网络

开发平台：

Unix_Linux

ChangeLog：源码内容

Changes in version 0.2.1.20 - 2009-10-15
o Major bugfixes:
- Send circuit or stream sendme cells when our window has decreased
by 100 cells, not when it has decreased by 101 cells. Bug uncovered
by Karsten when testing the "reduce circuit window" performance
patch. Bugfix on the 54th commit on Tor -- from July 2002,
before the release of Tor 0.0.0. This is the new winner of the
oldest-bug prize.
- Fix a remotely triggerable memory leak when a consensus document
contains more than one signature from the same voter. Bugfix on
0.2.0.3-alpha.
- Avoid segfault in rare cases when finishing an introduction circuit
as a client and finding out that we don't have an introduction key
for it. Fixes bug 1073. Reported by Aaron Swartz.
o Major features:
- Tor now reads the "circwindow" parameter out of the consensus,
and uses that value for its circuit package window rather than the
default of 1000 cells. Begins the implementation of proposal 168.
o New directory authorities:
- Set up urras (run by Jacob Appelbaum) as the seventh v3 directory
authority.
- Move moria1 and tonga to alternate IP addresses.
o Minor bugfixes:
- Fix a signed/unsigned compile warning in 0.2.1.19.
- Fix possible segmentation fault on directory authorities. Bugfix on
0.2.1.14-rc.
- Fix an extremely rare infinite recursion bug that could occur if
we tried to log a message after shutting down the log subsystem.
Found by Matt Edman. Bugfix on 0.2.0.16-alpha.
- Fix an obscure bug where hidden services on 64-bit big-endian
systems might mis-read the timestamp in v3 introduce cells, and
refuse to connect back to the client. Discovered by "rotor".
Bugfix on 0.2.1.6-alpha.
- We were triggering a CLOCK_SKEW controller status event whenever
we connect via the v2 connection protocol to any relay that has
a wrong clock. Instead, we should only inform the controller when
it's a trusted authority that claims our clock is wrong. Bugfix
on 0.2.0.20-rc; starts to fix bug 1074. Reported by SwissTorExit.
- We were telling the controller about CHECKING_REACHABILITY and
REACHABILITY_FAILED status events whenever we launch a testing
circuit or notice that one has failed. Instead, only tell the
controller when we want to inform the user of overall success or
overall failure. Bugfix on 0.1.2.6-alpha. Fixes bug 1075. Reported
by SwissTorExit.
- Don't warn when we're using a circuit that ends with a node
excluded in ExcludeExitNodes, but the circuit is not used to access
the outside world. This should help fix bug 1090. Bugfix on
0.2.1.6-alpha.
- Work around a small memory leak in some versions of OpenSSL that
stopped the memory used by the hostname TLS extension from being
freed.
o Minor features:
- Add a "getinfo status/accepted-server-descriptor" controller
command, which is the recommended way for controllers to learn
whether our server descriptor has been successfully received by at
least on directory authority. Un-recommend good-server-descriptor
getinfo and status events until we have a better design for them.
Changes in version 0.2.1.19 - 2009-07-28
Tor 0.2.1.19 fixes a major bug with accessing and providing hidden
services on Tor 0.2.1.3-alpha through 0.2.1.18.
o Major bugfixes:
- Make accessing hidden services on 0.2.1.x work right again.
Bugfix on 0.2.1.3-alpha; workaround for bug 1038. Diagnosis and
part of patch provided by "optimist".
o Minor features:
- When a relay/bridge is writing out its identity key fingerprint to
the "fingerprint" file and to its logs, write it without spaces. Now
it will look like the fingerprints in our bridges documentation,
and confuse fewer users.
o Minor bugfixes:
- Relays no longer publish a new server descriptor if they change
their MaxAdvertisedBandwidth config option but it doesn't end up
changing their advertised bandwidth numbers. Bugfix on 0.2.0.28-rc;
fixes bug 1026. Patch from Sebastian.
- Avoid leaking memory every time we get a create cell but we have
so many already queued that we refuse it. Bugfix on 0.2.0.19-alpha;
fixes bug 1034. Reported by BarkerJr.
Changes in version 0.2.1.18 - 2009-07-24
Tor 0.2.1.18 lays the foundations for performance improvements,
adds status events to help users diagnose bootstrap problems, adds
optional authentication/authorization for hidden services, fixes a
variety of potential anonymity problems, and includes a huge pile of
other features and bug fixes.
o Build fixes:
- Add LIBS=-lrt to Makefile.am so the Tor RPMs use a static libevent.
Changes in version 0.2.1.17-rc - 2009-07-07
Tor 0.2.1.17-rc marks the fourth -- and hopefully last -- release
candidate for the 0.2.1.x series. It lays the groundwork for further
client performance improvements, and also fixes a big bug with directory
authorities that were causing them to assign Guard and Stable flags
poorly.
The Windows bundles also finally include the geoip database that we
thought we'd been shipping since 0.2.0.x (oops), and the OS X bundles
should actually install Torbutton rather than giving you a cryptic
failure message (oops).
o Major features:
- Clients now use the bandwidth values in the consensus, rather than
the bandwidth values in each relay descriptor. This approach opens
the door to more accurate bandwidth estimates once the directory
authorities start doing active measurements. Implements more of
proposal 141.
o Major bugfixes:
- When Tor clients restart after 1-5 days, they discard all their
cached descriptors as too old, but they still use the cached
consensus document. This approach is good for robustness, but
bad for performance: since they don't know any bandwidths, they
end up choosing at random rather than weighting their choice by
speed. Fixed by the above feature of putting bandwidths in the
consensus. Bugfix on 0.2.0.x.
- Directory authorities were neglecting to mark relays down in their
internal histories if the relays fall off the routerlist without
ever being found unreachable. So there were relays in the histories
that haven't been seen for eight months, and are listed as being
up for eight months. This wreaked havoc on the "median wfu"
and "median mtbf" calculations, in turn making Guard and Stable
flags very wrong, hurting network performance. Fixes bugs 696 and
969. Bugfix on 0.2.0.6-alpha.
o Minor bugfixes:
- Serve the DirPortFrontPage page even when we have been approaching
our quotas recently. Fixes bug 1013; bugfix on 0.2.1.8-alpha.
- The control port would close the connection before flushing long
replies, such as the network consensus, if a QUIT command was issued
before the reply had completed. Now, the control port flushes all
pending replies before closing the connection. Also fixed a spurious
warning when a QUIT command is issued after a malformed or rejected
AUTHENTICATE command, but before the connection was closed. Patch
by Marcus Griep. Bugfix on 0.2.0.x; fixes bugs 1015 and 1016.
- When we can't find an intro key for a v2 hidden service descriptor,
fall back to the v0 hidden service descriptor and log a bug message.
Workaround for bug 1024.
- Fix a log message that did not respect the SafeLogging option.
Resolves bug 1027.
o Minor features:
- If we're a relay and we change our IP address, be more verbose
about the reason that made us change. Should help track down
further bugs for relays on dynamic IP addresses.
Changes in version 0.2.0.35 - 2009-06-24
o Security fix:
- Avoid crashing in the presence of certain malformed descriptors.
Found by lark, and by automated fuzzing.
- Fix an edge case where a malicious exit relay could convince a
controller that the client's DNS question resolves to an internal IP
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
o Major bugfixes:
- Finally fix the bug where dynamic-IP relays disappear when their
IP address changes: directory mirrors were mistakenly telling
them their old address if they asked via begin_dir, so they
never got an accurate answer about their new address, so they
just vanished after a day. For belt-and-suspenders, relays that
don't set Address in their config now avoid using begin_dir for
all direct connections. Should fix bugs 827, 883, and 900.
- Fix a timing-dependent, allocator-dependent, DNS-related crash bug
that would occur on some exit nodes when DNS failures and timeouts
occurred in certain patterns. Fix for bug 957.
o Minor bugfixes:
- When starting with a cache over a few days old, do not leak
memory for the obsolete router descriptors in it. Bugfix on
0.2.0.33; fixes bug 672.
- Hidden service clients didn't use a cached service descriptor that
was older than 15 minutes, but wouldn't fetch a new one either,
because there was already one in the cache. Now, fetch a v2
descriptor unless the same descriptor was added to the cache within
the last 15 minutes. Fixes bug 997; reported by Marcus Griep.
Changes in version 0.2.1.16-rc - 2009-06-20
Tor 0.2.1.16-rc speeds up performance for fast exit relays, and fixes
a bunch of minor bugs.
o Security fixes:
- Fix an edge case where a malicious exit relay could convince a
controller that the client's DNS question resolves to an internal IP
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
o Major performance improvements (on 0.2.0.x):
- Disable and refactor some debugging checks that forced a linear scan
over the whole server-side DNS cache. These accounted for over 50%
of CPU time on a relatively busy exit node's gprof profile. Found
by Jacob.
- Disable some debugging checks that appeared in exit node profile
data.
o Minor features:
- Update to the "June 3 2009" ip-to-country file.
- Do not have tor-resolve automatically refuse all .onion addresses;
if AutomapHostsOnResolve is set in your torrc, this will work fine.
o Minor bugfixes (on 0.2.0.x):
- Log correct error messages for DNS-related network errors on
Windows.
- Fix a race condition that could cause crashes or memory corruption
when running as a server with a controller listening for log
messages.
- Avoid crashing when we have a policy specified in a DirPolicy or
SocksPolicy or ReachableAddresses option with ports set on it,
and we re-load the policy. May fix bug 996.
- Hidden service clients didn't use a cached service descriptor that
was older than 15 minutes, but wouldn't fetch a new one either,
because there was already one in the cache. Now, fetch a v2
descriptor unless the same descriptor was added to the cache within
the last 15 minutes. Fixes bug 997; reported by Marcus Griep.
o Minor bugfixes (on 0.2.1.x):
- Don't warn users about low port and hibernation mix when they
provide a *ListenAddress directive to fix that. Bugfix on
0.2.1.15-rc.
- When switching back and forth between bridge mode, do not start
gathering GeoIP data until two hours have passed.
- Do not complain that the user has requested an excluded node as
an exit when the node is not really an exit. This could happen
because the circuit was for testing, or an introduction point.
Fix for bug 984.
Changes in version 0.2.1.15-rc - 2009-05-25
Tor 0.2.1.15-rc marks the second release candidate for the 0.2.1.x
series. It fixes a major bug on fast exit relays, as well as a variety
of more minor bugs.
o Major bugfixes (on 0.2.0.x):
- Fix a timing-dependent, allocator-dependent, DNS-related crash bug
that would occur on some exit nodes when DNS failures and timeouts
occurred in certain patterns. Fix for bug 957.
o Minor bugfixes (on 0.2.0.x):
- Actually return -1 in the error case for read_bandwidth_usage().
Harmless bug, since we currently don't care about the return value
anywhere. Bugfix on 0.2.0.9-alpha.
- Provide a more useful log message if bug 977 (related to buffer
freelists) ever reappears, and do not crash right away.
- Fix an assertion failure on 64-bit platforms when we allocated
memory right up to the end of a memarea, then realigned the memory
one step beyond the end. Fixes a possible cause of bug 930.
- Protect the count of open sockets with a mutex, so we can't
corrupt it when two threads are closing or opening sockets at once.
Fix for bug 939. Bugfix on 0.2.0.1-alpha.
- Don't allow a bridge to publish its router descriptor to a
non-bridge directory authority. Fixes part of bug 932.
- When we change to or from being a bridge, reset our counts of
client usage by country. Fixes bug 932.
