

  o Features (directories):
    - New "router-status" line in directory, to better bind each verified
      nickname to its identity key.
    - Clients can ask dirservers for /dir.z to get a compressed version
      of the directory. Only works for servers running 0.0.9, of course.
    - Make clients cache directories and use them to seed their router
      lists at startup. This means clients have a datadir again.
    - Respond to content-encoding headers by trying to uncompress as
      appropriate.
    - Clients and servers now fetch running-routers; cache
      running-routers; compress running-routers; serve compressed
      running-routers.z
    - Make moria2 advertise a dirport of 80, so people behind firewalls
      will be able to get a directory.
    - Http proxy support
      - Dirservers translate requests for http://%s:%d/x to /x
      - You can specify "HttpProxy %s[:%d]" and all dir fetches will
        be routed through this host.
    - Clients ask for /tor/x rather than /x for new enough dirservers.
      This way we can one day coexist peacefully with apache.
    - Clients specify a "Host: %s%d" http header, to be compatible
      with more proxies, and so running squid on an exit node can work.
    - Protect dirservers from overzealous descriptor uploading -- wait
      10 seconds after directory gets dirty, before regenerating.

  o Features (packages and install):
    - Add NSI installer contributed by J Doe.
    - Apply NT service patch from Osamu Fujino. Still needs more work.
    - Commit VC6 and VC7 workspace/project files.
    - Commit a tor.spec for making RPM files, with help from jbash.
    - Add contrib/torctl.in contributed by Glenn Fink.
    - Make expand_filename handle ~ and ~username.
    - Use autoconf to enable largefile support where necessary. Use
      ftello where available, since ftell can fail at 2GB.
    - Ship src/win32/ in the tarball, so people can use it to build.
    - Make old win32 fall back to CWD if SHGetSpecialFolderLocation
      is broken.

  o Features (ui controller):
    - Control interface: a separate program can now talk to your
      client/server over a socket, and get/set config options, receive
      notifications of circuits and streams starting/finishing/dying,
      bandwidth used, etc. The next step is to get some GUIs working.
      Let us know if you want to help out. See doc/control-spec.txt .
    - Ship a contrib/tor-control.py as an example script to interact
      with the control port.
    - "tor --hash-password zzyxz" will output a salted password for
      use in authenticating to the control interface.
    - Implement the control-spec's SAVECONF command, to write your
      configuration to torrc.
    - Get cookie authentication for the controller closer to working.
    - When set_conf changes our server descriptor, upload a new copy.
      But don't upload it too often if there are frequent changes.

  o Features (config and command-line):
    - Deprecate unofficial config option abbreviations, and abbreviations
      not on the command line.
    - Configuration infrastructure support for warning on obsolete
      options.
    - Give a slightly more useful output for "tor -h".
    - Break DirFetchPostPeriod into:
      - DirFetchPeriod for fetching full directory,
      - StatusFetchPeriod for fetching running-routers,
      - DirPostPeriod for posting server descriptor,
      - RendPostPeriod for posting hidden service descriptors.
    - New log format in config:
      "Log minsev[-maxsev] stdout|stderr|syslog" or
      "Log minsev[-maxsev] file /var/foo"
    - DirPolicy config option, to let people reject incoming addresses
      from their dirserver.
    - "tor --list-fingerprint" will list your identity key fingerprint
      and then exit.
    - Make tor --version --version dump the cvs Id of every file.
    - New 'MyFamily nick1,...' config option for a server to
      specify other servers that shouldn't be used in the same circuit
      with it. Only believed if nick1 also specifies us.
    - New 'NodeFamily nick1,nick2,...' config option for a client to
      specify nodes that it doesn't want to use in the same circuit.
    - New 'Redirectexit pattern address:port' config option for a
      server to redirect exit connections, e.g. to a local squid.
    - Add "pass" target for RedirectExit, to make it easier to break
      out of a sequence of RedirectExit rules.
    - Make the dirservers file obsolete.
      - Include a dir-signing-key token in directories to tell the
        parsing entity which key is being used to sign.
      - Remove the built-in bulky default dirservers string.
      - New config option "Dirserver %s:%d [fingerprint]", which can be
        repeated as many times as needed. If no dirservers specified,
        default to moria1,moria2,tor26.
      - Make 'Routerfile' config option obsolete.
    - Discourage people from setting their dirfetchpostperiod more often
      than once per minute.

  o Features (other):
    - kill -USR2 now moves all logs to loglevel debug (kill -HUP to
      get back to normal.)
    - Accept *:706 (silc) in default exit policy.
    - Implement new versioning format for post 0.1.
    - Distinguish between TOR_TLS_CLOSE and TOR_TLS_ERROR, so we can
      log more informatively.
    - Check clock skew for verified servers, but allow unverified
      servers and clients to have any clock skew.
    - Make sure the hidden service descriptors are at a random offset
      from each other, to hinder linkability.
    - Clients now generate a TLS cert too, in preparation for having
      them act more like real nodes.
    - Add a pure-C tor-resolve implementation.
    - Use getrlimit and friends to ensure we can reach MaxConn (currently
      1024) file descriptors.
    - Raise the max dns workers from 50 to 100.


Changes in version 0.0.8.1 - 2004-10-13
  o Bugfixes:
    - Fix a seg fault that can be triggered remotely for Tor
      clients/servers with an open dirport.
    - Fix a rare assert trigger, where routerinfos for entries in
      our cpath would expire while we're building the path.
    - Fix a bug in OutboundBindAddress so it (hopefully) works.
    - Fix a rare seg fault for people running hidden services on
      intermittent connections.
    - Fix a bug in parsing opt keywords with objects.
    - Fix a stale pointer assert bug when a stream detaches and
      reattaches.
    - Fix a string format vulnerability (probably not exploitable)
      in reporting stats locally.
    - Fix an assert trigger: sometimes launching circuits can fail
      immediately, e.g. because too many circuits have failed recently.
    - Fix a compile warning on 64 bit platforms.


Changes in version 0.0.8 - 2004-08-25
  o Bugfixes:
    - Made our unit tests compile again on OpenBSD 3.5, and tor
      itself compile again on OpenBSD on a sparc64.
    - We were neglecting milliseconds when logging on win32, so
      everything appeared to happen at the beginning of each second.
    - Check directory signature _before_ you decide whether you're
      running an obsolete version and should exit.
    - Check directory signature _before_ you parse the running-routers
      list to decide who's running.
    - Check return value of fclose while writing to disk, so we don't
      end up with broken files when servers run out of disk space.
    - Port it to SunOS 5.9 / Athena
    - Fix two bugs in saving onion keys to disk when rotating, so
      hopefully we'll get fewer people using old onion keys.
    - Remove our mostly unused -- and broken -- hex_encode()
      function. Use base16_encode() instead. (Thanks to Timo Lindfors
      for pointing out this bug.)
    - Only pick and establish intro points after we've gotten a
      directory.
    - Fix assert triggers: if the other side returns an address 0.0.0.0,
      don't put it into the client dns cache.
    - If a begin failed due to exit policy, but we believe the IP
      address should have been allowed, switch that router to exitpolicy
      reject *:* until we get our next directory.

  o Protocol changes:
    - 'Extend' relay cell payloads now include the digest of the
      intended next hop's identity key. Now we can verify that we're
      extending to the right router, and also extend to routers we
      hadn't heard of before.

  o Features:
    - Tor nodes can now act as relays (with an advertised ORPort)
      without being manually verified by the dirserver operators.
      - Uploaded descriptors of unverified routers are now accepted
        by the dirservers, and included in the directory.
      - Verified routers are listed by nickname in the running-routers
        list; unverified routers are listed as "$<fingerprint>".
      - We now use hash-of-identity-key in most places rather than
|
|
nickname or addr:port, for improved security/flexibility.
|
|
- AllowUnverifiedNodes config option to let circuits choose no-name
|
|
routers in entry,middle,exit,introduction,rendezvous positions.
|
|
Allow middle and rendezvous positions by default.
|
|
- When picking unverified routers, skip those with low uptime and/or
|
|
low bandwidth, depending on what properties you care about.
|
|
- ClientOnly option for nodes that never want to become servers.
|
|
- Directory caching.
|
|
- "AuthoritativeDir 1" option for the official dirservers.
|
|
- Now other nodes (clients and servers) will cache the latest
|
|
directory they've pulled down.
|
|
- They can enable their DirPort to serve it to others.
|
|
- Clients will pull down a directory from any node with an open
|
|
DirPort, and check the signature/timestamp correctly.
|
|
- Authoritative dirservers now fetch directories from other
|
|
authdirservers, to stay better synced.
|
|
- Running-routers list tells who's down also, along with noting
|
|
if they're verified (listed by nickname) or unverified (listed
|
|
by hash-of-key).
|
|
- Allow dirservers to serve running-router list separately.
|
|
This isn't used yet.
|
|
- You can now fetch $DIRURL/running-routers to get just the
|
|
running-routers line, not the whole descriptor list. (But
|
|
clients don't use this yet.)
|
|
- Clients choose nodes proportional to advertised bandwidth.
|
|
- Clients avoid using nodes with low uptime as introduction points.
|
|
- Handle servers with dynamic IP addresses: don't just replace
|
|
options->Address with the resolved one at startup, and
|
|
detect our address right before we make a routerinfo each time.
|
|
- 'FascistFirewall' option to pick dirservers and ORs on specific
|
|
ports; plus 'FirewallPorts' config option to tell FascistFirewall
|
|
which ports are open. (Defaults to 80,443)
|
|
- Try other dirservers immediately if the one you try is down. This
|
|
should tolerate down dirservers better now.
|
|
- ORs connect-on-demand to other ORs
|
|
- If you get an extend cell to an OR you're not connected to,
|
|
connect, handshake, and forward the create cell.
|
|
- The authoritative dirservers stay connected to everybody,
|
|
and everybody stays connected to 0.0.7 servers, but otherwise
|
|
clients/servers expire unused connections after 5 minutes.
|
|
- When servers get a sigint, they delay 30 seconds (refusing new
|
|
connections) then exit. A second sigint causes immediate exit.
|
|
- File and name management:
|
|
- Look for .torrc if no CONFDIR "torrc" is found.
|
|
- If no datadir is defined, then choose, make, and secure ~/.tor
|
|
as datadir.
|
|
- If torrc not found, exitpolicy reject *:*.
|
|
- Expands ~/ in filenames to $HOME/ (but doesn't yet expand ~arma).
|
|
- If no nickname is defined, derive default from hostname.
|
|
- Rename secret key files, e.g. identity.key -> secret_id_key,
|
|
to discourage people from mailing their identity key to tor-ops.
|
|
- Refuse to build a circuit before the directory has arrived --
|
|
it won't work anyway, since you won't know the right onion keys
|
|
to use.
|
|
- Parse tor version numbers so we can do an is-newer-than check
|
|
rather than an is-in-the-list check.
|
|
- New socks command 'resolve', to let us shim gethostbyname()
|
|
locally.
|
|
- A 'tor_resolve' script to access the socks resolve functionality.
|
|
- A new socks-extensions.txt doc file to describe our
|
|
interpretation and extensions to the socks protocols.
|
|
- Add a ContactInfo option, which gets published in descriptor.
|
|
- Write tor version at the top of each log file
|
|
- New docs in the tarball:
|
|
- tor-doc.html.
|
|
- Document that you should proxy your SSL traffic too.
|
|
- Log a warning if the user uses an unsafe socks variant, so people
|
|
are more likely to learn about privoxy or socat.
|
|
- Log a warning if you're running an unverified server, to let you
|
|
know you might want to get it verified.
|
|
- Change the default exit policy to reject the default edonkey,
|
|
kazaa, gnutella ports.
|
|
- Add replace_file() to util.[ch] to handle win32's rename().
|
|
- Publish OR uptime in descriptor (and thus in directory) too.
|
|
- Remember used bandwidth (both in and out), and publish 15-minute
|
|
snapshots for the past day into our descriptor.
|
|
- Be more aggressive about trying to make circuits when the network
|
|
has changed (e.g. when you unsuspend your laptop).
|
|
- Check for time skew on http headers; report date in response to
|
|
"GET /".
|
|
- If the entrynode config line has only one node, don't pick it as
|
|
an exitnode.
|
|
- Add strict{entry|exit}nodes config options. If set to 1, then
|
|
we refuse to build circuits that don't include the specified entry
|
|
or exit nodes.
|
|
- OutboundBindAddress config option, to bind to a specific
|
|
IP address for outgoing connect()s.
|
|
- End truncated log entries (e.g. directories) with "[truncated]".
|
|
|
|
|
|
Changes in version 0.0.7.3 - 2004-08-12
|
|
o Stop dnsworkers from triggering an assert failure when you
|
|
ask them to resolve the host "".
|
|
|
|
|
|
Changes in version 0.0.7.2 - 2004-07-07
|
|
o A better fix for the 0.0.0.0 problem, that will hopefully
|
|
eliminate the remaining related assertion failures.
|
|
|
|
|
|
Changes in version 0.0.7.1 - 2004-07-04
|
|
o When an address resolves to 0.0.0.0, treat it as a failed resolve,
|
|
since internally we use 0.0.0.0 to signify "not yet resolved".
|
|
|
|
|
|
Changes in version 0.0.7 - 2004-06-07
|
|
o Fixes for crashes and other obnoxious bugs:
|
|
- Fix an epipe bug: sometimes when directory connections failed
|
|
to connect, we would give them a chance to flush before closing
|
|
them.
|
|
- When we detached from a circuit because of resolvefailed, we
|
|
would immediately try the same circuit twice more, and then
|
|
give up on the resolve thinking we'd tried three different
|
|
exit nodes.
|
|
- Limit the number of intro circuits we'll attempt to build for a
|
|
hidden service per 15-minute period.
|
|
- Check recommended-software string *early*, before actually parsing
|
|
the directory. Thus we can detect an obsolete version and exit,
|
|
even if the new directory format doesn't parse.
|
|
o Fixes for security bugs:
|
|
- Remember which nodes are dirservers when you startup, and if a
|
|
random OR enables his dirport, don't automatically assume he's
|
|
a trusted dirserver.
|
|
o Other bugfixes:
|
|
- Directory connections were asking the wrong poll socket to
|
|
start writing, and not asking themselves to start writing.
|
|
- When we detached from a circuit because we sent a begin but
|
|
didn't get a connected, we would use it again the first time;
|
|
but after that we would correctly switch to a different one.
|
|
- Stop warning when the first onion decrypt attempt fails; they
|
|
will sometimes legitimately fail now that we rotate keys.
|
|
- Override unaligned-access-ok check when $host_cpu is ia64 or
|
|
arm. Apparently they allow it but the kernel whines.
|
|
- Dirservers try to reconnect periodically too, in case connections
|
|
have failed.
|
|
- Fix some memory leaks in directory servers.
|
|
- Allow backslash in Win32 filenames.
|
|
- Made Tor build complain-free on FreeBSD, hopefully without
|
|
breaking other BSD builds. We'll see.
|
|
- Check directory signatures based on name of signer, not on whom
|
|
we got the directory from. This will let us cache directories more
|
|
easily.
|
|
- Rotate dnsworkers and cpuworkers on SIGHUP, so they get new config
|
|
settings too.
|
|
o Features:
|
|
- Doxygen markup on all functions and global variables.
|
|
- Make directory functions update routerlist, not replace it. So
|
|
now directory disagreements are not so critical a problem.
|
|
- Remove the upper limit on number of descriptors in a dirserver's
|
|
directory (not that we were anywhere close).
|
|
- Allow multiple logfiles at different severity ranges.
|
|
- Allow *BindAddress to specify ":port" rather than setting *Port
|
|
separately. Allow multiple instances of each BindAddress config
|
|
option, so you can bind to multiple interfaces if you want.
|
|
- Allow multiple exit policy lines, which are processed in order.
|
|
Now we don't need that huge line with all the commas in it.
|
|
- Enable accept/reject policies on SOCKS connections, so you can bind
|
|
to 0.0.0.0 but still control who can use your OP.
|
|
- Updated the man page to reflect these features.
|
|
|
|
|
|
Changes in version 0.0.6.2 - 2004-05-16
|
|
o Our integrity-checking digest was checking only the most recent cell,
|
|
not the previous cells like we'd thought.
|
|
Thanks to Stefan Mark for finding the flaw!
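
To see why the 0.0.6.2 fix matters, here is an added illustration that is
not Tor's code: perCellTags models the old behaviour (each tag covers only
its own cell) and runningTags models the fix (one SHA-1 state chained across
every cell in order). The seed, the payloads and the cut-down cell layout
(a 4-byte tag plus payload) are constructed simplifications.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"fmt"
	"hash"
)

// relayCell is a cut-down relay cell: a 4-byte integrity tag plus the
// payload it protects. Real cells carry more header fields.
type relayCell struct {
	tag     [4]byte
	payload []byte
}

// Constructed sample data: a seed standing in for per-direction key
// material (not real Tor key material) and three cells' worth of payload.
var (
	sampleSeed     = []byte("constructed-seed-not-a-real-key")
	samplePayloads = [][]byte{
		[]byte("BEGIN example.invalid:80"),
		[]byte("DATA GET / HTTP/1.0\r\n"),
		[]byte("END"),
	}
)

// first4 returns the leading 4 bytes of the current hash state. Sum does not
// reset a hash.Hash, so the state keeps accumulating afterwards.
func first4(h hash.Hash) (out [4]byte) {
	copy(out[:], h.Sum(nil))
	return out
}

// perCellTags models the pre-0.0.6.2 behaviour: each tag depends only on the
// seed and the cell it sits in, so tag i says nothing about cells 0..i-1.
func perCellTags(seed []byte, payloads [][]byte) []relayCell {
	cells := make([]relayCell, 0, len(payloads))
	for _, p := range payloads {
		h := sha1.New()
		h.Write(seed)
		h.Write(p)
		cells = append(cells, relayCell{tag: first4(h), payload: p})
	}
	return cells
}

// runningTags models the fix: one SHA-1 state is seeded once and fed every
// payload in order, so tag i commits to cells 0..i.
func runningTags(seed []byte, payloads [][]byte) []relayCell {
	h := sha1.New()
	h.Write(seed)
	cells := make([]relayCell, 0, len(payloads))
	for _, p := range payloads {
		h.Write(p)
		cells = append(cells, relayCell{tag: first4(h), payload: p})
	}
	return cells
}

type tagScheme func(seed []byte, payloads [][]byte) []relayCell

// verify recomputes tags over the payloads actually received, using the same
// scheme the sender used, and returns the index of the first cell whose tag
// disagrees, or -1 when every cell checks out.
func verify(seed []byte, received []relayCell, scheme tagScheme) int {
	payloads := make([][]byte, len(received))
	for i, c := range received {
		payloads[i] = c.payload
	}
	expected := scheme(seed, payloads)
	for i := range received {
		if !bytes.Equal(expected[i].tag[:], received[i].tag[:]) {
			return i
		}
	}
	return -1
}

// dropCell returns the stream with cell i removed, as a receiver would see
// it if that cell were lost or stripped in transit.
func dropCell(cells []relayCell, i int) []relayCell {
	out := append([]relayCell{}, cells[:i]...)
	return append(out, cells[i+1:]...)
}

// firstBadCell applies the same tampering (second cell dropped) to both
// schemes and reports where each receiver first notices.
func firstBadCell() (perCell, running int) {
	perCell = verify(sampleSeed, dropCell(perCellTags(sampleSeed, samplePayloads), 1), perCellTags)
	running = verify(sampleSeed, dropCell(runningTags(sampleSeed, samplePayloads), 1), runningTags)
	return perCell, running
}

func main() {
	perCell, running := firstBadCell()
	fmt.Printf("per-cell tags:  first bad cell = %d (-1: the dropped cell went unnoticed)\n", perCell)
	fmt.Printf("running digest: first bad cell = %d\n", running)
}
```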


Changes in version 0.0.6.1 - 2004-05-06
  o Fix two bugs in our AES counter-mode implementation (this affected
    onion-level stream encryption, but not TLS-level). It turns
    out we were doing something much more akin to a 16-character
    polyalphabetic cipher. Oops.
    Thanks to Stefan Mark for finding the flaw!
  o Retire moria3 as a directory server, and add tor26 as a directory
    server.
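
An added example, not Tor's code, of the shape of the counter-mode defect
above: brokenCTR encrypts the counter block once and reuses that single
16-byte keystream block across the whole message, which is a repeating-key
XOR with period 16; correctCTR increments the counter per block and is checked
against the standard library's cipher.NewCTR. The AES-128 key and the all-zero
starting counter are constructed values, and keystreamReused is the kind of
check a reviewer would write to catch this class of bug.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed AES-128 key and all-zero starting counter; not Tor key material.
var (
	sampleKey     = []byte("0123456789abcdef")
	sampleCounter = make([]byte, aes.BlockSize)
)

// brokenCTR reproduces the shape of the pre-0.0.6.1 defect: the counter block
// is encrypted once and that single 16-byte keystream block is XORed across
// the whole message. That is a repeating-key XOR with a 16-byte period, the
// "16-character polyalphabetic cipher" the changelog describes.
func brokenCTR(block cipher.Block, counter, msg []byte) []byte {
	ks := make([]byte, aes.BlockSize)
	block.Encrypt(ks, counter)
	out := make([]byte, len(msg))
	for i := range msg {
		out[i] = msg[i] ^ ks[i%aes.BlockSize]
	}
	return out
}

// correctCTR is plain counter mode: encrypt the counter, XOR one block,
// increment the counter as a big-endian integer, repeat. It is written out so
// the difference to brokenCTR is visible; cipher.NewCTR does the same job.
func correctCTR(block cipher.Block, counter, msg []byte) []byte {
	ctr := append([]byte{}, counter...) // private copy; the caller's is untouched
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(msg))
	for i := 0; i < len(msg); i += aes.BlockSize {
		block.Encrypt(ks, ctr)
		for j := 0; j < aes.BlockSize && i+j < len(msg); j++ {
			out[i+j] = msg[i+j] ^ ks[j]
		}
		incrementCounter(ctr)
	}
	return out
}

// incrementCounter adds one to the counter block, carrying from the last byte.
func incrementCounter(ctr []byte) {
	for i := len(ctr) - 1; i >= 0; i-- {
		ctr[i]++
		if ctr[i] != 0 {
			return
		}
	}
}

func newBlock() cipher.Block {
	block, err := aes.NewCipher(sampleKey)
	if err != nil {
		panic(err)
	}
	return block
}

// keystreamReused is the check a reviewer would run against either
// implementation: with a repeating keystream, equal plaintext blocks at equal
// offsets mod 16 encrypt to equal ciphertext blocks (the classic two-time-pad
// condition, since C_i XOR C_j then equals P_i XOR P_j). It encrypts a
// constructed message made of the same block twice and compares the halves.
func keystreamReused(encrypt func(cipher.Block, []byte, []byte) []byte) bool {
	blk := []byte("attack at dawn!!") // exactly 16 bytes, constructed
	msg := append(append([]byte{}, blk...), blk...)
	ct := encrypt(newBlock(), sampleCounter, msg)
	return bytes.Equal(ct[:aes.BlockSize], ct[aes.BlockSize:])
}

// matchesStdlib confirms correctCTR agrees with crypto/cipher's CTR on a
// message that is not a whole number of blocks, and that it round-trips.
func matchesStdlib() bool {
	block := newBlock()
	msg := []byte("odd-length constructed payload") // 30 bytes
	want := make([]byte, len(msg))
	cipher.NewCTR(block, sampleCounter).XORKeyStream(want, msg)
	ct := correctCTR(block, sampleCounter, msg)
	return bytes.Equal(ct, want) && bytes.Equal(correctCTR(block, sampleCounter, ct), msg)
}

func main() {
	fmt.Printf("brokenCTR reuses its keystream block: %v\n", keystreamReused(brokenCTR))
	fmt.Printf("correctCTR reuses its keystream block: %v\n", keystreamReused(correctCTR))
	fmt.Printf("correctCTR matches cipher.NewCTR: %v\n", matchesStdlib())
}
```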


Changes in version 0.0.6 - 2004-05-02
  o Features:
    - Hidden services and rendezvous points are implemented. Go to
      http://6sxoyfb3h2nvok2d.onion/ for an index of currently available
      hidden services. (This only works via a socks4a proxy such as
      Privoxy, and currently it's quite slow.)
    - We now rotate link (tls context) keys and onion keys.
    - CREATE cells now include oaep padding, so you can tell
      if you decrypted them correctly.
    - Retry stream correctly when we fail to connect because of
      exit-policy-reject (should try another) or can't-resolve-address.
    - When we hup a dirserver and we've *removed* a server from the
      approved-routers list, now we remove that server from the
      in-memory directories too.
    - Add bandwidthburst to server descriptor.
    - Directories now say which dirserver signed them.
    - Use a tor_assert macro that logs failed assertions too.
    - Since we don't support truncateds much, don't bother sending them;
      just close the circ.
    - Fetch randomness from /dev/urandom better (not via fopen/fread)
    - Better debugging for tls errors
    - Set Content-Type on the directory and hidserv descriptor.
    - Remove IVs from cipher code, since AES-ctr has none.
  o Bugfixes:
    - Fix an assert trigger for exit nodes that's been plaguing us since
      the days of 0.0.2prexx (thanks weasel!)
    - Fix a bug where we were closing tls connections intermittently.
      It turns out openssl kee
ps its errors around -- so if an error
      happens, and you don't ask about it, and then another openssl
      operation happens and succeeds, and you ask if there was an error,
      it tells you about the first error.
    - Fix a bug that's been lurking since 27 may 03 (!)
      When passing back a destroy cell, we would use the wrong circ id.
    - Don't crash if a conn that sent a begin has suddenly lost its circuit.
    - Some versions of openssl have an SSL_pending function that erroneously
      returns bytes when there is a non-application record pending.
    - Win32 fixes. Tor now compiles on win32 with no warnings/errors.
  o We were using an array of length zero in a few places.
  o Win32's gethostbyname can't resolve an IP to an IP.
  o Win32's close can't close a socket.
  o Handle windows socket errors correctly.
  o Portability:
    - check for <sys/limits.h> so we build on FreeBSD again, and
      <machine/limits.h> for NetBSD.


Changes in version 0.0.5 - 2004-03-30
  o Install torrc as torrc.sample -- we no longer clobber your
    torrc. (Woo!)
  o Fix mangled-state bug in directory fetching (was causing sigpipes).
  o Only build circuits after we've fetched the directory: clients were
    using only the directory servers before they'd fetched a directory.
    This also means longer startup time; so it goes.
  o Fix an assert trigger where an OP would fail to handshake, and we'd
    expect it to have a nickname.
  o Work around a tsocks bug: do a socks reject when AP connection dies
    early, else tsocks goes into an infinite loop.
  o Hold socks connection open until reply is flushed (if possible)
  o Make exit nodes resolve IPs to IPs immediately, rather than asking
    the dns farm to do it.
  o Fix c99 aliasing warnings in rephist.c
  o Don't include server descriptors that are older than 24 hours in the
    directory.
  o Give socks 'reject' replies their whole 15s to attempt to flush,
    rather than seeing the 60s timeout and assuming the flush had failed.
  o Clean automake droppings from the cvs repository
  o Add in a 'notice' log level for things the operator should hear
    but that aren't warnings


Changes in version 0.0.4 - 2004-03-26
  o When connecting to a dirserver or OR and the network is down,
    we would crash.


Changes in version 0.0.3 - 2004-03-26
  o Warn and fail if server chose a nickname with illegal characters
  o Port to Solaris and Sparc:
    - include missing header fcntl.h
    - have autoconf find -lsocket -lnsl automatically
    - deal with hardware word alignment
    - make uname() work (solaris has a different return convention)
    - switch from using signal() to sigaction()
  o Preliminary work on reputation system:
    - Keep statistics on success/fail of connect attempts; they're published
      by kill -USR1 currently.
    - Add a RunTesting option to try to learn link state by creating test
      circuits, even when SocksPort is off.
    - Remove unused open circuits when there are too many.


Changes in version 0.0.2 - 2004-03-19
  - Include strlcpy and strlcat for safer string ops
  - define INADDR_NONE so we compile (but still not run) on solaris


Changes in version 0.0.2pre27 - 2004-03-14
  o Bugfixes:
    - Allow internal tor networks (we were rejecting internal IPs,
      now we allow them if they're set explicitly).
    - And fix a few endian issues.


Changes in version 0.0.2pre26 - 2004-03-14
  o New features:
    - If a stream times out after 15s without a connected cell, don't
      try that circuit again: try a new one.
    - Retry streams at most 4 times. Then give up.
    - When a dirserver gets a descriptor from an unknown router, it
      logs its fingerprint (so the dirserver operator can choose to
      accept it even without mail from the server operator).
    - Inform unapproved servers when we reject their descriptors.
    - Make tor build on Windows again. It works as a client, who knows
      about as a server.
    - Clearer instructions in the torrc for how to set up a server.
    - Be more efficient about reading fd's when our global token bucket
      (used for rate limiting) becomes empty.
  o Bugfixes:
    - Stop asserting that computers always go forward in time. It's
      simply not true.
    - When we sent a cell (e.g. destroy) and then marked an OR connection
      expired, we might close it before finishing a flush if the other
      side isn't reading right then.
    - Don't allow dirservers to start if they haven't defined
      RecommendedVersions
    - We were caching transient dns failures. Oops.
    - Prevent servers from publishing an internal IP as their address.
    - Address a strcat vulnerability in circuit.c


Changes in version 0.0.2pre25 - 2004-03-04
  o New features:
    - Put the OR's IP in its router descriptor, not its fqdn. That way
      we'll stop being stalled by gethostbyname for nodes with flaky dns,
      e.g. poblano.
  o Bugfixes:
    - If the user typed in an address that didn't resolve, the server
      crashed.


Changes in version 0.0.2pre24 - 2004-03-03
  o Bugfixes:
    - Fix an assertion failure in dns.c, where we were trying to dequeue
      a pending dns resolve even if it wasn't pending
    - Fix a spurious socks5 warning about still trying to write after the
      connection is finished.
    - Hold certain marked_for_close connections open until they're finished
      flushing, rather than losing bytes by closing them too early.
    - Correctly report the reason for ending a stream
    - Remove some duplicate calls to connection_mark_for_close
    - Put switch_id and start_daemon earlier in the boot sequence, so it
      will actually try to chdir() to options.DataDirectory
    - Make 'make test' exit(1) if a test fails; fix some unit tests
    - Make tor fail when you use a config option it doesn't know about,
      rather than warn and continue.
    - Make --version work
    - Bugfixes on the rpm spec file and tor.sh, so it's more up to date


Changes in version 0.0.2pre23 - 2004-02-29
  o New features:
    - Print a statement when the first circ is finished, so the user
      knows it's working.
    - If a relay cell is unrecognized at the end of the circuit,
      send back a destroy. (So attacks to mutate cells are more
      clearly thwarted.)
    - New config option 'excludenodes' to avoid certain nodes for circuits.
    - When it daemonizes, it chdir's to the DataDirectory rather than "/",
      so you can collect coredumps there.
  o Bugfixes:
    - Fix a bug in tls flushing where sometimes data got wedged and
      didn't flush until more data got sent. Hopefully this bug was
      a big factor in the random delays we were seeing.
    - Make 'connected' cells include the resolved IP, so the client
      dns cache actually gets populated.
    - Disallow changing from ORPort=0 to ORPort>0 on hup.
    - When we time-out on a stream and detach from the circuit, send an
      end cell down it first.
    - Only warn about an unknown router (in exitnodes, entrynodes,
      excludenodes) after we've fetched a directory.


Changes in version 0.0.2pre22 - 2004-02-26
  o New features:
    - Servers publish less revealing uname information in descriptors.
    - More memory tracking and assertions, to crash more usefully when
      errors happen.
    - If the default torrc isn't there, just use some default defaults.
      Plus provide an internal dirservers file if they don't have one.
    - When the user tries to use Tor as an http proxy, give them an http
      501 failure explaining that we're a socks proxy.
    - Dump a new router.desc on hup, to help confused people who change
      their exit policies and then wonder why router.desc doesn't reflect
      it.
    - Clean up the generic tor.sh init script that we ship with.
  o Bugfixes:
    - If the exit stream is pending on the resolve, and a destroy arrives,
      then the stream wasn't getting removed from the pending list. I
      think this was the one causing recent server crashes.
    - Use a more robust poll on OSX 10.3, since their poll is flaky.
    - When it couldn't resolve any dirservers, it was useless from then on.
      Now it reloads the RouterFile (or default dirservers) if it has no
      dirservers.
    - Move the 'tor' binary back to /usr/local/bin/ -- it turns out
      many users don't even *have* a /usr/local/sbin/.


Changes in version 0.0.2pre21 - 2004-02-18
  o New features:
    - There's a ChangeLog file that actually reflects the changelog.
    - There's a 'torify' wrapper script, with an accompanying
      tor-tsocks.conf, that simplifies the process of using tsocks for
      tor. It even has a man page.
    - The tor binary gets installed to sbin rather than bin now.
    - Retry streams where the connected cell hasn't arrived in 15 seconds
    - Clean up exit policy handling -- get the default out of the torrc,
      so we can update it without forcing each server operator to fix
      his/her torrc.
    - Allow imaps and pop3s in default exit policy
  o Bugfixes:
    - Prevent picking middleman nodes as the last node in the circuit


Changes in version 0.0.2pre20 - 2004-01-30
  o New features:
    - We now have a deb package, and it's in debian unstable. Go to
      it, apt-getters. :)
    - I've split the TotalBandwidth option into BandwidthRate (how many
      bytes per second you want to allow, long-term) and
      BandwidthBurst (how many bytes you will allow at once before the cap
      kicks in). This better token bucket approach lets you, say, set
      BandwidthRate to 10KB/s and BandwidthBurst to 10MB, allowing good
      performance while not exceeding your monthly bandwidth quota.
    - Push out a tls record's worth of data once you've got it, rather
      than waiting until you've read everything waiting to be read. This
      may improve performance by pipelining better. We'll see.
    - Add an AP_CONN_STATE_CONNECTING state, to allow streams to detach
      from failed circuits (if they haven't been connected yet) and attach
      to new ones.
    - Expire old streams that haven't managed to connect. Some day we'll
      have them reattach to new circuits instead.
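
The BandwidthRate/BandwidthBurst token bucket described above, as an added
example rather than Tor's implementation: time is fed in as simulated
milliseconds instead of being read from the clock, and a constructed schedule
replays the entry's 10KB/s and 10MB figures to show the burst, the drain, the
steady-state refill and the cap on how much idle time can be banked.

```go
package main

import "fmt"

// bucket is a token bucket in the shape the entry above describes: rate
// tokens (bytes) are added per second up to burst, and every byte read from
// the network removes one token. Time is passed in explicitly so the
// behaviour can be replayed deterministically.
type bucket struct {
	rate   int64 // BandwidthRate: bytes added per second (long-term average)
	burst  int64 // BandwidthBurst: the most that can be saved up
	tokens int64 // current fill level
}

// newBucket starts full, so an idle server can serve one burst immediately.
func newBucket(rate, burst int64) *bucket {
	return &bucket{rate: rate, burst: burst, tokens: burst}
}

// refill credits elapsedMs worth of tokens and caps the total at burst; time
// spent idle beyond burst/rate seconds is simply lost.
func (b *bucket) refill(elapsedMs int64) {
	b.tokens += b.rate * elapsedMs / 1000
	if b.tokens > b.burst {
		b.tokens = b.burst
	}
}

// take grants as many of the requested bytes as the bucket holds and removes
// them. A zero return is the "bucket empty" case in which the reader should
// stop polling its fds until the next refill.
func (b *bucket) take(want int64) int64 {
	if want > b.tokens {
		want = b.tokens
	}
	b.tokens -= want
	return want
}

type step struct {
	elapsedMs int64 // simulated time since the previous step
	want      int64 // bytes the connections would like to read now
}

// simulate replays a constructed schedule against the changelog's example
// settings, BandwidthRate 10KB/s and BandwidthBurst 10MB, and returns the
// bytes granted at each step.
func simulate() []int64 {
	const kb, mb = 1024, 1024 * 1024
	b := newBucket(10*kb, 10*mb)
	schedule := []step{
		{0, 10 * mb},           // a full burst is allowed straight away
		{0, 1},                 // ...after which the bucket is empty
		{1000, mb},             // one second later only 10KB have come back
		{500, mb},              // half a second: 5KB
		{3600 * 1000, 20 * mb}, // an hour idle refills to the 10MB cap, not 36MB
	}
	granted := make([]int64, 0, len(schedule))
	for _, s := range schedule {
		b.refill(s.elapsedMs)
		granted = append(granted, b.take(s.want))
	}
	return granted
}

func main() {
	for i, g := range simulate() {
		fmt.Printf("step %d: granted %d bytes\n", i, g)
	}
}
```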

  o Bugfixes:
    - Fix several memory leaks that were causing servers to become bloated
      after a while.
    - Fix a few very rare assert triggers. A few more remain.
    - Setuid to User _before_ complaining about running as root.


Changes in version 0.0.2pre19 - 2004-01-07
  o Bugfixes:
    - Fix deadlock condition in dns farm. We were telling a child to die by
      closing the parent's file descriptor to him. But newer children were
      inheriting the open file descriptor from the parent, and since they
      weren't closing it, the socket never closed, so the child never read
      eof, so he never knew to exit. Similarly, dns workers were holding
      open other sockets, leading to all sorts of chaos.
    - New cleaner daemon() code for forking and backgrounding.
    - If you log to a file, it now prints an entry at the top of the
      logfile so you know it's working.
    - The onionskin challenge length was 30 bytes longer than necessary.
    - Started to patch up the spec so it's not quite so out of date.


Changes in version 0.0.2pre18 - 2004-01-02
  o Bugfixes:
    - Fix endian issues with the 'integrity' field in the relay header.
    - Fix a potential bug where connections in state
      AP_CONN_STATE_CIRCUIT_WAIT might unexpectedly ask to write.


Changes in version 0.0.2pre17 - 2003-12-30
  o Bugfixes:
    - Made --debuglogfile (or any second log file, actually) work.
    - Resolved an edge case in get_unique_circ_id_by_conn where a smart
      adversary could force us into an infinite loop.

  o Features:
    - Each onionskin handshake now includes a hash of the computed key,
      to prove the server's identity and help perfect forward secrecy.
    - Changed cell size from 256 to 512 bytes (working toward compatibility
      with MorphMix).
    - Changed cell length to 2 bytes, and moved it to the relay header.
    - Implemented end-to-end integrity checking for the payloads of
      relay cells.
    - Separated streamid from 'recognized' (otherwise circuits will get
      messed up when we try to have streams exit from the middle). We
      use the integrity-checking to confirm that a cell is addressed to
      this hop.
    - Randomize the initial circid and streamid values, so an adversary who
      breaks into a node can't learn how many circuits or streams have
      been made so far.


Changes in version 0.0.2pre16 - 2003-12-14
  o Bugfixes:
    - Fixed a bug that made HUP trigger an assert
    - Fixed a bug where a circuit that immediately failed wasn't being
      counted as a failed circuit in counting retries.

  o Features:
    - Now we close the circuit when we get a truncated cell: otherwise we're
      open to an anonymity attack where a bad node in the path truncates
      the circuit and then we open streams at him.
    - Add port ranges to exit policies
    - Add a conservative default exit policy
    - Warn if you're running tor as root
    - on HUP, retry OR connections and close/rebind listeners
    - options.EntryNodes: try these nodes first when picking the first node
    - options.ExitNodes: if your best choices happen to include any of
      your preferred exit nodes, you choose among just those preferred
      exit nodes.
    - options.ExcludedNodes: nodes that are never picked in path building


Changes in version 0.0.2pre15 - 2003-12-03
  o Robustness and bugfixes:
    - Sometimes clients would cache incorrect DNS resolves, which would
      really screw things up.
    - An OP that goes offline would slowly leak all its sockets and stop
      working.
    - A wide variety of bugfixes in exit node selection, exit policy
      handling, and processing pending streams when a new circuit is
      established.
    - Pick nodes for a path only from those the directory says are up
    - Choose randomly from all running dirservers, not always the first one
    - Increase allowed http header size for directory fetch.
    - Stop writing to stderr (if we're daemonized it will be closed).
    - Enable -g always, so cores will be more useful to me.
    - Switch "-lcrypto -lssl" to "-lssl -lcrypto" for broken distributions.

  o Documentation:
    - Wrote a man page. It lists commonly used options.

  o Configuration:
    - Change default loglevel to warn.
    - Make PidFile default to null rather than littering in your CWD.
    - OnionRouter config option is now obsolete. Instead it just checks
      ORPort>0.
    - Moved to a single unified torrc file for both clients and servers.


Changes in version 0.0.2pre14 - 2003-11-29
  o Robustness and bugfixes:
    - Force the admin to make the DataDirectory himself
      - to get ownership/permissions right
      - so clients no longer make a DataDirectory and then never use it
    - fix bug where a client who was offline for 45 minutes would never
      pull down a directory again
    - fix (or at least hide really well) the dns assert bug that was
      causing server crashes
    - warnings and improved robustness wrt clockskew for certs
    - use the native daemon(3) to daemonize, when available
    - exit if bind() fails
    - exit if neither socksport nor orport is defined
    - include our own tor_timegm (Win32 doesn't have its own)
    - bugfix for win32 with lots of connections
    - fix minor bias in PRNG
    - make dirserver more robust to corrupt cached directory

  o Documentation:
    - Wrote the design document (woo)

  o Circuit building and exit policies:
    - Circuits no longer try to use nodes that the directory has told them
      are down.
    - Exit policies now support bitmasks (18.0.0.0/255.0.0.0) and
      bitcounts (18.0.0.0/8).
    - Make AP connections standby for a circuit if no suitable circuit
      exists, rather than failing
    - Circuits choose exit node based on addr/port, exit policies, and
      which AP connections are standing by
    - Bump min pathlen from 2 to 3
    - Relay end cells have a payload to describe why the stream ended.
    - If the stream failed because of exit policy, try again with a new
      circuit.
    - Clients have a dns cache to remember resolved addresses.
    - Notice more quickly when we have no working circuits
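
An added example, not Tor's code, of an exit policy parser and first-match
evaluator covering the syntax these entries describe: the bitmask and
bitcount forms above, the port ranges from 0.0.2pre16, and the ordered
accept/reject lines from 0.0.7. Treating an unmatched address:port as
accepted is this example's own convention, which is why the constructed
samplePolicy ends with an explicit reject *:*.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// policyLine is one parsed "accept"/"reject" entry; "*" becomes 0.0.0.0/0.
type policyLine struct {
	accept         bool
	network        *net.IPNet
	loPort, hiPort int
}

// parseNetwork accepts "*", "a.b.c.d", "a.b.c.d/8" (bitcount) or "a.b.c.d/255.0.0.0" (dotted mask).
func parseNetwork(s string) (*net.IPNet, error) {
	addr, mask, hasMask := strings.Cut(strings.Replace(s, "*", "0.0.0.0/0", 1), "/")
	ip := net.ParseIP(addr).To4()
	if ip == nil {
		return nil, fmt.Errorf("bad IPv4 address %q", addr)
	}
	m := net.CIDRMask(32, 32) // a bare address means exactly that host
	if bits, err := strconv.Atoi(mask); hasMask && err == nil && bits >= 0 && bits <= 32 {
		m = net.CIDRMask(bits, 32)
	} else if dotted := net.ParseIP(mask).To4(); hasMask && dotted != nil {
		m = net.IPMask(dotted)
	} else if hasMask {
		return nil, fmt.Errorf("bad mask %q", mask)
	}
	return &net.IPNet{IP: ip.Mask(m), Mask: m}, nil
}

// parsePorts accepts "*", a single port, or an inclusive "lo-hi" range.
func parsePorts(s string) (int, int, error) {
	if s == "*" {
		s = "1-65535" // any port
	} else if !strings.Contains(s, "-") {
		s += "-" + s // a single port is the range port-port
	}
	loS, hiS, _ := strings.Cut(s, "-")
	lo, errLo := strconv.Atoi(loS)
	hi, errHi := strconv.Atoi(hiS)
	if errLo != nil || errHi != nil || lo < 1 || hi < lo || hi > 65535 {
		return 0, 0, fmt.Errorf("bad port spec %q", s)
	}
	return lo, hi, nil
}

// parsePolicy parses "accept|reject ADDR[/MASK]:PORTS" lines, keeping order.
func parsePolicy(lines []string) ([]policyLine, error) {
	var policy []policyLine
	for _, line := range lines {
		action, target, ok := strings.Cut(strings.TrimSpace(line), " ")
		addrPart, portPart, ok2 := strings.Cut(target, ":")
		if !ok || !ok2 || (action != "accept" && action != "reject") {
			return nil, fmt.Errorf("policy %q: want 'accept|reject addr:port'", line)
		}
		network, err := parseNetwork(addrPart)
		if err != nil {
			return nil, fmt.Errorf("policy %q: %v", line, err)
		}
		lo, hi, err := parsePorts(portPart)
		if err != nil {
			return nil, fmt.Errorf("policy %q: %v", line, err)
		}
		policy = append(policy, policyLine{action == "accept", network, lo, hi})
	}
	return policy, nil
}

// exitAllowed returns the verdict of the first line matching both address and
// port, so earlier lines shadow later ones. An unmatched pair is accepted here
// (this example's convention; hence the closing "reject *:*" in the sample).
func exitAllowed(policy []policyLine, ip net.IP, port int) bool {
	for _, pl := range policy {
		if port >= pl.loPort && port <= pl.hiPort && pl.network.Contains(ip) {
			return pl.accept
		}
	}
	return true
}

// samplePolicy is constructed to use every syntax the entries mention: dotted
// mask, bitcount, port range, wildcards, and order (rejects first, so they win).
var samplePolicy = []string{
	"reject 18.0.0.0/255.0.0.0:*",
	"reject 10.0.0.0/8:*",
	"accept *:80",
	"accept *:443",
	"accept *:6660-6669",
	"reject *:*",
}

func verdict(lines []string, addr string, port int) (bool, error) {
	policy, err := parsePolicy(lines)
	if err != nil {
		return false, err
	}
	return exitAllowed(policy, net.ParseIP(addr), port), nil
}
```

verdict(samplePolicy, "18.7.22.69", 80) is false because the dotted-mask reject precedes accept *:80; swap those two lines and the same pair is accepted.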

  o Configuration:
    - APPort is now called SocksPort
    - SocksBindAddress, ORBindAddress, DirBindAddress let you configure
      where to bind
    - RecommendedVersions is now a config variable rather than
      hardcoded (for dirservers)
    - Reloads config on HUP
    - Usage info on -h or --help
    - If you set User and Group config vars, it'll setu/gid to them.

Changes in version 0.0.2pre13 - 2003-10-19
  o General stability:
    - SSL_write no longer fails when it returns WANTWRITE and the number
      of bytes in the buf has changed by the next SSL_write call.
    - Fix segfault fetching directory when network is down
    - Fix a variety of minor memory leaks
    - Dirservers reload the fingerprints file on HUP, so I don't have
      to take down the network when I approve a new router
    - Default server config file has explicit Address line to specify fqdn

  o Buffers:
    - Buffers grow and shrink as needed (Cut process size from 20M to 2M)
    - Make listener connections not ever alloc bufs

  o Autoconf improvements:
    - don't clobber an external CFLAGS in ./configure
    - Make install now works
    - create var/lib/tor on make install
    - autocreate a tor.sh initscript to help distribs
    - autocreate the torrc and sample-server-torrc with correct paths

  o Log files and Daemonizing now work:
    - If --DebugLogFile is specified, log to it at -l debug
    - If --LogFile is specified, use it instead of commandline
    - If --RunAsDaemon is set, tor forks and backgrounds on startup