网络

开发平台：

Unix_Linux

ChangeLog：源码内容

o Major features:
- Do not include recognizeable strings in the commonname part of
Tor's x509 certificates.
o Major bugfixes:
- If we're a relay, avoid picking ourselves as an introduction point,
a rendezvous point, or as the final hop for internal circuits. Bug
reported by taranis and lodger. Bugfix on 0.1.2.x.
- Patch from "Andrew S. Lists" to catch when we contact a directory
mirror at IP address X and he says we look like we're coming from
IP address X. Bugfix on 0.1.2.x.
o Minor features (security):
- Be more paranoid about overwriting sensitive memory on free(),
as a defensive programming tactic to ensure forward secrecy.
o Minor features (directory authority):
- Actually validate the options passed to AuthDirReject,
AuthDirInvalid, AuthDirBadDir, and AuthDirBadExit.
- Reject router descriptors with out-of-range bandwidthcapacity or
bandwidthburst values.
o Minor features (controller):
- Reject controller commands over 1MB in length. This keeps rogue
processes from running us out of memory.
o Minor features (misc):
- Give more descriptive well-formedness errors for out-of-range
hidden service descriptor/protocol versions.
- Make memory debugging information describe more about history
of cell allocation, so we can help reduce our memory use.
o Deprecated features (controller):
- The status/version/num-versioning and status/version/num-concurring
GETINFO options are no longer useful in the v3 directory protocol:
treat them as deprecated, and warn when they're used.
o Minor bugfixes:
- When our consensus networkstatus has been expired for a while, stop
being willing to build circuits using it. Fixes bug 401. Bugfix
on 0.1.2.x.
- Directory caches now fetch certificates from all authorities
listed in a networkstatus consensus, even when they do not
recognize them. Fixes bug 571. Bugfix on 0.2.0.x.
- When connecting to a bridge without specifying its key, insert
the connection into the identity-to-connection map as soon as
a key is learned. Fixes bug 574. Bugfix on 0.2.0.x.
- Detect versions of OS X where malloc_good_size() is present in the
library but never actually declared. Resolves bug 587. Bugfix
on 0.2.0.x.
- Stop incorrectly truncating zlib responses to directory authority
signature download requests. Fixes bug 593. Bugfix on 0.2.0.x.
- Stop recommending that every server operator send mail to tor-ops.
Resolves bug 597. Bugfix on 0.1.2.x.
- Don't trigger an assert if we start a directory authority with a
private IP address (like 127.0.0.1).
- Avoid possible failures when generating a directory with routers
with over-long versions strings, or too many flags set. Bugfix
on 0.1.2.x.
- If an attempt to launch a DNS resolve request over the control
port fails because we have overrun the limit on the number of
connections, tell the controller that the request has failed.
- Avoid using too little bandwidth when our clock skips a few
seconds. Bugfix on 0.1.2.x.
- Fix shell error when warning about missing packages in configure
script, on Fedora or Red Hat machines. Bugfix on 0.2.0.x.
- Do not become confused when receiving a spurious VERSIONS-like
cell from a confused v1 client. Bugfix on 0.2.0.x.
- Re-fetch v2 (as well as v0) rendezvous descriptors when all
introduction points for a hidden service have failed. Patch from
Karsten Loesing. Bugfix on 0.2.0.x.
o Code simplifications and refactoring:
- Remove some needless generality from cpuworker code, for improved
type-safety.
- Stop overloading the circuit_t.onionskin field for both "onionskin
from a CREATE cell that we are waiting for a cpuworker to be
assigned" and "onionskin from an EXTEND cell that we are going to
send to an OR as soon as we are connected". Might help with bug 600.
- Add an in-place version of aes_crypt() so that we can avoid doing a
needless memcpy() call on each cell payload.
Changes in version 0.2.0.18-alpha - 2008-01-25
Tor 0.2.0.18-alpha adds a sixth v3 directory authority run by CCC,
fixes a big memory leak in 0.2.0.17-alpha, and adds new config options
that can warn or reject connections to ports generally associated with
vulnerable-plaintext protocols.
o New directory authorities:
- Set up dannenberg (run by CCC) as the sixth v3 directory
authority.
o Major bugfixes:
- Fix a major memory leak when attempting to use the v2 TLS
handshake code. Bugfix on 0.2.0.x; fixes bug 589.
- We accidentally enabled the under-development v2 TLS handshake
code, which was causing log entries like "TLS error while
renegotiating handshake". Disable it again. Resolves bug 590.
- We were computing the wrong Content-Length: header for directory
responses that need to be compressed on the fly, causing clients
asking for those items to always fail. Bugfix on 0.2.0.x; partially
fixes bug 593.
o Major features:
- Avoid going directly to the directory authorities even if you're a
relay, if you haven't found yourself reachable yet or if you've
decided not to advertise your dirport yet. Addresses bug 556.
- If we've gone 12 hours since our last bandwidth check, and we
estimate we have less than 50KB bandwidth capacity but we could
handle more, do another bandwidth test.
- New config options WarnPlaintextPorts and RejectPlaintextPorts so
Tor can warn and/or refuse connections to ports commonly used with
vulnerable-plaintext protocols. Currently we warn on ports 23,
109, 110, and 143, but we don't reject any.
o Minor bugfixes:
- When we setconf ClientOnly to 1, close any current OR and Dir
listeners. Reported by mwenge.
- When we get a consensus that's been signed by more people than
we expect, don't log about it; it's not a big deal. Reported
by Kyle Williams.
o Minor features:
- Don't answer "/tor/networkstatus-bridges" directory requests if
the request isn't encrypted.
- Make "ClientOnly 1" config option disable directory ports too.
- Patches from Karsten Loesing to make v2 hidden services more
robust: work even when there aren't enough HSDir relays available;
retry when a v2 rend desc fetch fails; but don't retry if we
already have a usable v0 rend desc.
Changes in version 0.2.0.17-alpha - 2008-01-17
Tor 0.2.0.17-alpha makes the tarball build cleanly again (whoops).
o Compile fixes:
- Make the tor-gencert man page get included correctly in the tarball.
Changes in version 0.2.0.16-alpha - 2008-01-17
Tor 0.2.0.16-alpha adds a fifth v3 directory authority run by Karsten
Loesing, and generally cleans up a lot of features and minor bugs.
o New directory authorities:
- Set up gabelmoo (run by Karsten Loesing) as the fifth v3 directory
authority.
o Major performance improvements:
- Switch our old ring buffer implementation for one more like that
used by free Unix kernels. The wasted space in a buffer with 1mb
of data will now be more like 8k than 1mb. The new implementation
also avoids realloc();realloc(); patterns that can contribute to
memory fragmentation.
o Minor features:
- Configuration files now accept C-style strings as values. This
helps encode characters not allowed in the current configuration
file format, such as newline or #. Addresses bug 557.
- Although we fixed bug 539 (where servers would send HTTP status 503
responses _and_ send a body too), there are still servers out
there that haven't upgraded. Therefore, make clients parse such
bodies when they receive them.
- When we're not serving v2 directory information, there is no reason
to actually keep any around. Remove the obsolete files and directory
on startup if they are very old and we aren't going to serve them.
o Minor performance improvements:
- Reference-count and share copies of address policy entries; only 5%
of them were actually distinct.
- Never walk through the list of logs if we know that no log is
interested in a given message.
o Minor bugfixes:
- When an authority has not signed a consensus, do not try to
download a nonexistent "certificate with key 00000000". Bugfix
on 0.2.0.x. Fixes bug 569.
- Fix a rare assert error when we're closing one of our threads:
use a mutex to protect the list of logs, so we never write to the
list as it's being freed. Bugfix on 0.1.2.x. Fixes the very rare
bug 575, which is kind of the revenge of bug 222.
- Patch from Karsten Loesing to complain less at both the client
and the relay when a relay used to have the HSDir flag but doesn't
anymore, and we try to upload a hidden service descriptor.
- Stop leaking one cert per TLS context. Fixes bug 582. Bugfix on
0.2.0.15-alpha.
- Do not try to download missing certificates until we have tried
to check our fallback consensus. Fixes bug 583.
- Make bridges round reported GeoIP stats info up to the nearest
estimate, not down. Now we can distinguish between "0 people from
this country" and "1 person from this country".
- Avoid a spurious free on base64 failure. Bugfix on 0.1.2.
- Avoid possible segfault if key generation fails in
crypto_pk_hybrid_encrypt. Bugfix on 0.2.0.
- Avoid segfault in the case where a badly behaved v2 versioning
directory sends a signed networkstatus with missing client-versions.
Bugfix on 0.1.2.
- Avoid segfaults on certain complex invocations of
router_get_by_hexdigest(). Bugfix on 0.1.2.
- Correct bad index on array access in parse_http_time(). Bugfix
on 0.2.0.
- Fix possible bug in vote generation when server versions are present
but client versions are not.
- Fix rare bug on REDIRECTSTREAM control command when called with no
port set: it could erroneously report an error when none had
happened.
- Avoid bogus crash-prone, leak-prone tor_realloc when we're
compressing large objects and find ourselves with more than 4k
left over. Bugfix on 0.2.0.
- Fix a small memory leak when setting up a hidden service.
- Fix a few memory leaks that could in theory happen under bizarre
error conditions.
- Fix an assert if we post a general-purpose descriptor via the
control port but that descriptor isn't mentioned in our current
network consensus. Bug reported by Jon McLachlan; bugfix on
0.2.0.9-alpha.
o Minor features (controller):
- Get NS events working again. Patch from tup.
- The GETCONF command now escapes and quotes configuration values
that don't otherwise fit into the torrc file.
- The SETCONF command now handles quoted values correctly.
o Minor features (directory authorities):
- New configuration options to override default maximum number of
servers allowed on a single IP address. This is important for
running a test network on a single host.
- Actually implement the -s option to tor-gencert.
- Add a manual page for tor-gencert.
o Minor features (bridges):
- Bridge authorities no longer serve bridge descriptors over
unencrypted connections.
o Minor features (other):
- Add hidden services and DNSPorts to the list of things that make
Tor accept that it has running ports. Change starting Tor with no
ports from a fatal error to a warning; we might change it back if
this turns out to confuse anybody. Fixes bug 579.
Changes in version 0.1.2.19 - 2008-01-17
Tor 0.1.2.19 fixes a huge memory leak on exit relays, makes the default
exit policy a little bit more conservative so it's safer to run an
exit relay on a home system, and fixes a variety of smaller issues.
o Security fixes:
- Exit policies now reject connections that are addressed to a
relay's public (external) IP address too, unless
ExitPolicyRejectPrivate is turned off. We do this because too
many relays are running nearby to services that trust them based
on network address.
o Major bugfixes:
- When the clock jumps forward a lot, do not allow the bandwidth
buckets to become negative. Fixes bug 544.