- Fix a bug that made stream bandwidth get misreported to the
controller.
- Stop using malloc_usable_size() to use more area than we had
actually allocated: it was safe, but made valgrind really unhappy.
- Fix a memory leak when v3 directory authorities load their keys
and cert from disk. Bugfix on 0.2.0.1-alpha.
o Minor bugfixes (on 0.2.1.x):
- Fix use of freed memory when deciding to mark a non-addable
descriptor as never-downloadable. Bugfix on 0.2.1.9-alpha.
Changes in version 0.2.1.14-rc - 2009-04-12
Tor 0.2.1.14-rc marks the first release candidate for the 0.2.1.x
series. It begins fixing some major performance problems, and also
finally addresses the bug that was causing relays on dynamic IP
addresses to fall out of the directory.
o Major features:
- Clients replace entry guards that were chosen more than a few months
ago. This change should significantly improve client performance,
especially once more people upgrade, since relays that have been
a guard for a long time are currently overloaded.
o Major bugfixes (on 0.2.0):
- Finally fix the bug where dynamic-IP relays disappear when their
IP address changes: directory mirrors were mistakenly telling
them their old address if they asked via begin_dir, so they
never got an accurate answer about their new address, so they
just vanished after a day. For belt-and-suspenders, relays that
don't set Address in their config now avoid using begin_dir for
all direct connections. Should fix bugs 827, 883, and 900.
- Relays were falling out of the networkstatus consensus for
part of a day if they changed their local config but the
authorities discarded their new descriptor as "not sufficiently
different". Now directory authorities accept a descriptor as changed
if bandwidthrate or bandwidthburst changed. Partial fix for bug 962;
patch by Sebastian.
- Avoid crashing in the presence of certain malformed descriptors.
Found by lark, and by automated fuzzing.
o Minor features:
- When generating circuit events with verbose nicknames for
controllers, try harder to look up nicknames for routers on a
circuit. (Previously, we would look in the router descriptors we had
for nicknames, but not in the consensus.) Partial fix for bug 941.
- If the bridge config line doesn't specify a port, assume 443.
This makes bridge lines a bit smaller and easier for users to
understand.
- Raise the minimum bandwidth to be a relay from 20000 bytes to 20480
bytes (aka 20KB/s), to match our documentation. Also update
directory authorities so they always assign the Fast flag to relays
with 20KB/s of capacity. Now people running relays won't suddenly
find themselves not seeing any use, if the network gets faster
on average.
- Update to the "April 3 2009" ip-to-country file.
o Minor bugfixes:
- Avoid trying to print raw memory to the logs when we decide to
give up on downloading a given relay descriptor. Bugfix on
0.2.1.9-alpha.
- In tor-resolve, when the Tor client to use is specified by
<hostname>:<port>, actually use the specified port rather than
defaulting to 9050. Bugfix on 0.2.1.6-alpha.
- Make directory usage recording work again. Bugfix on 0.2.1.6-alpha.
- When starting with a cache over a few days old, do not leak
memory for the obsolete router descriptors in it. Bugfix on
0.2.0.33.
- Avoid double-free on list of successfully uploaded hidden
service discriptors. Fix for bug 948. Bugfix on 0.2.1.6-alpha.
- Change memarea_strndup() implementation to work even when
duplicating a string at the end of a page. This bug was
harmless for now, but could have meant crashes later. Fix by
lark. Bugfix on 0.2.1.1-alpha.
- Limit uploaded directory documents to be 16M rather than 500K.
The directory authorities were refusing v3 consensus votes from
other authorities, since the votes are now 504K. Fixes bug 959;
bugfix on 0.0.2pre17 (where we raised it from 50K to 500K ;).
- Directory authorities should never send a 503 "busy" response to
requests for votes or keys. Bugfix on 0.2.0.8-alpha; exposed by
bug 959.
Changes in version 0.2.1.13-alpha - 2009-03-09
Tor 0.2.1.13-alpha includes another big pile of minor bugfixes and
cleanups. We're finally getting close to a release candidate.
o Major bugfixes:
- Correctly update the list of which countries we exclude as
exits, when the GeoIP file is loaded or reloaded. Diagnosed by
lark. Bugfix on 0.2.1.6-alpha.
o Minor bugfixes (on 0.2.0.x and earlier):
- Automatically detect MacOSX versions earlier than 10.4.0, and
disable kqueue from inside Tor when running with these versions.
We previously did this from the startup script, but that was no
help to people who didn't use the startup script. Resolves bug 863.
- When we had picked an exit node for a connection, but marked it as
"optional", and it turned out we had no onion key for the exit,
stop wanting that exit and try again. This situation may not
be possible now, but will probably become feasible with proposal
158. Spotted by rovv. Fixes another case of bug 752.
- Clients no longer cache certificates for authorities they do not
recognize. Bugfix on 0.2.0.9-alpha.
- When we can't transmit a DNS request due to a network error, retry
it after a while, and eventually transmit a failing response to
the RESOLVED cell. Bugfix on 0.1.2.5-alpha.
- If the controller claimed responsibility for a stream, but that
stream never finished making its connection, it would live
forever in circuit_wait state. Now we close it after SocksTimeout
seconds. Bugfix on 0.1.2.7-alpha; reported by Mike Perry.
- Drop begin cells to a hidden service if they come from the middle
of a circuit. Patch from lark.
- When we erroneously receive two EXTEND cells for the same circuit
ID on the same connection, drop the second. Patch from lark.
- Fix a crash that occurs on exit nodes when a nameserver request
timed out. Bugfix on 0.1.2.1-alpha; our CLEAR debugging code had
been suppressing the bug since 0.1.2.10-alpha. Partial fix for
bug 929.
- Do not assume that a stack-allocated character array will be
64-bit aligned on platforms that demand that uint64_t access is
aligned. Possible fix for bug 604.
- Parse dates and IPv4 addresses in a locale- and libc-independent
manner, to avoid platform-dependent behavior on malformed input.
- Build correctly when configured to build outside the main source
path. Patch from Michael Gold.
- We were already rejecting relay begin cells with destination port
of 0. Now also reject extend cells with destination port or address
of 0. Suggested by lark.
o Minor bugfixes (on 0.2.1.x):
- Don't re-extend introduction circuits if we ran out of RELAY_EARLY
cells. Bugfix on 0.2.1.3-alpha. Fixes more of bug 878.
- If we're an exit node, scrub the IP address to which we are exiting
in the logs. Bugfix on 0.2.1.8-alpha.
o Minor features:
- On Linux, use the prctl call to re-enable core dumps when the user
is option is set.
- New controller event NEWCONSENSUS that lists the networkstatus
lines for every recommended relay. Now controllers like Torflow
can keep up-to-date on which relays they should be using.
- Update to the "February 26 2009" ip-to-country file.
Changes in version 0.2.0.34 - 2009-02-08
Tor 0.2.0.34 features several more security-related fixes. You should
upgrade, especially if you run an exit relay (remote crash) or a
directory authority (remote infinite loop), or you're on an older
(pre-XP) or not-recently-patched Windows (remote exploit).
This release marks end-of-life for Tor 0.1.2.x. Those Tor versions
have many known flaws, and nobody should be using them. You should
upgrade. If you're using a Linux or BSD and its packages are obsolete,
stop using those packages and upgrade anyway.
o Security fixes:
- Fix an infinite-loop bug on handling corrupt votes under certain
circumstances. Bugfix on 0.2.0.8-alpha.
- Fix a temporary DoS vulnerability that could be performed by
a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
- Avoid a potential crash on exit nodes when processing malformed
input. Remote DoS opportunity. Bugfix on 0.2.0.33.
- Do not accept incomplete ipv4 addresses (like 192.168.0) as valid.
Spec conformance issue. Bugfix on Tor 0.0.2pre27.
o Minor bugfixes:
- Fix compilation on systems where time_t is a 64-bit integer.
Patch from Matthias Drochner.
- Don't consider expiring already-closed client connections. Fixes
bug 893. Bugfix on 0.0.2pre20.
Changes in version 0.2.1.12-alpha - 2009-02-08
Tor 0.2.1.12-alpha features several more security-related fixes. You
should upgrade, especially if you run an exit relay (remote crash) or
a directory authority (remote infinite loop), or you're on an older
(pre-XP) or not-recently-patched Windows (remote exploit). It also
includes a big pile of minor bugfixes and cleanups.
o Security fixes:
- Fix an infinite-loop bug on handling corrupt votes under certain
circumstances. Bugfix on 0.2.0.8-alpha.
- Fix a temporary DoS vulnerability that could be performed by
a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
- Avoid a potential crash on exit nodes when processing malformed
input. Remote DoS opportunity. Bugfix on 0.2.1.7-alpha.
o Minor bugfixes:
- Let controllers actually ask for the "clients_seen" event for
getting usage summaries on bridge relays. Bugfix on 0.2.1.10-alpha;
reported by Matt Edman.
- Fix a compile warning on OSX Panther. Fixes bug 913; bugfix against
0.2.1.11-alpha.
- Fix a bug in address parsing that was preventing bridges or hidden
service targets from being at IPv6 addresses.
- Solve a bug that kept hardware crypto acceleration from getting
enabled when accounting was turned on. Fixes bug 907. Bugfix on
0.0.9pre6.
- Remove a bash-ism from configure.in to build properly on non-Linux
platforms. Bugfix on 0.2.1.1-alpha.
- Fix code so authorities _actually_ send back X-Descriptor-Not-New
headers. Bugfix on 0.2.0.10-alpha.
- Don't consider expiring already-closed client connections. Fixes
bug 893. Bugfix on 0.0.2pre20.
- Fix another interesting corner-case of bug 891 spotted by rovv:
Previously, if two hosts had different amounts of clock drift, and
one of them created a new connection with just the wrong timing,
the other might decide to deprecate the new connection erroneously.
Bugfix on 0.1.1.13-alpha.
- Resolve a very rare crash bug that could occur when the user forced
a nameserver reconfiguration during the middle of a nameserver
probe. Fixes bug 526. Bugfix on 0.1.2.1-alpha.
- Support changing value of ServerDNSRandomizeCase during SIGHUP.
Bugfix on 0.2.1.7-alpha.
- If we're using bridges and our network goes away, be more willing
to forgive our bridges and try again when we get an application
request. Bugfix on 0.2.0.x.
o Minor features:
- Support platforms where time_t is 64 bits long. (Congratulations,
NetBSD!) Patch from Matthias Drochner.
- Add a 'getinfo status/clients-seen' controller command, in case
controllers want to hear clients_seen events but connect late.
o Build changes:
- Disable GCC's strict alias optimization by default, to avoid the
likelihood of its introducing subtle bugs whenever our code violates
the letter of C99's alias rules.
Changes in version 0.2.0.33 - 2009-01-21
Tor 0.2.0.33 fixes a variety of bugs that were making relays less
useful to users. It also finally fixes a bug where a relay or client
that's been off for many days would take a long time to bootstrap.
This update also fixes an important security-related bug reported by
Ilja van Sprundel. You should upgrade. (We'll send out more details
about the bug once people have had some time to upgrade.)
o Security fixes:
- Fix a heap-corruption bug that may be remotely triggerable on
some platforms. Reported by Ilja van Sprundel.
o Major bugfixes:
- When a stream at an exit relay is in state "resolving" or
"connecting" and it receives an "end" relay cell, the exit relay
would silently ignore the end cell and not close the stream. If
the client never closes the circuit, then the exit relay never
closes the TCP connection. Bug introduced in Tor 0.1.2.1-alpha;
reported by "wood".
- When sending CREATED cells back for a given circuit, use a 64-bit
connection ID to find the right connection, rather than an addr:port
combination. Now that we can have multiple OR connections between
the same ORs, it is no longer possible to use addr:port to uniquely
identify a connection.
- Bridge relays that had DirPort set to 0 would stop fetching
descriptors shortly after startup, and then briefly resume
after a new bandwidth test and/or after publishing a new bridge
descriptor. Bridge users that try to bootstrap from them would
get a recent networkstatus but would get descriptors from up to
18 hours earlier, meaning most of the descriptors were obsolete
already. Reported by Tas; bugfix on 0.2.0.13-alpha.
- Prevent bridge relays from serving their 'extrainfo' document
to anybody who asks, now that extrainfo docs include potentially
sensitive aggregated client geoip summaries. Bugfix on
0.2.0.13-alpha.
- If the cached networkstatus consensus is more than five days old,
discard it rather than trying to use it. In theory it could be
useful because it lists alternate directory mirrors, but in practice
it just means we spend many minutes trying directory mirrors that
are long gone from the network. Also discard router descriptors as
we load them if they are more than five days old, since the onion
key is probably wrong by now. Bugfix on 0.2.0.x. Fixes bug 887.
o Minor bugfixes:
- Do not mark smartlist_bsearch_idx() function as ATTR_PURE. This bug
could make gcc generate non-functional binary search code. Bugfix
on 0.2.0.10-alpha.
- Build correctly on platforms without socklen_t.
- Compile without warnings on solaris.
- Avoid potential crash on internal error during signature collection.
Fixes bug 864. Patch from rovv.
- Correct handling of possible malformed authority signing key
certificates with internal signature types. Fixes bug 880.
Bugfix on 0.2.0.3-alpha.
- Fix a hard-to-trigger resource leak when logging credential status.
CID 349.
- When we can't initialize DNS because the network is down, do not
automatically stop Tor from starting. Instead, we retry failed
dns_init() every 10 minutes, and change the exit policy to reject
*:* until one succeeds. Fixes bug 691.
- Use 64 bits instead of 32 bits for connection identifiers used with
the controller protocol, to greatly reduce risk of identifier reuse.
- When we're choosing an exit node for a circuit, and we have
no pending streams, choose a good general exit rather than one that
supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv.
- Fix another case of assuming, when a specific exit is requested,
that we know more than the user about what hosts it allows.
Fixes one case of bug 752. Patch from rovv.
- Clip the MaxCircuitDirtiness config option to a minimum of 10
seconds. Warn the user if lower values are given in the
configuration. Bugfix on 0.1.0.1-rc. Patch by Sebastian.
- Clip the CircuitBuildTimeout to a minimum of 30 seconds. Warn the
user if lower values are given in the configuration. Bugfix on
0.1.1.17-rc. Patch by Sebastian.
- Fix a memory leak when we decline to add a v2 rendezvous descriptor to
the cache because we already had a v0 descriptor with the same ID.
Bugfix on 0.2.0.18-alpha.
- Fix a race condition when freeing keys shared between main thread
and CPU workers that could result in a memory leak. Bugfix on
0.1.0.1-rc. Fixes bug 889.
- Send a valid END cell back when a client tries to connect to a
nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
840. Patch from rovv.
- Check which hops rendezvous stream cells are associated with to
prevent possible guess-the-streamid injection attacks from
intermediate hops. Fixes another case of bug 446. Based on patch
from rovv.
- If a broken client asks a non-exit router to connect somewhere,
do not even do the DNS lookup before rejecting the connection.
Fixes another case of bug 619. Patch from rovv.
- When a relay gets a create cell it can't decrypt (e.g. because it's
using the wrong onion key), we were dropping it and letting the
client time out. Now actually answer with a destroy cell. Fixes
bug 904. Bugfix on 0.0.2pre8.
o Minor bugfixes (hidden services):
- Do not throw away existing introduction points on SIGHUP. Bugfix on
0.0.6pre1. Patch by Karsten. Fixes bug 874.
o Minor features:
- Report the case where all signatures in a detached set are rejected
differently than the case where there is an error handling the
detached set.
- When we realize that another process has modified our cached
descriptors, print out a more useful error message rather than
triggering an assertion. Fixes bug 885. Patch from Karsten.
- Implement the 0x20 hack to better resist DNS poisoning: set the
case on outgoing DNS requests randomly, and reject responses that do
not match the case correctly. This logic can be disabled with the
ServerDNSRamdomizeCase setting, if you are using one of the 0.3%
of servers that do not reliably preserve case in replies. See
"Increased DNS Forgery Resistance through 0x20-Bit Encoding"
for more info.
- Check DNS replies for more matching fields to better resist DNS
poisoning.
- Never use OpenSSL compression: it wastes RAM and CPU trying to
compress cells, which are basically all encrypted, compressed, or
both.
Changes in version 0.2.1.11-alpha - 2009-01-20
Tor 0.2.1.11-alpha finishes fixing the "if your Tor is off for a
week it will take a long time to bootstrap again" bug. It also fixes
an important security-related bug reported by Ilja van Sprundel. You
should upgrade. (We'll send out more details about the bug once people
have had some time to upgrade.)
o Security fixes:
- Fix a heap-corruption bug that may be remotely triggerable on
some platforms. Reported by Ilja van Sprundel.
o Major bugfixes:
- Discard router descriptors as we load them if they are more than
five days old. Otherwise if Tor is off for a long time and then
starts with cached descriptors, it will try to use the onion
keys in those obsolete descriptors when building circuits. Bugfix
on 0.2.0.x. Fixes bug 887.
o Minor features:
- Try to make sure that the version of Libevent we're running with
is binary-compatible with the one we built with. May address bug
897 and others.
- Make setting ServerDNSRandomizeCase to 0 actually work. Bugfix
for bug 905. Bugfix on 0.2.1.7-alpha.
- Add a new --enable-local-appdata configuration switch to change
the default location of the datadir on win32 from APPDATA to
LOCAL_APPDATA. In the future, we should migrate to LOCAL_APPDATA
entirely. Patch from coderman.
o Minor bugfixes:
- Make outbound DNS packets respect the OutboundBindAddress setting.
Fixes the bug part of bug 798. Bugfix on 0.1.2.2-alpha.
- When our circuit fails at the first hop (e.g. we get a destroy
cell back), avoid using that OR connection anymore, and also
tell all the one-hop directory requests waiting for it that they
should fail. Bugfix on 0.2.1.3-alpha.
- In the torify(1) manpage, mention that tsocks will leak your
DNS requests.
Changes in version 0.2.1.10-alpha - 2009-01-06
Tor 0.2.1.10-alpha fixes two major bugs in bridge relays (one that
would make the bridge relay not so useful if it had DirPort set to 0,
and one that could let an attacker learn a little bit of information
about the bridge's users), and a bug that would cause your Tor relay
to ignore a circuit create request it can't decrypt (rather than reply
with an error). It also fixes a wide variety of other bugs.
o Major bugfixes:
- If the cached networkstatus consensus is more than five days old,
discard it rather than trying to use it. In theory it could
be useful because it lists alternate directory mirrors, but in
practice it just means we spend many minutes trying directory
mirrors that are long gone from the network. Helps bug 887 a bit;
bugfix on 0.2.0.x.
- Bridge relays that had DirPort set to 0 would stop fetching
descriptors shortly after startup, and then briefly resume
after a new bandwidth test and/or after publishing a new bridge
descriptor. Bridge users that try to bootstrap from them would
get a recent networkstatus but would get descriptors from up to
18 hours earlier, meaning most of the descriptors were obsolete
already. Reported by Tas; bugfix on 0.2.0.13-alpha.
- Prevent bridge relays from serving their 'extrainfo' document
to anybody who asks, now that extrainfo docs include potentially
sensitive aggregated client geoip summaries. Bugfix on
0.2.0.13-alpha.
o Minor features:
- New controller event "clients_seen" to report a geoip-based summary
of which countries we've seen clients from recently. Now controllers
like Vidalia can show bridge operators that they're actually making
a difference.
- Build correctly against versions of OpenSSL 0.9.8 or later built
without support for deprecated functions.
- Update to the "December 19 2008" ip-to-country file.
o Minor bugfixes (on 0.2.0.x):
- Authorities now vote for the Stable flag for any router whose
weighted MTBF is at least 5 days, regardless of the mean MTBF.
- Do not remove routers as too old if we do not have any consensus
document. Bugfix on 0.2.0.7-alpha.
- Do not accept incomplete ipv4 addresses (like 192.168.0) as valid.
Spec conformance issue. Bugfix on Tor 0.0.2pre27.
- When an exit relay resolves a stream address to a local IP address,
do not just keep retrying that same exit relay over and
over. Instead, just close the stream. Addresses bug 872. Bugfix
on 0.2.0.32. Patch from rovv.
- If a hidden service sends us an END cell, do not consider
retrying the connection; just close it. Patch from rovv.
- When we made bridge authorities stop serving bridge descriptors over
unencrypted links, we also broke DirPort reachability testing for
bridges. So bridges with a non-zero DirPort were printing spurious
warns to their logs. Bugfix on 0.2.0.16-alpha. Fixes bug 709.
- When a relay gets a create cell it can't decrypt (e.g. because it's
using the wrong onion key), we were dropping it and letting the
client time out. Now actually answer with a destroy cell. Fixes
bug 904. Bugfix on 0.0.2pre8.
- Squeeze 2-5% out of client performance (according to oprofile) by
improving the implementation of some policy-manipulation functions.
o Minor bugfixes (on 0.2.1.x):
- Make get_interface_address() function work properly again; stop
guessing the wrong parts of our address as our address.
- Do not cannibalize a circuit if we're out of RELAY_EARLY cells to
send on that circuit. Otherwise we might violate the proposal-110
limit. Bugfix on 0.2.1.3-alpha. Partial fix for bug 878. Diagnosis
thanks to Karsten.
- When we're sending non-EXTEND cells to the first hop in a circuit,
for example to use an encrypted directory connection, we don't need
to use RELAY_EARLY cells: the first hop knows what kind of cell
it is, and nobody else can even see the cell type. Conserving
RELAY_EARLY cells makes it easier to cannibalize circuits like
this later.
- Stop logging nameserver addresses in reverse order.
- If we are retrying a directory download slowly over and over, do
not automatically give up after the 254th failure. Bugfix on
0.2.1.9-alpha.
- Resume reporting accurate "stream end" reasons to the local control
port. They were lost in the changes for Proposal 148. Bugfix on
0.2.1.9-alpha.
o Deprecated and removed features:
- The old "tor --version --version" command, which would print out
the subversion "Id" of most of the source files, is now removed. It
turned out to be less useful than we'd expected, and harder to
maintain.
o Code simplifications and refactoring:
- Change our header file guard macros to be less likely to conflict
with system headers. Adam Langley noticed that we were conflicting
with log.h on Android.
- Tool-assisted documentation cleanup. Nearly every function or
static variable in Tor should have its own documentation now.
Changes in version 0.2.1.9-alpha - 2008-12-25
Tor 0.2.1.9-alpha fixes many more bugs, some of them security-related.
o New directory authorities:
- gabelmoo (the authority run by Karsten Loesing) now has a new
IP address.
o Security fixes:
- Never use a connection with a mismatched address to extend a
circuit, unless that connection is canonical. A canonical
connection is one whose address is authenticated by the router's
identity key, either in a NETINFO cell or in a router descriptor.