- Fix a memory leak on exit relays; we were leaking a cached_resolve_t
on every successful resolve. Reported by Mike Perry.
- Purge old entries from the "rephist" database and the hidden
service descriptor database even when DirPort is zero.
- Stop thinking that 0.1.2.x directory servers can handle "begin_dir"
requests. Should ease bugs 406 and 419 where 0.1.2.x relays are
crashing or mis-answering these requests.
- When we decide to send a 503 response to a request for servers, do
not then also send the server descriptors: this defeats the whole
purpose. Fixes bug 539.
o Minor bugfixes:
- Changing the ExitPolicyRejectPrivate setting should cause us to
rebuild our server descriptor.
- Fix handling of hex nicknames when answering controller requests for
networkstatus by name, or when deciding whether to warn about
unknown routers in a config option. (Patch from mwenge.)
- Fix a couple of hard-to-trigger autoconf problems that could result
in really weird results on platforms whose sys/types.h files define
nonstandard integer types.
- Don't try to create the datadir when running --verify-config or
--hash-password. Resolves bug 540.
- If we were having problems getting a particular descriptor from the
directory caches, and then we learned about a new descriptor for
that router, we weren't resetting our failure count. Reported
by lodger.
- Although we fixed bug 539 (where servers would send HTTP status 503
responses _and_ send a body too), there are still servers out there
that haven't upgraded. Therefore, make clients parse such bodies
when they receive them.
- Run correctly on systems where rlim_t is larger than unsigned long.
This includes some 64-bit systems.
- Run correctly on platforms (like some versions of OS X 10.5) where
the real limit for number of open files is OPEN_FILES, not rlim_max
from getrlimit(RLIMIT_NOFILES).
- Avoid a spurious free on base64 failure.
- Avoid segfaults on certain complex invocations of
router_get_by_hexdigest().
- Fix rare bug on REDIRECTSTREAM control command when called with no
port set: it could erroneously report an error when none had
happened.
Changes in version 0.2.0.15-alpha - 2007-12-25
Tor 0.2.0.14-alpha and 0.2.0.15-alpha fix a bunch of bugs with the
features added in 0.2.0.13-alpha.
o Major bugfixes:
- Fix several remotely triggerable asserts based on DirPort requests
for a v2 or v3 networkstatus object before we were prepared. This
was particularly bad for 0.2.0.13 and later bridge relays, who
would never have a v2 networkstatus and would thus always crash
when used. Bugfixes on 0.2.0.x.
- Estimate the v3 networkstatus size more accurately, rather than
estimating it at zero bytes and giving it artificially high priority
compared to other directory requests. Bugfix on 0.2.0.x.
o Minor bugfixes:
- Fix configure.in logic for cross-compilation.
- When we load a bridge descriptor from the cache, and it was
previously unreachable, mark it as retriable so we won't just
ignore it. Also, try fetching a new copy immediately. Bugfixes
on 0.2.0.13-alpha.
- The bridge GeoIP stats were counting other relays, for example
self-reachability and authority-reachability tests.
o Minor features:
- Support compilation to target iPhone; patch from cjacker huang.
To build for iPhone, pass the --enable-iphone option to configure.
Changes in version 0.2.0.14-alpha - 2007-12-23
o Major bugfixes:
- Fix a crash on startup if you install Tor 0.2.0.13-alpha fresh
without a datadirectory from a previous Tor install. Reported
by Zax.
- Fix a crash when we fetch a descriptor that turns out to be
unexpected (it used to be in our networkstatus when we started
fetching it, but it isn't in our current networkstatus), and we
aren't using bridges. Bugfix on 0.2.0.x.
- Fix a crash when accessing hidden services: it would work the first
time you use a given introduction point for your service, but
on subsequent requests we'd be using garbage memory. Fixed by
Karsten Loesing. Bugfix on 0.2.0.13-alpha.
- Fix a crash when we load a bridge descriptor from disk but we don't
currently have a Bridge line for it in our torrc. Bugfix on
0.2.0.13-alpha.
o Major features:
- If bridge authorities set BridgePassword, they will serve a
snapshot of known bridge routerstatuses from their DirPort to
anybody who knows that password. Unset by default.
o Minor bugfixes:
- Make the unit tests build again.
- Make "GETINFO/desc-annotations/id/<OR digest>" actually work.
- Make PublishServerDescriptor default to 1, so the default doesn't
have to change as we invent new directory protocol versions.
- Fix test for rlim_t on OSX 10.3: sys/resource.h doesn't want to
be included unless sys/time.h is already included. Fixes
bug 553. Bugfix on 0.2.0.x.
- If we receive a general-purpose descriptor and then receive an
identical bridge-purpose descriptor soon after, don't discard
the next one as a duplicate.
o Minor features:
- If BridgeRelay is set to 1, then the default for
PublishServerDescriptor is now "bridge" rather than "v2,v3".
- If the user sets RelayBandwidthRate but doesn't set
RelayBandwidthBurst, then make them equal rather than erroring out.
Changes in version 0.2.0.13-alpha - 2007-12-21
Tor 0.2.0.13-alpha adds a fourth v3 directory authority run by Geoff
Goodell, fixes many more bugs, and adds a lot of infrastructure for
upcoming features.
o New directory authorities:
- Set up lefkada (run by Geoff Goodell) as the fourth v3 directory
authority.
o Major bugfixes:
- Only update guard status (usable / not usable) once we have
enough directory information. This was causing us to always pick
two new guards on startup (bugfix on 0.2.0.9-alpha), and it was
causing us to discard all our guards on startup if we hadn't been
running for a few weeks (bugfix on 0.1.2.x). Fixes bug 448.
- Purge old entries from the "rephist" database and the hidden
service descriptor databases even when DirPort is zero. Bugfix
on 0.1.2.x.
- We were ignoring our RelayBandwidthRate for the first 30 seconds
after opening a circuit -- even a relayed circuit. Bugfix on
0.2.0.3-alpha.
- Stop thinking that 0.1.2.x directory servers can handle "begin_dir"
requests. Should ease bugs 406 and 419 where 0.1.2.x relays are
crashing or mis-answering these types of requests.
- Relays were publishing their server descriptor to v1 and v2
directory authorities, but they didn't try publishing to v3-only
authorities. Fix this; and also stop publishing to v1 authorities.
Bugfix on 0.2.0.x.
- When we were reading router descriptors from cache, we were ignoring
the annotations -- so for example we were reading in bridge-purpose
descriptors as general-purpose descriptors. Bugfix on 0.2.0.8-alpha.
- When we decided to send a 503 response to a request for servers, we
were then also sending the server descriptors: this defeats the
whole purpose. Fixes bug 539; bugfix on 0.1.2.x.
o Major features:
- Bridge relays now behave like clients with respect to time
intervals for downloading new consensus documents -- otherwise they
stand out. Bridge users now wait until the end of the interval,
so their bridge relay will be sure to have a new consensus document.
- Three new config options (AlternateDirAuthority,
AlternateBridgeAuthority, and AlternateHSAuthority) that let the
user selectively replace the default directory authorities by type,
rather than the all-or-nothing replacement that DirServer offers.
- Tor can now be configured to read a GeoIP file from disk in one
of two formats. This can be used by controllers to map IP addresses
to countries. Eventually, it may support exit-by-country.
- When possible, bridge relays remember which countries users
are coming from, and report aggregate information in their
extra-info documents, so that the bridge authorities can learn
where Tor is blocked.
- Bridge directory authorities now do reachability testing on the
bridges they know. They provide router status summaries to the
controller via "getinfo ns/purpose/bridge", and also dump summaries
to a file periodically.
- Stop fetching directory info so aggressively if your DirPort is
on but your ORPort is off; stop fetching v2 dir info entirely.
You can override these choices with the new FetchDirInfoEarly
config option.
o Minor bugfixes:
- The fix in 0.2.0.12-alpha cleared the "hsdir" flag in v3 network
consensus documents when there are too many relays at a single
IP address. Now clear it in v2 network status documents too, and
also clear it in routerinfo_t when the relay is no longer listed
in the relevant networkstatus document.
- Don't crash if we get an unexpected value for the
PublishServerDescriptor config option. Reported by Matt Edman;
bugfix on 0.2.0.9-alpha.
- Our new v2 hidden service descriptor format allows descriptors
that have no introduction points. But Tor crashed when we tried
to build a descriptor with no intro points (and it would have
crashed if we had tried to parse one). Bugfix on 0.2.0.x; patch
by Karsten Loesing.
- Fix building with dmalloc 5.5.2 with glibc.
- Reject uploaded descriptors and extrainfo documents if they're
huge. Otherwise we'll cache them all over the network and it'll
clog everything up. Reported by Aljosha Judmayer.
- Check for presence of s6_addr16 and s6_addr32 fields in in6_addr
via autoconf. Should fix compile on solaris. Bugfix on 0.2.0.x.
- When the DANGEROUS_VERSION controller status event told us we're
running an obsolete version, it used the string "OLD" to describe
it. Yet the "getinfo" interface used the string "OBSOLETE". Now use
"OBSOLETE" in both cases. Bugfix on 0.1.2.x.
- If we can't expand our list of entry guards (e.g. because we're
using bridges or we have StrictEntryNodes set), don't mark relays
down when they fail a directory request. Otherwise we're too quick
to mark all our entry points down. Bugfix on 0.1.2.x.
- Fix handling of hex nicknames when answering controller requests for
networkstatus by name, or when deciding whether to warn about unknown
routers in a config option. Bugfix on 0.1.2.x. (Patch from mwenge.)
- Fix a couple of hard-to-trigger autoconf problems that could result
in really weird results on platforms whose sys/types.h files define
nonstandard integer types. Bugfix on 0.1.2.x.
- Fix compilation with --disable-threads set. Bugfix on 0.2.0.x.
- Don't crash on name lookup when we have no current consensus. Fixes
bug 538; bugfix on 0.2.0.x.
- Only Tors that want to mirror the v2 directory info should
create the "cached-status" directory in their datadir. (All Tors
used to create it.) Bugfix on 0.2.0.9-alpha.
- Directory authorities should only automatically download Extra Info
documents if they're v1, v2, or v3 authorities. Bugfix on 0.1.2.x.
o Minor features:
- On the USR1 signal, when dmalloc is in use, log the top 10 memory
consumers. (We already do this on HUP.)
- Authorities and caches fetch the v2 networkstatus documents
less often, now that v3 is encouraged.
- Add a new config option BridgeRelay that specifies you want to
be a bridge relay. Right now the only difference is that it makes
you answer begin_dir requests, and it makes you cache dir info,
even if your DirPort isn't on.
- Add "GETINFO/desc-annotations/id/<OR digest>" so controllers can
ask about source, timestamp of arrival, purpose, etc. We need
something like this to help Vidalia not do GeoIP lookups on bridge
addresses.
- Allow multiple HashedControlPassword config lines, to support
multiple controller passwords.