- Avoid a possible memory corruption bug when receiving hidden service
descriptors. Bugfix on 0.2.1.6-alpha.
o Major bugfixes:
- Fix a logic error that would automatically reject all but the first
configured DNS server. Bugfix on 0.2.1.5-alpha. Possible fix for
part of bug 813/868. Bug spotted by coderman.
- When a stream at an exit relay is in state "resolving" or
"connecting" and it receives an "end" relay cell, the exit relay
would silently ignore the end cell and not close the stream. If
the client never closes the circuit, then the exit relay never
closes the TCP connection. Bug introduced in 0.1.2.1-alpha;
reported by "wood".
- When we can't initialize DNS because the network is down, do not
automatically stop Tor from starting. Instead, retry failed
dns_init() every 10 minutes, and change the exit policy to reject
*:* until one succeeds. Fixes bug 691.
o Minor features:
- Give a better error message when an overzealous init script says
"sudo -u username tor --user username". Makes Bug 882 easier for
users to diagnose.
- When a directory authority gives us a new guess for our IP address,
log which authority we used. Hopefully this will help us debug
the recent complaints about bad IP address guesses.
- Detect svn revision properly when we're using git-svn.
- Try not to open more than one descriptor-downloading connection
to an authority at once. This should reduce load on directory
authorities. Fixes bug 366.
- Add cross-certification to newly generated certificates, so that
a signing key is enough information to look up a certificate.
Partial implementation of proposal 157.
- Start serving certificates by <identity digest, signing key digest>
pairs. Partial implementation of proposal 157.
- Clients now never report any stream end reason except 'MISC'.
Implements proposal 148.
- On platforms with a maximum syslog string length, truncate syslog
messages to that length ourselves, rather than relying on the
system to do it for us.
- Optimize out calls to time(NULL) that occur for every IO operation,
or for every cell. On systems where time() is a slow syscall,
this fix will be slightly helpful.
- Exit servers can now answer resolve requests for ip6.arpa addresses.
- When we download a descriptor that we then immediately (as
a directory authority) reject, do not retry downloading it right
away. Should save some bandwidth on authorities. Fix for bug
888. Patch by Sebastian Hahn.
- When a download gets us zero good descriptors, do not notify
Tor that new directory information has arrived.
- Avoid some nasty corner cases in the logic for marking connections
as too old or obsolete or noncanonical for circuits. Partial
bugfix on bug 891.
o Minor features (controller):
- New CONSENSUS_ARRIVED event to note when a new consensus has
been fetched and validated.
- When we realize that another process has modified our cached
descriptors file, print out a more useful error message rather
than triggering an assertion. Fixes bug 885. Patch from Karsten.
- Add an internal-use-only __ReloadTorrcOnSIGHUP option for
controllers to prevent SIGHUP from reloading the
configuration. Fixes bug 856.
o Minor bugfixes:
- Resume using the correct "REASON=" stream when telling the
controller why we closed a stream. Bugfix in 0.2.1.1-alpha.
- When a canonical connection appears later in our internal list
than a noncanonical one for a given OR ID, always use the
canonical one. Bugfix on 0.2.0.12-alpha. Fixes bug 805.
Spotted by rovv.
- Clip the MaxCircuitDirtiness config option to a minimum of 10
seconds. Warn the user if lower values are given in the
configuration. Bugfix on 0.1.0.1-rc. Patch by Sebastian.
- Clip the CircuitBuildTimeout to a minimum of 30 seconds. Warn the
user if lower values are given in the configuration. Bugfix on
0.1.1.17-rc. Patch by Sebastian.
- Fix a race condition when freeing keys shared between main thread
and CPU workers that could result in a memory leak. Bugfix on
0.1.0.1-rc. Fixes bug 889.
o Minor bugfixes (hidden services):
- Do not throw away existing introduction points on SIGHUP (bugfix on
0.0.6pre1); also, do not stall hidden services because we're
throwing away introduction points; bugfix on 0.2.1.7-alpha. Spotted
by John Brooks. Patch by Karsten. Fixes bug 874.
- Fix a memory leak when we decline to add a v2 rendezvous
descriptor to the cache because we already had a v0 descriptor
with the same ID. Bugfix on 0.2.0.18-alpha.
o Deprecated and removed features:
- RedirectExits has been removed. It was deprecated since
0.2.0.3-alpha.
- Finally remove deprecated "EXTENDED_FORMAT" controller feature. It
has been called EXTENDED_EVENTS since 0.1.2.4-alpha.
- Cell pools are now always enabled; --disable-cell-pools is ignored.
o Code simplifications and refactoring:
- Rename the confusing or_is_obsolete field to the more appropriate
is_bad_for_new_circs, and move it to or_connection_t where it
belongs.
- Move edge-only flags from connection_t to edge_connection_t: not
only is this better coding, but on machines of plausible alignment,
it should save 4-8 bytes per connection_t. "Every little bit helps."
- Rename ServerDNSAllowBrokenResolvConf to ServerDNSAllowBrokenConfig
for consistency; keep old option working for backward compatibility.
- Simplify the code for finding connections to use for a circuit.
Changes in version 0.2.1.8-alpha - 2008-12-08
Tor 0.2.1.8-alpha fixes some crash bugs in earlier alpha releases,
builds better on unusual platforms like Solaris and old OS X, and
fixes a variety of other issues.
o Major features:
- New DirPortFrontPage option that takes an html file and publishes
it as "/" on the DirPort. Now relay operators can provide a
disclaimer without needing to set up a separate webserver. There's
a sample disclaimer in contrib/tor-exit-notice.html.
o Security fixes:
- When the client is choosing entry guards, now it selects at most
one guard from a given relay family. Otherwise we could end up with
all of our entry points into the network run by the same operator.
Suggested by Camilo Viecco. Fix on 0.1.1.11-alpha.
o Major bugfixes:
- Fix a DOS opportunity during the voting signature collection process
at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x.
- Fix a possible segfault when establishing an exit connection. Bugfix
on 0.2.1.5-alpha.
o Minor bugfixes:
- Get file locking working on win32. Bugfix on 0.2.1.6-alpha. Fixes
bug 859.
- Made Tor a little less aggressive about deleting expired
certificates. Partial fix for bug 854.
- Stop doing unaligned memory access that generated bus errors on
sparc64. Bugfix on 0.2.0.10-alpha. Fix for bug 862.
- Fix a crash bug when changing EntryNodes from the controller. Bugfix
on 0.2.1.6-alpha. Fix for bug 867. Patched by Sebastian.
- Make USR2 log-level switch take effect immediately. Bugfix on
0.1.2.8-beta.
- If one win32 nameserver fails to get added, continue adding the
rest, and don't automatically fail.
- Use fcntl() for locking when flock() is not available. Should fix
compilation on Solaris. Should fix Bug 873. Bugfix on 0.2.1.6-alpha.
- Do not mark smartlist_bsearch_idx() function as ATTR_PURE. This bug
could make gcc generate non-functional binary search code. Bugfix
on 0.2.0.10-alpha.
- Build correctly on platforms without socklen_t.
- Avoid potential crash on internal error during signature collection.
Fixes bug 864. Patch from rovv.
- Do not use C's stdio library for writing to log files. This will
improve logging performance by a minute amount, and will stop
leaking fds when our disk is full. Fixes bug 861.
- Stop erroneous use of O_APPEND in cases where we did not in fact
want to re-seek to the end of a file before every last write().
- Correct handling of possible malformed authority signing key
certificates with internal signature types. Fixes bug 880. Bugfix
on 0.2.0.3-alpha.
- Fix a hard-to-trigger resource leak when logging credential status.
CID 349.
o Minor features:
- Directory mirrors no longer fetch the v1 directory or
running-routers files. They are obsolete, and nobody asks for them
anymore. This is the first step to making v1 authorities obsolete.
o Minor features (controller):
- Return circuit purposes in response to GETINFO circuit-status. Fixes
bug 858.
Changes in version 0.2.0.32 - 2008-11-20
Tor 0.2.0.32 fixes a major security problem in Debian and Ubuntu
packages (and maybe other packages) noticed by Theo de Raadt, fixes
a smaller security flaw that might allow an attacker to access local
services, further improves hidden service performance, and fixes a
variety of other issues.
o Security fixes:
- The "User" and "Group" config options did not clear the
supplementary group entries for the Tor process. The "User" option
is now more robust, and we now set the groups to the specified
user's primary group. The "Group" option is now ignored. For more
detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848 and 857.
- The "ClientDNSRejectInternalAddresses" config option wasn't being
consistently obeyed: if an exit relay refuses a stream because its
exit policy doesn't allow it, we would remember what IP address
the relay said the destination address resolves to, even if it's
an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
o Major bugfixes:
- Fix a DOS opportunity during the voting signature collection process
at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x.
o Major bugfixes (hidden services):
- When fetching v0 and v2 rendezvous service descriptors in parallel,
we were failing the whole hidden service request when the v0
descriptor fetch fails, even if the v2 fetch is still pending and
might succeed. Similarly, if the last v2 fetch fails, we were
failing the whole hidden service request even if a v0 fetch is
still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
- When extending a circuit to a hidden service directory to upload a
rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
requests failed, because the router descriptor has not been
downloaded yet. In these cases, do not attempt to upload the
rendezvous descriptor, but wait until the router descriptor is
downloaded and retry. Likewise, do not attempt to fetch a rendezvous
descriptor from a hidden service directory for which the router
descriptor has not yet been downloaded. Fixes bug 767. Bugfix
on 0.2.0.10-alpha.
o Minor bugfixes:
- Fix several infrequent memory leaks spotted by Coverity.
- When testing for libevent functions, set the LDFLAGS variable
correctly. Found by Riastradh.
- Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
bootstrapping with tunneled directory connections. Bugfix on
0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
- When asked to connect to A.B.exit:80, if we don't know the IP for A
and we know that server B rejects most-but-not all connections to
port 80, we would previously reject the connection. Now, we assume
the user knows what they were asking for. Fixes bug 752. Bugfix
on 0.0.9rc5. Diagnosed by BarkerJr.
- If we overrun our per-second write limits a little, count this as
having used up our write allocation for the second, and choke
outgoing directory writes. Previously, we had only counted this when
we had met our limits precisely. Fixes bug 824. Patch from by rovv.
Bugfix on 0.2.0.x (??).
- Remove the old v2 directory authority 'lefkada' from the default
list. It has been gone for many months.
- Stop doing unaligned memory access that generated bus errors on
sparc64. Bugfix on 0.2.0.10-alpha. Fixes bug 862.
- Make USR2 log-level switch take effect immediately. Bugfix on
0.1.2.8-beta.
o Minor bugfixes (controller):
- Make DNS resolved events into "CLOSED", not "FAILED". Bugfix on
0.1.2.5-alpha. Fix by Robert Hogan. Resolves bug 807.
Changes in version 0.2.1.7-alpha - 2008-11-08
Tor 0.2.1.7-alpha fixes a major security problem in Debian and Ubuntu
packages (and maybe other packages) noticed by Theo de Raadt, fixes
a smaller security flaw that might allow an attacker to access local
services, adds better defense against DNS poisoning attacks on exit
relays, further improves hidden service performance, and fixes a
variety of other issues.
o Security fixes:
- The "ClientDNSRejectInternalAddresses" config option wasn't being
consistently obeyed: if an exit relay refuses a stream because its
exit policy doesn't allow it, we would remember what IP address
the relay said the destination address resolves to, even if it's
an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
- The "User" and "Group" config options did not clear the
supplementary group entries for the Tor process. The "User" option
is now more robust, and we now set the groups to the specified
user's primary group. The "Group" option is now ignored. For more
detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848.