- Authorities now decide whether they're authoritative for a given
router based on the router's purpose.
- New config options AuthDirBadDir and AuthDirListBadDirs for
authorities to mark certain relays as "bad directories" in the
networkstatus documents. Also supports the "!baddir" directive in
the approved-routers file.
Changes in version 0.2.0.12-alpha - 2007-11-16
This twelfth development snapshot fixes some more build problems as
well as a few minor bugs.
o Compile fixes:
- Make it build on OpenBSD again. Patch from tup.
- Substitute BINDIR and LOCALSTATEDIR in scripts. Fixes
package-building for Red Hat, OS X, etc.
o Minor bugfixes (on 0.1.2.x):
- Changing the ExitPolicyRejectPrivate setting should cause us to
rebuild our server descriptor.
o Minor bugfixes (on 0.2.0.x):
- When we're lacking a consensus, don't try to perform rendezvous
operations. Reported by Karsten Loesing.
- Fix a small memory leak whenever we decide against using a
newly picked entry guard. Reported by Mike Perry.
- When authorities detected more than two relays running on the same
IP address, they were clearing all the status flags but forgetting
to clear the "hsdir" flag. So clients were being told that a
given relay was the right choice for a v2 hsdir lookup, yet they
never had its descriptor because it was marked as 'not running'
in the consensus.
- If we're trying to fetch a bridge descriptor and there's no way
the bridge authority could help us (for example, we don't know
a digest, or there is no bridge authority), don't be so eager to
fall back to asking the bridge authority.
- If we're using bridges or have strictentrynodes set, and our
chosen exit is in the same family as all our bridges/entry guards,
then be flexible about families.
o Minor features:
- When we negotiate a v2 link-layer connection (not yet implemented),
accept RELAY_EARLY cells and turn them into RELAY cells if we've
negotiated a v1 connection for their next step. Initial code for
proposal 110.
Changes in version 0.2.0.11-alpha - 2007-11-12
This eleventh development snapshot fixes some build problems with
the previous snapshot. It also includes a more secure-by-default exit
policy for relays, fixes an enormous memory leak for exit relays, and
fixes another bug where servers were falling out of the directory list.
o Security fixes:
- Exit policies now reject connections that are addressed to a
relay's public (external) IP address too, unless
ExitPolicyRejectPrivate is turned off. We do this because too
many relays are running nearby to services that trust them based
on network address. Bugfix on 0.1.2.x.
o Major bugfixes:
- Fix a memory leak on exit relays; we were leaking a cached_resolve_t
on every successful resolve. Reported by Mike Perry; bugfix
on 0.1.2.x.
- On authorities, never downgrade to old router descriptors simply
because they're listed in the consensus. This created a catch-22
where we wouldn't list a new descriptor because there was an
old one in the consensus, and we couldn't get the new one in the
consensus because we wouldn't list it. Possible fix for bug 548.
Also, this might cause bug 543 to appear on authorities; if so,
we'll need a band-aid for that. Bugfix on 0.2.0.9-alpha.
o Packaging fixes on 0.2.0.10-alpha:
- We were including instructions about what to do with the
src/config/fallback-consensus file, but we weren't actually
including it in the tarball. Disable all of that for now.
o Minor features:
- Allow people to say PreferTunnelledDirConns rather than
PreferTunneledDirConns, for those alternate-spellers out there.
o Minor bugfixes:
- Don't reevaluate all the information from our consensus document
just because we've downloaded a v2 networkstatus that we intend
to cache. Fixes bug 545; bugfix on 0.2.0.x.
Changes in version 0.2.0.10-alpha - 2007-11-10
This tenth development snapshot adds a third v3 directory authority
run by Mike Perry, adds most of Karsten Loesing's new hidden service
descriptor format, fixes a bad crash bug and new bridge bugs introduced
in 0.2.0.9-alpha, fixes many bugs with the v3 directory implementation,
fixes some minor memory leaks in previous 0.2.0.x snapshots, and
addresses many more minor issues.
o New directory authorities:
- Set up ides (run by Mike Perry) as the third v3 directory authority.
o Major features:
- Allow tunnelled directory connections to ask for an encrypted
"begin_dir" connection or an anonymized "uses a full Tor circuit"
connection independently. Now we can make anonymized begin_dir
connections for (e.g.) more secure hidden service posting and
fetching.
- More progress on proposal 114: code from Karsten Loesing to
implement new hidden service descriptor format.
- Raise the default BandwidthRate/BandwidthBurst to 5MB/10MB, to
accommodate the growing number of servers that use the default
and are reaching it.
- Directory authorities use a new formula for selecting which nodes
to advertise as Guards: they must be in the top 7/8 in terms of
how long we have known about them, and above the median of those
nodes in terms of weighted fractional uptime.
- Make "not enough dir info yet" warnings describe *why* Tor feels
it doesn't have enough directory info yet.
o Major bugfixes:
- Stop servers from crashing if they set a Family option (or
maybe in other situations too). Bugfix on 0.2.0.9-alpha; reported
by Fabian Keil.
- Make bridge users work again -- the move to v3 directories in
0.2.0.9-alpha had introduced a number of bugs that made bridges
no longer work for clients.
- When the clock jumps forward a lot, do not allow the bandwidth
buckets to become negative. Bugfix on 0.1.2.x; fixes bug 544.
o Major bugfixes (v3 dir, bugfixes on 0.2.0.9-alpha):
- When the consensus lists a router descriptor that we previously were
mirroring, but that we considered non-canonical, reload the
descriptor as canonical. This fixes bug 543 where Tor servers
would start complaining after a few days that they don't have
enough directory information to build a circuit.
- Consider replacing the current consensus when certificates arrive
that make the pending consensus valid. Previously, we were only
considering replacement when the new certs _didn't_ help.
- Fix an assert error on startup if we didn't already have the
consensus and certs cached in our datadirectory: we were caching
the consensus in consensus_waiting_for_certs but then free'ing it
right after.
- Avoid sending a request for "keys/fp" (for which we'll get a 400 Bad
Request) if we need more v3 certs but we've already got pending
requests for all of them.
- Correctly back off from failing certificate downloads. Fixes
bug 546.
- Authorities don't vote on the Running flag if they have been running
for less than 30 minutes themselves. Fixes bug 547, where a newly
started authority would vote that everyone was down.
o New requirements:
- Drop support for OpenSSL version 0.9.6. Just about nobody was using
it, it had no AES, and it hasn't seen any security patches since
2004.
o Minor features:
- Clients now hold circuitless TLS connections open for 1.5 times
MaxCircuitDirtiness (15 minutes), since it is likely that they'll
rebuild a new circuit over them within that timeframe. Previously,
they held them open only for KeepalivePeriod (5 minutes).
- Use "If-Modified-Since" to avoid retrieving consensus
networkstatuses that we already have.
- When we have no consensus, check FallbackNetworkstatusFile (defaults
to $PREFIX/share/tor/fallback-consensus) for a consensus. This way
we start knowing some directory caches.
- When we receive a consensus from the future, warn about skew.
- Improve skew reporting: try to give the user a better log message
about how skewed they are, and how much this matters.
- When we have a certificate for an authority, believe that
certificate's claims about the authority's IP address.
- New --quiet command-line option to suppress the default console log.
Good in combination with --hash-password.
- Authorities send back an X-Descriptor-Not-New header in response to
an accepted-but-discarded descriptor upload. Partially implements
fix for bug 535.
- Make the log message for "tls error. breaking." more useful.
- Better log messages about certificate downloads, to attempt to
track down the second incarnation of bug 546.
o Minor features (bridges):
- If bridge users set UpdateBridgesFromAuthority, but the digest
they ask for is a 404 from the bridge authority, they now fall
back to trying the bridge directly.
- Bridges now use begin_dir to publish their server descriptor to
the bridge authority, even when they haven't set TunnelDirConns.
o Minor features (controller):
- When reporting clock skew, and we know that the clock is _at least
as skewed_ as some value, but we don't know the actual value,
report the value as a "minimum skew."
o Utilities:
- Update linux-tor-prio.sh script to allow QoS based on the uid of
the Tor process. Patch from Marco Bonetti with tweaks from Mike
Perry.
o Minor bugfixes:
- Refuse to start if both ORPort and UseBridges are set. Bugfix
on 0.2.0.x, suggested by Matt Edman.
- Don't stop fetching descriptors when FetchUselessDescriptors is
set, even if we stop asking for circuits. Bugfix on 0.1.2.x;
reported by tup and ioerror.
- Better log message on vote from unknown authority.
- Don't log "Launching 0 request for 0 router" message.
o Minor bugfixes (memory leaks):
- Stop leaking memory every time we parse a v3 certificate. Bugfix
on 0.2.0.1-alpha.
- Stop leaking memory every time we load a v3 certificate. Bugfix
on 0.2.0.1-alpha. Fixes bug 536.
- Stop leaking a cached networkstatus on exit. Bugfix on
0.2.0.3-alpha.
- Stop leaking voter information every time we free a consensus.
Bugfix on 0.2.0.3-alpha.
- Stop leaking signed data every time we check a voter signature.
Bugfix on 0.2.0.3-alpha.
- Stop leaking a signature every time we fail to parse a consensus or
a vote. Bugfix on 0.2.0.3-alpha.
- Stop leaking v2_download_status_map on shutdown. Bugfix on
0.2.0.9-alpha.
- Stop leaking conn->nickname every time we make a connection to a
Tor relay without knowing its expected identity digest (e.g. when
using bridges). Bugfix on 0.2.0.3-alpha.
- Minor bugfixes (portability):
- Run correctly on platforms where rlim_t is larger than unsigned
long, and/or where the real limit for number of open files is
OPEN_FILES, not rlim_max from getrlimit(RLIMIT_NOFILES). In
particular, these may be needed for OS X 10.5.
Changes in version 0.1.2.18 - 2007-10-28
Tor 0.1.2.18 fixes many problems including crash bugs, problems with
hidden service introduction that were causing huge delays, and a big
bug that was causing some servers to disappear from the network status
lists for a few hours each day.
o Major bugfixes (crashes):
- If a connection is shut down abruptly because of something that
happened inside connection_flushed_some(), do not call
connection_finished_flushing(). Should fix bug 451:
"connection_stop_writing: Assertion conn->write_event failed"
Bugfix on 0.1.2.7-alpha.
- Fix possible segfaults in functions called from
rend_process_relay_cell().
o Major bugfixes (hidden services):
- Hidden services were choosing introduction points uniquely by
hexdigest, but when constructing the hidden service descriptor
they merely wrote the (potentially ambiguous) nickname.
- Clients now use the v2 intro format for hidden service
connections: they specify their chosen rendezvous point by identity
digest rather than by (potentially ambiguous) nickname. These
changes could speed up hidden service connections dramatically.
o Major bugfixes (other):
- Stop publishing a new server descriptor just because we get a
HUP signal. This led (in a roundabout way) to some servers getting
dropped from the networkstatus lists for a few hours each day.
- When looking for a circuit to cannibalize, consider family as well
as identity. Fixes bug 438. Bugfix on 0.1.0.x (which introduced
circuit cannibalization).
- When a router wasn't listed in a new networkstatus, we were leaving
the flags for that router alone -- meaning it remained Named,
Running, etc -- even though absence from the networkstatus means
that it shouldn't be considered to exist at all anymore. Now we
clear all the flags for routers that fall out of the networkstatus
consensus. Fixes bug 529.
o Minor bugfixes:
- Don't try to access (or alter) the state file when running
--list-fingerprint or --verify-config or --hash-password. Resolves
bug 499.
- When generating information telling us how to extend to a given
router, do not try to include the nickname if it is
absent. Resolves bug 467.
- Fix a user-triggerable segfault in expand_filename(). (There isn't
a way to trigger this remotely.)
- When sending a status event to the controller telling it that an
OR address is reachable, set the port correctly. (Previously we
were reporting the dir port.)
- Fix a minor memory leak whenever a controller sends the PROTOCOLINFO
command. Bugfix on 0.1.2.17.
- When loading bandwidth history, do not believe any information in
the future. Fixes bug 434.
- When loading entry guard information, do not believe any information
in the future.
- When we have our clock set far in the future and generate an
onion key, then re-set our clock to be correct, we should not stop
the onion key from getting rotated.
- On some platforms, accept() can return a broken address. Detect
this more quietly, and deal accordingly. Fixes bug 483.
- It's not actually an error to find a non-pending entry in the DNS
cache when canceling a pending resolve. Don't log unless stuff
is fishy. Resolves bug 463.
- Don't reset trusted dir server list when we set a configuration
option. Patch from Robert Hogan.
- Don't try to create the datadir when running --verify-config or
--hash-password. Resolves bug 540.
Changes in version 0.2.0.9-alpha - 2007-10-24
This ninth development snapshot switches clients to the new v3 directory
system; allows servers to be listed in the network status even when they
have the same nickname as a registered server; and fixes many other
bugs including a big one that was causing some servers to disappear
from the network status lists for a few hours each day.
o Major features (directory system):
- Clients now download v3 consensus networkstatus documents instead
of v2 networkstatus documents. Clients and caches now base their
opinions about routers on these consensus documents. Clients only
download router descriptors listed in the consensus.
- Authorities now list servers who have the same nickname as
a different named server, but list them with a new flag,
"Unnamed". Now we can list servers that happen to pick the same
nickname as a server that registered two years ago and then
disappeared. Partially implements proposal 122.
- If the consensus lists a router as "Unnamed", the name is assigned
to a different router: do not identify the router by that name.
Partially implements proposal 122.
- Authorities can now come to a consensus on which method to use to
compute the consensus. This gives us forward compatibility.
o Major bugfixes:
- Stop publishing a new server descriptor just because we HUP or
when we find our DirPort to be reachable but won't actually publish
it. New descriptors without any real changes are dropped by the
authorities, and can screw up our "publish every 18 hours" schedule.
Bugfix on 0.1.2.x.
- When a router wasn't listed in a new networkstatus, we were leaving
the flags for that router alone -- meaning it remained Named,
Running, etc -- even though absence from the networkstatus means
that it shouldn't be considered to exist at all anymore. Now we
clear all the flags for routers that fall out of the networkstatus
consensus. Fixes bug 529; bugfix on 0.1.2.x.
- Fix awful behavior in DownloadExtraInfo option where we'd fetch
extrainfo documents and then discard them immediately for not
matching the latest router. Bugfix on 0.2.0.1-alpha.
o Minor features (v3 directory protocol):
- Allow tor-gencert to generate a new certificate without replacing
the signing key.
- Allow certificates to include an address.
- When we change our directory-cache settings, reschedule all voting
and download operations.
- Reattempt certificate downloads immediately on failure, as long as
we haven't failed a threshold number of times yet.
- Delay retrying consensus downloads while we're downloading
certificates to verify the one we just got. Also, count getting a
consensus that we already have (or one that isn't valid) as a failure,
and count failing to get the certificates after 20 minutes as a
failure.
- Build circuits and download descriptors even if our consensus is a
little expired. (This feature will go away once authorities are
more reliable.)
o Minor features (router descriptor cache):
- If we find a cached-routers file that's been sitting around for more
than 28 days unmodified, then most likely it's a leftover from
when we upgraded to 0.2.0.8-alpha. Remove it. It has no good
routers anyway.
- When we (as a cache) download a descriptor because it was listed
in a consensus, remember when the consensus was supposed to expire,
and don't expire the descriptor until then.
o Minor features (performance):
- Call routerlist_remove_old_routers() much less often. This should
speed startup, especially on directory caches.
- Don't try to launch new descriptor downloads quite so often when we
already have enough directory information to build circuits.
- Base64 decoding was actually showing up on our profile when parsing
the initial descriptor file; switch to an in-process all-at-once
implementation that's about 3.5x times faster than calling out to
OpenSSL.
o Minor features (compilation):
- Detect non-ASCII platforms (if any still exist) and refuse to
build there: some of our code assumes that 'A' is 65 and so on.
o Minor bugfixes (v3 directory authorities, bugfixes on 0.2.0.x):
- Make the "next period" votes into "current period" votes immediately
after publishing the consensus; avoid a heisenbug that made them
stick around indefinitely.
- When we discard a vote as a duplicate, do not report this as
an error.
- Treat missing v3 keys or certificates as an error when running as a
v3 directory authority.
- When we're configured to be a v3 authority, but we're only listed
as a non-v3 authority in our DirServer line for ourself, correct
the listing.
- If an authority doesn't have a qualified hostname, just put
its address in the vote. This fixes the problem where we referred to
"moria on moria:9031."
- Distinguish between detached signatures for the wrong period, and
detached signatures for a divergent vote.
- Fix a small memory leak when computing a consensus.
- When there's no concensus, we were forming a vote every 30
minutes, but writing the "valid-after" line in our vote based
on our configured V3AuthVotingInterval: so unless the intervals
matched up, we immediately rejected our own vote because it didn't
start at the voting interval that caused us to construct a vote.
o Minor bugfixes (v3 directory protocol, bugfixes on 0.2.0.x):
- Delete unverified-consensus when the real consensus is set.
- Consider retrying a consensus networkstatus fetch immediately
after one fails: don't wait 60 seconds to notice.
- When fetching a consensus as a cache, wait until a newer consensus
should exist before trying to replace the current one.
- Use a more forgiving schedule for retrying failed consensus
downloads than for other types.
o Minor bugfixes (other directory issues):
- Correct the implementation of "download votes by digest." Bugfix on
0.2.0.8-alpha.
- Authorities no longer send back "400 you're unreachable please fix
it" errors to Tor servers that aren't online all the time. We're
supposed to tolerate these servers now. Bugfix on 0.1.2.x.
o Minor bugfixes (controller):
- Don't reset trusted dir server list when we set a configuration
option. Patch from Robert Hogan; bugfix on 0.1.2.x.
- Respond to INT and TERM SIGNAL commands before we execute the
signal, in case the signal shuts us down. We had a patch in
0.1.2.1-alpha that tried to do this by queueing the response on
the connection's buffer before shutting down, but that really
isn't the same thing at all. Bug located by Matt Edman.
o Minor bugfixes (misc):
- Correctly check for bad options to the "PublishServerDescriptor"
config option. Bugfix on 0.2.0.1-alpha; reported by Matt Edman.
- Stop leaking memory on failing case of base32_decode, and make
it accept upper-case letters. Bugfixes on 0.2.0.7-alpha.
- Don't try to download extrainfo documents when we're trying to
fetch enough directory info to build a circuit: having enough
info should get priority. Bugfix on 0.2.0.x.
- Don't complain that "your server has not managed to confirm that its
ports are reachable" if we haven't been able to build any circuits
yet. Bug found by spending four hours without a v3 consensus. Bugfix
on 0.1.2.x.
- Detect the reason for failing to mmap a descriptor file we just
wrote, and give a more useful log message. Fixes bug 533. Bugfix
on 0.1.2.x.
o Code simplifications and refactoring:
- Remove support for the old bw_accounting file: we've been storing
bandwidth accounting information in the state file since
0.1.2.5-alpha. This may result in bandwidth accounting errors
if you try to upgrade from 0.1.1.x or earlier, or if you try to
downgrade to 0.1.1.x or earlier.
- New convenience code to locate a file within the DataDirectory.
- Move non-authority functionality out of dirvote.c.
- Refactor the arguments for router_pick_{directory_|trusteddir}server
so that they all take the same named flags.
o Utilities
- Include the "tor-ctrl.sh" bash script by Stefan Behte to provide
Unix users an easy way to script their Tor process (e.g. by
adjusting bandwidth based on the time of the day).
Changes in version 0.2.0.8-alpha - 2007-10-12
This eighth development snapshot fixes a crash bug that's been bothering
us since February 2007, lets bridge authorities store a list of bridge
descriptors they've seen, gets v3 directory voting closer to working,
starts caching v3 directory consensus documents on directory mirrors,
and fixes a variety of smaller issues including some minor memory leaks.
o Major features (router descriptor cache):
- Store routers in a file called cached-descriptors instead of in
cached-routers. Initialize cached-descriptors from cached-routers
if the old format is around. The new format allows us to store
annotations along with descriptors.
- Use annotations to record the time we received each descriptor, its
source, and its purpose.
- Disable the SETROUTERPURPOSE controller command: it is now
obsolete.
- Controllers should now specify cache=no or cache=yes when using
the +POSTDESCRIPTOR command.
- Bridge authorities now write bridge descriptors to disk, meaning
we can export them to other programs and begin distributing them
to blocked users.
o Major features (directory authorities):
- When a v3 authority is missing votes or signatures, it now tries
to fetch them.
- Directory authorities track weighted fractional uptime as well as
weighted mean-time-between failures. WFU is suitable for deciding
whether a node is "usually up", while MTBF is suitable for deciding
whether a node is "likely to stay up." We need both, because
"usually up" is a good requirement for guards, while "likely to
stay up" is a good requirement for long-lived connections.
o Major features (v3 directory system):
- Caches now download v3 network status documents as needed,
and download the descriptors listed in them.
- All hosts now attempt to download and keep fresh v3 authority
certificates, and re-attempt after failures.
- More internal-consistency checks for vote parsing.
o Major bugfixes (crashes):
- If a connection is shut down abruptly because of something that
happened inside connection_flushed_some(), do not call
connection_finished_flushing(). Should fix bug 451. Bugfix on
0.1.2.7-alpha.
o Major bugfixes (performance):
- Fix really bad O(n^2) performance when parsing a long list of
routers: Instead of searching the entire list for an "extra-info "
string which usually wasn't there, once for every routerinfo
we read, just scan lines forward until we find one we like.