- Do not use or believe expired v3 authority certificates. Patch
from Karsten. Bugfix in 0.2.0.x. Fixes bug 851.
o Minor features:
- Now NodeFamily and MyFamily config options allow spaces in
identity fingerprints, so it's easier to paste them in.
Suggested by Lucky Green.
- Implement the 0x20 hack to better resist DNS poisoning: set the
case on outgoing DNS requests randomly, and reject responses that do
not match the case correctly. This logic can be disabled with the
ServerDNSRandomizeCase setting, if you are using one of the 0.3%
of servers that do not reliably preserve case in replies. See
"Increased DNS Forgery Resistance through 0x20-Bit Encoding"
for more info.
- Preserve case in replies to DNSPort requests in order to support
the 0x20 hack for resisting DNS poisoning attacks.
o Hidden service performance improvements:
- When the client launches an introduction circuit, retry with a
new circuit after 30 seconds rather than 60 seconds.
- Launch a second client-side introduction circuit in parallel
after a delay of 15 seconds (based on work by Christian Wilms).
- Hidden services start out building five intro circuits rather
than three, and when the first three finish they publish a service
descriptor using those. Now we publish our service descriptor much
faster after restart.
o Minor bugfixes:
- Minor fix in the warning messages when you're having problems
bootstrapping; also, be more forgiving of bootstrap problems when
we're still making incremental progress on a given bootstrap phase.
- When we're choosing an exit node for a circuit, and we have
no pending streams, choose a good general exit rather than one that
supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv.
- Send a valid END cell back when a client tries to connect to a
nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
840. Patch from rovv.
- If a broken client asks a non-exit router to connect somewhere,
do not even do the DNS lookup before rejecting the connection.
Fixes another case of bug 619. Patch from rovv.
- Fix another case of assuming, when a specific exit is requested,
that we know more than the user about what hosts it allows.
Fixes another case of bug 752. Patch from rovv.
- Check which hops rendezvous stream cells are associated with to
prevent possible guess-the-streamid injection attacks from
intermediate hops. Fixes another case of bug 446. Based on patch
from rovv.
- Avoid using a negative right-shift when comparing 32-bit
addresses. Possible fix for bug 845 and bug 811.
- Make the assert_circuit_ok() function work correctly on circuits that
have already been marked for close.
- Fix read-off-the-end-of-string error in unit tests when decoding
introduction points.
- Fix uninitialized size field for memory area allocation: may improve
memory performance during directory parsing.
- Treat duplicate certificate fetches as failures, so that we do
not try to re-fetch an expired certificate over and over and over.
- Do not say we're fetching a certificate when we'll in fact skip it
because of a pending download.
Changes in version 0.2.1.6-alpha - 2008-09-30
Tor 0.2.1.6-alpha further improves performance and robustness of
hidden services, starts work on supporting per-country relay selection,
and fixes a variety of smaller issues.
o Major features:
- Implement proposal 121: make it possible to build hidden services
that only certain clients are allowed to connect to. This is
enforced at several points, so that unauthorized clients are unable
to send INTRODUCE cells to the service, or even (depending on the
type of authentication) to learn introduction points. This feature
raises the bar for certain kinds of active attacks against hidden
services. Code by Karsten Loesing.
- Relays now store and serve v2 hidden service descriptors by default,
i.e., the new default value for HidServDirectoryV2 is 1. This is
the last step in proposal 114, which aims to make hidden service
lookups more reliable.
- Start work to allow node restrictions to include country codes. The
syntax to exclude nodes in a country with country code XX is
"ExcludeNodes {XX}". Patch from Robert Hogan. It still needs some
refinement to decide what config options should take priority if
you ask to both use a particular node and exclude it.
- Allow ExitNodes list to include IP ranges and country codes, just
like the Exclude*Nodes lists. Patch from Robert Hogan.
o Major bugfixes:
- Fix a bug when parsing ports in tor_addr_port_parse() that caused
Tor to fail to start if you had it configured to use a bridge
relay. Fixes bug 809. Bugfix on 0.2.1.5-alpha.
- When extending a circuit to a hidden service directory to upload a
rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
requests failed, because the router descriptor had not been
downloaded yet. In these cases, we now wait until the router
descriptor is downloaded, and then retry. Likewise, clients
now skip over a hidden service directory if they don't yet have
its router descriptor, rather than futilely requesting it and
putting mysterious complaints in the logs. Fixes bug 767. Bugfix
on 0.2.0.10-alpha.
- When fetching v0 and v2 rendezvous service descriptors in parallel,
we were failing the whole hidden service request when the v0
descriptor fetch fails, even if the v2 fetch is still pending and
might succeed. Similarly, if the last v2 fetch fails, we were
failing the whole hidden service request even if a v0 fetch is
still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
- DNS replies need to have names matching their requests, but
these names should be in the questions section, not necessarily
in the answers section. Fixes bug 823. Bugfix on 0.2.1.5-alpha.
o Minor features:
- Update to the "September 1 2008" ip-to-country file.
- Allow ports 465 and 587 in the default exit policy again. We had
rejected them in 0.1.0.15, because back in 2005 they were commonly
misconfigured and ended up as spam targets. We hear they are better
locked down these days.
- Use a lockfile to make sure that two Tor processes are not
simultaneously running with the same datadir.
- Serve the latest v3 networkstatus consensus via the control
port. Use "getinfo dir/status-vote/current/consensus" to fetch it.
- Better logging about stability/reliability calculations on directory
servers.
- Drop the requirement to have an open dir port for storing and
serving v2 hidden service descriptors.
- Directory authorities now serve a /tor/dbg-stability.txt URL to
help debug WFU and MTBF calculations.
- Implement most of Proposal 152: allow specialized servers to permit
single-hop circuits, and clients to use those servers to build
single-hop circuits when using a specialized controller. Patch
from Josh Albrecht. Resolves feature request 768.
- Add a -p option to tor-resolve for specifying the SOCKS port: some
people find host:port too confusing.
- Make TrackHostExit mappings expire a while after their last use, not
after their creation. Patch from Robert Hogan.
- Provide circuit purposes along with circuit events to the controller.
o Minor bugfixes:
- Fix compile on OpenBSD 4.4-current. Bugfix on 0.2.1.5-alpha.
Reported by Tas.
- Fixed some memory leaks -- some quite frequent, some almost
impossible to trigger -- based on results from Coverity.
- When testing for libevent functions, set the LDFLAGS variable
correctly. Found by Riastradh.
- Fix an assertion bug in parsing policy-related options; possible fix
for bug 811.
- Catch and report a few more bootstrapping failure cases when Tor
fails to establish a TCP connection. Cleanup on 0.2.1.x.
- Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
bootstrapping with tunneled directory connections. Bugfix on
0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
- When asked to connect to A.B.exit:80, if we don't know the IP for A
and we know that server B rejects most-but-not all connections to
port 80, we would previously reject the connection. Now, we assume
the user knows what they were asking for. Fixes bug 752. Bugfix
on 0.0.9rc5. Diagnosed by BarkerJr.
- If we are not using BEGIN_DIR cells, don't attempt to contact hidden
service directories if they have no advertised dir port. Bugfix
on 0.2.0.10-alpha.
- If we overrun our per-second write limits a little, count this as
having used up our write allocation for the second, and choke
outgoing directory writes. Previously, we had only counted this when
we had met our limits precisely. Fixes bug 824. Patch by rovv.
Bugfix on 0.2.0.x (??).
- Avoid a "0 divided by 0" calculation when calculating router uptime
at directory authorities. Bugfix on 0.2.0.8-alpha.
- Make DNS resolved controller events into "CLOSED", not
"FAILED". Bugfix on 0.1.2.5-alpha. Fix by Robert Hogan. Resolves
bug 807.
- Fix a bug where an unreachable relay would establish enough
reachability testing circuits to do a bandwidth test -- if
we already have a connection to the middle hop of the testing
circuit, then it could establish the last hop by using the existing
connection. Bugfix on 0.1.2.2-alpha, exposed when we made testing
circuits no longer use entry guards in 0.2.1.3-alpha.
- If we have correct permissions on $datadir, we complain to stdout
and fail to start. But dangerous permissions on
$datadir/cached-status/ would cause us to open a log and complain
there. Now complain to stdout and fail to start in both cases. Fixes
bug 820, reported by seeess.
- Remove the old v2 directory authority 'lefkada' from the default
list. It has been gone for many months.
o Code simplifications and refactoring:
- Revise the connection_new functions so that a more typesafe variant
exists. This will work better with Coverity, and let us find any
actual mistakes we're making here.
- Refactor unit testing logic so that dmalloc can be used sensibly
with unit tests to check for memory leaks.
- Move all hidden-service related fields from connection and circuit
structure to substructures: this way they won't eat so much memory.
Changes in version 0.2.0.31 - 2008-09-03
Tor 0.2.0.31 addresses two potential anonymity issues, starts to fix
a big bug we're seeing where in rare cases traffic from one Tor stream
gets mixed into another stream, and fixes a variety of smaller issues.
o Major bugfixes:
- Make sure that two circuits can never exist on the same connection
with the same circuit ID, even if one is marked for close. This
is conceivably a bugfix for bug 779. Bugfix on 0.1.0.4-rc.
- Relays now reject risky extend cells: if the extend cell includes
a digest of all zeroes, or asks to extend back to the relay that
sent the extend cell, tear down the circuit. Ideas suggested
by rovv.
- If not enough of our entry guards are available so we add a new
one, we might use the new one even if it overlapped with the
current circuit's exit relay (or its family). Anonymity bugfix
pointed out by rovv.
o Minor bugfixes:
- Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
- Correctly detect the presence of the linux/netfilter_ipv4.h header
when building against recent kernels. Bugfix on 0.1.2.1-alpha.
- Pick size of default geoip filename string correctly on windows.
Fixes bug 806. Bugfix on 0.2.0.30.
- Make the autoconf script accept the obsolete --with-ssl-dir
option as an alias for the actually-working --with-openssl-dir
option. Fix the help documentation to recommend --with-openssl-dir.
Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.
- When using the TransPort option on OpenBSD, and using the User
option to change UID and drop privileges, make sure to open
/dev/pf before dropping privileges. Fixes bug 782. Patch from
Christopher Davis. Bugfix on 0.1.2.1-alpha.
- Try to attach connections immediately upon receiving a RENDEZVOUS2
or RENDEZVOUS_ESTABLISHED cell. This can save a second or two
on the client side when connecting to a hidden service. Bugfix
on 0.0.6pre1. Found and fixed by Christian Wilms; resolves bug 743.
- When closing an application-side connection because its circuit is
getting torn down, generate the stream event correctly. Bugfix on
0.1.2.x. Anonymous patch.
Changes in version 0.2.1.5-alpha - 2008-08-31
Tor 0.2.1.5-alpha moves us closer to handling IPv6 destinations, puts
in a lot of the infrastructure for adding authorization to hidden
services, lays the groundwork for having clients read their load
balancing information out of the networkstatus consensus rather than
the individual router descriptors, addresses two potential anonymity
issues, and fixes a variety of smaller issues.
o Major features:
- Convert many internal address representations to optionally hold
IPv6 addresses.
- Generate and accept IPv6 addresses in many protocol elements.
- Make resolver code handle nameservers located at ipv6 addresses.
- Begin implementation of proposal 121 ("Client authorization for
hidden services"): configure hidden services with client
authorization, publish descriptors for them, and configure
authorization data for hidden services at clients. The next
step is to actually access hidden services that perform client
authorization.