Bugfix on 0.2.0.1.
- When we add data to a write buffer in response to the data on that
write buffer getting low because of a flush, do not consider the
newly added data as a candidate for immediate flushing, but rather
make it wait until the next round of writing. Otherwise, we flush
and refill recursively, and a single greedy TLS connection can
eat all of our bandwidth. Bugfix on 0.1.2.7-alpha.
o Minor features (v3 authority system):
- Add more ways for tools to download the votes that lead to the
current consensus.
- Send a 503 when low on bandwidth and a vote, consensus, or
certificate is requested.
- If-modified-since is now implemented properly for all kinds of
certificate requests.
o Minor bugfixes (network statuses):
- Tweak the implementation of proposal 109 slightly: allow at most
two Tor servers on the same IP address, except if it's the location
of a directory authority, in which case allow five. Bugfix on
0.2.0.3-alpha.
o Minor bugfixes (controller):
- When sending a status event to the controller telling it that an
OR address is reachable, set the port correctly. (Previously we
were reporting the dir port.) Bugfix on 0.1.2.x.
o Minor bugfixes (v3 directory system):
- Fix logic to look up a cert by its signing key digest. Bugfix on
0.2.0.7-alpha.
- Only change the reply to a vote to "OK" if it's not already
set. This gets rid of annoying "400 OK" log messages, which may
have been masking some deeper issue. Bugfix on 0.2.0.7-alpha.
- When we get a valid consensus, recompute the voting schedule.
- Base the valid-after time of a vote on the consensus voting
schedule, not on our preferred schedule.
- Make the return values and messages from signature uploads and
downloads more sensible.
- Fix a memory leak when serving votes and consensus documents, and
another when serving certificates.
o Minor bugfixes (performance):
- Use a slightly simpler string hashing algorithm (copying Python's
instead of Java's) and optimize our digest hashing algorithm to take
advantage of 64-bit platforms and to remove some possibly-costly
voodoo.
- Fix a minor memory leak whenever we parse guards from our state
file. Bugfix on 0.2.0.7-alpha.
- Fix a minor memory leak whenever we write out a file. Bugfix on
0.2.0.7-alpha.
- Fix a minor memory leak whenever a controller sends the PROTOCOLINFO
command. Bugfix on 0.2.0.5-alpha.
o Minor bugfixes (portability):
- On some platforms, accept() can return a broken address. Detect
this more quietly, and deal accordingly. Fixes bug 483.
- Stop calling tor_strlower() on uninitialized memory in some cases.
Bugfix in 0.2.0.7-alpha.
o Minor bugfixes (usability):
- Treat some 403 responses from directory servers as INFO rather than
WARN-severity events.
- It's not actually an error to find a non-pending entry in the DNS
cache when canceling a pending resolve. Don't log unless stuff is
fishy. Resolves bug 463.
o Minor bugfixes (anonymity):
- Never report that we've used more bandwidth than we're willing to
relay: it leaks how much non-relay traffic we're using. Resolves
bug 516.
- When looking for a circuit to cannibalize, consider family as well
as identity. Fixes bug 438. Bugfix on 0.1.0.x (which introduced
circuit cannibalization).
o Code simplifications and refactoring:
- Make a bunch of functions static. Remove some dead code.
- Pull out about a third of the really big routerlist.c; put it in a
new module, networkstatus.c.
- Merge the extra fields in local_routerstatus_t back into
routerstatus_t: we used to need one routerstatus_t for each
authority's opinion, plus a local_routerstatus_t for the locally
computed consensus opinion. To save space, we put the locally
modified fields into local_routerstatus_t, and only the common
stuff into routerstatus_t. But once v3 directories are in use,
clients and caches will no longer need to hold authority opinions;
thus, the rationale for keeping the types separate is now gone.
- Make the code used to reschedule and reattempt downloads more
uniform.
- Turn all 'Are we a directory server/mirror?' logic into a call to
dirserver_mode().
- Remove the code to generate the oldest (v1) directory format.
The code has been disabled since 0.2.0.5-alpha.
Changes in version 0.2.0.7-alpha - 2007-09-21
This seventh development snapshot makes bridges work again, makes bridge
authorities work for the first time, fixes two huge performance flaws
in hidden services, and fixes a variety of minor issues.
o New directory authorities:
- Set up moria1 and tor26 as the first v3 directory authorities. See
doc/spec/dir-spec.txt for details on the new directory design.
o Major bugfixes (crashes):
- Fix possible segfaults in functions called from
rend_process_relay_cell(). Bugfix on 0.1.2.x.
o Major bugfixes (bridges):
- Fix a bug that made servers send a "404 Not found" in response to
attempts to fetch their server descriptor. This caused Tor servers
to take many minutes to establish reachability for their DirPort,
and it totally crippled bridges. Bugfix on 0.2.0.5-alpha.
- Make "UpdateBridgesFromAuthority" torrc option work: when bridge
users configure that and specify a bridge with an identity
fingerprint, now they will lookup the bridge descriptor at the
default bridge authority via a one-hop tunnel, but once circuits
are established they will switch to a three-hop tunnel for later
connections to the bridge authority. Bugfix in 0.2.0.3-alpha.
o Major bugfixes (hidden services):
- Hidden services were choosing introduction points uniquely by
hexdigest, but when constructing the hidden service descriptor
they merely wrote the (potentially ambiguous) nickname.
- Clients now use the v2 intro format for hidden service
connections: they specify their chosen rendezvous point by identity
digest rather than by (potentially ambiguous) nickname. Both
are bugfixes on 0.1.2.x, and they could speed up hidden service
connections dramatically. Thanks to Karsten Loesing.
o Minor features (security):
- As a client, do not believe any server that tells us that an
address maps to an internal address space.
- Make it possible to enable HashedControlPassword and
CookieAuthentication at the same time.
o Minor features (guard nodes):
- Tag every guard node in our state file with the version that
we believe added it, or with our own version if we add it. This way,
if a user temporarily runs an old version of Tor and then switches
back to a new one, she doesn't automatically lose her guards.
o Minor features (speed):
- When implementing AES counter mode, update only the portions of the
counter buffer that need to change, and don't keep separate
network-order and host-order counters when they are the same (i.e.,
on big-endian hosts.)
o Minor features (controller):
- Accept LF instead of CRLF on controller, since some software has a
hard time generating real Internet newlines.
- Add GETINFO values for the server status events
"REACHABILITY_SUCCEEDED" and "GOOD_SERVER_DESCRIPTOR". Patch from
Robert Hogan.
o Removed features:
- Routers no longer include bandwidth-history lines in their
descriptors; this information is already available in extra-info
documents, and including it in router descriptors took up 60%
(!) of compressed router descriptor downloads. Completes
implementation of proposal 104.
- Remove the contrib scripts ExerciseServer.py, PathDemo.py,
and TorControl.py, as they use the old v0 controller protocol,
and are obsoleted by TorFlow anyway.
- Drop support for v1 rendezvous descriptors, since we never used
them anyway, and the code has probably rotted by now. Based on
patch from Karsten Loesing.
- On OSX, stop warning the user that kqueue support in libevent is
"experimental", since it seems to have worked fine for ages.
o Minor bugfixes:
- When generating information telling us how to extend to a given
router, do not try to include the nickname if it is absent. Fixes
bug 467. Bugfix on 0.2.0.3-alpha.
- Fix a user-triggerable (but not remotely-triggerable) segfault
in expand_filename(). Bugfix on 0.1.2.x.
- Fix a memory leak when freeing incomplete requests from DNSPort.
Found by Niels Provos with valgrind. Bugfix on 0.2.0.1-alpha.
- Don't try to access (or alter) the state file when running
--list-fingerprint or --verify-config or --hash-password. (Resolves
bug 499.) Bugfix on 0.1.2.x.
- Servers used to decline to publish their DirPort if their
BandwidthRate, RelayBandwidthRate, or MaxAdvertisedBandwidth
were below a threshold. Now they only look at BandwidthRate and
RelayBandwidthRate. Bugfix on 0.1.2.x.
- Remove an optimization in the AES counter-mode code that assumed
that the counter never exceeded 2^68. When the counter can be set
arbitrarily as an IV (as it is by Karsten's new hidden services
code), this assumption no longer holds. Bugfix on 0.1.2.x.
- Resume listing "AUTHORITY" flag for authorities in network status.
Bugfix on 0.2.0.3-alpha; reported by Alex de Joode.
o Code simplifications and refactoring:
- Revamp file-writing logic so we don't need to have the entire
contents of a file in memory at once before we write to disk. Tor,
meet stdio.
- Turn "descriptor store" into a full-fledged type.
- Move all NT services code into a separate source file.
- Unify all code that computes medians, percentile elements, etc.
- Get rid of a needless malloc when parsing address policies.
Changes in version 0.1.2.17 - 2007-08-30
Tor 0.1.2.17 features a new Vidalia version in the Windows and OS
X bundles. Vidalia 0.0.14 makes authentication required for the
ControlPort in the default configuration, which addresses important
security risks. Everybody who uses Vidalia (or another controller)
should upgrade.
In addition, this Tor update fixes major load balancing problems with
path selection, which should speed things up a lot once many people
have upgraded.
o Major bugfixes (security):
- We removed support for the old (v0) control protocol. It has been
deprecated since Tor 0.1.1.1-alpha, and keeping it secure has
become more of a headache than it's worth.
o Major bugfixes (load balancing):
- When choosing nodes for non-guard positions, weight guards
proportionally less, since they already have enough load. Patch
from Mike Perry.
- Raise the "max believable bandwidth" from 1.5MB/s to 10MB/s. This
will allow fast Tor servers to get more attention.
- When we're upgrading from an old Tor version, forget our current
guards and pick new ones according to the new weightings. These
three load balancing patches could raise effective network capacity
by a factor of four. Thanks to Mike Perry for measurements.
o Major bugfixes (stream expiration):
- Expire not-yet-successful application streams in all cases if
they've been around longer than SocksTimeout. Right now there are
some cases where the stream will live forever, demanding a new
circuit every 15 seconds. Fixes bug 454; reported by lodger.
o Minor features (controller):
- Add a PROTOCOLINFO controller command. Like AUTHENTICATE, it
is valid before any authentication has been received. It tells
a controller what kind of authentication is expected, and what
protocol is spoken. Implements proposal 119.
o Minor bugfixes (performance):
- Save on most routerlist_assert_ok() calls in routerlist.c, thus
greatly speeding up loading cached-routers from disk on startup.
- Disable sentinel-based debugging for buffer code: we squashed all
the bugs that this was supposed to detect a long time ago, and now
its only effect is to change our buffer sizes from nice powers of
two (which platform mallocs tend to like) to values slightly over
powers of two (which make some platform mallocs sad).
o Minor bugfixes (misc):
- If exit bandwidth ever exceeds one third of total bandwidth, then
use the correct formula to weight exit nodes when choosing paths.