- More progress toward proposal 141: Network status consensus
documents and votes now contain bandwidth information for each
router and a summary of that router's exit policy. Eventually this
will be used by clients so that they do not have to download every
known descriptor before building circuits.
o Major bugfixes (on 0.2.0.x and before):
- When sending CREATED cells back for a given circuit, use a 64-bit
connection ID to find the right connection, rather than an addr:port
combination. Now that we can have multiple OR connections between
the same ORs, it is no longer possible to use addr:port to uniquely
identify a connection.
- Relays now reject risky extend cells: if the extend cell includes
a digest of all zeroes, or asks to extend back to the relay that
sent the extend cell, tear down the circuit. Ideas suggested
by rovv.
- If not enough of our entry guards are available so we add a new
one, we might use the new one even if it overlapped with the
current circuit's exit relay (or its family). Anonymity bugfix
pointed out by rovv.
o Minor bugfixes:
- Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
- When using the TransPort option on OpenBSD, and using the User
option to change UID and drop privileges, make sure to open /dev/pf
before dropping privileges. Fixes bug 782. Patch from Christopher
Davis. Bugfix on 0.1.2.1-alpha.
- Correctly detect the presence of the linux/netfilter_ipv4.h header
when building against recent kernels. Bugfix on 0.1.2.1-alpha.
- Add a missing safe_str() call for a debug log message.
- Use 64 bits instead of 32 bits for connection identifiers used with
the controller protocol, to greatly reduce risk of identifier reuse.
- Make the autoconf script accept the obsolete --with-ssl-dir
option as an alias for the actually-working --with-openssl-dir
option. Fix the help documentation to recommend --with-openssl-dir.
Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.
o Minor features:
- Rate-limit too-many-sockets messages: when they happen, they happen
a lot. Resolves bug 748.
- Resist DNS poisoning a little better by making sure that names in
answer sections match.
- Print the SOCKS5 error message string as well as the error code
when a tor-resolve request fails. Patch from Jacob.
Changes in version 0.2.1.4-alpha - 2008-08-04
Tor 0.2.1.4-alpha fixes a pair of crash bugs in 0.2.1.3-alpha.
o Major bugfixes:
- The address part of exit policies was not correctly written
to router descriptors. This generated router descriptors that failed
their self-checks. Noticed by phobos, fixed by Karsten. Bugfix
on 0.2.1.3-alpha.
- Tor triggered a false assert when extending a circuit to a relay
but we already have a connection open to that relay. Noticed by
phobos, fixed by Karsten. Bugfix on 0.2.1.3-alpha.
o Minor bugfixes:
- Fix a hidden service logging bug: in some edge cases, the router
descriptor of a previously picked introduction point becomes
obsolete and we need to give up on it rather than continually
complaining that it has become obsolete. Observed by xiando. Bugfix
on 0.2.1.3-alpha.
o Removed features:
- Take out the TestVia config option, since it was a workaround for
a bug that was fixed in Tor 0.1.1.21.
Changes in version 0.2.1.3-alpha - 2008-08-03
Tor 0.2.1.3-alpha implements most of the pieces to prevent
infinite-length circuit attacks (see proposal 110); fixes a bug that
might cause exit relays to corrupt streams they send back; allows
address patterns (e.g. 255.128.0.0/16) to appear in ExcludeNodes and
ExcludeExitNodes config options; and fixes a big pile of bugs.
o Bootstrapping bugfixes (on 0.2.1.x-alpha):
- Send a bootstrap problem "warn" event on the first problem if the
reason is NO_ROUTE (that is, our network is down).
o Major features:
- Implement most of proposal 110: The first K cells to be sent
along a circuit are marked as special "early" cells; only K "early"
cells will be allowed. Once this code is universal, we can block
certain kinds of DOS attack by requiring that EXTEND commands must
be sent using an "early" cell.
o Major bugfixes:
- Try to attach connections immediately upon receiving a RENDEZVOUS2
or RENDEZVOUS_ESTABLISHED cell. This can save a second or two
on the client side when connecting to a hidden service. Bugfix
on 0.0.6pre1. Found and fixed by Christian Wilms; resolves bug 743.
- Ensure that two circuits can never exist on the same connection
with the same circuit ID, even if one is marked for close. This
is conceivably a bugfix for bug 779; fixes a bug on 0.1.0.4-rc.
o Minor features:
- When relays do their initial bandwidth measurement, don't limit
to just our entry guards for the test circuits. Otherwise we tend
to have multiple test circuits going through a single entry guard,
which makes our bandwidth test less accurate. Fixes part of bug 654;
patch contributed by Josh Albrecht.
- Add an ExcludeExitNodes option so users can list a set of nodes
that should be be excluded from the exit node position, but
allowed elsewhere. Implements proposal 151.
- Allow address patterns (e.g., 255.128.0.0/16) to appear in
ExcludeNodes and ExcludeExitNodes lists.
- Change the implementation of ExcludeNodes and ExcludeExitNodes to
be more efficient. Formerly it was quadratic in the number of
servers; now it should be linear. Fixes bug 509.
- Save 16-22 bytes per open circuit by moving the n_addr, n_port,
and n_conn_id_digest fields into a separate structure that's
only needed when the circuit has not yet attached to an n_conn.
o Minor bugfixes:
- Change the contrib/tor.logrotate script so it makes the new
logs as "_tor:_tor" rather than the default, which is generally
"root:wheel". Fixes bug 676, reported by Serge Koksharov.
- Stop using __attribute__((nonnull)) with GCC: it can give us useful
warnings (occasionally), but it can also cause the compiler to
eliminate error-checking code. Suggested by Peter Gutmann.
- When a hidden service is giving up on an introduction point candidate
that was not included in the last published rendezvous descriptor,
don't reschedule publication of the next descriptor. Fixes bug 763.
Bugfix on 0.0.9.3.
- Mark RendNodes, RendExcludeNodes, HiddenServiceNodes, and
HiddenServiceExcludeNodes as obsolete: they never worked properly,
and nobody claims to be using them. Fixes bug 754. Bugfix on
0.1.0.1-rc. Patch from Christian Wilms.
- Fix a small alignment and memory-wasting bug on buffer chunks.
Spotted by rovv.
o Minor bugfixes (controller):
- When closing an application-side connection because its circuit
is getting torn down, generate the stream event correctly.
Bugfix on 0.1.2.x. Anonymous patch.
o Removed features:
- Remove all backward-compatibility code to support relays running
versions of Tor so old that they no longer work at all on the
Tor network.
Changes in version 0.2.0.30 - 2008-07-15
o Minor bugfixes:
- Stop using __attribute__((nonnull)) with GCC: it can give us useful
warnings (occasionally), but it can also cause the compiler to
eliminate error-checking code. Suggested by Peter Gutmann.
Changes in version 0.2.0.29-rc - 2008-07-08
Tor 0.2.0.29-rc fixes two big bugs with using bridges, fixes more
hidden-service performance bugs, and fixes a bunch of smaller bugs.
o Major bugfixes:
- If you have more than one bridge but don't know their keys,
you would only launch a request for the descriptor of the first one
on your list. (Tor considered launching requests for the others, but
found that it already had a connection on the way for $0000...0000
so it didn't open another.) Bugfix on 0.2.0.x.
- If you have more than one bridge but don't know their keys, and the
connection to one of the bridges failed, you would cancel all
pending bridge connections. (After all, they all have the same
digest.) Bugfix on 0.2.0.x.
- When a hidden service was trying to establish an introduction point,
and Tor had built circuits preemptively for such purposes, we
were ignoring all the preemptive circuits and launching a new one
instead. Bugfix on 0.2.0.14-alpha.
- When a hidden service was trying to establish an introduction point,
and Tor *did* manage to reuse one of the preemptively built
circuits, it didn't correctly remember which one it used,
so it asked for another one soon after, until there were no
more preemptive circuits, at which point it launched one from
scratch. Bugfix on 0.0.9.x.
- Make directory servers include the X-Your-Address-Is: http header in
their responses even for begin_dir conns. Now clients who only
ever use begin_dir connections still have a way to learn their IP
address. Fixes bug 737; bugfix on 0.2.0.22-rc. Reported by goldy.
o Minor bugfixes:
- Fix a macro/CPP interaction that was confusing some compilers:
some GCCs don't like #if/#endif pairs inside macro arguments.
Fixes bug 707.
- Fix macro collision between OpenSSL 0.9.8h and Windows headers.
Fixes bug 704; fix from Steven Murdoch.
- When opening /dev/null in finish_daemonize(), do not pass the
O_CREAT flag. Fortify was complaining, and correctly so. Fixes
bug 742; fix from Michael Scherer. Bugfix on 0.0.2pre19.
- Correctly detect transparent proxy support on Linux hosts that
require in.h to be included before netfilter_ipv4.h. Patch
from coderman.
- Disallow session resumption attempts during the renegotiation
stage of the v2 handshake protocol. Clients should never be trying
session resumption at this point, but apparently some did, in
ways that caused the handshake to fail. Bugfix on 0.2.0.20-rc. Bug
found by Geoff Goodell.
Changes in version 0.2.1.2-alpha - 2008-06-20
Tor 0.2.1.2-alpha includes a new "TestingTorNetwork" config option to
make it easier to set up your own private Tor network; fixes several
big bugs with using more than one bridge relay; fixes a big bug with
offering hidden services quickly after Tor starts; and uses a better
API for reporting potential bootstrapping problems to the controller.
o Major features:
- New TestingTorNetwork config option to allow adjustment of
previously constant values that, while reasonable, could slow
bootstrapping. Implements proposal 135. Patch from Karsten.
o Major bugfixes:
- If you have more than one bridge but don't know their digests,
you would only learn a request for the descriptor of the first one
on your list. (Tor considered launching requests for the others, but
found that it already had a connection on the way for $0000...0000
so it didn't open another.) Bugfix on 0.2.0.x.
- If you have more than one bridge but don't know their digests,
and the connection to one of the bridges failed, you would cancel
all pending bridge connections. (After all, they all have the
same digest.) Bugfix on 0.2.0.x.
- When establishing a hidden service, introduction points that
originate from cannibalized circuits are completely ignored and not
included in rendezvous service descriptors. This might be another
reason for delay in making a hidden service available. Bugfix
from long ago (0.0.9.x?)
o Minor features:
- Allow OpenSSL to use dynamic locks if it wants.
- When building a consensus, do not include routers that are down.
This will cut down 30% to 40% on consensus size. Implements
proposal 138.
- In directory authorities' approved-routers files, allow
fingerprints with or without space.
- Add a "GETINFO /status/bootstrap-phase" controller option, so the
controller can query our current bootstrap state in case it attaches
partway through and wants to catch up.
- Send an initial "Starting" bootstrap status event, so we have a
state to start out in.
o Minor bugfixes:
- Asking for a conditional consensus at .../consensus/<fingerprints>
would crash a dirserver if it did not already have a
consensus. Bugfix on 0.2.1.1-alpha.
- Clean up some macro/CPP interactions: some GCC versions don't like
#if/#endif pairs inside macro arguments. Fixes bug 707. Bugfix on
0.2.0.x.
o Bootstrapping bugfixes (on 0.2.1.1-alpha):
- Directory authorities shouldn't complain about bootstrapping
problems just because they do a lot of reachability testing and
some of the connection attempts fail.
- Start sending "count" and "recommendation" key/value pairs in
bootstrap problem status events, so the controller can hear about
problems even before Tor decides they're worth reporting for sure.