Based on patch from Mike Perry.
- Choose perfectly fairly among routers when choosing by bandwidth and
weighting by fraction of bandwidth provided by exits. Previously, we
would choose with only approximate fairness, and correct ourselves
if we ran off the end of the list.
- If we require CookieAuthentication but we fail to write the
cookie file, we would warn but not exit, and end up in a state
where no controller could authenticate. Now we exit.
- If we require CookieAuthentication, stop generating a new cookie
every time we change any piece of our config.
- Refuse to start with certain directory authority keys, and
encourage people using them to stop.
- Terminate multi-line control events properly. Original patch
from tup.
- Fix a minor memory leak when we fail to find enough suitable
servers to choose a circuit.
- Stop leaking part of the descriptor when we run into a particularly
unparseable piece of it.
Changes in version 0.2.0.6-alpha - 2007-08-26
This sixth development snapshot features a new Vidalia version in the
Windows and OS X bundles. Vidalia 0.0.14 makes authentication required for
the ControlPort in the default configuration, which addresses important
security risks.
In addition, this snapshot fixes major load balancing problems
with path selection, which should speed things up a lot once many
people have upgraded. The directory authorities also use a new
mean-time-between-failure approach to tracking which servers are stable,
rather than just looking at the most recent uptime.
o New directory authorities:
- Set up Tonga as the default bridge directory authority.
o Major features:
- Directory authorities now track servers by weighted
mean-times-between-failures. When we have 4 or more days of data,
use measured MTBF rather than declared uptime to decide whether
to call a router Stable. Implements proposal 108.
o Major bugfixes (load balancing):
- When choosing nodes for non-guard positions, weight guards
proportionally less, since they already have enough load. Patch
from Mike Perry.
- Raise the "max believable bandwidth" from 1.5MB/s to 10MB/s. This
will allow fast Tor servers to get more attention.
- When we're upgrading from an old Tor version, forget our current
guards and pick new ones according to the new weightings. These
three load balancing patches could raise effective network capacity
by a factor of four. Thanks to Mike Perry for measurements.
o Major bugfixes (descriptor parsing):
- Handle unexpected whitespace better in malformed descriptors. Bug
found using Benedikt Boss's new Tor fuzzer! Bugfix on 0.2.0.x.
o Minor features:
- There is now an ugly, temporary "desc/all-recent-extrainfo-hack"
GETINFO for Torstat to use until it can switch to using extrainfos.
- Optionally (if built with -DEXPORTMALLINFO) export the output
of mallinfo via http, as tor/mallinfo.txt. Only accessible
from localhost.
o Minor bugfixes:
- Do not intermix bridge routers with controller-added
routers. (Bugfix on 0.2.0.x)
- Do not fail with an assert when accept() returns an unexpected
address family. Addresses but does not wholly fix bug 483. (Bugfix
on 0.2.0.x)
- Let directory authorities startup even when they can't generate
a descriptor immediately, e.g. because they don't know their
address.
- Stop putting the authentication cookie in a file called "0"
in your working directory if you don't specify anything for the
new CookieAuthFile option. Reported by Matt Edman.
- Make it possible to read the PROTOCOLINFO response in a way that
conforms to our control-spec. Reported by Matt Edman.
- Fix a minor memory leak when we fail to find enough suitable
servers to choose a circuit. Bugfix on 0.1.2.x.
- Stop leaking part of the descriptor when we run into a particularly
unparseable piece of it. Bugfix on 0.1.2.x.
- Unmap the extrainfo cache file on exit.
Changes in version 0.2.0.5-alpha - 2007-08-19
This fifth development snapshot fixes compilation on Windows again;
fixes an obnoxious client-side bug that slowed things down and put
extra load on the network; gets us closer to using the v3 directory
voting scheme; makes it easier for Tor controllers to use cookie-based
authentication; and fixes a variety of other bugs.
o Removed features:
- Version 1 directories are no longer generated in full. Instead,
authorities generate and serve "stub" v1 directories that list
no servers. This will stop Tor versions 0.1.0.x and earlier from
working, but (for security reasons) nobody should be running those
versions anyway.
o Major bugfixes (compilation, 0.2.0.x):
- Try to fix Win32 compilation again: improve checking for IPv6 types.
- Try to fix MSVC compilation: build correctly on platforms that do
not define s6_addr16 or s6_addr32.
- Fix compile on platforms without getaddrinfo: bug found by Li-Hui
Zhou.
o Major bugfixes (stream expiration):
- Expire not-yet-successful application streams in all cases if
they've been around longer than SocksTimeout. Right now there are
some cases where the stream will live forever, demanding a new
circuit every 15 seconds. Bugfix on 0.1.2.7-alpha; fixes bug 454;
reported by lodger.
o Minor features (directory servers):
- When somebody requests a list of statuses or servers, and we have
none of those, return a 404 rather than an empty 200.
o Minor features (directory voting):
- Store v3 consensus status consensuses on disk, and reload them
on startup.
o Minor features (security):
- Warn about unsafe ControlPort configurations.
- Refuse to start with certain directory authority keys, and
encourage people using them to stop.
o Minor features (controller):
- Add a PROTOCOLINFO controller command. Like AUTHENTICATE, it
is valid before any authentication has been received. It tells
a controller what kind of authentication is expected, and what
protocol is spoken. Implements proposal 119.
- New config option CookieAuthFile to choose a new location for the
cookie authentication file, and config option
CookieAuthFileGroupReadable to make it group-readable.
o Minor features (unit testing):
- Add command-line arguments to unit-test executable so that we can
invoke any chosen test from the command line rather than having
to run the whole test suite at once; and so that we can turn on
logging for the unit tests.
o Minor bugfixes (on 0.1.2.x):
- If we require CookieAuthentication but we fail to write the
cookie file, we would warn but not exit, and end up in a state
where no controller could authenticate. Now we exit.
- If we require CookieAuthentication, stop generating a new cookie
every time we change any piece of our config.
- When loading bandwidth history, do not believe any information in
the future. Fixes bug 434.
- When loading entry guard information, do not believe any information
in the future.
- When we have our clock set far in the future and generate an
onion key, then re-set our clock to be correct, we should not stop
the onion key from getting rotated.
- Clean up torrc sample config file.
- Do not automatically run configure from autogen.sh. This
non-standard behavior tended to annoy people who have built other
programs.
o Minor bugfixes (on 0.2.0.x):
- Fix a bug with AutomapHostsOnResolve that would always cause
the second request to fail. Bug reported by Kate. Bugfix on
0.2.0.3-alpha.
- Fix a bug in ADDRMAP controller replies that would sometimes
try to print a NULL. Patch from tup.
- Read v3 directory authority keys from the right location.
- Numerous bugfixes to directory voting code.
Changes in version 0.1.2.16 - 2007-08-01
Tor 0.1.2.16 fixes a critical security vulnerability that allows a
remote attacker in certain situations to rewrite the user's torrc
configuration file. This can completely compromise anonymity of users
in most configurations, including those running the Vidalia bundles,
TorK, etc. Or worse.
o Major security fixes:
- Close immediately after missing authentication on control port;
do not allow multiple authentication attempts.
Changes in version 0.2.0.4-alpha - 2007-08-01
This fourth development snapshot fixes a critical security vulnerability
for most users, specifically those running Vidalia, TorK, etc. Everybody
should upgrade to either 0.1.2.16 or 0.2.0.4-alpha.
o Major security fixes:
- Close immediately after missing authentication on control port;
do not allow multiple authentication attempts.
o Major bugfixes (compilation):
- Fix win32 compilation: apparently IN_ADDR and IN6_ADDR are already
defined there.
o Minor features (performance):
- Be even more aggressive about releasing RAM from small
empty buffers. Thanks to our free-list code, this shouldn't be too
performance-intensive.
- Disable sentinel-based debugging for buffer code: we squashed all
the bugs that this was supposed to detect a long time ago, and
now its only effect is to change our buffer sizes from nice
powers of two (which platform mallocs tend to like) to values
slightly over powers of two (which make some platform mallocs sad).
- Log malloc statistics from mallinfo() on platforms where it
exists.
Changes in version 0.2.0.3-alpha - 2007-07-29
This third development snapshot introduces new experimental
blocking-resistance features and a preliminary version of the v3
directory voting design, and includes many other smaller features
and bugfixes.
o Major features:
- The first pieces of our "bridge" design for blocking-resistance
are implemented. People can run bridge directory authorities;
people can run bridges; and people can configure their Tor clients
with a set of bridges to use as the first hop into the Tor network.
See http://archives.seul.org/or/talk/Jul-2007/msg00249.html for
details.
- Create listener connections before we setuid to the configured
User and Group. Now non-Windows users can choose port values
under 1024, start Tor as root, and have Tor bind those ports
before it changes to another UID. (Windows users could already
pick these ports.)
- Added a new ConstrainedSockets config option to set SO_SNDBUF and
SO_RCVBUF on TCP sockets. Hopefully useful for Tor servers running
on "vserver" accounts. (Patch from coderman.)
- Be even more aggressive about separating local traffic from relayed
traffic when RelayBandwidthRate is set. (Refines proposal 111.)
o Major features (experimental):
- First cut of code for "v3 dir voting": directory authorities will
vote on a common network status document rather than each publishing
their own opinion. This code needs more testing and more corner-case
handling before it's ready for use.
o Security fixes:
- Directory authorities now call routers Fast if their bandwidth is
at least 100KB/s, and consider their bandwidth adequate to be a
Guard if it is at least 250KB/s, no matter the medians. This fix
complements proposal 107. [Bugfix on 0.1.2.x]
- Directory authorities now never mark more than 3 servers per IP as
Valid and Running. (Implements proposal 109, by Kevin Bauer and
Damon McCoy.)
- Minor change to organizationName and commonName generation
procedures in TLS certificates during Tor handshakes, to invalidate
some earlier censorware approaches. This is not a long-term
solution, but applying it will give us a bit of time to look into
the epidemiology of countermeasures as they spread.
o Major bugfixes (directory):
- Rewrite directory tokenization code to never run off the end of
a string. Fixes bug 455. Patch from croup. [Bugfix on 0.1.2.x]
o Minor features (controller):
- Add a SOURCE_ADDR field to STREAM NEW events so that controllers can
match requests to applications. (Patch from Robert Hogan.)
- Report address and port correctly on connections to DNSPort. (Patch
from Robert Hogan.)
- Add a RESOLVE command to launch hostname lookups. (Original patch
from Robert Hogan.)
- Add GETINFO status/enough-dir-info to let controllers tell whether
Tor has downloaded sufficient directory information. (Patch
from Tup.)
- You can now use the ControlSocket option to tell Tor to listen for
controller connections on Unix domain sockets on systems that
support them. (Patch from Peter Palfrader.)
- STREAM NEW events are generated for DNSPort requests and for
tunneled directory connections. (Patch from Robert Hogan.)
- New "GETINFO address-mappings/*" command to get address mappings
with expiry information. "addr-mappings/*" is now deprecated.
(Patch from Tup.)
o Minor features (misc):
- Merge in some (as-yet-unused) IPv6 address manipulation code. (Patch
from croup.)
- The tor-gencert tool for v3 directory authorities now creates all
files as readable to the file creator only, and write-protects
the authority identity key.
- When dumping memory usage, list bytes used in buffer memory
free-lists.
- When running with dmalloc, dump more stats on hup and on exit.
- Directory authorities now fail quickly and (relatively) harmlessly
if they generate a network status document that is somehow
malformed.
o Traffic load balancing improvements:
- If exit bandwidth ever exceeds one third of total bandwidth, then
use the correct formula to weight exit nodes when choosing paths.
(Based on patch from Mike Perry.)
- Choose perfectly fairly among routers when choosing by bandwidth and
weighting by fraction of bandwidth provided by exits. Previously, we
would choose with only approximate fairness, and correct ourselves
if we ran off the end of the list. [Bugfix on 0.1.2.x]
o Performance improvements:
- Be more aggressive with freeing buffer RAM or putting it on the
memory free lists.
- Use Critical Sections rather than Mutexes for synchronizing threads
on win32; Mutexes are heavier-weight, and designed for synchronizing
between processes.
o Deprecated and removed features:
- RedirectExits is now deprecated.
- Stop allowing address masks that do not correspond to bit prefixes.
We have warned about these for a really long time; now it's time
to reject them. (Patch from croup.)
o Minor bugfixes (directory):
- Fix another crash bug related to extra-info caching. (Bug found by
Peter Palfrader.) [Bugfix on 0.2.0.2-alpha]
- Directories no longer return a "304 not modified" when they don't
have the networkstatus the client asked for. Also fix a memory
leak when returning 304 not modified. [Bugfixes on 0.2.0.2-alpha]
- We had accidentally labelled 0.1.2.x directory servers as not
suitable for begin_dir requests, and had labelled no directory
servers as suitable for uploading extra-info documents. [Bugfix
on 0.2.0.1-alpha]
o Minor bugfixes (dns):
- Fix a crash when DNSPort is set more than once. (Patch from Robert
Hogan.) [Bugfix on 0.2.0.2-alpha]
- Add DNSPort connections to the global connection list, so that we
can time them out correctly. (Bug found by Robert Hogan.) [Bugfix
on 0.2.0.2-alpha]
- Fix a dangling reference that could lead to a crash when DNSPort is
changed or closed (Patch from Robert Hogan.) [Bugfix on
0.2.0.2-alpha]
o Minor bugfixes (controller):
- Provide DNS expiry times in GMT, not in local time. For backward
compatibility, ADDRMAP events only provide GMT expiry in an extended
field. "GETINFO address-mappings" always does the right thing.
- Use CRLF line endings properly in NS events.
- Terminate multi-line control events properly. (Original patch
from tup.) [Bugfix on 0.1.2.x-alpha]
- Do not include spaces in SOURCE_ADDR fields in STREAM
events. Resolves bug 472. [Bugfix on 0.2.0.x-alpha]
Changes in version 0.1.2.15 - 2007-07-17
Tor 0.1.2.15 fixes several crash bugs, fixes some anonymity-related
problems, fixes compilation on BSD, and fixes a variety of other
bugs. Everybody should upgrade.
o Major bugfixes (compilation):
- Fix compile on FreeBSD/NetBSD/OpenBSD. Oops.
o Major bugfixes (crashes):
- Try even harder not to dereference the first character after
an mmap(). Reported by lodger.
- Fix a crash bug in directory authorities when we re-number the
routerlist while inserting a new router.
- When the cached-routers file is an even multiple of the page size,
don't run off the end and crash. (Fixes bug 455; based on idea
from croup.)
- Fix eventdns.c behavior on Solaris: It is critical to include
orconfig.h _before_ sys/types.h, so that we can get the expected
definition of _FILE_OFFSET_BITS.
o Major bugfixes (security):
- Fix a possible buffer overrun when using BSD natd support. Bug
found by croup.
- When sending destroy cells from a circuit's origin, don't include
the reason for tearing down the circuit. The spec says we didn't,
and now we actually don't. Reported by lodger.
- Keep streamids from different exits on a circuit separate. This
bug may have allowed other routers on a given circuit to inject
cells into streams. Reported by lodger; fixes bug 446.
- If there's a never-before-connected-to guard node in our list,
never choose any guards past it. This way we don't expand our
guard list unless we need to.
o Minor bugfixes (guard nodes):
- Weight guard selection by bandwidth, so that low-bandwidth nodes
don't get overused as guards.
o Minor bugfixes (directory):
- Correctly count the number of authorities that recommend each
version. Previously, we were under-counting by 1.
- Fix a potential crash bug when we load many server descriptors at
once and some of them make others of them obsolete. Fixes bug 458.
o Minor bugfixes (hidden services):
- Stop tearing down the whole circuit when the user asks for a
connection to a port that the hidden service didn't configure.
Resolves bug 444.
o Minor bugfixes (misc):
- On Windows, we were preventing other processes from reading
cached-routers while Tor was running. Reported by janbar.
- Fix a possible (but very unlikely) bug in picking routers by
bandwidth. Add a log message to confirm that it is in fact
unlikely. Patch from lodger.
- Backport a couple of memory leak fixes.
- Backport miscellaneous cosmetic bugfixes.
Changes in version 0.2.0.2-alpha - 2007-06-02
o Major bugfixes on 0.2.0.1-alpha:
- Fix an assertion failure related to servers without extra-info digests.
Resolves bugs 441 and 442.
o Minor features (directory):
- Support "If-Modified-Since" when answering HTTP requests for
directories, running-routers documents, and network-status documents.
(There's no need to support it for router descriptors, since those
are downloaded by descriptor digest.)
o Minor build issues:
- Clear up some MIPSPro compiler warnings.
- When building from a tarball on a machine that happens to have SVK
installed, report the micro-revision as whatever version existed
in the tarball, not as "x".
Changes in version 0.2.0.1-alpha - 2007-06-01
This early development snapshot provides new features for people running
Tor as both a client and a server (check out the new RelayBandwidth
config options); lets Tor run as a DNS proxy; and generally moves us
forward on a lot of fronts.
o Major features, server usability:
- New config options RelayBandwidthRate and RelayBandwidthBurst:
a separate set of token buckets for relayed traffic. Right now
relayed traffic is defined as answers to directory requests, and
OR connections that don't have any local circuits on them.
o Major features, client usability:
- A client-side DNS proxy feature to replace the need for
dns-proxy-tor: Just set "DNSPort 9999", and Tor will now listen
for DNS requests on port 9999, use the Tor network to resolve them
anonymously, and send the reply back like a regular DNS server.
The code still only implements a subset of DNS.
- Make PreferTunneledDirConns and TunnelDirConns work even when
we have no cached directory info. This means Tor clients can now
do all of their connections protected by TLS.
o Major features, performance and efficiency:
- Directory authorities accept and serve "extra info" documents for
routers. These documents contain fields from router descriptors
that aren't usually needed, and that use a lot of excess
bandwidth. Once these fields are removed from router descriptors,
the bandwidth savings should be about 60%. [Partially implements
proposal 104.]
- Servers upload extra-info documents to any authority that accepts
them. Authorities (and caches that have been configured to download
extra-info documents) download them as needed. [Partially implements
proposal 104.]
- Change the way that Tor buffers data that it is waiting to write.
Instead of queueing data cells in an enormous ring buffer for each
client->OR or OR->OR connection, we now queue cells on a separate
queue for each circuit. This lets us use less slack memory, and
will eventually let us be smarter about prioritizing different kinds
of traffic.
- Use memory pools to allocate cells with better speed and memory
efficiency, especially on platforms where malloc() is inefficient.
- Stop reading on edge connections when their corresponding circuit
buffers are full; start again as the circuits empty out.
o Major features, other:
- Add an HSAuthorityRecordStats option that hidden service authorities
can use to track statistics of overall hidden service usage without
logging information that would be very useful to an attacker.
- Start work implementing multi-level keys for directory authorities:
Add a standalone tool to generate key certificates. (Proposal 103.)
o Security fixes:
- Directory authorities now call routers Stable if they have an
uptime of at least 30 days, even if that's not the median uptime
in the network. Implements proposal 107, suggested by Kevin Bauer
and Damon McCoy.
o Minor fixes (resource management):
- Count the number of open sockets separately from the number
of active connection_t objects. This will let us avoid underusing
our allocated connection limit.
- We no longer use socket pairs to link an edge connection to an
anonymous directory connection or a DirPort test connection.
Instead, we track the link internally and transfer the data
in-process. This saves two sockets per "linked" connection (at the
client and at the server), and avoids the nasty Windows socketpair()
workaround.
- Keep unused 4k and 16k buffers on free lists, rather than wasting 8k
for every single inactive connection_t. Free items from the
4k/16k-buffer free lists when they haven't been used for a while.
o Minor features (build):
- Make autoconf search for libevent, openssl, and zlib consistently.
- Update deprecated macros in configure.in.
- When warning about missing headers, tell the user to let us
know if the compile succeeds anyway, so we can downgrade the
warning.
- Include the current subversion revision as part of the version
string: either fetch it directly if we're in an SVN checkout, do
some magic to guess it if we're in an SVK checkout, or use
the last-detected version if we're building from a .tar.gz.
Use this version consistently in log messages.
o Minor features (logging):
- Always prepend "Bug: " to any log message about a bug.
- Put a platform string (e.g. "Linux i686") in the startup log
message, so when people paste just their logs, we know if it's
OpenBSD or Windows or what.
- When logging memory usage, break down memory used in buffers by
buffer type.
o Minor features (directory system):
- New config option V2AuthoritativeDirectory that all directory
authorities should set. This will let future authorities choose
not to serve V2 directory information.
- Directory authorities allow multiple router descriptors and/or extra
info documents to be uploaded in a single go. This will make
implementing proposal 104 simpler.
o Minor features (controller):
- Add a new config option __DisablePredictedCircuits designed for
use by the controller, when we don't want Tor to build any circuits
preemptively.
- Let the controller specify HOP=%d as an argument to ATTACHSTREAM,
so we can exit from the middle of the circuit.
- Implement "getinfo status/circuit-established".
- Implement "getinfo status/version/..." so a controller can tell
whether the current version is recommended, and whether any versions
are good, and how many authorities agree. (Patch from shibz.)
o Minor features (hidden services):
- Allow multiple HiddenServicePort directives with the same virtual
port; when they occur, the user is sent round-robin to one
of the target ports chosen at random. Partially fixes bug 393 by
adding limited ad-hoc round-robining.
o Minor features (other):
- More unit tests.