- If you're using bridges, generate "bootstrap problem" warnings
as soon as you run out of working bridges, rather than waiting
for ten failures -- which will never happen if you have less than
ten bridges.
- If we close our OR connection because there's been a circuit
pending on it for too long, we were telling our bootstrap status
events "REASON=NONE". Now tell them "REASON=TIMEOUT".
Changes in version 0.2.1.1-alpha - 2008-06-13
Tor 0.2.1.1-alpha fixes a lot of memory fragmentation problems that
were making the Tor process bloat especially on Linux; makes our TLS
handshake blend in better; sends "bootstrap phase" status events to
the controller, so it can keep the user informed of progress (and
problems) fetching directory information and establishing circuits;
and adds a variety of smaller features.
o Major features:
- More work on making our TLS handshake blend in: modify the list
of ciphers advertised by OpenSSL in client mode to even more
closely resemble a common web browser. We cheat a little so that
we can advertise ciphers that the locally installed OpenSSL doesn't
know about.
- Start sending "bootstrap phase" status events to the controller,
so it can keep the user informed of progress fetching directory
information and establishing circuits. Also inform the controller
if we think we're stuck at a particular bootstrap phase. Implements
proposal 137.
- Resume using OpenSSL's RAND_poll() for better (and more portable)
cross-platform entropy collection again. We used to use it, then
stopped using it because of a bug that could crash systems that
called RAND_poll when they had a lot of fds open. It looks like the
bug got fixed in late 2006. Our new behavior is to call RAND_poll()
at startup, and to call RAND_poll() when we reseed later only if
we have a non-buggy OpenSSL version.
o Major bugfixes:
- When we choose to abandon a new entry guard because we think our
older ones might be better, close any circuits pending on that
new entry guard connection. This fix should make us recover much
faster when our network is down and then comes back. Bugfix on
0.1.2.8-beta; found by lodger.
o Memory fixes and improvements:
- Add a malloc_good_size implementation to OpenBSD_malloc_linux.c,
to avoid unused RAM in buffer chunks and memory pools.
- Speed up parsing and cut down on memory fragmentation by using
stack-style allocations for parsing directory objects. Previously,
this accounted for over 40% of allocations from within Tor's code
on a typical directory cache.
- Use a Bloom filter rather than a digest-based set to track which
descriptors we need to keep around when we're cleaning out old
router descriptors. This speeds up the computation significantly,
and may reduce fragmentation.
- Reduce the default smartlist size from 32 to 16; it turns out that
most smartlists hold around 8-12 elements tops.
- Make dumpstats() log the fullness and size of openssl-internal
buffers.
- If the user has applied the experimental SSL_MODE_RELEASE_BUFFERS
patch to their OpenSSL, turn it on to save memory on servers. This
patch will (with any luck) get included in a mainline distribution
before too long.
- Never use OpenSSL compression: it wastes RAM and CPU trying to
compress cells, which are basically all encrypted, compressed,
or both.
o Minor bugfixes:
- Stop reloading the router list from disk for no reason when we
run out of reachable directory mirrors. Once upon a time reloading
it would set the 'is_running' flag back to 1 for them. It hasn't
done that for a long time.
- In very rare situations new hidden service descriptors were
published earlier than 30 seconds after the last change to the
service. (We currently think that a hidden service descriptor
that's been stable for 30 seconds is worth publishing.)
o Minor features:
- Allow separate log levels to be configured for different logging
domains. For example, this allows one to log all notices, warnings,
or errors, plus all memory management messages of level debug or
higher, with: Log [MM] debug-err [*] notice-err file /var/log/tor.
- Add a couple of extra warnings to --enable-gcc-warnings for GCC 4.3,
and stop using a warning that had become unfixably verbose under
GCC 4.3.
- New --hush command-line option similar to --quiet. While --quiet
disables all logging to the console on startup, --hush limits the
output to messages of warning and error severity.
- Servers support a new URL scheme for consensus downloads that
allows the client to specify which authorities are trusted.
The server then only sends the consensus if the client will trust
it. Otherwise a 404 error is sent back. Clients use this
new scheme when the server supports it (meaning it's running
0.2.1.1-alpha or later). Implements proposal 134.
- New configure/torrc options (--enable-geoip-stats,
DirRecordUsageByCountry) to record how many IPs we've served
directory info to in each country code, how many status documents
total we've sent to each country code, and what share of the total
directory requests we should expect to see.
- Use the TLS1 hostname extension to more closely resemble browser
behavior.
- Lots of new unit tests.
- Add a macro to implement the common pattern of iterating through
two parallel lists in lockstep.
Changes in version 0.2.0.28-rc - 2008-06-13
Tor 0.2.0.28-rc fixes an anonymity-related bug, fixes a hidden-service
performance bug, and fixes a bunch of smaller bugs.
o Anonymity fixes:
- Fix a bug where, when we were choosing the 'end stream reason' to
put in our relay end cell that we send to the exit relay, Tor
clients on Windows were sometimes sending the wrong 'reason'. The
anonymity problem is that exit relays may be able to guess whether
the client is running Windows, thus helping partition the anonymity
set. Down the road we should stop sending reasons to exit relays,
or otherwise prevent future versions of this bug.
o Major bugfixes:
- While setting up a hidden service, some valid introduction circuits
were overlooked and abandoned. This might be the reason for
the long delay in making a hidden service available. Bugfix on
0.2.0.14-alpha.
o Minor features:
- Update to the "June 9 2008" ip-to-country file.
- Run 'make test' as part of 'make dist', so we stop releasing so
many development snapshots that fail their unit tests.
o Minor bugfixes:
- When we're checking if we have enough dir info for each relay
to begin establishing circuits, make sure that we actually have
the descriptor listed in the consensus, not just any descriptor.
Bugfix on 0.1.2.x.
- Bridge relays no longer print "xx=0" in their extrainfo document
for every single country code in the geoip db. Bugfix on
0.2.0.27-rc.
- Only warn when we fail to load the geoip file if we were planning to
include geoip stats in our extrainfo document. Bugfix on 0.2.0.27-rc.
- If we change our MaxAdvertisedBandwidth and then reload torrc,
Tor won't realize it should publish a new relay descriptor. Fixes
bug 688, reported by mfr. Bugfix on 0.1.2.x.
- When we haven't had any application requests lately, don't bother
logging that we have expired a bunch of descriptors. Bugfix
on 0.1.2.x.
- Make relay cells written on a connection count as non-padding when
tracking how long a connection has been in use. Bugfix on
0.2.0.1-alpha. Spotted by lodger.
- Fix unit tests in 0.2.0.27-rc.
- Fix compile on Windows.
Changes in version 0.2.0.27-rc - 2008-06-03
Tor 0.2.0.27-rc adds a few features we left out of the earlier
release candidates. In particular, we now include an IP-to-country
GeoIP database, so controllers can easily look up what country a
given relay is in, and so bridge relays can give us some sanitized
summaries about which countries are making use of bridges. (See proposal
126-geoip-fetching.txt for details.)
o Major features:
- Include an IP-to-country GeoIP file in the tarball, so bridge
relays can report sanitized summaries of the usage they're seeing.
o Minor features:
- Add a "PURPOSE=" argument to "STREAM NEW" events, as suggested by
Robert Hogan. Fixes the first part of bug 681.
- Make bridge authorities never serve extrainfo docs.
- Add support to detect Libevent versions in the 1.4.x series
on mingw.
- Fix build on gcc 4.3 with --enable-gcc-warnings set.
- Include a new contrib/tor-exit-notice.html file that exit relay
operators can put on their website to help reduce abuse queries.
o Minor bugfixes:
- When tunneling an encrypted directory connection, and its first
circuit fails, do not leave it unattached and ask the controller
to deal. Fixes the second part of bug 681.
- Make bridge authorities correctly expire old extrainfo documents
from time to time.
Changes in version 0.2.0.26-rc - 2008-05-13
Tor 0.2.0.26-rc fixes a major security vulnerability caused by a bug
in Debian's OpenSSL packages. All users running any 0.2.0.x version
should upgrade, whether they're running Debian or not.
o Major security fixes:
- Use new V3 directory authority keys on the tor26, gabelmoo, and
moria1 V3 directory authorities. The old keys were generated with
a vulnerable version of Debian's OpenSSL package, and must be
considered compromised. Other authorities' keys were not generated
with an affected version of OpenSSL.
o Major bugfixes:
- List authority signatures as "unrecognized" based on DirServer
lines, not on cert cache. Bugfix on 0.2.0.x.
o Minor features:
- Add a new V3AuthUseLegacyKey option to make it easier for
authorities to change their identity keys if they have to.
Changes in version 0.2.0.25-rc - 2008-04-23
Tor 0.2.0.25-rc makes Tor work again on OS X and certain BSDs.
o Major bugfixes:
- Remember to initialize threading before initializing logging.
Otherwise, many BSD-family implementations will crash hard on
startup. Fixes bug 671. Bugfix on 0.2.0.24-rc.
o Minor bugfixes:
- Authorities correctly free policies on bad servers on
exit. Fixes bug 672. Bugfix on 0.2.0.x.
Changes in version 0.2.0.24-rc - 2008-04-22
Tor 0.2.0.24-rc adds dizum (run by Alex de Joode) as the new sixth
v3 directory authority, makes relays with dynamic IP addresses and no
DirPort notice more quickly when their IP address changes, fixes a few
rare crashes and memory leaks, and fixes a few other miscellaneous bugs.
o New directory authorities:
- Take lefkada out of the list of v3 directory authorities, since
it has been down for months.
- Set up dizum (run by Alex de Joode) as the new sixth v3 directory
authority.
o Major bugfixes:
- Detect address changes more quickly on non-directory mirror
relays. Bugfix on 0.2.0.18-alpha; fixes bug 652.
o Minor features (security):
- Reject requests for reverse-dns lookup of names that are in
a private address space. Patch from lodger.
- Non-exit relays no longer allow DNS requests. Fixes bug 619. Patch
from lodger.
o Minor bugfixes (crashes):
- Avoid a rare assert that can trigger when Tor doesn't have much
directory information yet and it tries to fetch a v2 hidden
service descriptor. Fixes bug 651, reported by nwf.
- Initialize log mutex before initializing dmalloc. Otherwise,
running with dmalloc would crash. Bugfix on 0.2.0.x-alpha.
- Use recursive pthread mutexes in order to avoid deadlock when
logging debug-level messages to a controller. Bug spotted by nwf,
bugfix on 0.2.0.16-alpha.
o Minor bugfixes (resource management):
- Keep address policies from leaking memory: start their refcount
at 1, not 2. Bugfix on 0.2.0.16-alpha.
- Free authority certificates on exit, so they don't look like memory
leaks. Bugfix on 0.2.0.19-alpha.
- Free static hashtables for policy maps and for TLS connections on
shutdown, so they don't look like memory leaks. Bugfix on 0.2.0.x.
- Avoid allocating extra space when computing consensuses on 64-bit
platforms. Bug spotted by aakova.
o Minor bugfixes (misc):
- Do not read the configuration file when we've only been told to
generate a password hash. Fixes bug 643. Bugfix on 0.0.9pre5. Fix
based on patch from Sebastian Hahn.
- Exit relays that are used as a client can now reach themselves
using the .exit notation, rather than just launching an infinite
pile of circuits. Fixes bug 641. Reported by Sebastian Hahn.
- When attempting to open a logfile fails, tell us why.
- Fix a dumb bug that was preventing us from knowing that we should
preemptively build circuits to handle expected directory requests.
Fixes bug 660. Bugfix on 0.1.2.x.