- Add a new AutomapHostsOnResolve option: when it is enabled, any
resolve request for hosts matching a given pattern causes Tor to
generate an internal virtual address mapping for that host. This
allows DNSPort to work sensibly with hidden service users. By
default, .exit and .onion addresses are remapped; the list of
patterns can be reconfigured with AutomapHostsSuffixes.
- Add an "-F" option to tor-resolve to force a resolve for a .onion
address. Thanks to the AutomapHostsOnResolve option, this is no
longer a completely silly thing to do.
- If Tor is invoked from something that isn't a shell (e.g. Vidalia),
now we expand "-f ~/.tor/torrc" correctly. Suggested by Matt Edman.
- Treat "2gb" when given in torrc for a bandwidth as meaning 2gb,
minus 1 byte: the actual maximum declared bandwidth.
o Removed features:
- Removed support for the old binary "version 0" controller protocol.
This has been deprecated since 0.1.1, and warnings have been issued
since 0.1.2. When we encounter a v0 control message, we now send
back an error and close the connection.
- Remove the old "dns worker" server DNS code: it hasn't been default
since 0.1.2.2-alpha, and all the servers seem to be using the new
eventdns code.
o Minor bugfixes (portability):
- Even though Windows is equally happy with / and as path separators,
try to use consistently on Windows and / consistently on Unix: it
makes the log messages nicer.
- Correctly report platform name on Windows 95 OSR2 and Windows 98 SE.
- Read resolv.conf files correctly on platforms where read() returns
partial results on small file reads.
o Minor bugfixes (directory):
- Correctly enforce that elements of directory objects do not appear
more often than they are allowed to appear.
- When we are reporting the DirServer line we just parsed, we were
logging the second stanza of the key fingerprint, not the first.
o Minor bugfixes (logging):
- When we hit an EOF on a log (probably because we're shutting down),
don't try to remove the log from the list: just mark it as
unusable. (Bulletproofs against bug 222.)
o Minor bugfixes (other):
- In the exitlist script, only consider the most recently published
server descriptor for each server. Also, when the user requests
a list of servers that _reject_ connections to a given address,
explicitly exclude the IPs that also have servers that accept
connections to that address. (Resolves bug 405.)
- Stop allowing hibernating servers to be "stable" or "fast".
- On Windows, we were preventing other processes from reading
cached-routers while Tor was running. (Reported by janbar)
- Make the NodeFamilies config option work. (Reported by
lodger -- it has never actually worked, even though we added it
in Oct 2004.)
- Check return values from pthread_mutex functions.
- Don't save non-general-purpose router descriptors to the disk cache,
because we have no way of remembering what their purpose was when
we restart.
- Add even more asserts to hunt down bug 417.
- Build without verbose warnings even on (not-yet-released) gcc 4.2.
- Fix a possible (but very unlikely) bug in picking routers by bandwidth.
Add a log message to confirm that it is in fact unlikely.
o Minor bugfixes (controller):
- Make 'getinfo fingerprint' return a 551 error if we're not a
server, so we match what the control spec claims we do. Reported
by daejees.
- Fix a typo in an error message when extendcircuit fails that
caused us to not follow the rn-based delimiter protocol. Reported
by daejees.
o Code simplifications and refactoring:
- Stop passing around circuit_t and crypt_path_t pointers that are
implicit in other procedure arguments.
- Drop the old code to choke directory connections when the
corresponding OR connections got full: thanks to the cell queue
feature, OR conns don't get full any more.
- Make dns_resolve() handle attaching connections to circuits
properly, so the caller doesn't have to.
- Rename wants_to_read and wants_to_write to read/write_blocked_on_bw.
- Keep the connection array as a dynamic smartlist_t, rather than as
a fixed-sized array. This is important, as the number of connections
is becoming increasingly decoupled from the number of sockets.
Changes in version 0.1.2.14 - 2007-05-25
Tor 0.1.2.14 changes the addresses of two directory authorities (this
change especially affects those who serve or use hidden services),
and fixes several other crash- and security-related bugs.
o Directory authority changes:
- Two directory authorities (moria1 and moria2) just moved to new
IP addresses. This change will particularly affect those who serve
or use hidden services.
o Major bugfixes (crashes):
- If a directory server runs out of space in the connection table
as it's processing a begin_dir request, it will free the exit stream
but leave it attached to the circuit, leading to unpredictable
behavior. (Reported by seeess, fixes bug 425.)
- Fix a bug in dirserv_remove_invalid() that would cause authorities
to corrupt memory under some really unlikely scenarios.
- Tighten router parsing rules. (Bugs reported by Benedikt Boss.)
- Avoid segfaults when reading from mmaped descriptor file. (Reported
by lodger.)
o Major bugfixes (security):
- When choosing an entry guard for a circuit, avoid using guards
that are in the same family as the chosen exit -- not just guards
that are exactly the chosen exit. (Reported by lodger.)
o Major bugfixes (resource management):
- If a directory authority is down, skip it when deciding where to get
networkstatus objects or descriptors. Otherwise we keep asking
every 10 seconds forever. Fixes bug 384.
- Count it as a failure if we fetch a valid network-status but we
don't want to keep it. Otherwise we'll keep fetching it and keep
not wanting to keep it. Fixes part of bug 422.
- If all of our dirservers have given us bad or no networkstatuses
lately, then stop hammering them once per minute even when we
think they're failed. Fixes another part of bug 422.
o Minor bugfixes:
- Actually set the purpose correctly for descriptors inserted with
purpose=controller.
- When we have k non-v2 authorities in our DirServer config,
we ignored the last k authorities in the list when updating our
network-statuses.
- Correctly back-off from requesting router descriptors that we are
having a hard time downloading.
- Read resolv.conf files correctly on platforms where read() returns
partial results on small file reads.
- Don't rebuild the entire router store every time we get 32K of
routers: rebuild it when the journal gets very large, or when
the gaps in the store get very large.
o Minor features:
- When routers publish SVN revisions in their router descriptors,
authorities now include those versions correctly in networkstatus
documents.
- Warn when using a version of libevent before 1.3b to run a server on
OSX or BSD: these versions interact badly with userspace threads.
Changes in version 0.1.2.13 - 2007-04-24
This release features some major anonymity fixes, such as safer path
selection; better client performance; faster bootstrapping, better
address detection, and better DNS support for servers; write limiting as
well as read limiting to make servers easier to run; and a huge pile of
other features and bug fixes. The bundles also ship with Vidalia 0.0.11.
Tor 0.1.2.13 is released in memory of Rob Levin (1955-2006), aka lilo
of the Freenode IRC network, remembering his patience and vision for
free speech on the Internet.
o Minor fixes:
- Fix a memory leak when we ask for "all" networkstatuses and we
get one we don't recognize.
- Add more asserts to hunt down bug 417.
- Disable kqueue on OS X 10.3 and earlier, to fix bug 371.
Changes in version 0.1.2.12-rc - 2007-03-16
o Major bugfixes:
- Fix an infinite loop introduced in 0.1.2.7-alpha when we serve
directory information requested inside Tor connections (i.e. via
begin_dir cells). It only triggered when the same connection was
serving other data at the same time. Reported by seeess.
o Minor bugfixes:
- When creating a circuit via the controller, send a 'launched'
event when we're done, so we follow the spec better.
Changes in version 0.1.2.11-rc - 2007-03-15
o Minor bugfixes (controller), reported by daejees:
- Correct the control spec to match how the code actually responds
to 'getinfo addr-mappings/*'.
- The control spec described a GUARDS event, but the code
implemented a GUARD event. Standardize on GUARD, but let people
ask for GUARDS too.
Changes in version 0.1.2.10-rc - 2007-03-07
o Major bugfixes (Windows):
- Do not load the NT services library functions (which may not exist)
just to detect if we're a service trying to shut down. Now we run
on Win98 and friends again.
o Minor bugfixes (other):
- Clarify a couple of log messages.
- Fix a misleading socks5 error number.
Changes in version 0.1.2.9-rc - 2007-03-02
o Major bugfixes (Windows):
- On MinGW, use "%I64u" to printf/scanf 64-bit integers, instead
of the usual GCC "%llu". This prevents a bug when saving 64-bit
int configuration values: the high-order 32 bits would get
truncated. In particular, we were being bitten by the default
MaxAdvertisedBandwidth of 128 TB turning into 0. (Fixes bug 400
and maybe also bug 397.)
o Minor bugfixes (performance):
- Use OpenSSL's AES implementation on platforms where it's faster.
This could save us as much as 10% CPU usage.
o Minor bugfixes (server):
- Do not rotate onion key immediately after setting it for the first
time.
o Minor bugfixes (directory authorities):
- Stop calling servers that have been hibernating for a long time
"stable". Also, stop letting hibernating or obsolete servers affect
uptime and bandwidth cutoffs.
- Stop listing hibernating servers in the v1 directory.
o Minor bugfixes (hidden services):
- Upload hidden service descriptors slightly less often, to reduce
load on authorities.
o Minor bugfixes (other):
- Fix an assert that could trigger if a controller quickly set then
cleared EntryNodes. (Bug found by Udo van den Heuvel.)
- On architectures where sizeof(int)>4, still clamp declarable bandwidth
to INT32_MAX.
- Fix a potential race condition in the rpm installer. Found by
Stefan Nordhausen.
- Try to fix eventdns warnings once and for all: do not treat a dns rcode
of 2 as indicating that the server is completely bad; it sometimes
means that the server is just bad for the request in question. (may fix
the last of bug 326.)
- Disable encrypted directory connections when we don't have a server
descriptor for the destination. We'll get this working again in
the 0.2.0 branch.
Changes in version 0.1.2.8-beta - 2007-02-26
o Major bugfixes (crashes):
- Stop crashing when the controller asks us to resetconf more than
one config option at once. (Vidalia 0.0.11 does this.)
- Fix a crash that happened on Win98 when we're given command-line
arguments: don't try to load NT service functions from advapi32.dll
except when we need them. (Bug introduced in 0.1.2.7-alpha;
resolves bug 389.)
- Fix a longstanding obscure crash bug that could occur when
we run out of DNS worker processes. (Resolves bug 390.)
o Major bugfixes (hidden services):
- Correctly detect whether hidden service descriptor downloads are
in-progress. (Suggested by Karsten Loesing; fixes bug 399.)
o Major bugfixes (accounting):
- When we start during an accounting interval before it's time to wake
up, remember to wake up at the correct time. (May fix bug 342.)
o Minor bugfixes (controller):
- Give the controller END_STREAM_REASON_DESTROY events _before_ we
clear the corresponding on_circuit variable, and remember later
that we don't need to send a redundant CLOSED event. (Resolves part
3 of bug 367.)