- Warn less verbosely about clock skew from netinfo cells from
untrusted sources. Fixes bug 663.
- Make controller stream events for DNS requests more consistent,
by adding "new stream" events for DNS requests, and removing
spurious "stream closed" events" for cached reverse resolves.
Patch from mwenge. Fixes bug 646.
- Correctly notify one-hop connections when a circuit build has
failed. Possible fix for bug 669. Found by lodger.
Changes in version 0.2.0.23-rc - 2008-03-24
Tor 0.2.0.23-rc is the fourth release candidate for the 0.2.0 series. It
makes bootstrapping faster if the first directory mirror you contact
is down. The bundles also include the new Vidalia 0.1.2 release.
o Major bugfixes:
- When a tunneled directory request is made to a directory server
that's down, notice after 30 seconds rather than 120 seconds. Also,
fail any begindir streams that are pending on it, so they can
retry elsewhere. This was causing multi-minute delays on bootstrap.
Changes in version 0.2.0.22-rc - 2008-03-18
Tor 0.2.0.22-rc is the third release candidate for the 0.2.0 series. It
enables encrypted directory connections by default for non-relays, fixes
some broken TLS behavior we added in 0.2.0.20-rc, and resolves many
other bugs. The bundles also include Vidalia 0.1.1 and Torbutton 1.1.17.
o Major features:
- Enable encrypted directory connections by default for non-relays,
so censor tools that block Tor directory connections based on their
plaintext patterns will no longer work. This means Tor works in
certain censored countries by default again.
o Major bugfixes:
- Make sure servers always request certificates from clients during
TLS renegotiation. Reported by lodger; bugfix on 0.2.0.20-rc.
- Do not enter a CPU-eating loop when a connection is closed in
the middle of client-side TLS renegotiation. Fixes bug 622. Bug
diagnosed by lodger; bugfix on 0.2.0.20-rc.
- Fix assertion failure that could occur when a blocked circuit
became unblocked, and it had pending client DNS requests. Bugfix
on 0.2.0.1-alpha. Fixes bug 632.
o Minor bugfixes (on 0.1.2.x):
- Generate "STATUS_SERVER" events rather than misspelled
"STATUS_SEVER" events. Caught by mwenge.
- When counting the number of bytes written on a TLS connection,
look at the BIO actually used for writing to the network, not
at the BIO used (sometimes) to buffer data for the network.
Looking at different BIOs could result in write counts on the
order of ULONG_MAX. Fixes bug 614.
- On Windows, correctly detect errors when listing the contents of
a directory. Fix from lodger.
o Minor bugfixes (on 0.2.0.x):
- Downgrade "sslv3 alert handshake failure" message to INFO.
- If we set RelayBandwidthRate and RelayBandwidthBurst very high but
left BandwidthRate and BandwidthBurst at the default, we would be
silently limited by those defaults. Now raise them to match the
RelayBandwidth* values.
- Fix the SVK version detection logic to work correctly on a branch.
- Make --enable-openbsd-malloc work correctly on Linux with alpha
CPUs. Fixes bug 625.
- Logging functions now check that the passed severity is sane.
- Use proper log levels in the testsuite call of
get_interface_address6().
- When using a nonstandard malloc, do not use the platform values for
HAVE_MALLOC_GOOD_SIZE or HAVE_MALLOC_USABLE_SIZE.
- Make the openbsd malloc code use 8k pages on alpha CPUs and
16k pages on ia64.
- Detect mismatched page sizes when using --enable-openbsd-malloc.
- Avoid double-marked-for-close warning when certain kinds of invalid
.in-addr.arpa addresses are passed to the DNSPort. Part of a fix
for bug 617. Bugfix on 0.2.0.1-alpha.
- Make sure that the "NULL-means-reject *:*" convention is followed by
all the policy manipulation functions, avoiding some possible crash
bugs. Bug found by lodger. Bugfix on 0.2.0.16-alpha.
- Fix the implementation of ClientDNSRejectInternalAddresses so that it
actually works, and doesn't warn about every single reverse lookup.
Fixes the other part of bug 617. Bugfix on 0.2.0.1-alpha.
o Minor features:
- Only log guard node status when guard node status has changed.
- Downgrade the 3 most common "INFO" messages to "DEBUG". This will
make "INFO" 75% less verbose.
Changes in version 0.2.0.21-rc - 2008-03-02
Tor 0.2.0.21-rc is the second release candidate for the 0.2.0 series. It
makes Tor work well with Vidalia again, fixes a rare assert bug,
and fixes a pair of more minor bugs. The bundles also include Vidalia
0.1.0 and Torbutton 1.1.16.
o Major bugfixes:
- The control port should declare that it requires password auth
when HashedControlSessionPassword is set too. Patch from Matt Edman;
bugfix on 0.2.0.20-rc. Fixes bug 615.
- Downgrade assert in connection_buckets_decrement() to a log message.
This may help us solve bug 614, and in any case will make its
symptoms less severe. Bugfix on 0.2.0.20-rc. Reported by fredzupy.
- We were sometimes miscounting the number of bytes read from the
network, causing our rate limiting to not be followed exactly.
Bugfix on 0.2.0.16-alpha. Reported by lodger.
o Minor bugfixes:
- Fix compilation with OpenSSL 0.9.8 and 0.9.8a. All other supported
OpenSSL versions should have been working fine. Diagnosis and patch
from lodger, Karsten Loesing, and Sebastian Hahn. Fixes bug 616.
Bugfix on 0.2.0.20-rc.
Changes in version 0.2.0.20-rc - 2008-02-24
Tor 0.2.0.20-rc is the first release candidate for the 0.2.0 series. It
makes more progress towards normalizing Tor's TLS handshake, makes
hidden services work better again, helps relays bootstrap if they don't
know their IP address, adds optional support for linking in openbsd's
allocator or tcmalloc, allows really fast relays to scale past 15000
sockets, and fixes a bunch of minor bugs reported by Veracode.
o Major features:
- Enable the revised TLS handshake based on the one designed by
Steven Murdoch in proposal 124, as revised in proposal 130. It
includes version negotiation for OR connections as described in
proposal 105. The new handshake is meant to be harder for censors
to fingerprint, and it adds the ability to detect certain kinds of
man-in-the-middle traffic analysis attacks. The version negotiation
feature will allow us to improve Tor's link protocol more safely
in the future.
- Choose which bridge to use proportional to its advertised bandwidth,
rather than uniformly at random. This should speed up Tor for
bridge users. Also do this for people who set StrictEntryNodes.
- When a TrackHostExits-chosen exit fails too many times in a row,
stop using it. Bugfix on 0.1.2.x; fixes bug 437.
o Major bugfixes:
- Resolved problems with (re-)fetching hidden service descriptors.
Patch from Karsten Loesing; fixes problems with 0.2.0.18-alpha
and 0.2.0.19-alpha.
- If we only ever used Tor for hidden service lookups or posts, we
would stop building circuits and start refusing connections after
24 hours, since we falsely believed that Tor was dormant. Reported
by nwf; bugfix on 0.1.2.x.
- Servers that don't know their own IP address should go to the
authorities for their first directory fetch, even if their DirPort
is off or if they don't know they're reachable yet. This will help
them bootstrap better. Bugfix on 0.2.0.18-alpha; fixes bug 609.
- When counting the number of open sockets, count not only the number
of sockets we have received from the socket() call, but also
the number we've gotten from accept() and socketpair(). This bug
made us fail to count all sockets that we were using for incoming
connections. Bugfix on 0.2.0.x.
- Fix code used to find strings within buffers, when those strings
are not in the first chunk of the buffer. Bugfix on 0.2.0.x.
- Fix potential segfault when parsing HTTP headers. Bugfix on 0.2.0.x.
- Add a new __HashedControlSessionPassword option for controllers
to use for one-off session password hashes that shouldn't get
saved to disk by SAVECONF --- Vidalia users were accumulating a
pile of HashedControlPassword lines in their torrc files, one for
each time they had restarted Tor and then clicked Save. Make Tor
automatically convert "HashedControlPassword" to this new option but
only when it's given on the command line. Partial fix for bug 586.
o Minor features (performance):
- Tune parameters for cell pool allocation to minimize amount of
RAM overhead used.
- Add OpenBSD malloc code from phk as an optional malloc
replacement on Linux: some glibc libraries do very poorly
with Tor's memory allocation patterns. Pass
--enable-openbsd-malloc to get the replacement malloc code.
- Add a --with-tcmalloc option to the configure script to link
against tcmalloc (if present). Does not yet search for
non-system include paths.
- Stop imposing an arbitrary maximum on the number of file descriptors
used for busy servers. Bug reported by Olaf Selke; patch from
Sebastian Hahn.
o Minor features (other):
- When SafeLogging is disabled, log addresses along with all TLS
errors.
- When building with --enable-gcc-warnings, check for whether Apple's
warning "-Wshorten-64-to-32" is available.
- Add a --passphrase-fd argument to the tor-gencert command for
scriptability.
o Minor bugfixes (memory leaks and code problems):
- We were leaking a file descriptor if Tor started with a zero-length
cached-descriptors file. Patch by freddy77; bugfix on 0.1.2.
- Detect size overflow in zlib code. Reported by Justin Ferguson and
Dan Kaminsky.
- We were comparing the raw BridgePassword entry with a base64'ed
version of it, when handling a "/tor/networkstatus-bridges"
directory request. Now compare correctly. Noticed by Veracode.
- Recover from bad tracked-since value in MTBF-history file.
Should fix bug 537.
- Alter the code that tries to recover from unhandled write
errors, to not try to flush onto a socket that's given us
unhandled errors. Bugfix on 0.1.2.x.
- Make Unix controlsockets work correctly on OpenBSD. Patch from
tup. Bugfix on 0.2.0.3-alpha.
o Minor bugfixes (other):
- If we have an extra-info document for our server, always make
it available on the control port, even if we haven't gotten
a copy of it from an authority yet. Patch from mwenge.
- Log the correct memory chunk sizes for empty RAM chunks in mempool.c.
- Directory mirrors no longer include a guess at the client's IP
address if the connection appears to be coming from the same /24
network; it was producing too many wrong guesses.
- Make the new hidden service code respect the SafeLogging setting.
Bugfix on 0.2.0.x. Patch from Karsten.
- When starting as an authority, do not overwrite all certificates
cached from other authorities. Bugfix on 0.2.0.x. Fixes bug 606.
- If we're trying to flush the last bytes on a connection (for
example, when answering a directory request), reset the
time-to-give-up timeout every time we manage to write something
on the socket. Bugfix on 0.1.2.x.
- Change the behavior of "getinfo status/good-server-descriptor"
so it doesn't return failure when any authority disappears.
- Even though the man page said that "TrackHostExits ." should
work, nobody had ever implemented it. Bugfix on 0.1.0.x.
- Report TLS "zero return" case as a "clean close" and "IO error"
as a "close". Stop calling closes "unexpected closes": existing
Tors don't use SSL_close(), so having a connection close without
the TLS shutdown handshake is hardly unexpected.
- Send NAMESERVER_STATUS messages for a single failed nameserver
correctly.
o Code simplifications and refactoring:
- Remove the tor_strpartition function: its logic was confused,
and it was only used for one thing that could be implemented far
more easily.
Changes in version 0.2.0.19-alpha - 2008-02-09
Tor 0.2.0.19-alpha makes more progress towards normalizing Tor's TLS
handshake, makes path selection for relays more secure and IP address
guessing more robust, and generally fixes a lot of bugs in preparation
for calling the 0.2.0 branch stable.